[PATCH 0/2] minor updates with manual checking text

List overview All Threads
Download

newer

older

[PATCH 0/3] support for generating...

Implementation of openscap

Jeffrey Blank

13 Sep 2012 13 Sep '12

3:54 p.m.

This will also enable generation of OCIL.

Jeffrey Blank (2): changes to support "transitional" OCIL content (which is what we're calling our manual check text) added macro-ized package installation checks

RHEL6/Makefile | 2 +- RHEL6/input/services/dns.xml | 1 + RHEL6/input/services/obsolete.xml | 5 +++ RHEL6/input/system/software/integrity.xml | 1 + RHEL6/transforms/constants.xslt | 1 + RHEL6/transforms/shorthand2xccdf.xslt | 33 ++++++++++++++++++---- RHEL6/transforms/xccdf2table-profileccirefs.xslt | 2 +- 7 files changed, 37 insertions(+), 8 deletions(-)

Show replies by date

Jeffrey Blank

13 Sep 13 Sep

3:54 p.m.

New subject: [PATCH 1/2] changes to support "transitional" OCIL content (which is what we're calling our manual check text)

Signed-off-by: Jeffrey Blank blank@eclipse.ncsc.mil --- RHEL6/Makefile | 2 +- RHEL6/transforms/constants.xslt | 1 + RHEL6/transforms/shorthand2xccdf.xslt | 33 ++++++++++++++++++---- RHEL6/transforms/xccdf2table-profileccirefs.xslt | 2 +- 4 files changed, 30 insertions(+), 8 deletions(-)

diff --git a/RHEL6/Makefile b/RHEL6/Makefile index 8049db1..27464bd 100644 --- a/RHEL6/Makefile +++ b/RHEL6/Makefile @@ -95,7 +95,7 @@ eval-ftp: oscap xccdf eval --profile ftp $(OUT)/rhel6-xccdf-$(ID).xml

eval-common: - oscap xccdf eval --profile common --results /tmp/results-test.xml $(OUT)/rhel6-xccdf-$(ID).xml + oscap xccdf eval --profile common --oval-results --results /tmp/results-test.xml $(OUT)/rhel6-xccdf-$(ID).xml

# items in dist are expected for distribution in an rpm dist: tables guide content diff --git a/RHEL6/transforms/constants.xslt b/RHEL6/transforms/constants.xslt index 29ce690..3159cc9 100644 --- a/RHEL6/transforms/constants.xslt +++ b/RHEL6/transforms/constants.xslt @@ -14,4 +14,5 @@

<xsl:variable name="ovaluri">http://oval.mitre.org/XMLSchema/oval-definitions-5</xsl:variable> <xsl:variable name="ociluri">http://www.mitre.org/ocil/2</xsl:variable> +<xsl:variable name="ociltransitional">ocil-transitional</xsl:variable> </xsl:stylesheet> diff --git a/RHEL6/transforms/shorthand2xccdf.xslt b/RHEL6/transforms/shorthand2xccdf.xslt index 200fb37..d899f48 100644 --- a/RHEL6/transforms/shorthand2xccdf.xslt +++ b/RHEL6/transforms/shorthand2xccdf.xslt @@ -166,12 +166,18 @@ exclude-result-prefixes="xccdf xhtml"> </xsl:template>

-  +  <xsl:template match="Rule/ocil"> <check> - <xsl:attribute name="system"> - <xsl:value-of select="$ociluri" /> - </xsl:attribute> + <xsl:attribute name="system">ocil-transitional</xsl:attribute> + <xsl:if test="@clause"> + <check-export> + <xsl:attribute name="export-name">clause</xsl:attribute> + <xsl:attribute name="value-id"> + <xsl:value-of select="@clause" /> + </xsl:attribute> + </check-export> + </xsl:if> <check-content> <xsl:apply-templates select="node()"/> </check-content> @@ -205,10 +211,20 @@ exclude-result-prefixes="xccdf xhtml"> xhtml:pre# chkconfig <xsl:value-of select="@service"/> on</xhtml:pre> </xsl:template>

