From 89f967ca5598cab539fe66560534207b45ff9734 Mon Sep 17 00:00:00 2001

From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>

Date: Thu, 30 May 2019 13:22:30 +0200

Subject: [PATCH 1/9] Introduced the "DConf System DBs are in sync with

 keyfiles" rule.

---

 fedora/profiles/ospp.profile                  |  1 +

 .../gnome/dconf_db_up_to_date/bash/shared.sh  |  3 +

 .../gnome/dconf_db_up_to_date/oval/shared.xml | 63 +++++++++++++++++++

 .../gnome/dconf_db_up_to_date/rule.yml        | 30 +++++++++

 rhel7/profiles/ospp.profile                   |  1 +

 shared/references/cce-rhel-avail.txt        |  2 -

 6 files changed, 98 insertions(+), 2 deletions(-)

 create mode 100644 linux_os/guide/system/software/gnome/dconf_db_up_to_date/bash/shared.sh

 create mode 100644 linux_os/guide/system/software/gnome/dconf_db_up_to_date/oval/shared.xml

 create mode 100644 linux_os/guide/system/software/gnome/dconf_db_up_to_date/rule.yml

diff --git a/fedora/profiles/ospp.profile b/fedora/profiles/ospp.profile

index b5e8fe097c..92cf738385 100644

--- a/fedora/profiles/ospp.profile

+++ b/fedora/profiles/ospp.profile

@@ -43,6 +43,7 @@ selections:

     - sysctl_kernel_kptr_restrict

     - sysctl_kernel_kexec_load_disabled

     - sysctl_kernel_dmesg_restrict

+    - dconf_db_up_to_date

     - dconf_gnome_screensaver_idle_activation_enabled

     - dconf_gnome_screensaver_idle_delay

     - dconf_gnome_screensaver_lock_delay

diff --git a/linux_os/guide/system/software/gnome/dconf_db_up_to_date/bash/shared.sh b/linux_os/guide/system/software/gnome/dconf_db_up_to_date/bash/shared.sh

new file mode 100644

index 0000000000..db06c9f5aa

--- /dev/null

+++ b/linux_os/guide/system/software/gnome/dconf_db_up_to_date/bash/shared.sh

@@ -0,0 +1,3 @@

+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol

+

+dconf update

diff --git a/linux_os/guide/system/software/gnome/dconf_db_up_to_date/oval/shared.xml b/linux_os/guide/system/software/gnome/dconf_db_up_to_date/oval/shared.xml

new file mode 100644

index 0000000000..b3b5b0358b

--- /dev/null

+++ b/linux_os/guide/system/software/gnome/dconf_db_up_to_date/oval/shared.xml

@@ -0,0 +1,63 @@

+<def-group>

+

+  {{% macro check_db_is_up_to_date(db_name) %}}

+  <unix:file_object id="obj_dconf_{{{ db_name }}}_db" comment="The binary system-wide dconf database with '{{{ db_name }}}' settings" version="1">

+    <unix:filepath>/etc/dconf/db/{{{ db_name }}}</unix:filepath>

+  </unix:file_object>

+

+  <local_variable id="var_dconf_{{{ db_name }}}_db_modified_time" datatype="string" version="1" comment="When the '{{{ db_name }}}' dconf DB has been modified">

+    <time_difference format_2="seconds_since_epoch">

+      <object_component object_ref="obj_dconf_{{{ db_name }}}_db" item_field="m_time"/>

+    </time_difference>

+  </local_variable>

+

+  <unix:file_object id="obj_dconf_{{{ db_name }}}_config" comment="The dconf keyfile with '{{{ db_name }}}' settings" version="1">

+    <unix:path>/etc/dconf/db/{{{ db_name }}}.d/</unix:path>

+    <unix:filename operation="pattern match">.*</unix:filename>

+  </unix:file_object>

+

+  <local_variable id="var_dconf_{{{ db_name }}}_keyfiles_modified_time" datatype="int" version="1" comment="When dconf keyfiles in the '{{{ db_name }}}' tree have been modified">

+    <time_difference format_2="seconds_since_epoch">

+      <object_component object_ref="obj_dconf_{{{ db_name }}}_config" item_field="m_time"/>

