rpms / scap-security-guide

Clone
Source Code
GIT

Files

  1.   28bffef986b6ca9568b967c5a33062b59bf8f513
  2.   SOURCES
  3.   scap-security-guide-0.1.41-small_bash_fix_for_gnome_screensaver_lock_delay.patch
Blob Blame History Raw 
From 0286990e3776fa2d3ecbff101eba824bd2addfc7 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 20 Sep 2018 15:59:52 +0200
Subject: [PATCH 1/5] Add tests for dconf_gnome_screensaver_lock_enabled

---
 .../comment.fail.sh                           | 14 ++++++++++++++
 .../correct_value.pass.sh                     | 19 +++++++++++++++++++
 .../correct_value_unlocked.fail.sh            | 13 +++++++++++++
 .../line_not_there.fail.sh                    | 10 ++++++++++
 .../wrong_value.fail.sh                       | 13 +++++++++++++
 5 files changed, 69 insertions(+)
 create mode 100644 tests/data/group_system/group_software/group_gnome/group_gnome_screen_locking/rule_dconf_gnome_screensaver_lock_enabled/comment.fail.sh
 create mode 100644 tests/data/group_system/group_software/group_gnome/group_gnome_screen_locking/rule_dconf_gnome_screensaver_lock_enabled/correct_value.pass.sh
 create mode 100644 tests/data/group_system/group_software/group_gnome/group_gnome_screen_locking/rule_dconf_gnome_screensaver_lock_enabled/correct_value_unlocked.fail.sh
 create mode 100644 tests/data/group_system/group_software/group_gnome/group_gnome_screen_locking/rule_dconf_gnome_screensaver_lock_enabled/line_not_there.fail.sh
 create mode 100644 tests/data/group_system/group_software/group_gnome/group_gnome_screen_locking/rule_dconf_gnome_screensaver_lock_enabled/wrong_value.fail.sh

