{"description": "By default, DConf uses a binary database as a data backend.\nThe system-level database is compiled from keyfiles in the /etc/dconf/db/\ndirectory by the <pre>dconf update</pre> command. More specifically, content present\nin the following directories:\n<pre>/etc/dconf/db/gdm.d</pre>\n<pre>/etc/dconf/db/local.d</pre>", "rationale": "Unlike text-based keyfiles, the binary database is impossible to check by OVAL.\nTherefore, in order to evaluate dconf configuration, both have to be true at the same time -\nconfiguration files have to be compliant, and the database needs to be more recent than those keyfiles,\nwhich gives confidence that it reflects them.", "severity": "high", "references": {"hipaa": ["164.308(a)(1)(ii)(B)", "164.308(a)(5)(ii)(A)"], "pcidss": ["Req-6.2"], "srg": ["SRG-OS-000480-GPOS-00227"], "pcidss4": ["8.2.8", "8.2"]}, "control_references": {"pcidss4": ["8.2.8", "8.2"]}, "components": [], "identifiers": {}, "ocil_clause": "The system-wide dconf databases are up-to-date with regards to respective keyfiles", "ocil": "In order to be sure that the databases are up-to-date, run the\n<pre>dconf update</pre>\ncommand as the administrator.", "oval_external_content": null, "fixtext": "Update the dconf databases by running the following command:\n\n$ sudo dconf update", "checktext": "Check the last modification time of the local databases, comparing it to the last modification time of the related keyfiles. The following command will check every dconf database and compare its modification time to the related system keyfiles:\n\nNote: This requirement assumes the use of the Ubuntu 22.04 default graphical user interface, GNOME Shell. 
If the system does not have any graphical user interface installed, this requirement is Not Applicable.\n\n$ function dconf_needs_update { for db in $(find /etc/dconf/db -maxdepth 1 -type f); do db_mtime=$(stat -c %Y \"$db\"); keyfile_mtime=$(stat -c %Y \"$db\".d/* | sort -n | tail -1); if [ -n \"$db_mtime\" ] && [ -n \"$keyfile_mtime\" ] && [ \"$db_mtime\" -lt \"$keyfile_mtime\" ]; then echo \"$db needs update\"; return 1; fi; done; }; dconf_needs_update\n\nIf the command has any output, then a dconf database needs to be updated, and this is a finding.", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 effective dconf policy must match the policy keyfiles.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 effective dconf policy must match the policy keyfiles.", "vuldiscussion": "Unlike text-based keyfiles, the binary database is impossible to check through most automated and all manual means; therefore, in order to evaluate dconf configuration, both have to be true at the same time - configuration files have to be compliant, and the database needs to be more recent than those keyfiles, which gives confidence that it reflects them.", "checktext": "Check the last modification time of the local databases, comparing it to the last modification time of the related keyfiles. The following command will check every dconf database and compare its modification time to the related system keyfiles:\n\nNote: This requirement assumes the use of the Ubuntu 22.04 default graphical user interface, the GNOME desktop environment. 
If the system does not have any graphical user interface installed, this requirement is Not Applicable.\n\n$ function dconf_needs_update { for db in $(find /etc/dconf/db -maxdepth 1 -type f); do db_mtime=$(stat -c %Y \"$db\"); keyfile_mtime=$(stat -c %Y \"$db\".d/* | sort -n | tail -1); if [ -n \"$db_mtime\" ] && [ -n \"$keyfile_mtime\" ] && [ \"$db_mtime\" -lt \"$keyfile_mtime\" ]; then echo \"$db needs update\"; return 1; fi; done; }; dconf_needs_update\n\nIf the command has any output, then a dconf database needs to be updated, and this is a finding.", "fixtext": "Update the dconf databases by running the following command:\n\n$ sudo dconf update"}}, "platform": "system_with_kernel", "platforms": ["system_with_kernel"], "sce_metadata": {}, "inherited_platforms": ["package[gdm]"], "cpe_platform_names": ["system_with_kernel"], "inherited_cpe_platform_names": ["package_gdm"], "bash_conditional": null, "fixes": {}, "title": "Make sure that the dconf databases are up-to-date with regards to respective keyfiles", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/software/gnome/dconf_db_up_to_date/rule.yml", "template": null}