Hi Frank,

Thank you for the reply. I see you're running your resolution using both gsettings overrides and dconf. I was particularly looking at this remediation for my example with the idle-delay:
https://github.com/OpenSCAP/scap-security-guide/blob/master/RHEL/7/input/remediations/bash/dconf_gnome_screensaver_idle_delay.sh

...and this OVAL document:
https://github.com/OpenSCAP/scap-security-guide/blob/master/shared/oval/dconf_gnome_screensaver_idle_delay.xml

Prior to reviewing the OpenSCAP GNOME items, I had written my own remediation based on the EL6 DISA STIG, interpreting and translating as best I could. I placed it at the "site" level instead of local. I did so because it seemed less likely to be overridden. Someone would have to have access to place a file which would be parsed after mine in the site.d folder.

Anyway, it does seem that the current Security Guide remediation and OVAL check leave room for the presence of a finding that would pass the test anyway. Sort of like running the EL6 iptables remediation against EL7 - the remediation runs without error, SCAP test for EL6 does not produce a Finding, and yet since firewalld is running an INPUT ACCEPT policy.

P.S. We are using Puppet and Foreman in our project - I'm not sure if your kickstarts are driven toward Satellite 6, but with Foreman's OpenSCAP plugin, a good Puppet module to apply the STIG seems like a great match (although I haven't gotten the OpenSCAP plugin working yet with the DISA STIG). Provisioning makes for a great start, and Puppet keeps it that way through the system's lifecycle.
