This common approach suggested by the above references works for CIS, but only because it does not use the /etc/gdm3/greeter.dconf-defaults defaults file.
It does indeed have a reference to ANOTHER defaults file, namely /usr/share/gdm/greeter-dconf-defaults:

    user-db:user
    system-db:gdm
    file-db:/usr/share/gdm/greeter-dconf-defaults # ** HERE **

but CIS checks only if the disable-user-list=true value is set in dconf-profile files within /etc/dconf/db/* (as highlighted in the below screenshot).
Possible Solution
I'll provide a PR, which would make CIS report Pass.
I was wondering, though, if you had some reasons to use the defaults approach, reasons which could make my suggested fix not so good as your original approach.
Describe the Issue
Using /etc/gdm3/greeter.dconf-defaults file does not make CIS report a Pass status for rules 1.8.2 and 1.8.3.
I don't know if you ever tried these steps:
sudo apt update && sudo apt install -y gdm3 on the target Ubuntu system (which forces the condition for above-mentioned rules to be evaluated as True)
ubtu22cis_desktop_required: true in defaults\main.yml
gnome as value for tags
Expected Behavior
Actual Behavior
Control(s) Affected
sce/nix_gdm_login_banner_configured_chk.sh
sce/nix_gdm_disable_user_list_chk.sh
Environment (please complete the following information):
Additional Notes
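An added example, not part of the original issue or the role's own scripts: a keyfile-only check of the kind the issue describes, which reads the profile and looks for disable-user-list=true only in keyfiles under the system-db directory, so a value delivered through the profile's file-db entry is reported as unread. The function names, the DB_ROOT parameter and the sample tree are assumptions for illustration; the check assumes keyfiles live in DB_ROOT/<name>.d/ and that the key sits in the [org/gnome/login-screen] section.

```shell
#!/bin/sh
# Added example, not the CIS or role script; paths are parameters so it runs on a constructed tree.

# Succeeds if a keyfile sets disable-user-list=true in [org/gnome/login-screen].
keyfile_sets_it() {
  awk '
    FNR == 1 { sec = "" }
    /^[ \t]*\[/ { sec = $0; gsub(/[ \t]/, "", sec) }
    sec == "[org/gnome/login-screen]" &&
      /^[ \t]*disable-user-list[ \t]*=[ \t]*true[ \t]*$/ { ok = 1 }
    END { exit ok ? 0 : 1 }
  ' "$@"
}

# audit_profile PROFILE DB_ROOT
# Prints "pass system-db:<name>" when a keyfile in DB_ROOT/<name>.d/ sets the
# key; otherwise "fail" plus the file-db sources a keyfile-only check never reads.
audit_profile() {
  local profile="$1" db_root="$2" line kind name f unread=""
  while IFS= read -r line || [ -n "$line" ]; do
    line=$(printf '%s' "${line%%#*}" | tr -d ' \t')   # drop annotation, blanks
    kind=${line%%:*}; name=${line#*:}
    case $kind in
      system-db)
        for f in "$db_root/$name.d"/*; do
          if [ -f "$f" ] && keyfile_sets_it "$f"; then
            echo "pass system-db:$name"; return 0
          fi
        done ;;
      file-db) unread="$unread file-db:$name" ;;
    esac
  done < "$profile"
  echo "fail$unread"
  return 1
}

# Constructed sample: the profile quoted in the issue, audited before and
# after a keyfile is added under DB_ROOT/gdm.d/.
demo() {
  local t; t=$(mktemp -d)
  mkdir -p "$t/db/gdm.d"
  printf '%s\n' 'user-db:user' 'system-db:gdm' \
    'file-db:/usr/share/gdm/greeter-dconf-defaults' > "$t/gdm"
  audit_profile "$t/gdm" "$t/db" || true
  printf '%s\n' '[org/gnome/login-screen]' 'disable-user-list=true' > "$t/db/gdm.d/00-login-screen"
  audit_profile "$t/gdm" "$t/db"
  rm -rf "$t"
}
demo
```

On a real system the keyfile only takes effect after the database is rebuilt with `dconf update`.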