+    </time_difference>

+  </local_variable>

+

+  <ind:variable_test check="all" check_existence="all_exist" id="test_dconf_{{{ db_name }}}_up_to_date" version="1" comment="Check if the {{{ db_name }}} dconf DB is up-to-date with keyfiles in the {{{ db_name }}} tree.">

+    <ind:object object_ref="object_{{{ db_name }}}_db_modified_time" />

+    <ind:state state_ref="state_{{{ db_name }}}_db_is_up_to_date" />

+  </ind:variable_test>

+

+  <ind:variable_object comment="All modified times of all keyfiles" id="object_{{{ db_name }}}_db_modified_time" version="1">

+     <ind:var_ref>var_dconf_{{{ db_name }}}_db_modified_time</ind:var_ref>

+   </ind:variable_object>

+

+  

+  <ind:variable_state id="state_{{{ db_name }}}_db_is_up_to_date" version="1">

+    <ind:value datatype="int" operation="less than or equal" var_check="all" var_ref="var_dconf_{{{ db_name }}}_keyfiles_modified_time" />

+  </ind:variable_state>

+  {{% endmacro %}}

+

+  <definition class="compliance" id="dconf_db_up_to_date" version="2">

+    <metadata>

+      <title>Configure the GNOME3 GUI Screen locking</title>

+      <affected family="unix">

+        <platform>Red Hat Enterprise Linux 7</platform>

+        <platform>Red Hat Enterprise Linux 8</platform>

+        <platform>multi_platform_fedora</platform>

+        <platform>multi_platform_ol</platform>

+      </affected>

+      <description>The allowed period of inactivity before the screensaver is activated.</description>

+    </metadata>

+    <criteria operator="OR">

+      <extend_definition comment="dconf installed" definition_ref="package_dconf_installed" negate="true" />

+      <criteria comment="check screensaver idle delay and prevent user from changing it" operator="AND">

+        <criterion comment="local database is up-to-date wrt keyfiles" test_ref="test_dconf_local_up_to_date" />

+        <criterion comment="gdm database is up-to-date wrt keyfiles" test_ref="test_dconf_gdm_up_to_date" />

+      </criteria>

+    </criteria>

+  </definition>

+

+  {{{ check_db_is_up_to_date("local") }}}

+  {{{ check_db_is_up_to_date("gdm") }}}

+

+</def-group>

diff --git a/linux_os/guide/system/software/gnome/dconf_db_up_to_date/rule.yml b/linux_os/guide/system/software/gnome/dconf_db_up_to_date/rule.yml

new file mode 100644

index 0000000000..3017b789f8

--- /dev/null

+++ b/linux_os/guide/system/software/gnome/dconf_db_up_to_date/rule.yml

@@ -0,0 +1,30 @@

+documentation_complete: true

+

+prodtype: rhel7,rhel8,fedora,ol7,ol8

+

+title: 'Make sure that the dconf databases are up-to-date with regards to respective keyfiles'

+

+description: |-

+    By default, DConf uses a binary database as a data backend.

+    The system-level database is compiled from keyfiles in the /etc/dconf/db/ directory by the 
dconf update
 command.

+

+rationale: |-

+    Unlike text-based keyfiles, the binary database is impossible to check by OVAL.

+    Therefore, in order to evaluate dconf configuration, both have to be true at the same time -

+    configuration files have to be compliant, and the database needs to be more recent than those keyfiles,

+    which gives confidence that it reflects them.

+

+severity: high

+

+identifiers:

+    cce@rhel8: 81003-6

+    cce@rhel7: 81004-4

+

+ocil_clause: 'The system-wide dconf databases are up-to-date with regards to respective keyfiles'

+

+ocil: |-

+    In order to be sure that the databases are up-to-date, run the

+    
dconf update

+    command as the administrator.

