--- RHEL6/input/profiles/STIG-server.xml | 2 +- RHEL6/input/profiles/test.xml | 3 +-- 2 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/RHEL6/input/profiles/STIG-server.xml b/RHEL6/input/profiles/STIG-server.xml index 5f67335..3fa5add 100644 --- a/RHEL6/input/profiles/STIG-server.xml +++ b/RHEL6/input/profiles/STIG-server.xml @@ -66,7 +66,7 @@ <refine-value idref="user_umask_value" selector="077"/>
-<select idref="daemon_umask" selected="true" /> +<select idref="set_daemon_umask" selected="true" /> <refine-value idref="var_umask_for_daemons" selector="027"/>
diff --git a/RHEL6/input/profiles/test.xml b/RHEL6/input/profiles/test.xml index 9f0bd50..7742b31 100644 --- a/RHEL6/input/profiles/test.xml +++ b/RHEL6/input/profiles/test.xml @@ -9,7 +9,6 @@ <select idref="package_rsyslog_installed" selected="true"/> <select idref="service_rsyslog_enabled" selected="true"/> <select idref="disable_vsftpd" selected="true"/> -<select idref="set_daemon_umask" selected="true"/> <select idref="set_selinux_state" selected="true"/> <select idref="password_require_digits" selected="true"/> <select idref="tftpd_uses_secure_mode" selected="true"/> @@ -52,7 +51,7 @@ <refine-value idref="user_umask_value" selector="077"/>
-<select idref="daemon_umask" selected="true" /> +<select idref="set_daemon_umask" selected="true"/> <refine-value idref="var_umask_for_daemons" selector="027"/>
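Review bot: in the STIG-server.xml hunk at @@ -66,7 +66,7 @@, the rename from `daemon_umask` to `set_daemon_umask` only fixes the dangling reference if a `<Rule id="set_daemon_umask">` actually exists in the built benchmark, and nothing in this patch shows it; the only evidence is the test.xml hunk that deletes an already-present `<select idref="set_daemon_umask" selected="true"/>`. Please confirm the id against the built ssg-rhel6-xccdf.xml, and drop the space before `/>` in `+<select idref="set_daemon_umask" selected="true" />` so this file uses the same self-closing form as test.xml.

Review bot: in the test.xml hunk at @@ -9,7 +9,6 @@, removing `-<select idref="set_daemon_umask" selected="true"/>` from the top of the profile only keeps the daemon umask rule selected because the second test.xml hunk re-adds the same select next to its `<refine-value idref="var_umask_for_daemons" selector="027"/>`; the two hunks must land together or the test profile silently loses the rule. The commit message should say the select is being moved beside its refine-value and the duplicate collapsed, rather than reading as a deletion.

Review bot: in the test.xml hunk at @@ -52,7 +51,7 @@, this is the same dangling-idref fix as in STIG-server.xml, done by hand in each profile; a build-time check that every Profile/select idref resolves to a Rule id would have caught `daemon_umask` before it reached a profile and would catch the next typo too. Worth adding in this change or a follow-up alongside the existing validate target.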
thanks -- please push!
On 11/21/2012 07:40 AM, Simon Lukasik wrote:
On 11/21/2012 05:48 PM, Jeffrey Blank wrote:
thanks -- please push!
Pushed. But I've just noticed there are two more bugs like this. The command:
$ xpath ssg-rhel6-xccdf.xml \
    '//Profile/select[@idref = //Group/@id]/@idref'
finds:
idref="ftp_limit_users"
-- NODE --
idref="ftp_configure_firewall"
We should really not be selecting the Groups but the Rules.
However, I cannot fix this. Not being the content author, I am not sure whether we want all the Rules of the given group (ftp_limit_users) to be selected. Could someone please check?
Also, would it make sense to include such xpath check in the build process?
Thanks,
-- Simon Lukasik
Oops, scratch that. I've just realized that these groups don't have any rules yet.
Thus, a more correct xpath check would be:
$ xpath ssg-rhel6-xccdf.xml \
    '//Profile/select[(@selected != "false" or @selected != "0") and @idref = //Group[/Rule]/@id]/@idref'
which is passing right now.
On 11/22/2012 07:27 PM, Simon Lukasik wrote:
Thanks very much for checking on this, Simon.
And you're entirely right: we want only to select Rules and not Groups for the profiles. We'll try to clean it up.
I don't think anyone is using the ftp profile (though I could be wrong!) so it wasn't being carefully tested (as far as I know).
And yes -- it would absolutely make sense to include such an xpath check in the build process. (And it's much cleaner than some of the python in utils/verify-references.py...)
Probably there should be a new Makerule which runs several tests against the content, including the existing validate Makerule. If anyone is volunteering, let me know!
Thanks very much again. Jeff
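The check Simon describes and Jeff wants wired into the build, written as a stand-alone Python script. This is an added example for this page; it is not scap-security-guide's utils/verify-references.py and not code from the thread. It uses only the standard library so a Makefile target can run it against the built ssg-rhel6-xccdf.xml, matches elements by local name so the XCCDF 1.1 default namespace needs no prefix, and separates the cases the thread hit: a select whose idref matches nothing at all (the daemon_umask typo fixed by the patch above), a select of a Group that contains no Rules (the two ftp groups), and a select of a Group that does contain Rules. It looks for Rules anywhere beneath a Group rather than using an XPath predicate, because a leading slash inside a predicate such as `//Group[/Rule]` is an absolute path from the document root and matches no Group in a Benchmark. The in-line sample Benchmark is constructed for the example and the script filename in the usage note is hypothetical.

```python
"""Build-time check that XCCDF profiles select Rules, not Groups or ghosts.

Added example for this thread, not scap-security-guide's own
utils/verify-references.py. Standard library only, so it can run from a
Makefile target against the built ssg-rhel6-xccdf.xml.
"""
import sys
import xml.etree.ElementTree as ET


def _local(tag):
    """'{http://checklists.nist.gov/xccdf/1.1}Rule' -> 'Rule'."""
    return tag.rsplit("}", 1)[-1]


def index_items(root):
    """Collect Rule ids, Value ids, and Group ids mapped to 'has a Rule below'."""
    rules, values, groups = set(), set(), {}
    for el in root.iter():
        item_id = el.get("id")
        if item_id is None:
            continue
        kind = _local(el.tag)
        if kind == "Rule":
            rules.add(item_id)
        elif kind == "Value":
            values.add(item_id)
        elif kind == "Group":
            # el.iter() yields el itself (a Group), so only descendant Rules count.
            groups[item_id] = any(_local(d.tag) == "Rule" for d in el.iter())
    return rules, groups, values


def check_profiles(root):
    """Return (profile_id, element, idref, problem) for every bad reference.

    problem is 'unknown' (idref matches nothing: the daemon_umask typo),
    'group-empty' (a Group with no Rules, like the two ftp groups),
    'group-with-rules' (a Group select that silently enables a subtree),
    or 'value' (a select pointing at a Value instead of a Rule).
    """
    rules, groups, values = index_items(root)
    findings = []
    for profile in root.iter():
        if _local(profile.tag) != "Profile":
            continue
        pid = profile.get("id")
        for child in profile:
            kind = _local(child.tag)
            idref = child.get("idref")
            if kind == "select":
                if idref in rules:
                    continue
                if idref in groups:
                    problem = "group-with-rules" if groups[idref] else "group-empty"
                elif idref in values:
                    problem = "value"
                else:
                    problem = "unknown"
            elif kind in ("refine-value", "set-value"):
                if idref in values:
                    continue
                problem = "unknown"
            else:
                continue  # title, description, refine-rule, ...
            findings.append((pid, kind, idref, problem))
    return findings


def check_string(xml_text):
    return check_profiles(ET.fromstring(xml_text))


def check_file(path):
    return check_profiles(ET.parse(path).getroot())


# Constructed sample benchmark, shaped like the profiles in the patch above.
SAMPLE = """\
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="RHEL-6">
  <Profile id="test">
    <select idref="set_daemon_umask" selected="true"/>
    <select idref="daemon_umask" selected="true"/>
    <select idref="ftp_limit_users" selected="true"/>
    <select idref="ftp_configure_firewall" selected="true"/>
    <select idref="services" selected="true"/>
    <refine-value idref="var_umask_for_daemons" selector="027"/>
    <refine-value idref="var_umask_for_demons" selector="027"/>
  </Profile>
  <Value id="var_umask_for_daemons"><value selector="027">027</value></Value>
  <Group id="services">
    <Rule id="set_daemon_umask"/>
    <Group id="ftp">
      <Group id="ftp_limit_users"/>
      <Group id="ftp_configure_firewall"/>
    </Group>
  </Group>
</Benchmark>
"""

if __name__ == "__main__":
    findings = check_file(sys.argv[1]) if len(sys.argv) > 1 else check_string(SAMPLE)
    for pid, kind, idref, problem in findings:
        print(f'profile {pid}: <{kind} idref="{idref}"> {problem}')
    sys.exit(1 if findings else 0)
```

Run as `python check_profiles.py build/ssg-rhel6-xccdf.xml` (hypothetical paths); it exits non-zero whenever a finding is printed, so a Makefile target that depends on the existing validate rule fails the build on a dangling or Group-level select. Every select is checked regardless of its `selected` attribute, since an idref that resolves to nothing is a content bug either way.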
On 11/22/2012 02:26 PM, Simon Lukasik wrote:
scap-security-guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide