Stabilization: sle16 create anssi profile

[teacup-on-rockingchair]

Description:

• Stabilization PR for change in PR SLE16 create ANSSI profiles #14412

Rationale:

• Add anssi profiles for SLE16

Review Hints:

• See PR SLE16 create ANSSI profiles #14412

[github-actions]

This datastream diff is auto generated by the check Compare DS/Generate Diff

Click here to see the full diff

New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount
@@ -6,12 +6,12 @@
 The system's default desktop environment, GNOME3, will mount
 devices and removable media (such as DVDs, CDs and USB flash drives) whenever
 they are inserted into the system. To disable automount within GNOME3, add or set
-automount to false in /etc/dconf/db/gdm.d/00-security-settings.
+automount to false in /etc/dconf/db/local.d/00-security-settings.
 For example:
 [org/gnome/desktop/media-handling]
 automount=false
 Once the settings have been added, add a lock to
-/etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification.
+/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
 For example:
 /org/gnome/desktop/media-handling/automount
 After the settings have been set, run dconf update.

OCIL for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount' differs.
--- ocil:ssg-dconf_gnome_disable_automount_ocil:questionnaire:1
+++ ocil:ssg-dconf_gnome_disable_automount_ocil:questionnaire:1
@@ -2,7 +2,7 @@
 $ gsettings get org.gnome.desktop.media-handling automount
 If properly configured, the output for automount should be false.
 To ensure that users cannot enable automount in GNOME3, run the following:
-$ grep 'automount' /etc/dconf/db/gdm.d/locks/*
+$ grep 'automount' /etc/dconf/db/local.d/locks/*
 If properly configured, the output for automount should be /org/gnome/desktop/media-handling/automount
       Is it the case that GNOME automounting is not disabled?
       
bash remediation for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount' differs.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount
@@ -2,6 +2,7 @@
 if rpm --quiet -q gdm; then
 
 # apply fix for enable_dconf_user_profile, OVAL checks it
+
 
 # Check for setting in any of the DConf db directories
 # If files contain ibus or distro, ignore them.

New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount_open'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount_open
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount_open
@@ -6,12 +6,12 @@
 The system's default desktop environment, GNOME3, will mount
 devices and removable media (such as DVDs, CDs and USB flash drives) whenever
 they are inserted into the system. To disable automount-open within GNOME3, add or set
-automount-open to false in /etc/dconf/db/gdm.d/00-security-settings.
+automount-open to false in /etc/dconf/db/local.d/00-security-settings.
 For example:
 [org/gnome/desktop/media-handling]
 automount-open=false
 Once the settings have been added, add a lock to
-/etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification.
+/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
 For example:
 /org/gnome/desktop/media-handling/automount-open
 After the settings have been set, run dconf update.

OCIL for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount_open' differs.
--- ocil:ssg-dconf_gnome_disable_automount_open_ocil:questionnaire:1
+++ ocil:ssg-dconf_gnome_disable_automount_open_ocil:questionnaire:1
@@ -2,7 +2,7 @@
 $ gsettings get org.gnome.desktop.media-handling automount-open
 If properly configured, the output for automount-openshould be false.
 To ensure that users cannot enable automount opening in GNOME3, run the following:
-$ grep 'automount-open' /etc/dconf/db/gdm.d/locks/*
+$ grep 'automount-open' /etc/dconf/db/local.d/locks/*
 If properly configured, the output for automount-open should be /org/gnome/desktop/media-handling/automount-open
       Is it the case that GNOME automounting is not disabled?
       
bash remediation for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount_open' differs.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount_open
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount_open
@@ -2,6 +2,7 @@
 if rpm --quiet -q gdm; then
 
 # apply fix for enable_dconf_user_profile, OVAL checks it
+
 
 # Check for setting in any of the DConf db directories
 # If files contain ibus or distro, ignore them.

New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_disable_autorun'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_disable_autorun
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_disable_autorun
@@ -6,12 +6,12 @@
 The system's default desktop environment, GNOME3, will mount
 devices and removable media (such as DVDs, CDs and USB flash drives) whenever
 they are inserted into the system. To disable autorun-never within GNOME3, add or set
-autorun-never to true in /etc/dconf/db/gdm.d/00-security-settings.
+autorun-never to true in /etc/dconf/db/local.d/00-security-settings.
 For example:
 [org/gnome/desktop/media-handling]
 autorun-never=true
 Once the settings have been added, add a lock to
-/etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification.
+/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
 For example:
 /org/gnome/desktop/media-handling/autorun-never
 After the settings have been set, run dconf update.

