From dhaynes at mitre.org Thu Aug 20 11:36:00 2015
Content-Type: multipart/mixed; boundary="===============0354293428912558388=="
MIME-Version: 1.0
From: Haynes, Dan <dhaynes at mitre.org>
To: scap-security-guide at lists.fedorahosted.org
Subject: RE: [PATCH] Rewrote various GConf checks to standardize on
 xmlfilecontent	tests and ensured they were actually checking the correct
 location	(gconf.xml.mandatory, not gconf.xml.defaults).
Date: Mon, 16 Dec 2013 17:46:58 +0000
Message-ID: <6A1F6FD3001BDD40A94503E2223CEBD50AE0A0AF@IMCMBX03.MITRE.ORG>
In-Reply-To: 52AF3331.3070200@eclipse.ncsc.mil

--===============0354293428912558388==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable

For the GConf checks, it looks like the content first used the ind-def:text=
filecontent54_test and was just updated to use the ind-def:xmlfilecontent_t=
est which seems like a good improvement to me. =


Just curious, has anyone considered using the unix-def:gconf_test (http://o=
val.mitre.org/language/version5.10.1/ovaldefinition/documentation/unix-defi=
nitions-schema.html#gconf_test)?  If so, are there any problems with the gc=
onf_test that make using the ind-def:xmlfilecontent_test more desirable?  T=
his seems to be a good opportunity for me to get some feedback on the usabi=
lity of the unix-def:gconf_test from an OVAL content authoring perspective =
:).

Thanks,

Danny

>-----Original Message-----	=

>From: scap-security-guide-bounces(a)lists.fedorahosted.org [mailto:scap-
>security-guide-bounces(a)lists.fedorahosted.org] On Behalf Of Maura Dailey
>Sent: Monday, December 16, 2013 12:07 PM
>To: scap-security-guide(a)lists.fedorahosted.org
>Subject: Re: [PATCH] Rewrote various GConf checks to standardize on
>xmlfilecontent tests and ensured they were actually checking the correct
>location (gconf.xml.mandatory, not gconf.xml.defaults).
>
>I pushed it!
>
>- Maura Dailey
>
>On 12/16/2013 11:59 AM, Shawn Wells wrote:
>> On 12/16/13, 11:43 AM, Maura Dailey wrote:
>>> I've been out sick, but I noticed that no one seems to have looked at
>>> this one. Let me know if I can push this or if I need to change
>>> something.
>>>
>>> Thanks,
>>> Maura Dailey
>>>
>>> On 11/25/2013 04:02 PM, Maura Dailey wrote:
>>>> Signed-off-by: Maura Dailey <maura(a)eclipse.ncsc.mil>
>>>> ---
>>>>   .../input/checks/gconf_gnome_disable_automount.xml |   59
>>>> +++++++++++---------
>>>>   .../checks/gconf_gnome_disable_thumbnailers.xml    |   34 ++++++-----
>>>>   ...f_gnome_screensaver_idle_activation_enabled.xml |   19 ++++--
>>>>   .../checks/gconf_gnome_screensaver_idle_delay.xml  |   24 +++++---
>>>>   .../gconf_gnome_screensaver_lock_enabled.xml       |   14 +++--
>>>>   .../checks/gconf_gnome_screensaver_mode_blank.xml  |   12 +++-
>>>>   RHEL6/input/checks/package_GConf2_installed.xml    |   26 +++++++++
>>>>   .../input/checks/templates/packages_installed.csv  |    1 +
>>>>   RHEL6/input/fixes/bash/package_GConf2_installed.sh |    1 +
>>>>   9 files changed, 124 insertions(+), 66 deletions(-)
>>>>   create mode 100644 RHEL6/input/checks/package_GConf2_installed.xml
>>>>   create mode 100644
>RHEL6/input/fixes/bash/package_GConf2_installed.sh
