For SSGID Set GNOME Login Inactivity Timeout - (CCE-26828-4), with either the stig-rhel6-server or usgcb-rhel6-server profiles selected from the SCAP stream, when run with SCC 3.1.1.1, may produce a false-positive on a RHEL6V1R2 complaint machine.. With the X Window System not installed, the configuration check will fail. Recommend verifying if a windowing system is installed, then, if applicable, check the configuration.
On 02/14/2014 02:17 PM, ssg fthfth wrote:
For SSGID Set GNOME Login Inactivity Timeout - (CCE-26828-4), with either the stig-rhel6-server or usgcb-rhel6-server profiles selected from the SCAP stream, when run with SCC 3.1.1.1, may produce a false-positive on a RHEL6V1R2 complaint machine.. With the X Window System not installed, the configuration check will fail. Recommend verifying if a windowing system is installed, then, if applicable, check the configuration.
scap-security-guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
The check is essentially structured as: (Is GConf Installed? Negate value.) OR (Is the GConf setting applied?)
The truth table is as follows:
Pass GConf Installed? (Negated): No GConf Value Set?: Yes Fail GConf Installed? (Negated): No GConf Value Set?: No Pass GConf Installed? (Negated): Yes GConf Value Set?: Yes Pass GConf Installed? (Negated): Yes GConf Value Set?: No
Assuming I am reading this bug report/warning correctly, the false positive probably refers to the last line, when GConf is not installed, and the value is not set. Obviously, the meaning is still correct (users should pass, because there is no utility that will even read the config file). Is this a problem? There are several other checks that use the same structure.
- Maura Dailey
scap-security-guide@lists.fedorahosted.org
-
Maura Dailey -
ssg fthfth