From ray.v.shaw.ctr at mail.mil Thu Aug 20 11:36:11 2015
Content-Type: multipart/mixed; boundary="===============1571205936277887672=="
MIME-Version: 1.0
From: Shaw, Ray V CTR USARMY RDECOM ARL (US) <ray.v.shaw.ctr at mail.mil>
To: scap-security-guide at lists.fedorahosted.org
Subject: RE: [PATCH] Rewrote various GConf checks to standardize on
 xmlfilecontent	tests and ensured they were actually checking the correct
 location	(gconf.xml.mandatory, not gconf.xml.defaults). (UNCLASSIFIED)
Date: Thu, 26 Dec 2013 19:07:07 +0000
Message-ID: <517F37858E593249B11B9B7B6BA732073121AC65@ucolhp9j.easf.csd.disa.mil>
In-Reply-To: 52AF3331.3070200@eclipse.ncsc.mil

--===============1571205936277887672==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable

Classification: UNCLASSIFIED
Caveats: NONE

[Sorry for the delayed response, especially since I'm pretty sure I opened =
the BZ; I've been stupidly busy at work.]

The checks still seem to be looking at gconf.xml.defaults for:

gconf_gnome_screensaver_idle_activation_enabled.xml
gconf_gnome_screensaver_idle_delay.xml
gconf_gnome_screensaver_lock_enabled.xml
gconf_gnome_screensaver_mode_blank.xml

Did something go awry with part of this patch?  I do see the commit in the =
git log, and the "thumbnailers" check is looking at gconf.xml.mandatory.

--
Ray Shaw (Contractor, STG)
Army Research Laboratory
CIO, Unix Support


-----Original Message-----
From: scap-security-guide-bounces(a)lists.fedorahosted.org [mailto:scap-sec=
urity-guide-bounces(a)lists.fedorahosted.org] On Behalf Of Maura Dailey
Sent: Monday, December 16, 2013 12:07 PM
To: scap-security-guide(a)lists.fedorahosted.org
Subject: Re: [PATCH] Rewrote various GConf checks to standardize on xmlfile=
content tests and ensured they were actually checking the correct location =
(gconf.xml.mandatory, not gconf.xml.defaults).

I pushed it!

- Maura Dailey

On 12/16/2013 11:59 AM, Shawn Wells wrote:
> On 12/16/13, 11:43 AM, Maura Dailey wrote:
>> I've been out sick, but I noticed that no one seems to have looked at =

>> this one. Let me know if I can push this or if I need to change =

>> something.
>>
>> Thanks,
>> Maura Dailey
>>
>> On 11/25/2013 04:02 PM, Maura Dailey wrote:
>>> Signed-off-by: Maura Dailey <maura(a)eclipse.ncsc.mil>
>>> ---
>>>   .../input/checks/gconf_gnome_disable_automount.xml |   59 =

>>> +++++++++++---------
>>>   .../checks/gconf_gnome_disable_thumbnailers.xml    |   34 ++++++-----
>>>   ...f_gnome_screensaver_idle_activation_enabled.xml |   19 ++++--
>>>   .../checks/gconf_gnome_screensaver_idle_delay.xml  |   24 +++++---
>>>   .../gconf_gnome_screensaver_lock_enabled.xml       |   14 +++--
>>>   .../checks/gconf_gnome_screensaver_mode_blank.xml  |   12 +++-
>>>   RHEL6/input/checks/package_GConf2_installed.xml    |   26 +++++++++
>>>   .../input/checks/templates/packages_installed.csv  |    1 +
>>>   RHEL6/input/fixes/bash/package_GConf2_installed.sh |    1 +
>>>   9 files changed, 124 insertions(+), 66 deletions(-)
>>>   create mode 100644 RHEL6/input/checks/package_GConf2_installed.xml
>>>   create mode 100644 =