+

+platform: machine

diff --git a/rhel7/profiles/ospp.profile b/rhel7/profiles/ospp.profile

index 36e5d7ee90..d551465f70 100644

--- a/rhel7/profiles/ospp.profile

+++ b/rhel7/profiles/ospp.profile

@@ -401,6 +401,7 @@ selections:

     - network_sniffer_disabled

     - network_ipv6_disable_rpc

     - network_ipv6_privacy_extensions

+    - dconf_db_up_to_date

     - dconf_gnome_banner_enabled

     - dconf_gnome_disable_automount

     - dconf_gnome_disable_ctrlaltdel_reboot

diff --git a/shared/references/cce-rhel-avail.txt b/shared/references/cce-rhel-avail.txt

index 3cc6d0a916..d6e8161225 100644

--- a/shared/references/cce-rhel-avail.txt

+++ b/shared/references/cce-rhel-avail.txt

@@ -1,5 +1,3 @@

-CCE-81003-6

-CCE-81004-4

 CCE-81005-1

 CCE-81006-9

 CCE-81007-7

From 5a857f490e914078b610eb3d05e390861c30eef4 Mon Sep 17 00:00:00 2001

From: Gabriel Becker <ggasparb@redhat.com>

Date: Wed, 29 May 2019 17:31:02 +0200

Subject: [PATCH 2/9] Add test scenarios for dconf gnome rules.

---

 .../correct_value.pass.sh                     | 18 ++++++++++++++++

 .../wrong_value.fail.sh                       | 18 ++++++++++++++++

 .../correct_value.pass.sh                     | 21 +++++++++++++++++++

 .../wrong_value.fail.sh                       | 21 +++++++++++++++++++

 .../correct_value.pass.sh                     | 18 ++++++++++++++++

 .../wrong_value.fail.sh                       | 18 ++++++++++++++++

 .../correct_value.pass.sh                     | 18 ++++++++++++++++

 .../wrong_value.fail.sh                       | 18 ++++++++++++++++

 .../correct_value.pass.sh                     | 18 ++++++++++++++++

 .../wrong_value.fail.sh                       | 18 ++++++++++++++++

 .../correct_value.pass.sh                     | 18 ++++++++++++++++

 .../wrong_value.fail.sh                       | 18 ++++++++++++++++

 12 files changed, 222 insertions(+)

 create mode 100644 tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_banner_enabled/correct_value.pass.sh

 create mode 100644 tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_banner_enabled/wrong_value.fail.sh

 create mode 100644 tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_login_banner_text/correct_value.pass.sh

 create mode 100644 tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_login_banner_text/wrong_value.fail.sh

 create mode 100644 tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_restart_shutdown/correct_value.pass.sh

 create mode 100644 tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_restart_shutdown/wrong_value.fail.sh

 create mode 100644 tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_user_list/correct_value.pass.sh

 create mode 100644 tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_user_list/wrong_value.fail.sh

 create mode 100644 tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_enable_smartcard_auth/correct_value.pass.sh

 create mode 100644 tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_enable_smartcard_auth/wrong_value.fail.sh

 create mode 100644 tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_login_retries/correct_value.pass.sh

 create mode 100644 tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_login_retries/wrong_value.fail.sh

diff --git a/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_banner_enabled/correct_value.pass.sh b/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_banner_enabled/correct_value.pass.sh

new file mode 100644

index 0000000000..d6f11373d0

--- /dev/null

+++ b/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_banner_enabled/correct_value.pass.sh

@@ -0,0 +1,18 @@

+#!/bin/bash

+# profiles = xccdf_org.ssgproject.content_profile_ospp

+

+. ../../../../group_software/group_gnome/dconf_test_functions.sh

+

+if ! rpm -q dconf; then

+    yum -y install dconf

+fi

+

+if ! rpm -q gdm; then

+    yum -y install gdm

+fi

+

+clean_dconf_settings

+add_dconf_setting "org/gnome/login-screen" "banner-message-enable" "true" "gdm.d" "00-security-settings"

+add_dconf_lock "org/gnome/login-screen" "banner-message-enable" "gdm.d" "00-security-settings"

+

+dconf update

diff --git a/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_banner_enabled/wrong_value.fail.sh b/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_banner_enabled/wrong_value.fail.sh

new file mode 100644

index 0000000000..f1e97fea20

--- /dev/null

+++ b/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_banner_enabled/wrong_value.fail.sh