+ <xsl:template match="package-install-macro"> + The xhtml:code<xsl:value-of select="@package"/></xhtml:code> package can be installed with the following command: + xhtml:pre# yum install <xsl:value-of select="@package"/></xhtml:pre> + </xsl:template> + + <xsl:template match="package-remove-macro"> + The xhtml:code<xsl:value-of select="@package"/></xhtml:code> package can be removed with the following command: + xhtml:pre# yum erase <xsl:value-of select="@package"/></xhtml:pre> + </xsl:template> + <xsl:template match="partition-check-macro"> Run the following command to verify that xhtml:code<xsl:value-of select="@part"/></xhtml:code> lives on its own partition: - xhtml:pre# df -h <xsl:value-of select="@part"/> | grep "<xsl:value-of select="@part"/>"</xhtml:pre> - It will return a line for "<xsl:value-of select="@part"/>" if it is on its own partition. + xhtml:pre# df -h <xsl:value-of select="@part"/> </xhtml:pre> + It will return a line for xhtml:code<xsl:value-of select="@part"/></xhtml:code> if it is on its own partition. </xsl:template>

<xsl:template match="service-disable-check-macro"> @@ -225,6 +241,11 @@ exclude-result-prefixes="xccdf xhtml"> If the service is enabled, it should return: xhtml:pre<xsl:value-of select="@service"/> is running...</xhtml:pre> </xsl:template>

+ <xsl:template match="package-check-macro"> + Run the following command to determine if the xhtml:code<xsl:value-of select="@package"/></xhtml:code> package is installed: + xhtml:pre# rpm -q <xsl:value-of select="@package"/></xhtml:pre> + </xsl:template> +   <xsl:template match="br"> diff --git a/RHEL6/transforms/xccdf2table-profileccirefs.xslt b/RHEL6/transforms/xccdf2table-profileccirefs.xslt index f5d22c1..1d9758f 100644 --- a/RHEL6/transforms/xccdf2table-profileccirefs.xslt +++ b/RHEL6/transforms/xccdf2table-profileccirefs.xslt @@ -147,7 +147,7 @@

<xsl:template match="cdf:check"> - <xsl:if test="@system=$ociluri"> + <xsl:if test="@system=$ociltransitional"> <xsl:apply-templates select="cdf:check-content" /> </xsl:if> <xsl:if test="@system=$ovaluri">

-- 1.7.1

Michael J. McConachie

14 Sep 14 Sep

12:38 p.m.

New subject: [PATCH 1/2] changes to support "transitional" OCIL content (which is what we're calling our manual check text)

Jeff -- Please retract my last ACK.

I skimmed this for content the first time around, and never actually applied the patch itself (doooh!) Just did, and it had errors.

JSYN -- Patch 2 applied cleanly.

When running a make clean; make eval-common on your recent branch, it errors out.

Will look into it some more.

On 09/13/2012 03:54 PM, Jeffrey Blank wrote:

...

Signed-off-by: Jeffrey Blank blank@eclipse.ncsc.mil

RHEL6/Makefile | 2 +- RHEL6/transforms/constants.xslt | 1 + RHEL6/transforms/shorthand2xccdf.xslt | 33 ++++++++++++++++++---- RHEL6/transforms/xccdf2table-profileccirefs.xslt | 2 +- 4 files changed, 30 insertions(+), 8 deletions(-)

diff --git a/RHEL6/Makefile b/RHEL6/Makefile index 8049db1..27464bd 100644 --- a/RHEL6/Makefile +++ b/RHEL6/Makefile @@ -95,7 +95,7 @@ eval-ftp: oscap xccdf eval --profile ftp $(OUT)/rhel6-xccdf-$(ID).xml

eval-common:

oscap xccdf eval --profile common --results /tmp/results-test.xml $(OUT)/rhel6-xccdf-$(ID).xml

oscap xccdf eval --profile common --oval-results --results /tmp/results-test.xml $(OUT)/rhel6-xccdf-$(ID).xml

# items in dist are expected for distribution in an rpm dist: tables guide content diff --git a/RHEL6/transforms/constants.xslt b/RHEL6/transforms/constants.xslt index 29ce690..3159cc9 100644 --- a/RHEL6/transforms/constants.xslt +++ b/RHEL6/transforms/constants.xslt @@ -14,4 +14,5 @@