>>> RHEL6/input/fixes/bash/package_GConf2_installed.sh
>>>
>>> diff --git a/RHEL6/input/checks/gconf_gnome_disable_automount.xml
>>> b/RHEL6/input/checks/gconf_gnome_disable_automount.xml
>>> index e2e7efc..f78fc89 100644
>>> --- a/RHEL6/input/checks/gconf_gnome_disable_automount.xml
>>> +++ b/RHEL6/input/checks/gconf_gnome_disable_automount.xml
>>> @@ -1,41 +1,46 @@
>>>   <def-group>
>>> -  <definition class=3D"compliance"
>>> -  id=3D"gconf_gnome_disable_automount" version=3D"1">
>>> +  <definition class=3D"compliance" id=3D"gconf_gnome_disable_automount=
" =

>>> version=3D"1">
>>>       <metadata>
>>>         <title>Disable GNOME Automounting</title>
>>>         <affected family=3D"unix">
>>>           <platform>Red Hat Enterprise Linux 6</platform>
>>>         </affected>
>>> -      <description>The system's default desktop environment, GNOME, =

>>> will mount devices and removable media (such as DVDs, CDs and USB =

>>> flash drives) whenever they are inserted into the system.  Disable =

>>> automount and autorun within GNOME.</description>
>>> +      <description>The system's default desktop environment, GNOME,
>>> will mount
>>> +      devices and removable media (such as DVDs, CDs and USB flash
>>> drives)
>>> +      whenever they are inserted into the system. Disable automount
>>> and autorun
>>> +      within GNOME.</description>
>>> +      <reference source=3D"MED" ref_id=3D"20131125" =

>>> ref_url=3D"test_attestation" />
>>>       </metadata>
>>> -    <criteria operator=3D"AND">
>>> +    <criteria operator=3D"OR">
>>> +      <extend_definition comment=3D"GConf2 installed" =

>>> definition_ref=3D"package_GConf2_installed" negate=3D"true" />
>>>         <criterion comment=3D"Disable automount in GNOME" =

>>> test_ref=3D"test_gconf_gnome_disable_automount" />
>>> -      <criterion comment=3D"Disable autorun in GNOME" =

>>> test_ref=3D"test_gconf_gnome_disable_automount_autorun" />
>>> +      <criterion comment=3D"Disable autorun in GNOME" =

>>> test_ref=3D"test_gconf_gnome_disable_automount_autorun" />
>>>       </criteria>
>>>     </definition>
>>> -
>>> -  <ind:textfilecontent54_test check=3D"all" check_existence=3D"all_exi=
st"
>>> -  comment=3D"Disable automount in GNOME"
>>> -  id=3D"test_gconf_gnome_disable_automount" version=3D"1">
>>> +  <ind:xmlfilecontent_test check=3D"all" check_existence=3D"all_exist"
>>> +  comment=3D"Disable automount in GNOME" =

>>> id=3D"test_gconf_gnome_disable_automount"
>>> +  version=3D"1">
>>>       <ind:object object_ref=3D"obj_gconf_gnome_disable_automount" />
>>> -  </ind:textfilecontent54_test>
>>> -  <ind:textfilecontent54_object
>>> id=3D"obj_gconf_gnome_disable_automount" version=3D"1">
>>> -
>>> <ind:path>/etc/gconf/gconf.xml.mandatory/apps/nautilus/preferences</ind=
:path>
>>> -    <ind:filename>%gconf.xml</ind:filename>
>>> -    <ind:pattern operation=3D"pattern =

>>> match">^\s*.entry\s+name=3D"media_automount"\s+mtime=3D"\d+"\s+type=3D"=
bool"\s+value=3D"false"\/.$</ind:pattern>
>>> -    <ind:instance datatype=3D"int">1</ind:instance>
>>> -  </ind:textfilecontent54_object>
>>> -
>>> -  <ind:textfilecontent54_test check=3D"all" check_existence=3D"all_exi=
st"
>>> -  comment=3D"Disable autorun in GNOME"
>>> +    <ind:state state_ref=3D"state_gconf_gnome_disable_automount" />  =

>>> + </ind:xmlfilecontent_test>  <ind:xmlfilecontent_state
>>> id=3D"state_gconf_gnome_disable_automount" version=3D"1">
>>> +    <ind:value_of datatype=3D"string">false</ind:value_of>
>>> +  </ind:xmlfilecontent_state>
>>> +  <ind:xmlfilecontent_object id=3D"obj_gconf_gnome_disable_automount" =