@@ -0,0 +1,18 @@

+#!/bin/bash

+# profiles = xccdf_org.ssgproject.content_profile_ospp

+

+. ../../../../group_software/group_gnome/dconf_test_functions.sh

+

+if ! rpm -q dconf; then

+    yum -y install dconf

+fi

+

+if ! rpm -q gdm; then

+    yum -y install gdm

+fi

+

+clean_dconf_settings

+add_dconf_setting "org/gnome/login-screen" "banner-message-enable" "false" "gdm.d" "00-security-settings"

+add_dconf_lock "org/gnome/login-screen" "banner-message-enable" "gdm.d" "00-security-settings"

+

+dconf update

diff --git a/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_login_banner_text/correct_value.pass.sh b/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_login_banner_text/correct_value.pass.sh

new file mode 100644

index 0000000000..e161691aa7

--- /dev/null

+++ b/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_login_banner_text/correct_value.pass.sh

@@ -0,0 +1,21 @@

+#!/bin/bash

+# profiles = xccdf_org.ssgproject.content_profile_ospp

+

+. ../../../../group_software/group_gnome/dconf_test_functions.sh

+

+if ! rpm -q dconf; then

+    yum -y install dconf

+fi

+

+if ! rpm -q gdm; then

+    yum -y install gdm

+fi

+

+login_banner_text="--[\s\n]+WARNING[\s\n]+--[\s\n]*This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only.[\s\n]+Individuals[\s\n]*using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]*authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]*monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]*system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]*if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]*system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]*enforcement[\s\n]+officials."

+expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;')

+

+clean_dconf_settings

+add_dconf_setting "org/gnome/login-screen" "banner-message-text" "'${expanded}''" "gdm.d" "00-security-settings"

+add_dconf_lock "org/gnome/login-screen" "banner-message-text" "gdm.d" "00-security-settings-lock"

+

+dconf update

diff --git a/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_login_banner_text/wrong_value.fail.sh b/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_login_banner_text/wrong_value.fail.sh

new file mode 100644

index 0000000000..b45c5b193f

--- /dev/null

+++ b/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_login_banner_text/wrong_value.fail.sh

@@ -0,0 +1,21 @@

+#!/bin/bash

+# profiles = xccdf_org.ssgproject.content_profile_ospp

+

+. ../../../../group_software/group_gnome/dconf_test_functions.sh

+

+if ! rpm -q dconf; then

+    yum -y install dconf

+fi

+

+if ! rpm -q gdm; then

+    yum -y install gdm

+fi

+

+login_banner_text="Wrong Banner Text"

+expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;')

+

+clean_dconf_settings

+add_dconf_setting "org/gnome/login-screen" "banner-message-text" "'${expanded}'" "gdm.d" "00-security-settings"

+add_dconf_lock "org/gnome/login-screen" "banner-message-text" "gdm.d" "00-security-settings-lock"

+

+dconf update

diff --git a/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_restart_shutdown/correct_value.pass.sh b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_restart_shutdown/correct_value.pass.sh

new file mode 100644

index 0000000000..a5a207b80a

--- /dev/null

+++ b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_restart_shutdown/correct_value.pass.sh

@@ -0,0 +1,18 @@

+#!/bin/bash

+# profiles = xccdf_org.ssgproject.content_profile_ospp

+

+. ../../dconf_test_functions.sh

+

+if ! rpm -q dconf; then

+    yum -y install dconf

+fi

+

+if ! rpm -q gdm; then

+    yum -y install gdm

+fi

+

+clean_dconf_settings

+add_dconf_setting "org/gnome/login-screen" "disable-restart-buttons" "true" "gdm.d" "00-security-settings"

+add_dconf_lock "org/gnome/login-screen" "disable-restart-buttons" "gdm.d" "00-security-settings-lock"

+

+dconf update

diff --git a/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_restart_shutdown/wrong_value.fail.sh b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_restart_shutdown/wrong_value.fail.sh

new file mode 100644

index 0000000000..04d3e9eca2

--- /dev/null

+++ b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_restart_shutdown/wrong_value.fail.sh

@@ -0,0 +1,18 @@

+#!/bin/bash

+# profiles = xccdf_org.ssgproject.content_profile_ospp

+

+. ../../dconf_test_functions.sh

+

+if ! rpm -q dconf; then

+    yum -y install dconf

+fi

+

+if ! rpm -q gdm; then

+    yum -y install gdm

+fi

+

+clean_dconf_settings

+add_dconf_setting "org/gnome/login-screen" "disable-restart-buttons" "false" "gdm.d" "00-security-settings"