<xsl:variable name="ovaluri">http://oval.mitre.org/XMLSchema/oval-definitions-5</xsl:variable> <xsl:variable name="ociluri">http://www.mitre.org/ocil/2</xsl:variable> +<xsl:variable name="ociltransitional">ocil-transitional</xsl:variable> </xsl:stylesheet> diff --git a/RHEL6/transforms/shorthand2xccdf.xslt b/RHEL6/transforms/shorthand2xccdf.xslt index 200fb37..d899f48 100644 --- a/RHEL6/transforms/shorthand2xccdf.xslt +++ b/RHEL6/transforms/shorthand2xccdf.xslt @@ -166,12 +166,18 @@ exclude-result-prefixes="xccdf xhtml"> </xsl:template>




<xsl:template match="Rule/ocil"> <check>
   <xsl:attribute name="system">
       <xsl:value-of select="$ociluri" />
   </xsl:attribute>
   <xsl:attribute name="system">ocil-transitional</xsl:attribute>
   <xsl:if test="@clause">
     <check-export>
     <xsl:attribute name="export-name">clause</xsl:attribute>
     <xsl:attribute name="value-id">
       <xsl:value-of select="@clause" />
     </xsl:attribute>
     </check-export>
   </xsl:if>
   <check-content>
   <xsl:apply-templates select="node()"/>
   </check-content>
@@ -205,10 +211,20 @@ exclude-result-prefixes="xccdf xhtml"> xhtml:pre# chkconfig <xsl:value-of select="@service"/> on</xhtml:pre> </xsl:template>

<xsl:template match="package-install-macro">

The xhtml:code<xsl:value-of select="@package"/></xhtml:code> package can be installed with the following command:

xhtml:pre# yum install <xsl:value-of select="@package"/></xhtml:pre>

</xsl:template>

<xsl:template match="package-remove-macro">

The xhtml:code<xsl:value-of select="@package"/></xhtml:code> package can be removed with the following command:

xhtml:pre# yum erase <xsl:value-of select="@package"/></xhtml:pre>

</xsl:template>

<xsl:template match="partition-check-macro"> Run the following command to verify that xhtml:code<xsl:value-of select="@part"/></xhtml:code> lives on its own partition:

xhtml:pre# df -h <xsl:value-of select="@part"/> | grep "<xsl:value-of select="@part"/>"</xhtml:pre>

It will return a line for "<xsl:value-of select="@part"/>" if it is on its own partition.

xhtml:pre# df -h <xsl:value-of select="@part"/> </xhtml:pre>

It will return a line for xhtml:code<xsl:value-of select="@part"/></xhtml:code> if it is on its own partition. </xsl:template>

<xsl:template match="service-disable-check-macro">

@@ -225,6 +241,11 @@ exclude-result-prefixes="xccdf xhtml"> If the service is enabled, it should return: xhtml:pre<xsl:value-of select="@service"/> is running...</xhtml:pre> </xsl:template>

<xsl:template match="package-check-macro">

Run the following command to determine if the xhtml:code<xsl:value-of select="@package"/></xhtml:code> package is installed:

xhtml:pre# rpm -q <xsl:value-of select="@package"/></xhtml:pre>

</xsl:template>




<xsl:template match="br">

diff --git a/RHEL6/transforms/xccdf2table-profileccirefs.xslt b/RHEL6/transforms/xccdf2table-profileccirefs.xslt index f5d22c1..1d9758f 100644 --- a/RHEL6/transforms/xccdf2table-profileccirefs.xslt +++ b/RHEL6/transforms/xccdf2table-profileccirefs.xslt @@ -147,7 +147,7 @@

<xsl:template match="cdf:check">
   <xsl:if test="@system=$ociluri">
   <xsl:if test="@system=$ociltransitional">
<xsl:apply-templates select="cdf:check-content" />
</xsl:if> <xsl:if test="@system=$ovaluri">

Jeffrey Blank

1:47 p.m.

New subject: [PATCH 1/2] changes to support "transitional" OCIL content (which is what we're calling our manual check text)

Can you be more specific?

Seeing: make: *** [eval-common] Error 2

does not indicate a new problem. Also note that "make content" must precede "make eval-common".

On 09/14/2012 03:38 PM, Michael J. McConachie wrote:

...

Jeff -- Please retract my last ACK.

I skimmed this for content the first time around, and never actually applied the patch itself (doooh!) Just did, and it had errors.

JSYN -- Patch 2 applied cleanly.

When running a make clean; make eval-common on your recent branch, it errors out.

Will look into it some more.