OCIL for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_disable_autorun' differs.
--- ocil:ssg-dconf_gnome_disable_autorun_ocil:questionnaire:1
+++ ocil:ssg-dconf_gnome_disable_autorun_ocil:questionnaire:1
@@ -2,7 +2,7 @@
 $ gsettings get org.gnome.desktop.media-handling autorun-never
 If properly configured, the output for autorun-nevershould be true.
 To ensure that users cannot enable autorun in GNOME3, run the following:
-$ grep 'autorun-never' /etc/dconf/db/gdm.d/locks/*
+$ grep 'autorun-never' /etc/dconf/db/local.d/locks/*
 If properly configured, the output for autorun-never should be /org/gnome/desktop/media-handling/autorun-never
       Is it the case that GNOME autorun is not disabled?
       
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_credential_prompt'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_credential_prompt
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_credential_prompt
@@ -6,12 +6,12 @@
 By default, GNOME does not require credentials when using Vino for
 remote access. To configure the system to require remote credentials, add or set
 authentication-methods to ['vnc'] in
-/etc/dconf/db/gdm.d/00-security-settings. For example:
+/etc/dconf/db/local.d/00-security-settings. For example:
 [org/gnome/Vino]
 authentication-methods=['vnc']
 
 Once the settings have been added, add a lock to
-/etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification.
+/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
 For example:
 /org/gnome/Vino/authentication-methods
 After the settings have been set, run dconf update.

OCIL for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_credential_prompt' differs.
--- ocil:ssg-dconf_gnome_remote_access_credential_prompt_ocil:questionnaire:1
+++ ocil:ssg-dconf_gnome_remote_access_credential_prompt_ocil:questionnaire:1
@@ -2,7 +2,7 @@
 $ gsettings get org.gnome.Vino authentication-methods
 If properly configured, the output should be false.
 To ensure that users cannot disable credentials for remote access, run the following:
-$ grep authentication-methods /etc/dconf/db/gdm.d/locks/*
+$ grep authentication-methods /etc/dconf/db/local.d/locks/*
 If properly configured, the output should be
 /org/gnome/Vino/authentication-methods
       Is it the case that wireless network notification is enabled and not disabled?

New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_encryption'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_encryption
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_encryption
@@ -6,12 +6,12 @@
 By default, GNOME requires encryption when using Vino for remote access.
 To prevent remote access encryption from being disabled, add or set
 require-encryption to true in
-/etc/dconf/db/gdm.d/00-security-settings. For example:
+/etc/dconf/db/local.d/00-security-settings. For example:
 [org/gnome/Vino]
 require-encryption=true
 
 Once the settings have been added, add a lock to
-/etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification.
+/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
 For example:
 /org/gnome/Vino/require-encryption
 After the settings have been set, run dconf update.

OCIL for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_encryption' differs.
--- ocil:ssg-dconf_gnome_remote_access_encryption_ocil:questionnaire:1
+++ ocil:ssg-dconf_gnome_remote_access_encryption_ocil:questionnaire:1
@@ -2,7 +2,7 @@
 $ gsettings get org.gnome.Vino require-encrpytion
 If properly configured, the output should be true.
 To ensure that users cannot disable encrypted remote connections, run the following:
-$ grep require-encryption /etc/dconf/db/gdm.d/locks/*
+$ grep require-encryption /etc/dconf/db/local.d/locks/*
 If properly configured, the output should be
 /org/gnome/Vino/require-encryption
       Is it the case that remote access connections are not encrypted?

New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_activation_enabled'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_activation_enabled
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_activation_enabled
@@ -5,11 +5,11 @@
 [description]:
 To activate the screensaver in the GNOME3 desktop after a period of inactivity,
 add or set idle-activation-enabled to true in
-/etc/dconf/db/gdm.d/00-security-settings. For example:
+/etc/dconf/db/local.d/00-security-settings. For example:
 [org/gnome/desktop/screensaver]
 idle-activation-enabled=true
 Once the setting has been added, add a lock to
-/etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification.
+/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
 For example:
 /org/gnome/desktop/screensaver/idle-activation-enabled
 After the settings have been set, run dconf update.