+add_dconf_lock "org/gnome/login-screen" "disable-restart-buttons" "gdm.d" "00-security-settings-lock"

+

+dconf update

diff --git a/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_user_list/correct_value.pass.sh b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_user_list/correct_value.pass.sh

new file mode 100644

index 0000000000..9a3d60d9f6

--- /dev/null

+++ b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_user_list/correct_value.pass.sh

@@ -0,0 +1,18 @@

+#!/bin/bash

+# profiles = xccdf_org.ssgproject.content_profile_ospp

+

+. ../../dconf_test_functions.sh

+

+if ! rpm -q dconf; then

+    yum -y install dconf

+fi

+

+if ! rpm -q gdm; then

+    yum -y install gdm

+fi

+

+clean_dconf_settings

+add_dconf_setting "org/gnome/login-screen" "disable-user-list" "true" "gdm.d" "00-security-settings"

+add_dconf_lock "org/gnome/login-screen" "disable-user-list" "gdm.d" "00-security-settings-lock"

+

+dconf update

diff --git a/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_user_list/wrong_value.fail.sh b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_user_list/wrong_value.fail.sh

new file mode 100644

index 0000000000..11e3cbfa9b

--- /dev/null

+++ b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_user_list/wrong_value.fail.sh

@@ -0,0 +1,18 @@

+#!/bin/bash

+# profiles = xccdf_org.ssgproject.content_profile_ospp

+

+. ../../dconf_test_functions.sh

+

+if ! rpm -q dconf; then

+    yum -y install dconf

+fi

+

+if ! rpm -q gdm; then

+    yum -y install gdm

+fi

+

+clean_dconf_settings

+add_dconf_setting "org/gnome/login-screen" "disable-user-list" "false" "gdm.d" "00-security-settings"

+add_dconf_lock "org/gnome/login-screen" "disable-user-list" "gdm.d" "00-security-settings-lock"

+

+dconf update

diff --git a/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_enable_smartcard_auth/correct_value.pass.sh b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_enable_smartcard_auth/correct_value.pass.sh

new file mode 100644

index 0000000000..58703799f6

--- /dev/null

+++ b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_enable_smartcard_auth/correct_value.pass.sh

@@ -0,0 +1,18 @@

+#!/bin/bash

+# profiles = xccdf_org.ssgproject.content_profile_ospp

+

+. ../../dconf_test_functions.sh

+

+if ! rpm -q dconf; then

+    yum -y install dconf

+fi

+

+if ! rpm -q gdm; then

+    yum -y install gdm

+fi

+

+clean_dconf_settings

+add_dconf_setting "org/gnome/login-screen" "enable-smartcard-authentication" "true" "gdm.d" "00-security-settings"

+add_dconf_lock "org/gnome/login-screen" "enable-smartcard-authentication" "gdm.d" "00-security-settings-lock"

+

+dconf update

diff --git a/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_enable_smartcard_auth/wrong_value.fail.sh b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_enable_smartcard_auth/wrong_value.fail.sh

new file mode 100644

index 0000000000..18f89c182e

--- /dev/null

+++ b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_enable_smartcard_auth/wrong_value.fail.sh

@@ -0,0 +1,18 @@

+#!/bin/bash

+# profiles = xccdf_org.ssgproject.content_profile_ospp

+

+. ../../dconf_test_functions.sh

+

+if ! rpm -q dconf; then

+    yum -y install dconf

+fi

+

+if ! rpm -q gdm; then

+    yum -y install gdm

+fi

+

+clean_dconf_settings

+add_dconf_setting "org/gnome/login-screen" "enable-smartcard-authentication" "false" "gdm.d" "00-security-settings"

+add_dconf_lock "org/gnome/login-screen" "enable-smartcard-authentication" "gdm.d" "00-security-settings-lock"

+

+dconf update

diff --git a/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_login_retries/correct_value.pass.sh b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_login_retries/correct_value.pass.sh

new file mode 100644

index 0000000000..0cc2a80762

--- /dev/null

+++ b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_login_retries/correct_value.pass.sh

