Merge pull request #12951 from mpurg/ubuntu2404_cis_1.7.5

Extend dconf rules on Ubuntu to check if settings are locked
ComplianceAsCode · Jan 31, 2025 · 0f0466a · 0f0466a
2 parents 63be4a8 + dce05b7
commit 0f0466a
Show file tree

Hide file tree

Showing 18 changed files with 101 additions and 0 deletions.
diff --git a/...tem/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/bash/shared.sh b/...tem/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/bash/shared.sh
@@ -3,6 +3,7 @@
 {{% if 'ubuntu' in product %}}
 {{{ bash_enable_dconf_user_profile(profile="user", database="local") }}}
 {{{ bash_enable_dconf_user_profile(profile="gdm", database="gdm") }}}
+{{{ bash_dconf_lock("org/gnome/desktop/screensaver", "idle-delay", "local.d", "00-security-settings-lock") }}}
 {{% endif %}}
 
 {{{ bash_instantiate_variables("inactivity_timeout_value") }}}

diff --git a/...em/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/oval/shared.xml b/...em/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/oval/shared.xml
@@ -7,6 +7,9 @@
         <extend_definition comment="dconf user profile exists" definition_ref="enable_dconf_user_profile" />
         <criterion comment="idle delay has been configured" test_ref="test_screensaver_idle_delay" />
         <criterion comment="idle delay is set correctly" test_ref="test_screensaver_idle_delay_setting" />
+        {{% if 'ubuntu' in product %}}
+        <criterion comment="screensaver idle delay setting is locked" test_ref="test_screensaver_idle_delay_locked" />
+        {{% endif %}}
       </criteria>
     </criteria>
   </definition>
@@ -50,4 +53,19 @@
 
   <external_variable comment="inactivity timeout variable" datatype="int"
   id="inactivity_timeout_value" version="1" />
+
+{{% if 'ubuntu' in product %}}
+  <ind:textfilecontent54_test check="all" check_existence="all_exist"
+      comment="screensaver idle delay setting is locked"
+      id="test_screensaver_idle_delay_locked" version="1">
+    <ind:object object_ref="obj_screensaver_idle_delay_locked" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="obj_screensaver_idle_delay_locked"
+  version="1">
+    <ind:path>/etc/dconf/db/local.d/locks/</ind:path>
+    <ind:filename operation="pattern match">^.*$</ind:filename>
+    <ind:pattern operation="pattern match">^/org/gnome/desktop/screensaver/idle-delay$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+{{% endif %}}
 </def-group>
diff --git a/...tware/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/tests/comment.fail.sh b/...tware/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/tests/comment.fail.sh
@@ -6,3 +6,7 @@
 clean_dconf_settings
 add_dconf_profiles
 add_dconf_setting "org/gnome/desktop/session" "#idle-delay" "uint32 900" "local.d" "00-security-settings"
+
+{{% if 'ubuntu' in product %}}
+add_dconf_lock "org/gnome/desktop/screensaver" "idle-delay" "local.d" "00-security-settings"
+{{% endif %}}
diff --git a/...gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/tests/correct_value.pass.sh b/...gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/tests/correct_value.pass.sh
@@ -8,3 +8,7 @@ clean_dconf_settings
 
 add_dconf_profiles
 add_dconf_setting "org/gnome/desktop/session" "idle-delay" "uint32 900" "local.d" "00-security-settings"
+
+{{% if 'ubuntu' in product %}}
+add_dconf_lock "org/gnome/desktop/screensaver" "idle-delay" "local.d" "00-security-settings"
+{{% endif %}}
diff --git a/..._screen_locking/dconf_gnome_screensaver_idle_delay/tests/correct_value_not_locked.fail.sh b/..._screen_locking/dconf_gnome_screensaver_idle_delay/tests/correct_value_not_locked.fail.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+# packages = dconf,gdm
+# variables = inactivity_timeout_value=900
+
+. $SHARED/dconf_test_functions.sh
+
+clean_dconf_settings
+
+add_dconf_profiles
+add_dconf_setting "org/gnome/desktop/session" "idle-delay" "uint32 900" "local.d" "00-security-settings"
diff --git a/...me_screen_locking/dconf_gnome_screensaver_idle_delay/tests/correct_value_wrong_db.fail.sh b/...me_screen_locking/dconf_gnome_screensaver_idle_delay/tests/correct_value_wrong_db.fail.sh
@@ -8,3 +8,7 @@ clean_dconf_settings
 