OCIL for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_activation_enabled' differs.
--- ocil:ssg-dconf_gnome_screensaver_idle_activation_enabled_ocil:questionnaire:1
+++ ocil:ssg-dconf_gnome_screensaver_idle_activation_enabled_ocil:questionnaire:1
@@ -2,7 +2,7 @@
 $ gsettings get org.gnome.desktop.screensaver idle-activation-enabled
 If properly configured, the output should be true.
 To ensure that users cannot disable the screensaver idle inactivity setting, run the following:
-$ grep idle-activation-enabled /etc/dconf/db/gdm.d/locks/*
+$ grep idle-activation-enabled /etc/dconf/db/local.d/locks/*
 If properly configured, the output should be /org/gnome/desktop/screensaver/idle-activation-enabled
       Is it the case that idle-activation-enabled is not enabled or configured?
       
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay
@@ -4,12 +4,12 @@
 
 [description]:
 The idle time-out value for inactivity in the GNOME3 desktop is configured via the idle-delay
-setting must be set under an appropriate configuration file(s) in the /etc/dconf/db/gdm.d directory
-and locked in /etc/dconf/db/gdm.d/locks directory to prevent user modification.
+setting must be set under an appropriate configuration file(s) in the /etc/dconf/db/local.d directory
+and locked in /etc/dconf/db/local.d/locks directory to prevent user modification.
 
          
 For example, to configure the system for a 15 minute delay, add the following to
-/etc/dconf/db/gdm.d/00-security-settings:
+/etc/dconf/db/local.d/00-security-settings:
 [org/gnome/desktop/session]
 idle-delay=uint32 900
 

OCIL for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay' differs.
--- ocil:ssg-dconf_gnome_screensaver_idle_delay_ocil:questionnaire:1
+++ ocil:ssg-dconf_gnome_screensaver_idle_delay_ocil:questionnaire:1
@@ -2,7 +2,7 @@
 $ gsettings get org.gnome.desktop.session idle-delay
 If properly configured, the output should be 'uint32 '.
 To ensure that users cannot change the screensaver inactivity timeout setting, run the following:
-$ grep idle-delay /etc/dconf/db/gdm.d/locks/*
+$ grep idle-delay /etc/dconf/db/local.d/locks/*
 If properly configured, the output should be /org/gnome/desktop/session/idle-delay
       Is it the case that idle-delay is set to 0 or a value greater than <sub idref="inactivity_timeout_value" />?
       
bash remediation for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay' differs.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay
@@ -2,7 +2,6 @@
 if rpm --quiet -q gdm; then
 
 inactivity_timeout_value=''
-
 
 
 # Check for setting in any of the DConf db directories

New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay
@@ -6,7 +6,7 @@
 To activate the locking delay of the screensaver in the GNOME3 desktop when
 the screensaver is activated, add or set lock-delay to uint32 'xccdf_org.ssgproject.content_value_var_screensaver_lock_delay'
           in
-/etc/dconf/db/gdm.d/00-security-settings. For example:
+/etc/dconf/db/local.d/00-security-settings. For example:
 [org/gnome/desktop/screensaver]
 lock-delay=uint32 'xccdf_org.ssgproject.content_value_var_screensaver_lock_delay'
          

bash remediation for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay' differs.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay
@@ -1,8 +1,10 @@
 # Remediation is applicable only in certain platforms
 if rpm --quiet -q gdm; then
 
+# apply fix for enable_dconf_user_profile, OVAL checks it
+
+
 var_screensaver_lock_delay=''
-
 
 
 # Check for setting in any of the DConf db directories

New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled
@@ -5,12 +5,12 @@
 [description]:
 To activate locking of the screensaver in the GNOME3 desktop when it is activated,
 add or set lock-enabled to true in
-/etc/dconf/db/gdm.d/00-security-settings. For example:
+/etc/dconf/db/local.d/00-security-settings. For example:
 [org/gnome/desktop/screensaver]
 lock-enabled=true
 
 Once the settings have been added, add a lock to
-/etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification.
+/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
 For example:
 /org/gnome/desktop/screensaver/lock-enabled
 After the settings have been set, run dconf update.

OCIL for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled' differs.
--- ocil:ssg-dconf_gnome_screensaver_lock_enabled_ocil:questionnaire:1
+++ ocil:ssg-dconf_gnome_screensaver_lock_enabled_ocil:questionnaire:1
@@ -3,7 +3,7 @@
 $ gsettings get org.gnome.desktop.screensaver lock-enabled
 If properly configured, the output should be true.
 To ensure that users cannot change how long until the screensaver locks, run the following:
-$ grep lock-enabled /etc/dconf/db/gdm.d/locks/*
+$ grep lock-enabled /etc/dconf/db/local.d/locks/*
 If properly configured, the output for lock-enabled should be /org/gnome/desktop/screensaver/lock-enabled
       Is it the case that screensaver locking is not enabled and/or has not been set or configured correctly?
       