@@ -0,0 +1,18 @@

+#!/bin/bash

+# profiles = xccdf_org.ssgproject.content_profile_ospp

+

+. ../../dconf_test_functions.sh

+

+if ! rpm -q dconf; then

+    yum -y install dconf

+fi

+

+if ! rpm -q gdm; then

+    yum -y install gdm

+fi

+

+clean_dconf_settings

+add_dconf_setting "org/gnome/login-screen" "allowed-failures" "3" "gdm.d" "00-security-settings"

+add_dconf_lock "org/gnome/login-screen" "allowed-failures" "gdm.d" "00-security-settings-lock"

+

+dconf update

diff --git a/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_login_retries/wrong_value.fail.sh b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_login_retries/wrong_value.fail.sh

new file mode 100644

index 0000000000..f89a9d74b9

--- /dev/null

+++ b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_login_retries/wrong_value.fail.sh

@@ -0,0 +1,18 @@

+#!/bin/bash

+# profiles = xccdf_org.ssgproject.content_profile_ospp

+

+. ../../dconf_test_functions.sh

+

+if ! rpm -q dconf; then

+    yum -y install dconf

+fi

+

+if ! rpm -q gdm; then

+    yum -y install gdm

+fi

+

+clean_dconf_settings

+add_dconf_setting "org/gnome/login-screen" "allowed-failures" "99" "gdm.d" "00-security-settings"

+add_dconf_lock "org/gnome/login-screen" "allowed-failures" "gdm.d" "00-security-settings-lock"

+

+dconf update

From d2facf408c5f011449539fc3edeaed90a72af04d Mon Sep 17 00:00:00 2001

From: Gabriel Becker <ggasparb@redhat.com>

Date: Thu, 30 May 2019 15:39:36 +0200

Subject: [PATCH 3/9] Add test scenarios for dconf_db_up_to_date.

---

 .../group_gnome/dconf_test_functions.sh       |  7 ++++-

 .../db_not_up_to_date.fail.sh                 | 26 +++++++++++++++++++

 .../db_up_to_date.pass.sh                     | 21 +++++++++++++++

 .../no_db_files.fail.sh                       | 23 ++++++++++++++++

 4 files changed, 76 insertions(+), 1 deletion(-)

 create mode 100644 tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/db_not_up_to_date.fail.sh

 create mode 100644 tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/db_up_to_date.pass.sh

 create mode 100644 tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/no_db_files.fail.sh

diff --git a/tests/data/group_system/group_software/group_gnome/dconf_test_functions.sh b/tests/data/group_system/group_software/group_gnome/dconf_test_functions.sh

index 07940ea272..d975ea0715 100644

--- a/tests/data/group_system/group_software/group_gnome/dconf_test_functions.sh

+++ b/tests/data/group_system/group_software/group_gnome/dconf_test_functions.sh

@@ -4,6 +4,11 @@ clean_dconf_settings(){

 	rm -rf /etc/dconf/db/*

 }

+# Wipes out dconf db files

+remove_dconf_databases(){

+	rm -f /etc/dconf/db/*

+}

+

 # Adds a new dconf setting

 # $1 _path

 # $2 _setting

@@ -12,7 +17,7 @@ clean_dconf_settings(){

 # $5 _settingFile

 add_dconf_setting() {

 	local _path=$1 _setting=$2 _value=$3 _db=$4 _settingFile=$5

-	mkdir /etc/dconf/db/${_db}

+	mkdir -p /etc/dconf/db/${_db} || true

 	echo "[${_path}]" > /etc/dconf/db/${_db}/${_settingFile}

 	echo "${_setting}=${_value}" >> /etc/dconf/db/${_db}/${_settingFile}

 }

diff --git a/tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/db_not_up_to_date.fail.sh b/tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/db_not_up_to_date.fail.sh

new file mode 100644

index 0000000000..bb8b1d42ff

--- /dev/null

+++ b/tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/db_not_up_to_date.fail.sh

