From blank at eclipse.ncsc.mil Thu Aug 20 11:34:42 2015
Content-Type: multipart/mixed; boundary="===============8075322578421313493=="
MIME-Version: 1.0
From: Jeffrey Blank <blank at eclipse.ncsc.mil>
To: scap-security-guide at lists.fedorahosted.org
Subject: Re: New tested field for OVAL Checks
Date: Wed, 31 Jul 2013 19:07:48 -0400
Message-ID: <51F998C4.7020808@eclipse.ncsc.mil>
In-Reply-To: 51F9820B.1020401@eclipse.ncsc.mil

--===============8075322578421313493==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable

Looks great!

I'll see if I can throw some Python (or bash?) together to add empty
elements for the sake of convenience (unless Shawn would like to?).
Next, I'll try to update an existing transform to show a list of
requirements from a Profile (such as the STIG), along with indicators
(using green) about which have been tested.

Before long, we should have a nice publicly-viewable worksheet showing
progress on OVAL testing.



On 07/31/2013 05:30 PM, Maura Dailey wrote:
> Going forward, we're going to use <reference> tags inside of OVAL checks
> to track if they've been tested. An example is as follows:
> =

> |<reference ||source=3D"MED" ref_id=3D"20130731" ref_url=3D"test_attestat=
ion" />|
> =

> Source should uniquely identify the tester (here, I used my initials);
> ref_id should be in the format YYYYMMDD. We'll probably be adding empty
> tags into all the checks to get everyone started. This is similar to the
> <tested> tag in XCCDF, which is converted into an XCCDF <reference> tag
> during our build process.
> =

> Here is an example of the <reference> tag in an existing check. Note
> that it comes just after the description tag, inside of <metadata>.
> =

> |<def-group>||
> ||  <definition class=3D"compliance" id=3D"file_permissions_etc_group"
> version=3D"1">||
> ||    <metadata>||
> ||      <title>Verify permissions on 'group' file</title>||
> ||      <affected family=3D"unix">||
> ||        <platform>Red Hat Enterprise Linux 6</platform>||
> ||      </affected>||
> ||      <description>File permissions for /etc/group should be set
> correctly.</description>||
> ||      <reference source=3D"MED" ref_id=3D"20130731"
> ref_url=3D"test_attestation"/>||
> ||    </metadata>||
> ||    <criteria>||
> ||      <criterion test_ref=3D"file_permissions_etc_group_test" />||
> ||    </criteria>||
> ||  </definition>||
> ||  <unix:file_test check=3D"all" check_existence=3D"all_exist"
> comment=3D"Testing /etc/group permissions"
> id=3D"file_permissions_etc_group_test" version=3D"1">||
> ||    <unix:object object_ref=3D"file_permissions_etc_group_object" />||
> ||    <unix:state state_ref=3D"file_permissions_etc_group_state" />||
> ||  </unix:file_test>||
> ||  <unix:file_state id=3D"file_permissions_etc_group_state" version=3D"1=
">||
> ||    <unix:uread datatype=3D"boolean">true</unix:uread>||
> ||    <unix:uwrite datatype=3D"boolean">true</unix:uwrite>||
> ||    <unix:uexec datatype=3D"boolean">false</unix:uexec>||
> ||    <unix:gread datatype=3D"boolean">true</unix:gread>||
> ||    <unix:gwrite datatype=3D"boolean">false</unix:gwrite>||
> ||    <unix:gexec datatype=3D"boolean">false</unix:gexec>||
> ||    <unix:oread datatype=3D"boolean">true</unix:oread>||
> ||    <unix:owrite datatype=3D"boolean">false</unix:owrite>||
> ||    <unix:oexec datatype=3D"boolean">false</unix:oexec>||
> ||  </unix:file_state>||
> ||  <unix:file_object comment=3D"/etc/group"
> id=3D"file_permissions_etc_group_object" version=3D"1">||
> ||    <unix:path>/etc</unix:path>||
> ||    <unix:filename>group</unix:filename>||
> ||  </unix:file_object>||
> ||</def-group>|
> =

> - Maura Dailey
> =

> =

> =

> _______________________________________________
> scap-security-guide mailing list
> scap-security-guide(a)lists.fedorahosted.org
> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
>=20

--===============8075322578421313493==--