>>> version=3D"1">
>>> + =

>>> <ind:filepath>/etc/gconf/gconf.xml.mandatory/apps/nautilus/preferenc
>>> es/%gconf.xml</ind:filepath>
>>> + <ind:xpath>/gconf/entry[@name=3D'media_automount']/@value</ind:xpath
>>> + >
>>> +  </ind:xmlfilecontent_object>
>>> +  <ind:xmlfilecontent_test check=3D"all" check_existence=3D"all_exist"
>>> +  comment=3D"Disable autorun in GNOME"
>>>     id=3D"test_gconf_gnome_disable_automount_autorun" version=3D"1">
>>>       <ind:object
>>> object_ref=3D"obj_gconf_gnome_disable_automount_autorun" />
>>> -  </ind:textfilecontent54_test>
>>> -  <ind:textfilecontent54_object
>>> id=3D"obj_gconf_gnome_disable_automount_autorun" version=3D"1">
>>> -
>>> <ind:path>/etc/gconf/gconf.xml.mandatory/apps/nautilus/preferences</ind=
:path>
>>> -    <ind:filename>%gconf.xml</ind:filename>
>>> -    <ind:pattern operation=3D"pattern =

>>> match">^\s*.entry\s+name=3D"media_autorun_never"\s+mtime=3D"\d+"\s+type=
=3D"bool"\s+value=3D"true"\/.$</ind:pattern>
>>> -    <ind:instance datatype=3D"int">1</ind:instance>
>>> -  </ind:textfilecontent54_object>
>>> -
>>> +    <ind:state
>>> state_ref=3D"state_gconf_gnome_disable_automount_autorun" />
>>> +  </ind:xmlfilecontent_test>
>>> +  <ind:xmlfilecontent_state
>>> id=3D"state_gconf_gnome_disable_automount_autorun" version=3D"1">
>>> +    <ind:value_of datatype=3D"string">true</ind:value_of>
>>> +  </ind:xmlfilecontent_state>
>>> +  <ind:xmlfilecontent_object
>>> id=3D"obj_gconf_gnome_disable_automount_autorun" version=3D"1">
>>> + =

>>> <ind:filepath>/etc/gconf/gconf.xml.mandatory/apps/nautilus/preferenc
>>> es/%gconf.xml</ind:filepath>
>>> + =

>>> <ind:xpath>/gconf/entry[@name=3D'media_autorun_never']/@value</ind:xpa
>>> th>
>>> +  </ind:xmlfilecontent_object>
>>>   </def-group>
>>> diff --git a/RHEL6/input/checks/gconf_gnome_disable_thumbnailers.xml
>>> b/RHEL6/input/checks/gconf_gnome_disable_thumbnailers.xml
>>> index 72bf086..80045a3 100644
>>> --- a/RHEL6/input/checks/gconf_gnome_disable_thumbnailers.xml
>>> +++ b/RHEL6/input/checks/gconf_gnome_disable_thumbnailers.xml
>>> @@ -1,28 +1,32 @@
>>>   <def-group>
>>> -  <definition class=3D"compliance"
>>> -  id=3D"gconf_gnome_disable_thumbnailers" version=3D"1">
>>> +  <definition class=3D"compliance" =

>>> id=3D"gconf_gnome_disable_thumbnailers" version=3D"1">
>>>       <metadata>
>>>         <title>Disable All GNOME Thumbnailers</title>
>>>         <affected family=3D"unix">
>>>           <platform>Red Hat Enterprise Linux 6</platform>
>>>         </affected>
>>> -      <description>The system's default desktop environment, GNOME, =

>>> uses a number of different thumbnailer programs to generate =

>>> thumbnails for any new or modified content in an opened folder.
>>> Disable the execution of these thumbnail applications within =

