Shawn (et al),
The ticketing system shows me you'd opened up a bunch of tickets to add
a "New rule" for items which were in the old RHEL 5 USGCB profile.
Okay, great, this helps with ensuring there is continuation of that
profile/baseline with some consistency.
A few notes:
1) I've been able to close some of the tickets as "fixed", providing
explanation as to why. Some of them are being handled through other
mechanisms for RHEL 6.
2) If anybody starts executing on the other tickets, the goal is NOT to
add new rules as the ticket says, but rather to conduct investigation to
see if the Rule is applicable to RHEL 6 in the same way it was
applicable to RHEL 5.
3) In the ticket titles, there is some of the odd CCE language which
talks about disabling/enabling things "as appropriate". That's fine as
an identifier (and the RHEL 6 USGCB did use some of this language).
However, this style of language, which is intended for neither a human
nor a machine, should never appear in the project's XCCDF. (Just in case
anybody gets any ideas.)
Technology and Systems Analysis / Network Components
NSA Information Assurance
I'm trying to get started with making the latest clone from the git
repository and I get the following error:
[bpm]$ git clone
Cloning into 'scap-security-guide'...
remote: Counting objects: 14016, done.
remote: Compressing objects: 100% (5257/5257), done.
remote: Total 14016 (delta 10574), reused 10664 (delta 7718)
Receiving objects: 100% (14016/14016), 3.18 MiB | 2.17 MiB/s, done.
Resolving deltas: 100% (10574/10574), done.
[bpm]$ cd scap-security-guide/RHEL6/
[bpm]$ make all
xsltproc -o output/rhel6-shorthand.xml input/guide.xslt input/guide.xml
xmllint --format --output output/rhel6-shorthand.xml
xsltproc -o output/unlinked-noprofiles-rhel6-xccdf.xml
compilation error: file transforms/shorthand2xccdf.xslt line 19 element
xsl:attribute: The attribute name 'xmlns' is not allowed.
make: *** [shorthand2xccdf] Error 5
I have a Fedora 18, x86_64 installation.
"Shifts in paradigms
often cause nose bleeds."
There are a few more coming that need more testing or aren't working correctly, but here's a small batch for now.
The behavior recurse="files" was deprecated, so I changed it to the normal "symlinks and directories". Also, the
environment variable tests were updated and replaced by the environmentvariable58 tests, objects, and states.
One check I can't submit an update to yet that has a similar problem is "accounts_root_path_dirs_no_write". I was
cleaning it up and replacing the deprecated check when I noticed that the check is not actually working correctly.
Specifying a single path in file_object gets the correct result of true or false, but passing in a variable with
multiple values (PATH, split into multiple strings) appears to always fail with "does not exist".
- Maura Dailey
Maura Dailey (3):
Replacing deprecated <ind:environmentvariable_...> tags with
Removing deprecated recurse=files behavior.
Removing deprecated recurse="files" behavior
.../checks/accounts_dangerous_path_for_root.xml | 53 ++++++++++----------
.../input/checks/file_permissions_ungroupowned.xml | 4 +-
RHEL6/input/checks/file_permissions_unowned.xml | 4 +-
3 files changed, 31 insertions(+), 30 deletions(-)
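To make the expected verdict for a multi-entry PATH concrete, here is a stand-alone re-implementation of what the accounts_root_path_dirs_no_write check is meant to establish (no directory in root's PATH may be writable by group or other). This is an added example, not the project's OVAL content or the patch above; it also reports relative entries ("", ".", anything not starting with "/") as a separate finding, which goes slightly beyond the rule named in the message, and the fixture directories are constructed in a private temp tree rather than taken from a real system.

```python
# Added example (not scap-security-guide code): evaluate every entry of a
# PATH string independently, the way accounts_root_path_dirs_no_write is
# intended to, so the result for a split multi-value PATH can be compared
# against what the OVAL evaluation reports.
import os
import stat
import tempfile


def split_path(path_value):
    """Split a PATH string on ':' as the shell does, keeping empty entries."""
    return path_value.split(":")


def check_root_path(path_value):
    """Return (passed, findings); findings is a list of (entry, reason).

    A directory that does not exist is skipped, not failed: nothing can be
    written to a path that is not there, so "does not exist" must never
    turn into a FAIL for the whole PATH."""
    findings = []
    for entry in split_path(path_value):
        if entry in ("", ".") or not entry.startswith("/"):
            # Relative entries belong to a different rule; reported here so
            # they are not silently dropped from the verdict.
            findings.append((entry, "relative entry"))
            continue
        try:
            st = os.stat(entry)          # follows symlinks, like a PATH lookup
        except FileNotFoundError:
            continue
        if not stat.S_ISDIR(st.st_mode):
            continue                     # not a directory: nothing to search
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((entry, "writable by group/other (mode %04o)"
                             % stat.S_IMODE(st.st_mode)))
    return (not findings, findings)


def build_fixture():
    """Constructed sample input (not real system paths): a temp tree with a
    0755 directory, a sticky world-writable 1777 directory and one path that
    does not exist."""
    root = tempfile.mkdtemp(prefix="rootpath-")
    safe = os.path.join(root, "sbin")
    os.mkdir(safe)
    os.chmod(safe, 0o755)
    bad = os.path.join(root, "scratch")
    os.mkdir(bad)
    os.chmod(bad, 0o1777)        # sticky bit does not make it safe for PATH
    missing = os.path.join(root, "gone")
    return safe, bad, missing


if __name__ == "__main__":
    safe, bad, missing = build_fixture()
    passed, findings = check_root_path(":".join([safe, bad, missing]))
    print("PASS" if passed else "FAIL", findings)
```

Run against `:`-joined fixture paths the verdict is FAIL with exactly one finding (the 1777 directory); the missing entry contributes nothing, which is the behaviour the OVAL check should also show once the variable-based file_object works.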
Most of this was just cleanup. Within the services and system directories, "RHEL6" and "RHEL 6" appeared nearly the same number of times -- this patch changes all of them to "RHEL 6" for consistency.
David Smith (3):
removed extraneous comma
additional copy editing
RHEL6/input/intro/intro.xml | 2 +-
RHEL6/input/services/dns.xml | 2 +-
RHEL6/input/services/ldap.xml | 2 +-
RHEL6/input/services/mail.xml | 2 +-
RHEL6/input/services/nfs.xml | 2 +-
RHEL6/input/services/obsolete.xml | 2 +-
RHEL6/input/services/services.xml | 8 ++++----
RHEL6/input/system/accounts/accounts.xml | 2 +-
RHEL6/input/system/logging.xml | 2 +-
RHEL6/input/system/network/iptables.xml | 6 +++---
RHEL6/input/system/network/wireless.xml | 2 +-
RHEL6/input/system/selinux.xml | 4 ++--
12 files changed, 18 insertions(+), 18 deletions(-)
I based this on the existing disable GNOME automounting check. I've run the command to disable it manually
and checked its output against what my script checks for with testcheck.py and everything seems to work
- Maura Dailey
Maura Dailey (1):
Adding check for disabling GNOME thumbnailers in gconf
.../checks/gconf_gnome_disable_thumbnailers.xml | 28 ++++++++++++++++++++
RHEL6/input/system/permissions/mounting.xml | 2 +-
2 files changed, 29 insertions(+), 1 deletions(-)
create mode 100644 RHEL6/input/checks/gconf_gnome_disable_thumbnailers.xml
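As an added example (not the project's OVAL check and not the author's script), the following reads the gconf mandatory-settings tree and answers the same question the new gconf_gnome_disable_thumbnailers check asks. The file location /etc/gconf/gconf.xml.mandatory/%gconf-tree.xml, the nested <dir>/<entry> layout and the key /desktop/gnome/thumbnailers/disable_all are assumptions about how gconf stores the value that `gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --type bool --set /desktop/gnome/thumbnailers/disable_all true` writes; SAMPLE_TREE is constructed here so the code runs offline.

```python
# Added example (not scap-security-guide code): look up a boolean key in a
# gconf XML tree and decide whether GNOME thumbnailers are disabled.
import xml.etree.ElementTree as ET

# Assumed location of the mandatory (admin-enforced) gconf settings.
MANDATORY_TREE = "/etc/gconf/gconf.xml.mandatory/%gconf-tree.xml"

# Constructed sample of the nested <dir>/<entry> layout; not a real file.
SAMPLE_TREE = """<?xml version="1.0"?>
<gconf>
  <dir name="desktop">
    <dir name="gnome">
      <dir name="volume_manager">
        <entry name="automount" mtime="1" type="bool" value="false"/>
      </dir>
      <dir name="thumbnailers">
        <entry name="disable_all" mtime="1" type="bool" value="true"/>
      </dir>
    </dir>
  </dir>
</gconf>
"""


def gconf_entry(tree_xml, key):
    """Walk /a/b/c through <dir name="a"><dir name="b"> to <entry name="c">.
    Returns the entry element or None if any path component is missing."""
    node = ET.fromstring(tree_xml)
    parts = key.strip("/").split("/")
    for name in parts[:-1]:
        node = node.find("dir[@name='%s']" % name)
        if node is None:
            return None
    return node.find("entry[@name='%s']" % parts[-1])


def gconf_bool(tree_xml, key):
    """True/False for a boolean entry; None when absent or not of type bool."""
    entry = gconf_entry(tree_xml, key)
    if entry is None or entry.get("type") != "bool":
        return None
    return entry.get("value") == "true"


def thumbnailers_disabled(tree_xml):
    """The check proper: the key must be present, boolean and true. An absent
    key is a FAIL, because gconf then falls back to the default (enabled)."""
    return gconf_bool(tree_xml, "/desktop/gnome/thumbnailers/disable_all") is True


def check_file(path=MANDATORY_TREE):
    """Evaluate the real tree; unreadable or unparsable input is a FAIL."""
    try:
        with open(path) as fh:
            return thumbnailers_disabled(fh.read())
    except (OSError, ET.ParseError):
        return False


if __name__ == "__main__":
    print("sample tree:", "PASS" if thumbnailers_disabled(SAMPLE_TREE) else "FAIL")
    print("system tree:", "PASS" if check_file() else "FAIL")
```

Treating a missing key, a missing file or a parse error all as FAIL keeps the check's semantics aligned with the manual gconftool-2 command: only an explicit mandatory `true` counts.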
The XCCDF pointed to an OVAL check that did not exist because the contents of
the OVAL check file did not match the filename. I renamed the OVAL check file
to match its contents and updated the OVAL reference to point to the correct
- Maura Dailey
Maura Dailey (1):
Renamed OVAL check file to match contents, then updated OVAL
reference to point to said file.
.../checks/ensure_gpgcheck_never_disabled.xml | 26 --------------------
RHEL6/input/checks/yum_gpgcheck_never_disabled.xml | 26 ++++++++++++++++++++
RHEL6/input/system/software/updating.xml | 2 +-
3 files changed, 27 insertions(+), 27 deletions(-)
delete mode 100644 RHEL6/input/checks/ensure_gpgcheck_never_disabled.xml
create mode 100644 RHEL6/input/checks/yum_gpgcheck_never_disabled.xml