The XCCDF pointed to an OVAL check that did not exist because the contents of the OVAL check file did not match the filename. I renamed the OVAL check file to match its contents and updated the OVAL reference to point to the correct check.
- Maura Dailey
Maura Dailey (1): Renamed OVAL check file to match contents, then updated OVAL reference to point to said file.
 .../checks/ensure_gpgcheck_never_disabled.xml | 26 --------------------
 RHEL6/input/checks/yum_gpgcheck_never_disabled.xml | 26 ++++++++++++++++++++
 RHEL6/input/system/software/updating.xml | 2 +-
 3 files changed, 27 insertions(+), 27 deletions(-)
 delete mode 100644 RHEL6/input/checks/ensure_gpgcheck_never_disabled.xml
 create mode 100644 RHEL6/input/checks/yum_gpgcheck_never_disabled.xml
Signed-off-by: Maura Dailey <maura@eclipse.ncsc.mil>
---
 .../checks/ensure_gpgcheck_never_disabled.xml | 26 --------------------
 RHEL6/input/checks/yum_gpgcheck_never_disabled.xml | 26 ++++++++++++++++++++
 RHEL6/input/system/software/updating.xml | 2 +-
 3 files changed, 27 insertions(+), 27 deletions(-)
 delete mode 100644 RHEL6/input/checks/ensure_gpgcheck_never_disabled.xml
 create mode 100644 RHEL6/input/checks/yum_gpgcheck_never_disabled.xml
diff --git a/RHEL6/input/checks/ensure_gpgcheck_never_disabled.xml b/RHEL6/input/checks/ensure_gpgcheck_never_disabled.xml deleted file mode 100644 index c3a0aec..0000000 --- a/RHEL6/input/checks/ensure_gpgcheck_never_disabled.xml +++ /dev/null @@ -1,26 +0,0 @@ -<def-group> - <definition class="compliance" id="yum_gpgcheck_never_disabled" version="1"> - <metadata> - <title>All Yum Repos Ensure Package Signature Checking</title> - <affected family="unix"> - <platform>Red Hat Enterprise Linux 6</platform> - </affected> - <description>To ensure that signature checking is not - disabled for any repos, ensure that the following line DOES - NOT appear in any repo configuration files in - /etc/yum.repos.d or elsewhere</description> - </metadata> - <criteria> - <criterion comment="check value of gpgcheck=0 in /etc/yum.repos.d/*" test_ref="test_yum_gpgcheck_never_disabled" /> - </criteria> - </definition> - <ind:textfilecontent54_test check="all" check_existence="none_exist" id="test_yum_gpgcheck_never_disabled" comment="gpgcheck=0 should not exist in any repo file within /etc/yum.repos.d" version="1"> - <ind:object object_ref="object_yum_gpgcheck_never_disabled" /> - </ind:textfilecontent54_test> - <ind:textfilecontent54_object comment="gpgcheck=0 should not exist in any repo file within /etc/yum.repos.d" id="object_yum_gpgcheck_never_disabled" version="1"> - ind:path/etc/yum.repos.d</ind:path> - <ind:filename operation="pattern match">.*</ind:filename> - <ind:pattern operation="pattern match">^\s*gpgcheck\s*=\s*0\s*$</ind:pattern> - <ind:instance datatype="int" operation="equals">1</ind:instance> - </ind:textfilecontent54_object> -</def-group> diff --git a/RHEL6/input/checks/yum_gpgcheck_never_disabled.xml b/RHEL6/input/checks/yum_gpgcheck_never_disabled.xml new file mode 100644 index 0000000..c3a0aec --- /dev/null +++ b/RHEL6/input/checks/yum_gpgcheck_never_disabled.xml 
@@ -0,0 +1,26 @@ +<def-group> + <definition class="compliance" id="yum_gpgcheck_never_disabled" version="1"> + <metadata> + <title>All Yum Repos Ensure Package Signature Checking</title> + <affected family="unix"> + <platform>Red Hat Enterprise Linux 6</platform> + </affected> + <description>To ensure that signature checking is not + disabled for any repos, ensure that the following line DOES + NOT appear in any repo configuration files in + /etc/yum.repos.d or elsewhere</description> + </metadata> + <criteria> + <criterion comment="check value of gpgcheck=0 in /etc/yum.repos.d/*" test_ref="test_yum_gpgcheck_never_disabled" /> + </criteria> + </definition> + <ind:textfilecontent54_test check="all" check_existence="none_exist" id="test_yum_gpgcheck_never_disabled" comment="gpgcheck=0 should not exist in any repo file within /etc/yum.repos.d" version="1"> + <ind:object object_ref="object_yum_gpgcheck_never_disabled" /> + </ind:textfilecontent54_test> + <ind:textfilecontent54_object comment="gpgcheck=0 should not exist in any repo file within /etc/yum.repos.d" id="object_yum_gpgcheck_never_disabled" version="1"> + ind:path/etc/yum.repos.d</ind:path> + <ind:filename operation="pattern match">.*</ind:filename> + <ind:pattern operation="pattern match">^\s*gpgcheck\s*=\s*0\s*$</ind:pattern> + <ind:instance datatype="int" operation="equals">1</ind:instance> + </ind:textfilecontent54_object> +</def-group> diff --git a/RHEL6/input/system/software/updating.xml b/RHEL6/input/system/software/updating.xml index 9dbf8b8..95f10d9 100644 --- a/RHEL6/input/system/software/updating.xml +++ b/RHEL6/input/system/software/updating.xml @@ -95,7 +95,7 @@ installation ensures the provenance of the software and protects against malicious tampering. </rationale> <ident cce="26647-8" /> -<oval id="ensure_gpgcheck_never_disabled" /> +<oval id="yum_gpgcheck_never_disabled" /> <ref nist="SI-7,MA-1(b)" disa="352,663"/> <tested by="MM" on="20120928"/> </Rule>
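Review bot: both sides of the rename carry the same blob, `index c3a0aec..0000000` on the deletion and `index 0000000..c3a0aec` on the creation, so the delete-plus-create pair is a pure rename; regenerating the patch with rename detection (`git mv`, then `git format-patch -M`) would express it as a single rename hunk and keep the file's history attached to the new name.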
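Review bot: in the created yum_gpgcheck_never_disabled.xml the object's path element reads `ind:path/etc/yum.repos.d</ind:path>` with no opening `<ind:path>` tag; since the blob is unchanged this may be an artifact of the mail archive, but if it is really in the file the combined OVAL document will not parse and this definition will never evaluate, so a build of the guide should be run before merging. Separately, the description promises the line does not appear in /etc/yum.repos.d "or elsewhere", yet the only object looks under /etc/yum.repos.d with filename pattern `.*`, which inspects every file in that directory (backups and other non-.repo files included, although yum only reads `*.repo`) and never inspects the `[main]` section of /etc/yum.conf, where `gpgcheck=0` is just as effective; either narrow the filename pattern to `^.*\.repo$` and add a second object for /etc/yum.conf, or reword the description to match what is actually checked.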
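Review bot: the new `<oval id="yum_gpgcheck_never_disabled" />` now agrees with the definition id and the filename, but the patch only touches updating.xml; grep the tree for the old id `ensure_gpgcheck_never_disabled` (other rule files, profiles, remediation content) so no other reference is left dangling, and since the follow-up in this thread says the check file was removed in a recent merge, the deletion hunk will not apply to current master and the patch needs a rebase that adds yum_gpgcheck_never_disabled.xml outright. `<tested by="MM" on="20120928"/>` predates the reference change, so the rule should be re-tested once the check resolves.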
In one of the recent merges, Jeff deleted this check, but not the prose. Should I delete the check?
- Maura Dailey
What happened here is a consequence of an earlier jaunt at renaming things. We need the check. We also need the name of the check (as referenced by the XCCDF), the ID of the OVAL definition, and the OVAL filename, to match. Do whatever it takes to make these match.
Future iterations of this toolkit will take care of this automatically.
On 05/20/2013 04:17 PM, Maura Dailey wrote:
In one of the recent merges, Jeff deleted this check, but not the prose. Should I delete the check?
- Maura Dailey
On 05/20/2013 11:52 AM, Maura Dailey wrote:
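The consistency rule stated in the reply above (the XCCDF `<oval id>`, the OVAL definition id and the check filename must all agree) as a checker, added here as an example; it is not the project's build tooling. It assumes the RHEL6/input layout shown in the patch (a checks/ directory beside the rule directories) and, because the def-group fragments never declare the `ind:` namespace and so are not standalone XML, pulls the ids out with regular expressions rather than an XML parser. The sample tree is constructed from the patch's before and after states.

```python
import os
import re
import tempfile

# Constructed from the patch: a trimmed check body whose definition id stays yum_... whatever its file is called.
CHECK_BODY = """<def-group>
  <definition class="compliance" id="yum_gpgcheck_never_disabled" version="1">
    <criteria><criterion test_ref="test_yum_gpgcheck_never_disabled" /></criteria>
  </definition>
</def-group>
"""
DEF_ID = re.compile(r'<definition\b[^>]*\bid="([^"]+)"')
OVAL_REF = re.compile(r'<oval\s+id="([^"]+)"')


def find_mismatches(input_dir):
    """Sorted (kind, detail) findings: 'filename' when checks/<f>.xml defines an id other
    than <f>; 'dangling' when a rule's <oval id> matches no definition id at all."""
    checks_dir = os.path.join(input_dir, "checks")
    findings, def_ids = [], set()
    for fname in sorted(os.listdir(checks_dir)):
        if fname.endswith(".xml"):
            with open(os.path.join(checks_dir, fname)) as f:
                ids = DEF_ID.findall(f.read())
            def_ids.update(ids)
            for def_id in ids:
                if def_id != fname[:-4]:
                    findings.append(("filename", f"{fname} defines {def_id}"))
    for root, dirs, files in os.walk(input_dir):  # rule files: everything but checks/
        dirs[:] = [d for d in dirs if os.path.join(root, d) != checks_dir]
        for fname in sorted(f for f in files if f.endswith(".xml")):
            with open(os.path.join(root, fname)) as f:
                refs = OVAL_REF.findall(f.read())
            for ref in refs:
                if ref not in def_ids:
                    findings.append(("dangling", f"{fname}: oval {ref} has no definition"))
    return sorted(findings)


def demo(fixed):
    """Recreate the tree before (fixed=False) and after the patch in a temp dir, then check it."""
    name = "yum" if fixed else "ensure"
    with tempfile.TemporaryDirectory() as tmp:
        for sub in ("checks", os.path.join("system", "software")):
            os.makedirs(os.path.join(tmp, sub))
        with open(os.path.join(tmp, "checks", f"{name}_gpgcheck_never_disabled.xml"), "w") as f:
            f.write(CHECK_BODY)
        with open(os.path.join(tmp, "system", "software", "updating.xml"), "w") as f:  # constructed Rule stub
            f.write(f'<Rule>\n  <oval id="{name}_gpgcheck_never_disabled" />\n</Rule>\n')
        return find_mismatches(tmp)
```

Before the patch `demo(False)` reports both a filename mismatch and a dangling reference; after it, `demo(True)` returns an empty list.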
scap-security-guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide