Introduced rule to disable XDMCP in gdm #5997
Conversation
openshift-ci-robot
added
the
do-not-merge/work-in-progress
@mildas That's wrong, it applies to all products. You are right that it doesn't belong to any profile. |
matejak
changed the title
openshift-ci-robot
removed
the
do-not-merge/work-in-progress
matejak
force-pushed
the
xdmcp_disabled
branch
from
ebe6c91
to
5c17687
Compare
linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_xdmcp/rule.yml
Outdated
Show resolved
Hide resolved
linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_xdmcp/rule.yml
Outdated
Show resolved
Hide resolved
| to have those thin clients on a separate network that cannot be accessed by the outside world, and can only connect to the server. | ||
| The only point from which you need to access outside is the server. This type of set up should never use an unmanaged hub or other sniffable network. | ||
|
|
||
| severity: medium |
There was a problem hiding this comment.
Since it is unencrypted, I believe that the severity is a high.
linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_xdmcp/rule.yml
Outdated
Show resolved
Hide resolved
linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_xdmcp/rule.yml
Outdated
Show resolved
Hide resolved
| Check whether there is the xdmcp section in the gdm configuration - run <code>grep '^\s*\[xdmcp\]' /etc/gdm/custom.conf</code> | ||
| If no results are returned, the whole section is missing, in which case you can add it to the file | ||
| using printf - <code>printf '%\n' "" "[xdmcp]" "Enable=false" >> /etc/gdm/custom.conf</code> | ||
|
|
||
| If grep returned results, you have to open the custom.conf file in a text editor, | ||
| and make sure that there is only one assignment to Enable, | ||
| namely Enable=false between the beginning of the [xdmcp] section | ||
| and another section or the end of the file. |
There was a problem hiding this comment.
To ensure that XDMCP is disabled in /etc/gdm/custom.conf, run the following command:
grep -Pzo "\[xdmcp\]\nEnable=false" /etc/gdm/custom.conf
The output should return the following:
[xdmcp] Enable=false
shared/macros-bash.jinja
Outdated
| elif grep -qs '[[:space:]]*\[{{{ section }}}]' '{{{ filename }}}'; then | ||
| sed -i '/[[:space:]]*\[{{{ section }}}]/a {{{ key }}}={{{ value }}}' '{{{ filename }}}' | ||
| else | ||
| mkdir -p {{{ "/".join(filename.split("/")[:-1]) }}} |
There was a problem hiding this comment.
/etc/gdm and specifically /etc/gdm/custom.conf is owned by the gdm package. It would be better to check if gdm package exists or /etc/gdm/custom.conf exists rather than mkdir the directory and adding the file in the event that /etc/gdm/ doesn't exist.
There was a problem hiding this comment.
The OVAL evaluates as not applicable if gdm is not installed, so this case is covered in case of oscap ... --remediate. Generally, that can be said about almost every config file that we remediate. Your point is legitimate, but if we decide to enforce this behavior, let it be a project-wide coordinated effort. The worst thing is a mix of approaches in similar remediations, which is inconsistent, and provides poor guidance to inexperienced content authors that learn by example.
There was a problem hiding this comment.
oscap shouldn't remediate if not applicable and remediating something that isn't installed is pointless.
There was a problem hiding this comment.
oscap won't execute this remediation if gdm is not installed.
There was a problem hiding this comment.
Question: Why are we making directories? Seems like we shouldn't be doing this a part of remediations. Are there remediations that need to have a directory created that isn't provided by a rpm?
There was a problem hiding this comment.
That's a good point, we can probably abort the remediation if the directory doesn't exist.
There was a problem hiding this comment.
Done, non-applicability is assumed if the parent folder of the config file doesn't exist.
linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_xdmcp/rule.yml
Outdated
Show resolved
Hide resolved
linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_xdmcp/rule.yml
Outdated
Show resolved
Hide resolved
|
@redhatrises I am happy to incorporate your suggestions, thanks for those! |
jan-cerny
changed the title
|
/retest |
1 similar comment
|
/retest |
matejak
force-pushed
the
xdmcp_disabled
branch
2 times, most recently
from
c867e1f
to
9af0340
Compare
Co-authored-by: Gabe Alford <redhatrises@gmail.com>
If the parent folder of the config file to be remediated doesn't exist, don't do anything and just say that we think that remediation is not applicable.
Co-authored-by: Gabe Alford <redhatrises@gmail.com>
matejak
force-pushed
the
xdmcp_disabled
branch
from
9af0340
to
0fd3aed
Compare
|
Changes identified: |
|
@matejak: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
I believe that everything has been addressed here. Merging. Any new issues can be fixed in follow up PRs. |
Introduce a new rule to disable the insecure xdmcp.
TBD:
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1807173