Hello,
These patches should address a few sshd false positives [Patch 0001] and
add support for %gconf-tree.xml [Patch 0002] as well as a recommendation to
change remediation for the GDM login banner from a gdm user default to a
gconf mandatory setting [Patch 0003].
[Patch 0001]:
When initially running the scan, some sshd settings such as
PermitRootLogin were showing that they were set correctly. This patch should
fix those as well as hopefully address
https://fedorahosted.org/scap-security-guide/ticket/434
[Patch 0002]:
Adds support to check %gconf-tree.xml. If %gconf-tree.xml exists
(such as being deployed through Satellite), it takes precedence over any
directory containing a %gconf.xml file under
/etc/gconf/gconf.xml.mandatory. Plus having a single configuration file to
create/change/modify is always a plus. Could potentially help address
https://fedorahosted.org/scap-security-guide/ticket/282
[Patch 0003]:
This is a recommendation to move setting the gdm banner and login
settings from /var/lib/gdm to /etc/gconf/gconf.xml.mandatory. Reason for
this is that the /etc/gconf directory is the location for administrators to
set mandatory system policies over user set policies. Plus due to the gconf
order of processing/precedence, it would be recommended to set under /etc
rather than /var as anything set as a mandatory policy would be the default
no matter what was in /var/lib/gdm. If approved, would potentially address
https://fedorahosted.org/scap-security-guide/ticket/319
Thanks,
Gabe
From 1bbd0243217cf2d82a9176d1723fbf015898770c Mon Sep 17 00:00:00 2001
From: Gabe <[email protected]>
Date: Sun, 29 Jun 2014 17:34:10 -0600
Subject: [PATCH] Fix various ssh false positives
- Fix disabling root login false positive
- Fix disabling rhosts false positive
- Fix disabling host based authentication false positive
---
shared/oval/disable_host_auth.xml | 4 ++--
shared/oval/sshd_disable_rhosts.xml | 4 ++--
shared/oval/sshd_disable_root_login.xml | 4 ++--
3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/shared/oval/disable_host_auth.xml b/shared/oval/disable_host_auth.xml
index 6f4eb9d2309883cf7836cb8d7f2a49abbd9257a6..de51fd722fd8f3b42623dbe44c56b4fb7ef29f30 100644
--- a/shared/oval/disable_host_auth.xml
+++ b/shared/oval/disable_host_auth.xml
@@ -14,7 +14,7 @@
<extend_definition comment="sshd service is disabled"
definition_ref="service_sshd_disabled" />
<criterion comment="Check HostbasedAuthentication in /etc/ssh/sshd_config"
- test_ref="test_sshd_hostbasedauthentication" />
+ negate="true" test_ref="test_sshd_hostbasedauthentication" />
</criteria>
</definition>
<ind:textfilecontent54_test check="all" check_existence="none_exist"
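Review bot: the negate="true" added to the criterion, together with check_existence="none_exist" on the test (last line of this hunk), forms a double negative: the criterion is now true only when an explicit "HostbasedAuthentication no" line is present. A positive test (check_existence="at_least_one_exists", no negate on the criterion) states that intent directly and reads better in result reports; the same applies to the two other criteria in this patch.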
@@ -24,7 +24,7 @@
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="object_sshd_hostbasedauthentication" version="2">
<ind:filepath>/etc/ssh/sshd_config</ind:filepath>
- <ind:pattern operation="pattern match">^[\s]*(?i)HostbasedAuthentication(?-i)[\s]+yes[\s]*(?:|(?:#.*))?$</ind:pattern>
+ <ind:pattern operation="pattern match">^[\s]*(?i)HostbasedAuthentication(?-i)[\s]+no[\s]*(?:|(?:#.*))?$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
</def-group>
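Review bot: sshd already defaults HostbasedAuthentication to no, so hosts that relied on the default and passed before will now fail until the line is written explicitly; that is consistent with the explicit-value approach of the patch but should be reflected in the rule's remediation text. Style: in the new pattern the trailing `[\s]*(?:|(?:#.*))?$` carries a redundant empty alternative; `[\s]*(?:#.*)?$` is equivalent.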
diff --git a/shared/oval/sshd_disable_rhosts.xml b/shared/oval/sshd_disable_rhosts.xml
index cb59a1f48252f9c4137fb2097adb1fa67860f9bd..5d3eeb1766306c9177f53666cfe163544a1b1283 100644
--- a/shared/oval/sshd_disable_rhosts.xml
+++ b/shared/oval/sshd_disable_rhosts.xml
@@ -15,7 +15,7 @@
<extend_definition comment="sshd service is disabled"
definition_ref="service_sshd_disabled" />
<criterion comment="Check IgnoreRhosts in /etc/ssh/sshd_config"
- test_ref="test_sshd_rsh_emulation_disabled" />
+ negate="true" test_ref="test_sshd_rsh_emulation_disabled" />
</criteria>
</definition>
<ind:textfilecontent54_test check="all" check_existence="none_exist"
@@ -26,7 +26,7 @@
<ind:textfilecontent54_object id="obj_sshd_rsh_emulation_disabled"
version="2">
<ind:filepath>/etc/ssh/sshd_config</ind:filepath>
- <ind:pattern operation="pattern match">^[\s]*(?i)IgnoreRhosts(?-i)[\s]+no[\s]*(?:|(?:#.*))?$</ind:pattern>
+ <ind:pattern operation="pattern match">^[\s]*(?i)IgnoreRhosts(?-i)[\s]+yes[\s]*(?:|(?:#.*))?$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
</def-group>
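Review bot: IgnoreRhosts defaults to yes in sshd, so the old none_exist check for "IgnoreRhosts no" was already sound for an unmodified sshd_config; requiring an explicit "IgnoreRhosts yes" line is stricter and will fail default configs. That is fine if intended, but make sure the remediation for this rule adds the line rather than only removing a "no".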
diff --git a/shared/oval/sshd_disable_root_login.xml b/shared/oval/sshd_disable_root_login.xml
index 73c4906cd1d782594c37278e35b19ea4da82d662..6f8cede5efb375a9a8071e3a9927fcf6f612cba8 100644
--- a/shared/oval/sshd_disable_root_login.xml
+++ b/shared/oval/sshd_disable_root_login.xml
@@ -15,7 +15,7 @@
<extend_definition comment="sshd service is disabled"
definition_ref="service_sshd_disabled" />
<criterion comment="Check PermitRootLogin in /etc/ssh/sshd_config"
- test_ref="test_sshd_permitrootlogin_no" />
+ negate="true" test_ref="test_sshd_permitrootlogin_no" />
</criteria>
</definition>
<ind:textfilecontent54_test check="all" check_existence="none_exist"
@@ -25,7 +25,7 @@
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="obj_sshd_permitrootlogin_no" version="2">
<ind:filepath>/etc/ssh/sshd_config</ind:filepath>
- <ind:pattern operation="pattern match">^[\s]*(?i)PermitRootLogin(?-i)[\s]+yes[\s]*(?:|(?:#.*))?$</ind:pattern>
+ <ind:pattern operation="pattern match">^[\s]*(?i)PermitRootLogin(?-i)[\s]+no[\s]*(?:|(?:#.*))?$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
</def-group>
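Review bot: the new pattern accepts only the literal "no", so "PermitRootLogin without-password" (or "forced-commands-only"), which some sites set deliberately, now fails; say in the rule whether that is intended. Also, sshd uses the first occurrence of a keyword, while this pattern plus instance 1 matches a "no" line anywhere in the file, so a config with "PermitRootLogin yes" followed later by "PermitRootLogin no" (or a "no" inside a Match block) passes the check although root login stays enabled.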
--
1.9.3
From aae370aa6aa20db440919b8044716911869ea0dc Mon Sep 17 00:00:00 2001
From: Gabe <[email protected]>
Date: Sun, 29 Jun 2014 19:26:37 -0600
Subject: [PATCH] Add support for gconf-tree.xml
- Adds support for %gconf-tree.xml in the existing gconf oval checks as %gconf-tree.xml is the top of the gconf configuration order of precedence.
---
RHEL/6/input/checks/banner_gui_enabled.xml | 22 +++++++++++++-
.../input/checks/gconf_gnome_disable_automount.xml | 35 ++++++++++++++++++----
.../checks/gconf_gnome_disable_thumbnailers.xml | 19 ++++++++++--
...f_gnome_screensaver_idle_activation_enabled.xml | 19 ++++++++++--
.../checks/gconf_gnome_screensaver_idle_delay.xml | 13 ++++++++
.../gconf_gnome_screensaver_lock_enabled.xml | 12 ++++++++
.../checks/gconf_gnome_screensaver_mode_blank.xml | 19 ++++++++++--
7 files changed, 123 insertions(+), 16 deletions(-)
diff --git a/RHEL/6/input/checks/banner_gui_enabled.xml b/RHEL/6/input/checks/banner_gui_enabled.xml
index 4be3183ab33553fc159b63e09d2906f60ce43cfe..953cc298cc7771ef709a31b02eb452243b85acaa 100644
--- a/RHEL/6/input/checks/banner_gui_enabled.xml
+++ b/RHEL/6/input/checks/banner_gui_enabled.xml
@@ -10,7 +10,9 @@
</metadata>
<criteria operator="OR">
<extend_definition comment="gdm installed" definition_ref="package_gdm_installed" negate="true" />
- <criterion comment="check settings" test_ref="test_banner_gui_enabled" />
+ <criterion comment="check var settings" test_ref="test_banner_gui_enabled" />
+ <criterion comment="check etc settings tree" test_ref="test_tree_banner_gui_enabled" />
+ <criterion comment="check etc settings without tree" test_ref="test_no_tree_banner_gui_enabled" />
</criteria>
</definition>
<ind:xmlfilecontent_test check="all" comment="stuff" id="test_banner_gui_enabled" version="1">
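Review bot: the three criteria sit under operator="OR", so the precedence described in the cover letter is not enforced: a per-directory %gconf.xml with banner_message_enable true passes the rule even when a %gconf-tree.xml, which overrides it, sets the key to false. If the tree file is present only its value should count; that needs a file-existence test on the tree path combined as (tree present AND tree true) OR (tree absent AND %gconf.xml true).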
@@ -22,6 +24,24 @@
<ind:xpath>/gconf/entry[@name='banner_message_enable']/@value</ind:xpath>
</ind:xmlfilecontent_object>
+<ind:xmlfilecontent_test check="all" comment="checks for gconf-tree file" id="test_tree_banner_gui_enabled" version="1">
+ <ind:object object_ref="object_banner_message_enable_tree" />
+ <ind:state state_ref="state_banner_message_enable" />
+ </ind:xmlfilecontent_test>
+ <ind:xmlfilecontent_object id="object_banner_message_enable_tree" version="1">
+ <ind:filepath>/etc/gconf/gconf.xml.mandatory/%gconf-tree.xml</ind:filepath>
+ <ind:xpath>/gconf/dir/dir/dir/entry[@name='banner_message_enable']/@value</ind:xpath>
+ </ind:xmlfilecontent_object>
+
+ <ind:xmlfilecontent_test check="all" comment="checks for absent gconf-tree file" id="test_no_tree_banner_gui_enabled" version="1">
+ <ind:object object_ref="object_banner_message_enable_no_tree" />
+ <ind:state state_ref="state_banner_message_enable" />
+ </ind:xmlfilecontent_test>
+ <ind:xmlfilecontent_object id="object_banner_message_enable_no_tree" version="1">
+ <ind:filepath>/etc/gconf/gconf.xml.mandatory/apps/gdm/simple-greeter/%gconf.xml</ind:filepath>
+ <ind:xpath>/gconf/entry[@name='banner_message_enable']/@value</ind:xpath>
+ </ind:xmlfilecontent_object>
+
<ind:xmlfilecontent_state id="state_banner_message_enable" version="1">
<ind:value_of datatype="string">true</ind:value_of>
</ind:xmlfilecontent_state>
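Review bot: the XPath /gconf/dir/dir/dir/entry[@name='banner_message_enable'] is positional and matches an entry of that name under any three-level directory, not only apps/gdm/simple-greeter; qualify the steps, e.g. /gconf/dir[@name='apps']/dir[@name='gdm']/dir[@name='simple-greeter']/entry[@name='banner_message_enable']/@value. The comment "checks for absent gconf-tree file" on test_no_tree_banner_gui_enabled is misleading: the test reads the per-directory %gconf.xml, it does not check that the tree file is absent.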
diff --git a/RHEL/6/input/checks/gconf_gnome_disable_automount.xml b/RHEL/6/input/checks/gconf_gnome_disable_automount.xml
index f78fc898a67e460cb31579dd82592ea37f78200f..5d788d13faaf02b3180d58ff91cdfb9c17f2d29b 100644
--- a/RHEL/6/input/checks/gconf_gnome_disable_automount.xml
+++ b/RHEL/6/input/checks/gconf_gnome_disable_automount.xml
@@ -14,7 +14,9 @@
<criteria operator="OR">
<extend_definition comment="GConf2 installed" definition_ref="package_GConf2_installed" negate="true" />
<criterion comment="Disable automount in GNOME" test_ref="test_gconf_gnome_disable_automount" />
+ <criterion comment="Disable automount in GNOME" test_ref="test_gconf_tree_gnome_disable_automount" />
<criterion comment="Disable autorun in GNOME" test_ref="test_gconf_gnome_disable_automount_autorun" />
+ <criterion comment="Disable autorun in GNOME" test_ref="test_gconf_tree_gnome_disable_automount_autorun" />
</criteria>
</definition>
<ind:xmlfilecontent_test check="all" check_existence="all_exist"
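Review bot: the two new criteria reuse the comment strings of the ones directly above them ("Disable automount in GNOME", "Disable autorun in GNOME"), so the two sources cannot be told apart in result reports; append something like "(gconf-tree)". The same applies to the criteria added in the thumbnailers and screensaver files below.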
@@ -23,24 +25,45 @@
<ind:object object_ref="obj_gconf_gnome_disable_automount" />
<ind:state state_ref="state_gconf_gnome_disable_automount" />
</ind:xmlfilecontent_test>
- <ind:xmlfilecontent_state id="state_gconf_gnome_disable_automount" version="1">
- <ind:value_of datatype="string">false</ind:value_of>
- </ind:xmlfilecontent_state>
<ind:xmlfilecontent_object id="obj_gconf_gnome_disable_automount" version="1">
<ind:filepath>/etc/gconf/gconf.xml.mandatory/apps/nautilus/preferences/%gconf.xml</ind:filepath>
<ind:xpath>/gconf/entry[@name='media_automount']/@value</ind:xpath>
</ind:xmlfilecontent_object>
+
+ <ind:xmlfilecontent_test check="all" check_existence="all_exist" comment="Disable automount in GNOME" id="test_gconf_tree_gnome_disable_automount" version="1">
+ <ind:object object_ref="obj_gconf_tree_gnome_disable_automount" />
+ <ind:state state_ref="state_gconf_gnome_disable_automount" />
+ </ind:xmlfilecontent_test>
+ <ind:xmlfilecontent_object id="obj_gconf_tree_gnome_disable_automount" version="1">
+ <ind:filepath>/etc/gconf/gconf.xml.mandatory/%gconf-tree.xml</ind:filepath>
+ <ind:xpath>/gconf/dir/dir/dir/entry[@name='media_automount']/@value</ind:xpath>
+ </ind:xmlfilecontent_object>
+
+ <ind:xmlfilecontent_state id="state_gconf_gnome_disable_automount" version="1">
+ <ind:value_of datatype="string">false</ind:value_of>
+ </ind:xmlfilecontent_state>
+
<ind:xmlfilecontent_test check="all" check_existence="all_exist"
comment="Disable autorun in GNOME"
id="test_gconf_gnome_disable_automount_autorun" version="1">
<ind:object object_ref="obj_gconf_gnome_disable_automount_autorun" />
<ind:state state_ref="state_gconf_gnome_disable_automount_autorun" />
</ind:xmlfilecontent_test>
- <ind:xmlfilecontent_state id="state_gconf_gnome_disable_automount_autorun" version="1">
- <ind:value_of datatype="string">true</ind:value_of>
- </ind:xmlfilecontent_state>
<ind:xmlfilecontent_object id="obj_gconf_gnome_disable_automount_autorun" version="1">
<ind:filepath>/etc/gconf/gconf.xml.mandatory/apps/nautilus/preferences/%gconf.xml</ind:filepath>
<ind:xpath>/gconf/entry[@name='media_autorun_never']/@value</ind:xpath>
</ind:xmlfilecontent_object>
+
+ <ind:xmlfilecontent_test check="all" check_existence="all_exist" comment="Disable autorun in GNOME" id="test_gconf_tree_gnome_disable_automount_autorun" version="1">
+ <ind:object object_ref="obj_gconf_tree_gnome_disable_automount_autorun" />
+ <ind:state state_ref="state_gconf_gnome_disable_automount_autorun" />
+ </ind:xmlfilecontent_test>
+ <ind:xmlfilecontent_object id="obj_gconf_tree_gnome_disable_automount_autorun" version="1">
+ <ind:filepath>/etc/gconf/gconf.xml.mandatory/%gconf-tree.xml</ind:filepath>
+ <ind:xpath>/gconf/dir/dir/dir/entry[@name='media_autorun_never']/@value</ind:xpath>
+ </ind:xmlfilecontent_object>
+
+ <ind:xmlfilecontent_state id="state_gconf_gnome_disable_automount_autorun" version="1">
+ <ind:value_of datatype="string">true</ind:value_of>
+ </ind:xmlfilecontent_state>
</def-group>
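Review bot: moving the two xmlfilecontent_state elements from before to after their objects is a pure reorder that makes up about half of this hunk (and recurs in the thumbnailers and screensaver hunks); leaving the states where they were would make the functional addition easier to review. The new test/object pairs themselves look right, and the depth-three XPath does correspond to apps/nautilus/preferences.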
diff --git a/RHEL/6/input/checks/gconf_gnome_disable_thumbnailers.xml b/RHEL/6/input/checks/gconf_gnome_disable_thumbnailers.xml
index 80045a3772ddf9ba5b96527f8ab059c555c5b1aa..cca38f55bba54998c716652c7b1c54ec89f6b43e 100644
--- a/RHEL/6/input/checks/gconf_gnome_disable_thumbnailers.xml
+++ b/RHEL/6/input/checks/gconf_gnome_disable_thumbnailers.xml
@@ -14,6 +14,7 @@
<criteria operator="OR">
<extend_definition comment="GConf2 installed" definition_ref="package_GConf2_installed" negate="true" />
<criterion comment="Disable thumbnailers in GNOME" test_ref="test_gconf_gnome_disable_thumbnailers" />
+ <criterion comment="Disable thumbnailers in GNOME" test_ref="test_gconf_tree_gnome_disable_thumbnailers" />
</criteria>
</definition>
<ind:xmlfilecontent_test check="all" check_existence="all_exist"
@@ -22,11 +23,23 @@
<ind:object object_ref="obj_gconf_gnome_disable_thumbnailers" />
<ind:state state_ref="state_gconf_gnome_disable_thumbnailers" />
</ind:xmlfilecontent_test>
- <ind:xmlfilecontent_state id="state_gconf_gnome_disable_thumbnailers" version="1">
- <ind:value_of datatype="string">true</ind:value_of>
- </ind:xmlfilecontent_state>
<ind:xmlfilecontent_object id="obj_gconf_gnome_disable_thumbnailers" version="1">
<ind:filepath>/etc/gconf/gconf.xml.mandatory/desktop/gnome/thumbnailers/%gconf.xml</ind:filepath>
<ind:xpath>/gconf/entry[@name='disable_all']/@value</ind:xpath>
</ind:xmlfilecontent_object>
+
+ <ind:xmlfilecontent_test check="all" check_existence="all_exist"
+ comment="Disable thumbnailers in GNOME"
+ id="test_gconf_tree_gnome_disable_thumbnailers" version="1">
+ <ind:object object_ref="obj_gconf_tree_gnome_disable_thumbnailers" />
+ <ind:state state_ref="state_gconf_gnome_disable_thumbnailers" />
+ </ind:xmlfilecontent_test>
+ <ind:xmlfilecontent_object id="obj_gconf_tree_gnome_disable_thumbnailers" version="1">
+ <ind:filepath>/etc/gconf/gconf.xml.mandatory/%gconf-tree.xml</ind:filepath>
+ <ind:xpath>/gconf/dir/dir/dir/entry[@name='disable_all']/@value</ind:xpath>
+ </ind:xmlfilecontent_object>
+
+ <ind:xmlfilecontent_state id="state_gconf_gnome_disable_thumbnailers" version="1">
+ <ind:value_of datatype="string">true</ind:value_of>
+ </ind:xmlfilecontent_state>
</def-group>
diff --git a/RHEL/6/input/checks/gconf_gnome_screensaver_idle_activation_enabled.xml b/RHEL/6/input/checks/gconf_gnome_screensaver_idle_activation_enabled.xml
index 0d012a72c54b085e5eff4b8796dcfb1b6f6a306d..409806d48f18d171eaa0c9840e7ce61659234d44 100644
--- a/RHEL/6/input/checks/gconf_gnome_screensaver_idle_activation_enabled.xml
+++ b/RHEL/6/input/checks/gconf_gnome_screensaver_idle_activation_enabled.xml
@@ -12,6 +12,7 @@
<criteria operator="OR">
<extend_definition comment="GConf2 installed" definition_ref="package_GConf2_installed" negate="true" />
<criterion comment="gnome screensaver is activated on idle" test_ref="test_gnome_screensaver_idle_activated" />
+ <criterion comment="gnome screensaver is activated on idle" test_ref="test_gconf_tree_gnome_screensaver_idle_activated" />
</criteria>
</definition>
<ind:xmlfilecontent_test check="all"
@@ -20,11 +21,23 @@
<ind:object object_ref="object_gnome_screensaver_idle_activated" />
<ind:state state_ref="state_gnome_screensaver_idle_activated" />
</ind:xmlfilecontent_test>
- <ind:xmlfilecontent_state id="state_gnome_screensaver_idle_activated" version="1">
- <ind:value_of datatype="string">true</ind:value_of>
- </ind:xmlfilecontent_state>
<ind:xmlfilecontent_object id="object_gnome_screensaver_idle_activated" version="1">
<ind:filepath>/etc/gconf/gconf.xml.mandatory/apps/gnome-screensaver/%gconf.xml</ind:filepath>
<ind:xpath>/gconf/entry[@name='idle_activation_enabled']/@value</ind:xpath>
</ind:xmlfilecontent_object>
+
+ <ind:xmlfilecontent_test check="all"
+ comment="gnome screensaver is activated on idle"
+ id="test_gconf_tree_gnome_screensaver_idle_activated" version="1">
+ <ind:object object_ref="object_gconf_tree_gnome_screensaver_idle_activated" />
+ <ind:state state_ref="state_gnome_screensaver_idle_activated" />
+ </ind:xmlfilecontent_test>
+ <ind:xmlfilecontent_object id="object_gconf_tree_gnome_screensaver_idle_activated" version="1">
+ <ind:filepath>/etc/gconf/gconf.xml.mandatory/%gconf-tree.xml</ind:filepath>
+ <ind:xpath>/gconf/dir/dir/entry[@name='idle_activation_enabled']/@value</ind:xpath>
+ </ind:xmlfilecontent_object>
+
+ <ind:xmlfilecontent_state id="state_gnome_screensaver_idle_activated" version="1">
+ <ind:value_of datatype="string">true</ind:value_of>
+ </ind:xmlfilecontent_state>
</def-group>
diff --git a/RHEL/6/input/checks/gconf_gnome_screensaver_idle_delay.xml b/RHEL/6/input/checks/gconf_gnome_screensaver_idle_delay.xml
index 00f11df4095d35302e1a1ecf6f03e6ab399c8a56..619f77f841467bedbb64c140da23cb40f2d27015 100644
--- a/RHEL/6/input/checks/gconf_gnome_screensaver_idle_delay.xml
+++ b/RHEL/6/input/checks/gconf_gnome_screensaver_idle_delay.xml
@@ -12,6 +12,7 @@
<criteria operator="OR">
<extend_definition comment="GConf2 installed" definition_ref="package_GConf2_installed" negate="true" />
<criterion comment="check value of idle_delay in GCONF" test_ref="test_gnome_screensaver_idle_delay" />
+ <criterion comment="check value of idle_delay in GCONF" test_ref="test_gconf_tree_gnome_screensaver_idle_delay" />
</criteria>
</definition>
<ind:xmlfilecontent_test check="all"
@@ -24,6 +25,18 @@
<ind:filepath>/etc/gconf/gconf.xml.mandatory/desktop/gnome/session/%gconf.xml</ind:filepath>
<ind:xpath>/gconf/entry[@name='idle_delay']/@value</ind:xpath>
</ind:xmlfilecontent_object>
+
+ <ind:xmlfilecontent_test check="all"
+ comment="test screensaver timeout period"
+ id="test_gconf_tree_gnome_screensaver_idle_delay" version="1">
+ <ind:object object_ref="object_gconf_tree_gnome_screensaver_idle_delay" />
+ <ind:state state_ref="state_gnome_screensaver_idle_delay" />
+ </ind:xmlfilecontent_test>
+ <ind:xmlfilecontent_object id="object_gconf_tree_gnome_screensaver_idle_delay" version="1">
+ <ind:filepath>/etc/gconf/gconf.xml.mandatory/%gconf-tree.xml</ind:filepath>
+ <ind:xpath>/gconf/dir/dir/dir/entry[@name='idle_delay']/@value</ind:xpath>
+ </ind:xmlfilecontent_object>
+
<ind:xmlfilecontent_state comment="idle timeout"
id="state_gnome_screensaver_idle_delay" version="1">
<ind:value_of datatype="int" operation="less than or equal" var_check="all"
diff --git a/RHEL/6/input/checks/gconf_gnome_screensaver_lock_enabled.xml b/RHEL/6/input/checks/gconf_gnome_screensaver_lock_enabled.xml
index cc031fcf000167afc70ec1891171f048f2a5ec60..5ec09b4ef7187779823ff9353498678e4e9a9080 100644
--- a/RHEL/6/input/checks/gconf_gnome_screensaver_lock_enabled.xml
+++ b/RHEL/6/input/checks/gconf_gnome_screensaver_lock_enabled.xml
@@ -12,6 +12,7 @@
<criteria operator="OR">
<extend_definition comment="GConf2 installed" definition_ref="package_GConf2_installed" negate="true" />
<criterion comment="screensaver lock is enabled" test_ref="test_screensaver_lock_enabled" />
+ <criterion comment="screensaver lock is enabled" test_ref="test_gconf_tree_screensaver_lock_enabled" />
</criteria>
</definition>
<ind:xmlfilecontent_test check="all" comment="screensaver lock is enabled"
@@ -23,6 +24,17 @@
<ind:filepath>/etc/gconf/gconf.xml.mandatory/apps/gnome-screensaver/%gconf.xml</ind:filepath>
<ind:xpath>/gconf/entry[@name='lock_enabled']/@value</ind:xpath>
</ind:xmlfilecontent_object>
+
+ <ind:xmlfilecontent_test check="all" comment="screensaver lock is enabled"
+ id="test_gconf_tree_screensaver_lock_enabled" version="1">
+ <ind:object object_ref="object_gconf_tree_screensaver_lock_enabled" />
+ <ind:state state_ref="state_screensaver_lock_enabled" />
+ </ind:xmlfilecontent_test>
+ <ind:xmlfilecontent_object id="object_gconf_tree_screensaver_lock_enabled" version="1">
+ <ind:filepath>/etc/gconf/gconf.xml.mandatory/%gconf-tree.xml</ind:filepath>
+ <ind:xpath>/gconf/dir/dir/entry[@name='lock_enabled']/@value</ind:xpath>
+ </ind:xmlfilecontent_object>
+
<ind:xmlfilecontent_state id="state_screensaver_lock_enabled" version="1">
<ind:value_of datatype="string">true</ind:value_of>
</ind:xmlfilecontent_state>
diff --git a/RHEL/6/input/checks/gconf_gnome_screensaver_mode_blank.xml b/RHEL/6/input/checks/gconf_gnome_screensaver_mode_blank.xml
index 8229d71140cfa8fb3027ebe1d380f93e722a0767..d6bec8ecc15d08839a9d9e2f081417dc2ef71f30 100644
--- a/RHEL/6/input/checks/gconf_gnome_screensaver_mode_blank.xml
+++ b/RHEL/6/input/checks/gconf_gnome_screensaver_mode_blank.xml
@@ -11,6 +11,7 @@
<criteria operator="OR">
<extend_definition comment="GConf2 installed" definition_ref="package_GConf2_installed" negate="true" />
<criterion comment="gnome screensaver set to blank screen" test_ref="test_gnome_screensaver_mode" />
+ <criterion comment="gnome screensaver set to blank screen" test_ref="test_gconf_tree_gnome_screensaver_mode" />
</criteria>
</definition>
<ind:xmlfilecontent_test check="all"
@@ -19,11 +20,23 @@
<ind:object object_ref="object_gnome_screensaver_mode" />
<ind:state state_ref="state_gnome_screensaver_mode" />
</ind:xmlfilecontent_test>
- <ind:xmlfilecontent_state id="state_gnome_screensaver_mode" version="1">
- <ind:value_of datatype="string">blank-only</ind:value_of>
- </ind:xmlfilecontent_state>
<ind:xmlfilecontent_object id="object_gnome_screensaver_mode" version="1">
<ind:filepath>/etc/gconf/gconf.xml.mandatory/apps/gnome-screensaver/%gconf.xml</ind:filepath>
<ind:xpath>/gconf/entry[@name='mode']/stringvalue[1]/text()</ind:xpath>
</ind:xmlfilecontent_object>
+
+ <ind:xmlfilecontent_test check="all"
+ comment="gnome screensaver set to blank screen"
+ id="test_gconf_tree_gnome_screensaver_mode" version="1">
+ <ind:object object_ref="object_gconf_tree_gnome_screensaver_mode" />
+ <ind:state state_ref="state_gnome_screensaver_mode" />
+ </ind:xmlfilecontent_test>
+ <ind:xmlfilecontent_object id="object_gconf_tree_gnome_screensaver_mode" version="1">
+ <ind:filepath>/etc/gconf/gconf.xml.mandatory/%gconf-tree.xml</ind:filepath>
+ <ind:xpath>/gconf/dir/dir/entry[@name='mode']/stringvalue[1]/text()</ind:xpath>
+ </ind:xmlfilecontent_object>
+
+ <ind:xmlfilecontent_state id="state_gnome_screensaver_mode" version="1">
+ <ind:value_of datatype="string">blank-only</ind:value_of>
+ </ind:xmlfilecontent_state>
</def-group>
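Review bot: entry[@name='mode'] at depth two is the most collision-prone of the new XPaths: /gconf/dir/dir/entry[@name='mode'] also matches a "mode" key under any other two-level path in the tree file (for example another application under /apps). Because the test uses check="all" against the blank-only state, an unrelated "mode" key with another value makes the rule fail; qualify it as /gconf/dir[@name='apps']/dir[@name='gnome-screensaver']/entry[@name='mode']/stringvalue[1]/text().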
--
1.9.3
From 27cf684871cbf8609c20ee0a76e1b7d3fe43e351 Mon Sep 17 00:00:00 2001
From: Gabe <[email protected]>
Date: Sun, 29 Jun 2014 19:41:12 -0600
Subject: [PATCH] update gconftool recommendations for the gui banner
- Update remediation to make banner settings in gconf mandatory by root instead of the gdm user
---
RHEL/6/input/system/accounts/banners.xml | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/RHEL/6/input/system/accounts/banners.xml b/RHEL/6/input/system/accounts/banners.xml
index 0b8dc832ce8b496d76bea329f08a62c66bf49722..6e8aed40d39e2d595a88a96250cd0d68f73629fa 100644
--- a/RHEL/6/input/system/accounts/banners.xml
+++ b/RHEL/6/input/system/accounts/banners.xml
@@ -91,7 +91,8 @@ banner.
<description>
To enable displaying a login warning banner in the GNOME
Display Manager's login screen, run the following command:
-<pre>sudo -u gdm gconftool-2 \
+<pre># gconftool-2 --direct \
+ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
--type bool \
--set /apps/gdm/simple-greeter/banner_message_enable true</pre>
To display a banner, this setting must be enabled and then
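Review bot: `--direct` bypasses gconfd and writes the mandatory source on disk; the gconftool-2 man page states that it requires gconfd not to be running, so the description should say to stop the daemon first (`gconftool-2 --shutdown`) or a running daemon will not see the change. Also, the `#` root prompt replaces the `sudo` form of the removed line; choose one convention for all three commands in this file.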
@@ -117,14 +118,16 @@ process and facilitates possible legal action against attackers.
<description>
To set the text shown by the GNOME Display Manager
in the login screen, run the following command:
-<pre>sudo -u gdm gconftool-2 \
+<pre># gconftool-2 --direct \
+ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
--type string \
--set /apps/gdm/simple-greeter/banner_message_text \
"Text of the warning banner here"</pre>
When entering a warning banner that spans several lines, remember
to begin and end the string with <tt>"</tt>. This command writes
-directly to the file <tt>/var/lib/gdm/.gconf/apps/gdm/simple-greeter/%gconf.xml</tt>,
-and this file can later be edited directly if necessary.
+directly either to the <tt>/etc/gconf/gconf.xml.mandatory/%gconf-tree.xml</tt>
+if it exists or to the file <tt>/etc/gconf/gconf.xml.mandatory/apps/gdm/simple-greeter/%gconf.xml</tt>.
+Either of these files can later be edited directly if necessary.
</description>
<ocil clause="it does not">
To ensure the login warning banner text is properly set, run the following:
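Review bot: the new sentence "writes directly either to the <tt>...%gconf-tree.xml</tt> if it exists or to the file ..." leaves "the" dangling; suggest "either to <tt>/etc/gconf/gconf.xml.mandatory/%gconf-tree.xml</tt>, if that file exists, or to <tt>/etc/gconf/gconf.xml.mandatory/apps/gdm/simple-greeter/%gconf.xml</tt>". It would also help to state that the value is now a mandatory setting, so the gdm user's own setting under /var/lib/gdm can no longer override it, which is the reason for the change given in the cover letter.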
@@ -148,7 +151,8 @@ directly into the system are greeted with a login screen that displays
all known users. This functionality should be disabled.
<br /><br />
Run the following command to disable the user list:
-<pre>sudo -u gdm gconftool-2 \
+<pre># gconftool-2 --direct \
+ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
--type bool \
--set /apps/gdm/simple-greeter/disable_user_list true</pre>
</description>
--
1.9.3
--
SCAP Security Guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
https://github.com/OpenSCAP/scap-security-guide/
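The gconf precedence described in the cover letter, as an added example that is not part of the original post or of SSG: a small resolver that reads the mandatory source the way patch 0002's checks do, with constructed XML standing in for the real files; `lookup_positional` mirrors the patch's positional XPath form and `lookup_tree` the name-qualified form, and `resolve_mandatory` applies the tree-file-wins rule. All file contents and names below are constructed samples.

```python
"""Resolve a GConf key from the mandatory source with the precedence the
cover letter describes: %gconf-tree.xml wins when present, otherwise the
per-directory %gconf.xml is read.  Added example, not SSG code; every file
below is a constructed sample standing in for /etc/gconf/gconf.xml.mandatory."""
import xml.etree.ElementTree as ET

# Constructed %gconf-tree.xml: the whole tree in one file, dirs carry @name.
GCONF_TREE_XML = """<gconf>
  <dir name="apps">
    <dir name="gdm">
      <dir name="simple-greeter">
        <entry name="banner_message_enable" type="bool" value="true"/>
      </dir>
    </dir>
    <dir name="gnome-screensaver">
      <entry name="mode" type="string"><stringvalue>blank-only</stringvalue></entry>
    </dir>
    <dir name="other-app">
      <entry name="mode" type="string"><stringvalue>fancy</stringvalue></entry>
    </dir>
  </dir>
</gconf>"""

# Constructed apps/gdm/simple-greeter/%gconf.xml with a conflicting value.
GCONF_DIR_XML = """<gconf>
  <entry name="banner_message_enable" type="bool" value="false"/>
</gconf>"""

# Two constructed "mandatory" directories: relative path -> file contents.
MANDATORY_WITH_TREE = {"%gconf-tree.xml": GCONF_TREE_XML,
                       "apps/gdm/simple-greeter/%gconf.xml": GCONF_DIR_XML}
MANDATORY_NO_TREE = {"apps/gdm/simple-greeter/%gconf.xml": GCONF_DIR_XML}


def entry_value(entry):
    """bool/int entries carry @value; string entries use <stringvalue>."""
    if entry is None:
        return None
    if entry.get("value") is not None:
        return entry.get("value")
    sv = entry.find("stringvalue")
    return sv.text if sv is not None else None


def lookup_tree(tree_xml, key):
    """Name-qualified walk of %gconf-tree.xml: /gconf/dir[@name=..]/.../entry."""
    node = ET.fromstring(tree_xml)
    parts = key.strip("/").split("/")
    for name in parts[:-1]:
        node = node.find(f"dir[@name='{name}']")
        if node is None:
            return None
    return entry_value(node.find(f"entry[@name='{parts[-1]}']"))


def lookup_positional(tree_xml, key):
    """The patch's positional form, /gconf/dir/dir/entry[@name=..]: returns
    every value at that depth with that name, whatever the dirs are called."""
    root = ET.fromstring(tree_xml)
    parts = key.strip("/").split("/")
    steps = ["."] + ["dir"] * (len(parts) - 1) + [f"entry[@name='{parts[-1]}']"]
    return [entry_value(e) for e in root.findall("/".join(steps))]


def resolve_mandatory(files, key):
    """Value of key in the mandatory source; None if it is not set there."""
    if "%gconf-tree.xml" in files:          # tree file takes precedence
        return lookup_tree(files["%gconf-tree.xml"], key)
    parts = key.strip("/").split("/")
    per_dir = files.get("/".join(parts[:-1]) + "/%gconf.xml")
    if per_dir is None:
        return None
    return entry_value(ET.fromstring(per_dir).find(f"entry[@name='{parts[-1]}']"))


if __name__ == "__main__":
    key = "/apps/gdm/simple-greeter/banner_message_enable"
    print("with tree:", resolve_mandatory(MANDATORY_WITH_TREE, key))  # true
    print("no tree:  ", resolve_mandatory(MANDATORY_NO_TREE, key))    # false
    # positional form picks up the unrelated other-app "mode" key as well
    print(lookup_positional(GCONF_TREE_XML, "/apps/gnome-screensaver/mode"))
```

The positional call returns both `blank-only` and `fancy`, which is exactly the collision a check="all" test against a single state would trip over.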