---
 RHEL/6/input/checks/banner_gui_enabled.xml | 3 +-
 RHEL/6/input/checks/package_gdm_installed.xml | 26 ++++++++++++++++++++
 .../input/checks/templates/packages_installed.csv | 1 +
 RHEL/6/input/fixes/bash/package_gdm_installed.sh | 1 +
 4 files changed, 30 insertions(+), 1 deletions(-)
 create mode 100644 RHEL/6/input/checks/package_gdm_installed.xml
 create mode 100644 RHEL/6/input/fixes/bash/package_gdm_installed.sh
diff --git a/RHEL/6/input/checks/banner_gui_enabled.xml b/RHEL/6/input/checks/banner_gui_enabled.xml
index a6c147c..4be3183 100644
--- a/RHEL/6/input/checks/banner_gui_enabled.xml
+++ b/RHEL/6/input/checks/banner_gui_enabled.xml
@@ -8,7 +8,8 @@
 <description>Enable the GUI warning banner.</description>
 <reference source="rmercer" ref_id="20131104" ref_url="test_attestation" />
 </metadata>
- <criteria>
+ <criteria operator="OR">
+ <extend_definition comment="gdm installed" definition_ref="package_gdm_installed" negate="true" />
 <criterion comment="check settings" test_ref="test_banner_gui_enabled" />
 </criteria>
 </definition>
diff --git a/RHEL/6/input/checks/package_gdm_installed.xml b/RHEL/6/input/checks/package_gdm_installed.xml
new file mode 100644
index 0000000..b9ea21f
--- /dev/null
+++ b/RHEL/6/input/checks/package_gdm_installed.xml
@@ -0,0 +1,26 @@
+<def-group>
+ <!-- THIS FILE IS GENERATED by create_package_installed.py. DO NOT EDIT. -->
+ <definition class="compliance" id="package_gdm_installed"
+ version="1">
+ <metadata>
+ <title>Package gdm Installed</title>
+ <affected family="unix">
+ <platform>Red Hat Enterprise Linux 6</platform>
+ </affected>
+ <description>The RPM package gdm should be installed.</description>
+ <reference source="swells" ref_id="20130829" ref_url="test_attestation"/>
+ </metadata>
+ <criteria>
+ <criterion comment="package gdm is installed"
+ test_ref="test_package_gdm_installed" />
+ </criteria>
+ </definition>
+ <linux:rpminfo_test check="all" check_existence="all_exist"
+ id="test_package_gdm_installed" version="1"
+ comment="package gdm is installed">
+ <linux:object object_ref="obj_package_gdm_installed" />
+ </linux:rpminfo_test>
+ <linux:rpminfo_object id="obj_package_gdm_installed" version="1">
+ linux:namegdm</linux:name>
+ </linux:rpminfo_object>
+</def-group>
diff --git a/RHEL/6/input/checks/templates/packages_installed.csv b/RHEL/6/input/checks/templates/packages_installed.csv
index 6dfc406..ef6e737 100644
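Review bot: The new `extend_definition` in banner_gui_enabled.xml carries `comment="gdm installed"` while `negate="true"` makes the branch true when gdm is absent, so anyone reading scan results sees a label that says the opposite of what was evaluated; `comment="gdm not installed"` would match the logic. With `operator="OR"`, a host without gdm now passes banner_gui_enabled without the banner setting being examined at all. The thread itself mentions hosts that reach a GNOME session over VNC without gdm. The `<description>` should therefore say that the rule only asserts the banner where gdm is the login path, for example `Enable the GUI warning banner when gdm is installed.`. The enclosing `<definition>` starts above the hunk.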
--- a/RHEL/6/input/checks/templates/packages_installed.csv
+++ b/RHEL/6/input/checks/templates/packages_installed.csv
@@ -2,6 +2,7 @@ aide
 audit
 cronie
 GConf2
+gdm
 iptables
 iptables-ipv6
 irqbalance
diff --git a/RHEL/6/input/fixes/bash/package_gdm_installed.sh b/RHEL/6/input/fixes/bash/package_gdm_installed.sh
new file mode 100644
index 0000000..b5025fa
--- /dev/null
+++ b/RHEL/6/input/fixes/bash/package_gdm_installed.sh
@@ -0,0 +1 @@
+yum -y install gdm
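Review bot: Nothing visible in this commit requires gdm to be present, so the new package_gdm_installed.sh remediation (`yum -y install gdm`) would add a display manager and a graphical login surface to hosts that banner_gui_enabled already treats as compliant without it. The only use of `package_gdm_installed` shown here is as a negated applicability condition; whether any rule or profile selects it as a requirement is not visible from this patch and should be confirmed. If it is meant purely as a helper definition, the fix script is better left out. Otherwise it should open with a comment stating the intent, such as `# Only for profiles that require a graphical login; banner_gui_enabled passes when gdm is absent.`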
I have an open question that you and others can weigh in on. Should we introduce a new check, package_gdm_installed? Or is it sufficient to rely on the existing check GConf2, which has gdm as a dependency? I had this dilemma when I submitted the other more closely related GConf2 dependent checks, which is why I skipped the gui banner check.
- Maura Dailey
On 04/25/2014 10:47 AM, Paul Tittle wrote:
RHEL/6/input/checks/banner_gui_enabled.xml | 3 +- RHEL/6/input/checks/package_gdm_installed.xml | 26 ++++++++++++++++++++ .../input/checks/templates/packages_installed.csv | 1 + RHEL/6/input/fixes/bash/package_gdm_installed.sh | 1 + 4 files changed, 30 insertions(+), 1 deletions(-) create mode 100644 RHEL/6/input/checks/package_gdm_installed.xml create mode 100644 RHEL/6/input/fixes/bash/package_gdm_installed.sh
diff --git a/RHEL/6/input/checks/banner_gui_enabled.xml b/RHEL/6/input/checks/banner_gui_enabled.xml index a6c147c..4be3183 100644 --- a/RHEL/6/input/checks/banner_gui_enabled.xml +++ b/RHEL/6/input/checks/banner_gui_enabled.xml @@ -8,7 +8,8 @@ <description>Enable the GUI warning banner.</description> <reference source="rmercer" ref_id="20131104" ref_url="test_attestation" /> </metadata>
<criteria>
<criteria operator="OR">
<extend_definition comment="gdm installed" definition_ref="package_gdm_installed" negate="true" /> <criterion comment="check settings" test_ref="test_banner_gui_enabled" /> </criteria></definition>
diff --git a/RHEL/6/input/checks/package_gdm_installed.xml b/RHEL/6/input/checks/package_gdm_installed.xml new file mode 100644 index 0000000..b9ea21f --- /dev/null +++ b/RHEL/6/input/checks/package_gdm_installed.xml @@ -0,0 +1,26 @@ +<def-group>
<!-- THIS FILE IS GENERATED by create_package_installed.py. DO NOT EDIT. -->
- <definition class="compliance" id="package_gdm_installed"
- version="1">
<metadata>
<title>Package gdm Installed</title><affected family="unix"><platform>Red Hat Enterprise Linux 6</platform></affected><description>The RPM package gdm should be installed.</description><reference source="swells" ref_id="20130829" ref_url="test_attestation"/></metadata>
<criteria>
<criterion comment="package gdm is installed"test_ref="test_package_gdm_installed" /></criteria>
</definition>
- <linux:rpminfo_test check="all" check_existence="all_exist"
- id="test_package_gdm_installed" version="1"
- comment="package gdm is installed">
- <linux:object object_ref="obj_package_gdm_installed" />
- </linux:rpminfo_test>
- <linux:rpminfo_object id="obj_package_gdm_installed" version="1">
- linux:namegdm</linux:name>
- </linux:rpminfo_object>
+</def-group> diff --git a/RHEL/6/input/checks/templates/packages_installed.csv b/RHEL/6/input/checks/templates/packages_installed.csv index 6dfc406..ef6e737 100644 --- a/RHEL/6/input/checks/templates/packages_installed.csv +++ b/RHEL/6/input/checks/templates/packages_installed.csv @@ -2,6 +2,7 @@ aide audit cronie GConf2 +gdm iptables iptables-ipv6 irqbalance diff --git a/RHEL/6/input/fixes/bash/package_gdm_installed.sh b/RHEL/6/input/fixes/bash/package_gdm_installed.sh new file mode 100644 index 0000000..b5025fa --- /dev/null +++ b/RHEL/6/input/fixes/bash/package_gdm_installed.sh @@ -0,0 +1 @@ +yum -y install gdm
Maura,
That's a good observation. However, I have run across a use-case where GConf2 is installed but gdm isn't: you can have vnc sessions that use gnome-session. The other gconf checks are needed for that machine, but the gdm one isn't. So I think it may be necessary to have a separate gdm package check.
On 4/25/14 11:17 AM, Maura Dailey wrote:
I have an open question that you and others can weigh in on. Should we introduce a new check, package_gdm_installed? Or is it sufficient to rely on the existing check GConf2, which has gdm as a dependency? I had this dilemma when I submitted the other more closely related GConf2 dependent checks, which is why I skipped the gui banner check.
- Maura Dailey
On 04/25/2014 10:47 AM, Paul Tittle wrote:
RHEL/6/input/checks/banner_gui_enabled.xml | 3 +- RHEL/6/input/checks/package_gdm_installed.xml | 26 ++++++++++++++++++++ .../input/checks/templates/packages_installed.csv | 1 + RHEL/6/input/fixes/bash/package_gdm_installed.sh | 1 + 4 files changed, 30 insertions(+), 1 deletions(-) create mode 100644 RHEL/6/input/checks/package_gdm_installed.xml create mode 100644 RHEL/6/input/fixes/bash/package_gdm_installed.sh
diff --git a/RHEL/6/input/checks/banner_gui_enabled.xml b/RHEL/6/input/checks/banner_gui_enabled.xml index a6c147c..4be3183 100644 --- a/RHEL/6/input/checks/banner_gui_enabled.xml +++ b/RHEL/6/input/checks/banner_gui_enabled.xml @@ -8,7 +8,8 @@ <description>Enable the GUI warning banner.</description> <reference source="rmercer" ref_id="20131104" ref_url="test_attestation" /> </metadata>
<criteria>
<criteria operator="OR">
<extend_definition comment="gdm installed"definition_ref="package_gdm_installed" negate="true" /> <criterion comment="check settings" test_ref="test_banner_gui_enabled" /> </criteria> </definition> diff --git a/RHEL/6/input/checks/package_gdm_installed.xml b/RHEL/6/input/checks/package_gdm_installed.xml new file mode 100644 index 0000000..b9ea21f --- /dev/null +++ b/RHEL/6/input/checks/package_gdm_installed.xml @@ -0,0 +1,26 @@ +<def-group>
- <!-- THIS FILE IS GENERATED by create_package_installed.py. DO NOT
EDIT. -->
- <definition class="compliance" id="package_gdm_installed"
- version="1">
<metadata>
<title>Package gdm Installed</title><affected family="unix"><platform>Red Hat Enterprise Linux 6</platform></affected><description>The RPM package gdm should beinstalled.</description>
<reference source="swells" ref_id="20130829"ref_url="test_attestation"/>
</metadata>
<criteria>
<criterion comment="package gdm is installed"test_ref="test_package_gdm_installed" /></criteria>
</definition>
- <linux:rpminfo_test check="all" check_existence="all_exist"
- id="test_package_gdm_installed" version="1"
- comment="package gdm is installed">
- <linux:object object_ref="obj_package_gdm_installed" />
- </linux:rpminfo_test>
- <linux:rpminfo_object id="obj_package_gdm_installed" version="1">
- linux:namegdm</linux:name>
- </linux:rpminfo_object>
+</def-group> diff --git a/RHEL/6/input/checks/templates/packages_installed.csv b/RHEL/6/input/checks/templates/packages_installed.csv index 6dfc406..ef6e737 100644 --- a/RHEL/6/input/checks/templates/packages_installed.csv +++ b/RHEL/6/input/checks/templates/packages_installed.csv @@ -2,6 +2,7 @@ aide audit cronie GConf2 +gdm iptables iptables-ipv6 irqbalance diff --git a/RHEL/6/input/fixes/bash/package_gdm_installed.sh b/RHEL/6/input/fixes/bash/package_gdm_installed.sh new file mode 100644 index 0000000..b5025fa --- /dev/null +++ b/RHEL/6/input/fixes/bash/package_gdm_installed.sh @@ -0,0 +1 @@ +yum -y install gdm
If you've run into this situation, however unusual, then your rationale makes sense to me. ACK.
- Maura Dailey
On 04/25/2014 11:34 AM, Paul Tittle (Contractor) wrote:
Maura,
That's a good observation. However, I have run across a use-case where GConf2 is installed but gdm isn't: you can have vnc sessions that use gnome-session. The other gconf checks are needed for that machine, but the gdm one isn't. So I think it may be necessary to have a separate gdm package check.
On 4/25/14 11:17 AM, Maura Dailey wrote:
I have an open question that you and others can weigh in on. Should we introduce a new check, package_gdm_installed? Or is it sufficient to rely on the existing check GConf2, which has gdm as a dependency? I had this dilemma when I submitted the other more closely related GConf2 dependent checks, which is why I skipped the gui banner check.
- Maura Dailey
On 04/25/2014 10:47 AM, Paul Tittle wrote:
RHEL/6/input/checks/banner_gui_enabled.xml | 3 +- RHEL/6/input/checks/package_gdm_installed.xml | 26 ++++++++++++++++++++ .../input/checks/templates/packages_installed.csv | 1 + RHEL/6/input/fixes/bash/package_gdm_installed.sh | 1 + 4 files changed, 30 insertions(+), 1 deletions(-) create mode 100644 RHEL/6/input/checks/package_gdm_installed.xml create mode 100644 RHEL/6/input/fixes/bash/package_gdm_installed.sh
diff --git a/RHEL/6/input/checks/banner_gui_enabled.xml b/RHEL/6/input/checks/banner_gui_enabled.xml index a6c147c..4be3183 100644 --- a/RHEL/6/input/checks/banner_gui_enabled.xml +++ b/RHEL/6/input/checks/banner_gui_enabled.xml @@ -8,7 +8,8 @@ <description>Enable the GUI warning banner.</description> <reference source="rmercer" ref_id="20131104" ref_url="test_attestation" /> </metadata>
<criteria>
<criteria operator="OR">
<extend_definition comment="gdm installed"definition_ref="package_gdm_installed" negate="true" /> <criterion comment="check settings" test_ref="test_banner_gui_enabled" /> </criteria> </definition> diff --git a/RHEL/6/input/checks/package_gdm_installed.xml b/RHEL/6/input/checks/package_gdm_installed.xml new file mode 100644 index 0000000..b9ea21f --- /dev/null +++ b/RHEL/6/input/checks/package_gdm_installed.xml @@ -0,0 +1,26 @@ +<def-group>
- <!-- THIS FILE IS GENERATED by create_package_installed.py. DO
NOT EDIT. -->
- <definition class="compliance" id="package_gdm_installed"
- version="1">
<metadata>
<title>Package gdm Installed</title><affected family="unix"><platform>Red Hat Enterprise Linux 6</platform></affected><description>The RPM package gdm should beinstalled.</description>
<reference source="swells" ref_id="20130829"ref_url="test_attestation"/>
</metadata>
<criteria>
<criterion comment="package gdm is installed"test_ref="test_package_gdm_installed" /></criteria>
</definition>
- <linux:rpminfo_test check="all" check_existence="all_exist"
- id="test_package_gdm_installed" version="1"
- comment="package gdm is installed">
- <linux:object object_ref="obj_package_gdm_installed" />
- </linux:rpminfo_test>
- <linux:rpminfo_object id="obj_package_gdm_installed" version="1">
- linux:namegdm</linux:name>
- </linux:rpminfo_object>
+</def-group> diff --git a/RHEL/6/input/checks/templates/packages_installed.csv b/RHEL/6/input/checks/templates/packages_installed.csv index 6dfc406..ef6e737 100644 --- a/RHEL/6/input/checks/templates/packages_installed.csv +++ b/RHEL/6/input/checks/templates/packages_installed.csv @@ -2,6 +2,7 @@ aide audit cronie GConf2 +gdm iptables iptables-ipv6 irqbalance diff --git a/RHEL/6/input/fixes/bash/package_gdm_installed.sh b/RHEL/6/input/fixes/bash/package_gdm_installed.sh new file mode 100644 index 0000000..b5025fa --- /dev/null +++ b/RHEL/6/input/fixes/bash/package_gdm_installed.sh @@ -0,0 +1 @@ +yum -y install gdm
Thanks Maura. Pushed to master.
On 4/25/14 2:11 PM, Maura Dailey wrote:
If you've run into this situation, however unusual, then your rationale makes sense to me. ACK.
- Maura Dailey
On 04/25/2014 11:34 AM, Paul Tittle (Contractor) wrote:
Maura,
That's a good observation. However, I have run across a use-case where GConf2 is installed but gdm isn't: you can have vnc sessions that use gnome-session. The other gconf checks are needed for that machine, but the gdm one isn't. So I think it may be necessary to have a separate gdm package check.
On 4/25/14 11:17 AM, Maura Dailey wrote:
I have an open question that you and others can weigh in on. Should we introduce a new check, package_gdm_installed? Or is it sufficient to rely on the existing check GConf2, which has gdm as a dependency? I had this dilemma when I submitted the other more closely related GConf2 dependent checks, which is why I skipped the gui banner check.
- Maura Dailey
On 04/25/2014 10:47 AM, Paul Tittle wrote:
RHEL/6/input/checks/banner_gui_enabled.xml | 3 +- RHEL/6/input/checks/package_gdm_installed.xml | 26 ++++++++++++++++++++ .../input/checks/templates/packages_installed.csv | 1 + RHEL/6/input/fixes/bash/package_gdm_installed.sh | 1 + 4 files changed, 30 insertions(+), 1 deletions(-) create mode 100644 RHEL/6/input/checks/package_gdm_installed.xml create mode 100644 RHEL/6/input/fixes/bash/package_gdm_installed.sh
diff --git a/RHEL/6/input/checks/banner_gui_enabled.xml b/RHEL/6/input/checks/banner_gui_enabled.xml index a6c147c..4be3183 100644 --- a/RHEL/6/input/checks/banner_gui_enabled.xml +++ b/RHEL/6/input/checks/banner_gui_enabled.xml @@ -8,7 +8,8 @@ <description>Enable the GUI warning banner.</description> <reference source="rmercer" ref_id="20131104" ref_url="test_attestation" /> </metadata>
<criteria>
<criteria operator="OR">
<extend_definition comment="gdm installed"definition_ref="package_gdm_installed" negate="true" /> <criterion comment="check settings" test_ref="test_banner_gui_enabled" /> </criteria> </definition> diff --git a/RHEL/6/input/checks/package_gdm_installed.xml b/RHEL/6/input/checks/package_gdm_installed.xml new file mode 100644 index 0000000..b9ea21f --- /dev/null +++ b/RHEL/6/input/checks/package_gdm_installed.xml @@ -0,0 +1,26 @@ +<def-group>
- <!-- THIS FILE IS GENERATED by create_package_installed.py. DO
NOT EDIT. -->
- <definition class="compliance" id="package_gdm_installed"
- version="1">
<metadata>
<title>Package gdm Installed</title><affected family="unix"><platform>Red Hat Enterprise Linux 6</platform></affected><description>The RPM package gdm should beinstalled.</description>
<reference source="swells" ref_id="20130829"ref_url="test_attestation"/>
</metadata>
<criteria>
<criterion comment="package gdm is installed"test_ref="test_package_gdm_installed" /></criteria>
</definition>
- <linux:rpminfo_test check="all" check_existence="all_exist"
- id="test_package_gdm_installed" version="1"
- comment="package gdm is installed">
- <linux:object object_ref="obj_package_gdm_installed" />
- </linux:rpminfo_test>
- <linux:rpminfo_object id="obj_package_gdm_installed" version="1">
- linux:namegdm</linux:name>
- </linux:rpminfo_object>
+</def-group> diff --git a/RHEL/6/input/checks/templates/packages_installed.csv b/RHEL/6/input/checks/templates/packages_installed.csv index 6dfc406..ef6e737 100644 --- a/RHEL/6/input/checks/templates/packages_installed.csv +++ b/RHEL/6/input/checks/templates/packages_installed.csv @@ -2,6 +2,7 @@ aide audit cronie GConf2 +gdm iptables iptables-ipv6 irqbalance diff --git a/RHEL/6/input/fixes/bash/package_gdm_installed.sh b/RHEL/6/input/fixes/bash/package_gdm_installed.sh new file mode 100644 index 0000000..b5025fa --- /dev/null +++ b/RHEL/6/input/fixes/bash/package_gdm_installed.sh @@ -0,0 +1 @@ +yum -y install gdm