>>>>
>>>> diff --git a/RHEL6/input/checks/gconf_gnome_disable_automount.xml
>>>> b/RHEL6/input/checks/gconf_gnome_disable_automount.xml
>>>> index e2e7efc..f78fc89 100644
>>>> --- a/RHEL6/input/checks/gconf_gnome_disable_automount.xml
>>>> +++ b/RHEL6/input/checks/gconf_gnome_disable_automount.xml
>>>> @@ -1,41 +1,46 @@
>>>>   <def-group>
>>>> -  <definition class=3D"compliance"
>>>> -  id=3D"gconf_gnome_disable_automount" version=3D"1">
>>>> +  <definition class=3D"compliance" id=3D"gconf_gnome_disable_automoun=
t"
>>>> version=3D"1">
>>>>       <metadata>
>>>>         <title>Disable GNOME Automounting</title>
>>>>         <affected family=3D"unix">
>>>>           <platform>Red Hat Enterprise Linux 6</platform>
>>>>         </affected>
>>>> -      <description>The system's default desktop environment, GNOME,
>>>> will mount devices and removable media (such as DVDs, CDs and USB
>>>> flash drives) whenever they are inserted into the system.  Disable
>>>> automount and autorun within GNOME.</description>
>>>> +      <description>The system's default desktop environment, GNOME,
>>>> will mount
>>>> +      devices and removable media (such as DVDs, CDs and USB flash
>>>> drives)
>>>> +      whenever they are inserted into the system. Disable automount
>>>> and autorun
>>>> +      within GNOME.</description>
>>>> +      <reference source=3D"MED" ref_id=3D"20131125"
>>>> ref_url=3D"test_attestation" />
>>>>       </metadata>
>>>> -    <criteria operator=3D"AND">
>>>> +    <criteria operator=3D"OR">
>>>> +      <extend_definition comment=3D"GConf2 installed"
>>>> definition_ref=3D"package_GConf2_installed" negate=3D"true" />
>>>>         <criterion comment=3D"Disable automount in GNOME"
>>>> test_ref=3D"test_gconf_gnome_disable_automount" />
>>>> -      <criterion comment=3D"Disable autorun in GNOME"
>>>> test_ref=3D"test_gconf_gnome_disable_automount_autorun" />
>>>> +      <criterion comment=3D"Disable autorun in GNOME"
>>>> test_ref=3D"test_gconf_gnome_disable_automount_autorun" />
>>>>       </criteria>
>>>>     </definition>
>>>> -
>>>> -  <ind:textfilecontent54_test check=3D"all" check_existence=3D"all_ex=
ist"
>>>> -  comment=3D"Disable automount in GNOME"
>>>> -  id=3D"test_gconf_gnome_disable_automount" version=3D"1">
>>>> +  <ind:xmlfilecontent_test check=3D"all" check_existence=3D"all_exist"
>>>> +  comment=3D"Disable automount in GNOME"
>>>> id=3D"test_gconf_gnome_disable_automount"
>>>> +  version=3D"1">
>>>>       <ind:object object_ref=3D"obj_gconf_gnome_disable_automount" />
>>>> -  </ind:textfilecontent54_test>
>>>> -  <ind:textfilecontent54_object
>>>> id=3D"obj_gconf_gnome_disable_automount" version=3D"1">
>>>> -
>>>>
><ind:path>/etc/gconf/gconf.xml.mandatory/apps/nautilus/preferences</ind:p
>ath>
>>>> -    <ind:filename>%gconf.xml</ind:filename>
>>>> -    <ind:pattern operation=3D"pattern
>>>>
>match">^\s*.entry\s+name=3D"media_automount"\s+mtime=3D"\d+"\s+type=3D"bo
>ol"\s+value=3D"false"\/.$</ind:pattern>
>>>> -    <ind:instance datatype=3D"int">1</ind:instance>
>>>> -  </ind:textfilecontent54_object>
>>>> -
>>>> -  <ind:textfilecontent54_test check=3D"all" check_existence=3D"all_ex=
ist"