diff --git a/tests/data/group_system/group_software/group_gnome/group_gnome_screen_locking/rule_dconf_gnome_screensaver_lock_enabled/comment.fail.sh b/tests/data/group_system/group_software/group_gnome/group_gnome_screen_locking/rule_dconf_gnome_screensaver_lock_enabled/comment.fail.sh
new file mode 100644
index 0000000000..e7598e6496
--- /dev/null
+++ b/tests/data/group_system/group_software/group_gnome/group_gnome_screen_locking/rule_dconf_gnome_screensaver_lock_enabled/comment.fail.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+yum -y install dconf
+
+# It is ok if string is not found in any file
+file=$(grep -R "lock-enabled" /etc/dconf/db/local.d) || true
+
+if [ -n "$file" ] ; then
+	sed -i "s/^lock-enabled=.*/#lock-enabled=true/g" $file
+else
+	echo "[org/gnome/desktop/screensaver]" > /etc/dconf/db/local.d/00-security-settings
+	echo "#lock-enabled=true" >> /etc/dconf/db/local.d/00-security-settings
+fi
diff --git a/tests/data/group_system/group_software/group_gnome/group_gnome_screen_locking/rule_dconf_gnome_screensaver_lock_enabled/correct_value.pass.sh b/tests/data/group_system/group_software/group_gnome/group_gnome_screen_locking/rule_dconf_gnome_screensaver_lock_enabled/correct_value.pass.sh
new file mode 100644
index 0000000000..0997842791
--- /dev/null
+++ b/tests/data/group_system/group_software/group_gnome/group_gnome_screen_locking/rule_dconf_gnome_screensaver_lock_enabled/correct_value.pass.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+yum -y install dconf
+
+# It is ok if string is not found in any file
+file=$(grep -R "lock-enabled" /etc/dconf/db/local.d) || true
+if [ -n "$file" ] ; then
+	sed -i "s/^lock-enabled=.*/lock-enabled=true/g" $file
+else
+	echo "[org/gnome/desktop/screensaver]" > /etc/dconf/db/local.d/00-security-settings
+	echo "lock-enabled=true" >> /etc/dconf/db/local.d/00-security-settings
+fi
+
+lockfile=$(grep -R "lock-enabled" /etc/dconf/db/local.d/locks) || true
+if [ -z "$file" ] ; then
+    mkdir -p /etc/dconf/db/local.d/locks
+	echo "/org/gnome/desktop/screensaver/lock-enabled" >> /etc/dconf/db/local.d/locks/00-security-settings-lock
+fi
diff --git a/tests/data/group_system/group_software/group_gnome/group_gnome_screen_locking/rule_dconf_gnome_screensaver_lock_enabled/correct_value_unlocked.fail.sh b/tests/data/group_system/group_software/group_gnome/group_gnome_screen_locking/rule_dconf_gnome_screensaver_lock_enabled/correct_value_unlocked.fail.sh
new file mode 100644
index 0000000000..0fd465d43b
--- /dev/null
+++ b/tests/data/group_system/group_software/group_gnome/group_gnome_screen_locking/rule_dconf_gnome_screensaver_lock_enabled/correct_value_unlocked.fail.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+yum -y install dconf
+
+# It is ok if string is not found in any file
+file=$(grep -R "lock-enabled" /etc/dconf/db/local.d) || true
+if [ -n "$file" ] ; then
+	sed -i "s/^lock-enabled=.*/lock-enabled=true/g" $file
+else
+	echo "[org/gnome/desktop/screensaver]" > /etc/dconf/db/local.d/00-security-settings
+	echo "lock-enabled=true" >> /etc/dconf/db/local.d/00-security-settings
+fi
diff --git a/tests/data/group_system/group_software/group_gnome/group_gnome_screen_locking/rule_dconf_gnome_screensaver_lock_enabled/line_not_there.fail.sh b/tests/data/group_system/group_software/group_gnome/group_gnome_screen_locking/rule_dconf_gnome_screensaver_lock_enabled/line_not_there.fail.sh
new file mode 100644
index 0000000000..fe09c8bf59
--- /dev/null
+++ b/tests/data/group_system/group_software/group_gnome/group_gnome_screen_locking/rule_dconf_gnome_screensaver_lock_enabled/line_not_there.fail.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+yum -y install dconf
+
+# It is ok if string is not found in any file
+file=$(grep -R "lock-enabled" /etc/dconf/db/local.d) || true
+if [ -n "$file" ] ; then
+    sed -i "/^lock-enabled=.*/d" $file
+fi
diff --git a/tests/data/group_system/group_software/group_gnome/group_gnome_screen_locking/rule_dconf_gnome_screensaver_lock_enabled/wrong_value.fail.sh b/tests/data/group_system/group_software/group_gnome/group_gnome_screen_locking/rule_dconf_gnome_screensaver_lock_enabled/wrong_value.fail.sh
new file mode 100644
index 0000000000..eb9e91c595
--- /dev/null
+++ b/tests/data/group_system/group_software/group_gnome/group_gnome_screen_locking/rule_dconf_gnome_screensaver_lock_enabled/wrong_value.fail.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+yum -y install dconf
+
+# It is ok if string is not found in any file
+file=$(grep -R "lock-enabled" /etc/dconf/db/local.d) || true
+if [ -n "$file" ] ; then
+	sed -i "s/^lock-enabled=.*/lock-enabled=false/g" $file
+else
+	echo "[org/gnome/desktop/screensaver]" > /etc/dconf/db/local.d/00-security-settings
+	echo "lock-enabled=false" >> /etc/dconf/db/local.d/00-security-settings
+fi

From d935d096b769223b40cf8fb08be93b317e9f7076 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 20 Sep 2018 16:01:12 +0200
Subject: [PATCH 2/5] Do not accept commented keys as correct

---
 shared/bash_remediation_functions/include_dconf_settings.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/shared/bash_remediation_functions/include_dconf_settings.sh b/shared/bash_remediation_functions/include_dconf_settings.sh
index 9752698f34..ac79fe0653 100644
--- a/shared/bash_remediation_functions/include_dconf_settings.sh
+++ b/shared/bash_remediation_functions/include_dconf_settings.sh
@@ -32,7 +32,7 @@ function dconf_settings {
 		echo "[${_path}]" >> ${DCONFFILE}
 		echo "${_key}=${_value}" >> ${DCONFFILE}
 	else
-		if grep -q "${_key}" ${SETTINGSFILES[@]}
+		if grep -q "^(?!#)${_key}" ${SETTINGSFILES[@]}
 		then
 			sed -i "s/${_key}\s*=\s*.*/${_key}=${_value}/g" ${SETTINGSFILES[@]}
 		else

From e8e8b1e8b55dfa67affa07eecf8054d5ca77108c Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 20 Sep 2018 16:10:24 +0200
Subject: [PATCH 3/5] Update dconf database after changing dconf setting

---
 shared/bash_remediation_functions/include_dconf_settings.sh | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/shared/bash_remediation_functions/include_dconf_settings.sh b/shared/bash_remediation_functions/include_dconf_settings.sh
index ac79fe0653..02f9877e97 100644
--- a/shared/bash_remediation_functions/include_dconf_settings.sh
+++ b/shared/bash_remediation_functions/include_dconf_settings.sh
@@ -39,6 +39,8 @@ function dconf_settings {
 			sed -i "\|\[${_path}]|a\\${_key}=${_value}" ${SETTINGSFILES[@]}
 		fi
 	fi
+
+	dconf update
 }
 