MM

On 09/13/2012 03:54 PM, Jeffrey Blank wrote:

...
Signed-off-by: Jeffrey Blank blank@eclipse.ncsc.mil

RHEL6/Makefile | 2 +- RHEL6/transforms/constants.xslt | 1 + RHEL6/transforms/shorthand2xccdf.xslt | 33 ++++++++++++++++++---- RHEL6/transforms/xccdf2table-profileccirefs.xslt | 2 +- 4 files changed, 30 insertions(+), 8 deletions(-)

diff --git a/RHEL6/Makefile b/RHEL6/Makefile index 8049db1..27464bd 100644 --- a/RHEL6/Makefile +++ b/RHEL6/Makefile @@ -95,7 +95,7 @@ eval-ftp: oscap xccdf eval --profile ftp $(OUT)/rhel6-xccdf-$(ID).xml

eval-common:

oscap xccdf eval --profile common --results /tmp/results-test.xml $(OUT)/rhel6-xccdf-$(ID).xml

oscap xccdf eval --profile common --oval-results --results /tmp/results-test.xml $(OUT)/rhel6-xccdf-$(ID).xml

# items in dist are expected for distribution in an rpm dist: tables guide content diff --git a/RHEL6/transforms/constants.xslt b/RHEL6/transforms/constants.xslt index 29ce690..3159cc9 100644 --- a/RHEL6/transforms/constants.xslt +++ b/RHEL6/transforms/constants.xslt @@ -14,4 +14,5 @@

<xsl:variable name="ovaluri">http://oval.mitre.org/XMLSchema/oval-definitions-5</xsl:variable> <xsl:variable name="ociluri">http://www.mitre.org/ocil/2</xsl:variable> +<xsl:variable name="ociltransitional">ocil-transitional</xsl:variable> </xsl:stylesheet> diff --git a/RHEL6/transforms/shorthand2xccdf.xslt b/RHEL6/transforms/shorthand2xccdf.xslt index 200fb37..d899f48 100644 --- a/RHEL6/transforms/shorthand2xccdf.xslt +++ b/RHEL6/transforms/shorthand2xccdf.xslt @@ -166,12 +166,18 @@ exclude-result-prefixes="xccdf xhtml"> </xsl:template>




<xsl:template match="Rule/ocil"> <check>
   <xsl:attribute name="system">
       <xsl:value-of select="$ociluri" />
   </xsl:attribute>
   <xsl:attribute name="system">ocil-transitional</xsl:attribute>
   <xsl:if test="@clause">
     <check-export>
     <xsl:attribute name="export-name">clause</xsl:attribute>
     <xsl:attribute name="value-id">
       <xsl:value-of select="@clause" />
     </xsl:attribute>
     </check-export>
   </xsl:if>
   <check-content>
   <xsl:apply-templates select="node()"/>
   </check-content>
@@ -205,10 +211,20 @@ exclude-result-prefixes="xccdf xhtml"> xhtml:pre# chkconfig <xsl:value-of select="@service"/> on</xhtml:pre> </xsl:template>

<xsl:template match="package-install-macro">

The xhtml:code<xsl:value-of select="@package"/></xhtml:code> package can be installed with the following command:

xhtml:pre# yum install <xsl:value-of select="@package"/></xhtml:pre>

</xsl:template>

<xsl:template match="package-remove-macro">

The xhtml:code<xsl:value-of select="@package"/></xhtml:code> package can be removed with the following command:

xhtml:pre# yum erase <xsl:value-of select="@package"/></xhtml:pre>

</xsl:template>

<xsl:template match="partition-check-macro"> Run the following command to verify that xhtml:code<xsl:value-of select="@part"/></xhtml:code> lives on its own partition:

xhtml:pre# df -h <xsl:value-of select="@part"/> | grep "<xsl:value-of select="@part"/>"</xhtml:pre>

It will return a line for "<xsl:value-of select="@part"/>" if it is on its own partition.

xhtml:pre# df -h <xsl:value-of select="@part"/> </xhtml:pre>

It will return a line for xhtml:code<xsl:value-of select="@part"/></xhtml:code> if it is on its own partition. </xsl:template>

<xsl:template match="service-disable-check-macro">

@@ -225,6 +241,11 @@ exclude-result-prefixes="xccdf xhtml"> If the service is enabled, it should return: xhtml:pre<xsl:value-of select="@service"/> is running...</xhtml:pre> </xsl:template>