>>>> -  comment=3D"Disable autorun in GNOME"
>>>> +    <ind:state state_ref=3D"state_gconf_gnome_disable_automount" />
>>>> +  </ind:xmlfilecontent_test>
>>>> +  <ind:xmlfilecontent_state
>>>> id=3D"state_gconf_gnome_disable_automount" version=3D"1">
>>>> +    <ind:value_of datatype=3D"string">false</ind:value_of>
>>>> +  </ind:xmlfilecontent_state>
>>>> +  <ind:xmlfilecontent_object id=3D"obj_gconf_gnome_disable_automount"
>>>> version=3D"1">
>>>> +
>>>>
><ind:filepath>/etc/gconf/gconf.xml.mandatory/apps/nautilus/preferences/%g
>conf.xml</ind:filepath>
>>>> +
><ind:xpath>/gconf/entry[@name=3D'media_automount']/@value</ind:xpath>
>>>> +  </ind:xmlfilecontent_object>
>>>> +  <ind:xmlfilecontent_test check=3D"all" check_existence=3D"all_exist"
>>>> +  comment=3D"Disable autorun in GNOME"
>>>>     id=3D"test_gconf_gnome_disable_automount_autorun" version=3D"1">
>>>>       <ind:object
>>>> object_ref=3D"obj_gconf_gnome_disable_automount_autorun" />
>>>> -  </ind:textfilecontent54_test>
>>>> -  <ind:textfilecontent54_object
>>>> id=3D"obj_gconf_gnome_disable_automount_autorun" version=3D"1">
>>>> -
>>>>
><ind:path>/etc/gconf/gconf.xml.mandatory/apps/nautilus/preferences</ind:p
>ath>
>>>> -    <ind:filename>%gconf.xml</ind:filename>
>>>> -    <ind:pattern operation=3D"pattern
>>>>
>match">^\s*.entry\s+name=3D"media_autorun_never"\s+mtime=3D"\d+"\s+type=3D
>"bool"\s+value=3D"true"\/.$</ind:pattern>
>>>> -    <ind:instance datatype=3D"int">1</ind:instance>
>>>> -  </ind:textfilecontent54_object>
>>>> -
>>>> +    <ind:state
>>>> state_ref=3D"state_gconf_gnome_disable_automount_autorun" />
>>>> +  </ind:xmlfilecontent_test>
>>>> +  <ind:xmlfilecontent_state
>>>> id=3D"state_gconf_gnome_disable_automount_autorun" version=3D"1">
>>>> +    <ind:value_of datatype=3D"string">true</ind:value_of>
>>>> +  </ind:xmlfilecontent_state>
>>>> +  <ind:xmlfilecontent_object
>>>> id=3D"obj_gconf_gnome_disable_automount_autorun" version=3D"1">
>>>> +
>>>>
><ind:filepath>/etc/gconf/gconf.xml.mandatory/apps/nautilus/preferences/%g
>conf.xml</ind:filepath>
>>>> +
>>>>
><ind:xpath>/gconf/entry[@name=3D'media_autorun_never']/@value</ind:xpat
>h>
>>>> +  </ind:xmlfilecontent_object>
>>>>   </def-group>
>>>> diff --git a/RHEL6/input/checks/gconf_gnome_disable_thumbnailers.xml
>>>> b/RHEL6/input/checks/gconf_gnome_disable_thumbnailers.xml
>>>> index 72bf086..80045a3 100644
>>>> --- a/RHEL6/input/checks/gconf_gnome_disable_thumbnailers.xml
>>>> +++ b/RHEL6/input/checks/gconf_gnome_disable_thumbnailers.xml
>>>> @@ -1,28 +1,32 @@
>>>>   <def-group>
>>>> -  <definition class=3D"compliance"
>>>> -  id=3D"gconf_gnome_disable_thumbnailers" version=3D"1">
>>>> +  <definition class=3D"compliance"
>>>> id=3D"gconf_gnome_disable_thumbnailers" version=3D"1">
>>>>       <metadata>
>>>>         <title>Disable All GNOME Thumbnailers</title>
>>>>         <affected family=3D"unix">
>>>>           <platform>Red Hat Enterprise Linux 6</platform>
>>>>         </affected>
>>>> -      <description>The system's default desktop environment, GNOME,
>>>> uses a number of different thumbnailer programs to generate
>>>> thumbnails for any new or modified content in an opened folder.