 add_dconf_profiles
 add_dconf_setting "org/gnome/desktop/session" "idle-delay" "uint32 900" "dummy.d" "00-security-settings"
+
+{{% if 'ubuntu' in product %}}
+add_dconf_lock "org/gnome/desktop/screensaver" "idle-delay" "local.d" "00-security-settings"
+{{% endif %}}
diff --git a/...me/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/tests/missing_profiles.fail.sh b/...me/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/tests/missing_profiles.fail.sh
@@ -8,3 +8,4 @@
 clean_dconf_settings
 
 add_dconf_setting "org/gnome/desktop/session" "idle-delay" "uint32 900" "local.d" "00-security-settings"
+add_dconf_lock "org/gnome/desktop/screensaver" "idle-delay" "local.d" "00-security-settings"
diff --git a/...e/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/tests/setting_not_there.fail.sh b/...e/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/tests/setting_not_there.fail.sh
@@ -5,3 +5,7 @@
 
 clean_dconf_settings
 add_dconf_profiles
+
+{{% if 'ubuntu' in product %}}
+add_dconf_lock "org/gnome/desktop/screensaver" "idle-delay" "local.d" "00-security-settings"
+{{% endif %}}
diff --git a/...e/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/tests/wrong_value.fail.sh b/...e/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/tests/wrong_value.fail.sh
@@ -7,3 +7,7 @@
 clean_dconf_settings
 add_dconf_profiles
 add_dconf_setting "org/gnome/desktop/session" "idle-delay" "uint32 2900" "local.d" "00-security-settings"
+
+{{% if 'ubuntu' in product %}}
+add_dconf_lock "org/gnome/desktop/screensaver" "idle-delay" "local.d" "00-security-settings"
+{{% endif %}}
diff --git a/...tem/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/bash/shared.sh b/...tem/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/bash/shared.sh
@@ -3,6 +3,7 @@
 {{% if 'ubuntu' in product %}}
 {{{ bash_enable_dconf_user_profile(profile="user", database="local") }}}
 {{{ bash_enable_dconf_user_profile(profile="gdm", database="gdm") }}}
+{{{ bash_dconf_lock("org/gnome/desktop/screensaver", "lock-delay", "local.d", "00-security-settings-lock") }}}
 {{% endif %}}
 
 {{{ bash_instantiate_variables("var_screensaver_lock_delay") }}}

diff --git a/...em/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/oval/shared.xml b/...em/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/oval/shared.xml
@@ -8,6 +8,9 @@
         <extend_definition comment="dconf user profile exists" definition_ref="enable_dconf_user_profile" />
         <criterion comment="screensaver lock delay is configured" test_ref="test_screensaver_lock_delay" />
         <criterion comment="lock delay is set correctly" test_ref="test_screensaver_lock_delay_setting" />
+        {{% if 'ubuntu' in product %}}
+        <criterion comment="screensaver lock delay setting is locked" test_ref="test_screensaver_lock_delay_locked" />
+        {{% endif %}}
       </criteria>
     </criteria>
   </definition>
@@ -51,4 +54,18 @@
 
   <external_variable comment="screensaver lock delay variable" datatype="int"
   id="var_screensaver_lock_delay" version="1" />
+
+{{% if 'ubuntu' in product %}}
+  <ind:textfilecontent54_test check="all" check_existence="all_exist"
+      comment="screensaver lock delay setting is locked"
+      id="test_screensaver_lock_delay_locked" version="1">
+    <ind:object object_ref="obj_screensaver_lock_delay_locked" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="obj_screensaver_lock_delay_locked" version="1">
+    <ind:path>/etc/dconf/db/local.d/locks/</ind:path>
+    <ind:filename operation="pattern match">^.*$</ind:filename>
+    <ind:pattern operation="pattern match">^/org/gnome/desktop/screensaver/lock-delay$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+{{% endif %}}
 </def-group>
diff --git a/...tware/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/tests/comment.fail.sh b/...tware/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/tests/comment.fail.sh
@@ -6,3 +6,7 @@
 clean_dconf_settings
 add_dconf_profiles
 add_dconf_setting "org/gnome/desktop/screensaver" "#lock-delay" "uint32 5" "local.d" "00-security-settings"
+
+{{% if 'ubuntu' in product %}}
+add_dconf_lock "org/gnome/desktop/screensaver" "lock-delay" "local.d" "00-security-settings"
+{{% endif %}}
diff --git a/...gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/tests/correct_value.pass.sh b/...gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/tests/correct_value.pass.sh
@@ -8,3 +8,7 @@ clean_dconf_settings
 
