
Make sure that the dconf databases are up-to-date with regards to respective keyfiles

An XCCDF Rule

Description

By default, DConf uses a binary database as a data backend. The system-level database is compiled from keyfiles in the /etc/dconf/db/ directory by the dconf update command. More specifically, it is compiled from the content present in the following directories:
/etc/dconf/db/gdm.d
/etc/dconf/db/local.d

Rationale

Unlike text-based keyfiles, the binary database cannot be checked by OVAL. Therefore, to evaluate the dconf configuration, two conditions have to be true at the same time: the configuration files have to be compliant, and the database needs to be more recent than those keyfiles, which gives confidence that it reflects them.
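The freshness condition described above can be checked by comparing modification times. The following is an added example, not part of the rule's own content; it assumes the compiled databases are /etc/dconf/db/gdm and /etc/dconf/db/local (named after the keyfile directories), and DCONF_DB_DIR and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: flag dconf databases that are older than their keyfiles.
# DCONF_DB_DIR is a hypothetical override so the check can run on a scratch tree.
DCONF_DB_DIR="${DCONF_DB_DIR:-/etc/dconf/db}"

# db_is_current NAME
# Returns 0 when $DCONF_DB_DIR/NAME is newer than every keyfile under NAME.d.
db_is_current() {
    db="$DCONF_DB_DIR/$1"
    src="$DCONF_DB_DIR/$1.d"

    # No keyfile directory: there is nothing the database has to reflect.
    [ -d "$src" ] || return 0

    # Keyfiles exist but no database was ever compiled from them: stale.
    if [ ! -f "$db" ]; then
        [ -z "$(find "$src" -type f -print | head -n 1)" ]
        return
    fi

    # Any keyfile modified after the database was compiled makes it stale.
    [ -z "$(find "$src" -type f -newer "$db" -print | head -n 1)" ]
}

# check_dconf_dbs
# Checks the two databases named in the rule; returns 1 if either is stale.
check_dconf_dbs() {
    rc=0
    for name in gdm local; do
        if db_is_current "$name"; then
            echo "OK: $name database is newer than $name.d keyfiles"
        else
            echo "STALE: $name database is older than $name.d (run 'dconf update')"
            rc=1
        fi
    done
    return "$rc"
}

# Run the check only when asked to, e.g.: sh check_dconf.sh --check
if [ "${1:-}" = "--check" ]; then
    check_dconf_dbs
fi
```

A non-zero exit status means a keyfile was changed after the last compilation, so the compliance of the keyfiles says nothing yet about the settings actually in effect.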

ID
xccdf_org.ssgproject.content_rule_dconf_db_up_to_date
Severity
High



Remediation - Shell Script

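# Remediation is applicable only in certain platforms
if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
    # Recompile the binary databases from the keyfiles
    dconf update
else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi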

Remediation - Ansible

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - PCI-DSS-Req-6.2
  - PCI-DSSv4-8.2