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled' differs.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled
@@ -76,7 +76,7 @@
 - name: Enable GNOME3 Screensaver Lock After Idle Period - Enable GNOME3 Screensaver
     Lock After Idle Period
   community.general.ini_file:
-    dest: /etc/dconf/db/gdm.d/00-security-settings
+    dest: /etc/dconf/db/local.d/00-security-settings
     section: org/gnome/desktop/lockdown
     option: disable-lock-screen
     value: 'false'
@@ -105,7 +105,7 @@
 - name: Enable GNOME3 Screensaver Lock After Idle Period - Prevent user modification
     of GNOME disable-lock-screen
   ansible.builtin.lineinfile:
-    path: /etc/dconf/db/gdm.d/locks/00-security-settings-lock
+    path: /etc/dconf/db/local.d/locks/00-security-settings-lock
     regexp: ^/org/gnome/desktop/lockdown/disable-lock-screen$
     line: /org/gnome/desktop/lockdown/disable-lock-screen
     create: true

New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_mode_blank'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_mode_blank
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_mode_blank
@@ -5,12 +5,12 @@
 [description]:
 To set the screensaver mode in the GNOME3 desktop to a blank screen,
 add or set picture-uri to string '' in
-/etc/dconf/db/gdm.d/00-security-settings. For example:
+/etc/dconf/db/local.d/00-security-settings. For example:
 [org/gnome/desktop/screensaver]
 picture-uri=string ''
 
 Once the settings have been added, add a lock to
-/etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification.
+/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
 For example:
 /org/gnome/desktop/screensaver/picture-uri
 After the settings have been set, run dconf update.

OCIL for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_mode_blank' differs.
--- ocil:ssg-dconf_gnome_screensaver_mode_blank_ocil:questionnaire:1
+++ ocil:ssg-dconf_gnome_screensaver_mode_blank_ocil:questionnaire:1
@@ -3,7 +3,7 @@
 If properly configured, the output should be ''.
 
 To ensure that users cannot set the screensaver background, run the following:
-$ grep picture-uri /etc/dconf/db/gdm.d/locks/*
+$ grep picture-uri /etc/dconf/db/local.d/locks/*
 If properly configured, the output should be /org/gnome/desktop/screensaver/picture-uri
       Is it the case that it is not set or configured properly?
       
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_user_locks'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_user_locks
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_user_locks
@@ -5,7 +5,7 @@
 [description]:
 If not already configured, ensure that users cannot change GNOME3 screensaver lock settings
 by adding /org/gnome/desktop/screensaver/lock-delay
-to /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification.
+to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
 For example:
 /org/gnome/desktop/screensaver/lock-delay
 After the settings have been set, run dconf update.

OCIL for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_user_locks' differs.
--- ocil:ssg-dconf_gnome_screensaver_user_locks_ocil:questionnaire:1
+++ ocil:ssg-dconf_gnome_screensaver_user_locks_ocil:questionnaire:1
@@ -1,5 +1,5 @@
 To ensure that users cannot change session idle and lock settings, run the following:
-$ grep 'lock-delay' /etc/dconf/db/gdm.d/locks/*
+$ grep 'lock-delay' /etc/dconf/db/local.d/locks/*
 If properly configured, the output should return:
 /org/gnome/desktop/screensaver/lock-delay
       Is it the case that GNOME3 session settings are not locked or configured properly?

New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_session_idle_user_locks'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_session_idle_user_locks
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_session_idle_user_locks
@@ -5,7 +5,7 @@
 [description]:
 If not already configured, ensure that users cannot change GNOME3 session idle settings
 by adding /org/gnome/desktop/session/idle-delay
-to /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification.
+to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
 For example:
 /org/gnome/desktop/session/idle-delay
 After the settings have been set, run dconf update.

OCIL for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_session_idle_user_locks' differs.
--- ocil:ssg-dconf_gnome_session_idle_user_locks_ocil:questionnaire:1
+++ ocil:ssg-dconf_gnome_session_idle_user_locks_ocil:questionnaire:1
@@ -1,5 +1,5 @@
 To ensure that users cannot change session idle and lock settings, run the following:
-$ grep 'idle-delay' /etc/dconf/db/gdm.d/locks/*
+$ grep 'idle-delay' /etc/dconf/db/local.d/locks/*
 If properly configured, the output should return:
 /org/gnome/desktop/session/idle-delay
       Is it the case that idle-delay is not locked?