 add_dconf_profiles
 add_dconf_setting "org/gnome/desktop/screensaver" "lock-delay" "uint32 5" "local.d" "00-security-settings"
+
+{{% if 'ubuntu' in product %}}
+add_dconf_lock "org/gnome/desktop/screensaver" "lock-delay" "local.d" "00-security-settings"
+{{% endif %}}
diff --git a/..._screen_locking/dconf_gnome_screensaver_lock_delay/tests/correct_value_not_locked.fail.sh b/..._screen_locking/dconf_gnome_screensaver_lock_delay/tests/correct_value_not_locked.fail.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+# packages = dconf,gdm
+# variables = var_screensaver_lock_delay=5
+
+. $SHARED/dconf_test_functions.sh
+
+clean_dconf_settings
+
+add_dconf_profiles
+add_dconf_setting "org/gnome/desktop/screensaver" "lock-delay" "uint32 5" "local.d" "00-security-settings"
diff --git a/...me_screen_locking/dconf_gnome_screensaver_lock_delay/tests/correct_value_wrong_db.fail.sh b/...me_screen_locking/dconf_gnome_screensaver_lock_delay/tests/correct_value_wrong_db.fail.sh
@@ -7,3 +7,7 @@
 clean_dconf_settings
 add_dconf_profiles
 add_dconf_setting "org/gnome/desktop/screensaver" "lock-delay" "uint32 5" "dummy.d" "00-security-settings"
+
+{{% if 'ubuntu' in product %}}
+add_dconf_lock "org/gnome/desktop/screensaver" "lock-delay" "local.d" "00-security-settings"
+{{% endif %}}
diff --git a/...me/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/tests/missing_profiles.fail.sh b/...me/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/tests/missing_profiles.fail.sh
@@ -8,3 +8,4 @@
 clean_dconf_settings
 
 add_dconf_setting "org/gnome/desktop/screensaver" "lock-delay" "uint32 5" "local.d" "00-security-settings"
+add_dconf_lock "org/gnome/desktop/screensaver" "lock-delay" "local.d" "00-security-settings"
diff --git a/...e/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/tests/setting_not_there.fail.sh b/...e/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/tests/setting_not_there.fail.sh
@@ -5,3 +5,7 @@
 
 add_dconf_profiles
 clean_dconf_settings
+
+{{% if 'ubuntu' in product %}}
+add_dconf_lock "org/gnome/desktop/screensaver" "lock-delay" "local.d" "00-security-settings"
+{{% endif %}}
diff --git a/...e/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/tests/wrong_value.fail.sh b/...e/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/tests/wrong_value.fail.sh
@@ -7,3 +7,7 @@
 clean_dconf_settings
 add_dconf_profiles
 add_dconf_setting "org/gnome/desktop/screensaver" "lock-delay" "uint32 10" "local.d" "00-security-settings"
+
+{{% if 'ubuntu' in product %}}
+add_dconf_lock "org/gnome/desktop/screensaver" "lock-delay" "local.d" "00-security-settings"
+{{% endif %}}
Original file line number	Diff line number	Diff line change
Expand Up		@@ -8,3 +8,4 @@
		clean_dconf_settings

		add_dconf_setting "org/gnome/desktop/session" "idle-delay" "uint32 900" "local.d" "00-security-settings"
		add_dconf_lock "org/gnome/desktop/screensaver" "idle-delay" "local.d" "00-security-settings"