From 89f967ca5598cab539fe66560534207b45ff9734 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= Date: Thu, 30 May 2019 13:22:30 +0200 Subject: [PATCH 1/9] Introduced the "DConf System DBs are in sync with keyfiles" rule. --- fedora/profiles/ospp.profile | 1 + .../gnome/dconf_db_up_to_date/bash/shared.sh | 3 + .../gnome/dconf_db_up_to_date/oval/shared.xml | 63 +++++++++++++++++++ .../gnome/dconf_db_up_to_date/rule.yml | 30 +++++++++ rhel7/profiles/ospp.profile | 1 + shared/references/cce-rhel-avail.txt | 2 - 6 files changed, 98 insertions(+), 2 deletions(-) create mode 100644 linux_os/guide/system/software/gnome/dconf_db_up_to_date/bash/shared.sh create mode 100644 linux_os/guide/system/software/gnome/dconf_db_up_to_date/oval/shared.xml create mode 100644 linux_os/guide/system/software/gnome/dconf_db_up_to_date/rule.yml diff --git a/fedora/profiles/ospp.profile b/fedora/profiles/ospp.profile index b5e8fe097c..92cf738385 100644 --- a/fedora/profiles/ospp.profile +++ b/fedora/profiles/ospp.profile @@ -43,6 +43,7 @@ selections: - sysctl_kernel_kptr_restrict - sysctl_kernel_kexec_load_disabled - sysctl_kernel_dmesg_restrict + - dconf_db_up_to_date - dconf_gnome_screensaver_idle_activation_enabled - dconf_gnome_screensaver_idle_delay - dconf_gnome_screensaver_lock_delay diff --git a/linux_os/guide/system/software/gnome/dconf_db_up_to_date/bash/shared.sh b/linux_os/guide/system/software/gnome/dconf_db_up_to_date/bash/shared.sh new file mode 100644 index 0000000000..db06c9f5aa --- /dev/null +++ b/linux_os/guide/system/software/gnome/dconf_db_up_to_date/bash/shared.sh @@ -0,0 +1,3 @@ +# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol + +dconf update diff --git a/linux_os/guide/system/software/gnome/dconf_db_up_to_date/oval/shared.xml b/linux_os/guide/system/software/gnome/dconf_db_up_to_date/oval/shared.xml new file mode 100644 index 0000000000..b3b5b0358b --- /dev/null 
+++ b/linux_os/guide/system/software/gnome/dconf_db_up_to_date/oval/shared.xml @@ -0,0 +1,63 @@ + + + {{% macro check_db_is_up_to_date(db_name) %}} + + /etc/dconf/db/{{{ db_name }}} + + + + + + + + + + /etc/dconf/db/{{{ db_name }}}.d/ + .* + + + + + + + + + + + + + + + var_dconf_{{{ db_name }}}_db_modified_time + + + + + + + {{% endmacro %}} + + + + Configure the GNOME3 GUI Screen locking + + Red Hat Enterprise Linux 7 + Red Hat Enterprise Linux 8 + multi_platform_fedora + multi_platform_ol + + The allowed period of inactivity before the screensaver is activated. + + + + + + + + + + + {{{ check_db_is_up_to_date("local") }}} + {{{ check_db_is_up_to_date("gdm") }}} + + diff --git a/linux_os/guide/system/software/gnome/dconf_db_up_to_date/rule.yml b/linux_os/guide/system/software/gnome/dconf_db_up_to_date/rule.yml new file mode 100644 index 0000000000..3017b789f8 --- /dev/null +++ b/linux_os/guide/system/software/gnome/dconf_db_up_to_date/rule.yml @@ -0,0 +1,30 @@ +documentation_complete: true + +prodtype: rhel7,rhel8,fedora,ol7,ol8 + +title: 'Make sure that the dconf databases are up-to-date with regards to respective keyfiles' + +description: |- + By default, DConf uses a binary database as a data backend. + The system-level database is compiled from keyfiles in the /etc/dconf/db/ directory by the
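Review bot: The definition's title `Configure the GNOME3 GUI Screen locking` and description `The allowed period of inactivity before the screensaver is activated.` in this hunk are carried over from a screensaver rule and do not describe this check. The title should name the dconf database freshness check and the description should say what is compared, e.g. `Check that the compiled dconf databases under /etc/dconf/db/ are newer than the keyfiles in their corresponding .d directories`. The element markup of this hunk appears to have been stripped in the page, so only the visible text and template calls are reviewed here.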
dconf update
command. + +rationale: |- + Unlike text-based keyfiles, the binary database is impossible to check by OVAL. + Therefore, in order to evaluate dconf configuration, both have to be true at the same time - + configuration files have to be compliant, and the database needs to be more recent than those keyfiles, + which gives confidence that it reflects them. + +severity: high + +identifiers: + cce@rhel8: 81003-6 + cce@rhel7: 81004-4 + +ocil_clause: 'The system-wide dconf databases are up-to-date with regards to respective keyfiles' + +ocil: |- + In order to be sure that the databases are up-to-date, run the +
dconf update
+ command as the administrator. + +platform: machine diff --git a/rhel7/profiles/ospp.profile b/rhel7/profiles/ospp.profile index 36e5d7ee90..d551465f70 100644 --- a/rhel7/profiles/ospp.profile +++ b/rhel7/profiles/ospp.profile @@ -401,6 +401,7 @@ selections: - network_sniffer_disabled - network_ipv6_disable_rpc - network_ipv6_privacy_extensions + - dconf_db_up_to_date - dconf_gnome_banner_enabled - dconf_gnome_disable_automount - dconf_gnome_disable_ctrlaltdel_reboot diff --git a/shared/references/cce-rhel-avail.txt b/shared/references/cce-rhel-avail.txt index 3cc6d0a916..d6e8161225 100644 --- a/shared/references/cce-rhel-avail.txt +++ b/shared/references/cce-rhel-avail.txt @@ -1,5 +1,3 @@ -CCE-81003-6 -CCE-81004-4 CCE-81005-1 CCE-81006-9 CCE-81007-7 From 5a857f490e914078b610eb3d05e390861c30eef4 Mon Sep 17 00:00:00 2001 
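Review bot: `ocil_clause` is phrased as the compliant state (`The system-wide dconf databases are up-to-date ...`); if this follows the project's usual convention, where the clause completes the question "Is it the case that ...?" and a yes answer means a finding, it should describe the failing state, e.g. `ocil_clause: 'the system-wide dconf databases are not up-to-date with regards to respective keyfiles'`. The rationale also presents the modification-time comparison as giving confidence that the database reflects the keyfiles, but it is only a timestamp heuristic: keyfiles deployed with preserved or backdated timestamps, or a database touched without being recompiled, satisfy it without the contents matching. One sentence in the rationale stating that limitation would keep evaluators from reading a pass as proof that the compiled database equals the keyfiles.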
From: Gabriel Becker Date: Wed, 29 May 2019 17:31:02 +0200 Subject: [PATCH 2/9] Add test scenarios for dconf gnome rules. --- .../correct_value.pass.sh | 18 ++++++++++++++++ .../wrong_value.fail.sh | 18 ++++++++++++++++ .../correct_value.pass.sh | 21 +++++++++++++++++++ .../wrong_value.fail.sh | 21 +++++++++++++++++++ .../correct_value.pass.sh | 18 ++++++++++++++++ .../wrong_value.fail.sh | 18 ++++++++++++++++ .../correct_value.pass.sh | 18 ++++++++++++++++ .../wrong_value.fail.sh | 18 ++++++++++++++++ .../correct_value.pass.sh | 18 ++++++++++++++++ .../wrong_value.fail.sh | 18 ++++++++++++++++ .../correct_value.pass.sh | 18 ++++++++++++++++ .../wrong_value.fail.sh | 18 ++++++++++++++++ 12 files changed, 222 insertions(+) create mode 100644 tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_banner_enabled/correct_value.pass.sh create mode 100644 tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_banner_enabled/wrong_value.fail.sh create mode 100644 tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_login_banner_text/correct_value.pass.sh create mode 100644 tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_login_banner_text/wrong_value.fail.sh create mode 100644 tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_restart_shutdown/correct_value.pass.sh create mode 100644 tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_restart_shutdown/wrong_value.fail.sh create mode 100644 tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_user_list/correct_value.pass.sh create mode 100644 tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_user_list/wrong_value.fail.sh create mode 
100644 tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_enable_smartcard_auth/correct_value.pass.sh create mode 100644 tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_enable_smartcard_auth/wrong_value.fail.sh create mode 100644 tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_login_retries/correct_value.pass.sh create mode 100644 tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_login_retries/wrong_value.fail.sh diff --git a/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_banner_enabled/correct_value.pass.sh b/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_banner_enabled/correct_value.pass.sh new file mode 100644 index 0000000000..d6f11373d0 --- /dev/null +++ b/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_banner_enabled/correct_value.pass.sh @@ -0,0 +1,18 @@ +#!/bin/bash +# profiles = xccdf_org.ssgproject.content_profile_ospp + +. ../../../../group_software/group_gnome/dconf_test_functions.sh + +if ! rpm -q dconf; then + yum -y install dconf +fi + +if ! rpm -q gdm; then + yum -y install gdm +fi + +clean_dconf_settings +add_dconf_setting "org/gnome/login-screen" "banner-message-enable" "true" "gdm.d" "00-security-settings" +add_dconf_lock "org/gnome/login-screen" "banner-message-enable" "gdm.d" "00-security-settings" + +dconf update diff --git a/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_banner_enabled/wrong_value.fail.sh b/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_banner_enabled/wrong_value.fail.sh new file mode 100644 index 0000000000..f1e97fea20 --- /dev/null 
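Review bot: The lock file is written under the same name as the settings file, `"00-security-settings"` in both the `add_dconf_setting` and `add_dconf_lock` calls, while every later scenario in this series (login_banner_text, disable_restart_shutdown, disable_user_list, enable_smartcard_auth, login_retries) uses `"00-security-settings-lock"` for the lock; the wrong_value.fail.sh hunk that follows has the same naming. Whether the two names collide depends on where `add_dconf_lock` writes, which is not visible here, but the scenarios should agree: `add_dconf_lock "org/gnome/login-screen" "banner-message-enable" "gdm.d" "00-security-settings-lock"`.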
+++ b/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_banner_enabled/wrong_value.fail.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+. ../../../../group_software/group_gnome/dconf_test_functions.sh
+
+if ! rpm -q dconf; then
+ yum -y install dconf
+fi
+
+if ! rpm -q gdm; then
+ yum -y install gdm
+fi
+
+clean_dconf_settings
+add_dconf_setting "org/gnome/login-screen" "banner-message-enable" "false" "gdm.d" "00-security-settings"
+add_dconf_lock "org/gnome/login-screen" "banner-message-enable" "gdm.d" "00-security-settings"
+
+dconf update
diff --git a/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_login_banner_text/correct_value.pass.sh b/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_login_banner_text/correct_value.pass.sh
new file mode 100644
index 0000000000..e161691aa7
--- /dev/null
+++ b/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_login_banner_text/correct_value.pass.sh
@@ -0,0 +1,21 @@ +#!/bin/bash +# profiles = xccdf_org.ssgproject.content_profile_ospp + +. ../../../../group_software/group_gnome/dconf_test_functions.sh + +if ! rpm -q dconf; then + yum -y install dconf +fi + +if ! rpm -q gdm; then + yum -y install gdm +fi + +login_banner_text="--[\s\n]+WARNING[\s\n]+--[\s\n]*This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only.[\s\n]+Individuals[\s\n]*using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]*authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]*monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]*system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]*if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]*system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]*enforcement[\s\n]+officials." +expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;') + +clean_dconf_settings +add_dconf_setting "org/gnome/login-screen" "banner-message-text" "'${expanded}''" "gdm.d" "00-security-settings" +add_dconf_lock "org/gnome/login-screen" "banner-message-text" "gdm.d" "00-security-settings-lock" + +dconf update 
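Review bot: The value passed to `add_dconf_setting` closes the GVariant string with two quotes, `"'${expanded}''"`, so the keyfile ends up with `banner-message-text='...''`, which is not a valid string literal; the wrong_value.fail.sh hunk that follows uses the correct `"'${expanded}'"`, so this pass scenario would likely fail for the wrong reason. Change the call to `add_dconf_setting "org/gnome/login-screen" "banner-message-text" "'${expanded}'" "gdm.d" "00-security-settings"`. The `sed` expression is duplicated verbatim in both scripts; moving it into `dconf_test_functions.sh` as a helper would keep them in step with each other and with the remediation it is copied from.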
diff --git a/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_login_banner_text/wrong_value.fail.sh b/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_login_banner_text/wrong_value.fail.sh new file mode 100644 index 0000000000..b45c5b193f --- /dev/null +++ b/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_login_banner_text/wrong_value.fail.sh @@ -0,0 +1,21 @@ +#!/bin/bash +# profiles = xccdf_org.ssgproject.content_profile_ospp + +. ../../../../group_software/group_gnome/dconf_test_functions.sh + +if ! rpm -q dconf; then + yum -y install dconf +fi + +if ! rpm -q gdm; then + yum -y install gdm +fi + +login_banner_text="Wrong Banner Text" +expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;') + +clean_dconf_settings +add_dconf_setting "org/gnome/login-screen" "banner-message-text" "'${expanded}'" "gdm.d" "00-security-settings" +add_dconf_lock "org/gnome/login-screen" "banner-message-text" "gdm.d" "00-security-settings-lock" + +dconf update diff --git a/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_restart_shutdown/correct_value.pass.sh b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_restart_shutdown/correct_value.pass.sh new file mode 100644 index 0000000000..a5a207b80a --- /dev/null +++ b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_restart_shutdown/correct_value.pass.sh 
@@ -0,0 +1,18 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+. ../../dconf_test_functions.sh
+
+if ! rpm -q dconf; then
+ yum -y install dconf
+fi
+
+if ! rpm -q gdm; then
+ yum -y install gdm
+fi
+
+clean_dconf_settings
+add_dconf_setting "org/gnome/login-screen" "disable-restart-buttons" "true" "gdm.d" "00-security-settings"
+add_dconf_lock "org/gnome/login-screen" "disable-restart-buttons" "gdm.d" "00-security-settings-lock"
+
+dconf update
diff --git a/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_restart_shutdown/wrong_value.fail.sh b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_restart_shutdown/wrong_value.fail.sh
new file mode 100644
index 0000000000..04d3e9eca2
--- /dev/null
+++ b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_restart_shutdown/wrong_value.fail.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+. ../../dconf_test_functions.sh
+
+if ! rpm -q dconf; then
+ yum -y install dconf
+fi
+
+if ! rpm -q gdm; then
+ yum -y install gdm
+fi
+
+clean_dconf_settings
+add_dconf_setting "org/gnome/login-screen" "disable-restart-buttons" "false" "gdm.d" "00-security-settings"
+add_dconf_lock "org/gnome/login-screen" "disable-restart-buttons" "gdm.d" "00-security-settings-lock"
+
+dconf update
diff --git a/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_user_list/correct_value.pass.sh b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_user_list/correct_value.pass.sh
new file mode 100644
index 0000000000..9a3d60d9f6
--- /dev/null
+++ b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_user_list/correct_value.pass.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+. ../../dconf_test_functions.sh
+
+if ! rpm -q dconf; then
+ yum -y install dconf
+fi
+
+if ! rpm -q gdm; then
+ yum -y install gdm
+fi
+
+clean_dconf_settings
+add_dconf_setting "org/gnome/login-screen" "disable-user-list" "true" "gdm.d" "00-security-settings"
+add_dconf_lock "org/gnome/login-screen" "disable-user-list" "gdm.d" "00-security-settings-lock"
+
+dconf update
diff --git a/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_user_list/wrong_value.fail.sh b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_user_list/wrong_value.fail.sh
new file mode 100644
index 0000000000..11e3cbfa9b
--- /dev/null
+++ b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_user_list/wrong_value.fail.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+. ../../dconf_test_functions.sh
+
+if ! rpm -q dconf; then
+ yum -y install dconf
+fi
+
+if ! rpm -q gdm; then
+ yum -y install gdm
+fi
+
+clean_dconf_settings
+add_dconf_setting "org/gnome/login-screen" "disable-user-list" "false" "gdm.d" "00-security-settings"
+add_dconf_lock "org/gnome/login-screen" "disable-user-list" "gdm.d" "00-security-settings-lock"
+
+dconf update
diff --git a/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_enable_smartcard_auth/correct_value.pass.sh b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_enable_smartcard_auth/correct_value.pass.sh
new file mode 100644
index 0000000000..58703799f6
--- /dev/null
+++ b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_enable_smartcard_auth/correct_value.pass.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+. ../../dconf_test_functions.sh
+
+if ! rpm -q dconf; then
+ yum -y install dconf
+fi
+
+if ! rpm -q gdm; then
+ yum -y install gdm
+fi
+
+clean_dconf_settings
+add_dconf_setting "org/gnome/login-screen" "enable-smartcard-authentication" "true" "gdm.d" "00-security-settings"
+add_dconf_lock "org/gnome/login-screen" "enable-smartcard-authentication" "gdm.d" "00-security-settings-lock"
+
+dconf update
diff --git a/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_enable_smartcard_auth/wrong_value.fail.sh b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_enable_smartcard_auth/wrong_value.fail.sh
new file mode 100644
index 0000000000..18f89c182e
--- /dev/null
+++ b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_enable_smartcard_auth/wrong_value.fail.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+. ../../dconf_test_functions.sh
+
+if ! rpm -q dconf; then
+ yum -y install dconf
+fi
+
+if ! rpm -q gdm; then
+ yum -y install gdm
+fi
+
+clean_dconf_settings
+add_dconf_setting "org/gnome/login-screen" "enable-smartcard-authentication" "false" "gdm.d" "00-security-settings"
+add_dconf_lock "org/gnome/login-screen" "enable-smartcard-authentication" "gdm.d" "00-security-settings-lock"
+
+dconf update
diff --git a/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_login_retries/correct_value.pass.sh b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_login_retries/correct_value.pass.sh
new file mode 100644
index 0000000000..0cc2a80762
--- /dev/null
+++ b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_login_retries/correct_value.pass.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+. ../../dconf_test_functions.sh
+
+if ! rpm -q dconf; then
+ yum -y install dconf
+fi
+
+if ! rpm -q gdm; then
+ yum -y install gdm
+fi
+
+clean_dconf_settings
+add_dconf_setting "org/gnome/login-screen" "allowed-failures" "3" "gdm.d" "00-security-settings"
+add_dconf_lock "org/gnome/login-screen" "allowed-failures" "gdm.d" "00-security-settings-lock"
+
+dconf update
diff --git a/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_login_retries/wrong_value.fail.sh b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_login_retries/wrong_value.fail.sh
new file mode 100644
index 0000000000..f89a9d74b9
--- /dev/null
+++ b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_login_retries/wrong_value.fail.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+. ../../dconf_test_functions.sh
+
+if ! rpm -q dconf; then
+ yum -y install dconf
+fi
+
+if ! rpm -q gdm; then
+ yum -y install gdm
+fi
+
+clean_dconf_settings
+add_dconf_setting "org/gnome/login-screen" "allowed-failures" "99" "gdm.d" "00-security-settings"
+add_dconf_lock "org/gnome/login-screen" "allowed-failures" "gdm.d" "00-security-settings-lock"
+
+dconf update
From d2facf408c5f011449539fc3edeaed90a72af04d Mon Sep 17 00:00:00 2001
From: Gabriel Becker Date: Thu, 30 May 2019 15:39:36 +0200 Subject: [PATCH 3/9] Add test scenarios for dconf_db_up_to_date. --- .../group_gnome/dconf_test_functions.sh | 7 ++++- .../db_not_up_to_date.fail.sh | 26 +++++++++++++++++++ .../db_up_to_date.pass.sh | 21 +++++++++++++++ .../no_db_files.fail.sh | 23 ++++++++++++++++ 4 files changed, 76 insertions(+), 1 deletion(-) create mode 100644 tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/db_not_up_to_date.fail.sh create mode 100644 tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/db_up_to_date.pass.sh create mode 100644 tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/no_db_files.fail.sh diff --git a/tests/data/group_system/group_software/group_gnome/dconf_test_functions.sh b/tests/data/group_system/group_software/group_gnome/dconf_test_functions.sh index 07940ea272..d975ea0715 100644 --- a/tests/data/group_system/group_software/group_gnome/dconf_test_functions.sh +++ b/tests/data/group_system/group_software/group_gnome/dconf_test_functions.sh @@ -4,6 +4,11 @@ clean_dconf_settings(){ rm -rf /etc/dconf/db/* } +# Wipes out dconf db files +remove_dconf_databases(){ + rm -f /etc/dconf/db/* +} + # Adds a new dconf setting # $1 _path # $2 _setting @@ -12,7 +17,7 @@ clean_dconf_settings(){ # $5 _settingFile add_dconf_setting() { local _path=$1 _setting=$2 _value=$3 _db=$4 _settingFile=$5 - mkdir /etc/dconf/db/${_db} + mkdir -p /etc/dconf/db/${_db} || true echo "[${_path}]" > /etc/dconf/db/${_db}/${_settingFile} echo "${_setting}=${_value}" >> /etc/dconf/db/${_db}/${_settingFile} } diff --git a/tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/db_not_up_to_date.fail.sh b/tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/db_not_up_to_date.fail.sh new file mode 100644 index 0000000000..bb8b1d42ff --- /dev/null 
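Review bot: `rm -f /etc/dconf/db/*` in the new `remove_dconf_databases` also matches the `*.d` keyfile directories, and `-f` does not silence "Is a directory", so the helper prints errors and returns non-zero even when the compiled `local` and `gdm` files were removed; the callers do not run under `set -e`, so the scenario continues, but the status is misleading. Restrict it to regular files, `find /etc/dconf/db -maxdepth 1 -type f -delete`. The header comment `# Wipes out dconf db files` should then read `# Removes the compiled database files; the *.d keyfile directories are kept` so the contrast with `clean_dconf_settings` above is explicit.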
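Review bot: `mkdir -p /etc/dconf/db/${_db} || true` in `add_dconf_setting` — `mkdir -p` already succeeds when the directory exists, so the `|| true` only hides genuine failures such as a permission error, after which the `echo ... >` redirections on the following lines fail with a less direct message. Drop the suffix and quote the expansion: `mkdir -p "/etc/dconf/db/${_db}"`. The rest of the function starts and ends outside this hunk's added line, and its own `${_db}/${_settingFile}` expansions are unquoted as well, though that is pre-existing.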
+++ b/tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/db_not_up_to_date.fail.sh
@@ -0,0 +1,26 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+. ../dconf_test_functions.sh
+
+if ! rpm -q dconf; then
+ yum -y install dconf
+fi
+
+if ! rpm -q gdm; then
+ yum -y install gdm
+fi
+
+clean_dconf_settings
+add_dconf_setting "org/gnome/login-screen" "banner-message-enabled" "true" "gdm.d" "00-security-settings"
+add_dconf_lock "org/gnome/login-screen" "banner-message-enable" "gdm.d" "00-security-settings-lock"
+
+add_dconf_setting "org/gnome/login-screen" "banner-message-enabled" "true" "local.d" "00-security-settings"
+add_dconf_lock "org/gnome/login-screen" "banner-message-enable" "local.d" "00-security-settings-lock"
+
+dconf update
+
+sleep 3
+
+# make static files newer than the database
+add_dconf_setting "org/gnome/login-screen" "banner-message-enabled" "true" "gdm.d" "00-security-settings"
diff --git a/tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/db_up_to_date.pass.sh b/tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/db_up_to_date.pass.sh
new file mode 100644
index 0000000000..66ed76e4fa
--- /dev/null
+++ b/tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/db_up_to_date.pass.sh
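Review bot: The setting key and its lock disagree: `add_dconf_setting` writes `banner-message-enabled` while the paired `add_dconf_lock` locks `banner-message-enable`, which is also the key the rule_dconf_gnome_banner_enabled scenarios use; the same mismatch appears in the db_up_to_date.pass.sh and no_db_files.fail.sh hunks that follow. It does not affect the freshness check under test, but the lock then targets a key that was never set, so use `banner-message-enable` in all of these calls. The comment `# make static files newer than the database` would be more useful as `# rewrite a keyfile so its mtime is newer than the compiled database (hence the sleep above)`, since the `sleep 3` exists only to make that ordering observable.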
@@ -0,0 +1,21 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+. ../dconf_test_functions.sh
+
+if ! rpm -q dconf; then
+ yum -y install dconf
+fi
+
+if ! rpm -q gdm; then
+ yum -y install gdm
+fi
+
+clean_dconf_settings
+add_dconf_setting "org/gnome/login-screen" "banner-message-enabled" "true" "gdm.d" "00-security-settings"
+add_dconf_lock "org/gnome/login-screen" "banner-message-enable" "gdm.d" "00-security-settings-lock"
+
+add_dconf_setting "org/gnome/login-screen" "banner-message-enabled" "true" "local.d" "00-security-settings"
+add_dconf_lock "org/gnome/login-screen" "banner-message-enable" "local.d" "00-security-settings-lock"
+
+dconf update
diff --git a/tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/no_db_files.fail.sh b/tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/no_db_files.fail.sh
new file mode 100644
index 0000000000..a7bc04efac
--- /dev/null
+++ b/tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/no_db_files.fail.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+. ../dconf_test_functions.sh
+
+if ! rpm -q dconf; then
+ yum -y install dconf
+fi
+
+if ! rpm -q gdm; then
+ yum -y install gdm
+fi
+
+# remove all database files
+remove_dconf_databases
+
+sleep 3
+
+add_dconf_setting "org/gnome/login-screen" "banner-message-enabled" "true" "gdm.d" "00-security-settings"
+add_dconf_lock "org/gnome/login-screen" "banner-message-enable" "gdm.d" "00-security-settings-lock"
+
+add_dconf_setting "org/gnome/login-screen" "banner-message-enabled" "true" "local.d" "00-security-settings"
+add_dconf_lock "org/gnome/login-screen" "banner-message-enable" "local.d" "00-security-settings-lock"
From d57e981a45e88a9e28b621ed5d9cbf64c17f3592 Mon Sep 17 00:00:00 2001
From: Gabriel Becker Date: Thu, 30 May 2019 16:45:35 +0200 Subject: [PATCH 4/9] Add dconf_db_up_to_date to profiles which use gnome config. --- fedora/profiles/pci-dss.profile | 1 + ol7/profiles/pci-dss.profile | 1 + ol7/profiles/stig-ol7-disa.profile | 1 + ol8/profiles/ospp.profile | 1 + ol8/profiles/pci-dss.profile | 1 + rhel7/profiles/C2S.profile | 1 + rhel7/profiles/hipaa.profile | 1 + rhel7/profiles/ospp42.profile | 1 + rhel7/profiles/pci-dss.profile | 1 + rhel7/profiles/stig-rhel7-disa.profile | 1 + rhel8/profiles/cjis.profile | 1 + rhel8/profiles/hipaa.profile | 1 + rhel8/profiles/ospp.profile | 1 + rhel8/profiles/pci-dss.profile | 1 + 14 files changed, 14 insertions(+) diff --git a/fedora/profiles/pci-dss.profile b/fedora/profiles/pci-dss.profile index 5e47534e81..dea9efe685 100644 --- a/fedora/profiles/pci-dss.profile +++ b/fedora/profiles/pci-dss.profile @@ -98,6 +98,7 @@ selections: - account_disable_post_pw_expiration - accounts_passwords_pam_faillock_deny - accounts_passwords_pam_faillock_unlock_time + - dconf_db_up_to_date - dconf_gnome_screensaver_idle_delay - dconf_gnome_screensaver_idle_activation_enabled - dconf_gnome_screensaver_lock_enabled diff --git a/ol7/profiles/pci-dss.profile b/ol7/profiles/pci-dss.profile index 1648129066..01fcda6031 100644 --- a/ol7/profiles/pci-dss.profile +++ b/ol7/profiles/pci-dss.profile @@ -121,6 +121,7 @@ selections: - accounts_passwords_pam_faillock_deny - accounts_passwords_pam_faillock_unlock_time - account_unique_name + - dconf_db_up_to_date - dconf_gnome_screensaver_idle_activation_enabled - dconf_gnome_screensaver_idle_delay - dconf_gnome_screensaver_lock_enabled diff --git a/ol7/profiles/stig-ol7-disa.profile b/ol7/profiles/stig-ol7-disa.profile index f9d2f4c900..9ae23a41be 100644 --- a/ol7/profiles/stig-ol7-disa.profile +++ b/ol7/profiles/stig-ol7-disa.profile 
@@ -109,6 +109,7 @@ selections: - audit_rules_usergroup_modification_opasswd - audit_rules_usergroup_modification_passwd - audit_rules_usergroup_modification_shadow + - dconf_db_up_to_date - dconf_gnome_screensaver_idle_activation_enabled - dconf_gnome_screensaver_idle_activation_locked - dconf_gnome_screensaver_idle_delay diff --git a/ol8/profiles/ospp.profile b/ol8/profiles/ospp.profile index 5c13575f72..8506713cc1 100644 --- a/ol8/profiles/ospp.profile +++ b/ol8/profiles/ospp.profile @@ -42,6 +42,7 @@ selections: - sysctl_kernel_kptr_restrict - sysctl_kernel_kexec_load_disabled - sysctl_kernel_dmesg_restrict + - dconf_db_up_to_date - dconf_gnome_screensaver_idle_activation_enabled - dconf_gnome_screensaver_idle_delay - dconf_gnome_screensaver_lock_delay diff --git a/ol8/profiles/pci-dss.profile b/ol8/profiles/pci-dss.profile index 6920cf9b7d..237757c523 100644 --- a/ol8/profiles/pci-dss.profile +++ b/ol8/profiles/pci-dss.profile @@ -126,6 +126,7 @@ selections: - accounts_passwords_pam_faillock_deny - accounts_passwords_pam_faillock_unlock_time - account_unique_name + - dconf_db_up_to_date - dconf_gnome_screensaver_idle_activation_enabled - dconf_gnome_screensaver_idle_delay - dconf_gnome_screensaver_lock_enabled diff --git a/rhel7/profiles/C2S.profile b/rhel7/profiles/C2S.profile index 65805957af..031b0247df 100644 --- a/rhel7/profiles/C2S.profile +++ b/rhel7/profiles/C2S.profile @@ -70,6 +70,7 @@ selections: - selinux_confinement_of_daemons - banner_etc_issue - login_banner_text=usgcb_default + - dconf_db_up_to_date - dconf_gnome_login_banner_text - dconf_gnome_banner_enabled - security_patches_up_to_date diff --git a/rhel7/profiles/hipaa.profile b/rhel7/profiles/hipaa.profile index 76fb4a8269..a58f625309 100644 --- a/rhel7/profiles/hipaa.profile +++ b/rhel7/profiles/hipaa.profile 
@@ -28,6 +28,7 @@ selections: - service_debug-shell_disabled - disable_ctrlaltdel_reboot - disable_ctrlaltdel_burstaction + - dconf_db_up_to_date - dconf_gnome_remote_access_credential_prompt - dconf_gnome_remote_access_encryption - sshd_disable_empty_passwords diff --git a/rhel7/profiles/ospp42.profile b/rhel7/profiles/ospp42.profile index de4827afaf..3f59466477 100644 --- a/rhel7/profiles/ospp42.profile +++ b/rhel7/profiles/ospp42.profile @@ -42,6 +42,7 @@ selections: - sysctl_kernel_kptr_restrict - sysctl_kernel_kexec_load_disabled - sysctl_kernel_dmesg_restrict + - dconf_db_up_to_date - dconf_gnome_screensaver_idle_activation_enabled - dconf_gnome_screensaver_idle_delay - dconf_gnome_screensaver_lock_delay diff --git a/rhel7/profiles/pci-dss.profile b/rhel7/profiles/pci-dss.profile index b4e4786ce9..0d9a51c42b 100644 --- a/rhel7/profiles/pci-dss.profile +++ b/rhel7/profiles/pci-dss.profile @@ -79,6 +79,7 @@ selections: - account_disable_post_pw_expiration - accounts_passwords_pam_faillock_deny - accounts_passwords_pam_faillock_unlock_time + - dconf_db_up_to_date - dconf_gnome_screensaver_idle_delay - dconf_gnome_screensaver_idle_activation_enabled - dconf_gnome_screensaver_lock_enabled diff --git a/rhel7/profiles/stig-rhel7-disa.profile b/rhel7/profiles/stig-rhel7-disa.profile index 4edae36b0c..1d558f0068 100644 --- a/rhel7/profiles/stig-rhel7-disa.profile +++ b/rhel7/profiles/stig-rhel7-disa.profile @@ -57,6 +57,7 @@ selections: - rpm_verify_permissions - rpm_verify_ownership - rpm_verify_hashes + - dconf_db_up_to_date - dconf_gnome_banner_enabled - dconf_gnome_login_banner_text - banner_etc_issue diff --git a/rhel8/profiles/cjis.profile b/rhel8/profiles/cjis.profile index ec225d89a4..8d173d257f 100644 --- a/rhel8/profiles/cjis.profile +++ b/rhel8/profiles/cjis.profile 
@@ -86,6 +86,7 @@ selections: - var_password_pam_retry=5 - var_accounts_passwords_pam_faillock_deny=5 - var_accounts_passwords_pam_faillock_unlock_time=600 + - dconf_db_up_to_date - dconf_gnome_screensaver_idle_delay - dconf_gnome_screensaver_idle_activation_enabled - dconf_gnome_screensaver_lock_enabled diff --git a/rhel8/profiles/hipaa.profile b/rhel8/profiles/hipaa.profile index d44960d84c..3debc739fc 100644 --- a/rhel8/profiles/hipaa.profile +++ b/rhel8/profiles/hipaa.profile @@ -28,6 +28,7 @@ selections: - service_debug-shell_disabled - disable_ctrlaltdel_reboot - disable_ctrlaltdel_burstaction + - dconf_db_up_to_date - dconf_gnome_remote_access_credential_prompt - dconf_gnome_remote_access_encryption - sshd_disable_empty_passwords diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile index f9f7cd04dc..c5a7ee5ed5 100644 --- a/rhel8/profiles/ospp.profile +++ b/rhel8/profiles/ospp.profile @@ -219,6 +219,7 @@ selections: ### FMT_MOF_EXT.1 / AC-11(a) ### Enable Screen Lock - package_tmux_installed + - dconf_db_up_to_date - dconf_gnome_screensaver_idle_activation_enabled - dconf_gnome_screensaver_idle_delay - dconf_gnome_screensaver_lock_delay diff --git a/rhel8/profiles/pci-dss.profile b/rhel8/profiles/pci-dss.profile index bdca65b4fa..89abad1338 100644 --- a/rhel8/profiles/pci-dss.profile +++ b/rhel8/profiles/pci-dss.profile @@ -98,6 +98,7 @@ selections: - account_disable_post_pw_expiration - accounts_passwords_pam_faillock_deny - accounts_passwords_pam_faillock_unlock_time + - dconf_db_up_to_date - dconf_gnome_screensaver_idle_delay - dconf_gnome_screensaver_idle_activation_enabled - dconf_gnome_screensaver_lock_enabled From 42cb1e23c1c39dd19d99628d133fae60b06f078c Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= Date: Thu, 30 May 2019 17:26:11 +0200 Subject: [PATCH 5/9] Added an OVAL customization for Fedora (dconf_db_up_to_date). --- .../gnome/dconf_db_up_to_date/oval/shared.xml | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/linux_os/guide/system/software/gnome/dconf_db_up_to_date/oval/shared.xml b/linux_os/guide/system/software/gnome/dconf_db_up_to_date/oval/shared.xml index b3b5b0358b..6b34446487 100644 --- a/linux_os/guide/system/software/gnome/dconf_db_up_to_date/oval/shared.xml +++ b/linux_os/guide/system/software/gnome/dconf_db_up_to_date/oval/shared.xml @@ -37,6 +37,10 @@ {{% endmacro %}} + {{% macro check_db_criterion(db_name) %}} + + {{% endmacro %}} + Configure the GNOME3 GUI Screen locking @@ -50,14 +54,18 @@ - - - + + {{% if product != 'fedora' %}} + {{{ check_db_criterion("gdm") }}} + {{% endif %}} + {{{ check_db_criterion("local") }}} + {{% if product != 'fedora' %}} + {{{ check_db_is_up_to_date("gdm") }}} + {{% endif %}} {{{ check_db_is_up_to_date("local") }}} - {{{ check_db_is_up_to_date("gdm") }}} From 758e239c798620038216c554a05cba9bd95a93c1 Mon Sep 17 00:00:00 2001 
From: Gabriel Becker Date: Thu, 30 May 2019 17:37:36 +0200 Subject: [PATCH 6/9] Create helper function to install gdm and dconf to be used within test scenarios. Fix test scenario when dconf db is not up to date. --- .../correct_value.pass.sh | 8 +------- .../wrong_value.fail.sh | 8 +------- .../correct_value.pass.sh | 8 +------- .../wrong_value.fail.sh | 8 +------- .../group_gnome/dconf_test_functions.sh | 11 +++++++++++ .../correct_value.pass.sh | 8 +------- .../wrong_value.fail.sh | 8 +------- .../correct_value.pass.sh | 8 +------- .../wrong_value.fail.sh | 8 +------- .../correct_value.pass.sh | 8 +------- .../wrong_value.fail.sh | 8 +------- .../correct_value.pass.sh | 8 +------- .../wrong_value.fail.sh | 8 +------- .../db_not_up_to_date.fail.sh | 14 +++++--------- .../rule_dconf_db_up_to_date/db_up_to_date.pass.sh | 8 +------- .../rule_dconf_db_up_to_date/no_db_files.fail.sh | 11 +++-------- 16 files changed, 32 insertions(+), 108 deletions(-) diff --git a/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_banner_enabled/correct_value.pass.sh b/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_banner_enabled/correct_value.pass.sh index d6f11373d0..285c9474d4 100644 --- a/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_banner_enabled/correct_value.pass.sh +++ b/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_banner_enabled/correct_value.pass.sh @@ -3,13 +3,7 @@ . ../../../../group_software/group_gnome/dconf_test_functions.sh -if ! rpm -q dconf; then - yum -y install dconf -fi - -if ! rpm -q gdm; then - yum -y install gdm -fi +install_dconf_and_gdm_if_needed clean_dconf_settings add_dconf_setting "org/gnome/login-screen" "banner-message-enable" "true" "gdm.d" "00-security-settings" 
diff --git a/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_banner_enabled/wrong_value.fail.sh b/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_banner_enabled/wrong_value.fail.sh index f1e97fea20..9408a5c3bb 100644 --- a/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_banner_enabled/wrong_value.fail.sh +++ b/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_banner_enabled/wrong_value.fail.sh @@ -3,13 +3,7 @@ . ../../../../group_software/group_gnome/dconf_test_functions.sh -if ! rpm -q dconf; then - yum -y install dconf -fi - -if ! rpm -q gdm; then - yum -y install gdm -fi +install_dconf_and_gdm_if_needed clean_dconf_settings add_dconf_setting "org/gnome/login-screen" "banner-message-enable" "false" "gdm.d" "00-security-settings" diff --git a/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_login_banner_text/correct_value.pass.sh b/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_login_banner_text/correct_value.pass.sh index e161691aa7..c39f919959 100644 --- a/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_login_banner_text/correct_value.pass.sh +++ b/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_login_banner_text/correct_value.pass.sh 
@@ -3,13 +3,7 @@ . ../../../../group_software/group_gnome/dconf_test_functions.sh -if ! rpm -q dconf; then - yum -y install dconf -fi - -if ! rpm -q gdm; then - yum -y install gdm -fi +install_dconf_and_gdm_if_needed login_banner_text="--[\s\n]+WARNING[\s\n]+--[\s\n]*This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only.[\s\n]+Individuals[\s\n]*using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]*authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]*monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]*system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]*if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]*system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]*enforcement[\s\n]+officials." expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;') diff --git a/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_login_banner_text/wrong_value.fail.sh b/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_login_banner_text/wrong_value.fail.sh index b45c5b193f..b9e7fc8661 100644 --- a/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_login_banner_text/wrong_value.fail.sh 
+++ b/tests/data/group_system/group_accounts/group_accounts-banners/group_gui_login_banner/rule_dconf_gnome_login_banner_text/wrong_value.fail.sh @@ -3,13 +3,7 @@ . ../../../../group_software/group_gnome/dconf_test_functions.sh -if ! rpm -q dconf; then - yum -y install dconf -fi - -if ! rpm -q gdm; then - yum -y install gdm -fi +install_dconf_and_gdm_if_needed login_banner_text="Wrong Banner Text" expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/(\^\(.*\)\$|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;') diff --git a/tests/data/group_system/group_software/group_gnome/dconf_test_functions.sh b/tests/data/group_system/group_software/group_gnome/dconf_test_functions.sh index d975ea0715..a218f1f8e7 100644 --- a/tests/data/group_system/group_software/group_gnome/dconf_test_functions.sh +++ b/tests/data/group_system/group_software/group_gnome/dconf_test_functions.sh @@ -1,4 +1,15 @@ +# Check if gdm and dconf are installed, if not then install them +install_dconf_and_gdm_if_needed(){ + if ! rpm -q dconf; then + yum -y install dconf + fi + + if ! rpm -q gdm; then + yum -y install gdm + fi +} + # Wipes out dconf db settings directory clean_dconf_settings(){ rm -rf /etc/dconf/db/* diff --git a/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_restart_shutdown/correct_value.pass.sh b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_restart_shutdown/correct_value.pass.sh index a5a207b80a..9aea0b74cf 100644 --- a/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_restart_shutdown/correct_value.pass.sh +++ b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_restart_shutdown/correct_value.pass.sh 
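Review bot: `install_dconf_and_gdm_if_needed` ignores the exit status of both `yum -y install` calls, so when an install fails every scenario that sources this helper keeps running and fails later for an unrelated reason; the helper should stop the scenario instead. Both packages follow the same shape, so one loop covers it and also silences the package NVR that `rpm -q` prints on success: `for pkg in dconf gdm; do rpm -q "$pkg" >/dev/null 2>&1 || yum -y install "$pkg" || exit 1; done`. The command name is hard-coded as `yum`; on Fedora and RHEL 8 targets the native tool is `dnf`, though `yum` usually resolves to it there, so that part is a portability remark rather than a defect.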
@@ -3,13 +3,7 @@ . ../../dconf_test_functions.sh -if ! rpm -q dconf; then - yum -y install dconf -fi - -if ! rpm -q gdm; then - yum -y install gdm -fi +install_dconf_and_gdm_if_needed clean_dconf_settings add_dconf_setting "org/gnome/login-screen" "disable-restart-buttons" "true" "gdm.d" "00-security-settings" diff --git a/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_restart_shutdown/wrong_value.fail.sh b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_restart_shutdown/wrong_value.fail.sh index 04d3e9eca2..d8c571fc0a 100644 --- a/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_restart_shutdown/wrong_value.fail.sh +++ b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_restart_shutdown/wrong_value.fail.sh @@ -3,13 +3,7 @@ . ../../dconf_test_functions.sh -if ! rpm -q dconf; then - yum -y install dconf -fi - -if ! rpm -q gdm; then - yum -y install gdm -fi +install_dconf_and_gdm_if_needed clean_dconf_settings add_dconf_setting "org/gnome/login-screen" "disable-restart-buttons" "false" "gdm.d" "00-security-settings" diff --git a/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_user_list/correct_value.pass.sh b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_user_list/correct_value.pass.sh index 9a3d60d9f6..776f9e7c23 100644 --- a/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_user_list/correct_value.pass.sh +++ b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_user_list/correct_value.pass.sh 
@@ -3,13 +3,7 @@ . ../../dconf_test_functions.sh -if ! rpm -q dconf; then - yum -y install dconf -fi - -if ! rpm -q gdm; then - yum -y install gdm -fi +install_dconf_and_gdm_if_needed clean_dconf_settings add_dconf_setting "org/gnome/login-screen" "disable-user-list" "true" "gdm.d" "00-security-settings" diff --git a/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_user_list/wrong_value.fail.sh b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_user_list/wrong_value.fail.sh index 11e3cbfa9b..571bd75f22 100644 --- a/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_user_list/wrong_value.fail.sh +++ b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_disable_user_list/wrong_value.fail.sh @@ -3,13 +3,7 @@ . ../../dconf_test_functions.sh -if ! rpm -q dconf; then - yum -y install dconf -fi - -if ! rpm -q gdm; then - yum -y install gdm -fi +install_dconf_and_gdm_if_needed clean_dconf_settings add_dconf_setting "org/gnome/login-screen" "disable-user-list" "false" "gdm.d" "00-security-settings" diff --git a/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_enable_smartcard_auth/correct_value.pass.sh b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_enable_smartcard_auth/correct_value.pass.sh index 58703799f6..13562cfa1d 100644 --- a/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_enable_smartcard_auth/correct_value.pass.sh +++ b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_enable_smartcard_auth/correct_value.pass.sh 
@@ -3,13 +3,7 @@ . ../../dconf_test_functions.sh -if ! rpm -q dconf; then - yum -y install dconf -fi - -if ! rpm -q gdm; then - yum -y install gdm -fi +install_dconf_and_gdm_if_needed clean_dconf_settings add_dconf_setting "org/gnome/login-screen" "enable-smartcard-authentication" "true" "gdm.d" "00-security-settings" diff --git a/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_enable_smartcard_auth/wrong_value.fail.sh b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_enable_smartcard_auth/wrong_value.fail.sh index 18f89c182e..666ce2c21c 100644 --- a/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_enable_smartcard_auth/wrong_value.fail.sh +++ b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_enable_smartcard_auth/wrong_value.fail.sh @@ -3,13 +3,7 @@ . ../../dconf_test_functions.sh -if ! rpm -q dconf; then - yum -y install dconf -fi - -if ! rpm -q gdm; then - yum -y install gdm -fi +install_dconf_and_gdm_if_needed clean_dconf_settings add_dconf_setting "org/gnome/login-screen" "enable-smartcard-authentication" "false" "gdm.d" "00-security-settings" diff --git a/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_login_retries/correct_value.pass.sh b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_login_retries/correct_value.pass.sh index 0cc2a80762..59d005967a 100644 --- a/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_login_retries/correct_value.pass.sh +++ b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_login_retries/correct_value.pass.sh 
@@ -3,13 +3,7 @@ . ../../dconf_test_functions.sh -if ! rpm -q dconf; then - yum -y install dconf -fi - -if ! rpm -q gdm; then - yum -y install gdm -fi +install_dconf_and_gdm_if_needed clean_dconf_settings add_dconf_setting "org/gnome/login-screen" "allowed-failures" "3" "gdm.d" "00-security-settings" diff --git a/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_login_retries/wrong_value.fail.sh b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_login_retries/wrong_value.fail.sh index f89a9d74b9..c6d31f5b8a 100644 --- a/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_login_retries/wrong_value.fail.sh +++ b/tests/data/group_system/group_software/group_gnome/group_gnome_login_screen/rule_dconf_gnome_login_retries/wrong_value.fail.sh @@ -3,13 +3,7 @@ . ../../dconf_test_functions.sh -if ! rpm -q dconf; then - yum -y install dconf -fi - -if ! rpm -q gdm; then - yum -y install gdm -fi +install_dconf_and_gdm_if_needed clean_dconf_settings add_dconf_setting "org/gnome/login-screen" "allowed-failures" "99" "gdm.d" "00-security-settings" diff --git a/tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/db_not_up_to_date.fail.sh b/tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/db_not_up_to_date.fail.sh index bb8b1d42ff..db6e7138aa 100644 --- a/tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/db_not_up_to_date.fail.sh +++ b/tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/db_not_up_to_date.fail.sh @@ -3,13 +3,7 @@ . ../dconf_test_functions.sh -if ! rpm -q dconf; then - yum -y install dconf -fi - -if ! rpm -q gdm; then - yum -y install gdm -fi +install_dconf_and_gdm_if_needed clean_dconf_settings add_dconf_setting "org/gnome/login-screen" "banner-message-enabled" "true" "gdm.d" "00-security-settings" 
@@ -20,7 +14,9 @@ add_dconf_lock "org/gnome/login-screen" "banner-message-enable" "local.d" "00-se dconf update -sleep 3 +# ensure that the modification happens a reasonable amount of time after running dconf update +sleep 5 -# make static files newer than the database +# make static keyfiles newer than the database add_dconf_setting "org/gnome/login-screen" "banner-message-enabled" "true" "gdm.d" "00-security-settings" +add_dconf_setting "org/gnome/login-screen" "banner-message-enabled" "true" "local.d" "00-security-settings" diff --git a/tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/db_up_to_date.pass.sh b/tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/db_up_to_date.pass.sh index 66ed76e4fa..5a6c2f0a43 100644 --- a/tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/db_up_to_date.pass.sh +++ b/tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/db_up_to_date.pass.sh @@ -3,13 +3,7 @@ . ../dconf_test_functions.sh -if ! rpm -q dconf; then - yum -y install dconf -fi - -if ! rpm -q gdm; then - yum -y install gdm -fi +install_dconf_and_gdm_if_needed clean_dconf_settings add_dconf_setting "org/gnome/login-screen" "banner-message-enabled" "true" "gdm.d" "00-security-settings" diff --git a/tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/no_db_files.fail.sh b/tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/no_db_files.fail.sh index a7bc04efac..3fdbed905e 100644 --- a/tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/no_db_files.fail.sh +++ b/tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/no_db_files.fail.sh 
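Review bot: The `sleep 5` in db_not_up_to_date.fail.sh leaves the scenario timing-dependent: whether the keyfiles end up newer than the compiled databases depends on timestamp granularity and on how long the preceding `dconf update` took, and it adds five seconds to every run. Setting the timestamps explicitly is deterministic and immediate, for example backdating the databases right after `dconf update` with `touch -c -d '1 minute ago' /etc/dconf/db/local /etc/dconf/db/gdm` and dropping the sleep (`-c` avoids creating a database that was never compiled). The same sleep-based ordering is used in no_db_files.fail.sh in the next hunk.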
@@ -3,18 +3,13 @@ . ../dconf_test_functions.sh -if ! rpm -q dconf; then - yum -y install dconf -fi - -if ! rpm -q gdm; then - yum -y install gdm -fi +install_dconf_and_gdm_if_needed # remove all database files remove_dconf_databases -sleep 3 +# ensure that the modification happens a reasonable amount of time after running dconf update +sleep 5 add_dconf_setting "org/gnome/login-screen" "banner-message-enabled" "true" "gdm.d" "00-security-settings" add_dconf_lock "org/gnome/login-screen" "banner-message-enable" "gdm.d" "00-security-settings-lock" From 68e3f056a723ceb170fd81105d354e390e3ea00a Mon Sep 17 00:00:00 2001 From: Gabriel Becker Date: Fri, 31 May 2019 10:06:03 +0200 Subject: [PATCH 7/9] Update dconf_db_up_to_date OVAL metadata. --- .../system/software/gnome/dconf_db_up_to_date/oval/shared.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/linux_os/guide/system/software/gnome/dconf_db_up_to_date/oval/shared.xml b/linux_os/guide/system/software/gnome/dconf_db_up_to_date/oval/shared.xml index 6b34446487..499bb4db60 100644 --- a/linux_os/guide/system/software/gnome/dconf_db_up_to_date/oval/shared.xml +++ b/linux_os/guide/system/software/gnome/dconf_db_up_to_date/oval/shared.xml @@ -43,14 +43,14 @@ - Configure the GNOME3 GUI Screen locking + The dconf databases are up-to-date. Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 8 multi_platform_fedora multi_platform_ol - The allowed period of inactivity before the screensaver is activated. + Make sure that the dconf databases are up-to-date with regards to respective keyfiles. From f86c4b314cc7d4d3922cf424a77674f9332eced9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= Date: Fri, 31 May 2019 15:59:11 +0200 Subject: [PATCH 8/9] Made the gdm.d keyfile tree relevant only for RHEL7. --- .../system/software/gnome/dconf_db_up_to_date/oval/shared.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
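Review bot: The comment added above `sleep 5` in no_db_files.fail.sh says the delay follows `dconf update`, but this scenario never calls `dconf update` in the visible lines: it removes the databases with `remove_dconf_databases` and then writes keyfiles, so unless `remove_dconf_databases` itself rebuilds the databases there is no timestamp for the keyfiles to be newer than and the sleep is dead time with a misleading comment. Either drop the sleep or reword the comment to state what the scenario actually relies on, e.g. `# no compiled database exists, so the keyfiles alone must make the check fail`.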
diff --git a/linux_os/guide/system/software/gnome/dconf_db_up_to_date/oval/shared.xml b/linux_os/guide/system/software/gnome/dconf_db_up_to_date/oval/shared.xml index 499bb4db60..bc31a6cb7e 100644 --- a/linux_os/guide/system/software/gnome/dconf_db_up_to_date/oval/shared.xml +++ b/linux_os/guide/system/software/gnome/dconf_db_up_to_date/oval/shared.xml @@ -55,7 +55,7 @@ - {{% if product != 'fedora' %}} + {{% if product == 'rhel7' %}} {{{ check_db_criterion("gdm") }}} {{% endif %}} {{{ check_db_criterion("local") }}} @@ -63,7 +63,7 @@ - {{% if product != 'fedora' %}} + {{% if product == 'rhel7' %}} {{{ check_db_is_up_to_date("gdm") }}} {{% endif %}} {{{ check_db_is_up_to_date("local") }}} From 64a53ece4ffea9f9d4017955433a251493649175 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= Date: Mon, 3 Jun 2019 14:39:09 +0200 Subject: [PATCH 9/9] Added support for missing keyfiles. --- .../gnome/dconf_db_up_to_date/oval/shared.xml | 12 +++++++++--- .../rule_dconf_db_up_to_date/no_keyfiles.pass.sh | 8 ++++++++ 2 files changed, 17 insertions(+), 3 deletions(-) create mode 100644 tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/no_keyfiles.pass.sh diff --git a/linux_os/guide/system/software/gnome/dconf_db_up_to_date/oval/shared.xml b/linux_os/guide/system/software/gnome/dconf_db_up_to_date/oval/shared.xml index bc31a6cb7e..f073268762 100644 --- a/linux_os/guide/system/software/gnome/dconf_db_up_to_date/oval/shared.xml +++ b/linux_os/guide/system/software/gnome/dconf_db_up_to_date/oval/shared.xml @@ -12,8 +12,7 @@ - /etc/dconf/db/{{{ db_name }}}.d/ - .* + ^/etc/dconf/db/{{{ db_name }}}.d/.* @@ -35,10 +34,17 @@ + + + + {{% endmacro %}} {{% macro check_db_criterion(db_name) %}} - + + + + {{% endmacro %}} 
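Review bot: Narrowing the `gdm` database check from `{{% if product != 'fedora' %}}` to `{{% if product == 'rhel7' %}}` in both the criteria and the definitions also drops it for `ol7`, while the OVAL metadata still lists `multi_platform_ol` as a platform and the ol8 profiles in this series select the rule. If Oracle Linux 7 ships the same gdm.d keyfile tree as RHEL 7, both conditions should read `{{% if product in ['rhel7', 'ol7'] %}}`; I cannot confirm the OL7 layout from the diff, so this is a question to settle rather than a defect.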
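Review bot: In the new filepath pattern `^/etc/dconf/db/{{{ db_name }}}.d/.*` the dot before `d` is an unescaped regex metacharacter, so the pattern also matches any directory `/etc/dconf/db/<db_name>?d/` for any single character; the literal match the check intends is `^/etc/dconf/db/{{{ db_name }}}\.d/.*`. The previous form used a literal path element for the directory and only `.*` for the filename, so this widening is introduced by the hunk. The practical exposure is small because other directories under /etc/dconf/db are unlikely, but an anchored literal is cheap and removes the ambiguity.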
diff --git a/tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/no_keyfiles.pass.sh b/tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/no_keyfiles.pass.sh new file mode 100644 index 0000000000..06945575f1 --- /dev/null +++ b/tests/data/group_system/group_software/group_gnome/rule_dconf_db_up_to_date/no_keyfiles.pass.sh @@ -0,0 +1,8 @@ +#!/bin/bash +# profiles = xccdf_org.ssgproject.content_profile_ospp + +. ../dconf_test_functions.sh + +install_dconf_and_gdm_if_needed + +clean_dconf_settings