>>> GNOME.</description>
>>> +      <description>The system's default desktop environment, GNOME,
>>> uses a
>>> +      number of different thumbnailer programs to generate
>>> thumbnails for any
>>> +      new or modified content in an opened folder. Disable the
>>> execution of
>>> +      these thumbnail applications within GNOME.</description>
>>> +      <reference source=3D"MED" ref_id=3D"20131125" =

>>> ref_url=3D"test_attestation" />
>>>       </metadata>
>>> -    <criteria>
>>> +    <criteria operator=3D"OR">
>>> +      <extend_definition comment=3D"GConf2 installed" =

>>> definition_ref=3D"package_GConf2_installed" negate=3D"true" />
>>>         <criterion comment=3D"Disable thumbnailers in GNOME" =

>>> test_ref=3D"test_gconf_gnome_disable_thumbnailers" />
>>>       </criteria>
>>>     </definition>
>>> -
>>> -  <ind:textfilecontent54_test check=3D"all" check_existence=3D"none_ex=
ist"
>>> -  comment=3D"Disable thumbnailers in GNOME"
>>> +  <ind:xmlfilecontent_test check=3D"all" check_existence=3D"all_exist"
>>> +  comment=3D"Disable thumbnailers in GNOME"
>>>     id=3D"test_gconf_gnome_disable_thumbnailers" version=3D"1">
>>>       <ind:object object_ref=3D"obj_gconf_gnome_disable_thumbnailers" =

>>> />
>>> -  </ind:textfilecontent54_test>
>>> -  <ind:textfilecontent54_object
>>> id=3D"obj_gconf_gnome_disable_thumbnailers" version=3D"1">
>>> -
>>> <ind:path>/etc/gconf/gconf.xml.mandatory/desktop/gnome/thumbnailers</in=
d:path>
>>> -    <ind:filename>%gconf.xml</ind:filename>
>>> -    <ind:pattern operation=3D"pattern =

>>> match">^\s*.entry\s+name=3D"disable_all"\s+mtime=3D"\d+"\s+type=3D"bool=
"\s+value=3D"true"\/.$</ind:pattern>
>>> -    <ind:instance datatype=3D"int">1</ind:instance>
>>> -  </ind:textfilecontent54_object>
>>> -
>>> +    <ind:state state_ref=3D"state_gconf_gnome_disable_thumbnailers" =

>>> + />  </ind:xmlfilecontent_test>  <ind:xmlfilecontent_state
>>> id=3D"state_gconf_gnome_disable_thumbnailers" version=3D"1">
>>> +    <ind:value_of datatype=3D"string">true</ind:value_of>
>>> +  </ind:xmlfilecontent_state>
>>> +  <ind:xmlfilecontent_object
>>> id=3D"obj_gconf_gnome_disable_thumbnailers" version=3D"1">
>>> + =

>>> <ind:filepath>/etc/gconf/gconf.xml.mandatory/desktop/gnome/thumbnail
>>> ers/%gconf.xml</ind:filepath>
>>> + <ind:xpath>/gconf/entry[@name=3D'disable_all']/@value</ind:xpath>
>>> +  </ind:xmlfilecontent_object>
>>>   </def-group>
>>> diff --git
>>> a/RHEL6/input/checks/gconf_gnome_screensaver_idle_activation_enabled
>>> .xml =

>>> b/RHEL6/input/checks/gconf_gnome_screensaver_idle_activation_enabled
>>> .xml
>>>
>>> index 5776014..0d012a7 100644
>>> ---
>>> a/RHEL6/input/checks/gconf_gnome_screensaver_idle_activation_enabled
>>> .xml
>>>
>>> +++ =

>>> b/RHEL6/input/checks/gconf_gnome_screensaver_idle_activation_enabled
>>> .xml
>>>
>>> @@ -5,21 +5,26 @@
>>>         <affected family=3D"unix">
>>>           <platform>Red Hat Enterprise Linux 6</platform>
>>>         </affected>
>>> -      <description>Idle activation of the screen saver should be =

>>> enabled.</description>
>>> +      <description>Idle activation of the screen saver should be
>>> +      enabled.</description>
>>> +      <reference source=3D"MED" ref_id=3D"20131125" =