>>>> Disable the execution of these thumbnail applications within
>>>> GNOME.</description>
>>>> +      <description>The system's default desktop environment, GNOME,
>>>> uses a
>>>> +      number of different thumbnailer programs to generate
>>>> thumbnails for any
>>>> +      new or modified content in an opened folder. Disable the
>>>> execution of
>>>> +      these thumbnail applications within GNOME.</description>
>>>> +      <reference source=3D"MED" ref_id=3D"20131125"
>>>> ref_url=3D"test_attestation" />
>>>>       </metadata>
>>>> -    <criteria>
>>>> +    <criteria operator=3D"OR">
>>>> +      <extend_definition comment=3D"GConf2 installed"
>>>> definition_ref=3D"package_GConf2_installed" negate=3D"true" />
>>>>         <criterion comment=3D"Disable thumbnailers in GNOME"
>>>> test_ref=3D"test_gconf_gnome_disable_thumbnailers" />
>>>>       </criteria>
>>>>     </definition>
>>>> -
>>>> -  <ind:textfilecontent54_test check=3D"all" check_existence=3D"none_e=
xist"
>>>> -  comment=3D"Disable thumbnailers in GNOME"
>>>> +  <ind:xmlfilecontent_test check=3D"all" check_existence=3D"all_exist"
>>>> +  comment=3D"Disable thumbnailers in GNOME"
>>>>     id=3D"test_gconf_gnome_disable_thumbnailers" version=3D"1">
>>>>       <ind:object object_ref=3D"obj_gconf_gnome_disable_thumbnailers" =
/>
>>>> -  </ind:textfilecontent54_test>
>>>> -  <ind:textfilecontent54_object
>>>> id=3D"obj_gconf_gnome_disable_thumbnailers" version=3D"1">
>>>> -
>>>>
><ind:path>/etc/gconf/gconf.xml.mandatory/desktop/gnome/thumbnailers</i
>nd:path>
>>>> -    <ind:filename>%gconf.xml</ind:filename>
>>>> -    <ind:pattern operation=3D"pattern
>>>>
>match">^\s*.entry\s+name=3D"disable_all"\s+mtime=3D"\d+"\s+type=3D"bool"\s=
+va
>lue=3D"true"\/.$</ind:pattern>
>>>> -    <ind:instance datatype=3D"int">1</ind:instance>
>>>> -  </ind:textfilecontent54_object>
>>>> -
>>>> +    <ind:state state_ref=3D"state_gconf_gnome_disable_thumbnailers" />
>>>> +  </ind:xmlfilecontent_test>
>>>> +  <ind:xmlfilecontent_state
>>>> id=3D"state_gconf_gnome_disable_thumbnailers" version=3D"1">
>>>> +    <ind:value_of datatype=3D"string">true</ind:value_of>
>>>> +  </ind:xmlfilecontent_state>
>>>> +  <ind:xmlfilecontent_object
>>>> id=3D"obj_gconf_gnome_disable_thumbnailers" version=3D"1">
>>>> +
>>>>
><ind:filepath>/etc/gconf/gconf.xml.mandatory/desktop/gnome/thumbnailers
>/%gconf.xml</ind:filepath>
>>>> + <ind:xpath>/gconf/entry[@name=3D'disable_all']/@value</ind:xpath>
>>>> +  </ind:xmlfilecontent_object>
>>>>   </def-group>
>>>> diff --git
>>>>
>a/RHEL6/input/checks/gconf_gnome_screensaver_idle_activation_enabled.xm
>l
>>>>
>b/RHEL6/input/checks/gconf_gnome_screensaver_idle_activation_enabled.x
>ml
>>>>
>>>> index 5776014..0d012a7 100644
>>>> ---
>>>>
>a/RHEL6/input/checks/gconf_gnome_screensaver_idle_activation_enabled.xm
>l
>>>>
>>>> +++
>>>>
>b/RHEL6/input/checks/gconf_gnome_screensaver_idle_activation_enabled.x
>ml
>>>>
>>>> @@ -5,21 +5,26 @@
>>>>         <affected family=3D"unix">
>>>>           <platform>Red Hat Enterprise Linux 6</platform>
>>>>         </affected>
>>>> -      <description>Idle activation of the screen saver should be
>>>> enabled.</description>
