Make sure that the dconf databases are up-to-date with regards to respective keyfiles
An XCCDF Rule
Description
By default, DConf uses a binary database as a data backend. The system-level database is compiled from keyfiles in the /etc/dconf/db/ directory by the
dconf update command. More specifically, it is compiled from the content present in the following directories:
/etc/dconf/db/distro.d
/etc/dconf/db/local.d
Rationale
Unlike text-based keyfiles, the binary database cannot be checked by OVAL. Therefore, to evaluate the dconf configuration, two conditions have to hold at the same time: the configuration files have to be compliant, and the database has to be more recent than those keyfiles, which gives confidence that it reflects them.
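One way to test the freshness condition from the rationale by hand, as an added example that is not part of the rule's own content or its OVAL check. The function name `stale_dconf_dbs` and its optional root-directory argument are hypothetical. Treating a changed `.d` directory mtime as staleness, so that a deleted keyfile is also flagged, is a choice made for this example.

```shell
#!/bin/sh
# Added example: list dconf databases that are older than their keyfiles.
# The optional first argument (database root, default /etc/dconf/db) is an
# assumption of this example so it can be pointed at a scratch directory.
# Prints one line per problem and returns 1 if any database is stale.
stale_dconf_dbs() {
    db_root=${1:-/etc/dconf/db}
    stale=0
    for keydir in "$db_root"/*.d; do
        [ -d "$keydir" ] || continue      # unmatched glob or not a directory
        db=${keydir%.d}                   # /etc/dconf/db/local.d -> .../local
        name=${db##*/}
        if [ ! -f "$db" ]; then
            echo "$name: database missing, keyfiles were never compiled"
            stale=1
            continue
        fi
        # -newer matches entries whose mtime is later than the database's.
        # Directories are included on purpose: removing a keyfile changes the
        # directory mtime even though no remaining file is newer.
        newer=$(find "$keydir" -newer "$db" -print | head -n 1)
        if [ -n "$newer" ]; then
            echo "$name: stale, modified after database: $newer"
            stale=1
        fi
    done
    return "$stale"
}
```

Called with no argument, the function inspects /etc/dconf/db; a non-zero return means dconf update has not been run since the last keyfile change.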
- ID: xccdf_org.ssgproject.content_rule_dconf_db_up_to_date
- Severity: High
- Updated
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
    dconf update
else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
Remediation - Ansible
- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - PCI-DSS-Req-6.2
  - PCI-DSSv4-8.2.8