>>> ref_url=3D"test_attestation" />
>>>       </metadata>
>>> -    <criteria>
>>> +    <criteria operator=3D"OR">
>>> +      <extend_definition comment=3D"GConf2 installed" =

>>> definition_ref=3D"package_GConf2_installed" negate=3D"true" />
>>>         <criterion comment=3D"gnome screensaver is activated on idle" =

>>> test_ref=3D"test_gnome_screensaver_idle_activated" />
>>>       </criteria>
>>>     </definition>
>>> -  <ind:xmlfilecontent_test check=3D"all" comment=3D"gnome screensaver =

>>> is activated on idle" id=3D"test_gnome_screensaver_idle_activated"
>>> version=3D"1">
>>> +  <ind:xmlfilecontent_test check=3D"all"
>>> +  comment=3D"gnome screensaver is activated on idle"
>>> +  id=3D"test_gnome_screensaver_idle_activated" version=3D"1">
>>>       <ind:object
>>> object_ref=3D"object_gnome_screensaver_idle_activated" />
>>> -    <ind:state state_ref=3D"state_activated_on_idle" />
>>> +    <ind:state state_ref=3D"state_gnome_screensaver_idle_activated" =

>>> + />
>>>     </ind:xmlfilecontent_test>
>>> -  <ind:xmlfilecontent_state id=3D"state_activated_on_idle" =

>>> version=3D"1">
>>> +  <ind:xmlfilecontent_state
>>> id=3D"state_gnome_screensaver_idle_activated" version=3D"1">
>>>       <ind:value_of datatype=3D"string">true</ind:value_of>
>>>     </ind:xmlfilecontent_state>
>>>     <ind:xmlfilecontent_object
>>> id=3D"object_gnome_screensaver_idle_activated" version=3D"1">
>>> -
>>> <ind:filepath>/etc/gconf/gconf.xml.defaults/%gconf-tree.xml</ind:fil
>>> epath>
>>> -
>>> <ind:xpath>/gconf/dir[@name=3D'schemas']/dir[@name=3D'apps']/dir[@name=
=3D'
>>> gnome-screensaver']/entry[@name=3D'idle_activation_enabled']/local_sch
>>> ema[1]/default[1]/@value</ind:xpath>
>>> + =

>>> <ind:filepath>/etc/gconf/gconf.xml.mandatory/apps/gnome-screensaver/
>>> %gconf.xml</ind:filepath>
>>> + =

>>> <ind:xpath>/gconf/entry[@name=3D'idle_activation_enabled']/@value</ind:=
xpath>
>>>     </ind:xmlfilecontent_object>
>>>   </def-group>
>>> diff --git
>>> a/RHEL6/input/checks/gconf_gnome_screensaver_idle_delay.xml
>>> b/RHEL6/input/checks/gconf_gnome_screensaver_idle_delay.xml
>>> index 70cc1c2..c77e608 100644
>>> --- a/RHEL6/input/checks/gconf_gnome_screensaver_idle_delay.xml
>>> +++ b/RHEL6/input/checks/gconf_gnome_screensaver_idle_delay.xml
>>> @@ -5,22 +5,30 @@
>>>         <affected family=3D"unix">
>>>           <platform>Red Hat Enterprise Linux 6</platform>
>>>         </affected>
>>> -      <description>The allowed period of inactivity before the =

>>> screensaver is activated.</description>
>>> +      <description>The allowed period of inactivity before the
>>> screensaver is
>>> +      activated.</description>
>>> +      <reference source=3D"MED" ref_id=3D"20131125" =

>>> ref_url=3D"test_attestation" />
>>>       </metadata>
>>> -    <criteria>
>>> +    <criteria operator=3D"OR">
>>> +      <extend_definition comment=3D"GConf2 installed" =

>>> definition_ref=3D"package_GConf2_installed" negate=3D"true" />
>>>         <criterion comment=3D"check value of idle_delay in GCONF" =

>>> test_ref=3D"test_gnome_screensaver_idle_delay" />
>>>       </criteria>
>>>     </definition>
>>> -  <ind:xmlfilecontent_test check=3D"all" comment=3D"test screensaver =

