Add rules for SLES-12-010060 #6806

Merged (3 commits) on Apr 14, 2021
@@ -1,8 +1,13 @@
# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol
# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle
# reboot = false
# strategy = unknown
# complexity = low
# disruption = medium

- name: Dconf Update
command: dconf update
when: ansible_distribution == 'SLES'

- name: "Enable GNOME3 Screensaver Lock After Idle Period"
ini_file:
dest: "/etc/dconf/db/local.d/00-security-settings"
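Review bot: the new leading `Dconf Update` task runs `dconf update` before any setting has been written, so it compiles nothing new, and the existing `Dconf Update` task at the end of the file already runs after the `ini_file` changes for every platform; drop the leading one. If it is kept, give the `command` task `changed_when: false`, otherwise the play reports a change on every run on SLES.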
@@ -19,5 +24,14 @@
line: '/org/gnome/desktop/screensaver/lock-enabled'
create: yes

- name: "Check GNOME3 screenserver disable-lock-screen false"
command: gsettings get org.gnome.desktop.lockdown disable-lock-screen
register: cmd_out
when: ansible_distribution == 'SLES'

- name: "Update GNOME3 screenserver disable-lock-screen false"
command: gsettings set org.gnome.desktop.lockdown disable-lock-screen false
when: ansible_distribution == 'SLES'

- name: Dconf Update
command: dconf update
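Review bot: `cmd_out`, registered by the "Check GNOME3 screenserver disable-lock-screen false" task, is never consulted, so the check is dead code and the following `gsettings set` task always runs (and always reports changed) on SLES. Either guard it with `when: ansible_distribution == 'SLES' and cmd_out.stdout != 'false'` and add `changed_when: false` to the check, or drop the check task. Two smaller points: both task names spell screensaver as "screenserver", and `gsettings set` run from the play writes the per-user dconf database of the account Ansible executes as (normally root), not the system-wide `/etc/dconf/db/local.d/00-security-settings` keyfile the `ini_file` tasks manage, so other users' sessions are not covered; the `org/gnome/desktop/lockdown` key can be managed through `ini_file` in that same file instead.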
@@ -1,10 +1,17 @@
documentation_complete: true

prodtype: fedora,ol7,ol8,rhel7,rhel8
prodtype: fedora,ol7,ol8,rhel7,rhel8,sle12
Collaborator:

Noticed that you add only sle12 here, but the ansible modifications and the if clause in ocil also mention sle15. Is that intentional?

Contributor Author:

At this point we don't have a sle-15 STIG for this item, but in case one drops we did not want to mess with turning `if = sle12` into `if in [sle12, sle15]`; we had too many places where we needed to do that because we just didn't think far enough ahead when we did sle-12.

title: 'Enable GNOME3 Screensaver Lock After Idle Period'

description: |-
{{% if product in ['sle12','sle15'] %}}
To activate locking of the screensaver in the GNOME3 desktop when it is activated,
run the following command to configure the SUSE operating system to allow the user to lock the GUI:
<pre>gsettings set org.gnome.desktop.lockdown disable-lock-screen false</pre>
Validate that <tt>disable-lock-screen</tt> has been set to <tt>false</tt> with the command:
<pre>gsettings get org.gnome.desktop.lockdown disable-lock-screen</pre>
{{% else %}}
To activate locking of the screensaver in the GNOME3 desktop when it is activated,
add or set <tt>lock-enabled</tt> to <tt>true</tt> in
<tt>/etc/dconf/db/local.d/00-security-settings</tt>. For example:
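Review bot: the SLE branch of `description` opens with "To activate locking of the screensaver in the GNOME3 desktop when it is activated", but `gsettings set org.gnome.desktop.lockdown disable-lock-screen false` only lifts the lockdown that stops users from locking the screen; it does not make the screensaver lock after the idle period the way `lock-enabled` does in the `else` branch. Reword that first sentence to the STIG phrasing the branch already uses ("allow the user to lock the GUI"), otherwise the rule title and the SLE text describe two different controls. The `prodtype` question (sle12 only, while the template conditions test `['sle12','sle15']`) is already raised in the thread above.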
@@ -16,6 +23,7 @@ description: |-
For example:
<pre>/org/gnome/desktop/screensaver/lock-enabled</pre>
After the settings have been set, run <tt>dconf update</tt>.
{{% endif %}}

rationale: |-
A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity
@@ -26,13 +34,16 @@ severity: medium
identifiers:
cce@rhel7: CCE-80112-6
cce@rhel8: CCE-80777-6
cce@sle12: CCE-83222-0

references:
stigid@ol7: OL07-00-010060
cjis: 5.5.5
cui: 3.1.10
disa: CCI-000056,CCI-000058
disa@sle12: CCI-000060
nist: CM-6(a)
nist@sle12: AC-11(b),AC-11(a),AC-11(1),AC-11(1).1,AC-11.1(iii),AC-11
nist-csf: PR.AC-7
ospp: FMT_MOF_EXT.1
pcidss: Req-8.1.8
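Review bot: `nist@sle12: AC-11(b),AC-11(a),AC-11(1),AC-11(1).1,AC-11.1(iii),AC-11` is unordered and mixes two notations (`AC-11(1).1` beside `AC-11.1(iii)`); sort the list and confirm both spellings are intended rather than one being a typo of the other, since the reference tables are generated verbatim from these strings.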
@@ -44,15 +55,24 @@ references:
iso27001-2013: A.18.1.4,A.9.2.1,A.9.2.4,A.9.3.1,A.9.4.2,A.9.4.3
cis-csc: 1,12,15,16
stigid@rhel8: RHEL-08-020030
stigid@sle12: SLES-12-010060

ocil_clause: 'screensaver locking is not enabled and/or has not been set or configured correctly'

ocil: |-
To check the status of the idle screen lock activation, run the following command:
{{% if product in ['sle12','sle15'] %}}
Collaborator:

Could you please add this product-specific if clause also to the description? The description is shown in the HTML guide and report. The ocil is not.

Contributor Author:

Will do.

<pre>gsettings get org.gnome.desktop.lockdown disable-lock-screen</pre>
If the result is "true", this is a finding.
Configure the SUSE operating system to allow the user to lock the GUI.
Run the following command to configure the SUSE operating system to allow the user to lock the GUI:
<pre>gsettings set org.gnome.desktop.lockdown disable-lock-screen false</pre>
{{% else %}}
<pre>$ gsettings get org.gnome.desktop.screensaver lock-enabled</pre>
If properly configured, the output should be <tt>true</tt>.
To ensure that users cannot change how long until the the screensaver locks, run the following:
<pre>$ grep lock-enabled /etc/dconf/db/local.d/locks/*</pre>
If properly configured, the output for <tt>lock-enabled</tt> should be <tt>/org/gnome/desktop/screensaver/lock-enabled</tt>
{{% endif %}}

platform: machine
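Review bot: the SLE branch of `ocil` mixes the check with remediation: "Configure the SUSE operating system to allow the user to lock the GUI." and the `gsettings set ... disable-lock-screen false` command are fix instructions that belong in `description`, while `ocil` should stop at "If the result is "true", this is a finding." `ocil_clause` ('screensaver locking is not enabled and/or has not been set or configured correctly') also does not describe the SLE condition, where the finding is `disable-lock-screen` being true; a product-conditional clause would keep the generated report accurate. Minor: the SLE `<pre>` blocks omit the `$ ` prompt the `else` branch uses, and the context line "how long until the the screensaver locks" carries a doubled "the" worth fixing while this file is being touched.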
1 change: 1 addition & 0 deletions sle12/profiles/stig.profile
@@ -153,6 +153,7 @@ selections:
- dconf_db_up_to_date
- dconf_gnome_banner_enabled
- dconf_gnome_login_banner_text
- dconf_gnome_screensaver_lock_enabled
- dir_perms_world_writable_sticky_bits
- dir_perms_world_writable_system_owned_group
- disable_ctrlaltdel_reboot