Question regarding EL7 gnome/dconf remediation strategy
by Sean
Hi all,
I have been carefully watching the EL7 security guide remediation
development over the past few months hoping to get a leg up on the first
release of the EL7 DISA-STIG. I have really enjoyed the work all of the
contributors are putting in; at times the remediations have driven me to
look at solving other problems in more graceful ways! So thank you for all
the collective knowledge being put into this project!
So onto the question... I was looking at the gnome gui related items and
how dconf has replaced gconftool-2. I have already used dconf db files to
tweak gnome desktops and wonder if my testing strategy is faulty, or if
there is a shortcoming in limiting your search of dconf files to the
local.d directory, and perhaps not including the site.d directory as well.
Let's take the screensaver idle-delay as an example. It seems that
profiles typically follow this pattern: user->local->site. It's been my
experience through some basic testing of the possibilities, that when a
site level idle-delay and lock is in place, it overrides the local level
idle-delay and lock configuration the remediation would assert. This would
mean that the setting would not comply with the SCAP test but still pass the
test, right?
Does the community see this as an issue? Or perhaps this is designed to
allow for deviation from the standard?
Thanks for your input, and again especially for all the effort put in!
--Sean
8 years, 4 months
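An added example (not part of the original post and not SCAP Security Guide code): a Python audit that looks for a dconf key and its lock in every keyfile directory under the database root rather than only in local.d, which is the gap the question above raises. The /etc/dconf/db layout is the standard one; the file names, values and the functions audit_key, outside_local and build_sample are constructed for illustration.

```python
import configparser
import tempfile
from pathlib import Path

def audit_key(db_root, schema_path, key):
    """Report, per keyfile directory (local.d, site.d, ...), the values set
    for schema_path/key and whether a lock file pins that key."""
    findings = {}
    lock_line = f"/{schema_path}/{key}"
    for db_dir in sorted(p for p in Path(db_root).glob("*.d") if p.is_dir()):
        values = {}
        for keyfile in sorted(p for p in db_dir.iterdir() if p.is_file()):
            parser = configparser.ConfigParser(interpolation=None, strict=False)
            parser.optionxform = str  # keep key names case-sensitive
            parser.read(keyfile)
            if parser.has_option(schema_path, key):
                values[keyfile.name] = parser.get(schema_path, key)
        locks_dir = db_dir / "locks"
        locked = locks_dir.is_dir() and any(
            lock_line in f.read_text().split()
            for f in locks_dir.iterdir() if f.is_file())
        if values or locked:
            findings[db_dir.name[:-2]] = {"values": values, "locked": locked}
    return findings

def outside_local(findings):
    """Databases other than 'local' that set or lock the key; a scan limited
    to local.d never sees these."""
    return sorted(db for db in findings if db != "local")

def build_sample(root):
    """Constructed sample tree laid out like /etc/dconf/db (not a real host)."""
    session = "[org/gnome/desktop/session]\nidle-delay=uint32 {}\n"
    lock = "/org/gnome/desktop/session/idle-delay\n"
    files = {"local.d/00-security-settings": session.format(300),
             "local.d/locks/00-security-settings-lock": lock,
             "site.d/10-site": session.format(3600),
             "site.d/locks/10-site": lock}
    for rel, text in files.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        report = audit_key(tmp, "org/gnome/desktop/session", "idle-delay")
        print(report, "outside local:", outside_local(report))
```

On a real host, pass /etc/dconf/db as db_root; any database named by outside_local is one to compare against the value the benchmark expects.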
SCAP Security Guide 0.1.27 is the latest stable release (to search
for download from now on)
by Jan Lieskovsky
Hello folks,
since it has been again almost two months since the last SSG release
(SCAP Security Guide 0.1.26 has been released Mon Oct 19-th 2015), and
since there have been quite a lot of code changes during this period, let
me introduce the latest stable SCAP Security Guide 0.1.27 release:
Highlights of this release include:

* New CNSS No. 1253 Profile for Red Hat Enterprise Linux 6,
* New C2S (CIS) Profile for Red Hat Enterprise Linux 7,
* New Debian/8 (Jessie) product and initial benchmark for it,
  (Thanks to Jean-Baptiste Donnette and Philippe Thierry for the work on this!)
* Improved (more granular) mapping of official PCI DSS v3 standard
  to the PCI DSS profile for Red Hat Enterprise Linux 7,
* Finished (OVALs, and selected remediations) for PCI DSS profile
  for Red Hat Enterprise Linux 6. More granular mapping of official
  rules to come yet.
* Other numerous XCCDF, OVAL, and remediation scripts enhancements and bug fixes.

Be sure to check a more detailed Changelog / Release Notes at:
[1] https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.27
and test the code:
[2] https://github.com/OpenSCAP/scap-security-guide/archive/v0.1.27.tar.gz (tarball)
[3] https://github.com/OpenSCAP/scap-security-guide/releases/download/v0.1.27...
(DataStream formatted pre-built Zip archive using 5.11 as OVAL language schema version),
[4] https://github.com/OpenSCAP/scap-security-guide/releases/download/v0.1.27...
(DataStream formatted pre-built Zip archive using 5.10 as OVAL language schema version).
Should you find any issue(s), be sure to report it(them):
[5] https://github.com/OpenSCAP/scap-security-guide/issues/new
Happy hardening!
Regards, Jan.
--
Jan iankko Lieskovsky (on behalf of the SCAP Security Guide upstream team)
P.S.: Full list of issues / PRs closed within this release is reachable at:
[6] https://github.com/OpenSCAP/scap-security-guide/issues?q=milestone%3A0.1.27
8 years, 4 months