>>> timeout period" id=3D"test_gnome_screensaver_idle_delay" version=3D"1">
>>> +  <ind:xmlfilecontent_test check=3D"all"
>>> +  comment=3D"test screensaver timeout period"
>>> +  id=3D"test_gnome_screensaver_idle_delay" version=3D"1">
>>>       <ind:object object_ref=3D"object_gnome_screensaver_idle_delay" />
>>>       <ind:state state_ref=3D"state_gnome_screensaver_idle_delay" />
>>>     </ind:xmlfilecontent_test>
>>>     <ind:xmlfilecontent_object
>>> id=3D"object_gnome_screensaver_idle_delay" version=3D"1">
>>> -
>>> <ind:filepath>/etc/gconf/gconf.xml.defaults/%gconf-tree.xml</ind:filepa=
th>
>>> -    <ind:xpath datatype=3D"string" =

>>> operation=3D"equals">/gconf/dir[@name=3D'schemas']/dir[@name=3D'apps']/=
dir
>>> [@name=3D'gnome-screensaver']/entry[@name=3D'idle_delay']/local_schema[1
>>> ]/default[1]/@value</ind:xpath>
>>> + =

>>> <ind:filepath>/etc/gconf/gconf.xml.mandatory/apps/gnome-screensaver/
>>> %gconf.xml</ind:filepath>
>>> + <ind:xpath>/gconf/entry[@name=3D'idle_delay']/@value</ind:xpath>
>>>     </ind:xmlfilecontent_object>
>>> -  <ind:xmlfilecontent_state comment=3D"idle timeout" =

>>> id=3D"state_gnome_screensaver_idle_delay" version=3D"1">
>>> -    <ind:value_of datatype=3D"int" operation=3D"less than or equal" =

>>> var_check=3D"all" var_ref=3D"inactivity_timeout_value" />
>>> +  <ind:xmlfilecontent_state comment=3D"idle timeout"
>>> +  id=3D"state_gnome_screensaver_idle_delay" version=3D"1">
>>> +    <ind:value_of datatype=3D"int" operation=3D"less than or equal" =

>>> var_check=3D"all"
>>> +    var_ref=3D"inactivity_timeout_value" />
>>>     </ind:xmlfilecontent_state>
>>> -  <external_variable comment=3D"inactivity timeout variable" =

>>> datatype=3D"int" id=3D"inactivity_timeout_value" version=3D"1" />
>>> +  <external_variable comment=3D"inactivity timeout variable" =

>>> datatype=3D"int"
>>> +  id=3D"inactivity_timeout_value" version=3D"1" />
>>>   </def-group>
>>> diff --git
>>> a/RHEL6/input/checks/gconf_gnome_screensaver_lock_enabled.xml
>>> b/RHEL6/input/checks/gconf_gnome_screensaver_lock_enabled.xml
>>> index 06d3020..cc031fc 100644
>>> --- a/RHEL6/input/checks/gconf_gnome_screensaver_lock_enabled.xml
>>> +++ b/RHEL6/input/checks/gconf_gnome_screensaver_lock_enabled.xml
>>> @@ -5,19 +5,23 @@
>>>         <affected family=3D"unix">
>>>           <platform>Red Hat Enterprise Linux 6</platform>
>>>         </affected>
>>> -      <description>Idle activation of the screen lock should be =

>>> enabled.</description>
>>> +      <description>Idle activation of the screen lock should be
>>> +      enabled.</description>
>>> +      <reference source=3D"MED" ref_id=3D"20131125" =

>>> ref_url=3D"test_attestation" />
>>>       </metadata>
>>> -    <criteria>
>>> +    <criteria operator=3D"OR">
>>> +      <extend_definition comment=3D"GConf2 installed" =

>>> definition_ref=3D"package_GConf2_installed" negate=3D"true" />
>>>         <criterion comment=3D"screensaver lock is enabled" =

>>> test_ref=3D"test_screensaver_lock_enabled" />
>>>       </criteria>
>>>     </definition>
>>> -  <ind:xmlfilecontent_test check=3D"all" comment=3D"screensaver lock i=
s =

