If you've run into this situation, however unusual, then your rationale makes sense to me. ACK.
- Maura Dailey
On 04/25/2014 11:34 AM, Paul Tittle (Contractor) wrote:
Maura,
That's a good observation. However, I have run across a use-case where GConf2 is installed but gdm isn't: you can have vnc sessions that use gnome-session. The other gconf checks are needed for that machine, but the gdm one isn't. So I think it may be necessary to have a separate gdm package check.
On 4/25/14 11:17 AM, Maura Dailey wrote:
I have an open question that you and others can weigh in on. Should we introduce a new check, package_gdm_installed? Or is it sufficient to rely on the existing check GConf2, which has gdm as a dependency? I had this dilemma when I submitted the other more closely related GConf2 dependent checks, which is why I skipped the gui banner check.
- Maura Dailey
On 04/25/2014 10:47 AM, Paul Tittle wrote:
RHEL/6/input/checks/banner_gui_enabled.xml | 3 +- RHEL/6/input/checks/package_gdm_installed.xml | 26 ++++++++++++++++++++ .../input/checks/templates/packages_installed.csv | 1 + RHEL/6/input/fixes/bash/package_gdm_installed.sh | 1 + 4 files changed, 30 insertions(+), 1 deletions(-) create mode 100644 RHEL/6/input/checks/package_gdm_installed.xml create mode 100644 RHEL/6/input/fixes/bash/package_gdm_installed.sh
diff --git a/RHEL/6/input/checks/banner_gui_enabled.xml b/RHEL/6/input/checks/banner_gui_enabled.xml index a6c147c..4be3183 100644 --- a/RHEL/6/input/checks/banner_gui_enabled.xml +++ b/RHEL/6/input/checks/banner_gui_enabled.xml @@ -8,7 +8,8 @@ <description>Enable the GUI warning banner.</description> <reference source="rmercer" ref_id="20131104" ref_url="test_attestation" /> </metadata>
<criteria>
<criteria operator="OR">
<extend_definition comment="gdm installed"
definition_ref="package_gdm_installed" negate="true" /> <criterion comment="check settings" test_ref="test_banner_gui_enabled" /> </criteria> </definition> diff --git a/RHEL/6/input/checks/package_gdm_installed.xml b/RHEL/6/input/checks/package_gdm_installed.xml new file mode 100644 index 0000000..b9ea21f --- /dev/null +++ b/RHEL/6/input/checks/package_gdm_installed.xml @@ -0,0 +1,26 @@ +<def-group>
- <!-- THIS FILE IS GENERATED by create_package_installed.py. DO
NOT EDIT. -->
- <definition class="compliance" id="package_gdm_installed"
- version="1">
<metadata>
<title>Package gdm Installed</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
<description>The RPM package gdm should be
installed.</description>
<reference source="swells" ref_id="20130829"
ref_url="test_attestation"/>
</metadata>
<criteria>
<criterion comment="package gdm is installed"
test_ref="test_package_gdm_installed" />
</criteria>
</definition>
- <linux:rpminfo_test check="all" check_existence="all_exist"
- id="test_package_gdm_installed" version="1"
- comment="package gdm is installed">
- <linux:object object_ref="obj_package_gdm_installed" />
- </linux:rpminfo_test>
- <linux:rpminfo_object id="obj_package_gdm_installed" version="1">
- linux:namegdm</linux:name>
- </linux:rpminfo_object>
+</def-group> diff --git a/RHEL/6/input/checks/templates/packages_installed.csv b/RHEL/6/input/checks/templates/packages_installed.csv index 6dfc406..ef6e737 100644 --- a/RHEL/6/input/checks/templates/packages_installed.csv +++ b/RHEL/6/input/checks/templates/packages_installed.csv @@ -2,6 +2,7 @@ aide audit cronie GConf2 +gdm iptables iptables-ipv6 irqbalance diff --git a/RHEL/6/input/fixes/bash/package_gdm_installed.sh b/RHEL/6/input/fixes/bash/package_gdm_installed.sh new file mode 100644 index 0000000..b5025fa --- /dev/null +++ b/RHEL/6/input/fixes/bash/package_gdm_installed.sh @@ -0,0 +1 @@ +yum -y install gdm
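Review bot: In banner_gui_enabled.xml the new extend_definition is labelled comment="gdm installed" while it also sets negate="true", so the branch is satisfied when gdm is absent and the comment states the opposite of what is evaluated. Since that comment is what shows up next to the result under the operator="OR" criteria, suggest wording it as the negated condition, for example comment="gdm not installed", so a pass on a machine without gdm reads correctly in the report.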
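Review bot: In the new package_gdm_installed.xml, the metadata carries reference source="swells" ref_id="20130829" ref_url="test_attestation", which names someone other than the submitter and a date earlier than this patch. The header says the file is generated by create_package_installed.py, so this presumably comes from the generator rather than from a test of this check; worth confirming that a carried-over attestation is acceptable for a newly added definition. The description "The RPM package gdm should be installed." also reads as a requirement, while the only use visible in this patch is the negated reference from banner_gui_enabled.xml.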
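Review bot: The new fixes/bash/package_gdm_installed.sh remediates with "yum -y install gdm", but the only consumer of package_gdm_installed visible in this patch references it with negate="true", as a condition under which the banner check does not apply. A fix that installs gdm works against that use: on a machine that deliberately has no gdm it would add a display manager. Suggest dropping the fix script, or stating where this definition is expected to be used as a rule in its own right.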
scap-security-guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide