This patch includes OVAL for the disable_user_list Rule. It also updates the check and fix to look at the same thing.
Thanks, Leland -- Leland Steinke, Security+ DISA FSO Technical Support Contractor tapestry technologies, Inc 717-267-5797 (DSN 570) [email protected] (gov't) [email protected] (com'l)
>From 4105a39c36cf6d8841e646f4c1ea69f1814cffe0 Mon Sep 17 00:00:00 2001 From: steinkel <[email protected]> Date: Mon, 6 Jan 2014 11:01:53 -0500 Subject: [PATCH] update disable_user_list check and fix and add OVAL Signed-off-by: steinkel <[email protected]> --- .../checks/gconf_gnome_gdm_disable_user_list.xml | 30 ++++++++++++++++++++ RHEL/6/input/system/accounts/banners.xml | 11 ++++-- 2 files changed, 37 insertions(+), 4 deletions(-) create mode 100644 RHEL/6/input/checks/gconf_gnome_gdm_disable_user_list.xml diff --git a/RHEL/6/input/checks/gconf_gnome_gdm_disable_user_list.xml b/RHEL/6/input/checks/gconf_gnome_gdm_disable_user_list.xml new file mode 100644 index 0000000..897c9b4 --- /dev/null +++ b/RHEL/6/input/checks/gconf_gnome_gdm_disable_user_list.xml 
@@ -0,0 +1,30 @@ +<def-group> + <definition class="compliance" id="gconf_gnome_gdm_disable_user_list" version="1"> + <metadata> + <title>Configure Login User List</title> + <affected family="unix"> + <platform>Red Hat Enterprise Linux 6</platform> + </affected> + <description>Is the local user list displayed on the login screen?</description> + <reference source="LJS" ref_id="20140103" ref_url="test_attestation" /> + </metadata> + <criteria operator="OR"> + <extend_definition comment="GConf2 installed" definition_ref="package_GConf2_installed" negate="true" /> + <criterion comment="check value of disable_user_list in GCONF" test_ref="test_gnome_gdm_disable_user_list" /> + </criteria> + </definition> + <ind:xmlfilecontent_test check="all" + comment="test that gdm user list disabled" + id="test_gnome_gdm_disable_user_list" version="1"> + <ind:object object_ref="object_gnome_gdm_disable_user_list" /> + <ind:state state_ref="state_gnome_gdm_disable_user_list" /> + </ind:xmlfilecontent_test> + <ind:xmlfilecontent_object id="object_gnome_gdm_disable_user_list" version="1"> + <ind:filepath>/etc/gconf/gconf.xml.mandatory/apps/gdm/simple-greeter/%gconf.xml</ind:filepath> + <ind:xpath>/gconf/entry[@name='disable_user_list']/@value</ind:xpath> + </ind:xmlfilecontent_object> + <ind:xmlfilecontent_state comment="user list disabled" + id="state_gnome_gdm_disable_user_list" version="1"> + <ind:value_of datatype="boolean">true</ind:value_of> + </ind:xmlfilecontent_state> +</def-group> diff --git a/RHEL/6/input/system/accounts/banners.xml b/RHEL/6/input/system/accounts/banners.xml index a9fb433..be8f2a6 100644 --- a/RHEL/6/input/system/accounts/banners.xml +++ b/RHEL/6/input/system/accounts/banners.xml 
@@ -148,19 +148,22 @@ directly into the system are greeted with a login screen that displays all known users. This functionality should be disabled. <br /><br /> Run the following command to disable the user list: -<pre>sudo -u gdm gconftool-2 \ - --type bool \ - --set /apps/gdm/simple-greeter/disable_user_list true</pre> +<pre>$ sudo gconftool-2 --direct \ + --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ + --type bool --set /apps/gdm/simple-greeter/disable_user_list true</pre> </description> <ocil clause="it is not"> To ensure the user list is disabled, run the following command: -<pre>$ gconftool-2 -g /apps/gdm/simple-greeter/disable_user_list</pre> +<pre>$ gconftool-2 --direct \ + --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ + --get /apps/gdm/simple-greeter/disable_user_list</pre> The output should be <tt>true</tt>. </ocil> <rationale>Leaving the user list enabled is a security risk since it allows anyone with physical access to the system to quickly enumerate known user accounts without logging in.</rationale> <ident cce="27230-2" /> +<oval id="gconf_gnome_gdm_disable_user_list" /> <ref nist="AC-23" disa="366" /> </Rule> -- 1.7.1
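Review bot: in the new OVAL file, the `<description>` inside `<metadata>` is phrased as a question ("Is the local user list displayed on the login screen?") while the other definitions in this tree state the compliant condition; reword it to something like "The GDM login screen must not display the list of local user accounts." More substantively, the `<ind:xmlfilecontent_object>` reads only the mandatory source (`/etc/gconf/gconf.xml.mandatory/apps/gdm/simple-greeter/%gconf.xml`), so a host that was hardened with the previously documented command (`sudo -u gdm gconftool-2 --type bool --set ...`), which writes through gconfd into the gdm user's own gconf tree, will now evaluate as non-compliant even though its greeter shows no user list. That is a defensible choice, since only the mandatory source cannot be overridden by the gdm user's settings and it is what the new fix writes, but it is a behaviour change for already-configured systems and deserves a sentence in the commit message. The xpath `/gconf/entry[@name='disable_user_list']/@value` also matches on `@name` alone; if a stray non-boolean entry with the value "true" should not pass, add `[@type='bool']` to the predicate.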
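Review bot: in the `<ocil>` block, the `--get` command opens the mandatory source as `xml:readwrite:/etc/gconf/gconf.xml.mandatory` although nothing is written; use `xml:readonly:/etc/gconf/gconf.xml.mandatory` there (the mode GConf itself uses for that source in `/etc/gconf/2/path`), so an auditor can run the check without gconftool-2 needing write access under `/etc/gconf`. The fix command is right to target the mandatory source, but because `--direct` bypasses gconfd-2, a daemon that is already running keeps its cached value; it would help to add to the description that the setting takes effect once gconfd-2 has been restarted or at the next display of the login screen. The added `<oval id="gconf_gnome_gdm_disable_user_list" />` matches the definition id in the new checks file, so the Rule, OCIL and OVAL now all look at the same source, as the cover note says.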
_______________________________________________ scap-security-guide mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