>>>> +      <description>Idle activation of the screen saver should be
>>>> +      enabled.</description>
>>>> +      <reference source=3D"MED" ref_id=3D"20131125"
>>>> ref_url=3D"test_attestation" />
>>>>       </metadata>
>>>> -    <criteria>
>>>> +    <criteria operator=3D"OR">
>>>> +      <extend_definition comment=3D"GConf2 installed"
>>>> definition_ref=3D"package_GConf2_installed" negate=3D"true" />
>>>>         <criterion comment=3D"gnome screensaver is activated on idle"
>>>> test_ref=3D"test_gnome_screensaver_idle_activated" />
>>>>       </criteria>
>>>>     </definition>
>>>> -  <ind:xmlfilecontent_test check=3D"all" comment=3D"gnome screensaver
>>>> is activated on idle" id=3D"test_gnome_screensaver_idle_activated"
>>>> version=3D"1">
>>>> +  <ind:xmlfilecontent_test check=3D"all"
>>>> +  comment=3D"gnome screensaver is activated on idle"
>>>> +  id=3D"test_gnome_screensaver_idle_activated" version=3D"1">
>>>>       <ind:object
>>>> object_ref=3D"object_gnome_screensaver_idle_activated" />
>>>> -    <ind:state state_ref=3D"state_activated_on_idle" />
>>>> +    <ind:state state_ref=3D"state_gnome_screensaver_idle_activated" />
>>>>     </ind:xmlfilecontent_test>
>>>> -  <ind:xmlfilecontent_state id=3D"state_activated_on_idle" version=3D=
"1">
>>>> +  <ind:xmlfilecontent_state
>>>> id=3D"state_gnome_screensaver_idle_activated" version=3D"1">
>>>>       <ind:value_of datatype=3D"string">true</ind:value_of>
>>>>     </ind:xmlfilecontent_state>
>>>>     <ind:xmlfilecontent_object
>>>> id=3D"object_gnome_screensaver_idle_activated" version=3D"1">
>>>> -
>>>> <ind:filepath>/etc/gconf/gconf.xml.defaults/%gconf-
>tree.xml</ind:filepath>
>>>> -
>>>>
><ind:xpath>/gconf/dir[@name=3D'schemas']/dir[@name=3D'apps']/dir[@name=3D'=
gn
>ome-
>screensaver']/entry[@name=3D'idle_activation_enabled']/local_schema[1]/def=
au
>lt[1]/@value</ind:xpath>
>>>> +
>>>> <ind:filepath>/etc/gconf/gconf.xml.mandatory/apps/gnome-
>screensaver/%gconf.xml</ind:filepath>
>>>> +
>>>>
><ind:xpath>/gconf/entry[@name=3D'idle_activation_enabled']/@value</ind:xpa
>th>
>>>>     </ind:xmlfilecontent_object>
>>>>   </def-group>
>>>> diff --git
>>>> a/RHEL6/input/checks/gconf_gnome_screensaver_idle_delay.xml
>>>> b/RHEL6/input/checks/gconf_gnome_screensaver_idle_delay.xml
>>>> index 70cc1c2..c77e608 100644
>>>> --- a/RHEL6/input/checks/gconf_gnome_screensaver_idle_delay.xml
>>>> +++ b/RHEL6/input/checks/gconf_gnome_screensaver_idle_delay.xml
>>>> @@ -5,22 +5,30 @@
>>>>         <affected family=3D"unix">
>>>>           <platform>Red Hat Enterprise Linux 6</platform>
>>>>         </affected>
>>>> -      <description>The allowed period of inactivity before the
>>>> screensaver is activated.</description>
>>>> +      <description>The allowed period of inactivity before the
>>>> screensaver is
>>>> +      activated.</description>
>>>> +      <reference source=3D"MED" ref_id=3D"20131125"
>>>> ref_url=3D"test_attestation" />
>>>>       </metadata>
>>>> -    <criteria>
>>>> +    <criteria operator=3D"OR">
>>>> +      <extend_definition comment=3D"GConf2 installed"
>>>> definition_ref=3D"package_GConf2_installed" negate=3D"true" />
>>>>         <criterion comment=3D"check value of idle_delay in GCONF"