>>> enabled" id=3D"test_screensaver_lock_enabled" version=3D"1">
>>> +  <ind:xmlfilecontent_test check=3D"all" comment=3D"screensaver lock is
>>> enabled"
>>> +  id=3D"test_screensaver_lock_enabled" version=3D"1">
>>>       <ind:object object_ref=3D"object_screensaver_lock_enabled" />
>>>       <ind:state state_ref=3D"state_screensaver_lock_enabled" />
>>>     </ind:xmlfilecontent_test>
>>>     <ind:xmlfilecontent_object id=3D"object_screensaver_lock_enabled" =

>>> version=3D"1">
>>> -
>>> <ind:filepath>/etc/gconf/gconf.xml.defaults/%gconf-tree.xml</ind:fil
>>> epath>
>>> -
>>> <ind:xpath>/gconf/dir[@name=3D'schemas']/dir[@name=3D'apps']/dir[@name=
=3D'
>>> gnome-screensaver']/entry[@name=3D'lock_enabled']/local_schema[1]/defa
>>> ult[1]/@value</ind:xpath>
>>> + =

>>> <ind:filepath>/etc/gconf/gconf.xml.mandatory/apps/gnome-screensaver/
>>> %gconf.xml</ind:filepath>
>>> + <ind:xpath>/gconf/entry[@name=3D'lock_enabled']/@value</ind:xpath>
>>>     </ind:xmlfilecontent_object>
>>>     <ind:xmlfilecontent_state id=3D"state_screensaver_lock_enabled" =

>>> version=3D"1">
>>>       <ind:value_of datatype=3D"string">true</ind:value_of>
>>> diff --git
>>> a/RHEL6/input/checks/gconf_gnome_screensaver_mode_blank.xml
>>> b/RHEL6/input/checks/gconf_gnome_screensaver_mode_blank.xml
>>> index 7cad7cd..8229d71 100644
>>> --- a/RHEL6/input/checks/gconf_gnome_screensaver_mode_blank.xml
>>> +++ b/RHEL6/input/checks/gconf_gnome_screensaver_mode_blank.xml
>>> @@ -6,12 +6,16 @@
>>>           <platform>Red Hat Enterprise Linux 6</platform>
>>>         </affected>
>>>         <description>The screen saver should be blank.</description>
>>> +      <reference source=3D"MED" ref_id=3D"20131125" =

>>> ref_url=3D"test_attestation" />
>>>       </metadata>
>>> -    <criteria>
>>> +    <criteria operator=3D"OR">
>>> +      <extend_definition comment=3D"GConf2 installed" =

>>> definition_ref=3D"package_GConf2_installed" negate=3D"true" />
>>>         <criterion comment=3D"gnome screensaver set to blank screen" =

>>> test_ref=3D"test_gnome_screensaver_mode" />
>>>       </criteria>
>>>     </definition>
>>> -  <ind:xmlfilecontent_test check=3D"all" comment=3D"gnome screensaver =

>>> set to blank screen" id=3D"test_gnome_screensaver_mode" version=3D"1">
>>> +  <ind:xmlfilecontent_test check=3D"all"
>>> +  comment=3D"gnome screensaver set to blank screen"
>>> +  id=3D"test_gnome_screensaver_mode" version=3D"1">
>>>       <ind:object object_ref=3D"object_gnome_screensaver_mode" />
>>>       <ind:state state_ref=3D"state_gnome_screensaver_mode" />
>>>     </ind:xmlfilecontent_test>
>>> @@ -19,7 +23,7 @@
>>>       <ind:value_of datatype=3D"string">blank-only</ind:value_of>
>>>     </ind:xmlfilecontent_state>
>>>     <ind:xmlfilecontent_object id=3D"object_gnome_screensaver_mode" =

