>From 39f450cba9b2c9e0db994cb1703b9e13770cbfa3 Mon Sep 17 00:00:00 2001
From: Shawn Wells <shawn@redhat.com>
Date: Mon, 15 Jul 2013 21:27:04 -0400
Subject: [PATCH 1/2] Added bash remediation check to verify-input-sanity.py
 BEFORE PATCH:

$ ./verify-input-sanity.py

  WARNING: XCCDF Rule "disable_logwatch_for_logserver" references OVAL check "logwatch_disabled_for_logserver" which does not exist
           problem occurs in file: src/input/system/logging.xml

  WARNING: XCCDF Rule "deny_password_attempts_unlock_time" references OVAL check "accounts_passwords_pam_faillock_unlock_time" which does not exist
           problem occurs in file: src/input/system/accounts/pam.xml

  WARNING: XCCDF Rule "deny_password_attempts_fail_interval" references OVAL check "accounts_passwords_pam_fail_interval" which does not exist
           problem occurs in file: src/input/system/accounts/pam.xml

  WARNING: XCCDF Rule "set_gdm_login_banner_text" references OVAL check "banner_gui_text_set" which does not exist
           problem occurs in file: src/input/system/accounts/banners.xml

  WARNING: XCCDF Rule "no_shelllogin_for_systemaccounts" references OVAL check "no_shelllogin_for_systemaccounts" which does not exist
           problem occurs in file: src/input/system/accounts/restrictions/root_logins.xml

Traceback (most recent call last):
  File "./verify-input-sanity.py", line 130, in <module>
    tree = ET.fromstring(xccdf_xml_contents)
  File "lxml.etree.pyx", line 2532, in lxml.etree.fromstring (src/lxml/lxml.etree.c:48270)
  File "parser.pxi", line 1545, in lxml.etree._parseMemoryDocument (src/lxml/lxml.etree.c:71812)
  File "parser.pxi", line 1424, in lxml.etree._parseDoc (src/lxml/lxml.etree.c:70673)
  File "parser.pxi", line 938, in lxml.etree._BaseParser._parseDoc (src/lxml/lxml.etree.c:67442)
  File "parser.pxi", line 539, in lxml.etree._ParserContext._handleParseResultDoc (src/lxml/lxml.etree.c:63824)
  File "parser.pxi", line 625, in lxml.etree._handleParseResult (src/lxml/lxml.etree.c:64745)
  File "parser.pxi", line 565, in lxml.etree._raiseParseError (src/lxml/lxml.etree.c:64088)
lxml.etree.XMLSyntaxError: Comment not terminated
<!-- , line 8, column 6

AFTER PATCH:
$ ./verify-input-sanity.py

  WARNING: XCCDF Rule "uninstall_vsftpd" has no bash remediation file

  WARNING: XCCDF Rule "install_vsftpd" has no bash remediation file

..........
  WARNING: XCCDF Rule "disable_logwatch_for_logserver" has no bash remediation file

  WARNING: XCCDF Rule "disable_logwatch_for_logserver" references OVAL check "logwatch_disabled_for_logserver" which does not exist
           problem occurs in file: src/input/system/logging.xml

  WARNING: XCCDF Rule "enable_auditd_bootloader" has no bash remediation file

  WARNING: XCCDF Rule "configure_auditd_num_logs" has no bash remediation file
---
 RHEL6/utils/verify-input-sanity.py |    9 +++++++++
 1 files changed, 9 insertions(+), 0 deletions(-)

diff --git a/RHEL6/utils/verify-input-sanity.py b/RHEL6/utils/verify-input-sanity.py
index 13046b6..f16ee84 100755
--- a/RHEL6/utils/verify-input-sanity.py
+++ b/RHEL6/utils/verify-input-sanity.py
@@ -99,6 +99,9 @@ for oval_check in oval_file_list:
 # want to make sure that a corresponding OVAL check exists in the src/input/checks directory. We print a relatively polite
 # warning if a XCCDF Rule references an OVAL check that does not exist.
 #
+# Additionally, this section will compare the XCCDF ID name to scan for a corresponding bash remediation script. If 
+# a bash remediation script is not found, a notification will be printed to the screen.
+#
 # Again, lots of regex-fu here. In their raw state the XCCDF files are not valid XML. The next iteration of this file may
 # add all of the XML complexity so that we can perform these validations by parsing XML.  That would form a more complete
 # solution.
@@ -130,6 +133,12 @@ for xccdf_file in xccdf_xml_files:
         tree = ET.fromstring(xccdf_xml_contents)
         # extract all of the rules that are defined within the XCCDF
         xccdf_rules = tree.findall(".//Rule")
+	# check that every XCCDF has matching bash remediation
+	for xccdf_rule in xccdf_rules:
+	    file_name = "./fixes/bash/" + xccdf_rule.get("id") + ".sh"
+	    if (not os.access(file_name, os.F_OK)):
+		print "  WARNING: XCCDF Rule \"" + xccdf_rule.get("id") + "\" has no bash remediation file\n"
+	# check that every XCCDF has matching OVAL
         for xccdf_rule in xccdf_rules:
             # extract any reference to an OVAL check
             oval_check_refs = xccdf_rule.findall(".//oval")
-- 
1.7.1