
Dconf macros update to align them with OVAL expectation #9751

Merged
merged 2 commits into from
Nov 4, 2022

Conversation

Xeicker
Contributor

@Xeicker Xeicker commented Nov 1, 2022

Description:

  • Update dconf macros so they ensure the expected content is present in the expected db
  • Update dconf tests to use dconf_gdm_dir when OVAL uses it
  • Add dconf tests to validate changes in macros

Rationale:

  • The bash macro wasn't compatible with OVAL. Bash could accept the value on any db, but OVAL expected it in one specific db
  • Once touching dconf tests, updated the dconf_gdm_dir

Review Hints:

  • Ensure the built bash comments configurations out of the expected db. The tests will ensure that they set it in the right place
  • The tests where dconf_gdm_dir is used should only be present where OVAL also uses it

@openshift-ci

openshift-ci bot commented Nov 1, 2022

Hi @Xeicker. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

openshift-ci bot added the needs-ok-to-test label Nov 1, 2022
@github-actions

github-actions bot commented Nov 1, 2022

Start a new ephemeral environment with changes proposed in this pull request:

  • rhel8 (from CTF) Environment (using Fedora as testing environment)
  • Fedora Testing Environment
  • Oracle Linux 8 Environment

@github-actions

github-actions bot commented Nov 1, 2022

This datastream diff is auto generated by the check Compare DS/Generate Diff.
Due to the excessive size of the diff, it has been trimmed to fit the 65535-character limit.

bash remediation for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_disable_restart_shutdown' differs.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_disable_restart_shutdown
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_disable_restart_shutdown
@@ -4,36 +4,53 @@
 # Check for setting in any of the DConf db directories
 # If files contain ibus or distro, ignore them.
 # The assignment assumes that individual filenames don't contain :
-readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/login-screen\\]" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
+readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/login-screen\\]" "/etc/dconf/db/" \
+ | grep -v 'distro\|ibus\|gdm.d' | cut -d":" -f1)
 DCONFFILE="/etc/dconf/db/gdm.d/00-security-settings"
 DBDIR="/etc/dconf/db/gdm.d"
 
 mkdir -p "${DBDIR}"
 
-if [ "${#SETTINGSFILES[@]}" -eq 0 ]
+# Comment out the configurations in databases different from the target one
+if [ "${#SETTINGSFILES[@]}" -ne 0 ]
 then
- [ ! -z ${DCONFFILE} ] || echo "" >> ${DCONFFILE}
- printf '%s\n' "[org/gnome/login-screen]" >> ${DCONFFILE}
- printf '%s=%s\n' "disable-restart-buttons" "true" >> ${DCONFFILE}
-else
- escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")"
 if grep -q "^\\s*disable-restart-buttons\\s*=" "${SETTINGSFILES[@]}"
 then
 
- sed -i "s/\\s*disable-restart-buttons\\s*=\\s*.*/disable-restart-buttons=${escaped_value}/g" "${SETTINGSFILES[@]}"
+ sed -Ei "s/(^\s*)disable-restart-buttons(\s*=)/#\1disable-restart-buttons\2/g" "${SETTINGSFILES[@]}"
+ fi
+fi
+
+
+[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}"
+if ! grep -q "\\[org/gnome/login-screen\\]" "${DCONFFILE}"
+then
+ printf '%s\n' "[org/gnome/login-screen]" >> ${DCONFFILE}
+fi
+
+escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")"
+if grep -q "^\\s*disable-restart-buttons\\s*=" "${DCONFFILE}"
+then
+ sed -i "s/\\s*disable-restart-buttons\\s*=\\s*.*/disable-restart-buttons=${escaped_value}/g" "${DCONFFILE}"
 else
- sed -i "\\|\\[org/gnome/login-screen\\]|a\\disable-restart-buttons=${escaped_value}" "${SETTINGSFILES[@]}"
- fi
+ sed -i "\\|\\[org/gnome/login-screen\\]|a\\disable-restart-buttons=${escaped_value}" "${DCONFFILE}"
 fi
 
 dconf update
 # Check for setting in any of the DConf db directories
-LOCKFILES=$(grep -r "^/org/gnome/login-screen/disable-restart-buttons$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
+LOCKFILES=$(grep -r "^/org/gnome/login-screen/disable-restart-buttons$" "/etc/dconf/db/" \
+ | grep -v 'distro\|ibus\|gdm.d' | grep ":" | cut -d":" -f1)
 LOCKSFOLDER="/etc/dconf/db/gdm.d/locks"
 
 mkdir -p "${LOCKSFOLDER}"
 
-if [[ -z "${LOCKFILES}" ]]
+# Comment out the configurations in databases different from the target one
+if [[ ! -z "${LOCKFILES}" ]]
+then
+ sed -i -E "s|^/org/gnome/login-screen/disable-restart-buttons$|#&|" "${LOCKFILES[@]}"
+fi
+
+if ! grep -qr "^/org/gnome/login-screen/disable-restart-buttons$" /etc/dconf/db/gdm.d/
 then
 echo "/org/gnome/login-screen/disable-restart-buttons" >> "/etc/dconf/db/gdm.d/locks/00-security-settings-lock"
 fi
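Review bot: `LOCKFILES` is assigned as a plain string by command substitution (`LOCKFILES=$(grep -r ... | cut -d":" -f1)`), so the `"${LOCKFILES[@]}"` expansion in `sed -i -E "s|^/org/gnome/login-screen/disable-restart-buttons$|#&|" "${LOCKFILES[@]}"` yields a single word; as soon as more than one file outside gdm.d carries this lock, sed receives one argument with embedded newlines, fails with a "No such file" error, and those locks stay active. Populate it the same way as `SETTINGSFILES`, i.e. `readarray -t LOCKFILES < <(grep -r ... | cut -d":" -f1)`, and the `[[ ! -z "${LOCKFILES}" ]]` guard then becomes `[ "${#LOCKFILES[@]}" -ne 0 ]`.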

bash remediation for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_disable_user_list' differs.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_disable_user_list
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_disable_user_list
@@ -4,36 +4,53 @@
 # Check for setting in any of the DConf db directories
 # If files contain ibus or distro, ignore them.
 # The assignment assumes that individual filenames don't contain :
-readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/login-screen\\]" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
+readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/login-screen\\]" "/etc/dconf/db/" \
+ | grep -v 'distro\|ibus\|gdm.d' | cut -d":" -f1)
 DCONFFILE="/etc/dconf/db/gdm.d/00-security-settings"
 DBDIR="/etc/dconf/db/gdm.d"
 
 mkdir -p "${DBDIR}"
 
-if [ "${#SETTINGSFILES[@]}" -eq 0 ]
+# Comment out the configurations in databases different from the target one
+if [ "${#SETTINGSFILES[@]}" -ne 0 ]
 then
- [ ! -z ${DCONFFILE} ] || echo "" >> ${DCONFFILE}
- printf '%s\n' "[org/gnome/login-screen]" >> ${DCONFFILE}
- printf '%s=%s\n' "disable-user-list" "true" >> ${DCONFFILE}
-else
- escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")"
 if grep -q "^\\s*disable-user-list\\s*=" "${SETTINGSFILES[@]}"
 then
 
- sed -i "s/\\s*disable-user-list\\s*=\\s*.*/disable-user-list=${escaped_value}/g" "${SETTINGSFILES[@]}"
+ sed -Ei "s/(^\s*)disable-user-list(\s*=)/#\1disable-user-list\2/g" "${SETTINGSFILES[@]}"
+ fi
+fi
+
+
+[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}"
+if ! grep -q "\\[org/gnome/login-screen\\]" "${DCONFFILE}"
+then
+ printf '%s\n' "[org/gnome/login-screen]" >> ${DCONFFILE}
+fi
+
+escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")"
+if grep -q "^\\s*disable-user-list\\s*=" "${DCONFFILE}"
+then
+ sed -i "s/\\s*disable-user-list\\s*=\\s*.*/disable-user-list=${escaped_value}/g" "${DCONFFILE}"
 else
- sed -i "\\|\\[org/gnome/login-screen\\]|a\\disable-user-list=${escaped_value}" "${SETTINGSFILES[@]}"
- fi
+ sed -i "\\|\\[org/gnome/login-screen\\]|a\\disable-user-list=${escaped_value}" "${DCONFFILE}"
 fi
 
 dconf update
 # Check for setting in any of the DConf db directories
-LOCKFILES=$(grep -r "^/org/gnome/login-screen/disable-user-list$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
+LOCKFILES=$(grep -r "^/org/gnome/login-screen/disable-user-list$" "/etc/dconf/db/" \
+ | grep -v 'distro\|ibus\|gdm.d' | grep ":" | cut -d":" -f1)
 LOCKSFOLDER="/etc/dconf/db/gdm.d/locks"
 
 mkdir -p "${LOCKSFOLDER}"
 
-if [[ -z "${LOCKFILES}" ]]
+# Comment out the configurations in databases different from the target one
+if [[ ! -z "${LOCKFILES}" ]]
+then
+ sed -i -E "s|^/org/gnome/login-screen/disable-user-list$|#&|" "${LOCKFILES[@]}"
+fi
+
+if ! grep -qr "^/org/gnome/login-screen/disable-user-list$" /etc/dconf/db/gdm.d/
 then
 echo "/org/gnome/login-screen/disable-user-list" >> "/etc/dconf/db/gdm.d/locks/00-security-settings-lock"
 fi
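Review bot: `[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}"` tests the variable, which is a non-empty literal (`DCONFFILE="/etc/dconf/db/gdm.d/00-security-settings"`), not the file, so the blank line is appended unconditionally and the keyfile grows by one line on every remediation run; when the file does not exist yet it is created starting with an empty line. If the intent is to separate a new section from existing content, guard on the file instead (`[ -s "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}"`), or better, emit the separator only inside the `if ! grep -q "\\[org/gnome/login-screen\\]" "${DCONFFILE}"` branch that actually appends the header, which keeps the remediation idempotent.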

bash remediation for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_enable_smartcard_auth' differs.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_enable_smartcard_auth
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_enable_smartcard_auth
@@ -4,36 +4,53 @@
 # Check for setting in any of the DConf db directories
 # If files contain ibus or distro, ignore them.
 # The assignment assumes that individual filenames don't contain :
-readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/login-screen\\]" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
+readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/login-screen\\]" "/etc/dconf/db/" \
+ | grep -v 'distro\|ibus\|gdm.d' | cut -d":" -f1)
 DCONFFILE="/etc/dconf/db/gdm.d/00-security-settings"
 DBDIR="/etc/dconf/db/gdm.d"
 
 mkdir -p "${DBDIR}"
 
-if [ "${#SETTINGSFILES[@]}" -eq 0 ]
+# Comment out the configurations in databases different from the target one
+if [ "${#SETTINGSFILES[@]}" -ne 0 ]
 then
- [ ! -z ${DCONFFILE} ] || echo "" >> ${DCONFFILE}
- printf '%s\n' "[org/gnome/login-screen]" >> ${DCONFFILE}
- printf '%s=%s\n' "enable-smartcard-authentication" "true" >> ${DCONFFILE}
-else
- escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")"
 if grep -q "^\\s*enable-smartcard-authentication\\s*=" "${SETTINGSFILES[@]}"
 then
 
- sed -i "s/\\s*enable-smartcard-authentication\\s*=\\s*.*/enable-smartcard-authentication=${escaped_value}/g" "${SETTINGSFILES[@]}"
+ sed -Ei "s/(^\s*)enable-smartcard-authentication(\s*=)/#\1enable-smartcard-authentication\2/g" "${SETTINGSFILES[@]}"
+ fi
+fi
+
+
+[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}"
+if ! grep -q "\\[org/gnome/login-screen\\]" "${DCONFFILE}"
+then
+ printf '%s\n' "[org/gnome/login-screen]" >> ${DCONFFILE}
+fi
+
+escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")"
+if grep -q "^\\s*enable-smartcard-authentication\\s*=" "${DCONFFILE}"
+then
+ sed -i "s/\\s*enable-smartcard-authentication\\s*=\\s*.*/enable-smartcard-authentication=${escaped_value}/g" "${DCONFFILE}"
 else
- sed -i "\\|\\[org/gnome/login-screen\\]|a\\enable-smartcard-authentication=${escaped_value}" "${SETTINGSFILES[@]}"
- fi
+ sed -i "\\|\\[org/gnome/login-screen\\]|a\\enable-smartcard-authentication=${escaped_value}" "${DCONFFILE}"
 fi
 
 dconf update
 # Check for setting in any of the DConf db directories
-LOCKFILES=$(grep -r "^/org/gnome/login-screen/enable-smartcard-authentication$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
+LOCKFILES=$(grep -r "^/org/gnome/login-screen/enable-smartcard-authentication$" "/etc/dconf/db/" \
+ | grep -v 'distro\|ibus\|gdm.d' | grep ":" | cut -d":" -f1)
 LOCKSFOLDER="/etc/dconf/db/gdm.d/locks"
 
 mkdir -p "${LOCKSFOLDER}"
 
-if [[ -z "${LOCKFILES}" ]]
+# Comment out the configurations in databases different from the target one
+if [[ ! -z "${LOCKFILES}" ]]
+then
+ sed -i -E "s|^/org/gnome/login-screen/enable-smartcard-authentication$|#&|" "${LOCKFILES[@]}"
+fi
+
+if ! grep -qr "^/org/gnome/login-screen/enable-smartcard-authentication$" /etc/dconf/db/gdm.d/
 then
 echo "/org/gnome/login-screen/enable-smartcard-authentication" >> "/etc/dconf/db/gdm.d/locks/00-security-settings-lock"
 fi
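Review bot: excluding `gdm.d` from `SETTINGSFILES` (`grep -v 'distro\|ibus\|gdm.d'`) means a second keyfile in the target db directory, say a `/etc/dconf/db/gdm.d/99-site` that sets `enable-smartcard-authentication=false`, is neither commented out nor rewritten, because the rest of the hunk only ever edits `${DCONFFILE}`. dconf merges all keyfiles of a db directory at `dconf update`, and a later-sorting file can take precedence over `00-security-settings`, so the remediation would report success while the compiled database keeps the weaker value. Either apply the comment-out step to the other files in the target directory as well (skipping `${DCONFFILE}` itself), or document that conflicting keyfiles in the same db are out of scope for this rule.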

bash remediation for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_lock_screen_on_smartcard_removal' differs.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_lock_screen_on_smartcard_removal
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_lock_screen_on_smartcard_removal
@@ -4,36 +4,53 @@
 # Check for setting in any of the DConf db directories
 # If files contain ibus or distro, ignore them.
 # The assignment assumes that individual filenames don't contain :
-readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/settings-daemon/peripherals/smartcard\\]" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
+readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/settings-daemon/peripherals/smartcard\\]" "/etc/dconf/db/" \
+ | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1)
 DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
 DBDIR="/etc/dconf/db/local.d"
 
 mkdir -p "${DBDIR}"
 
-if [ "${#SETTINGSFILES[@]}" -eq 0 ]
+# Comment out the configurations in databases different from the target one
+if [ "${#SETTINGSFILES[@]}" -ne 0 ]
 then
- [ ! -z ${DCONFFILE} ] || echo "" >> ${DCONFFILE}
- printf '%s\n' "[org/gnome/settings-daemon/peripherals/smartcard]" >> ${DCONFFILE}
- printf '%s=%s\n' "removal-action" "'lock-screen'" >> ${DCONFFILE}
-else
- escaped_value="$(sed -e 's/\\/\\\\/g' <<< "'lock-screen'")"
 if grep -q "^\\s*removal-action\\s*=" "${SETTINGSFILES[@]}"
 then
 
- sed -i "s/\\s*removal-action\\s*=\\s*.*/removal-action=${escaped_value}/g" "${SETTINGSFILES[@]}"
+ sed -Ei "s/(^\s*)removal-action(\s*=)/#\1removal-action\2/g" "${SETTINGSFILES[@]}"
+ fi
+fi
+
+
+[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}"
+if ! grep -q "\\[org/gnome/settings-daemon/peripherals/smartcard\\]" "${DCONFFILE}"
+then
+ printf '%s\n' "[org/gnome/settings-daemon/peripherals/smartcard]" >> ${DCONFFILE}
+fi
+
+escaped_value="$(sed -e 's/\\/\\\\/g' <<< "'lock-screen'")"
+if grep -q "^\\s*removal-action\\s*=" "${DCONFFILE}"
+then
+ sed -i "s/\\s*removal-action\\s*=\\s*.*/removal-action=${escaped_value}/g" "${DCONFFILE}"
 else
- sed -i "\\|\\[org/gnome/settings-daemon/peripherals/smartcard\\]|a\\removal-action=${escaped_value}" "${SETTINGSFILES[@]}"
- fi
+ sed -i "\\|\\[org/gnome/settings-daemon/peripherals/smartcard\\]|a\\removal-action=${escaped_value}" "${DCONFFILE}"
 fi
 
 dconf update
 # Check for setting in any of the DConf db directories
-LOCKFILES=$(grep -r "^/org/gnome/settings-daemon/peripherals/smartcard/removal-action$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
+LOCKFILES=$(grep -r "^/org/gnome/settings-daemon/peripherals/smartcard/removal-action$" "/etc/dconf/db/" \
+ | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1)
 LOCKSFOLDER="/etc/dconf/db/local.d/locks"
 
 mkdir -p "${LOCKSFOLDER}"
 
-if [[ -z "${LOCKFILES}" ]]
+# Comment out the configurations in databases different from the target one
+if [[ ! -z "${LOCKFILES}" ]]
+then
+ sed -i -E "s|^/org/gnome/settings-daemon/peripherals/smartcard/removal-action$|#&|" "${LOCKFILES[@]}"
+fi
+
+if ! grep -qr "^/org/gnome/settings-daemon/peripherals/smartcard/removal-action$" /etc/dconf/db/local.d/
 then
 echo "/org/gnome/settings-daemon/peripherals/smartcard/removal-action" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
 fi
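Review bot: `escaped_value="$(sed -e 's/\\/\\\\/g' <<< "'lock-screen'")"` only doubles backslashes, yet the value is then interpolated into a sed replacement (`s/\\s*removal-action\\s*=\\s*.*/removal-action=${escaped_value}/g`) and into an `a\` text (`\\|...|a\\removal-action=${escaped_value}`), where `/`, `&` and `|` are also special. The literal `'lock-screen'` is harmless, but this output comes from the shared macro, so escaping `&` and the delimiters too (`sed -e 's/[\\/&|]/\\&/g'`) would make it safe for any value a rule passes in.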

bash remediation for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_login_retries' differs.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_login_retries
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_login_retries
@@ -4,36 +4,53 @@
 # Check for setting in any of the DConf db directories
 # If files contain ibus or distro, ignore them.
 # The assignment assumes that individual filenames don't contain :
-readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/login-screen\\]" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
+readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/login-screen\\]" "/etc/dconf/db/" \
+ | grep -v 'distro\|ibus\|gdm.d' | cut -d":" -f1)
 DCONFFILE="/etc/dconf/db/gdm.d/00-security-settings"
 DBDIR="/etc/dconf/db/gdm.d"
 
 mkdir -p "${DBDIR}"
 
-if [ "${#SETTINGSFILES[@]}" -eq 0 ]
+# Comment out the configurations in databases different from the target one
+if [ "${#SETTINGSFILES[@]}" -ne 0 ]
 then
- [ ! -z ${DCONFFILE} ] || echo "" >> ${DCONFFILE}
- printf '%s\n' "[org/gnome/login-screen]" >> ${DCONFFILE}
- printf '%s=%s\n' "allowed-failures" "3" >> ${DCONFFILE}
-else
- escaped_value="$(sed -e 's/\\/\\\\/g' <<< "3")"
 if grep -q "^\\s*allowed-failures\\s*=" "${SETTINGSFILES[@]}"
 then
 
- sed -i "s/\\s*allowed-failures\\s*=\\s*.*/allowed-failures=${escaped_value}/g" "${SETTINGSFILES[@]}"
+ sed -Ei "s/(^\s*)allowed-failures(\s*=)/#\1allowed-failures\2/g" "${SETTINGSFILES[@]}"
+ fi
+fi
+
+
+[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}"
+if ! grep -q "\\[org/gnome/login-screen\\]" "${DCONFFILE}"
+then
+ printf '%s\n' "[org/gnome/login-screen]" >> ${DCONFFILE}
+fi
+
+escaped_value="$(sed -e 's/\\/\\\\/g' <<< "3")"
+if grep -q "^\\s*allowed-failures\\s*=" "${DCONFFILE}"
+then
+ sed -i "s/\\s*allowed-failures\\s*=\\s*.*/allowed-failures=${escaped_value}/g" "${DCONFFILE}"
 else
- sed -i "\\|\\[org/gnome/login-screen\\]|a\\allowed-failures=${escaped_value}" "${SETTINGSFILES[@]}"
- fi
+ sed -i "\\|\\[org/gnome/login-screen\\]|a\\allowed-failures=${escaped_value}" "${DCONFFILE}"
 fi
 
 dconf update
 # Check for setting in any of the DConf db directories
-LOCKFILES=$(grep -r "^/org/gnome/login-screen/allowed-failures$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
+LOCKFILES=$(grep -r "^/org/gnome/login-screen/allowed-failures$" "/etc/dconf/db/" \
+ | grep -v 'distro\|ibus\|gdm.d' | grep ":" | cut -d":" -f1)
 LOCKSFOLDER="/etc/dconf/db/gdm.d/locks"
 
 mkdir -p "${LOCKSFOLDER}"
 
-if [[ -z "${LOCKFILES}" ]]
+# Comment out the configurations in databases different from the target one
+if [[ ! -z "${LOCKFILES}" ]]
+then
+ sed -i -E "s|^/org/gnome/login-screen/allowed-failures$|#&|" "${LOCKFILES[@]}"
+fi
+
+if ! grep -qr "^/org/gnome/login-screen/allowed-failures$" /etc/dconf/db/gdm.d/
 then
 echo "/org/gnome/login-screen/allowed-failures" >> "/etc/dconf/db/gdm.d/locks/00-security-settings-lock"
 fi
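Review bot: within this hunk `dconf update` runs before the lock handling (`sed -i -E "s|^/org/gnome/login-screen/allowed-failures$|#&|"` and the `echo ... >> "/etc/dconf/db/gdm.d/locks/00-security-settings-lock"`), so the lock changes are not yet in the compiled database at that point. The diff stops at the final `fi`, so please confirm a second `dconf update` follows the lock edits; otherwise `allowed-failures` remains overridable until the next compile, while an OVAL check that reads the source keyfiles and lock files already passes.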

bash remediation for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount' differs.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount
@@ -4,36 +4,53 @@
 # Check for setting in any of the DConf db directories
 # If files contain ibus or distro, ignore them.
 # The assignment assumes that individual filenames don't contain :
-readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/media-handling\\]" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
+readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/media-handling\\]" "/etc/dconf/db/" \
+ | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1)
 DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
 DBDIR="/etc/dconf/db/local.d"
 
 mkdir -p "${DBDIR}"
 
-if [ "${#SETTINGSFILES[@]}" -eq 0 ]
+# Comment out the configurations in databases different from the target one
+if [ "${#SETTINGSFILES[@]}" -ne 0 ]
 then
- [ ! -z ${DCONFFILE} ] || echo "" >> ${DCONFFILE}
- printf '%s\n' "[org/gnome/desktop/media-handling]" >> ${DCONFFILE}
- printf '%s=%s\n' "automount" "false" >> ${DCONFFILE}
-else
- escaped_value="$(sed -e 's/\\/\\\\/g' <<< "false")"
 if grep -q "^\\s*automount\\s*=" "${SETTINGSFILES[@]}"
 then
 
- sed -i "s/\\s*automount\\s*=\\s*.*/automount=${escaped_value}/g" "${SETTINGSFILES[@]}"
+ sed -Ei "s/(^\s*)automount(\s*=)/#\1automount\2/g" "${SETTINGSFILES[@]}"
+ fi
+fi
+
+
+[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}"
+if ! grep -q "\\[org/gnome/desktop/media-handling\\]" "${DCONFFILE}"
+then
+ printf '%s\n' "[org/gnome/desktop/media-handling]" >> ${DCONFFILE}
+fi
+
+escaped_value="$(sed -e 's/\\/\\\\/g' <<< "false")"
+if grep -q "^\\s*automount\\s*=" "${DCONFFILE}"
+then
+ sed -i "s/\\s*automount\\s*=\\s*.*/automount=${escaped_value}/g" "${DCONFFILE}"
 else
- sed -i "\\|\\[org/gnome/desktop/media-handling\\]|a\\automount=${escaped_value}" "${SETTINGSFILES[@]}"
- fi
+ sed -i "\\|\\[org/gnome/desktop/media-handling\\]|a\\automount=${escaped_value}" "${DCONFFILE}"
 fi
 
 dconf update
 # Check for setting in any of the DConf db directories
-LOCKFILES=$(grep -r "^/org/gnome/desktop/media-handling/automount$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
+LOCKFILES=$(grep -r "^/org/gnome/desktop/media-handling/automount$" "/etc/dconf/db/" \
+ | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1)
 LOCKSFOLDER="/etc/dconf/db/local.d/locks"
 
 mkdir -p "${LOCKSFOLDER}"
 
-if [[ -z "${LOCKFILES}" ]]
+# Comment out the configurations in databases different from the target one
+if [[ ! -z "${LOCKFILES}" ]]
+then
+ sed -i -E "s|^/org/gnome/desktop/media-handling/automount$|#&|" "${LOCKFILES[@]}"
+fi
+
+if ! grep -qr "^/org/gnome/desktop/media-handling/automount$" /etc/dconf/db/local.d/
 then
 echo "/org/gnome/desktop/media-handling/automount" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
 fi
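Review bot: `SETTINGSFILES` is selected by the presence of `[org/gnome/desktop/media-handling]`, but the comment-out `sed -Ei "s/(^\s*)automount(\s*=)/#\1automount\2/g"` then runs over the whole file, so an `automount=` key under any other section in the same keyfile is commented too. The trailing `(\s*=)` is the only thing keeping `automount-open` from matching here, which deserves a comment since the `disable_automount_open` rule writes to the same file. With `^` in the pattern the `/g` flag is redundant; if section scoping is wanted, a range address such as `/^\[org\/gnome\/desktop\/media-handling\]/,/^\[/` in front of the `s` command limits the edit to that section.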

bash remediation for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount_open' differs.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount_open
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount_open
@@ -4,36 +4,53 @@
 # Check for setting in any of the DConf db directories
 # If files contain ibus or distro, ignore them.
 # The assignment assumes that individual filenames don't contain :
-readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/media-handling\\]" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
+readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/media-handling\\]" "/etc/dconf/db/" \
+ | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1)
 DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
 DBDIR="/etc/dconf/db/local.d"
 
 mkdir -p "${DBDIR}"
 
-if [ "${#SETTINGSFILES[@]}" -eq 0 ]
+# Comment out the configurations in databases different from the target one
+if [ "${#SETTINGSFILES[@]}" -ne 0 ]
 then
- [ ! -z ${DCONFFILE} ] || echo "" >> ${DCONFFILE}
- printf '%s\n' "[org/gnome/desktop/media-handling]" >> ${DCONFFILE}
- printf '%s=%s\n' "automount-open" "false" >> ${DCONFFILE}
-else
- escaped_value="$(sed -e 's/\\/\\\\/g' <<< "false")"
 if grep -q "^\\s*automount-open\\s*=" "${SETTINGSFILES[@]}"
 then
 
- sed -i "s/\\s*automount-open\\s*=\\s*.*/automount-open=${escaped_value}/g" "${SETTINGSFILES[@]}"
+ sed -Ei "s/(^\s*)automount-open(\s*=)/#\1automount-open\2/g" "${SETTINGSFILES[@]}"
+ fi
+fi
+
+
+[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}"
+if ! grep -q "\\[org/gnome/desktop/media-handling\\]" "${DCONFFILE}"
+then
+ printf '%s\n' "[org/gnome/desktop/media-handling]" >> ${DCONFFILE}
+fi
+
+escaped_value="$(sed -e 's/\\/\\\\/g' <<< "false")"
+if grep -q "^\\s*automount-open\\s*=" "${DCONFFILE}"
+then
+ sed -i "s/\\s*automount-open\\s*=\\s*.*/automount-open=${escaped_value}/g" "${DCONFFILE}"
 else
- sed -i "\\|\\[org/gnome/desktop/media-handling\\]|a\\automount-open=${escaped_value}" "${SETTINGSFILES[@]}"
- fi
+ sed -i "\\|\\[org/gnome/desktop/media-handling\\]|a\\automount-open=${escaped_value}" "${DCONFFILE}"
 fi
 
 dconf update
 # Check for setting in any of the DConf db directories
-LOCKFILES=$(grep -r "^/org/gnome/desktop/media-handling/automount-open$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
+LOCKFILES=$(grep -r "^/org/gnome/desktop/media-handling/automount-open$" "/etc/dconf/db/" \
+ | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1)
 LOCKSFOLDER="/etc/dconf/db/local.d/locks"
 
 mkdir -p "${LOCKSFOLDER}"
 
-if [[ -z "${LOCKFILES}" ]]
+# Comment out the configurations in databases different from the target one
+if [[ ! -z "${LOCKFILES}" ]]
+then
+ sed -i -E "s|^/org/gnome/desktop/media-handling/automount-open$|#&|" "${LOCKFILES[@]}"
+fi
+
+if ! grep -qr "^/org/gnome/desktop/media-handling/automount-open$" /etc/dconf/db/local.d/
 then
 echo "/org/gnome/desktop/media-handling/automount-open" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
 fi
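Review bot: quoting is inconsistent inside the hunk: `printf '%s\n' "[org/gnome/desktop/media-handling]" >> ${DCONFFILE}` leaves the variable unquoted while the lines around it use `"${DCONFFILE}"`; the path is a literal here so it works, but the macro should quote uniformly. Likewise the `LOCKFILES` pipeline gained `| grep ":"` while the `SETTINGSFILES` pipeline at the top of the hunk did not, and nothing explains which `grep -r` output line could lack the `file:match` colon; either apply it to both pipelines or drop it.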

bash remediation for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_disable_autorun' differs.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_disable_autorun
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_disable_autorun
@@ -4,36 +4,53 @@
 # Check for setting in any of the DConf db directories
 # If files contain ibus or distro, ignore them.
 # The assignment assumes that individual filenames don't contain :
-readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/media-handling\\]" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
+readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/media-handling\\]" "/etc/dconf/db/" \
+ | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1)
 DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
 DBDIR="/etc/dconf/db/local.d"
 
 mkdir -p "${DBDIR}"
 
-if [ "${#SETTINGSFILES[@]}" -eq 0 ]
+# Comment out the configurations in databases different from the target one
+if [ "${#SETTINGSFILES[@]}" -ne 0 ]
 then
- [ ! -z ${DCONFFILE} ] || echo "" >> ${DCONFFILE}
- printf '%s\n' "[org/gnome/desktop/media-handling]" >> ${DCONFFILE}
- printf '%s=%s\n' "autorun-never" "true" >> ${DCONFFILE}
-else
- escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")"
 if grep -q "^\\s*autorun-never\\s*=" "${SETTINGSFILES[@]}"
 then
 
- sed -i "s/\\s*autorun-never\\s*=\\s*.*/autorun-never=${escaped_value}/g" "${SETTINGSFILES[@]}"
+ sed -Ei "s/(^\s*)autorun-never(\s*=)/#\1autorun-never\2/g" "${SETTINGSFILES[@]}"
+ fi
+fi
+
+
+[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}"
+if ! grep -q "\\[org/gnome/desktop/media-handling\\]" "${DCONFFILE}"
+then
+ printf '%s\n' "[org/gnome/desktop/media-handling]" >> ${DCONFFILE}
+fi
+
+escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")"
+if grep -q "^\\s*autorun-never\\s*=" "${DCONFFILE}"
+then
+ sed -i "s/\\s*autorun-never\\s*=\\s*.*/autorun-never=${escaped_value}/g" "${DCONFFILE}"
 else
- sed -i "\\|\\[org/gnome/desktop/media-handling\\]|a\\autorun-never=${escaped_value}" "${SETTINGSFILES[@]}"
- fi
+ sed -i "\\|\\[org/gnome/desktop/media-handling\\]|a\\autorun-never=${escaped_value}" "${DCONFFILE}"
 fi
 
 dconf update
 # Check for setting in any of the DConf db directories
-LOCKFILES=$(grep -r "^/org/gnome/desktop/media-handling/autorun-never$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
+LOCKFILES=$(grep -r "^/org/gnome/desktop/media-handling/autorun-never$" "/etc/dconf/db/" \
+ | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1)
 LOCKSFOLDER="/etc/dconf/db/local.d/locks"
 
 mkdir -p "${LOCKSFOLDER}"
 
-if [[ -z "${LOCKFILES}" ]]
+# Comment out the configurations in databases different from the target one
+if [[ ! -z "${LOCKFILES}" ]]
+then
+ sed -i -E "s|^/org/gnome/desktop/media-handling/autorun-never$|#&|" "${LOCKFILES[@]}"
+fi
+
+if ! grep -qr "^/org/gnome/desktop/media-handling/autorun-never$" /etc/dconf/db/local.d/
 then
 echo "/org/gnome/desktop/media-handling/autorun-never" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
 fi
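Review bot: `LOCKSFOLDER="/etc/dconf/db/local.d/locks"` is defined and created with `mkdir -p`, but the check `grep -qr "^/org/gnome/desktop/media-handling/autorun-never$" /etc/dconf/db/local.d/` and the write to `"/etc/dconf/db/local.d/locks/00-security-settings-lock"` repeat the path as literals, and the grep scans the whole db directory rather than the locks subdirectory. Use `"${LOCKSFOLDER}"` in both places so the variable and the literals cannot drift apart, and narrow the grep to the locks directory where these entries actually live.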

bash remediation for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_disable_thumbnailers' differs.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_disable_thumbnailers
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_disable_thumbnailers
@@ -4,36 +4,53 @@
 # Check for setting in any of the DConf db directories
 # If files contain ibus or distro, ignore them.
 # The assignment assumes that individual filenames don't contain :
-readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/thumbnailers\\]" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
+readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/thumbnailers\\]" "/etc/dconf/db/" \
+ | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1)
 DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
 DBDIR="/etc/dconf/db/local.d"
 
 mkdir -p "${DBDIR}"
 
-if [ "${#SETTINGSFILES[@]}" -eq 0 ]
+# Comment out the configurations in databases different from the target one
+if [ "${#SETTINGSFILES[@]}" -ne 0 ]
 then
- [ ! -z ${DCONFFILE} ] || echo "" >> ${DCONFFILE}
- printf '%s\n' "[org/gnome/desktop/thumbnailers]" >> ${DCONFFILE}
- printf '%s=%s\n' "disable-all" "true" >> ${DCONFFILE}
-else
- escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")"
 if grep -q "^\\s*disable-all\\s*=" "${SETTINGSFILES[@]}"
 then
 
- sed -i "s/\\s*disable-all\\s*=\\s*.*/disable-all=${escaped_value}/g" "${SETTINGSFILES[@]}"
+ sed -Ei "s/(^\s*)disable-all(\s*=)/#\1disable-all\2/g" "${SETTINGSFILES[@]}"
+ fi
+fi
+
+
+[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}"
+if ! grep -q "\\[org/gnome/desktop/thumbnailers\\]" "${DCONFFILE}"
+then
+ printf '%s\n' "[org/gnome/desktop/thumbnailers]" >> ${DCONFFILE}
+fi
+
+escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")"
+if grep -q "^\\s*disable-all\\s*=" "${DCONFFILE}"
+then
+ sed -i "s/\\s*disable-all\\s*=\\s*.*/disable-all=${escaped_value}/g" "${DCONFFILE}"
 else
- sed -i "\\|\\[org/gnome/desktop/thumbnailers\\]|a\\disable-all=${escaped_value}" "${SETTINGSFILES[@]}"
- fi
+ sed -i "\\|\\[org/gnome/desktop/thumbnailers\\]|a\\disable-all=${escaped_value}" "${DCONFFILE}"
 fi
 
 dconf update
 # Check for setting in any of the DConf db directories
-LOCKFILES=$(grep -r "^/org/gnome/desktop/thumbnailers/disable-all$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
+LOCKFILES=$(grep -r "^/org/gnome/desktop/thumbnailers/disable-all$" "/etc/dconf/db/" \
+ | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1)
 LOCKSFOLDER="/etc/dconf/db/local.d/locks"
 
 mkdir -p "${LOCKSFOLDER}"
 
-if [[ -z "${LOCKFILES}" ]]
+# Comment out the configurations in databases different from the target one
+if [[ ! -z "${LOCKFILES}" ]]
+then
+ sed -i -E "s|^/org/gnome/desktop/thumbnailers/disable-all$|#&|" "${LOCKFILES[@]}"
+fi
+
+if ! grep -qr "^/org/gnome/desktop/thumbnailers/disable-all$" /etc/dconf/db/local.d/
 then
 echo "/org/gnome/desktop/thumbnailers/disable-all" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
 fi
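Review bot: the leading comments `# Check for setting in any of the DConf db directories` and `# If files contain ibus or distro, ignore them.` no longer describe the code: the pipeline now also excludes `local.d`, and the result is used to comment settings out rather than to find where to write them. Update the comment to say that `SETTINGSFILES` lists keyfiles outside the target db whose `disable-all` entry will be commented out, and that the value is always written to `${DCONFFILE}`.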

bash remediation for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_disable_wifi_create' differs.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_disable_wifi_create
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_disable_wifi_create
@@ -4,36 +4,53 @@
 # Check for setting in any of the DConf db directories
 # If files contain ibus or distro, ignore them.
 # The assignment assumes that individual filenames don't contain :
-readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/nm-applet\\]" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
+readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/nm-applet\\]" "/etc/dconf/db/" \
+ | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1)
 DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
 DBDIR="/etc/dconf/db/local.d"
 
 mkdir -p "${DBDIR}"
 
-if [ "${#SETTINGSFILES[@]}" -eq 0 ]
+# Comment out the configurations in databases different from the target one
+if [ "${#SETTINGSFILES[@]}" -ne 0 ]
 then
- [ ! -z ${DCONFFILE} ] || echo "" >> ${DCONFFILE}
- printf '%s\n' "[org/gnome/nm-applet]" >> ${DCONFFILE}
- printf '%s=%s\n' "disable-wifi-create" "true" >> ${DCONFFILE}
-else
- escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")"
 if grep -q "^\\s*disable-wifi-create\\s*=" "${SETTINGSFILES[@]}"
 then
 
- sed -i "s/\\s*disable-wifi-create\\s*=\\s*.*/disable-wifi-create=${escaped_value}/g" "${SETTINGSFILES[@]}"
+ sed -Ei "s/(^\s*)disable-wifi-create(\s*=)/#\1disable-wifi-create\2/g" "${SETTINGSFILES[@]}"
+ fi
+fi
+
+
+[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}"
+if ! grep -q "\\[org/gnome/nm-applet\\]" "${DCONFFILE}"
+then
+ printf '%s\n' "[org/gnome/nm-applet]" >> ${DCONFFILE}
+fi
+
+escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")"
+if grep -q "^\\s*disable-wifi-create\\s*=" "${DCONFFILE}"
+then
+ sed -i "s/\\s*disable-wifi-create\\s*=\\s*.*/disable-wifi-create=${escaped_value}/g" "${DCONFFILE}"
 else
- sed -i "\\|\\[org/gnome/nm-applet\\]|a\\disable-wifi-create=${escaped_value}" "${SETTINGSFILES[@]}"
- fi
+ sed -i "\\|\\[org/gnome/nm-applet\\]|a\\disable-wifi-create=${escaped_value}" "${DCONFFILE}"
 fi
 
 dconf update
 # Check for setting in any of the DConf db directories
-LOCKFILES=$(grep -r "^/org/gnome/nm-applet/disable-wifi-create$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
+LOCKFILES=$(grep -r "^/org/gnome/nm-applet/disable-wifi-create$" "/etc/dconf/db/" \
+ | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1)
 LOCKSFOLDER="/etc/dconf/db/local.d/locks"
 
 mkdir -p "${LOCKSFOLDER}"
 
-if [[ -z "${LOCKFILES}" ]]
+# Comment out the configurations in databases different from the target one
+if [[ ! -z "${LOCKFILES}" ]]
+then
+ sed -i -E "s|^/org/gnome/nm-applet/disable-wifi-create$|#&|" "${LOCKFILES[@]}"
+fi
+
+if ! grep -qr "^/org/gnome/nm-applet/disable-wifi-create$" /etc/dconf/db/local.d/
 then
 echo "/org/gnome/nm-applet/disable-wifi-create" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
 fi
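Review bot: `[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}"` tests whether the variable is non-empty, not whether the file is, and since `DCONFFILE` is a literal path the test is always true, so every run of the remediation appends another blank line to `00-security-settings` (the removed `[ ! -z ${DCONFFILE} ] || echo ""` had the same variable-vs-file confusion in the other direction and never appended). If the intent is a separator before a new `[org/gnome/nm-applet]` header, move the `echo ""` inside the following `if ! grep -q "\\[org/gnome/nm-applet\\]" "${DCONFFILE}"` block, guarded by `[ -s "${DCONFFILE}" ]`, so the file only grows when the header is actually added.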

bash remediation for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_disable_wifi_notification' differs.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_disable_wifi_notification
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_disable_wifi_notification
@@ -4,36 +4,53 @@
 # Check for setting in any of the DConf db directories
 # If files contain ibus or distro, ignore them.
 # The assignment assumes that individual filenames don't contain :
-readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/nm-applet\\]" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
+readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/nm-applet\\]" "/etc/dconf/db/" \
+ | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1)
 DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
 DBDIR="/etc/dconf/db/local.d"
 
 mkdir -p "${DBDIR}"
 
-if [ "${#SETTINGSFILES[@]}" -eq 0 ]
+# Comment out the configurations in databases different from the target one
+if [ "${#SETTINGSFILES[@]}" -ne 0 ]
 then
- [ ! -z ${DCONFFILE} ] || echo "" >> ${DCONFFILE}
- printf '%s\n' "[org/gnome/nm-applet]" >> ${DCONFFILE}
- printf '%s=%s\n' "suppress-wireless-networks-available" "true" >> ${DCONFFILE}
-else
- escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")"
 if grep -q "^\\s*suppress-wireless-networks-available\\s*=" "${SETTINGSFILES[@]}"
 then
 
- sed -i "s/\\s*suppress-wireless-networks-available\\s*=\\s*.*/suppress-wireless-networks-available=${escaped_value}/g" "${SETTINGSFILES[@]}"
+ sed -Ei "s/(^\s*)suppress-wireless-networks-available(\s*=)/#\1suppress-wireless-networks-available\2/g" "${SETTINGSFILES[@]}"
+ fi
+fi
+
+
+[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}"
+if ! grep -q "\\[org/gnome/nm-applet\\]" "${DCONFFILE}"
+then
+ printf '%s\n' "[org/gnome/nm-applet]" >> ${DCONFFILE}
+fi
+
+escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")"
+if grep -q "^\\s*suppress-wireless-networks-available\\s*=" "${DCONFFILE}"
+then
+ sed -i "s/\\s*suppress-wireless-networks-available\\s*=\\s*.*/suppress-wireless-networks-available=${escaped_value}/g" "${DCONFFILE}"
 else
- sed -i "\\|\\[org/gnome/nm-applet\\]|a\\suppress-wireless-networks-available=${escaped_value}" "${SETTINGSFILES[@]}"
- fi
+ sed -i "\\|\\[org/gnome/nm-applet\\]|a\\suppress-wireless-networks-available=${escaped_value}" "${DCONFFILE}"
 fi
 
 dconf update
 # Check for setting in any of the DConf db directories
-LOCKFILES=$(grep -r "^/org/gnome/nm-applet/suppress-wireless-networks-available$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
+LOCKFILES=$(grep -r "^/org/gnome/nm-applet/suppress-wireless-networks-available$" "/etc/dconf/db/" \
+ | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1)
 LOCKSFOLDER="/etc/dconf/db/local.d/locks"
 
 mkdir -p "${LOCKSFOLDER}"
 
-if [[ -z "${LOCKFILES}" ]]
+# Comment out the configurations in databases different from the target one
+if [[ ! -z "${LOCKFILES}" ]]
+then
+ sed -i -E "s|^/org/gnome/nm-applet/suppress-wireless-networks-available$|#&|" "${LOCKFILES[@]}"
+fi
+
+if ! grep -qr "^/org/gnome/nm-applet/suppress-wireless-networks-available$" /etc/dconf/db/local.d/
 then
 echo "/org/gnome/nm-applet/suppress-wireless-networks-available" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
 fi
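Review bot: `"${LOCKFILES[@]}"` in the new `sed -i -E "s|^/org/gnome/nm-applet/suppress-wireless-networks-available$|#&|"` line expands a scalar, not an array: `LOCKFILES` is assigned with `$(...)`, so when more than one file matches, sed receives a single argument with embedded newlines and fails with a "can't read" error instead of commenting out each file. Use `readarray -t LOCKFILES < <(...)` and test `[ "${#LOCKFILES[@]}" -ne 0 ]`, mirroring how `SETTINGSFILES` is handled in the settings half of the same macro.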

bash remediation for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_credential_prompt' differs.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_credential_prompt
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_credential_prompt
@@ -4,36 +4,53 @@
 # Check for setting in any of the DConf db directories
 # If files contain ibus or distro, ignore them.
 # The assignment assumes that individual filenames don't contain :
-readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/Vino\\]" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
+readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/Vino\\]" "/etc/dconf/db/" \
+ | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1)
 DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
 DBDIR="/etc/dconf/db/local.d"
 
 mkdir -p "${DBDIR}"
 
-if [ "${#SETTINGSFILES[@]}" -eq 0 ]
+# Comment out the configurations in databases different from the target one
+if [ "${#SETTINGSFILES[@]}" -ne 0 ]
 then
- [ ! -z ${DCONFFILE} ] || echo "" >> ${DCONFFILE}
- printf '%s\n' "[org/gnome/Vino]" >> ${DCONFFILE}
- printf '%s=%s\n' "authentication-methods" "['vnc']" >> ${DCONFFILE}
-else
- escaped_value="$(sed -e 's/\\/\\\\/g' <<< "['vnc']")"
 if grep -q "^\\s*authentication-methods\\s*=" "${SETTINGSFILES[@]}"
 then
 
- sed -i "s/\\s*authentication-methods\\s*=\\s*.*/authentication-methods=${escaped_value}/g" "${SETTINGSFILES[@]}"
+ sed -Ei "s/(^\s*)authentication-methods(\s*=)/#\1authentication-methods\2/g" "${SETTINGSFILES[@]}"
+ fi
+fi
+
+
+[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}"
+if ! grep -q "\\[org/gnome/Vino\\]" "${DCONFFILE}"
+then
+ printf '%s\n' "[org/gnome/Vino]" >> ${DCONFFILE}
+fi
+
+escaped_value="$(sed -e 's/\\/\\\\/g' <<< "['vnc']")"
+if grep -q "^\\s*authentication-methods\\s*=" "${DCONFFILE}"
+then
+ sed -i "s/\\s*authentication-methods\\s*=\\s*.*/authentication-methods=${escaped_value}/g" "${DCONFFILE}"
 else
- sed -i "\\|\\[org/gnome/Vino\\]|a\\authentication-methods=${escaped_value}" "${SETTINGSFILES[@]}"
- fi
+ sed -i "\\|\\[org/gnome/Vino\\]|a\\authentication-methods=${escaped_value}" "${DCONFFILE}"
 fi
 
 dconf update
 # Check for setting in any of the DConf db directories
-LOCKFILES=$(grep -r "^/org/gnome/Vino/authentication-methods$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
+LOCKFILES=$(grep -r "^/org/gnome/Vino/authentication-methods$" "/etc/dconf/db/" \
+ | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1)
 LOCKSFOLDER="/etc/dconf/db/local.d/locks"
 
 mkdir -p "${LOCKSFOLDER}"
 
-if [[ -z "${LOCKFILES}" ]]
+# Comment out the configurations in databases different from the target one
+if [[ ! -z "${LOCKFILES}" ]]
+then
+ sed -i -E "s|^/org/gnome/Vino/authentication-methods$|#&|" "${LOCKFILES[@]}"
+fi
+
+if ! grep -qr "^/org/gnome/Vino/authentication-methods$" /etc/dconf/db/local.d/
 then
 echo "/org/gnome/Vino/authentication-methods" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
 fi
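Review bot: `escaped_value="$(sed -e 's/\\/\\\\/g' <<< "['vnc']")"` only doubles backslashes, but the value is then interpolated into the replacement side of `s/\\s*authentication-methods\\s*=\\s*.*/authentication-methods=${escaped_value}/g`, where `/` terminates the expression and `&` re-inserts the match. `['vnc']` and the boolean values happen to be safe, but a value containing `/` or `&` is not; extend the escaping in the macro to something like `sed -e 's/[\/&\\]/\\&/g'` so the generated script does not depend on the rule's value.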

bash remediation for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_encryption' differs.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_encryption
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_encryption
@@ -4,36 +4,53 @@
 # Check for setting in any of the DConf db directories
 # If files contain ibus or distro, ignore them.
 # The assignment assumes that individual filenames don't contain :
-readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/Vino\\]" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
+readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/Vino\\]" "/etc/dconf/db/" \
+ | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1)
 DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
 DBDIR="/etc/dconf/db/local.d"
 
 mkdir -p "${DBDIR}"
 
-if [ "${#SETTINGSFILES[@]}" -eq 0 ]
+# Comment out the configurations in databases different from the target one
+if [ "${#SETTINGSFILES[@]}" -ne 0 ]
 then
- [ ! -z ${DCONFFILE} ] || echo "" >> ${DCONFFILE}
- printf '%s\n' "[org/gnome/Vino]" >> ${DCONFFILE}
- printf '%s=%s\n' "require-encryption" "true" >> ${DCONFFILE}
-else
- escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")"
 if grep -q "^\\s*require-encryption\\s*=" "${SETTINGSFILES[@]}"
 then
 
- sed -i "s/\\s*require-encryption\\s*=\\s*.*/require-encryption=${escaped_value}/g" "${SETTINGSFILES[@]}"
+ sed -Ei "s/(^\s*)require-encryption(\s*=)/#\1require-encryption\2/g" "${SETTINGSFILES[@]}"
+ fi
+fi
+
+
+[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}"
+if ! grep -q "\\[org/gnome/Vino\\]" "${DCONFFILE}"
+then
+ printf '%s\n' "[org/gnome/Vino]" >> ${DCONFFILE}
+fi
+
+escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")"
+if grep -q "^\\s*require-encryption\\s*=" "${DCONFFILE}"
+then
+ sed -i "s/\\s*require-encryption\\s*=\\s*.*/require-encryption=${escaped_value}/g" "${DCONFFILE}"
 else
- sed -i "\\|\\[org/gnome/Vino\\]|a\\require-encryption=${escaped_value}" "${SETTINGSFILES[@]}"
- fi
+ sed -i "\\|\\[org/gnome/Vino\\]|a\\require-encryption=${escaped_value}" "${DCONFFILE}"
 fi
 
 dconf update
 # Check for setting in any of the DConf db directories
-LOCKFILES=$(grep -r "^/org/gnome/Vino/require-encryption$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
+LOCKFILES=$(grep -r "^/org/gnome/Vino/require-encryption$" "/etc/dconf/db/" \
+ | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1)
 LOCKSFOLDER="/etc/dconf/db/local.d/locks"
 
 mkdir -p "${LOCKSFOLDER}"
 
-if [[ -z "${LOCKFILES}" ]]
+# Comment out the configurations in databases different from the target one
+if [[ ! -z "${LOCKFILES}" ]]
+then
+ sed -i -E "s|^/org/gnome/Vino/require-encryption$|#&|" "${LOCKFILES[@]}"
+fi
+
+if ! grep -qr "^/org/gnome/Vino/require-encryption$" /etc/dconf/db/local.d/
 then
 echo "/org/gnome/Vino/require-encryption" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
 fi
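Review bot: `printf '%s\n' "[org/gnome/Vino]" >> ${DCONFFILE}` in the new section-append block leaves `${DCONFFILE}` unquoted while every other new line quotes it; this is the kind of SC2086 finding the CI shellcheck job flags, and the inconsistency suggests the line was carried over from the removed block rather than written for the new one. Quote it as `>> "${DCONFFILE}"`.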

bash remediation for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_activation_enabled' differs.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_activation_enabled
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_activation_enabled
@@ -4,36 +4,53 @@
 # Check for setting in any of the DConf db directories
 # If files contain ibus or distro, ignore them.
 # The assignment assumes that individual filenames don't contain :
-readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/screensaver\\]" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
+readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/screensaver\\]" "/etc/dconf/db/" \
+ | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1)
 DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
 DBDIR="/etc/dconf/db/local.d"
 
 mkdir -p "${DBDIR}"
 
-if [ "${#SETTINGSFILES[@]}" -eq 0 ]
+# Comment out the configurations in databases different from the target one
+if [ "${#SETTINGSFILES[@]}" -ne 0 ]
 then
- [ ! -z ${DCONFFILE} ] || echo "" >> ${DCONFFILE}
- printf '%s\n' "[org/gnome/desktop/screensaver]" >> ${DCONFFILE}
- printf '%s=%s\n' "idle-activation-enabled" "true" >> ${DCONFFILE}
-else
- escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")"
 if grep -q "^\\s*idle-activation-enabled\\s*=" "${SETTINGSFILES[@]}"
 then
 
- sed -i "s/\\s*idle-activation-enabled\\s*=\\s*.*/idle-activation-enabled=${escaped_value}/g" "${SETTINGSFILES[@]}"
+ sed -Ei "s/(^\s*)idle-activation-enabled(\s*=)/#\1idle-activation-enabled\2/g" "${SETTINGSFILES[@]}"
+ fi
+fi
+
+
+[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}"
+if ! grep -q "\\[org/gnome/desktop/screensaver\\]" "${DCONFFILE}"
+then
+ printf '%s\n' "[org/gnome/desktop/screensaver]" >> ${DCONFFILE}
+fi
+
+escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")"
+if grep -q "^\\s*idle-activation-enabled\\s*=" "${DCONFFILE}"
+then
+ sed -i "s/\\s*idle-activation-enabled\\s*=\\s*.*/idle-activation-enabled=${escaped_value}/g" "${DCONFFILE}"
 else
- sed -i "\\|\\[org/gnome/desktop/screensaver\\]|a\\idle-activation-enabled=${escaped_value}" "${SETTINGSFILES[@]}"
- fi
+ sed -i "\\|\\[org/gnome/desktop/screensaver\\]|a\\idle-activation-enabled=${escaped_value}" "${DCONFFILE}"
 fi
 
 dconf update
 # Check for setting in any of the DConf db directories
-LOCKFILES=$(grep -r "^/org/gnome/desktop/screensaver/idle-activation-enabled$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
+LOCKFILES=$(grep -r "^/org/gnome/desktop/screensaver/idle-activation-enabled$" "/etc/dconf/db/" \
+ | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1)
 LOCKSFOLDER="/etc/dconf/db/local.d/locks"
 
 mkdir -p "${LOCKSFOLDER}"
 
-if [[ -z "${LOCKFILES}" ]]
+# Comment out the configurations in databases different from the target one
+if [[ ! -z "${LOCKFILES}" ]]
+then
+ sed -i -E "s|^/org/gnome/desktop/screensaver/idle-activation-enabled$|#&|" "${LOCKFILES[@]}"
+fi
+
+if ! grep -qr "^/org/gnome/desktop/screensaver/idle-activation-enabled$" /etc/dconf/db/local.d/
 then
 echo "/org/gnome/desktop/screensaver/idle-activation-enabled" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
 fi
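Review bot: `sed -Ei "s/(^\s*)idle-activation-enabled(\s*=)/#\1idle-activation-enabled\2/g" "${SETTINGSFILES[@]}"` is keyed on the key name alone, not on the `[org/gnome/desktop/screensaver]` group, so an `idle-activation-enabled` line under any other group in those files is commented out as well; the file list only guarantees the group header appears somewhere in the file. Because this now silently disables unrelated settings in other databases rather than rewriting a value, scope the substitution with a range address such as `/^\[org\/gnome\/desktop\/screensaver\]/,/^\[/` in front of the `s` command; the same applies to the `sed` that sets the value in `${DCONFFILE}`.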

bash remediation for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_activation_locked' differs.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_activation_locked
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_activation_locked
@@ -2,12 +2,19 @@
 if rpm --quiet -q gdm; then
 
 # Check for setting in any of the DConf db directories
-LOCKFILES=$(grep -r "^/org/gnome/desktop/screensaver/idle-activation-enabled$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
+LOCKFILES=$(grep -r "^/org/gnome/desktop/screensaver/idle-activation-enabled$" "/etc/dconf/db/" \
+ | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1)
 LOCKSFOLDER="/etc/dconf/db/local.d/locks"
 
 mkdir -p "${LOCKSFOLDER}"
 
-if [[ -z "${LOCKFILES}" ]]
+# Comment out the configurations in databases different from the target one
+if [[ ! -z "${LOCKFILES}" ]]
+then
+ sed -i -E "s|^/org/gnome/desktop/screensaver/idle-activation-enabled$|#&|" "${LOCKFILES[@]}"
+fi
+
+if ! grep -qr "^/org/gnome/desktop/screensaver/idle-activation-enabled$" /etc/dconf/db/local.d/
 then
 echo "/org/gnome/desktop/screensaver/idle-activation-enabled" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
 fi
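Review bot: the `grep ":"` inserted into the `LOCKFILES=$(...)` pipeline presumably drops the `Binary file ... matches` lines that `grep -r` prints for the compiled databases directly under `/etc/dconf/db/`, which contain no `:` and would otherwise reach `cut` and `sed` as bogus file names. If that is the purpose, say so in the comment above the assignment, and consider `grep -rlI` instead, which skips binary files and prints only file names, removing both the `cut` and the "filenames don't contain :" assumption.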

bash remediation for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay' differs.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay
@@ -7,26 +7,36 @@
 # Check for setting in any of the DConf db directories
 # If files contain ibus or distro, ignore them.
 # The assignment assumes that individual filenames don't contain :
-readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/session\\]" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
+readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/session\\]" "/etc/dconf/db/" \
+ | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1)
 DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
 DBDIR="/etc/dconf/db/local.d"
 
 mkdir -p "${DBDIR}"
 
-if [ "${#SETTINGSFILES[@]}" -eq 0 ]
+# Comment out the configurations in databases different from the target one
+if [ "${#SETTINGSFILES[@]}" -ne 0 ]
 then
- [ ! -z ${DCONFFILE} ] || echo "" >> ${DCONFFILE}
- printf '%s\n' "[org/gnome/desktop/session]" >> ${DCONFFILE}
- printf '%s=%s\n' "idle-delay" "uint32 ${inactivity_timeout_value}" >> ${DCONFFILE}
-else
- escaped_value="$(sed -e 's/\\/\\\\/g' <<< "uint32 ${inactivity_timeout_value}")"
 if grep -q "^\\s*idle-delay\\s*=" "${SETTINGSFILES[@]}"
 then
 
- sed -i "s/\\s*idle-delay\\s*=\\s*.*/idle-delay=${escaped_value}/g" "${SETTINGSFILES[@]}"
+ sed -Ei "s/(^\s*)idle-delay(\s*=)/#\1idle-delay\2/g" "${SETTINGSFILES[@]}"
+ fi
+fi
+
+
+[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}"
+if ! grep -q "\\[org/gnome/desktop/session\\]" "${DCONFFILE}"
+then
+ printf '%s\n' "[org/gnome/desktop/session]" >> ${DCONFFILE}
+fi
+
+escaped_value="$(sed -e 's/\\/\\\\/g' <<< "uint32 ${inactivity_timeout_value}")"
+if grep -q "^\\s*idle-delay\\s*=" "${DCONFFILE}"
+then
+ sed -i "s/\\s*idle-delay\\s*=\\s*.*/idle-delay=${escaped_value}/g" "${DCONFFILE}"
 else
- sed -i "\\|\\[org/gnome/desktop/session\\]|a\\idle-delay=${escaped_value}" "${SETTINGSFILES[@]}"
- fi
+ sed -i "\\|\\[org/gnome/desktop/session\\]|a\\idle-delay=${escaped_value}" "${DCONFFILE}"
 fi
 
 dconf update
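Review bot: the header comment `# If files contain ibus or distro, ignore them.` above the `readarray` is now stale: the pipeline also excludes `local.d`, and matches in the remaining files are no longer updated in place but commented out so that the value lives only in `/etc/dconf/db/local.d/00-security-settings`. Update the comment in the macro to describe this, since the generated script is what an administrator reads when they find their own `idle-delay` setting commented out.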

bash remediation for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay' differs.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay
@@ -7,26 +7,36 @@
 # Check for setting in any of the DConf db directories
 # If files contain ibus or distro, ignore them.
 # The assignment assumes that individual filenames don't contain :
-readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/screensaver\\]" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
+readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/screensaver\\]" "/etc/dconf/db/" \
+ | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1)
 DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
 DBDIR="/etc/dconf/db/local.d"
 
 mkdir -p "${DBDIR}"
 
-if [ "${#SETTINGSFILES[@]}" -eq 0 ]
+# Comment out the configurations in databases different from the target one
+if [ "${#SETTINGSFILES[@]}" -ne 0 ]
 then
- [ ! -z ${DCONFFILE} ] || echo "" >> ${DCONFFILE}
- printf '%s\n' "[org/gnome/desktop/screensaver]" >> ${DCONFFILE}
- printf '%s=%s\n' "lock-delay" "uint32 ${var_screensaver_lock_delay}" >> ${DCONFFILE}
-else
- escaped_value="$(sed -e 's/\\/\\\\/g' <<< "uint32 ${var_screensaver_lock_delay}")"
 if grep -q "^\\s*lock-delay\\s*=" "${SETTINGSFILES[@]}"
 then
 
- sed -i "s/\\s*lock-delay\\s*=\\s*.*/lock-delay=${escaped_value}/g" "${SETTINGSFILES[@]}"
+ sed -Ei "s/(^\s*)lock-delay(\s*=)/#\1lock-delay\2/g" "${SETTINGSFILES[@]}"
+ fi
+fi
+
+
+[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}"
+if ! grep -q "\\[org/gnome/desktop/screensaver\\]" "${DCONFFILE}"
+then
+ printf '%s\n' "[org/gnome/desktop/screensaver]" >> ${DCONFFILE}
+fi
+
+escaped_value="$(sed -e 's/\\/\\\\/g' <<< "uint32 ${var_screensaver_lock_delay}")"
+if grep -q "^\\s*lock-delay\\s*=" "${DCONFFILE}"
+then
+ sed -i "s/\\s*lock-delay\\s*=\\s*.*/lock-delay=${escaped_value}/g" "${DCONFFILE}"
 else
- sed -i "\\|\\[org/gnome/desktop/screensaver\\]|a\\lock-delay=${escaped_value}" "${SETTINGSFILES[@]}"
- fi
+ sed -i "\\|\\[org/gnome/desktop/screensaver\\]|a\\lock-delay=${escaped_value}" "${DCONFFILE}"
 fi
 
 dconf update
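Review bot: the guard `grep -q "^\\s*lock-delay\\s*=" "${DCONFFILE}"` is anchored at the start of the line, but the substitution it guards, `sed -i "s/\\s*lock-delay\\s*=\\s*.*/lock-delay=${escaped_value}/g"`, is not, so the `s` command can also rewrite a commented `#lock-delay=...` line in the target file (leaving it commented) or any key whose name ends in `lock-delay`, while the `sed -Ei "s/(^\s*)lock-delay(\s*=)/..."` used for the other databases is anchored. Add `^` to the replacement pattern so both halves of the macro match the same lines.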

bash remediation for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled' differs.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled
@@ -4,36 +4,53 @@
 # Check for setting in any of the DConf db directories
 # If files contain ibus or distro, ignore them.
 # The assignment assumes that individual filenames don't contain :
-readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/screensaver\\]" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
+readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/screensaver\\]" "/etc/dconf/db/" \
+ | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1)
 DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
 DBDIR="/etc/dconf/db/local.d"
 
 mkdir -p "${DBDIR}"
 
-if [ "${#SETTINGSFILES[@]}" -eq 0 ]
+# Comment out the configurations in databases different from the target one
+if [ "${#SETTINGSFILES[@]}" -ne 0 ]
 then
- [ ! -z ${DCONFFILE} ] || echo "" >> ${DCONFFILE}
- printf '%s\n' "[org/gnome/desktop/screensaver]" >> ${DCONFFILE}
- printf '%s=%s\n' "lock-enabled" "true" >> ${DCONFFILE}
-else
- escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")"
 if grep -q "^\\s*lock-enabled\\s*=" "${SETTINGSFILES[@]}"
 then
 
- sed -i "s/\\s*lock-enabled\\s*=\\s*.*/lock-enabled=${escaped_value}/g" "${SETTINGSFILES[@]}"
+ sed -Ei "s/(^\s*)lock-enabled(\s*=)/#\1lock-enabled\2/g" "${SETTINGSFILES[@]}"
+ fi
+fi
+
+
+[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}"
+if ! grep -q "\\[org/gnome/desktop/screensaver\\]" "${DCONFFILE}"
+then
+ printf '%s\n' "[org/gnome/desktop/screensaver]" >> ${DCONFFILE}
+fi
+
+escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")"
+if grep -q "^\\s*lock-enabled\\s*=" "${DCONFFILE}"
+then
+ sed -i "s/\\s*lock-enabled\\s*=\\s*.*/lock-enabled=${escaped_value}/g" "${DCONFFILE}"
 else
- sed -i "\\|\\[org/gnome/desktop/screensaver\\]|a\\lock-enabled=${escaped_value}" "${SETTINGSFILES[@]}"
- fi
+ sed -i "\\|\\[org/gnome/desktop/screensaver\\]|a\\lock-enabled=${escaped_value}" "${DCONFFILE}"
 fi
 
 dconf update
 # Check for setting in any of the DConf db directories
-LOCKFILES=$(grep -r "^/org/gnome/desktop/screensaver/lock-enabled$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
+LOCKFILES=$(grep -r "^/org/gnome/desktop/screensaver/lock-enabled$" "/etc/dconf/db/" \
+ | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1)
 LOCKSFOLDER="/etc/dconf/db/local.d/locks"
 
 mkdir -p "${LOCKSFOLDER}"
 
-if [[ -z "${LOCKFILES}" ]]
+# Comment out the configurations in databases different from the target one
+if [[ ! -z "${LOCKFILES}" ]]
+then
+ sed -i -E "s|^/org/gnome/desktop/screensaver/lock-enabled$|#&|" "${LOCKFILES[@]}"
+fi
+
+if ! grep -qr "^/org/gnome/desktop/screensaver/lock-enabled$" /etc/dconf/db/local.d/
 then
 echo "/org/gnome/desktop/screensaver/lock-enabled" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
 fi
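Review bot: `dconf update` runs before the lock handling in this hunk, and nothing after `echo "/org/gnome/desktop/screensaver/lock-enabled" >> .../00-security-settings-lock` recompiles the database within the shown context, so unless the macro emits a second `dconf update` later, the newly written lock and the locks commented out in other databases stay uncompiled until the next unrelated update. Move the `dconf update` after the lock block, or emit a single one at the end of the combined settings-plus-lock remediation.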

bash remediation for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_locked' differs.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_locked
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_locked
@@ -2,12 +2,19 @@
 if rpm --quiet -q gdm; then
 
 # Check for setting in any of the DConf db directories
-LOCKFILES=$(grep -r "^/org/gnome/desktop/screensaver/lock-enabled$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
+LOCKFILES=$(grep -r "^/org/gnome/desktop/screensaver/lock-enabled$" "/etc/dconf/db/" \
+ | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1)
 LOCKSFOLDER="/etc/dconf/db/local.d/locks"
 
 mkdir -p "${LOCKSFOLDER}"
 
-if [[ -z "${LOCKFILES}" ]]
+# Comment out the configurations in databases different from the target one
+if [[ ! -z "${LOCKFILES}" ]]
+then
+ sed -i -E "s|^/org/gnome/desktop/screensaver/lock-enabled$|#&|" "${LOCKFILES[@]}"
+fi
+
+if ! grep -qr "^/org/gnome/desktop/screensaver/lock-enabled$" /etc/dconf/db/local.d/
 then
 echo "/org/gnome/desktop/screensaver/lock-enabled" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
 fi
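Review bot: `grep -qr "^/org/gnome/desktop/screensaver/lock-enabled$" /etc/dconf/db/local.d/` searches the whole database directory, but dconf only honours lock entries under the `locks/` subdirectory, so a stray lock path line in a keyfile elsewhere in `local.d` satisfies the check without producing a lock. Search `"${LOCKSFOLDER}"`, which is already defined a few lines above, instead of the hard-coded parent directory.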

bash remediation for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_mode_blank' differs.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_mode_blank
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_mode_blank
@@ -4,36 +4,53 @@
 # Check for setting in any of the DConf db directories
 # If files contain ibus or distro, ignore them.
 # The assignment assumes that individual filenames don't contain :
-readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/screensaver\\]" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
+readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/screensaver\\]" "/etc/dconf/db/" \
+ | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1)
 DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
 DBDIR="/etc/dconf/db/local.d"
 
 mkdir -p "${DBDIR}"
 
-if [ "${#SETTINGSFILES[@]}" -eq 0 ]
+# Comment out the configurations in databases different from the target one
+if [ "${#SETTINGSFILES[@]}" -ne 0 ]
 then
- [ ! -z ${DCONFFILE} ] || echo "" >> ${DCONFFILE}
- printf '%s\n' "[org/gnome/desktop/screensaver]" >> ${DCONFFILE}
- printf '%s=%s\n' "picture-uri" "string ''" >> ${DCONFFILE}
-else
- escaped_value="$(sed -e 's/\\/\\\\/g' <<< "string ''")"
 if grep -q "^\\s*picture-uri\\s*=" "${SETTINGSFILES[@]}"
 then
 
- sed -i "s/\\s*picture-uri\\s*=\\s*.*/picture-uri=${escaped_value}/g" "${SETTINGSFILES[@]}"
+ sed -Ei "s/(^\s*)picture-uri(\s*=)/#\1picture-uri\2/g" "${SETTINGSFILES[@]}"
+ fi
+fi
+
+
+[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}"
+if ! grep -q "\\[org/gnome/desktop/screensaver\\]" "${DCONFFILE}"
+then
+ printf '%s\n' "[org/gnome/desktop/screensaver]" >> ${DCONFFILE}
+fi
+
+escaped_value="$(sed -e 's/\\/\\\\/g' <<< "string ''")"
+if grep -q "^\\s*picture-uri\\s*=" "${DCONFFILE}"
+then
+ sed -i "s/\\s*picture-uri\\s*=\\s*.*/picture-uri=${escaped_value}/g" "${DCONFFILE}"
 else
- sed -i "\\|\\[org/gnome/desktop/screensaver\\]|a\\picture-uri=${escaped_value}" "${SETTINGSFILES[@]}"
- fi
+ sed -i "\\|\\[org/gnome/desktop/screensaver\\]|a\\picture-uri=${escaped_value}" "${DCONFFILE}"
 fi
 
 dconf update
 # Check for setting in any of the DConf db directories
-LOCKFILES=$(grep -r "^/org/gnome/desktop/screensaver/picture-uri$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
+LOCKFILES=$(grep -r "^/org/gnome/desktop/screensaver/picture-uri$" "/etc/dconf/db/" \
+ | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1)
 LOCKSFOLDER="/etc/dconf/db/local.d/locks"
 
 mkdir -p "${LOCKSFOLDER}"
 
-if [[ -z "${LOCKFILES}" ]]
+# Comment out the configurations in databases different from the target one
+if [[ ! -z "${LOCKFILES}" ]]
+then
+ sed -i -E "s|^/org/gnome/desktop/screensaver/picture-uri$|#&|" "${LOCKFILES[@]}"
+fi
+
+if ! grep -qr "^/org/gnome/desktop/screensaver/picture-uri$" /etc/dconf/db/local.d/
 then
 echo "/org/gnome/desktop/screensaver/picture-uri" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
 fi
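Review bot: `if [[ ! -z "${LOCKFILES}" ]]` reads more naturally as `[[ -n "${LOCKFILES}" ]]`, which is also what shellcheck SC2236 recommends; with the CI shellcheck job already failing on this PR, it is worth cleaning up while the macro is being touched.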

bash remediation for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_user_info' differs.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_user_info
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_user_info
@@ -4,36 +4,53 @@
 # Check for setting in any of the DConf db directories
 # If files contain ibus or distro, ignore them.
 # The assignment assumes that individual filenames don't contain :
-readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/screensaver\\]" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
+readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/screensaver\\]" "/etc/dconf/db/" \
+ | grep -v 'distro\|ibus\|local.d' | cut -d":" -f1)
 DCONFFILE="/etc/dconf/db/local.d/00-security-settings"
 DBDIR="/etc/dconf/db/local.d"
 
 mkdir -p "${DBDIR}"
 
-if [ "${#SETTINGSFILES[@]}" -eq 0 ]
+# Comment out the configurations in databases different from the target one
+if [ "${#SETTINGSFILES[@]}" -ne 0 ]
 then
- [ ! -z ${DCONFFILE} ] || echo "" >> ${DCONFFILE}
- printf '%s\n' "[org/gnome/desktop/screensaver]" >> ${DCONFFILE}
- printf '%s=%s\n' "show-full-name-in-top-bar" "false" >> ${DCONFFILE}
-else
- escaped_value="$(sed -e 's/\\/\\\\/g' <<< "false")"
 if grep -q "^\\s*show-full-name-in-top-bar\\s*=" "${SETTINGSFILES[@]}"
 then
 
- sed -i "s/\\s*show-full-name-in-top-bar\\s*=\\s*.*/show-full-name-in-top-bar=${escaped_value}/g" "${SETTINGSFILES[@]}"
+ sed -Ei "s/(^\s*)show-full-name-in-top-bar(\s*=)/#\1show-full-name-in-top-bar\2/g" "${SETTINGSFILES[@]}"
+ fi
+fi
+
+
+[ ! -z "${DCONFFILE}" ] && echo "" >> "${DCONFFILE}"
+if ! grep -q "\\[org/gnome/desktop/screensaver\\]" "${DCONFFILE}"
+then
+ printf '%s\n' "[org/gnome/desktop/screensaver]" >> ${DCONFFILE}
+fi
+
+escaped_value="$(sed -e 's/\\/\\\\/g' <<< "false")"
+if grep -q "^\\s*show-full-name-in-top-bar\\s*=" "${DCONFFILE}"
+then
+ sed -i "s/\\s*show-full-name-in-top-bar\\s*=\\s*.*/show-full-name-in-top-bar=${escaped_value}/g" "${DCONFFILE}"
 else
- sed -i "\\|\\[org/gnome/desktop/screensaver\\]|a\\show-full-name-in-top-bar=${escaped_value}" "${SETTINGSFILES[@]}"
- fi
+ sed -i "\\|\\[org/gnome/desktop/screensaver\\]|a\\show-full-name-in-top-bar=${escaped_value}" "${DCONFFILE}"
 fi
 
 dconf update
 # Check for setting in any of the DConf db directories
-LOCKFILES=$(grep -r "^/org/gnome/desktop/screensaver/show-full-name-in-top-bar$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
+LOCKFILES=$(grep -r "^/org/gnome/desktop/screensaver/show-full-name-in-top-bar$" "/etc/dconf/db/" \
+ | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1)
 LOCKSFOLDER="/etc/dconf/db/local.d/locks"
 
 mkdir -p "${LOCKSFOLDER}"
 
-if [[ -z "${LOCKFILES}" ]]
+# Comment out the configurations in databases different from the target one
+if [[ ! -z "${LOCKFILES}" ]]
+then
+ sed -i -E "s|^/org/gnome/desktop/screensaver/show-full-name-in-top-bar$|#&|" "${LOCKFILES[@]}"
+fi
+
+if ! grep -qr "^/org/gnome/desktop/screensaver/show-full-name-in-top-bar$" /etc/dconf/db/local.d/
 then
 echo "/org/gnome/desktop/screensaver/show-full-name-in-top-bar" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
 fi
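Review bot: the lines commented out in other databases by `sed -Ei "s/(^\s*)show-full-name-in-top-bar(\s*=)/#\1show-full-name-in-top-bar\2/g"` and `sed -i -E "s|^/org/gnome/desktop/screensaver/show-full-name-in-top-bar$|#&|"` are indistinguishable afterwards from comments an administrator wrote, and nothing records which remediation changed them. Consider a fixed marker instead of a bare `#` (for example `# disabled by SSG remediation: `), or at least echo the affected file names, so the change is auditable and reversible.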

bash remediation for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_user_locks' differs.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_user_locks
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_user_locks
@@ -2,12 +2,19 @@
 if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
 
 # Check for setting in any of the DConf db directories
-LOCKFILES=$(grep -r "^/org/gnome/desktop/screensaver/lock-delay$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1)
+LOCKFILES=$(grep -r "^/org/gnome/desktop/screensaver/lock-delay$" "/etc/dconf/db/" \
+ | grep -v 'distro\|ibus\|local.d' | grep ":" | cut -d":" -f1)
 LOCKSFOLDER="/etc/dconf/db/local.d/locks"
 
 mkdir -p "${LOCKSFOLDER}"
 
-if [[ -z "${LOCKFILES}" ]]
+# Comment out the configurations in databases different from the target one
+if [[ ! -z "${LOCKFILES}" ]]
+then
+ sed -i -E "s|^/org/gnome/desktop/screensaver/lock-delay$|#&|" "${LOCKFILES[@]}"
+fi
+
+if ! grep -qr "^/org/gnome/desktop/screensaver/lock-delay$" /etc/dconf/db/local.d/
 then
 echo "/org/gnome/desktop/screensaver/lock-delay" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock"
 fi
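Review bot: `grep -v 'distro\|ibus\|local.d'` matches those strings anywhere in the `file:line` output, with an unescaped `.`, so a site database whose directory name merely contains `distro` or `ibus` is dropped from `LOCKFILES` and keeps its uncommented lock while the script proceeds as if it had been handled. Anchor the exclusions on the database directory names, e.g. `grep -v -e '/distro\.d/' -e '/ibus\.d/' -e '/local\.d/'`, so only the intended directories are skipped.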

bash remediation for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_session_idle_user_locks' differs.
--- xccdf_org.ssgprojec

... The diff is trimmed here ...

@jan-cerny jan-cerny self-assigned this Nov 2, 2022
@jan-cerny jan-cerny added this to the 0.1.65 milestone Nov 2, 2022
@jan-cerny jan-cerny added Ansible Ansible remediation update. OVAL OVAL update. Related to the systems assessments. labels Nov 2, 2022
@jan-cerny jan-cerny left a comment

It mostly looks good. I have run a lot of test scenarios for the rules locally and they passed with both ansible and oscap use of remediation. But, please address the failing CI shellcheck.

Review threads on shared/macros/10-bash.jinja (outdated, resolved)
OVAL only checks for one specific db, but bash macros allow any db

Signed-off-by: Edgar Aguilar <edgar.aguilar@oracle.com>
Signed-off-by: Edgar Aguilar <edgar.aguilar@oracle.com>
@codeclimate
codeclimate bot commented Nov 2, 2022

Code Climate has analyzed commit 891a91b and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 46.6% (0.0% change).

View more on Code Climate.

@jan-cerny jan-cerny left a comment

Automatus tests are currently broken - see #9753. But, when executed locally, they pass:

[jcerny@thinkpad scap-security-guide{pr/9751}]$ python3 tests/automatus.py rule  --libvirt qemu:///system ssgts_rhel9 dconf_gnome_screensaver_lock_delay,dconf_gnome_disable_geolocation,dconf_gnome_disable_user_list,dconf_gnome_screensaver_idle_delay,dconf_gnome_screensaver_idle_activation_locked,dconf_gnome_disable_automount_open,dconf_gnome_disable_ctrlaltdel_reboot,dconf_gnome_remote_access_encryption,dconf_gnome_disable_wifi_notification,dconf_gnome_disable_wifi_create,dconf_gnome_login_banner_text,dconf_gnome_disable_restart_shutdown,dconf_gnome_screensaver_lock_enabled,dconf_gnome_remote_access_credential_prompt,dconf_gnome_disable_automount,dconf_gnome_enable_smartcard_auth,dconf_gnome_screensaver_idle_activation_enabled,dconf_gnome_screensaver_lock_locked,dconf_gnome_disable_thumbnailers,dconf_gnome_login_retries,dconf_gnome_disable_autorun,dconf_gnome_session_idle_user_locks,dconf_gnome_banner_enabled,dconf_gnome_screensaver_mode_blank,dconf_gnome_screensaver_user_locks,dconf_gnome_screensaver_user_info
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2022-11-03-1005/test_suite.log
WARNING - Script ubuntu_correct_value_stig.pass.sh is not applicable on given platform
WARNING - Script ubuntu_missing_value_stig.fail.sh is not applicable on given platform
WARNING - Script correct_value_stig.pass.sh is not applicable on given platform
WARNING - Script missing_value_stig.fail.sh is not applicable on given platform
WARNING - Script correct_value.pass.sh is not applicable on given platform
WARNING - Script correct_value_stig_wrong_db.fail.sh is not applicable on given platform
WARNING - Script wrapped_banner.fail.sh is not applicable on given platform
WARNING - Script wrong_value.fail.sh is not applicable on given platform
INFO - xccdf_org.ssgproject.content_rule_dconf_gnome_banner_enabled
WARNING - Script empty.fail.sh - profile xccdf_org.ssgproject.content_profile_ncp not found in datastream
INFO - Script correct_value.pass.sh using profile (all) OK
INFO - Script correct_value_wrong_db.fail.sh using profile (all) OK
INFO - Script wrong_value.fail.sh using profile (all) OK
INFO - xccdf_org.ssgproject.content_rule_dconf_gnome_login_banner_text
INFO - Script wrong_value_stig.fail.sh using profile xccdf_org.ssgproject.content_profile_stig OK
INFO - xccdf_org.ssgproject.content_rule_dconf_gnome_disable_restart_shutdown
INFO - Script correct_value.pass.sh using profile (all) OK
INFO - Script correct_value_wrong_db.fail.sh using profile (all) OK
INFO - Script wrong_value.fail.sh using profile (all) OK
INFO - xccdf_org.ssgproject.content_rule_dconf_gnome_disable_user_list
INFO - Script correct_value.pass.sh using profile (all) OK
INFO - Script missing_lock.fail.sh using profile (all) OK
INFO - Script missing_setting.fail.sh using profile (all) OK
INFO - Script wrong_value.fail.sh using profile (all) OK
INFO - Script correct_value_wrong_db.fail.sh using profile (all) OK
INFO - xccdf_org.ssgproject.content_rule_dconf_gnome_enable_smartcard_auth
INFO - Script correct_value.pass.sh using profile (all) OK
INFO - Script correct_value_wrong_db.fail.sh using profile (all) OK
INFO - Script wrong_value.fail.sh using profile (all) OK
INFO - xccdf_org.ssgproject.content_rule_dconf_gnome_login_retries
INFO - Script correct_value.pass.sh using profile (all) OK
INFO - Script correct_value_wrong_db.fail.sh using profile (all) OK
INFO - Script wrong_value.fail.sh using profile (all) OK
INFO - xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount
INFO - Script correct_value.pass.sh using profile xccdf_org.ssgproject.content_profile_stig OK
INFO - Script wrong_value.fail.sh using profile xccdf_org.ssgproject.content_profile_stig OK
INFO - Script correct_value_wrong_db.fail.sh using profile xccdf_org.ssgproject.content_profile_stig OK
INFO - xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount_open
INFO - Script correct_value.pass.sh using profile xccdf_org.ssgproject.content_profile_stig OK
INFO - Script wrong_value.fail.sh using profile xccdf_org.ssgproject.content_profile_stig OK
INFO - Script correct_value_wrong_db.fail.sh using profile xccdf_org.ssgproject.content_profile_stig OK
INFO - xccdf_org.ssgproject.content_rule_dconf_gnome_disable_autorun
INFO - Script correct_value.pass.sh using profile xccdf_org.ssgproject.content_profile_stig OK
INFO - Script wrong_value.fail.sh using profile xccdf_org.ssgproject.content_profile_stig OK
INFO - Script correct_value_wrong_db.fail.sh using profile xccdf_org.ssgproject.content_profile_stig OK
INFO - xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_activation_enabled
INFO - Script comment.fail.sh using profile (all) OK
INFO - Script correct_value.pass.sh using profile (all) OK
INFO - Script missing_lock.fail.sh using profile (all) OK
INFO - Script setting_not_there.fail.sh using profile (all) OK
INFO - Script wrong_value.fail.sh using profile (all) OK
INFO - xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_activation_locked
INFO - Script correct_value.pass.sh using profile (all) OK
INFO - Script wrong_value.fail.sh using profile (all) OK
INFO - Script correct_value_wrong_db.fail.sh using profile (all) OK
INFO - xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay
INFO - Script comment.fail.sh using profile (all) OK
INFO - Script correct_value.pass.sh using profile (all) OK
INFO - Script setting_not_there.fail.sh using profile (all) OK
INFO - Script wrong_value.fail.sh using profile (all) OK
INFO - Script correct_value_wrong_db.fail.sh using profile (all) OK
INFO - xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay
INFO - Script comment.fail.sh using profile (all) OK
INFO - Script correct_value.pass.sh using profile (all) OK
INFO - Script setting_not_there.fail.sh using profile (all) OK
INFO - Script wrong_value.fail.sh using profile (all) OK
INFO - Script correct_value_wrong_db.fail.sh using profile (all) OK
INFO - xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled
INFO - Script comment.fail.sh using profile (all) OK
INFO - Script correct_value.pass.sh using profile (all) OK
INFO - Script correct_value_unlocked.fail.sh using profile (all) OK
INFO - Script setting_not_there.fail.sh using profile (all) OK
INFO - Script wrong_value.fail.sh using profile (all) OK
INFO - Script correct_value_wrong_db.fail.sh using profile (all) OK
INFO - xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_locked
INFO - Script correct_value.pass.sh using profile (all) OK
INFO - Script wrong_value.fail.sh using profile (all) OK
INFO - Script correct_value_wrong_db.fail.sh using profile (all) OK
INFO - xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_mode_blank
INFO - Script comment.fail.sh using profile (all) OK
INFO - Script correct_value.pass.sh using profile (all) OK
INFO - Script correct_value_not_locked.fail.sh using profile (all) OK
INFO - Script setting_not_there.fail.sh using profile (all) OK
INFO - Script wrong_value.fail.sh using profile (all) OK
INFO - Script correct_value_wrong_db.fail.sh using profile (all) OK
INFO - xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_user_locks
INFO - Script correct_value.pass.sh using profile (all) OK
INFO - Script wrong_value.fail.sh using profile (all) OK
INFO - Script correct_value_wrong_db.fail.sh using profile (all) OK
INFO - xccdf_org.ssgproject.content_rule_dconf_gnome_session_idle_user_locks
INFO - Script comented_value.fail.sh using profile (all) OK
INFO - Script correct_value.pass.sh using profile (all) OK
INFO - Script missing_value.fail.sh using profile (all) OK
INFO - Script correct_value_wrong_db.fail.sh using profile (all) OK
INFO - xccdf_org.ssgproject.content_rule_dconf_gnome_disable_ctrlaltdel_reboot
INFO - Script comment.fail.sh using profile (all) OK
INFO - Script correct_value.pass.sh using profile (all) OK
INFO - Script correct_value_unlocked.fail.sh using profile (all) OK
INFO - Script setting_not_there.fail.sh using profile (all) OK
INFO - Script wrong_value.fail.sh using profile (all) OK
INFO - Script correct_value_wrong_db.fail.sh using profile (all) OK
[jcerny@thinkpad scap-security-guide{pr/9751}]$ 

@jan-cerny jan-cerny merged commit 84624bd into ComplianceAsCode:master Nov 4, 2022
@Xeicker Xeicker mentioned this pull request Feb 7, 2023
Labels
Ansible Ansible remediation update. needs-ok-to-test Used by openshift-ci bot. OVAL OVAL update. Related to the systems assessments.