On 12/16/13, 11:43 AM, Maura Dailey wrote:
I've been out sick, but I noticed that no one seems to have
looked at
this one. Let me know if I can push this or if I need to change
something.
Thanks,
Maura Dailey
On 11/25/2013 04:02 PM, Maura Dailey wrote:
> Signed-off-by: Maura Dailey <maura(a)eclipse.ncsc.mil>
> ---
> .../input/checks/gconf_gnome_disable_automount.xml | 59
> +++++++++++---------
> .../checks/gconf_gnome_disable_thumbnailers.xml | 34 ++++++-----
> ...f_gnome_screensaver_idle_activation_enabled.xml | 19 ++++--
> .../checks/gconf_gnome_screensaver_idle_delay.xml | 24 +++++---
> .../gconf_gnome_screensaver_lock_enabled.xml | 14 +++--
> .../checks/gconf_gnome_screensaver_mode_blank.xml | 12 +++-
> RHEL6/input/checks/package_GConf2_installed.xml | 26 +++++++++
> .../input/checks/templates/packages_installed.csv | 1 +
> RHEL6/input/fixes/bash/package_GConf2_installed.sh | 1 +
> 9 files changed, 124 insertions(+), 66 deletions(-)
> create mode 100644 RHEL6/input/checks/package_GConf2_installed.xml
> create mode 100644 RHEL6/input/fixes/bash/package_GConf2_installed.sh
>
> diff --git a/RHEL6/input/checks/gconf_gnome_disable_automount.xml
> b/RHEL6/input/checks/gconf_gnome_disable_automount.xml
> index e2e7efc..f78fc89 100644
> --- a/RHEL6/input/checks/gconf_gnome_disable_automount.xml
> +++ b/RHEL6/input/checks/gconf_gnome_disable_automount.xml
> @@ -1,41 +1,46 @@
> <def-group>
> - <definition class="compliance"
> - id="gconf_gnome_disable_automount" version="1">
> + <definition class="compliance"
id="gconf_gnome_disable_automount"
> version="1">
> <metadata>
> <title>Disable GNOME Automounting</title>
> <affected family="unix">
> <platform>Red Hat Enterprise Linux 6</platform>
> </affected>
> - <description>The system's default desktop environment, GNOME,
> will mount devices and removable media (such as DVDs, CDs and USB
> flash drives) whenever they are inserted into the system. Disable
> automount and autorun within GNOME.</description>
> + <description>The system's default desktop environment, GNOME,
> will mount
> + devices and removable media (such as DVDs, CDs and USB flash
> drives)
> + whenever they are inserted into the system. Disable automount
> and autorun
> + within GNOME.</description>
> + <reference source="MED" ref_id="20131125"
> ref_url="test_attestation" />
> </metadata>
> - <criteria operator="AND">
> + <criteria operator="OR">
> + <extend_definition comment="GConf2 installed"
> definition_ref="package_GConf2_installed" negate="true" />
> <criterion comment="Disable automount in GNOME"
> test_ref="test_gconf_gnome_disable_automount" />
> - <criterion comment="Disable autorun in GNOME"
> test_ref="test_gconf_gnome_disable_automount_autorun" />
> + <criterion comment="Disable autorun in GNOME"
> test_ref="test_gconf_gnome_disable_automount_autorun" />
> </criteria>
> </definition>
> -
> - <ind:textfilecontent54_test check="all"
check_existence="all_exist"
> - comment="Disable automount in GNOME"
> - id="test_gconf_gnome_disable_automount" version="1">
> + <ind:xmlfilecontent_test check="all"
check_existence="all_exist"
> + comment="Disable automount in GNOME"
> id="test_gconf_gnome_disable_automount"
> + version="1">
> <ind:object object_ref="obj_gconf_gnome_disable_automount" />
> - </ind:textfilecontent54_test>
> - <ind:textfilecontent54_object
> id="obj_gconf_gnome_disable_automount" version="1">
> -
>
<ind:path>/etc/gconf/gconf.xml.mandatory/apps/nautilus/preferences</ind:path>
> - <ind:filename>%gconf.xml</ind:filename>
> - <ind:pattern operation="pattern
>
match">^\s*.entry\s+name="media_automount"\s+mtime="\d+"\s+type="bool"\s+value="false"\/.$</ind:pattern>
> - <ind:instance datatype="int">1</ind:instance>
> - </ind:textfilecontent54_object>
> -
> - <ind:textfilecontent54_test check="all"
check_existence="all_exist"
> - comment="Disable autorun in GNOME"
> + <ind:state state_ref="state_gconf_gnome_disable_automount" />
> + </ind:xmlfilecontent_test>
> + <ind:xmlfilecontent_state id="state_gconf_gnome_disable_automount"
> version="1">
> + <ind:value_of datatype="string">false</ind:value_of>
> + </ind:xmlfilecontent_state>
> + <ind:xmlfilecontent_object id="obj_gconf_gnome_disable_automount"
> version="1">
> +
>
<ind:filepath>/etc/gconf/gconf.xml.mandatory/apps/nautilus/preferences/%gconf.xml</ind:filepath>
> +
<ind:xpath>/gconf/entry[@name='media_automount']/@value</ind:xpath>
> + </ind:xmlfilecontent_object>
> + <ind:xmlfilecontent_test check="all"
check_existence="all_exist"
> + comment="Disable autorun in GNOME"
> id="test_gconf_gnome_disable_automount_autorun"
version="1">
> <ind:object
> object_ref="obj_gconf_gnome_disable_automount_autorun" />
> - </ind:textfilecontent54_test>
> - <ind:textfilecontent54_object
> id="obj_gconf_gnome_disable_automount_autorun" version="1">
> -
>
<ind:path>/etc/gconf/gconf.xml.mandatory/apps/nautilus/preferences</ind:path>
> - <ind:filename>%gconf.xml</ind:filename>
> - <ind:pattern operation="pattern
>
match">^\s*.entry\s+name="media_autorun_never"\s+mtime="\d+"\s+type="bool"\s+value="true"\/.$</ind:pattern>
> - <ind:instance datatype="int">1</ind:instance>
> - </ind:textfilecontent54_object>
> -
> + <ind:state
> state_ref="state_gconf_gnome_disable_automount_autorun" />
> + </ind:xmlfilecontent_test>
> + <ind:xmlfilecontent_state
> id="state_gconf_gnome_disable_automount_autorun" version="1">
> + <ind:value_of datatype="string">true</ind:value_of>
> + </ind:xmlfilecontent_state>
> + <ind:xmlfilecontent_object
> id="obj_gconf_gnome_disable_automount_autorun" version="1">
> +
>
<ind:filepath>/etc/gconf/gconf.xml.mandatory/apps/nautilus/preferences/%gconf.xml</ind:filepath>
> +
<ind:xpath>/gconf/entry[@name='media_autorun_never']/@value</ind:xpath>
> + </ind:xmlfilecontent_object>
> </def-group>
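Review bot: The flattened `<criteria operator="OR">` near the top of this hunk lets a host with GConf2 installed pass when only one of the two settings is enforced, because the negated extend_definition and both criterion elements are now direct OR siblings, whereas the removed block required both criteria with AND. A system with media_automount set to false but media_autorun_never still unset would evaluate true. Keep the OR for the package guard but nest the two criteria inside it: wrap them in `<criteria operator="AND">` … `</criteria>` so the definition reads "GConf2 absent, or (automount disabled and autorun disabled)". The single-criterion definitions elsewhere in the patch (thumbnailers, screensaver) do not have this problem.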
> diff --git a/RHEL6/input/checks/gconf_gnome_disable_thumbnailers.xml
> b/RHEL6/input/checks/gconf_gnome_disable_thumbnailers.xml
> index 72bf086..80045a3 100644
> --- a/RHEL6/input/checks/gconf_gnome_disable_thumbnailers.xml
> +++ b/RHEL6/input/checks/gconf_gnome_disable_thumbnailers.xml
> @@ -1,28 +1,32 @@
> <def-group>
> - <definition class="compliance"
> - id="gconf_gnome_disable_thumbnailers" version="1">
> + <definition class="compliance"
> id="gconf_gnome_disable_thumbnailers" version="1">
> <metadata>
> <title>Disable All GNOME Thumbnailers</title>
> <affected family="unix">
> <platform>Red Hat Enterprise Linux 6</platform>
> </affected>
> - <description>The system's default desktop environment, GNOME,
> uses a number of different thumbnailer programs to generate
> thumbnails for any new or modified content in an opened folder.
> Disable the execution of these thumbnail applications within
> GNOME.</description>
> + <description>The system's default desktop environment, GNOME,
> uses a
> + number of different thumbnailer programs to generate
> thumbnails for any
> + new or modified content in an opened folder. Disable the
> execution of
> + these thumbnail applications within GNOME.</description>
> + <reference source="MED" ref_id="20131125"
> ref_url="test_attestation" />
> </metadata>
> - <criteria>
> + <criteria operator="OR">
> + <extend_definition comment="GConf2 installed"
> definition_ref="package_GConf2_installed" negate="true" />
> <criterion comment="Disable thumbnailers in GNOME"
> test_ref="test_gconf_gnome_disable_thumbnailers" />
> </criteria>
> </definition>
> -
> - <ind:textfilecontent54_test check="all"
check_existence="none_exist"
> - comment="Disable thumbnailers in GNOME"
> + <ind:xmlfilecontent_test check="all"
check_existence="all_exist"
> + comment="Disable thumbnailers in GNOME"
> id="test_gconf_gnome_disable_thumbnailers" version="1">
> <ind:object object_ref="obj_gconf_gnome_disable_thumbnailers"
/>
> - </ind:textfilecontent54_test>
> - <ind:textfilecontent54_object
> id="obj_gconf_gnome_disable_thumbnailers" version="1">
> -
>
<ind:path>/etc/gconf/gconf.xml.mandatory/desktop/gnome/thumbnailers</ind:path>
> - <ind:filename>%gconf.xml</ind:filename>
> - <ind:pattern operation="pattern
>
match">^\s*.entry\s+name="disable_all"\s+mtime="\d+"\s+type="bool"\s+value="true"\/.$</ind:pattern>
> - <ind:instance datatype="int">1</ind:instance>
> - </ind:textfilecontent54_object>
> -
> + <ind:state state_ref="state_gconf_gnome_disable_thumbnailers"
/>
> + </ind:xmlfilecontent_test>
> + <ind:xmlfilecontent_state
> id="state_gconf_gnome_disable_thumbnailers" version="1">
> + <ind:value_of datatype="string">true</ind:value_of>
> + </ind:xmlfilecontent_state>
> + <ind:xmlfilecontent_object
> id="obj_gconf_gnome_disable_thumbnailers" version="1">
> +
>
<ind:filepath>/etc/gconf/gconf.xml.mandatory/desktop/gnome/thumbnailers/%gconf.xml</ind:filepath>
> +
<ind:xpath>/gconf/entry[@name='disable_all']/@value</ind:xpath>
> + </ind:xmlfilecontent_object>
> </def-group>
> diff --git
> a/RHEL6/input/checks/gconf_gnome_screensaver_idle_activation_enabled.xml
> b/RHEL6/input/checks/gconf_gnome_screensaver_idle_activation_enabled.xml
> index 5776014..0d012a7 100644
> ---
> a/RHEL6/input/checks/gconf_gnome_screensaver_idle_activation_enabled.xml
> +++
> b/RHEL6/input/checks/gconf_gnome_screensaver_idle_activation_enabled.xml
> @@ -5,21 +5,26 @@
> <affected family="unix">
> <platform>Red Hat Enterprise Linux 6</platform>
> </affected>
> - <description>Idle activation of the screen saver should be
> enabled.</description>
> + <description>Idle activation of the screen saver should be
> + enabled.</description>
> + <reference source="MED" ref_id="20131125"
> ref_url="test_attestation" />
> </metadata>
> - <criteria>
> + <criteria operator="OR">
> + <extend_definition comment="GConf2 installed"
> definition_ref="package_GConf2_installed" negate="true" />
> <criterion comment="gnome screensaver is activated on idle"
> test_ref="test_gnome_screensaver_idle_activated" />
> </criteria>
> </definition>
> - <ind:xmlfilecontent_test check="all" comment="gnome screensaver
is
> activated on idle" id="test_gnome_screensaver_idle_activated"
> version="1">
> + <ind:xmlfilecontent_test check="all"
> + comment="gnome screensaver is activated on idle"
> + id="test_gnome_screensaver_idle_activated" version="1">
> <ind:object
> object_ref="object_gnome_screensaver_idle_activated" />
> - <ind:state state_ref="state_activated_on_idle" />
> + <ind:state state_ref="state_gnome_screensaver_idle_activated"
/>
> </ind:xmlfilecontent_test>
> - <ind:xmlfilecontent_state id="state_activated_on_idle"
version="1">
> + <ind:xmlfilecontent_state
> id="state_gnome_screensaver_idle_activated" version="1">
> <ind:value_of datatype="string">true</ind:value_of>
> </ind:xmlfilecontent_state>
> <ind:xmlfilecontent_object
> id="object_gnome_screensaver_idle_activated" version="1">
> -
>
<ind:filepath>/etc/gconf/gconf.xml.defaults/%gconf-tree.xml</ind:filepath>
> -
>
<ind:xpath>/gconf/dir[@name='schemas']/dir[@name='apps']/dir[@name='gnome-screensaver']/entry[@name='idle_activation_enabled']/local_schema[1]/default[1]/@value</ind:xpath>
> +
>
<ind:filepath>/etc/gconf/gconf.xml.mandatory/apps/gnome-screensaver/%gconf.xml</ind:filepath>
> +
>
<ind:xpath>/gconf/entry[@name='idle_activation_enabled']/@value</ind:xpath>
> </ind:xmlfilecontent_object>
> </def-group>
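Review bot: The reformatted `<ind:xmlfilecontent_test check="all"` element in the middle of this hunk still omits `check_existence`, while the automount and thumbnailer tests rewritten in the same patch spell out `check_existence="all_exist"`. With a single referenced object both forms should evaluate the same way (the OVAL default is at_least_one_exists, as far as I recall), so this is consistency rather than correctness, but a reader comparing the files will wonder why the screensaver tests differ. Suggest adding `check_existence="all_exist"` to the opening tag here and to the matching tests in gconf_gnome_screensaver_idle_delay.xml, gconf_gnome_screensaver_lock_enabled.xml and gconf_gnome_screensaver_mode_blank.xml.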
> diff --git
> a/RHEL6/input/checks/gconf_gnome_screensaver_idle_delay.xml
> b/RHEL6/input/checks/gconf_gnome_screensaver_idle_delay.xml
> index 70cc1c2..c77e608 100644
> --- a/RHEL6/input/checks/gconf_gnome_screensaver_idle_delay.xml
> +++ b/RHEL6/input/checks/gconf_gnome_screensaver_idle_delay.xml
> @@ -5,22 +5,30 @@
> <affected family="unix">
> <platform>Red Hat Enterprise Linux 6</platform>
> </affected>
> - <description>The allowed period of inactivity before the
> screensaver is activated.</description>
> + <description>The allowed period of inactivity before the
> screensaver is
> + activated.</description>
> + <reference source="MED" ref_id="20131125"
> ref_url="test_attestation" />
> </metadata>
> - <criteria>
> + <criteria operator="OR">
> + <extend_definition comment="GConf2 installed"
> definition_ref="package_GConf2_installed" negate="true" />
> <criterion comment="check value of idle_delay in GCONF"
> test_ref="test_gnome_screensaver_idle_delay" />
> </criteria>
> </definition>
> - <ind:xmlfilecontent_test check="all" comment="test screensaver
> timeout period" id="test_gnome_screensaver_idle_delay"
version="1">
> + <ind:xmlfilecontent_test check="all"
> + comment="test screensaver timeout period"
> + id="test_gnome_screensaver_idle_delay" version="1">
> <ind:object object_ref="object_gnome_screensaver_idle_delay"
/>
> <ind:state state_ref="state_gnome_screensaver_idle_delay" />
> </ind:xmlfilecontent_test>
> <ind:xmlfilecontent_object
> id="object_gnome_screensaver_idle_delay" version="1">
> -
>
<ind:filepath>/etc/gconf/gconf.xml.defaults/%gconf-tree.xml</ind:filepath>
> - <ind:xpath datatype="string"
>
operation="equals">/gconf/dir[@name='schemas']/dir[@name='apps']/dir[@name='gnome-screensaver']/entry[@name='idle_delay']/local_schema[1]/default[1]/@value</ind:xpath>
> +
>
<ind:filepath>/etc/gconf/gconf.xml.mandatory/apps/gnome-screensaver/%gconf.xml</ind:filepath>
> + <ind:xpath>/gconf/entry[@name='idle_delay']/@value</ind:xpath>
> </ind:xmlfilecontent_object>
> - <ind:xmlfilecontent_state comment="idle timeout"
> id="state_gnome_screensaver_idle_delay" version="1">
> - <ind:value_of datatype="int" operation="less than or
equal"
> var_check="all" var_ref="inactivity_timeout_value" />
> + <ind:xmlfilecontent_state comment="idle timeout"
> + id="state_gnome_screensaver_idle_delay" version="1">
> + <ind:value_of datatype="int" operation="less than or
equal"
> var_check="all"
> + var_ref="inactivity_timeout_value" />
> </ind:xmlfilecontent_state>
> - <external_variable comment="inactivity timeout variable"
> datatype="int" id="inactivity_timeout_value"
version="1" />
> + <external_variable comment="inactivity timeout variable"
> datatype="int"
> + id="inactivity_timeout_value" version="1" />
> </def-group>
> diff --git
> a/RHEL6/input/checks/gconf_gnome_screensaver_lock_enabled.xml
> b/RHEL6/input/checks/gconf_gnome_screensaver_lock_enabled.xml
> index 06d3020..cc031fc 100644
> --- a/RHEL6/input/checks/gconf_gnome_screensaver_lock_enabled.xml
> +++ b/RHEL6/input/checks/gconf_gnome_screensaver_lock_enabled.xml
> @@ -5,19 +5,23 @@
> <affected family="unix">
> <platform>Red Hat Enterprise Linux 6</platform>
> </affected>
> - <description>Idle activation of the screen lock should be
> enabled.</description>
> + <description>Idle activation of the screen lock should be
> + enabled.</description>
> + <reference source="MED" ref_id="20131125"
> ref_url="test_attestation" />
> </metadata>
> - <criteria>
> + <criteria operator="OR">
> + <extend_definition comment="GConf2 installed"
> definition_ref="package_GConf2_installed" negate="true" />
> <criterion comment="screensaver lock is enabled"
> test_ref="test_screensaver_lock_enabled" />
> </criteria>
> </definition>
> - <ind:xmlfilecontent_test check="all" comment="screensaver lock
is
> enabled" id="test_screensaver_lock_enabled" version="1">
> + <ind:xmlfilecontent_test check="all" comment="screensaver lock
is
> enabled"
> + id="test_screensaver_lock_enabled" version="1">
> <ind:object object_ref="object_screensaver_lock_enabled" />
> <ind:state state_ref="state_screensaver_lock_enabled" />
> </ind:xmlfilecontent_test>
> <ind:xmlfilecontent_object id="object_screensaver_lock_enabled"
> version="1">
> -
>
<ind:filepath>/etc/gconf/gconf.xml.defaults/%gconf-tree.xml</ind:filepath>
> -
>
<ind:xpath>/gconf/dir[@name='schemas']/dir[@name='apps']/dir[@name='gnome-screensaver']/entry[@name='lock_enabled']/local_schema[1]/default[1]/@value</ind:xpath>
> +
>
<ind:filepath>/etc/gconf/gconf.xml.mandatory/apps/gnome-screensaver/%gconf.xml</ind:filepath>
> +
<ind:xpath>/gconf/entry[@name='lock_enabled']/@value</ind:xpath>
> </ind:xmlfilecontent_object>
> <ind:xmlfilecontent_state id="state_screensaver_lock_enabled"
> version="1">
> <ind:value_of datatype="string">true</ind:value_of>
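Review bot: The `<description>` rewritten at the top of this hunk still says only that idle activation of the screen lock should be enabled, while the object below now reads the setting from `/etc/gconf/gconf.xml.mandatory/...` instead of the defaults tree, which is the substantive part of the check: as I understand GConf's source ordering, a value in the defaults tree can be overridden per user and a mandatory one cannot. Suggest the description say so, e.g. `<description>Idle activation of the screen lock should be enabled, and the setting should be placed in the mandatory GConf source so that users cannot override it.</description>`. The same wording gap applies to the descriptions in the idle_activation_enabled, idle_delay and mode_blank hunks of this patch.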
> diff --git
> a/RHEL6/input/checks/gconf_gnome_screensaver_mode_blank.xml
> b/RHEL6/input/checks/gconf_gnome_screensaver_mode_blank.xml
> index 7cad7cd..8229d71 100644
> --- a/RHEL6/input/checks/gconf_gnome_screensaver_mode_blank.xml
> +++ b/RHEL6/input/checks/gconf_gnome_screensaver_mode_blank.xml
> @@ -6,12 +6,16 @@
> <platform>Red Hat Enterprise Linux 6</platform>
> </affected>
> <description>The screen saver should be blank.</description>
> + <reference source="MED" ref_id="20131125"
> ref_url="test_attestation" />
> </metadata>
> - <criteria>
> + <criteria operator="OR">
> + <extend_definition comment="GConf2 installed"
> definition_ref="package_GConf2_installed" negate="true" />
> <criterion comment="gnome screensaver set to blank screen"
> test_ref="test_gnome_screensaver_mode" />
> </criteria>
> </definition>
> - <ind:xmlfilecontent_test check="all" comment="gnome screensaver
> set to blank screen" id="test_gnome_screensaver_mode"
version="1">
> + <ind:xmlfilecontent_test check="all"
> + comment="gnome screensaver set to blank screen"
> + id="test_gnome_screensaver_mode" version="1">
> <ind:object object_ref="object_gnome_screensaver_mode" />
> <ind:state state_ref="state_gnome_screensaver_mode" />
> </ind:xmlfilecontent_test>
> @@ -19,7 +23,7 @@
> <ind:value_of
datatype="string">blank-only</ind:value_of>
> </ind:xmlfilecontent_state>
> <ind:xmlfilecontent_object id="object_gnome_screensaver_mode"
> version="1">
> -
>
<ind:filepath>/etc/gconf/gconf.xml.defaults/%gconf-tree.xml</ind:filepath>
> -
>
<ind:xpath>/gconf/dir[@name='schemas']/dir[@name='apps']/dir[@name='gnome-screensaver']/entry[@name='mode']/local_schema[1]/default[1]/stringvalue[1]/text()</ind:xpath>
> +
>
<ind:filepath>/etc/gconf/gconf.xml.mandatory/apps/gnome-screensaver/%gconf.xml</ind:filepath>
> +
<ind:xpath>/gconf/entry[@name='mode']/stringvalue[1]/text()</ind:xpath>
> </ind:xmlfilecontent_object>
> </def-group>
> diff --git a/RHEL6/input/checks/package_GConf2_installed.xml
> b/RHEL6/input/checks/package_GConf2_installed.xml
> new file mode 100644
> index 0000000..032d76b
> --- /dev/null
> +++ b/RHEL6/input/checks/package_GConf2_installed.xml
> @@ -0,0 +1,26 @@
> +<def-group>
> + <!-- THIS FILE IS GENERATED by create_package_installed.py. DO NOT
> EDIT. -->
> + <definition class="compliance"
id="package_GConf2_installed"
> + version="1">
> + <metadata>
> + <title>Package GConf2 Installed</title>
> + <affected family="unix">
> + <platform>Red Hat Enterprise Linux 6</platform>
> + </affected>
> + <description>The RPM package GConf2 should be
> installed.</description>
> + <reference source="swells" ref_id="20130829"
> ref_url="test_attestation"/>
> + </metadata>
> + <criteria>
> + <criterion comment="package GConf2 is installed"
> + test_ref="test_package_GConf2_installed" />
> + </criteria>
> + </definition>
> + <linux:rpminfo_test check="all"
check_existence="all_exist"
> + id="test_package_GConf2_installed" version="1"
> + comment="package GConf2 is installed">
> + <linux:object object_ref="obj_package_GConf2_installed" />
> + </linux:rpminfo_test>
> + <linux:rpminfo_object id="obj_package_GConf2_installed"
version="1">
> + <linux:name>GConf2</linux:name>
> + </linux:rpminfo_object>
> +</def-group>
> diff --git a/RHEL6/input/checks/templates/packages_installed.csv
> b/RHEL6/input/checks/templates/packages_installed.csv
> index 990f332..d956daa 100644
> --- a/RHEL6/input/checks/templates/packages_installed.csv
> +++ b/RHEL6/input/checks/templates/packages_installed.csv
> @@ -1,6 +1,7 @@
> aide
> audit
> cronie
> +GConf2
> iptables
> iptables-ipv6
> irqbalance
> diff --git a/RHEL6/input/fixes/bash/package_GConf2_installed.sh
> b/RHEL6/input/fixes/bash/package_GConf2_installed.sh
> new file mode 100644
> index 0000000..02c8768
> --- /dev/null
> +++ b/RHEL6/input/fixes/bash/package_GConf2_installed.sh
> @@ -0,0 +1 @@
> +yum -y install GConf2
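Review bot: This remediation installs GConf2 on every host it runs on, while every gconf check in this patch treats a host without GConf2 as compliant through the negated extend_definition. If package_GConf2_installed is only a helper for those definitions and is not meant to be selected as a rule in a profile, this script adds a package to headless systems that have no use for it; if it is meant to be a rule, the generated description `The RPM package GConf2 should be installed` states a requirement the other definitions do not share. Worth confirming which is intended before the rule and its fix are exposed in a profile; in the helper case the generated check can stay and this remediation can be dropped. I cannot see from the patch whether the XCCDF side references this rule.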
This is great! Ack.
This tracks back to
https://bugzilla.redhat.com/show_bug.cgi?id=1043053.
Give a shout after you've pushed and I'll resolve the bug.