{"description": "In the default graphical environment, a login warning banner can be displayed\non the GNOME Display Manager's login screen by setting\n<tt>banner-message-enable</tt> to <tt>true</tt>.\n<br /><br />\nTo enable it, add or edit <tt>banner-message-enable</tt> in\n<tt>/etc/dconf/db/gdm.d/00-security-settings</tt>. For example:\n<pre>[org/gnome/login-screen]\nbanner-message-enable=true</pre>\nOnce the setting has been added, add a lock to\n<tt>/etc/dconf/db/gdm.d/locks/00-security-settings-lock</tt> to prevent user modification.\nFor example:\n<pre>/org/gnome/login-screen/banner-message-enable</pre>\nAfter the settings have been set, run <tt>dconf update</tt>.\nThe banner text must also be set.", "rationale": "Display of a standardized and approved use notification before granting access to the operating system\nensures privacy and security notification verbiage used is consistent with applicable federal laws,\nExecutive Orders, directives, policies, regulations, standards, and guidance.\n<br /><br />\nFor U.S. 
Government systems, system use notifications are required only for access via login interfaces\nwith human users and are not required when such human interfaces do not exist.", "severity": "medium", "references": {"cis-csc": ["1", "12", "15", "16"], "cobit5": ["DSS05.04", "DSS05.10", "DSS06.10"], "cui": ["3.1.9"], "isa-62443-2009": ["4.3.3.6.1", "4.3.3.6.2", "4.3.3.6.3", "4.3.3.6.4", "4.3.3.6.5", "4.3.3.6.6", "4.3.3.6.7", "4.3.3.6.8", "4.3.3.6.9"], "isa-62443-2013": ["SR 1.1", "SR 1.10", "SR 1.2", "SR 1.5", "SR 1.7", "SR 1.8", "SR 1.9"], "iso27001-2013": ["A.18.1.4", "A.9.2.1", "A.9.2.4", "A.9.3.1", "A.9.4.2", "A.9.4.3"], "nist": ["AC-8(a)", "AC-8(b)", "AC-8(c)"], "nist-csf": ["PR.AC-7"], "srg": ["SRG-OS-000023-GPOS-00006", "SRG-OS-000228-GPOS-00088"], "cis": ["1.7.2"], "stigid": ["UBTU-22-271010"], "stigref": ["SV-260535r958390_rule"]}, "control_references": {"cis": ["1.7.2"], "stigid": ["UBTU-22-271010"]}, "components": [], "identifiers": {}, "ocil_clause": "it is not", "ocil": "To ensure a login warning banner is enabled, run the following:\n<pre>$ grep banner-message-enable /etc/dconf/db/gdm.d/*</pre>\nIf properly configured, the output should be <tt>true</tt>.\nTo ensure a login warning banner is locked and cannot be changed by a user, run the following:\n<pre>$ grep banner-message-enable /etc/dconf/db/gdm.d/locks/*</pre>\nIf properly configured, the output should be <tt>/org/gnome/login-screen/banner-message-enable</tt>.", "oval_external_content": null, "fixtext": "Configure Ubuntu 22.04 to display the Standard Mandatory Notice and Consent Banner before granting access to the system.\n\nNote: If the system does not have a graphical user interface installed, this requirement is Not Applicable.\n\nCreate a database to contain the system-wide graphical user logon settings (if it does not already exist) with the following command:\n\n$ sudo touch /etc/dconf/db/local.d/01-banner-message\n\nAdd the following lines to the [org/gnome/login-screen] section of the 
\"/etc/dconf/db/local.d/01-banner-message\":\n\n[org/gnome/login-screen]\n\nbanner-message-enable=true\n\nRun the following command to update the database:\n\n$ sudo dconf update", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 must display a banner before granting local or remote access to the system via a graphical user logon.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must prevent a user from overriding the banner-message-enable setting for the graphical user interface.", "vuldiscussion": "Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\n\nFor U.S. Government systems, system use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist.", "checktext": "Note: This requirement assumes the use of the Ubuntu 22.04 default graphical user interface, the GNOME desktop environment. 
If the system does not have any graphical user interface installed, this requirement is Not Applicable.\n\nVerify Ubuntu 22.04 prevents a user from overriding settings for graphical user interfaces.\n\nDetermine if the org.gnome.login-screen banner-message-enable key is writable with the following command:\n\n$ gsettings writable org.gnome.login-screen banner-message-enable\n\nfalse\n\nIf \"banner-message-enable\" is writable or the result is \"true\", this is a finding.", "fixtext": "Configure Ubuntu 22.04 to prevent a user from overriding the banner setting for graphical user interfaces.\n\nCreate a database to contain the systemwide graphical user logon settings (if it does not already exist) with the following command:\n\n$ sudo touch /etc/dconf/db/local.d/locks/session\n\nAdd the following setting to prevent nonprivileged users from modifying it:\n\n/org/gnome/login-screen/banner-message-enable\n\nRun the following command to update the database:\n\n$ sudo dconf update"}}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["package[gdm]"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["package_gdm"], "bash_conditional": null, "fixes": {}, "title": "Enable GNOME3 Login Warning Banner", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled/rule.yml", "template": null}