scap-security-guide May 2013

scap-security-guide@lists.fedorahosted.org

12 participants
55 discussions

[PATCH] transform designed to remove the 'tested by' information
by David Smith 07 May '13

07 May '13

--- RHEL6/transforms/xccdf-removetested.xslt | 23 +++++++++++++++++++++++ 1 files changed, 23 insertions(+), 0 deletions(-) create mode 100644 RHEL6/transforms/xccdf-removetested.xslt diff --git a/RHEL6/transforms/xccdf-removetested.xslt b/RHEL6/transforms/xccdf-removetested.xslt new file mode 100644 index 0000000..e94f3da --- /dev/null +++ b/RHEL6/transforms/xccdf-removetested.xslt @@ -0,0 +1,23 @@ +<?xml version="1.0"?> +<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:xccdf="http://checklists.nist.gov/xccdf/1.1" xmlns:dc="http://purl.org/dc/elements/1.1/" +xmlns:xhtml="http://www.w3.org/1999/xhtml" exclude-result-prefixes="xccdf"> + + + + +  + <xsl:template match="dc:contributor"> + </xsl:template> + +  + <xsl:template match="dc:date"> + </xsl:template> + +  + <xsl:template match="@*|node()"> + <xsl:copy> + <xsl:apply-templates select="@*|node()" /> + </xsl:copy> + </xsl:template> + +</xsl:stylesheet> -- 1.7.1

2 1

[PATCH] Removing a newline to fix XHTML formatting
by Maura Dailey 06 May '13

06 May '13

'<fix>' tags were surrounded with newlines in the final XHTML, which made formatting and padding uneven. This tiny fix leaves the initial and final newlines, but doesn't add additional newlines to the end of the body of the fix block. The resulting XHTML looks a little strange in source but displays properly. It's possible to remove the newline in the first out.write() call to create a neater solution in source with no surrounding blank lines at all, but this requires that the XSL transforms which create the final XHTML guide to be edited as well. (The <code> tags normally inserted by the XSL transforms for <fix> tags in dbout.html for db:programlisting have to be removed.) Signed-off-by: Maura Dailey <maura(a)eclipse.ncsc.mil> --- RHEL6/transforms/combinefixes.py | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/RHEL6/transforms/combinefixes.py b/RHEL6/transforms/combinefixes.py index 307cac3..f9d8b7f 100755 --- a/RHEL6/transforms/combinefixes.py +++ b/RHEL6/transforms/combinefixes.py @@ -32,7 +32,7 @@ def main(): body = body + encode(f.read()) fixName = os.path.splitext(filename)[0] out.write("<fix rule=\""+fixName+"\">\n") - out.write(body+"\n") + out.write(body.rstrip()) out.write("</fix>\n") out.write(fixGroupFooter) @@ -45,7 +45,7 @@ def main(): body = body + encode(f.read()) fixName = os.path.splitext(filename)[0] out.write("<fix-common id=\""+fixName+"\">\n") - out.write(body+"\n") + out.write(body.rstrip()) out.write("</fix-common>\n") out.write(fixCommonGroupFooter) -- 1.7.1

2 1

[PATCH 0/2] *** SUBJECT HERE ***
by Jeffrey Blank 06 May '13

06 May '13

*** BLURB HERE *** Jeffrey Blank (2): removed obsolete LDAP guidance, checks deletion of manual audit profile, OVAL for obsolete ldap server checks RHEL6/input/checks/iptables_ldap_enabled.xml | 68 ---- .../ldap_server_config_bdb_file_security.xml | 22 -- .../ldap_server_config_certificate_files.xml | 242 -------------- .../ldap_server_config_directory_file_security.xml | 22 -- RHEL6/input/checks/ldap_server_config_logging.xml | 115 ------- .../input/checks/ldap_server_config_olcaccess.xml | 56 --- .../input/checks/ldap_server_config_olcrootpw.xml | 32 -- .../ldap_server_config_olcsecurity_simple_bind.xml | 31 -- .../checks/ldap_server_config_olcsecurity_tls.xml | 31 -- .../input/checks/ldap_server_config_olcsuffix.xml | 31 -- .../ldap_server_config_olctlsciphersuite.xml | 36 -- RHEL6/input/profiles/manual_audits.xml | 39 --- RHEL6/input/services/ldap.xml | 351 ++----------------- 13 files changed, 37 insertions(+), 1039 deletions(-) delete mode 100644 RHEL6/input/checks/iptables_ldap_enabled.xml delete mode 100644 RHEL6/input/checks/ldap_server_config_bdb_file_security.xml delete mode 100644 RHEL6/input/checks/ldap_server_config_certificate_files.xml delete mode 100644 RHEL6/input/checks/ldap_server_config_directory_file_security.xml delete mode 100644 RHEL6/input/checks/ldap_server_config_logging.xml delete mode 100644 RHEL6/input/checks/ldap_server_config_olcaccess.xml delete mode 100644 RHEL6/input/checks/ldap_server_config_olcrootpw.xml delete mode 100644 RHEL6/input/checks/ldap_server_config_olcsecurity_simple_bind.xml delete mode 100644 RHEL6/input/checks/ldap_server_config_olcsecurity_tls.xml delete mode 100644 RHEL6/input/checks/ldap_server_config_olcsuffix.xml delete mode 100644 RHEL6/input/checks/ldap_server_config_olctlsciphersuite.xml delete mode 100644 RHEL6/input/profiles/manual_audits.xml

2 3

scap-security-guide v0.1-10 released -- now with JBossEAP5!
by Shawn Wells 02 May '13

02 May '13

Friends, A rebase of the scap-security-guide RPM was *long* overdue! Please see the "Consume" section of the project wiki for download information: https://fedorahosted.org/scap-security-guide/ Highlights of SSG v0.1-10 include: - JBossEAP5 content! Utilizing content from the SCAP Security Guide project, on 29-JAN-2013 Red Hat corporately submitted paperwork to DISA FSO to begin the JBossEAP5 STIG process. SSG v0.1-10 reflects the OCIL, OVAL, and XCCDF content of this submission. Please refer to /usr/share/xml/scap/ssg/guide/JBossEAP5_Guide.html for details. We look forward to your feedback via the SSG mailing list! [1] - `man scap-security-guide` now provides sample usage of the content. - Several bugfixes relating to OVAL content. Many thanks to Brian Millet, Kenneth Stailey, Logan Rodrian, and all other members of the SSG community for the reports and patches! - The RHEL6 STIG profile was renamed "stig-rhel6-server" - A RHEL6 checklist has been included (/usr/share/xml/scap/ssg/guidestig-rhel6-server-guide.html). This outlines what specific rules are currently part of the profile. - A number of updates against NIST 800-53 mappings has been completed. Please see files under /usr/share/xml/scap/ssg/policytables/. [1] https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide

1 1

[PATCH 0/3] changing some Rules to Groups
by Jeffrey Blank 02 May '13

02 May '13

Some prose from another source was added to the project as Rules and not as Groups. As the original author of that source text, the intent was to educate users for some special use cases and not to create compliance requirements. If a compliance purpose is deemed necessary for those particular special-case items, they would also need to be rewritten in a far more granular fashion. Jeffrey Blank (3): removed alt-titles-stig file, which is superseded by the stig-overlay file changed some iptables and ipv6 Rules to Groups removed use of non-granular and special-case Rules from some Profiles

2 4

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

scap-security-guide May 2013