>>> version=3D"1">
>>> -
>>> <ind:filepath>/etc/gconf/gconf.xml.defaults/%gconf-tree.xml</ind:fil
>>> epath>
>>> -
>>> <ind:xpath>/gconf/dir[@name=3D'schemas']/dir[@name=3D'apps']/dir[@name=
=3D'
>>> gnome-screensaver']/entry[@name=3D'mode']/local_schema[1]/default[1]/s
>>> tringvalue[1]/text()</ind:xpath>
>>> + =

>>> <ind:filepath>/etc/gconf/gconf.xml.mandatory/apps/gnome-screensaver/
>>> %gconf.xml</ind:filepath>
>>> + =

>>> <ind:xpath>/gconf/entry[@name=3D'mode']/stringvalue[1]/text()</ind:xpat=
h>
>>>     </ind:xmlfilecontent_object>
>>>   </def-group>
>>> diff --git a/RHEL6/input/checks/package_GConf2_installed.xml
>>> b/RHEL6/input/checks/package_GConf2_installed.xml
>>> new file mode 100644
>>> index 0000000..032d76b
>>> --- /dev/null
>>> +++ b/RHEL6/input/checks/package_GConf2_installed.xml
>>> @@ -0,0 +1,26 @@
>>> +<def-group>
>>> + <!-- THIS FILE IS GENERATED by create_package_installed.py.  DO
>>> NOT EDIT.  -->
>>> +  <definition class=3D"compliance" id=3D"package_GConf2_installed"
>>> +  version=3D"1">
>>> +    <metadata>
>>> +      <title>Package GConf2 Installed</title>
>>> +      <affected family=3D"unix">
>>> +        <platform>Red Hat Enterprise Linux 6</platform>
>>> +      </affected>
>>> +      <description>The RPM package GConf2 should be
>>> installed.</description>
>>> +      <reference source=3D"swells" ref_id=3D"20130829" =

>>> ref_url=3D"test_attestation"/>
>>> +    </metadata>
>>> +    <criteria>
>>> +      <criterion comment=3D"package GConf2 is installed"
>>> +      test_ref=3D"test_package_GConf2_installed" />
>>> +    </criteria>
>>> +  </definition>
>>> +  <linux:rpminfo_test check=3D"all" check_existence=3D"all_exist"
>>> +  id=3D"test_package_GConf2_installed" version=3D"1"
>>> +  comment=3D"package GConf2 is installed">
>>> +    <linux:object object_ref=3D"obj_package_GConf2_installed" />
>>> +  </linux:rpminfo_test>
>>> +  <linux:rpminfo_object id=3D"obj_package_GConf2_installed" version=3D=
"1">
>>> +    <linux:name>GConf2</linux:name>
>>> +  </linux:rpminfo_object>
>>> +</def-group>
>>> diff --git a/RHEL6/input/checks/templates/packages_installed.csv
>>> b/RHEL6/input/checks/templates/packages_installed.csv
>>> index 990f332..d956daa 100644
>>> --- a/RHEL6/input/checks/templates/packages_installed.csv
>>> +++ b/RHEL6/input/checks/templates/packages_installed.csv
>>> @@ -1,6 +1,7 @@
>>>   aide
>>>   audit
>>>   cronie
>>> +GConf2
>>>   iptables
>>>   iptables-ipv6
>>>   irqbalance
>>> diff --git a/RHEL6/input/fixes/bash/package_GConf2_installed.sh
>>> b/RHEL6/input/fixes/bash/package_GConf2_installed.sh
>>> new file mode 100644
>>> index 0000000..02c8768
>>> --- /dev/null
>>> +++ b/RHEL6/input/fixes/bash/package_GConf2_installed.sh
>>> @@ -0,0 +1 @@
>>> +yum -y install GConf2
>
> This is great! Ack.
>
> This tracks back to
> https://bugzilla.redhat.com/show_bug.cgi?id=3D1043053. Give a shout =

> after you've pushed and I'll resolve the bug.
> _______________________________________________
> scap-security-guide mailing list
> scap-security-guide(a)lists.fedorahosted.org
> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide

_______________________________________________
scap-security-guide mailing list
scap-security-guide(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide

Classification: UNCLASSIFIED
Caveats: NONE



--===============1571205936277887672==--