From rmercer at harris.com Thu Aug 20 11:35:42 2015
Content-Type: multipart/mixed; boundary="===============1073403337342936439=="
MIME-Version: 1.0
From: Mercer, Rodney <rmercer at harris.com>
To: scap-security-guide at lists.fedorahosted.org
Subject: banner_gui_enabled.xml
Date: Mon, 04 Nov 2013 17:31:32 -0500
Message-ID: <1383604292.15857.79.camel@osc145>

--===============1073403337342936439==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable

I was seeing a fail on "Result for Enable GUI Warning Banner"
CCE-27195-7.

I found this ticket:
https://fedorahosted.org/scap-security-guide/ticket/319

So I worked on the banner_gui_enabled.xml file and came up with the
attached replacement. I tested it and it appears to work correctly.

Could someone check this to see if I have this right?

Thanks,
Rodney.

-- =




--===============1073403337342936439==
Content-Type: application/xml
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="banner_gui_enabled.xml"

PGRlZi1ncm91cD4KICA8ZGVmaW5pdGlvbiBjbGFzcz0iY29tcGxpYW5jZSIgaWQ9ImJhbm5lcl9n
dWlfZW5hYmxlZCIgdmVyc2lvbj0iMSI+CiAgICA8bWV0YWRhdGE+CiAgICAgIDx0aXRsZT5FbmFi
bGUgR1VJIFdhcm5pbmcgQmFubmVyPC90aXRsZT4KICAgICAgPGFmZmVjdGVkIGZhbWlseT0idW5p
eCI+CiAgICAgICAgPHBsYXRmb3JtPlJlZCBIYXQgRW50ZXJwcmlzZSBMaW51eCA2PC9wbGF0Zm9y
bT4KICAgICAgPC9hZmZlY3RlZD4KICAgICAgPGRlc2NyaXB0aW9uPkVuYWJsZSB0aGUgR1VJIHdh
cm5pbmcgYmFubmVyLjwvZGVzY3JpcHRpb24+CiAgICA8L21ldGFkYXRhPgogICAgPGNyaXRlcmlh
PgogICAgICA8Y3JpdGVyaW9uIGNvbW1lbnQ9ImNoZWNrIHNldHRpbmdzIiB0ZXN0X3JlZj0idGVz
dF9iYW5uZXJfZ3VpX2VuYWJsZWQiIC8+CiAgICA8L2NyaXRlcmlhPgogIDwvZGVmaW5pdGlvbj4K
ICA8aW5kOnhtbGZpbGVjb250ZW50X3Rlc3QgY2hlY2s9ImFsbCIgY29tbWVudD0ic3R1ZmYiIGlk
PSJ0ZXN0X2Jhbm5lcl9ndWlfZW5hYmxlZCIgdmVyc2lvbj0iMSI+CiAgICA8aW5kOm9iamVjdCBv
YmplY3RfcmVmPSJvYmplY3RfYmFubmVyX21lc3NhZ2VfZW5hYmxlIiAvPgogICAgPGluZDpzdGF0
ZSBzdGF0ZV9yZWY9InN0YXRlX2Jhbm5lcl9tZXNzYWdlX2VuYWJsZSIgLz4KICA8L2luZDp4bWxm
aWxlY29udGVudF90ZXN0PgogIDxpbmQ6eG1sZmlsZWNvbnRlbnRfb2JqZWN0IGlkPSJvYmplY3Rf
YmFubmVyX21lc3NhZ2VfZW5hYmxlIiB2ZXJzaW9uPSIxIj4KICAgIDxpbmQ6ZmlsZXBhdGg+L3Zh
ci9saWIvZ2RtLy5nY29uZi9hcHBzL2dkbS9zaW1wbGUtZ3JlZXRlci8lZ2NvbmYueG1sPC9pbmQ6
ZmlsZXBhdGg+CiAgICA8aW5kOnhwYXRoPi9nY29uZi9lbnRyeVtAbmFtZT0nYmFubmVyX21lc3Nh
Z2VfZW5hYmxlJ10vQHZhbHVlPC9pbmQ6eHBhdGg+CiAgPC9pbmQ6eG1sZmlsZWNvbnRlbnRfb2Jq
ZWN0PgogIDxpbmQ6eG1sZmlsZWNvbnRlbnRfc3RhdGUgaWQ9InN0YXRlX2Jhbm5lcl9tZXNzYWdl
X2VuYWJsZSIgdmVyc2lvbj0iMSI+CiAgICA8aW5kOnZhbHVlX29mIGRhdGF0eXBlPSJzdHJpbmci
PnRydWU8L2luZDp2YWx1ZV9vZj4KICA8L2luZDp4bWxmaWxlY29udGVudF9zdGF0ZT4KPC9kZWYt
Z3JvdXA+Cg==