 # Function to configure DConf locks for RHEL and Fedora systems.

From 61bc573ca262c711c93304106c92ff423f186aa7 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 20 Sep 2018 21:18:46 +0200
Subject: [PATCH 4/5] Add common functions for testing

Functions added:
- Clean up all dconf settings
- Add a dconf entry
- Add a dconf lock
---
 .../group_gnome/dconf_test_functions.sh       | 29 +++++++++++++++++++
 .../comment.fail.sh                           | 15 ++++------
 .../correct_value.pass.sh                     | 20 ++++---------
 .../correct_value_unlocked.fail.sh            | 13 +++------
 .../line_not_there.fail.sh                    | 10 -------
 .../setting_not_there.fail.sh                 |  7 +++++
 .../wrong_value.fail.sh                       | 14 ++++-----
 7 files changed, 55 insertions(+), 53 deletions(-)
 create mode 100644 tests/data/group_system/group_software/group_gnome/dconf_test_functions.sh
 delete mode 100644 tests/data/group_system/group_software/group_gnome/group_gnome_screen_locking/rule_dconf_gnome_screensaver_lock_enabled/line_not_there.fail.sh
 create mode 100644 tests/data/group_system/group_software/group_gnome/group_gnome_screen_locking/rule_dconf_gnome_screensaver_lock_enabled/setting_not_there.fail.sh

diff --git a/tests/data/group_system/group_software/group_gnome/dconf_test_functions.sh b/tests/data/group_system/group_software/group_gnome/dconf_test_functions.sh
new file mode 100644
index 0000000000..f76d68e523
--- /dev/null
+++ b/tests/data/group_system/group_software/group_gnome/dconf_test_functions.sh
@@ -0,0 +1,29 @@
+
+# Wipes out dconf db settings directory
+clean_dconf_settings(){
+    rm -rf /etc/dconf/db/*
+}
+
+# Adds a new dconf setting
+# $1 _path
+# $2 _setting
+# $3 _value
+# $4 _db
+# $5 _settingFile
+add_dconf_setting() {
+	local _path=$1 _setting=$2 _value=$3 _db=$4 _settingFile=$5
+    mkdir /etc/dconf/db/${_db}
+	echo "[${_path}]" > /etc/dconf/db/${_db}/${_settingFile}
+	echo "${_setting}=${_value}" >> /etc/dconf/db/${_db}/${_settingFile}
+}
+
+# Adds a lock to a dconf setting
+# $1 _path
+# $2 _setting
+# $3 _db
+# $4 _settingFile
+add_dconf_lock(){
+	local _path=$1 _setting=$2 _db=$3 _settingFile=$4
+    mkdir -p /etc/dconf/db/${_db}/locks
+	echo "/${_path}/${_setting}" >> /etc/dconf/db/${_db}/locks/${_settingFile}
+}
diff --git a/tests/data/group_system/group_software/group_gnome/group_gnome_screen_locking/rule_dconf_gnome_screensaver_lock_enabled/comment.fail.sh b/tests/data/group_system/group_software/group_gnome/group_gnome_screen_locking/rule_dconf_gnome_screensaver_lock_enabled/comment.fail.sh
index e7598e6496..b76dee4f33 100644
--- a/tests/data/group_system/group_software/group_gnome/group_gnome_screen_locking/rule_dconf_gnome_screensaver_lock_enabled/comment.fail.sh
+++ b/tests/data/group_system/group_software/group_gnome/group_gnome_screen_locking/rule_dconf_gnome_screensaver_lock_enabled/comment.fail.sh
@@ -1,14 +1,9 @@
 #!/bin/bash
 # profiles = xccdf_org.ssgproject.content_profile_ospp
 
-yum -y install dconf
-
-# It is ok if string is not found in any file
-file=$(grep -R "lock-enabled" /etc/dconf/db/local.d) || true
+. ../../dconf_test_functions.sh
 