@@ -0,0 +1,26 @@

+#!/bin/bash

+# profiles = xccdf_org.ssgproject.content_profile_ospp

+

+. ../dconf_test_functions.sh

+

+if ! rpm -q dconf; then

+    yum -y install dconf

+fi

+

+if ! rpm -q gdm; then

+    yum -y install gdm

+fi

+

+clean_dconf_settings

+add_dconf_setting "org/gnome/login-screen" "banner-message-enabled" "true" "gdm.d" "00-security-settings"

+add_dconf_lock "org/gnome/login-screen" "banner-message-enable" "gdm.d" "00-security-settings-lock"

+

+add_dconf_setting "org/gnome/login-screen" "banner-message-enabled" "true" "local.d" "00-security-settings"

+add_dconf_lock "org/gnome/login-screen" "banner-message-enable" "local.d" "00-security-settings-lock"

+

+dconf update

+

+sleep 3

+

+# make static files newer than the database

+add_dconf_setting "org/gnome/login-screen" "banner-message-enabled" "true" "gdm.d" "00-security-settings"

diff --git a/tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/db_up_to_date.pass.sh b/tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/db_up_to_date.pass.sh

new file mode 100644

index 0000000000..66ed76e4fa

--- /dev/null

+++ b/tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/db_up_to_date.pass.sh

@@ -0,0 +1,21 @@

+#!/bin/bash

+# profiles = xccdf_org.ssgproject.content_profile_ospp

+

+. ../dconf_test_functions.sh

+

+if ! rpm -q dconf; then

+    yum -y install dconf

+fi

+

+if ! rpm -q gdm; then

+    yum -y install gdm

+fi

+

+clean_dconf_settings

+add_dconf_setting "org/gnome/login-screen" "banner-message-enabled" "true" "gdm.d" "00-security-settings"

+add_dconf_lock "org/gnome/login-screen" "banner-message-enable" "gdm.d" "00-security-settings-lock"

+

+add_dconf_setting "org/gnome/login-screen" "banner-message-enabled" "true" "local.d" "00-security-settings"

+add_dconf_lock "org/gnome/login-screen" "banner-message-enable" "local.d" "00-security-settings-lock"

+

+dconf update

diff --git a/tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/no_db_files.fail.sh b/tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/no_db_files.fail.sh

new file mode 100644

index 0000000000..a7bc04efac

--- /dev/null

+++ b/tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/no_db_files.fail.sh

@@ -0,0 +1,23 @@

+#!/bin/bash

+# profiles = xccdf_org.ssgproject.content_profile_ospp

+

+. ../dconf_test_functions.sh

+

+if ! rpm -q dconf; then

+    yum -y install dconf

+fi

+

+if ! rpm -q gdm; then

+    yum -y install gdm

+fi

+

+# remove all database files

+remove_dconf_databases

+

+sleep 3

+

+add_dconf_setting "org/gnome/login-screen" "banner-message-enabled" "true" "gdm.d" "00-security-settings"

+add_dconf_lock "org/gnome/login-screen" "banner-message-enable" "gdm.d" "00-security-settings-lock"

+

+add_dconf_setting "org/gnome/login-screen" "banner-message-enabled" "true" "local.d" "00-security-settings"

+add_dconf_lock "org/gnome/login-screen" "banner-message-enable" "local.d" "00-security-settings-lock"

From d57e981a45e88a9e28b621ed5d9cbf64c17f3592 Mon Sep 17 00:00:00 2001

From: Gabriel Becker <ggasparb@redhat.com>

Date: Thu, 30 May 2019 16:45:35 +0200

Subject: [PATCH 4/9] Add dconf_db_up_to_date to profiles which use gnome

 config.

---

 fedora/profiles/pci-dss.profile | 1 +

 ol7/profiles/pci-dss.profile    | 1 +

 ol7/profiles/stig-ol7-disa.profile       | 1 +

 ol8/profiles/ospp.profile       | 1 +

 ol8/profiles/pci-dss.profile    | 1 +

 rhel7/profiles/C2S.profile      | 1 +

 rhel7/profiles/hipaa.profile    | 1 +

 rhel7/profiles/ospp42.profile   | 1 +

 rhel7/profiles/pci-dss.profile  | 1 +

 rhel7/profiles/stig-rhel7-disa.profile     | 1 +

 rhel8/profiles/cjis.profile     | 1 +

 rhel8/profiles/hipaa.profile    | 1 +

 rhel8/profiles/ospp.profile     | 1 +

 rhel8/profiles/pci-dss.profile  | 1 +

 14 files changed, 14 insertions(+)

diff --git a/fedora/profiles/pci-dss.profile b/fedora/profiles/pci-dss.profile

index 5e47534e81..dea9efe685 100644

--- a/fedora/profiles/pci-dss.profile

+++ b/fedora/profiles/pci-dss.profile

@@ -98,6 +98,7 @@ selections:

     - account_disable_post_pw_expiration

     - accounts_passwords_pam_faillock_deny

     - accounts_passwords_pam_faillock_unlock_time

+    - dconf_db_up_to_date

     - dconf_gnome_screensaver_idle_delay

     - dconf_gnome_screensaver_idle_activation_enabled

     - dconf_gnome_screensaver_lock_enabled

diff --git a/ol7/profiles/pci-dss.profile b/ol7/profiles/pci-dss.profile

index 1648129066..01fcda6031 100644

--- a/ol7/profiles/pci-dss.profile

+++ b/ol7/profiles/pci-dss.profile

@@ -121,6 +121,7 @@ selections:

     - accounts_passwords_pam_faillock_deny

     - accounts_passwords_pam_faillock_unlock_time

     - account_unique_name

+    - dconf_db_up_to_date

     - dconf_gnome_screensaver_idle_activation_enabled

     - dconf_gnome_screensaver_idle_delay

     - dconf_gnome_screensaver_lock_enabled

diff --git a/ol7/profiles/stig-ol7-disa.profile b/ol7/profiles/stig-ol7-disa.profile

index f9d2f4c900..9ae23a41be 100644

--- a/ol7/profiles/stig-ol7-disa.profile

+++ b/ol7/profiles/stig-ol7-disa.profile

@@ -109,6 +109,7 @@ selections:

     - audit_rules_usergroup_modification_opasswd

     - audit_rules_usergroup_modification_passwd

     - audit_rules_usergroup_modification_shadow

+    - dconf_db_up_to_date

     - dconf_gnome_screensaver_idle_activation_enabled

     - dconf_gnome_screensaver_idle_activation_locked

     - dconf_gnome_screensaver_idle_delay

diff --git a/ol8/profiles/ospp.profile b/ol8/profiles/ospp.profile

index 5c13575f72..8506713cc1 100644

--- a/ol8/profiles/ospp.profile

+++ b/ol8/profiles/ospp.profile

@@ -42,6 +42,7 @@ selections:

     - sysctl_kernel_kptr_restrict

     - sysctl_kernel_kexec_load_disabled

     - sysctl_kernel_dmesg_restrict

+    - dconf_db_up_to_date

     - dconf_gnome_screensaver_idle_activation_enabled

     - dconf_gnome_screensaver_idle_delay

     - dconf_gnome_screensaver_lock_delay

diff --git a/ol8/profiles/pci-dss.profile b/ol8/profiles/pci-dss.profile

index 6920cf9b7d..237757c523 100644

--- a/ol8/profiles/pci-dss.profile

+++ b/ol8/profiles/pci-dss.profile

@@ -126,6 +126,7 @@ selections:

     - accounts_passwords_pam_faillock_deny

     - accounts_passwords_pam_faillock_unlock_time

     - account_unique_name

+    - dconf_db_up_to_date

     - dconf_gnome_screensaver_idle_activation_enabled

     - dconf_gnome_screensaver_idle_delay

     - dconf_gnome_screensaver_lock_enabled

diff --git a/rhel7/profiles/C2S.profile b/rhel7/profiles/C2S.profile

index 65805957af..031b0247df 100644

--- a/rhel7/profiles/C2S.profile

+++ b/rhel7/profiles/C2S.profile

@@ -70,6 +70,7 @@ selections:

     - selinux_confinement_of_daemons

     - banner_etc_issue

     - login_banner_text=usgcb_default

+    - dconf_db_up_to_date

     - dconf_gnome_login_banner_text

     - dconf_gnome_banner_enabled

     - security_patches_up_to_date

diff --git a/rhel7/profiles/hipaa.profile b/rhel7/profiles/hipaa.profile