Fixes issues as reported by Carlos M: https://lists.fedorahosted.org/pipermail/scap-security-guide/2014-May/005485...
Wasn't able to duplicate <= conditional fails. Testing in patch #1.
Shawn Wells (2):
  [bugfix RHEL6] Updates to gconf_gnome_screensaver_idle_delay
  Added vim swap files to checks/.gitignore

 RHEL/6/input/checks/.gitignore | 1 +
 .../checks/gconf_gnome_screensaver_idle_delay.xml | 6 +++---
 RHEL/6/input/system/accounts/physical.xml | 4 ++--
 3 files changed, 6 insertions(+), 5 deletions(-)
As identified by Carlos M., the gconf_gnome_screensaver_idle_delay check needed updating per Red Hat bug 867945 https://bugzilla.redhat.com/show_bug.cgi?id=867945
Testing for <= conditions:
[shawnw@ssg-rhel6-devbox checks]$ sudo gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --type int --set /desktop/gnome/session/idle_delay 15
[shawnw@ssg-rhel6-devbox checks]$ gconftool-2 -g /desktop/gnome/session/idle_delay
15
[shawnw@ssg-rhel6-devbox checks]$ ./testcheck.py gconf_gnome_screensaver_idle_delay.xml
external_variable with id : inactivity_timeout_value
Evaluating with OVAL tempfile : /tmp/gconf_gnome_screensaver_idle_delay9I6ODL.xml
Writing results to : /tmp/gconf_gnome_screensaver_idle_delay9I6ODL.xml-results
Definition oval:scap-security-guide.testing:def:199: true
Definition oval:scap-security-guide.testing:def:198: true

[shawnw@ssg-rhel6-devbox checks]$ sudo gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --type int --set /desktop/gnome/session/idle_delay 10
[shawnw@ssg-rhel6-devbox checks]$ ./testcheck.py gconf_gnome_screensaver_idle_delay.xml
external_variable with id : inactivity_timeout_value
Evaluating with OVAL tempfile : /tmp/gconf_gnome_screensaver_idle_delayMU0FZv.xml
Writing results to : /tmp/gconf_gnome_screensaver_idle_delayMU0FZv.xml-results
Definition oval:scap-security-guide.testing:def:199: true
Definition oval:scap-security-guide.testing:def:198: true
Evaluation done.

Testing for > conditions:
[shawnw@ssg-rhel6-devbox checks]$ sudo gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --type int --set /desktop/gnome/session/idle_delay 100
[shawnw@ssg-rhel6-devbox checks]$ ./testcheck.py gconf_gnome_screensaver_idle_delay.xml
external_variable with id : inactivity_timeout_value
Evaluating with OVAL tempfile : /tmp/gconf_gnome_screensaver_idle_delayfWk9E5.xml
Writing results to : /tmp/gconf_gnome_screensaver_idle_delayfWk9E5.xml-results
Definition oval:scap-security-guide.testing:def:199: true
Definition oval:scap-security-guide.testing:def:198: false
Evaluation done.
Signed-off-by: Shawn Wells shawn@redhat.com
---
 .../checks/gconf_gnome_screensaver_idle_delay.xml | 6 +++---
 RHEL/6/input/system/accounts/physical.xml | 4 ++--
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/RHEL/6/input/checks/gconf_gnome_screensaver_idle_delay.xml b/RHEL/6/input/checks/gconf_gnome_screensaver_idle_delay.xml index c77e608..00f11df 100644 --- a/RHEL/6/input/checks/gconf_gnome_screensaver_idle_delay.xml +++ b/RHEL/6/input/checks/gconf_gnome_screensaver_idle_delay.xml @@ -1,5 +1,5 @@ <def-group> - <definition class="compliance" id="gconf_gnome_screensaver_idle_delay" version="1"> + <definition class="compliance" id="gconf_gnome_screensaver_idle_delay" version="2"> <metadata> <title>Configure GUI Screen Locking</title> <affected family="unix"> @@ -7,7 +7,7 @@ </affected> <description>The allowed period of inactivity before the screensaver is activated.</description> - <reference source="MED" ref_id="20131125" ref_url="test_attestation" /> + <reference source="SDW" ref_id="20140522" ref_url="test_attestation" /> </metadata> <criteria operator="OR"> <extend_definition comment="GConf2 installed" definition_ref="package_GConf2_installed" negate="true" /> @@ -21,7 +21,7 @@ <ind:state state_ref="state_gnome_screensaver_idle_delay" /> </ind:xmlfilecontent_test> <ind:xmlfilecontent_object id="object_gnome_screensaver_idle_delay" version="1"> - ind:filepath/etc/gconf/gconf.xml.mandatory/apps/gnome-screensaver/%gconf.xml</ind:filepath> + ind:filepath/etc/gconf/gconf.xml.mandatory/desktop/gnome/session/%gconf.xml</ind:filepath> ind:xpath/gconf/entry[@name='idle_delay']/@value</ind:xpath> </ind:xmlfilecontent_object> <ind:xmlfilecontent_state comment="idle timeout" diff --git a/RHEL/6/input/system/accounts/physical.xml b/RHEL/6/input/system/accounts/physical.xml index 4d7c0e6..e36056e 100644 --- a/RHEL/6/input/system/accounts/physical.xml +++ b/RHEL/6/input/system/accounts/physical.xml 
@@ -261,11 +261,11 @@ inactivity in the GNOME desktop to 15 minutes: --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type int \ - --set /apps/gnome-screensaver/idle_delay 15</pre> + --set /desktop/gnome/session/idle_delay 15</pre> </description> <ocil clause="it is not"> To check the current idle time-out value, run the following command: -<pre>$ gconftool-2 -g /apps/gnome-screensaver/idle_delay</pre> +<pre>$ gconftool-2 -g /desktop/gnome/session/idle_delay</pre> If properly configured, the output should be <tt>15</tt>. </ocil> <rationale>
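Review bot: in the gconf_gnome_screensaver_idle_delay.xml hunk at -21,7, the filepath is changed inside <ind:xmlfilecontent_object id="object_gnome_screensaver_idle_delay" version="1">, but only the definition's version is bumped from 1 to 2; the object that actually changed keeps version="1". Suggest incrementing the object's version in the same patch so the component whose content changed carries a new version.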
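Review bot: in the <ocil> text of the physical.xml hunk, the verification command "gconftool-2 -g /desktop/gnome/session/idle_delay" does not name a config source, while the remediation above it writes to xml:readwrite:/etc/gconf/gconf.xml.mandatory and the OVAL object reads /etc/gconf/gconf.xml.mandatory/desktop/gnome/session/%gconf.xml. The manual check can therefore report 15 from a non-mandatory source while the automated check fails. Suggest having the OCIL command query the mandatory source explicitly so both checks look at the same setting.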
Signed-off-by: Shawn Wells shawn@redhat.com
---
 RHEL/6/input/checks/.gitignore | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/RHEL/6/input/checks/.gitignore b/RHEL/6/input/checks/.gitignore index dd8748c..a7737f8 100644 --- a/RHEL/6/input/checks/.gitignore +++ b/RHEL/6/input/checks/.gitignore @@ -1,3 +1,4 @@ # files to not track in git *.ini *.pyc +*.swp
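Review bot: the added "*.swp" line matches only the first swap file vim creates for a buffer; when a .swp already exists vim falls back to .swo, .swn and so on, and those would still show up as untracked under checks/. Suggest a pattern such as "*.sw?" if the intent is to ignore vim swap files in general.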
----- Original Message -----
From: "Shawn Wells" shawn@redhat.com
To: scap-security-guide@lists.fedorahosted.org
Sent: Friday, May 23, 2014 2:52:52 AM
Subject: [PATCH 0/2] fixes to gconf_gnome_screensaver_idle_delay
Fixes issues as reported by Carlos M: https://lists.fedorahosted.org/pipermail/scap-security-guide/2014-May/005485...
ACK for the set, works fine [*].
Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team
Wasn't able to duplicate <= conditional fails. Testing in patch #1.
P.S.: [*] Wasn't able to duplicate the conditional fails for values lower than 15 either once the patch is applied (=> looks like the reason for the failures was just the setting of the incorrect location, but that the original "less than or equal" OVAL check part works / worked fine).
Shawn Wells (2):
  [bugfix RHEL6] Updates to gconf_gnome_screensaver_idle_delay
  Added vim swap files to checks/.gitignore

 RHEL/6/input/checks/.gitignore | 1 +
 .../checks/gconf_gnome_screensaver_idle_delay.xml | 6 +++---
 RHEL/6/input/system/accounts/physical.xml | 4 ++--
 3 files changed, 6 insertions(+), 5 deletions(-)