--===============1073403337342936439==--

From shawn at redhat.com Thu Aug 20 11:35:42 2015
Content-Type: multipart/mixed; boundary="===============3246339549953321514=="
MIME-Version: 1.0
From: Shawn Wells <shawn at redhat.com>
To: scap-security-guide at lists.fedorahosted.org
Subject: Re: banner_gui_enabled.xml
Date: Mon, 04 Nov 2013 20:02:34 -0500
Message-ID: <527843AA.3010106@redhat.com>
In-Reply-To: 1383604292.15857.79.camel@osc145

--===============3246339549953321514==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable

On 11/4/13, 5:31 PM, Rodney L. Mercer wrote:
> I was seeing a fail on "Result for Enable GUI Warning Banner"
> CCE-27195-7.
>
> I found this ticket:
> https://fedorahosted.org/scap-security-guide/ticket/319
>
> So I worked on the banner_gui_enabled.xml file and came up with the
> attached replacement. I tested it and it appears to work correctly.
>
> Could someone check this to see if I have this right?
>
> Thanks,
> Rodney.
> ---------
>
> <def-group>
>    <definition class=3D"compliance" id=3D"banner_gui_enabled" version=3D"=
1">
>      <metadata>
>        <title>Enable GUI Warning Banner</title>
>        <affected family=3D"unix">
>          <platform>Red Hat Enterprise Linux 6</platform>
>        </affected>
>        <description>Enable the GUI warning banner.</description>
>      </metadata>
>      <criteria>
>        <criterion comment=3D"check settings" test_ref=3D"test_banner_gui_=
enabled" />
>      </criteria>
>    </definition>
>    <ind:xmlfilecontent_test check=3D"all" comment=3D"stuff" id=3D"test_ba=
nner_gui_enabled" version=3D"1">
>      <ind:object object_ref=3D"object_banner_message_enable" />
>      <ind:state state_ref=3D"state_banner_message_enable" />
>    </ind:xmlfilecontent_test>
>    <ind:xmlfilecontent_object id=3D"object_banner_message_enable" version=
=3D"1">
>      <ind:filepath>/var/lib/gdm/.gconf/apps/gdm/simple-greeter/%gconf.xml=
</ind:filepath>
>      <ind:xpath>/gconf/entry[@name=3D'banner_message_enable']/@value</ind=
:xpath>
>    </ind:xmlfilecontent_object>
>    <ind:xmlfilecontent_state id=3D"state_banner_message_enable" version=
=3D"1">
>      <ind:value_of datatype=3D"string">true</ind:value_of>
>    </ind:xmlfilecontent_state>
> </def-group>

There's a ton of goodness in this. Proper filepath, addition of the =

state, filename->filepath conversion!

As for testing:

[root(a)SSG-RHEL6 checks]# sudo -u gdm gconftool-2 \
 >   --type bool \
 >   --set /apps/gdm/simple-greeter/banner_message_enable false

[root(a)SSG-RHEL6 checks]# ./testcheck.py banner_gui_enabled.xml
Evaluating with OVAL tempfile : /tmp/banner_gui_enabledzCPQAU.xml
Writing results to : /tmp/banner_gui_enabledzCPQAU.xml-results
Definition oval:scap-security-guide.testing:def:241: false
Evaluation done.

[root(a)SSG-RHEL6 checks]# sudo -u gdm gconftool-2   --type bool --set =

/apps/gdm/simple-greeter/banner_message_enable true

[root(a)SSG-RHEL6 checks]# ./testcheck.py banner_gui_enabled.xml
Evaluating with OVAL tempfile : /tmp/banner_gui_enabled72tTqS.xml
Writing results to : /tmp/banner_gui_enabled72tTqS.xml-results
Definition oval:scap-security-guide.testing:def:241: true
Evaluation done.


Add OVAL signoff within the <metadata> tags and please resubmit for an =

ACK, e.g.:

<reference source=3D"rmercer" ref_id=3D"20131104" ref_url=3D"test_attestati=
on" />

Nice work!



--===============3246339549953321514==--