adding "fix"es to the xccdf
by Brian Millett
I'm really interested in adding fixes, or having a set of fixes I can apply to
the xccdf for rhel6. I've looked at the line in the Makefile:
xsltproc -stringparam fixes "../$(IN)/fixes/bash-ks.xml" -o
$(OUT)/unlinked-rhel6-xccdf.xml $(TRANS)/xccdf-addfixes.xslt
$(OUT)/unlinked-rhel6-xccdf.xml
and it looks like, following the bash-ks.xml, I can create a file with each fix
as long as each fix-id is the same as the rule-id so that the fix can be
merged with the appropriate rule into a final xccdf.xml file.
At least, that is what it seems. I uncommented the line in the Makefile and
remade it, however, nothing was added to the final xccdf.xml file, and there
are not any make errors, so
Any documentation or ideas where to look?
Thanks.
--
Brian Millett
"My brain feels like its been sucked out through my ear."
-- [ Londo, "Born to the Purple"]
11 years, 2 months
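An added illustration, not code from the scap-security-guide project or this thread: a small stand-in for the fix-merging step described above, matching each fix to the Rule with the same id and, unlike the silent XSLT run, reporting fixes that matched nothing. The XCCDF namespace, the `<fix-group>` wrapper and the rule ids in the sample are assumptions made for the example.

```python
# Added example (not the project's xccdf-addfixes.xslt): merge a fixes file into an
# XCCDF benchmark by matching each <fix id="..."> to the <Rule id="..."> with the
# same id, and report fixes whose id matched no rule (the "nothing was added and
# no make errors" case from the thread).
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"
ET.register_namespace("", XCCDF_NS)

# Constructed sample benchmark and fixes file; ids are made up for the example.
BENCHMARK = f"""<Benchmark xmlns="{XCCDF_NS}" id="RHEL-6">
  <Group id="accounts">
    <Rule id="accounts_umask_etc_profile"><title>umask in /etc/profile</title></Rule>
    <Rule id="accounts_umask_login_defs"><title>umask in login.defs</title></Rule>
  </Group>
</Benchmark>"""

FIXES = f"""<fix-group xmlns="{XCCDF_NS}" system="urn:xccdf:fix:script:sh">
  <fix id="accounts_umask_etc_profile">grep -q ^umask /etc/profile || echo "umask 077" &gt;&gt; /etc/profile</fix>
  <fix id="acounts_umask_login_defs">sed -i 's/^UMASK.*/UMASK 077/' /etc/login.defs</fix>
</fix-group>"""

def merge_fixes(benchmark_xml, fixes_xml):
    """Return (merged benchmark element, list of fix ids that matched no Rule)."""
    bench = ET.fromstring(benchmark_xml)
    fixes = ET.fromstring(fixes_xml)
    system = fixes.get("system")
    rules = {r.get("id"): r for r in bench.iter(f"{{{XCCDF_NS}}}Rule")}
    unmatched = []
    for fix in fixes.findall(f"{{{XCCDF_NS}}}fix"):
        rule = rules.get(fix.get("id"))
        if rule is None:
            unmatched.append(fix.get("id"))   # a typo'ed id would otherwise vanish silently
            continue
        fix.set("system", system)             # carry the fix system down onto each fix
        rule.append(fix)
    return bench, unmatched

def fixed_rule_ids(bench):
    """Ids of the Rules that now carry a <fix> child."""
    return sorted(r.get("id") for r in bench.iter(f"{{{XCCDF_NS}}}Rule")
                  if r.find(f"{{{XCCDF_NS}}}fix") is not None)

if __name__ == "__main__":
    bench, unmatched = merge_fixes(BENCHMARK, FIXES)
    print("rules with fixes:", fixed_rule_ids(bench))
    print("fixes without a matching rule:", unmatched)
```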
Getting the umask tests/checks to finally work
by Brian Millett
See attached patch for the following files
scap-security-guide/RHEL6/input/system/accounts/session.xml
scap-security-guide/RHEL6/input/checks/accounts_umask_etc_profile.xml
scap-security-guide/RHEL6/input/checks/accounts_umask_bash_users.xml
scap-security-guide/RHEL6/input/checks/accounts_umask_csh.xml
scap-security-guide/RHEL6/input/checks/accounts_umask_login_defs.xml
scap-security-guide/RHEL6/input/profiles/usgcb-rhel6-server.xml
scap-security-guide/RHEL6/input/profiles/common.xml
scap-security-guide/RHEL6/input/profiles/maritz-rhel6-server.xml
scap-security-guide/RHEL6/input/profiles/test.xml
scap-security-guide/RHEL6/input/profiles/stig-rhel6-server.xml
Results now are:
Ensure the Default Bash Umask is Set Correctly fail
Ensure the Default C Shell Umask is Set Correctly fail
Ensure the Default Umask is Set Correctly in /etc/profile fail
Ensure the Default Umask is Set Correctly in login.defs pass
Set Daemon Umask fail
--
Brian Millett
"If anyone asks, say it fell from the sky."
-- [ Delenn to Sinclair (re: Vorlon files), "The Gathering"]
11 years, 2 months
[PATCH] fix for typo'ed refine-values
by Jeffrey Blank
Thanks very much to Brian Millett for his testing.
And perhaps at some point we'll consistently rename all
Values to end in "_value" or begin with "var_", but that's
a foppish concern that can wait for now...
Jeffrey Blank (1):
fixed typo in refine-value for user umasks
RHEL6/input/profiles/stig-rhel6-server.xml | 4 +---
RHEL6/input/profiles/test.xml | 2 +-
2 files changed, 2 insertions(+), 4 deletions(-)
11 years, 2 months
a small problem with some profiles umask_user_value is user_umask_value
by Brian Millett
Ensure the Default Bash Umask is Set Correctly *error*
Ensure the Default C Shell Umask is Set Correctly *error*
Ensure the Default Umask is Set Correctly in /etc/profile *error*
Ensure the Default Umask is Set Correctly in login.defs *error*
I was pulling out my hair (and I don't have much left anyways) why the
umask_bashrc, umask_cshrc, etc were giving the results of "error" during an
evaluation. Well, come to find out the variables are typoed
(user_umask_value instead of umask_user_value), so
cd scap-security-guide/RHEL6/input/profiles
perl -pi -e 's/user_umask_value/umask_user_value/' $(grep -Rl user_umask_value *)
fixes that problem.
--
Brian Millett
"Shifts in paradigms
often cause nose bleeds."
Greg Glenn
11 years, 2 months
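An added check, not part of this thread or the project: the "error" results above came from refine-value idrefs that point at a Value id that does not exist. This example validates every refine-value idref in a benchmark against the defined Value ids and, for the swapped-word typo seen here, suggests the Value id built from the same words. It assumes profiles and Values already sit in one merged XCCDF document; the sample ids are constructed.

```python
# Added example (not project code): find refine-value idrefs in XCCDF profiles
# that do not resolve to any <Value id="...">, the bug behind the umask "error"
# results, and suggest Value ids made of the same underscore-separated words.
import xml.etree.ElementTree as ET

NS = "http://checklists.nist.gov/xccdf/1.1"

# Constructed sample; the ids are assumed, not copied from the project's profiles.
BENCHMARK = f"""<Benchmark xmlns="{NS}" id="RHEL-6">
  <Value id="umask_user_value" type="string"><value>077</value></Value>
  <Value id="sshd_idle_timeout_value" type="number"><value>300</value></Value>
  <Profile id="test">
    <refine-value idref="user_umask_value" selector="077"/>
    <refine-value idref="sshd_idle_timeout_value" selector="300"/>
  </Profile>
  <Profile id="stig-rhel6-server">
    <refine-value idref="umask_user_value" selector="077"/>
  </Profile>
</Benchmark>"""

def dangling_refine_values(xml_text):
    """Map profile id -> refine-value idrefs with no matching Value id."""
    root = ET.fromstring(xml_text)
    value_ids = {v.get("id") for v in root.iter(f"{{{NS}}}Value")}
    report = {}
    for profile in root.iter(f"{{{NS}}}Profile"):
        bad = [rv.get("idref") for rv in profile.iter(f"{{{NS}}}refine-value")
               if rv.get("idref") not in value_ids]
        if bad:
            report[profile.get("id")] = bad
    return report

def suggest_fixes(xml_text):
    """For each dangling idref, list Value ids that use the same words in any order."""
    root = ET.fromstring(xml_text)
    by_words = {}
    for v in root.iter(f"{{{NS}}}Value"):
        by_words.setdefault(frozenset(v.get("id").split("_")), []).append(v.get("id"))
    return {bad: sorted(by_words.get(frozenset(bad.split("_")), []))
            for bads in dangling_refine_values(xml_text).values() for bad in bads}

if __name__ == "__main__":
    print(dangling_refine_values(BENCHMARK))   # {'test': ['user_umask_value']}
    print(suggest_fixes(BENCHMARK))            # {'user_umask_value': ['umask_user_value']}
```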
playing with the testcheck.py yields errors
by Brian Millett
Ok, so I've a rhel-6.3 system
[root@localhost checks]# uname -r
2.6.32-279.19.1.el6.x86_64
[root@localhost checks]# rpm -qa | grep libxslt
libxslt-1.1.26-2.el6_3.1.x86_64
I've been looking at the RHEL6/input/checks to see how it is done, and I
wanted to test the checks. So following the documentation
https://fedorahosted.org/scap-security-guide/wiki/newoval, I ran
'sshd_idle_timeout_value=30 ./testcheck.py sshd_idle_timeout.xml' and got
the following error:
[root@localhost checks]# sshd_idle_timeout_value=30 ./testcheck.py
sshd_idle_timeout.xml
external_variable with id : sshd_idle_timeout_value
Evaluating with OVAL tempfile : /tmp/sshd_idle_timeoutUDK_FW.xml
File '/tmp/sshd_idle_timeoutUDK_FW.xml' line 7: Element '{
http://oval.mitre.org/XMLSchema/oval-definitions-5}definition', attribute
'id': [facet 'pattern'] The value
'oval:oval:scap-security-guide.testing:def:108' is not accepted by the
pattern 'oval:[A-Za-z0-9_\-\.]+:def:[1-9][0-9]*'.
Looking into the code, I see that idtranslate.idtranslator already is
adding the namespace to the id
str_id = "%s:%s:%s:%d" % (namespace_to_prefix(tagname), self.content_id, tagname_to_abbrev(tagname), i)
So the 'oval:oval:scap-security-guide.testing:def:108' being generated is
redundant. The following patch fixes that.
[root@localhost checks]# diff -wruN testcheck.py.orig ./testcheck.py
--- testcheck.py.orig 2013-02-05 10:54:44.579854555 -0600
+++ ./testcheck.py 2013-02-05 10:54:57.889884072 -0600
@@ -102,7 +102,7 @@
if element.getchildren():
ovaltree.append(element)
# re-map all the element ids from meaningful names to meaningless
numbers
- testtranslator = idtranslate.idtranslator("testids.ini",
"oval:scap-security-guide.testing")
+ testtranslator = idtranslate.idtranslator("testids.ini",
"scap-security-guide.testing")
ovaltree = testtranslator.translate(ovaltree)
(ovalfile, fname) = tempfile.mkstemp(prefix=defname,suffix=".xml")
os.write(ovalfile, ET.tostring(ovaltree))
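Review bot: the cause is visible in the str_id format quoted just above this diff (`"%s:%s:%s:%d" % (namespace_to_prefix(tagname), self.content_id, ...)`): the translator already emits the `oval:` prefix, so dropping it from the second argument to `idtranslate.idtranslator("testids.ini", ...)` is the right fix. It would be worth adding a one-line comment on that call saying the content id is given without the `oval:` prefix, so the double prefix is not reintroduced the next time someone edits it.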
so now
[root@localhost checks]# sshd_idle_timeout_value=30 ./testcheck.py
sshd_idle_timeout.xml
external_variable with id : sshd_idle_timeout_value
Evaluating with OVAL tempfile : /tmp/sshd_idle_timeoutt_n33_.xml
Definition oval:scap-security-guide.testing:def:111: false
Definition oval:scap-security-guide.testing:def:109: false
Definition oval:scap-security-guide.testing:def:108: false
Evaluation done.
--
Brian Millett
"Shifts in paradigms
often cause nose bleeds."
Greg Glenn
11 years, 2 months
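An added stand-in, not the project's idtranslate.py: a minimal id translator with the same id shape as the str_id format quoted above, plus a check against the schema pattern from the error message, which shows why a content id that already starts with "oval:" produces an id oscap rejects. The abbreviation table and the class name are assumptions.

```python
# Added example (not the project's idtranslate module): number meaningful check
# names into OVAL ids the way testcheck.py's translator does, and validate the
# result against the definition-id pattern quoted in the xmllint error.
import re

# Pattern exactly as reported by the schema validation in the thread.
OVAL_DEF_ID = re.compile(r"oval:[A-Za-z0-9_\-\.]+:def:[1-9][0-9]*")

class IdTranslator:
    """Assumed minimal translator: name -> sequential number, like testids.ini."""

    def __init__(self, content_id):
        self.content_id = content_id      # e.g. "scap-security-guide.testing"
        self.table = {}                   # meaningful name -> assigned number

    def number_for(self, name):
        if name not in self.table:
            self.table[name] = len(self.table) + 1
        return self.table[name]

    def translate(self, name):
        # Same shape as the project's str_id: the "oval:" prefix is supplied here,
        # so a content_id that already carries "oval:" yields "oval:oval:...".
        return "oval:%s:def:%d" % (self.content_id, self.number_for(name))

def is_valid_definition_id(oval_id):
    """True when the id satisfies the schema pattern (patterns are fully anchored)."""
    return OVAL_DEF_ID.fullmatch(oval_id) is not None

def translate_all(content_id, names):
    """Return [(name, id, valid)] for a batch of check names."""
    t = IdTranslator(content_id)
    return [(n, t.translate(n), is_valid_definition_id(t.translate(n))) for n in names]

if __name__ == "__main__":
    for content_id in ("oval:scap-security-guide.testing", "scap-security-guide.testing"):
        for row in translate_all(content_id, ["sshd_idle_timeout"]):
            print(row)
```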
[PATCH] fixed bug which unnecessarily prepended "oval:" to IDs
by Jeffrey Blank
Signed-off-by: Jeffrey Blank <blank(a)eclipse.ncsc.mil>
---
RHEL6/input/checks/testcheck.py | 10 +---------
1 files changed, 1 insertions(+), 9 deletions(-)
diff --git a/RHEL6/input/checks/testcheck.py b/RHEL6/input/checks/testcheck.py
index 3b410dd..66b8381 100755
--- a/RHEL6/input/checks/testcheck.py
+++ b/RHEL6/input/checks/testcheck.py
@@ -102,20 +102,12 @@ def main():
if element.getchildren():
ovaltree.append(element)
# re-map all the element ids from meaningful names to meaningless numbers
- testtranslator = idtranslate.idtranslator("testids.ini", "oval:scap-security-guide.testing")
+ testtranslator = idtranslate.idtranslator("testids.ini", "scap-security-guide.testing")
ovaltree = testtranslator.translate(ovaltree)
(ovalfile, fname) = tempfile.mkstemp(prefix=defname,suffix=".xml")
os.write(ovalfile, ET.tostring(ovaltree))
os.close(ovalfile)
print "Evaluating with OVAL tempfile : " + fname
- # temporary workaround for fedora/redhat oscap version differences
- # (distname, distversion, distcodename) = platform.linux_distribution(full_distribution_name=0)
- # if distname == 'redhat':
- # subprocess.call("oscap oval eval --result-file "+ fname + "-results " + fname, shell=True)
- # else:
-
- # content requires OVAL 5.8 support, which is only supported by openscap 0.8 or later
- # for RHEL 6, this implies installing openscap from source until RPM is released
subprocess.call("oscap oval eval --results "+ fname + "-results " + fname, shell=True)
# perhaps delete tempfile?
definitions = ET.Element("definitions")
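Review bot: the surviving `subprocess.call("oscap oval eval --results "+ fname + "-results " + fname, shell=True)` hands a concatenated string to a shell, and `fname` comes from `tempfile.mkstemp(prefix=defname, ...)`, so whatever characters `defname` contains are parsed by the shell. Passing an argument list, `subprocess.call(["oscap", "oval", "eval", "--results", fname + "-results", fname])`, avoids shell parsing altogether. Deleting the commented-out block also drops the only note recording that the content needs OVAL 5.8 and therefore openscap 0.8 or later on RHEL 6; that belongs in the README or a docstring rather than vanishing. The `# perhaps delete tempfile?` question stays open, and the `fname + "-results"` file is never removed either.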
--
1.7.1
11 years, 2 months