I based this on the existing disable GNOME automounting check. I've run the command to disable it manually and checked its output against what my script checks for with testcheck.py, and everything seems to work correctly.
- Maura Dailey
Maura Dailey (1): Adding check for disabling GNOME thumbnailers in gconf
 .../checks/gconf_gnome_disable_thumbnailers.xml | 28 ++++++++++++++++++++
 RHEL6/input/system/permissions/mounting.xml      |  2 +-
 2 files changed, 29 insertions(+), 1 deletions(-)
 create mode 100644 RHEL6/input/checks/gconf_gnome_disable_thumbnailers.xml
Signed-off-by: Maura Dailey maura@eclipse.ncsc.mil
---
 .../checks/gconf_gnome_disable_thumbnailers.xml | 28 ++++++++++++++++++++
 RHEL6/input/system/permissions/mounting.xml      |  2 +-
 2 files changed, 29 insertions(+), 1 deletions(-)
 create mode 100644 RHEL6/input/checks/gconf_gnome_disable_thumbnailers.xml
diff --git a/RHEL6/input/checks/gconf_gnome_disable_thumbnailers.xml b/RHEL6/input/checks/gconf_gnome_disable_thumbnailers.xml new file mode 100644 index 0000000..72bf086 --- /dev/null +++ b/RHEL6/input/checks/gconf_gnome_disable_thumbnailers.xml @@ -0,0 +1,28 @@ +<def-group> + <definition class="compliance" + id="gconf_gnome_disable_thumbnailers" version="1"> + <metadata> + <title>Disable All GNOME Thumbnailers</title> + <affected family="unix"> + <platform>Red Hat Enterprise Linux 6</platform> + </affected> + <description>The system's default desktop environment, GNOME, uses a number of different thumbnailer programs to generate thumbnails for any new or modified content in an opened folder. Disable the execution of these thumbnail applications within GNOME.</description> + </metadata> + <criteria> + <criterion comment="Disable thumbnailers in GNOME" test_ref="test_gconf_gnome_disable_thumbnailers" /> + </criteria> + </definition> + + <ind:textfilecontent54_test check="all" check_existence="none_exist" + comment="Disable thumbnailers in GNOME" + id="test_gconf_gnome_disable_thumbnailers" version="1"> + <ind:object object_ref="obj_gconf_gnome_disable_thumbnailers" /> + </ind:textfilecontent54_test> + <ind:textfilecontent54_object id="obj_gconf_gnome_disable_thumbnailers" version="1"> + ind:path/etc/gconf/gconf.xml.mandatory/desktop/gnome/thumbnailers</ind:path> + ind:filename%gconf.xml</ind:filename> + <ind:pattern operation="pattern match">^\s*.entry\s+name="disable_all"\s+mtime="\d+"\s+type="bool"\s+value="true"/.$</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + </ind:textfilecontent54_object> + +</def-group> diff --git a/RHEL6/input/system/permissions/mounting.xml b/RHEL6/input/system/permissions/mounting.xml index 60ff0a3..6180b48 100644 --- a/RHEL6/input/system/permissions/mounting.xml +++ b/RHEL6/input/system/permissions/mounting.xml 
@@ -262,7 +262,7 @@ file to exploit this flaw. Assuming the attacker could place the malicious file malicious file would exploit the thumbnailer with the potential for malicious code execution. It is best to disable these thumbnailer applications unless they are explicitly required.</rationale> <ident cce="27224-5" /> -<oval id="disable_gnome_thumbnailers" /> +<oval id="gconf_gnome_disable_thumbnailers" /> <ref nist="CM-7" /> </Rule>
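Review bot: in the new gconf_gnome_disable_thumbnailers.xml, `check_existence="none_exist"` on the textfilecontent54_test combined with a pattern that matches `value="true"` on the `disable_all` entry makes the test true only when that entry is absent, which reads as the inverse of the definition's stated intent (compliant when thumbnailers are disabled). If the entry is meant to be required, `check_existence="at_least_one_exists"` (or `all_exist`) is the matching setting; either way, running testcheck.py against both the disabled state and the untouched default state would confirm which way the test evaluates. Separately, the `ind:path` and `ind:filename` opening tags appear without their angle brackets (`ind:path/etc/gconf/gconf.xml.mandatory/desktop/gnome/thumbnailers</ind:path>` and `ind:filename%gconf.xml</ind:filename>`), so please confirm the committed file reads `<ind:path>...</ind:path>` and `<ind:filename>%gconf.xml</ind:filename>`, otherwise the OVAL will not parse. A minor style point: the pattern uses `.` as a stand-in for the `<` and `>` around `entry`; the usual SSG idiom is to escape them as `&lt;` and `&gt;` so the regex is exact.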
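Review bot: the mounting.xml hunk changes the Rule's `<oval id>` from `disable_gnome_thumbnailers` to `gconf_gnome_disable_thumbnailers`, which matches the new definition id, but the visible context is only the tail of the rationale, so the Rule's own `id` attribute and any remediation or reference file keyed on the old `disable_gnome_thumbnailers` name are outside this hunk; a `grep -r disable_gnome_thumbnailers RHEL6/` before merging would confirm that nothing else still points at the old id.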
On 5/20/13 11:38 AM, Maura Dailey wrote:
Signed-off-by: Maura Dailey maura@eclipse.ncsc.mil
 .../checks/gconf_gnome_disable_thumbnailers.xml | 28 ++++++++++++++++++++
 RHEL6/input/system/permissions/mounting.xml      |  2 +-
 2 files changed, 29 insertions(+), 1 deletions(-)
 create mode 100644 RHEL6/input/checks/gconf_gnome_disable_thumbnailers.xml
diff --git a/RHEL6/input/checks/gconf_gnome_disable_thumbnailers.xml b/RHEL6/input/checks/gconf_gnome_disable_thumbnailers.xml new file mode 100644 index 0000000..72bf086 --- /dev/null +++ b/RHEL6/input/checks/gconf_gnome_disable_thumbnailers.xml @@ -0,0 +1,28 @@ +<def-group>
- <definition class="compliance"
- id="gconf_gnome_disable_thumbnailers" version="1">
<metadata>
<title>Disable All GNOME Thumbnailers</title><affected family="unix"><platform>Red Hat Enterprise Linux 6</platform></affected><description>The system's default desktop environment, GNOME, uses a number of different thumbnailer programs to generate thumbnails for any new or modified content in an opened folder. Disable the execution of these thumbnail applications within GNOME.</description></metadata>
<criteria>
<criterion comment="Disable thumbnailers in GNOME" test_ref="test_gconf_gnome_disable_thumbnailers" /></criteria>
</definition>
- <ind:textfilecontent54_test check="all" check_existence="none_exist"
- comment="Disable thumbnailers in GNOME"
- id="test_gconf_gnome_disable_thumbnailers" version="1">
- <ind:object object_ref="obj_gconf_gnome_disable_thumbnailers" />
- </ind:textfilecontent54_test>
- <ind:textfilecontent54_object id="obj_gconf_gnome_disable_thumbnailers" version="1">
- ind:path/etc/gconf/gconf.xml.mandatory/desktop/gnome/thumbnailers</ind:path>
- ind:filename%gconf.xml</ind:filename>
- <ind:pattern operation="pattern match">^\s*.entry\s+name="disable_all"\s+mtime="\d+"\s+type="bool"\s+value="true"/.$</ind:pattern>
- <ind:instance datatype="int">1</ind:instance>
- </ind:textfilecontent54_object>
+</def-group> diff --git a/RHEL6/input/system/permissions/mounting.xml b/RHEL6/input/system/permissions/mounting.xml index 60ff0a3..6180b48 100644 --- a/RHEL6/input/system/permissions/mounting.xml +++ b/RHEL6/input/system/permissions/mounting.xml @@ -262,7 +262,7 @@ file to exploit this flaw. Assuming the attacker could place the malicious file malicious file would exploit the thumbnailer with the potential for malicious code execution. It is best to disable these thumbnailer applications unless they are explicitly required.</rationale>
<ident cce="27224-5" /> -<oval id="disable_gnome_thumbnailers" /> +<oval id="gconf_gnome_disable_thumbnailers" /> <ref nist="CM-7" /> </Rule>
ack
scap-security-guide@lists.fedorahosted.org