1.8.{2-3} Using /etc/gdm3/greeter.dconf-defaults does NOT make CIS report rules as compliant #124

Closed
ipruteanu-sie opened this issue Oct 3, 2023 · 0 comments
Labels: bug (Something isn't working)

@ipruteanu-sie (Contributor)

Describe the Issue
Using the /etc/gdm3/greeter.dconf-defaults file does not make CIS report a Pass status for rules 1.8.2 and 1.8.3.

I don't know if you ever tried these steps:

  1. sudo apt update && apt install -y gdm3 on the target Ubuntu system (which forces the condition for the above-mentioned rules to be evaluated as True)
  2. Enabling the variable which forces the 1.8.2 and 1.8.3 rules, respectively: ubtu22cis_desktop_required: true in defaults/main.yml
  3. Running the role against the Ubuntu system (optionally using gnome as the value for tags)
  4. Verifying the results reported by CIS.

Expected Behavior

  • "1.8.2 | PATCH | Ensure GDM login banner is configured" -> PASS
  • "1.8.3 | PATCH | Ensure disable-user-list is enabled" -> PASS

Actual Behavior

  • "1.8.2 | PATCH | Ensure GDM login banner is configured" -> FAIL
  • "1.8.3 | PATCH | Ensure disable-user-list is enabled" -> FAIL

Control(s) Affected

  • 1.8.2(sce/nix_gdm_login_banner_configured_chk.sh)
  • 1.8.3(sce/nix_gdm_disable_user_list_chk.sh)

Environment (please complete the following information):

  • branch being used: devel

Additional Notes

This common approach suggested by the above references works for CIS, but only because it does not use the /etc/gdm3/greeter.dconf-defaults defaults file.

  • It does indeed have a reference to ANOTHER DEFAULTS FILE, namely /usr/share/gdm/greeter-dconf-defaults:
user-db:user
system-db:gdm
file-db:/usr/share/gdm/greeter-dconf-defaults                      # ** HERE **

but CIS only checks whether the disable-user-list=true value is set in dconf-profile files within /etc/dconf/db/* (as highlighted in the screenshot below).

Possible Solution
I'll provide a PR, which would make CIS report Pass.
I was wondering, though, if you had some reasons to use the defaults approach, reasons which could make my suggested fix not so good as your original approach.
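The alternative layout the issue alludes to, written out as a runnable example. This is added illustration and not code from the issue author or from the ansible-lockdown role: it drops the GDM dconf profile and a keyfile under /etc/dconf/db/gdm.d/ (the location the 1.8.2/1.8.3 checks grep, per the issue), compiles the database with dconf update only when writing to the live system, and then runs greps that approximate what those checks look for. The ROOT argument, the keyfile name 00-security-settings and the banner text are assumptions made for the example, not values taken from the role or from the CIS benchmark.

```bash
#!/usr/bin/env bash
# Added example: configure GDM via a dconf profile plus a keyfile in
# /etc/dconf/db/gdm.d/ (the layout the CIS checks inspect), then verify it
# the way the 1.8.2 / 1.8.3 checks do (grep under /etc/dconf/db/).
# ROOT is a scratch directory by default so the script runs offline and
# never touches the real /etc unless ROOT is "/".
set -euo pipefail

# Write the GDM dconf profile and the login-screen keyfile under "$1".
# "$2" is the banner text (assumed wording, not the benchmark's).
configure_gdm_dconf() {
  local root="$1"
  local banner="${2:-Authorized uses only. All activity may be monitored and reported.}"
  mkdir -p "$root/etc/dconf/profile" "$root/etc/dconf/db/gdm.d"

  # Profile: the gdm user reads its own db first, then the system "gdm" database.
  # Note there is no file-db: line pointing at a greeter-dconf-defaults file.
  cat > "$root/etc/dconf/profile/gdm" <<'EOF'
user-db:user
system-db:gdm
EOF

  # Keyfile in gdm.d/; "dconf update" compiles it into /etc/dconf/db/gdm.
  # The keyfile name 00-security-settings is an assumption for this example.
  cat > "$root/etc/dconf/db/gdm.d/00-security-settings" <<EOF
[org/gnome/login-screen]
banner-message-enable=true
banner-message-text='$banner'
disable-user-list=true
EOF

  # Only compile the binary database when writing to the live system.
  if [ "$root" = "/" ]; then
    dconf update
  fi
}

# Approximation of the 1.8.2 check: banner enabled and non-empty text,
# both set in a keyfile under /etc/dconf/db/.
check_gdm_banner() {
  local db="$1/etc/dconf/db/"
  grep -Ersq '^[[:space:]]*banner-message-enable[[:space:]]*=[[:space:]]*true' "$db" &&
  grep -Ersq "^[[:space:]]*banner-message-text[[:space:]]*=[[:space:]]*'[^']+'" "$db"
}

# Approximation of the 1.8.3 check: disable-user-list=true under /etc/dconf/db/.
check_gdm_user_list() {
  grep -Ersq '^[[:space:]]*disable-user-list[[:space:]]*=[[:space:]]*true' "$1/etc/dconf/db/"
}

# Usage: configure into a scratch root and report the two checks.
if [ "${1:-}" = "--demo" ]; then
  root="$(mktemp -d)"
  configure_gdm_dconf "$root"
  check_gdm_banner "$root"    && echo "1.8.2 banner:        PASS" || echo "1.8.2 banner:        FAIL"
  check_gdm_user_list "$root" && echo "1.8.3 user list:     PASS" || echo "1.8.3 user list:     FAIL"
fi
```

Run it with `--demo` to exercise the scratch-root path; with ROOT set to `/` (as root) the same functions write the live profile and keyfile and run `dconf update`. The point the greps make is the one raised in the issue: a setting that only lives in a `file-db:` defaults file is invisible to a check that walks `/etc/dconf/db/*`, so the keyfile has to exist there even though GDM itself would honour either location.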

@ipruteanu-sie ipruteanu-sie added the bug Something isn't working label Oct 3, 2023
@uk-bolly uk-bolly self-assigned this Oct 10, 2023
uk-bolly added a commit that referenced this issue Oct 10, 2023
Signed-off-by: Mark Bolwell <[email protected]>
@uk-bolly uk-bolly linked a pull request Oct 20, 2023 that will close this issue