Introduced rule to disable XDMCP in gdm #5997
Conversation
@mildas That's wrong, it applies to all products. You are right that it doesn't belong to any profile.
Compare ebe6c91 to 5c17687
linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_xdmcp/rule.yml
to have those thin clients on a separate network that cannot be accessed by the outside world, and can only connect to the server.
The only point from which you need to access outside is the server. This type of set up should never use an unmanaged hub or other sniffable network.

severity: medium
Since it is unencrypted, I believe that the severity is a high.
Check whether there is the xdmcp section in the gdm configuration - run <code>grep '^\s*\[xdmcp\]' /etc/gdm/custom.conf</code>
If no results are returned, the whole section is missing, in which case you can add it to the file
using printf - <code>printf '%\n' "" "[xdmcp]" "Enable=false" >> /etc/gdm/custom.conf</code>

If grep returned results, you have to open the custom.conf file in a text editor,
and make sure that there is only one assignment to Enable,
namely Enable=false between the beginning of the [xdmcp] section
and another section or the end of the file.
To ensure that XDMCP is disabled in /etc/gdm/custom.conf, run the following command:
grep -Pzo "\[xdmcp\]\nEnable=false" /etc/gdm/custom.conf
The output should return the following:
[xdmcp] Enable=false
shared/macros-bash.jinja
elif grep -qs '[[:space:]]*\[{{{ section }}}]' '{{{ filename }}}'; then
sed -i '/[[:space:]]*\[{{{ section }}}]/a {{{ key }}}={{{ value }}}' '{{{ filename }}}'
else
mkdir -p {{{ "/".join(filename.split("/")[:-1]) }}}
/etc/gdm and specifically /etc/gdm/custom.conf is owned by the gdm package. It would be better to check if the gdm package exists or /etc/gdm/custom.conf exists rather than mkdir the directory and adding the file in the event that /etc/gdm/ doesn't exist.
The OVAL evaluates as not applicable if gdm is not installed, so this case is covered in case of oscap ... --remediate. Generally, that can be said about almost every config file that we remediate. Your point is legitimate, but if we decide to enforce this behavior, let it be a project-wide coordinated effort. The worst thing is a mix of approaches in similar remediations, which is inconsistent, and provides poor guidance to inexperienced content authors that learn by example.
oscap shouldn't remediate if not applicable and remediating something that isn't installed is pointless.
oscap won't execute this remediation if gdm is not installed.
Question: Why are we making directories? Seems like we shouldn't be doing this a part of remediations. Are there remediations that need to have a directory created that isn't provided by a rpm?
That's a good point, we can probably abort the remediation if the directory doesn't exist.
Done, non-applicability is assumed if the parent folder of the config file doesn't exist.
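The remediation procedure from the rule description and the macro discussed above, written out as an added shell example (it is not the project's macros-bash.jinja nor the rule's own remediation): it keeps exactly one Enable=false under [xdmcp], appends the section when it is missing, and treats a missing parent directory as not applicable, as agreed in the thread. The names ensure_ini_key and xdmcp_disabled are my own, and the code assumes POSIX sh with awk and grep.

```shell
#!/bin/sh
# Added example (not the project's macro): keep exactly one key=value in an
# INI-style section. Handles: key present once or several times, section
# present without the key, section missing, parent directory missing.
# Assumes POSIX sh with awk and grep; function names are hypothetical.
ensure_ini_key() {
    file=$1; section=$2; key=$3; value=$4
    dir=$(dirname "$file")
    # Parent directory missing means the owning package (gdm here) is not
    # installed: report not applicable (status 2) instead of creating it.
    if [ ! -d "$dir" ]; then
        echo "$dir does not exist, remediation not applicable" >&2
        return 2
    fi
    [ -f "$file" ] || : > "$file"
    if grep -qs "^[[:space:]]*\[$section][[:space:]]*\$" "$file"; then
        # Section exists: rewrite so one key=value sits between its header
        # and the next header (or end of file); other sections are untouched.
        awk -v sec="$section" -v key="$key" -v val="$value" '
            /^[ \t]*\[/ {
                if (insec && !done) { print key "=" val; done = 1 }
                insec = ($0 ~ ("^[ \t]*\\[" sec "][ \t]*$"))
            }
            insec && $0 ~ ("^[ \t]*" key "[ \t]*=") {
                if (!done) { print key "=" val; done = 1 }
                next
            }
            { print }
            END { if (insec && !done) print key "=" val }
        ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        # Section missing: append it together with the assignment
        # (%s is the conversion the rule text's printf is missing).
        printf '%s\n' "" "[$section]" "$key=$value" >> "$file"
    fi
}

# Check side: succeeds only when [xdmcp] contains Enable=false.
xdmcp_disabled() {
    awk '
        /^[ \t]*\[/ { insec = ($0 ~ /^[ \t]*\[xdmcp][ \t]*$/) }
        insec && /^[ \t]*Enable[ \t]*=[ \t]*false[ \t]*$/ { found = 1 }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}
```

Usage: `ensure_ini_key /etc/gdm/custom.conf xdmcp Enable false` followed by `xdmcp_disabled /etc/gdm/custom.conf` as the check.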
@redhatrises I am happy to incorporate your suggestions, thanks for those!
Compare c867e1f to 9af0340
Co-authored-by: Gabe Alford <redhatrises@gmail.com>
If the parent folder of the config file to be remediated doesn't exist, don't do anything and just say that we think that remediation is not applicable.
Co-authored-by: Gabe Alford <redhatrises@gmail.com>
Compare 9af0340 to 0fd3aed
I believe that everything has been addressed here. Merging. Any new issues can be fixed in follow up PRs.
Introduce a new rule to disable the insecure xdmcp.
TBD:
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1807173