-if [ -n "$file" ] ; then
-	sed -i "s/^lock-enabled=.*/#lock-enabled=true/g" $file
-else
-	echo "[org/gnome/desktop/screensaver]" > /etc/dconf/db/local.d/00-security-settings
-	echo "#lock-enabled=true" >> /etc/dconf/db/local.d/00-security-settings
-fi
+yum -y install dconf
+clean_dconf_settings
+add_dconf_setting "org/gnome/desktop/screensaver" "#lock-enabled" "true" "local.d" "00-security-settings"
+add_dconf_lock "org/gnome/desktop/screensaver" "lock-enabled" "local.d" "00-security-settings"
diff --git a/tests/data/group_system/group_software/group_gnome/group_gnome_screen_locking/rule_dconf_gnome_screensaver_lock_enabled/correct_value.pass.sh b/tests/data/group_system/group_software/group_gnome/group_gnome_screen_locking/rule_dconf_gnome_screensaver_lock_enabled/correct_value.pass.sh
index 0997842791..a0e39c4409 100644
--- a/tests/data/group_system/group_software/group_gnome/group_gnome_screen_locking/rule_dconf_gnome_screensaver_lock_enabled/correct_value.pass.sh
+++ b/tests/data/group_system/group_software/group_gnome/group_gnome_screen_locking/rule_dconf_gnome_screensaver_lock_enabled/correct_value.pass.sh
@@ -1,19 +1,9 @@
 #!/bin/bash
 # profiles = xccdf_org.ssgproject.content_profile_ospp
 
-yum -y install dconf
-
-# It is ok if string is not found in any file
-file=$(grep -R "lock-enabled" /etc/dconf/db/local.d) || true
-if [ -n "$file" ] ; then
-	sed -i "s/^lock-enabled=.*/lock-enabled=true/g" $file
-else
-	echo "[org/gnome/desktop/screensaver]" > /etc/dconf/db/local.d/00-security-settings
-	echo "lock-enabled=true" >> /etc/dconf/db/local.d/00-security-settings
-fi
+. ../../dconf_test_functions.sh
 
-lockfile=$(grep -R "lock-enabled" /etc/dconf/db/local.d/locks) || true
-if [ -z "$file" ] ; then
-    mkdir -p /etc/dconf/db/local.d/locks
-	echo "/org/gnome/desktop/screensaver/lock-enabled" >> /etc/dconf/db/local.d/locks/00-security-settings-lock
-fi
+yum -y install dconf
+clean_dconf_settings
+add_dconf_setting "org/gnome/desktop/screensaver" "lock-enabled" "true" "local.d" "00-security-settings"
+add_dconf_lock "org/gnome/desktop/screensaver" "lock-enabled" "local.d" "00-security-settings"
diff --git a/tests/data/group_system/group_software/group_gnome/group_gnome_screen_locking/rule_dconf_gnome_screensaver_lock_enabled/correct_value_unlocked.fail.sh b/tests/data/group_system/group_software/group_gnome/group_gnome_screen_locking/rule_dconf_gnome_screensaver_lock_enabled/correct_value_unlocked.fail.sh
index 0fd465d43b..53dea6c471 100644
--- a/tests/data/group_system/group_software/group_gnome/group_gnome_screen_locking/rule_dconf_gnome_screensaver_lock_enabled/correct_value_unlocked.fail.sh
+++ b/tests/data/group_system/group_software/group_gnome/group_gnome_screen_locking/rule_dconf_gnome_screensaver_lock_enabled/correct_value_unlocked.fail.sh
@@ -1,13 +1,8 @@
 #!/bin/bash
 # profiles = xccdf_org.ssgproject.content_profile_ospp
 
