Bug 1631378 - dconf db is not checked by OVAL
Summary: dconf db is not checked by OVAL
Status: ON_QA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: scap-security-guide   
(Show other bugs)
Version: 7.6
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: ---
Assignee: Matěj Týč
QA Contact: BaseOS QE Security Team
Mirek Jahoda
Depends On:
Blocks: 1648377
TreeView+ depends on / blocked
Reported: 2018-09-20 12:53 UTC by Marek Haicman
Modified: 2019-03-07 13:07 UTC (History)
7 users (show)

Fixed In Version: scap-security-guide-0.1.43-1.el7
Doc Type: Known Issue
Doc Text:
*dconf* databases are not checked by OVAL OVAL (Open Vulnerability and Assessment Language) checks used in the *SCAP Security Guide* project are not able to read a *dconf* binary database, only files used to generate the database. The database is not regenerated automatically, the administrator needs to enter the "dconf update" command. As a consequence, changes to the database that are not made using files in the `/etc/dconf/db/` directory cannot be detected by scanning. This may cause false negatives results. To work around this problem, run "dconf update" periodically, for example, using the `/etc/crontab` configuration file.
Story Points: ---
Clone Of:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description Marek Haicman 2018-09-20 12:53:35 UTC
Description of problem:
Rules that check for GNOME dconf configuration are reading and enforcing content of configuration files on the file system in `/etc/dconf/` directory tree. That content is only prescription for `dconf update` to fill in the binary dconf GVariant database. At the moment, there is no OVAL check to verify contents of the real binary DB. So OpenSCAP scanner using SCAP Security Guide cannot identify if the machine is hardened or not.

So "pass" is possibly false negative.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
0. let's use this rule https://static.open-scap.org/ssg-guides/ssg-rhel7-guide-C2S.html#xccdf_org.ssgproject.content_rule_dconf_gnome_banner_enabled

1. yum install openscap-scanner scap-security-guide

2. Follow the guide, so add or edit `banner-message-enable=true` to /etc/dconf/db/gdm.d/00-security-settings:


2a. Add `/org/gnome/login-screen/banner-message-enable` to `/etc/dconf/db/gdm.d/locks/00-security-settings-lock`

3. run scan `oscap xccdf eval --profile C2S --rule xccdf_org.ssgproject.content_rule_dconf_gnome_banner_enabled /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml 

4. run `dconf update`

5. repeat #3

6. run `dconf write org/gnome/login-screen/banner-message-enable false`

7. repeat #3

Actual results:
3. pass
5. pass
7. pass

Expected results:
3. fail
5. pass
7. fail

Additional info:
Due to OVAL design, we need to either have dconf probe, or dbus probe to truly solve the problem.

Comment 2 Marek Haicman 2018-09-20 13:23:58 UTC
Hello Ray, do you have any tips that could work regarding this issue? Basically - in OVAL, we currently have no option to communicate over dbus, or execute commands. Our best bet is reading files on the file system. Is there a way dconf can show db contents continuously on FS? Or are dbus and dconf command line the only ways to get the contents?

Comment 3 Ray Strode [halfline] 2018-09-27 11:57:10 UTC
hey sorry for the slow response on this.

dconf can be configured to use text based keyfiles as it's data backend:


but that's not the recommended default. It's main purpose is to provide better reliability over NFS.

Note, dconf doesn't use dbus for *reading*. it only uses dconf for writing.  so it should be possible to monitor the database if you can add a runtime dependency to libdconf.

Comment 8 Watson Yuuma Sato 2019-02-25 08:51:50 UTC
Fixed by upstream in https://github.com/ComplianceAsCode/content/pull/3725
And improved user experience in https://github.com/ComplianceAsCode/content/pull/3755

Note You need to log in before you can comment on or make changes to this bug.