[PATCH 0/2] Minor OCIL additions
by David Smith
David Smith (2):
added OCIL checks
commented out vestige of variable display
RHEL6/input/services/ftp.xml | 6 +++-
RHEL6/input/services/ldap.xml | 4 +++
RHEL6/input/services/mail.xml | 5 ++++
RHEL6/input/services/ssh.xml | 23 ++++++++++++++++++++++
RHEL6/transforms/xccdf2table-profileccirefs.xslt | 5 +--
5 files changed, 38 insertions(+), 5 deletions(-)
11 years, 7 months
macro notes / authoring
by Jeffrey Blank
For our viewers at home who are seeing some of the recent commits and
wondering what's up:
In the "shorthand XCCDF" in input/system and input/services, we've got
stuff like:
<ocil><package-check-macro package="xinetd" /> </ocil>
The package-remove-macro (and many other macros) are defined in
transforms/shorthand2xccdf.xslt, which inserts the lines of text that
you'd expect to see for a manual check. In this case, it's text that
describes how you'd check to see whether that package is installed. See:
<xsl:template match="package-check-macro">
Run the following command to determine if the
<xhtml:code><xsl:value-of select="@package"/></xhtml:code>
package is installed:
<xhtml:pre># rpm -q <xsl:value-of select="@package"/>
</xhtml:pre>
</xsl:template>
This way, if we need to change the language in the entire project that
describes how you check for a package being installed, it's easy to do
at once.
There is also support for adding boilerplate remarks with the text, by
providing the conditional clause which describes non-compliance. This
clause can be provided by adding a clause= attribute to the ocil tag.
(And yes, other transforms take care of generating the 100 lines of XML
that make it proper OCIL.)
A commit I've just made takes care of also adding that clause= attribute
automatically, for those checks which contain a macro. An example of
all of this coming together is in
RHEL6/output/rhel6-table-stig-server-shorttitles.html
(don't forget to git pull; make tables)
11 years, 7 months
[PATCH 0/4] automatic clause insertion for check texts with macros
by Jeffrey Blank
This is to allow easy generation of "if [clause], this is a finding" or whatever
robotic boilerplate text is needed, in the event that your state of compliance
is somehow not apparent after performing a manual check.
Jeffrey Blank (4):
fixes to check text for services
typo fixes to checks in auditing section
typo fixes for service checks
support for including clauses with macro-ized check texts
RHEL6/input/services/dns.xml | 4 +-
RHEL6/input/services/ftp.xml | 6 ++--
RHEL6/input/services/http.xml | 6 ++--
RHEL6/input/services/obsolete.xml | 17 +++++++------
RHEL6/input/services/smb.xml | 4 ++-
RHEL6/input/system/auditing.xml | 8 +++---
RHEL6/transforms/shorthand2xccdf.xslt | 28 +++++++++++++++++----
RHEL6/transforms/xccdf2table-profileccirefs.xslt | 2 +-
8 files changed, 47 insertions(+), 28 deletions(-)
11 years, 7 months
short-term goals update
by Jeffrey Blank
Very short term goal update:
Michael will work on adding "clause=" attributes to each <ocil> tag in
order to have statements like "If [clause], this is a finding" generated
automatically at the end of each check.
I will be working on getting the necessary transform for this working in
very short order (by making augmentations to the existing <ocil> to
<check> transform).
David will be working on the remaining check text items, such as for
PAM/password settings, gconf, and SSH.
The goal is to have the STIG and USGCB profiles in complete enough shape
such that meaningful conversations can be held about them at the
upcoming NIST IT Security Automation Conference in Baltimore next week.
Thanks,
Jeff
11 years, 7 months
[PATCH 0/5] support for generation of boilerplate remarks, validation fixes
by Jeffrey Blank
Through some abuse of the <check-export> facility in XCCDF, we can now
attach a clause to a body of manual checking instructions that can
be used as part of a boilerplate remark.
Also contained here are fixes to make the content validate.
Jeffrey Blank (5):
removal of duplicate OCIL checking text
temporary commenting of x windows listening Rule, until new version
is complete
adding transforms and Values support to enable automatic generation
of boilerplate text
* if a "shorthand" OCIL / manual check text is decorated with a clause
attribute, then it can now be used to generate a boilerplate remark
which incorporates that clause
* for example, if your check needs to conclude with, "If [clause], then
this is a finding..." we can now generate the boilerplate portions if
the clause is provided. The clause can also be used to construct a
question in the true OCIL style for the valid OCIL output.
added example clause for manual check text, to enable boilerplate
remark generation
removed duplicate OCIL check
RHEL6/input/guide.xslt | 6 ++++
RHEL6/input/profiles/common.xml | 2 +-
RHEL6/input/services/base.xml | 1 -
RHEL6/input/services/dhcp.xml | 2 +-
.../accounts/restrictions/password_storage.xml | 8 ------
RHEL6/input/system/network/ipsec.xml | 1 -
RHEL6/input/system/network/wireless.xml | 1 -
RHEL6/input/system/software/disk_partitioning.xml | 4 ++-
RHEL6/transforms/shorthand2xccdf.xslt | 26 +++++++++----------
RHEL6/transforms/xccdf2table-profileccirefs.xslt | 4 +++
10 files changed, 27 insertions(+), 28 deletions(-)
11 years, 7 months
coming soon: re-ordering of check types within Rules
by Jeffrey Blank
... since evaluation of the XCCDF profiles is broken at the moment.
The XCCDF spec says that the first check type should be chosen, and this
will mean putting OVAL first. This is also logical since automated
checks are preferable to manual ones that are defined in OCIL.
This should only be a few lines of XSLT in
transforms/shorthand2xccdf.xslt, but I thought I'd mention that I'm
aware of it.
11 years, 7 months
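Added example, not the project's own shorthand2xccdf.xslt, covering the "macro notes / authoring" post and the check re-ordering note above: a minimal XSLT 1.0 stylesheet that expands package-check-macro, appends the "If [clause], this is a finding." remark from the clause= attribute, and emits the automated check before the manual one. The constructed input Rule, the oval element and the manual-check output element are assumptions.

```xslt
<?xml version="1.0" encoding="UTF-8"?>
<!-- Illustrative stylesheet, not the project's shorthand2xccdf.xslt.
     Constructed shorthand input (ocil deliberately listed before oval):
     <Rule id="package_xinetd_removed">
       <ocil clause="the package is installed">
         <package-check-macro package="xinetd"/>
       </ocil>
       <oval id="package_xinetd_removed"/>
     </Rule>
-->
<xsl:stylesheet version="1.0"
  xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
  xmlns:xhtml="http://www.w3.org/1999/xhtml">
  <xsl:output method="xml" indent="yes"/>

  <!-- Identity: copy everything not rewritten below -->
  <xsl:template match="@*|node()">
    <xsl:copy><xsl:apply-templates select="@*|node()"/></xsl:copy>
  </xsl:template>

  <!-- Emit oval before ocil whatever order the author used, so a consumer
       that takes the first check of a Rule gets the automated one -->
  <xsl:template match="Rule">
    <xsl:copy>
      <xsl:apply-templates select="@*"/>
      <xsl:apply-templates select="node()[not(self::oval or self::ocil)]"/>
      <xsl:apply-templates select="oval"/>
      <xsl:apply-templates select="ocil"/>
    </xsl:copy>
  </xsl:template>

  <!-- Manual check: expand macros, then add the boilerplate remark built
       from clause= (hypothetical output element name) -->
  <xsl:template match="ocil">
    <manual-check>
      <xsl:apply-templates select="node()"/>
      <xsl:if test="@clause">
        <xhtml:p>If <xsl:value-of select="@clause"/>, this is a finding.</xhtml:p>
      </xsl:if>
    </manual-check>
  </xsl:template>

  <!-- The macro from the post: project-wide wording kept in one place -->
  <xsl:template match="package-check-macro">
    <xhtml:p>Run the following command to determine if the
      <xhtml:code><xsl:value-of select="@package"/></xhtml:code>
      package is installed:</xhtml:p>
    <xhtml:pre># rpm -q <xsl:value-of select="@package"/></xhtml:pre>
  </xsl:template>
</xsl:stylesheet>
```

Run it with `xsltproc example.xslt shorthand.xml`; the oval element comes out first and the manual-check element ends with the finding remark only when clause= was present.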