-yum -y install dconf
+. ../../dconf_test_functions.sh
 
-# It is ok if string is not found in any file
-file=$(grep -R "lock-enabled" /etc/dconf/db/local.d) || true
-if [ -n "$file" ] ; then
-	sed -i "s/^lock-enabled=.*/lock-enabled=true/g" $file
-else
-	echo "[org/gnome/desktop/screensaver]" > /etc/dconf/db/local.d/00-security-settings
-	echo "lock-enabled=true" >> /etc/dconf/db/local.d/00-security-settings
-fi
+yum -y install dconf
+clean_dconf_settings
+add_dconf_setting "org/gnome/desktop/screensaver" "lock-enabled" "true" "local.d" "00-security-settings"
diff --git a/tests/data/group_system/group_software/group_gnome/group_gnome_screen_locking/rule_dconf_gnome_screensaver_lock_enabled/line_not_there.fail.sh b/tests/data/group_system/group_software/group_gnome/group_gnome_screen_locking/rule_dconf_gnome_screensaver_lock_enabled/line_not_there.fail.sh
deleted file mode 100644
index fe09c8bf59..0000000000
--- a/tests/data/group_system/group_software/group_gnome/group_gnome_screen_locking/rule_dconf_gnome_screensaver_lock_enabled/line_not_there.fail.sh
+++ /dev/null
@@ -1,10 +0,0 @@
-#!/bin/bash
-# profiles = xccdf_org.ssgproject.content_profile_ospp
-
-yum -y install dconf
-
-# It is ok if string is not found in any file
-file=$(grep -R "lock-enabled" /etc/dconf/db/local.d) || true
-if [ -n "$file" ] ; then
-    sed -i "/^lock-enabled=.*/d" $file
-fi
diff --git a/tests/data/group_system/group_software/group_gnome/group_gnome_screen_locking/rule_dconf_gnome_screensaver_lock_enabled/setting_not_there.fail.sh b/tests/data/group_system/group_software/group_gnome/group_gnome_screen_locking/rule_dconf_gnome_screensaver_lock_enabled/setting_not_there.fail.sh
new file mode 100644
index 0000000000..38789f575d
--- /dev/null
+++ b/tests/data/group_system/group_software/group_gnome/group_gnome_screen_locking/rule_dconf_gnome_screensaver_lock_enabled/setting_not_there.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+. ../../dconf_test_functions.sh
+
+yum -y install dconf
+clean_dconf_settings
diff --git a/tests/data/group_system/group_software/group_gnome/group_gnome_screen_locking/rule_dconf_gnome_screensaver_lock_enabled/wrong_value.fail.sh b/tests/data/group_system/group_software/group_gnome/group_gnome_screen_locking/rule_dconf_gnome_screensaver_lock_enabled/wrong_value.fail.sh
index eb9e91c595..19536910b2 100644
--- a/tests/data/group_system/group_software/group_gnome/group_gnome_screen_locking/rule_dconf_gnome_screensaver_lock_enabled/wrong_value.fail.sh
+++ b/tests/data/group_system/group_software/group_gnome/group_gnome_screen_locking/rule_dconf_gnome_screensaver_lock_enabled/wrong_value.fail.sh
@@ -1,13 +1,9 @@
 #!/bin/bash
 # profiles = xccdf_org.ssgproject.content_profile_ospp
 
-yum -y install dconf
+. ../../dconf_test_functions.sh
 
-# It is ok if string is not found in any file
-file=$(grep -R "lock-enabled" /etc/dconf/db/local.d) || true
-if [ -n "$file" ] ; then
-	sed -i "s/^lock-enabled=.*/lock-enabled=false/g" $file
-else
-	echo "[org/gnome/desktop/screensaver]" > /etc/dconf/db/local.d/00-security-settings
-	echo "lock-enabled=false" >> /etc/dconf/db/local.d/00-security-settings
-fi
+yum -y install dconf
+clean_dconf_settings
+add_dconf_setting "org/gnome/desktop/screensaver" "lock-enabled" "false" "local.d" "00-security-settings"
+add_dconf_lock "org/gnome/desktop/screensaver" "lock-enabled" "local.d" "00-security-settings"

From cb2ca84970c783660c03464a55295243841baaa1 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 20 Sep 2018 21:34:58 +0200
Subject: [PATCH 5/5] Fix indents in dconf_test_functions.sh

---
 .../group_software/group_gnome/dconf_test_functions.sh      | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/tests/data/group_system/group_software/group_gnome/dconf_test_functions.sh b/tests/data/group_system/group_software/group_gnome/dconf_test_functions.sh
index f76d68e523..07940ea272 100644
--- a/tests/data/group_system/group_software/group_gnome/dconf_test_functions.sh
+++ b/tests/data/group_system/group_software/group_gnome/dconf_test_functions.sh
@@ -1,7 +1,7 @@
 
 # Wipes out dconf db settings directory
 clean_dconf_settings(){
-    rm -rf /etc/dconf/db/*
+	rm -rf /etc/dconf/db/*
 }
 
 # Adds a new dconf setting
@@ -12,7 +12,7 @@ clean_dconf_settings(){
 # $5 _settingFile
 add_dconf_setting() {
 	local _path=$1 _setting=$2 _value=$3 _db=$4 _settingFile=$5
-    mkdir /etc/dconf/db/${_db}
+	mkdir /etc/dconf/db/${_db}
 	echo "[${_path}]" > /etc/dconf/db/${_db}/${_settingFile}
 	echo "${_setting}=${_value}" >> /etc/dconf/db/${_db}/${_settingFile}
 }
@@ -24,6 +24,6 @@ add_dconf_setting() {
 # $4 _settingFile
 add_dconf_lock(){
 	local _path=$1 _setting=$2 _db=$3 _settingFile=$4
-    mkdir -p /etc/dconf/db/${_db}/locks
+	mkdir -p /etc/dconf/db/${_db}/locks
 	echo "/${_path}/${_setting}" >> /etc/dconf/db/${_db}/locks/${_settingFile}
 }

Powered by Pagure 5.13.3

SSH Hostkey/Fingerprint | Documentation