>>>> test_ref=3D"test_gnome_screensaver_idle_delay" />
>>>>       </criteria>
>>>>     </definition>
>>>> -  <ind:xmlfilecontent_test check=3D"all" comment=3D"test screensaver
>>>> timeout period" id=3D"test_gnome_screensaver_idle_delay" version=3D"1">
>>>> +  <ind:xmlfilecontent_test check=3D"all"
>>>> +  comment=3D"test screensaver timeout period"
>>>> +  id=3D"test_gnome_screensaver_idle_delay" version=3D"1">
>>>>       <ind:object object_ref=3D"object_gnome_screensaver_idle_delay" />
>>>>       <ind:state state_ref=3D"state_gnome_screensaver_idle_delay" />
>>>>     </ind:xmlfilecontent_test>
>>>>     <ind:xmlfilecontent_object
>>>> id=3D"object_gnome_screensaver_idle_delay" version=3D"1">
>>>> -
>>>> <ind:filepath>/etc/gconf/gconf.xml.defaults/%gconf-
>tree.xml</ind:filepath>
>>>> -    <ind:xpath datatype=3D"string"
>>>>
>operation=3D"equals">/gconf/dir[@name=3D'schemas']/dir[@name=3D'apps']/dir=
[@
>name=3D'gnome-
>screensaver']/entry[@name=3D'idle_delay']/local_schema[1]/default[1]/@valu=
e<
>/ind:xpath>
>>>> +
>>>> <ind:filepath>/etc/gconf/gconf.xml.mandatory/apps/gnome-
>screensaver/%gconf.xml</ind:filepath>
>>>> + <ind:xpath>/gconf/entry[@name=3D'idle_delay']/@value</ind:xpath>
>>>>     </ind:xmlfilecontent_object>
>>>> -  <ind:xmlfilecontent_state comment=3D"idle timeout"
>>>> id=3D"state_gnome_screensaver_idle_delay" version=3D"1">
>>>> -    <ind:value_of datatype=3D"int" operation=3D"less than or equal"
>>>> var_check=3D"all" var_ref=3D"inactivity_timeout_value" />
>>>> +  <ind:xmlfilecontent_state comment=3D"idle timeout"
>>>> +  id=3D"state_gnome_screensaver_idle_delay" version=3D"1">
>>>> +    <ind:value_of datatype=3D"int" operation=3D"less than or equal"
>>>> var_check=3D"all"
>>>> +    var_ref=3D"inactivity_timeout_value" />
>>>>     </ind:xmlfilecontent_state>
>>>> -  <external_variable comment=3D"inactivity timeout variable"
>>>> datatype=3D"int" id=3D"inactivity_timeout_value" version=3D"1" />
>>>> +  <external_variable comment=3D"inactivity timeout variable"
>>>> datatype=3D"int"
>>>> +  id=3D"inactivity_timeout_value" version=3D"1" />
>>>>   </def-group>
>>>> diff --git
>>>> a/RHEL6/input/checks/gconf_gnome_screensaver_lock_enabled.xml
>>>> b/RHEL6/input/checks/gconf_gnome_screensaver_lock_enabled.xml
>>>> index 06d3020..cc031fc 100644
>>>> --- a/RHEL6/input/checks/gconf_gnome_screensaver_lock_enabled.xml
>>>> +++ b/RHEL6/input/checks/gconf_gnome_screensaver_lock_enabled.xml
>>>> @@ -5,19 +5,23 @@
>>>>         <affected family=3D"unix">
>>>>           <platform>Red Hat Enterprise Linux 6</platform>
>>>>         </affected>
>>>> -      <description>Idle activation of the screen lock should be
>>>> enabled.</description>
>>>> +      <description>Idle activation of the screen lock should be
>>>> +      enabled.</description>
>>>> +      <reference source=3D"MED" ref_id=3D"20131125"
>>>> ref_url=3D"test_attestation" />
>>>>       </metadata>
>>>> -    <criteria>
>>>> +    <criteria operator=3D"OR">
>>>> +      <extend_definition comment=3D"GConf2 installed"
>>>> definition_ref=3D"package_GConf2_installed" negate=3D"true" />
>>>>         <criterion comment=3D"screensaver lock is enabled"
>>>> test_ref=3D"test_screensaver_lock_enabled" />
