new testing tag
by Jeffrey Blank
A new <tested> tag can now be added to Rules.
This will be a way to document when:
1) The fix text has been proofread and exercised.
2) The check text has been proofread and exercised.
3) A positive and negative test result can be obtained using the fix
text (description) and its check text.
This should ensure at least syntactic correctness for all Rules. A
second round of testing (from a different person) will involve
verification that the system behaves as configured.
I'll be adding support to the transforms to show this in tables (with
color coding), and also to move the information into comments (or some
other valid storage area in XCCDF).
Michael mentioned that he's going to start testing, so hopefully this
will enable that.
See example tag below (at bottom):
<Rule id="partition_for_tmp">
  <title>Ensure /tmp Located On Separate Partition</title>
  <description>
    The <tt>/tmp</tt> directory is a world-writable directory used
    for temporary file storage. Ensure that it has its own partition or
    logical volume at installation time, or migrate it using LVM.
  </description>
  <ocil><partition-check-macro part="/tmp"/></ocil>
  <rationale>
    The <tt>/tmp</tt> partition is used as temporary storage by many programs.
    Placing <tt>/tmp</tt> in its own partition enables the setting of more
    restrictive mount options, which can help protect programs which use it.
  </rationale>
  <ident cce="14161-4"/>
  <oval id="mount_tmp_own_partition" />
  <ref nist="CM-6" />
  <tested by="MM" on="20120927" />
</Rule>
11 years, 6 months
[PATCH] additional OCIL check text
by David Smith
added several OCIL checks
David Smith (1):
additional OCIL checks
RHEL6/input/services/ldap.xml | 7 +++++++
RHEL6/input/services/nfs.xml | 25 +++++++++++++++++++++++++
RHEL6/input/services/ntp.xml | 8 ++++++++
RHEL6/input/services/ssh.xml | 6 ++++++
RHEL6/input/system/logging.xml | 5 ++---
RHEL6/input/system/permissions/mounting.xml | 6 ++++++
6 files changed, 54 insertions(+), 3 deletions(-)
11 years, 6 months
MISC additions query
by Michael J. McConachie
Jeff,
I finished adding "this is a finding" clauses to pre-existing <ocil>
tags; I would like to start on the blank rows in the OCIL/check text
column and insert (at a minimum) <ocil clause="(this is a finding)"> on
each one, so that at least we have that step done for every row on the
ST page.
Then we can auto-fill the bulk of the verbiage that's left to do with
macros at a later time as they are established, right?
Does this sound good? If so, I'll get started on adding the checks to
those remaining blank boxes.
R/S
--
Red Hat Consulting
Michael J. McConachie, RHCE
Consultant - Red Hat, Inc.
michael(a)redhat.com
11 years, 6 months
[PATCH] new sshd check macro
by Jeffrey Blank
For SSH (and other configurations), we want to preserve the ability to not flag non-compliance if the default (unspecified) is compliant. It reduces costs, which makes for a more compelling (less uncompelling?) argument for C&A activities.
The wording of this is rough and definitely not final. After all the other checks and profile inclusion
adjustments are complete, and when we get to copy editing, it will undoubtedly be improved.
Jeffrey Blank (1):
added new macro for SSH checks (rough wording for now), and used it
RHEL6/input/services/ssh.xml | 15 +++++++++++++++
RHEL6/transforms/shorthand2xccdf.xslt | 21 ++++++++++++++++++++-
2 files changed, 35 insertions(+), 1 deletions(-)
11 years, 6 months
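The check policy described in the message above (an unset sshd directive is not a finding when the default already complies), as an added example that is not part of the original post and is not the project's macro. The two directives, their assumed default values and the sample configuration are assumptions of this example.

```python
import re

# Assumed defaults for the OpenSSH shipped with RHEL 6 (an assumption of this
# example; confirm against sshd_config(5) on the target system).
ASSUMED_DEFAULTS = {"permitemptypasswords": "no", "permitrootlogin": "yes"}


def effective_value(config_text, keyword):
    """Return (value, source) for a global sshd keyword.

    sshd uses the first value it obtains for a keyword, keywords are
    case-insensitive, and lines starting with '#' are comments. Parsing
    stops at the first Match block because settings there are conditional.
    """
    key = keyword.lower()
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Split the keyword from its argument (whitespace or '=').
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        name = parts[0].lower()
        if name == "match":
            break
        if name == key and len(parts) == 2:
            return parts[1].strip().strip('"').lower(), "explicit"
    return ASSUMED_DEFAULTS.get(key), "default"


def check(config_text, keyword, required):
    """Flag a finding only when the effective value differs from `required`."""
    value, source = effective_value(config_text, keyword)
    return {"keyword": keyword, "value": value, "source": source,
            "finding": value != required.lower()}


# Constructed sample: both directives are commented out, so defaults apply.
SAMPLE = """\
# sshd_config (constructed sample)
Port 22
#PermitEmptyPasswords no
#PermitRootLogin yes
"""

if __name__ == "__main__":
    for kw, req in (("PermitEmptyPasswords", "no"), ("PermitRootLogin", "no")):
        print(check(SAMPLE, kw, req))
```

A directive missing from `ASSUMED_DEFAULTS` yields a value of `None` and is reported as a finding, so an unknown default never passes silently.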
[PATCH] added OCIL check text
by David Smith
added and modified a few things, including using gconftool-2 itself to query gconf values
David Smith (1):
OCIL text additions and modifications
RHEL6/input/services/nfs.xml | 10 +++++++
RHEL6/input/system/accounts/physical.xml | 26 ++++++++++----------
.../accounts/restrictions/password_expiration.xml | 2 +-
3 files changed, 24 insertions(+), 14 deletions(-)
11 years, 6 months