This will also enable generation of OCIL.
Jeffrey Blank (2):
  changes to support "transitional" OCIL content (which is what we're calling our manual check text)
  added macro-ized package installation checks

 RHEL6/Makefile | 2 +-
 RHEL6/input/services/dns.xml | 1 +
 RHEL6/input/services/obsolete.xml | 5 +++
 RHEL6/input/system/software/integrity.xml | 1 +
 RHEL6/transforms/constants.xslt | 1 +
 RHEL6/transforms/shorthand2xccdf.xslt | 33 ++++++++++++++++++----
 RHEL6/transforms/xccdf2table-profileccirefs.xslt | 2 +-
 7 files changed, 37 insertions(+), 8 deletions(-)
Signed-off-by: Jeffrey Blank blank@eclipse.ncsc.mil
---
 RHEL6/Makefile | 2 +-
 RHEL6/transforms/constants.xslt | 1 +
 RHEL6/transforms/shorthand2xccdf.xslt | 33 ++++++++++++++++++----
 RHEL6/transforms/xccdf2table-profileccirefs.xslt | 2 +-
 4 files changed, 30 insertions(+), 8 deletions(-)
diff --git a/RHEL6/Makefile b/RHEL6/Makefile index 8049db1..27464bd 100644 --- a/RHEL6/Makefile +++ b/RHEL6/Makefile @@ -95,7 +95,7 @@ eval-ftp: oscap xccdf eval --profile ftp $(OUT)/rhel6-xccdf-$(ID).xml
eval-common: - oscap xccdf eval --profile common --results /tmp/results-test.xml $(OUT)/rhel6-xccdf-$(ID).xml + oscap xccdf eval --profile common --oval-results --results /tmp/results-test.xml $(OUT)/rhel6-xccdf-$(ID).xml
# items in dist are expected for distribution in an rpm dist: tables guide content diff --git a/RHEL6/transforms/constants.xslt b/RHEL6/transforms/constants.xslt index 29ce690..3159cc9 100644 --- a/RHEL6/transforms/constants.xslt +++ b/RHEL6/transforms/constants.xslt @@ -14,4 +14,5 @@
<xsl:variable name="ovaluri">http://oval.mitre.org/XMLSchema/oval-definitions-5</xsl:variable> <xsl:variable name="ociluri">http://www.mitre.org/ocil/2</xsl:variable> +<xsl:variable name="ociltransitional">ocil-transitional</xsl:variable> </xsl:stylesheet> diff --git a/RHEL6/transforms/shorthand2xccdf.xslt b/RHEL6/transforms/shorthand2xccdf.xslt index 200fb37..d899f48 100644 --- a/RHEL6/transforms/shorthand2xccdf.xslt +++ b/RHEL6/transforms/shorthand2xccdf.xslt @@ -166,12 +166,18 @@ exclude-result-prefixes="xccdf xhtml"> </xsl:template>
- <!-- expand reference to OCIL (inline) --> + <!-- expand reference to would-be OCIL (inline) --> <xsl:template match="Rule/ocil"> <check> - <xsl:attribute name="system"> - <xsl:value-of select="$ociluri" /> - </xsl:attribute> + <xsl:attribute name="system">ocil-transitional</xsl:attribute> + <xsl:if test="@clause"> + <check-export> + <xsl:attribute name="export-name">clause</xsl:attribute> + <xsl:attribute name="value-id"> + <xsl:value-of select="@clause" /> + </xsl:attribute> + </check-export> + </xsl:if> <check-content> <xsl:apply-templates select="node()"/> </check-content> @@ -205,10 +211,20 @@ exclude-result-prefixes="xccdf xhtml"> xhtml:pre# chkconfig <xsl:value-of select="@service"/> on</xhtml:pre> </xsl:template>
+ <xsl:template match="package-install-macro"> + The xhtml:code<xsl:value-of select="@package"/></xhtml:code> package can be installed with the following command: + xhtml:pre# yum install <xsl:value-of select="@package"/></xhtml:pre> + </xsl:template> + + <xsl:template match="package-remove-macro"> + The xhtml:code<xsl:value-of select="@package"/></xhtml:code> package can be removed with the following command: + xhtml:pre# yum erase <xsl:value-of select="@package"/></xhtml:pre> + </xsl:template> + <xsl:template match="partition-check-macro"> Run the following command to verify that xhtml:code<xsl:value-of select="@part"/></xhtml:code> lives on its own partition: - xhtml:pre# df -h <xsl:value-of select="@part"/> | grep "<xsl:value-of select="@part"/>"</xhtml:pre> - It will return a line for "<xsl:value-of select="@part"/>" if it is on its own partition. + xhtml:pre# df -h <xsl:value-of select="@part"/> </xhtml:pre> + It will return a line for xhtml:code<xsl:value-of select="@part"/></xhtml:code> if it is on its own partition. </xsl:template>
<xsl:template match="service-disable-check-macro"> @@ -225,6 +241,11 @@ exclude-result-prefixes="xccdf xhtml"> If the service is enabled, it should return: xhtml:pre<xsl:value-of select="@service"/> is running...</xhtml:pre> </xsl:template>
+ <xsl:template match="package-check-macro"> + Run the following command to determine if the xhtml:code<xsl:value-of select="@package"/></xhtml:code> package is installed: + xhtml:pre# rpm -q <xsl:value-of select="@package"/></xhtml:pre> + </xsl:template> + <!-- CORRECTING TERRIBLE ABUSE OF NAMESPACES BELOW --> <!-- (expanding xhtml tags back into the xhtml namespace) --> <xsl:template match="br"> diff --git a/RHEL6/transforms/xccdf2table-profileccirefs.xslt b/RHEL6/transforms/xccdf2table-profileccirefs.xslt index f5d22c1..1d9758f 100644 --- a/RHEL6/transforms/xccdf2table-profileccirefs.xslt +++ b/RHEL6/transforms/xccdf2table-profileccirefs.xslt @@ -147,7 +147,7 @@
<xsl:template match="cdf:check"> - <xsl:if test="@system=$ociluri"> + <xsl:if test="@system=$ociltransitional"> <xsl:apply-templates select="cdf:check-content" /> </xsl:if> <xsl:if test="@system=$ovaluri">
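Review bot: In the Makefile hunk, `--oval-results` makes oscap write one `<oval-file>.result.xml` per OVAL file into the current working directory, so `make eval-common` now leaves result files in `RHEL6/` that nothing in this hunk cleans up; either run the eval from `$(OUT)` or add the result files to the clean target. While touching this line, `--results /tmp/results-test.xml` is a fixed filename in a world-writable directory that another local user can pre-create or symlink; writing under `$(OUT)` avoids that.

Review bot: In the constants.xslt and shorthand2xccdf.xslt hunks, `$ociltransitional` is defined but the `Rule/ocil` template hard-codes the literal (`<xsl:attribute name="system">ocil-transitional</xsl:attribute>`) instead of `<xsl:value-of select="$ociltransitional"/>`, the pattern the removed lines used with `$ociluri`. xccdf2table-profileccirefs.xslt compares `@system=$ociltransitional`, so if the constant is ever changed the table silently drops every manual check. Use the variable in both places, and add a comment in constants.xslt that `ocil-transitional` is deliberately not a check system any scanner recognises, so a rule carrying only this check comes back `notchecked` from `oscap xccdf eval`.

Review bot: In the `Rule/ocil` hunk, `check-export` emits `@clause` as `value-id`, which in XCCDF must be the id of a `<Value>` element in the benchmark; nothing verifies such a Value exists, so a typo in a `clause` attribute yields a dangling reference that XSD validation will not catch. If `clause` is meant to carry free text rather than a Value id, `check-export` is the wrong element. Either way a one-line comment stating what `clause` is expected to hold would help the next person who adds one.

Review bot: In the package/partition macro hunk, dropping the `grep` from `partition-check-macro` makes the expected-output sentence wrong: `df -h /tmp` prints a line whether or not `/tmp` is its own partition (it reports the filesystem that contains the path), so "It will return a line for /tmp if it is on its own partition" no longer discriminates. Either keep an anchored filter such as `df -h <part> | grep " <part>$"` or reword to say the "Mounted on" column must show the partition path itself. Separately, `package-install-macro` and `package-remove-macro` produce remediation text ("can be installed/removed with the following command") rather than a check; if they are going to be placed inside `<ocil>`, as patch 2/2 does, the text should say what to run and which result is a pass, the way `service-disable-check-macro` does.

Review bot: In the `package-check-macro` hunk, the check gives the command (`rpm -q <package>`) but not the expected result, whereas the neighbouring `service-disable-check-macro` states what the command returns when the condition holds. Add a sentence such as "If the package is not installed, the command returns: package <package> is not installed" so the assessor knows which outcome is a finding.

Review bot: In the xccdf2table-profileccirefs.xslt hunk, replacing `$ociluri` with `$ociltransitional` means a check with the real OCIL system (`http://www.mitre.org/ocil/2`) is no longer rendered in the table at all; since the cover letter says OCIL generation is the next step, test for either (`@system=$ociluri or @system=$ociltransitional`) rather than swapping one for the other.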
Jeff -- Please retract my last ACK.
I skimmed this for content the first time around, and never actually applied the patch itself (doooh!) Just did, and it had errors.
JSYN -- Patch 2 applied cleanly.
When running a make clean; make eval-common on your recent branch, it errors out.
Will look into it some more.
MM
On 09/13/2012 03:54 PM, Jeffrey Blank wrote:
[...]
Can you be more specific?
Seeing: make: *** [eval-common] Error 2
does not indicate a new problem. Also note that "make content" must precede "make eval-common".
On 09/14/2012 03:38 PM, Michael J. McConachie wrote:
[...]
scap-security-guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
Disregard; I'll PM you.
Thanks,
On 09/14/2012 01:47 PM, Jeffrey Blank wrote:
[...]
Signed-off-by: Jeffrey Blank blank@eclipse.ncsc.mil
---
 RHEL6/input/services/dns.xml | 1 +
 RHEL6/input/services/obsolete.xml | 5 +++++
 RHEL6/input/system/software/integrity.xml | 1 +
 3 files changed, 7 insertions(+), 0 deletions(-)
diff --git a/RHEL6/input/services/dns.xml b/RHEL6/input/services/dns.xml index 717c3b7..4ee17bb 100644 --- a/RHEL6/input/services/dns.xml +++ b/RHEL6/input/services/dns.xml @@ -37,6 +37,7 @@ implementation flaws and should be disabled if possible. run the following command: <pre># yum erase bind</pre> </description> +<ocil><package-remove-macro package="package_bind_removed" /> </ocil> <rationale> If there is no need to make DNS server software available, removing it provides a safeguard against its activation. diff --git a/RHEL6/input/services/obsolete.xml b/RHEL6/input/services/obsolete.xml index 91d7884..874d27e 100644 --- a/RHEL6/input/services/obsolete.xml +++ b/RHEL6/input/services/obsolete.xml @@ -45,6 +45,7 @@ attacks against xinetd itself. <description>The <tt>xinetd</tt> package can be uninstalled with the following command: <pre># yum erase xinetd</pre> </description> +<ocil><package-remove-macro package="xinetd" /> </ocil> <rationale> Removing the <tt>xinetd</tt> package decreases the risk of the xinetd service's accidental (or intentional) activation. @@ -84,6 +85,7 @@ subject to man-in-the-middle attacks. <description>The <tt>telnet-server</tt> package can be uninstalled with the following command: <pre># yum erase telnet-server</pre></description> +<ocil><package-remove-macro package="telnet-server" /> </ocil> <rationale> Removing the <tt>telnet-server</tt> package decreases the risk of the telnet service's accidental (or intentional) activation. @@ -107,6 +109,7 @@ model.</description> the following command: <pre># yum erase rsh-server</pre> </description> +<ocil><package-remove-macro package="rsh-server" /> </ocil> <rationale>The <tt>rsh-server</tt> package provides several obsolete and insecure network services. Removing it decreases the risk of those services' accidental (or intentional) 
@@ -197,6 +200,7 @@ important authentication information.</description> the following command: <pre># yum erase ypserv</pre> </description> +<ocil><package-remove-macro package="ypserv" /> </ocil> <rationale>Removing the <tt>ypserv</tt> package decreases the risk of the accidental (or intentional) activation of NIS or NIS+ services. </rationale> @@ -252,6 +256,7 @@ as a tftp server, which does not provide encryption or authentication. command: <pre># yum erase tftp-server</pre> </description> +<ocil><package-remove-macro package="tftp-server" /> </ocil> <rationale> Removing the <tt>tftp-server</tt> package decreases the risk of the accidental (or intentional) activation of tftp services. diff --git a/RHEL6/input/system/software/integrity.xml b/RHEL6/input/system/software/integrity.xml index c31087d..6c24ce9 100644 --- a/RHEL6/input/system/software/integrity.xml +++ b/RHEL6/input/system/software/integrity.xml @@ -31,6 +31,7 @@ configurable, with further configuration information located in Install the AIDE package with the command: <pre># yum install aide</pre> </description> +<ocil><package-check-macro package="aide"/></ocil> <rationale> The AIDE package must be installed if it is to be available for integrity checking. </rationale>
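Review bot: In the dns.xml hunk, `package="package_bind_removed"` is the rule id, not the package name; the macro will render "# yum erase package_bind_removed" (compare the `<pre># yum erase bind</pre>` two lines above it). It should be `package="bind"`.

Review bot: In the obsolete.xml hunks, every new `<ocil>` wraps `package-remove-macro`, which expands to "can be removed with the following command: # yum erase ..."; that is remediation text, not a check, so the manual-check content for xinetd, telnet-server, rsh-server, ypserv and tftp-server tells the assessor how to remove the package but not how to verify it is absent. Use `package-check-macro` (or a package-absent variant of it) so the check reads `rpm -q <pkg>` with "package <pkg> is not installed" as the passing result; the removal command already lives in each `<description>`.

Review bot: In the integrity.xml hunk, `<ocil><package-check-macro package="aide"/></ocil>` has no whitespace before `</ocil>`, whereas the dns.xml and obsolete.xml hunks write `... /> </ocil>`; because `Rule/ocil` copies its children with `<xsl:apply-templates select="node()"/>`, that stray space becomes a text node in `<check-content>`. Harmless, but pick one form (the integrity.xml one) for all seven.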
Hi Jeff, ACK.
This is EXACTLY what I was talking to Shawn about a few weeks ago - great job!
Looks good.
Thanks,
MM
On 09/13/2012 03:54 PM, Jeffrey Blank wrote:
[...]
Hi Jeff, ACK. Looks good.
Thanks,
MM
On 09/13/2012 03:54 PM, Jeffrey Blank wrote:
[...]