>>>>       </criteria>
>>>>     </definition>
>>>> -  <ind:xmlfilecontent_test check=3D"all" comment=3D"screensaver lock =
is
>>>> enabled" id=3D"test_screensaver_lock_enabled" version=3D"1">
>>>> +  <ind:xmlfilecontent_test check=3D"all" comment=3D"screensaver lock =
is
>>>> enabled"
>>>> +  id=3D"test_screensaver_lock_enabled" version=3D"1">
>>>>       <ind:object object_ref=3D"object_screensaver_lock_enabled" />
>>>>       <ind:state state_ref=3D"state_screensaver_lock_enabled" />
>>>>     </ind:xmlfilecontent_test>
>>>>     <ind:xmlfilecontent_object id=3D"object_screensaver_lock_enabled"
>>>> version=3D"1">
>>>> -
>>>> <ind:filepath>/etc/gconf/gconf.xml.defaults/%gconf-
>tree.xml</ind:filepath>
>>>> -
>>>>
><ind:xpath>/gconf/dir[@name=3D'schemas']/dir[@name=3D'apps']/dir[@name=3D'=
gn
>ome-
>screensaver']/entry[@name=3D'lock_enabled']/local_schema[1]/default[1]/@val
>ue</ind:xpath>
>>>> +
>>>> <ind:filepath>/etc/gconf/gconf.xml.mandatory/apps/gnome-
>screensaver/%gconf.xml</ind:filepath>
>>>> + <ind:xpath>/gconf/entry[@name=3D'lock_enabled']/@value</ind:xpath>
>>>>     </ind:xmlfilecontent_object>
>>>>     <ind:xmlfilecontent_state id=3D"state_screensaver_lock_enabled"
>>>> version=3D"1">
>>>>       <ind:value_of datatype=3D"string">true</ind:value_of>
>>>> diff --git
>>>> a/RHEL6/input/checks/gconf_gnome_screensaver_mode_blank.xml
>>>> b/RHEL6/input/checks/gconf_gnome_screensaver_mode_blank.xml
>>>> index 7cad7cd..8229d71 100644
>>>> --- a/RHEL6/input/checks/gconf_gnome_screensaver_mode_blank.xml
>>>> +++ b/RHEL6/input/checks/gconf_gnome_screensaver_mode_blank.xml
>>>> @@ -6,12 +6,16 @@
>>>>           <platform>Red Hat Enterprise Linux 6</platform>
>>>>         </affected>
>>>>         <description>The screen saver should be blank.</description>
>>>> +      <reference source=3D"MED" ref_id=3D"20131125"
>>>> ref_url=3D"test_attestation" />
>>>>       </metadata>
>>>> -    <criteria>
>>>> +    <criteria operator=3D"OR">
>>>> +      <extend_definition comment=3D"GConf2 installed"
>>>> definition_ref=3D"package_GConf2_installed" negate=3D"true" />
>>>>         <criterion comment=3D"gnome screensaver set to blank screen"
>>>> test_ref=3D"test_gnome_screensaver_mode" />
>>>>       </criteria>
>>>>     </definition>
>>>> -  <ind:xmlfilecontent_test check=3D"all" comment=3D"gnome screensaver
>>>> set to blank screen" id=3D"test_gnome_screensaver_mode" version=3D"1">
>>>> +  <ind:xmlfilecontent_test check=3D"all"
>>>> +  comment=3D"gnome screensaver set to blank screen"
>>>> +  id=3D"test_gnome_screensaver_mode" version=3D"1">
>>>>       <ind:object object_ref=3D"object_gnome_screensaver_mode" />
>>>>       <ind:state state_ref=3D"state_gnome_screensaver_mode" />
>>>>     </ind:xmlfilecontent_test>
>>>> @@ -19,7 +23,7 @@
>>>>       <ind:value_of datatype=3D"string">blank-only</ind:value_of>
>>>>     </ind:xmlfilecontent_state>
>>>>     <ind:xmlfilecontent_object id=3D"object_gnome_screensaver_mode"
>>>> version=3D"1">
>>>> -
>>>> <ind:filepath>/etc/gconf/gconf.xml.defaults/%gconf-
>tree.xml</ind:filepath>
>>>> -
>>>>
><ind:xpath>/gconf/dir[@name=3D'schemas']/dir[@name=3D'apps']/dir[@name=3D'=
gn
>ome-
>screensaver']/entry[@name=3D'mode']/local_schema[1]/default[1]/stringvalue=
[1
>]/text()</ind:xpath>
>>>> +
>>>> <ind:filepath>/etc/gconf/gconf.xml.mandatory/apps/gnome-
>screensaver/%gconf.xml</ind:filepath>
>>>> +
>>>>
><ind:xpath>/gconf/entry[@name=3D'mode']/stringvalue[1]/text()</ind:xpath>
>>>>     </ind:xmlfilecontent_object>
>>>>   </def-group>
>>>> diff --git a/RHEL6/input/checks/package_GConf2_installed.xml
>>>> b/RHEL6/input/checks/package_GConf2_installed.xml
>>>> new file mode 100644
>>>> index 0000000..032d76b
>>>> --- /dev/null
>>>> +++ b/RHEL6/input/checks/package_GConf2_installed.xml
>>>> @@ -0,0 +1,26 @@
>>>> +<def-group>
>>>> + <!-- THIS FILE IS GENERATED by create_package_installed.py.  DO
>>>> NOT EDIT.  -->
>>>> +  <definition class=3D"compliance" id=3D"package_GConf2_installed"
>>>> +  version=3D"1">
>>>> +    <metadata>
>>>> +      <title>Package GConf2 Installed</title>
>>>> +      <affected family=3D"unix">
>>>> +        <platform>Red Hat Enterprise Linux 6</platform>
>>>> +      </affected>
>>>> +      <description>The RPM package GConf2 should be
>>>> installed.</description>
>>>> +      <reference source=3D"swells" ref_id=3D"20130829"
>>>> ref_url=3D"test_attestation"/>
>>>> +    </metadata>
>>>> +    <criteria>
>>>> +      <criterion comment=3D"package GConf2 is installed"
>>>> +      test_ref=3D"test_package_GConf2_installed" />
>>>> +    </criteria>
>>>> +  </definition>
>>>> +  <linux:rpminfo_test check=3D"all" check_existence=3D"all_exist"
>>>> +  id=3D"test_package_GConf2_installed" version=3D"1"
>>>> +  comment=3D"package GConf2 is installed">
>>>> +    <linux:object object_ref=3D"obj_package_GConf2_installed" />
>>>> +  </linux:rpminfo_test>
>>>> +  <linux:rpminfo_object id=3D"obj_package_GConf2_installed"
>version=3D"1">
>>>> +    <linux:name>GConf2</linux:name>
>>>> +  </linux:rpminfo_object>
>>>> +</def-group>
>>>> diff --git a/RHEL6/input/checks/templates/packages_installed.csv
>>>> b/RHEL6/input/checks/templates/packages_installed.csv
>>>> index 990f332..d956daa 100644
>>>> --- a/RHEL6/input/checks/templates/packages_installed.csv
>>>> +++ b/RHEL6/input/checks/templates/packages_installed.csv
>>>> @@ -1,6 +1,7 @@
>>>>   aide
>>>>   audit
>>>>   cronie
>>>> +GConf2
>>>>   iptables
>>>>   iptables-ipv6
>>>>   irqbalance
>>>> diff --git a/RHEL6/input/fixes/bash/package_GConf2_installed.sh
>>>> b/RHEL6/input/fixes/bash/package_GConf2_installed.sh
>>>> new file mode 100644
>>>> index 0000000..02c8768
>>>> --- /dev/null
>>>> +++ b/RHEL6/input/fixes/bash/package_GConf2_installed.sh
>>>> @@ -0,0 +1 @@
>>>> +yum -y install GConf2
>>
>> This is great! Ack.
>>
>> This tracks back to
>> https://bugzilla.redhat.com/show_bug.cgi?id=3D1043053. Give a shout
>> after you've pushed and I'll resolve the bug.
>> _______________________________________________
>> scap-security-guide mailing list
>> scap-security-guide(a)lists.fedorahosted.org
>> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
>
>_______________________________________________
>scap-security-guide mailing list
>scap-security-guide(a)lists.fedorahosted.org
>https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide

--===============0354293428912558388==--