Add SLE16 CCE for gnome_gdm_disable_unattended_automatic_login rule

Author: teacup-on-rockingchair

linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_unattended_automatic_login/rule.yml

@@ -22,6 +22,7 @@ severity: high
 identifiers:
     cce@sle12: CCE-83245-1
     cce@sle15: CCE-85723-5
+    cce@sle16: CCE-96251-4
     cce@slmicro5: CCE-93754-0
 
 references:

linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/ansible/shared.yml

@@ -7,14 +7,26 @@
 
 - name: "Set GNOME3 Screensaver Inactivity Timeout"
   community.general.ini_file:
-    dest: "/etc/dconf/db/local.d/00-security-settings"
+    dest: "/etc/dconf/db/{{{ dconf_gdm_dir }}}/00-security-settings"
     section: "org/gnome/desktop/session"
     option: idle-delay
     value: "uint32 {{ inactivity_timeout_value }}"
     create: yes
     no_extra_spaces: yes
   register: result_ini
 
+- name: "Prevent user modification of GNOME Screensaver Inactivity Timeout"
+  ansible.builtin.lineinfile:
+    path: /etc/dconf/db/{{{ dconf_gdm_dir }}}/locks/00-security-settings-lock
+    regexp: '^/org/gnome/desktop/session/idle-delay$'
+    line: '/org/gnome/desktop/session/idle-delay'
+    create: yes
+  register: result_lineinfile
+
 - name: Dconf Update
   ansible.builtin.command: dconf update
-  when: result_ini is changed
+  when: result_ini is changed or result_lineinfile is changed
+
+{{% if product in ['sle15', 'sle16'] %}}
+{{{ ansible_enable_dconf_user_profile(profile="gdm", database="gdm") }}}
+{{% endif %}}

linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/ansible/shared.yml

@@ -7,24 +7,26 @@
 
 - name: "Set GNOME3 Screensaver Lock Delay After Activation Period"
   community.general.ini_file:
-    dest: "/etc/dconf/db/local.d/00-security-settings"
+    dest: "/etc/dconf/db/{{{ dconf_gdm_dir }}}/00-security-settings"
     section: "org/gnome/desktop/screensaver"
     option: lock-delay
     value: "uint32 {{ var_screensaver_lock_delay }}"
     create: yes
     no_extra_spaces: yes
   register: result_ini
 
-# apply fix for enable_dconf_user_profile, OVAL checks it
-{{% if product in ['sle15', 'sle16'] %}}
-- name: "Configure GNOME3 DConf User Profile"
+- name: "Prevent user modification of GNOME Screensaver Lock Delay"
   ansible.builtin.lineinfile:
-    dest: "/etc/dconf/profile/gdm"
-    line: "user-db:user\nsystem-db:gdm"
+    path: /etc/dconf/db/{{{ dconf_gdm_dir }}}/locks/00-security-settings-lock
+    regexp: '^/org/gnome/desktop/screensaver/lock-delay$'
+    line: '/org/gnome/desktop/screensaver/lock-delay'
     create: yes
-    state: present
-{{% endif %}}
+  register: result_lineinfile
 
 - name: Dconf Update
   ansible.builtin.command: dconf update
-  when: result_ini is changed
+  when: result_ini is changed or result_lineinfile is changed
+
+{{% if product in ['sle15', 'sle16'] %}}
+{{{ ansible_enable_dconf_user_profile(profile="gdm", database="gdm") }}}
+{{% endif %}}

shared/references/cce-sle16-avail.txt

@@ -438,7 +438,6 @@ CCE-96247-2
 CCE-96248-0
 CCE-96249-8
 CCE-96250-6
-CCE-96251-4
 CCE-96252-2
 CCE-96253-0
 CCE-96254-8