On 5/22/14, 1:16 PM, Jan Lieskovsky wrote:
0001-RHEL-6-RHEL-7-shared-Fix-Invalid-OVAL-definition-ref.patch
From 28bf796f5adf6658adf55896bf40e1b93de67d43 Mon Sep 17 00:00:00 2001
From: Jan Lieskovsky <jlieskov@redhat.com>
Date: Thu, 22 May 2014 16:38:24 +0200
Subject: [PATCH 1/3] [RHEL/6, RHEL/7, shared] Fix "Invalid OVAL definition referenced by XCCDF Rule: install_vsftpd" utils/verify-references.py issue

Signed-off-by: Jan Lieskovsky <jlieskov@redhat.com>
---
 RHEL/6/input/checks/package_vsftpd_installed.xml  |  1 +
 .../input/checks/templates/packages_installed.csv |  1 +
 RHEL/6/input/profiles/ftp.xml                     |  2 +-
 RHEL/6/input/services/ftp.xml                     |  2 +-
 RHEL/7/input/checks/package_vsftpd_installed.xml  |  1 +
 RHEL/7/input/services/ftp.xml                     |  2 +-
 shared/fixes/bash/package_vsftpd_installed.sh     |  1 +
 shared/oval/package_vsftpd_installed.xml          | 27 ++++++++++++++++++++++
 8 files changed, 34 insertions(+), 3 deletions(-)
 create mode 120000 RHEL/6/input/checks/package_vsftpd_installed.xml
 create mode 120000 RHEL/7/input/checks/package_vsftpd_installed.xml
 create mode 100644 shared/fixes/bash/package_vsftpd_installed.sh
 create mode 100644 shared/oval/package_vsftpd_installed.xml
diff --git a/RHEL/6/input/checks/package_vsftpd_installed.xml b/RHEL/6/input/checks/package_vsftpd_installed.xml new file mode 120000 index 0000000..7957a23 --- /dev/null +++ b/RHEL/6/input/checks/package_vsftpd_installed.xml @@ -0,0 +1 @@ +../../../../shared/oval/package_vsftpd_installed.xml \ No newline at end of file diff --git a/RHEL/6/input/checks/templates/packages_installed.csv b/RHEL/6/input/checks/templates/packages_installed.csv index ef6e737..dc0ae21 100644 --- a/RHEL/6/input/checks/templates/packages_installed.csv +++ b/RHEL/6/input/checks/templates/packages_installed.csv @@ -13,3 +13,4 @@ postfix psacct rsyslog screen +vsftpd diff --git a/RHEL/6/input/profiles/ftp.xml b/RHEL/6/input/profiles/ftp.xml index 5bbb931..bc1682a 100644 --- a/RHEL/6/input/profiles/ftp.xml +++ b/RHEL/6/input/profiles/ftp.xml @@ -3,7 +3,7 @@
<!--<Profile id="ftp" extends="server" xmlns="http://checklists.nist.gov/xccdf/1.1" > -->
<title>ftp</title> <description>This profile is for FTP servers.</description> -<select idref="install_vsftpd" selected="true"/> +<select idref="package_vsftpd_installed" selected="true"/> <select idref="ftp_log_transactions" selected="true"/> <select idref="ftp_present_banner" selected="true"/> <select idref="ftp_restrict_to_anon" selected="true"/> diff --git a/RHEL/6/input/services/ftp.xml b/RHEL/6/input/services/ftp.xml index ef3ad28..993d6cd 100644 --- a/RHEL/6/input/services/ftp.xml +++ b/RHEL/6/input/services/ftp.xml @@ -55,7 +55,7 @@ accidental activation. <Group id="ftp_use_vsftpd"> <title>Use vsftpd to Provide FTP Service if Necessary</title>
-<Rule id="install_vsftpd"> +<Rule id="package_vsftpd_installed">
This content is great. You've changed an XCCDF name without updating the XCCDF profiles, though ;)
Please submit a patch to update profiles/*
<title>Install vsftpd Package</title> <description>If this machine must operate as an FTP server, install the <tt>vsftpd</tt> package via the standard channels. <pre># yum install vsftpd</pre> diff --git a/RHEL/7/input/checks/package_vsftpd_installed.xml b/RHEL/7/input/checks/package_vsftpd_installed.xml new file mode 120000 index 0000000..7957a23 --- /dev/null +++ b/RHEL/7/input/checks/package_vsftpd_installed.xml @@ -0,0 +1 @@ +../../../../shared/oval/package_vsftpd_installed.xml \ No newline at end of file diff --git a/RHEL/7/input/services/ftp.xml b/RHEL/7/input/services/ftp.xml index e4f76d4..c62618c 100644 --- a/RHEL/7/input/services/ftp.xml +++ b/RHEL/7/input/services/ftp.xml @@ -55,7 +55,7 @@ accidental activation. <Group id="ftp_use_vsftpd"> <title>Use vsftpd to Provide FTP Service if Necessary</title>
-<Rule id="install_vsftpd"> +<Rule id="package_vsftpd_installed">
<title>Install vsftpd Package</title> <description>If this machine must operate as an FTP server, install the <tt>vsftpd</tt> package via the standard channels. <pre># yum install vsftpd</pre> diff --git a/shared/fixes/bash/package_vsftpd_installed.sh b/shared/fixes/bash/package_vsftpd_installed.sh new file mode 100644 index 0000000..5d56d77 --- /dev/null +++ b/shared/fixes/bash/package_vsftpd_installed.sh @@ -0,0 +1 @@ +yum -y install vsftpd diff --git a/shared/oval/package_vsftpd_installed.xml b/shared/oval/package_vsftpd_installed.xml new file mode 100644 index 0000000..84a0bbe --- /dev/null +++ b/shared/oval/package_vsftpd_installed.xml @@ -0,0 +1,27 @@ +<def-group> + <!-- THIS FILE IS GENERATED by create_package_installed.py. DO NOT EDIT. --> + <definition class="compliance" id="package_vsftpd_installed" + version="1"> + <metadata> + <title>Package vsftpd Installed</title> + <affected family="unix"> + <platform>Red Hat Enterprise Linux 6</platform> + <platform>Red Hat Enterprise Linux 7</platform> + </affected> + <description>The RPM package vsftpd should be installed.</description> + <reference source="JL" ref_id="20140522" ref_url="test_attestation"/> + </metadata> + <criteria> + <criterion comment="package vsftpd is installed" + test_ref="test_package_vsftpd_installed" /> + </criteria> + </definition> + <linux:rpminfo_test check="all" check_existence="all_exist" + id="test_package_vsftpd_installed" version="1" + comment="package vsftpd is installed"> + <linux:object object_ref="obj_package_vsftpd_installed" /> + </linux:rpminfo_test> + <linux:rpminfo_object id="obj_package_vsftpd_installed" version="1"> + <linux:name>vsftpd</linux:name> + </linux:rpminfo_object> +</def-group> -- 1.8.3.1
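Review bot: in the packages_installed.csv hunk only RHEL/6/input/checks/templates/packages_installed.csv gains `+vsftpd`, while the same patch creates the RHEL/7/input/checks/package_vsftpd_installed.xml symlink and the generated OVAL lists both Red Hat Enterprise Linux 6 and 7 as platforms. If RHEL/7 keeps its own packages_installed.csv template, add vsftpd there as well, so that a later run of create_package_installed.py for RHEL/7 produces the same definition the new symlink points at instead of silently dropping it.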
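Review bot: the RHEL/6/input/profiles/ftp.xml hunk already replaces the only `<select idref="install_vsftpd" selected="true"/>` with `package_vsftpd_installed`, so the profile side of the rename is covered in this patch; together with the `<Rule id="package_vsftpd_installed">` change in both RHEL/6 and RHEL/7 services/ftp.xml the new id is referenced consistently. The companion uninstall_vsftpd rule keeps the old naming scheme and is worth moving to the same package_vsftpd_removed style in a follow-up so both vsftpd rules are found by the same convention.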
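Review bot: the new shared/oval/package_vsftpd_installed.xml carries the banner `THIS FILE IS GENERATED by create_package_installed.py. DO NOT EDIT.`, so the committed copy should be the unmodified output of that script run over the CSV line added in this same patch rather than a hand-edited file; otherwise the checked-in definition and the next regeneration can drift apart. The check itself matches the rule's intent: `check="all" check_existence="all_exist"` on the rpminfo_test makes the definition fail whenever the vsftpd RPM is absent, which is exactly what "Install vsftpd Package" requires, and the `yum -y install vsftpd` fix in shared/fixes/bash agrees with the `# yum install vsftpd` shown in the rule description.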
scap-security-guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
----- Original Message -----
From: "Shawn Wells" <shawn@redhat.com>
To: scap-security-guide@lists.fedorahosted.org
Sent: Thursday, May 22, 2014 7:39:43 PM
Subject: Re: [PATCH 1/3] [RHEL/6, RHEL/7, shared] Fix "Invalid OVAL definition referenced by XCCDF Rule: install_vsftpd" utils/verify-references.py issue
This content is great. You've changed an XCCDF name without updating the XCCDF profiles, though ;)
Please submit a patch to update profiles/*
Thanks for the review, Shawn. FWICT the original "install_vsftpd" rule was used in the RHEL/6/input/profiles/ftp.xml profile only:
.. scap-security-guide]$ grep -rHn ""install_vsftpd" * | more
RHEL/6/input/profiles/ftp.xml:6:<select idref="install_vsftpd" selected="true"/>
RHEL/6/input/services/ftp.xml:58:<Rule id="install_vsftpd">
RHEL/7/input/services/ftp.xml:58:<Rule id="install_vsftpd">
and that ftp.xml profile got updated within the patch. There are a couple more occurrences of 'uninstall_vsftpd' (which should probably be moved to package_vsftpd_removed), but I didn't touch those, since I didn't touch the uninstall vsftpd rule (can be done next time).
Not sure what you mean by 'Please submit a patch to update profiles/*' above? Like adding a reference to this rule to the other profiles too (where it's not present yet)? If so, can you list which of them it should be added to?
Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team
--
Shawn Wells
Director, Innovation Programs
shawn@redhat.com | 443.534.0130
@shawndwells