<xsl:template match="package-check-macro">

Run the following command to determine if the xhtml:code<xsl:value-of select="@package"/></xhtml:code> package is installed:

xhtml:pre# rpm -q <xsl:value-of select="@package"/></xhtml:pre>

</xsl:template>




<xsl:template match="br">

diff --git a/RHEL6/transforms/xccdf2table-profileccirefs.xslt b/RHEL6/transforms/xccdf2table-profileccirefs.xslt index f5d22c1..1d9758f 100644 --- a/RHEL6/transforms/xccdf2table-profileccirefs.xslt +++ b/RHEL6/transforms/xccdf2table-profileccirefs.xslt @@ -147,7 +147,7 @@

<xsl:template match="cdf:check">
   <xsl:if test="@system=$ociluri">
   <xsl:if test="@system=$ociltransitional">
<xsl:apply-templates select="cdf:check-content" />
</xsl:if> <xsl:if test="@system=$ovaluri">
scap-security-guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide

-- ___________________________ Jeffrey Blank 410-854-8675 Technology and Systems Analysis / Network Components NSA Information Assurance

Michael J. McConachie

1:55 p.m.

New subject: [PATCH 1/2] changes to support "transitional" OCIL content (which is what we're calling our manual check text)

Disregard; I'll PM you.

Thanks,

On 09/14/2012 01:47 PM, Jeffrey Blank wrote:

...

Can you be more specific?

Seeing: make: *** [eval-common] Error 2

does not indicate a new problem. Also note that "make content" must precede "make eval-common".

On 09/14/2012 03:38 PM, Michael J. McConachie wrote:

...
Jeff -- Please retract my last ACK.

I skimmed this for content the first time around, and never actually applied the patch itself (doooh!) Just did, and it had errors.

JSYN -- Patch 2 applied cleanly.

When running a make clean; make eval-common on your recent branch, it errors out.

Will look into it some more.

MM

On 09/13/2012 03:54 PM, Jeffrey Blank wrote:

...
Signed-off-by: Jeffrey Blank blank@eclipse.ncsc.mil

RHEL6/Makefile | 2 +- RHEL6/transforms/constants.xslt | 1 + RHEL6/transforms/shorthand2xccdf.xslt | 33 ++++++++++++++++++---- RHEL6/transforms/xccdf2table-profileccirefs.xslt | 2 +- 4 files changed, 30 insertions(+), 8 deletions(-)

diff --git a/RHEL6/Makefile b/RHEL6/Makefile index 8049db1..27464bd 100644 --- a/RHEL6/Makefile +++ b/RHEL6/Makefile @@ -95,7 +95,7 @@ eval-ftp: oscap xccdf eval --profile ftp $(OUT)/rhel6-xccdf-$(ID).xml

eval-common:

oscap xccdf eval --profile common --results /tmp/results-test.xml $(OUT)/rhel6-xccdf-$(ID).xml

oscap xccdf eval --profile common --oval-results --results /tmp/results-test.xml $(OUT)/rhel6-xccdf-$(ID).xml

# items in dist are expected for distribution in an rpm dist: tables guide content diff --git a/RHEL6/transforms/constants.xslt b/RHEL6/transforms/constants.xslt index 29ce690..3159cc9 100644 --- a/RHEL6/transforms/constants.xslt +++ b/RHEL6/transforms/constants.xslt @@ -14,4 +14,5 @@

<xsl:variable name="ovaluri">http://oval.mitre.org/XMLSchema/oval-definitions-5</xsl:variable> <xsl:variable name="ociluri">http://www.mitre.org/ocil/2</xsl:variable> +<xsl:variable name="ociltransitional">ocil-transitional</xsl:variable> </xsl:stylesheet> diff --git a/RHEL6/transforms/shorthand2xccdf.xslt b/RHEL6/transforms/shorthand2xccdf.xslt index 200fb37..d899f48 100644 --- a/RHEL6/transforms/shorthand2xccdf.xslt +++ b/RHEL6/transforms/shorthand2xccdf.xslt @@ -166,12 +166,18 @@ exclude-result-prefixes="xccdf xhtml"> </xsl:template>




<xsl:template match="Rule/ocil"> <check>
   <xsl:attribute name="system">
       <xsl:value-of select="$ociluri" />
   </xsl:attribute>
   <xsl:attribute name="system">ocil-transitional</xsl:attribute>
   <xsl:if test="@clause">
     <check-export>
     <xsl:attribute name="export-name">clause</xsl:attribute>
     <xsl:attribute name="value-id">
       <xsl:value-of select="@clause" />
     </xsl:attribute>
     </check-export>
   </xsl:if>
   <check-content>
   <xsl:apply-templates select="node()"/>
   </check-content>
@@ -205,10 +211,20 @@ exclude-result-prefixes="xccdf xhtml"> xhtml:pre# chkconfig <xsl:value-of select="@service"/> on</xhtml:pre> </xsl:template>

<xsl:template match="package-install-macro">

The xhtml:code<xsl:value-of select="@package"/></xhtml:code> package can be installed with the following command:

xhtml:pre# yum install <xsl:value-of select="@package"/></xhtml:pre>

</xsl:template>

<xsl:template match="package-remove-macro">

The xhtml:code<xsl:value-of select="@package"/></xhtml:code> package can be removed with the following command:

xhtml:pre# yum erase <xsl:value-of select="@package"/></xhtml:pre>

</xsl:template>

<xsl:template match="partition-check-macro"> Run the following command to verify that xhtml:code<xsl:value-of select="@part"/></xhtml:code> lives on its own partition:

xhtml:pre# df -h <xsl:value-of select="@part"/> | grep "<xsl:value-of select="@part"/>"</xhtml:pre>

It will return a line for "<xsl:value-of select="@part"/>" if it is on its own partition.

xhtml:pre# df -h <xsl:value-of select="@part"/> </xhtml:pre>

It will return a line for xhtml:code<xsl:value-of select="@part"/></xhtml:code> if it is on its own partition. </xsl:template>

<xsl:template match="service-disable-check-macro">

@@ -225,6 +241,11 @@ exclude-result-prefixes="xccdf xhtml"> If the service is enabled, it should return: xhtml:pre<xsl:value-of select="@service"/> is running...</xhtml:pre> </xsl:template>

<xsl:template match="package-check-macro">

Run the following command to determine if the xhtml:code<xsl:value-of select="@package"/></xhtml:code> package is installed:

xhtml:pre# rpm -q <xsl:value-of select="@package"/></xhtml:pre>

</xsl:template>




<xsl:template match="br">

diff --git a/RHEL6/transforms/xccdf2table-profileccirefs.xslt b/RHEL6/transforms/xccdf2table-profileccirefs.xslt index f5d22c1..1d9758f 100644 --- a/RHEL6/transforms/xccdf2table-profileccirefs.xslt +++ b/RHEL6/transforms/xccdf2table-profileccirefs.xslt @@ -147,7 +147,7 @@

<xsl:template match="cdf:check">
   <xsl:if test="@system=$ociluri">
   <xsl:if test="@system=$ociltransitional">
<xsl:apply-templates select="cdf:check-content" />
</xsl:if> <xsl:if test="@system=$ovaluri">
scap-security-guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide

Jeffrey Blank

13 Sep 13 Sep

3:54 p.m.

New subject: [PATCH 2/2] added macro-ized package installation checks

Signed-off-by: Jeffrey Blank blank@eclipse.ncsc.mil --- RHEL6/input/services/dns.xml | 1 + RHEL6/input/services/obsolete.xml | 5 +++++ RHEL6/input/system/software/integrity.xml | 1 + 3 files changed, 7 insertions(+), 0 deletions(-)

diff --git a/RHEL6/input/services/dns.xml b/RHEL6/input/services/dns.xml index 717c3b7..4ee17bb 100644 --- a/RHEL6/input/services/dns.xml +++ b/RHEL6/input/services/dns.xml @@ -37,6 +37,7 @@ implementation flaws and should be disabled if possible. run the following command: <pre># yum erase bind</pre> </description> +<ocil><package-remove-macro package="package_bind_removed" /> </ocil> <rationale> If there is no need to make DNS server software available, removing it provides a safeguard against its activation. diff --git a/RHEL6/input/services/obsolete.xml b/RHEL6/input/services/obsolete.xml index 91d7884..874d27e 100644 --- a/RHEL6/input/services/obsolete.xml +++ b/RHEL6/input/services/obsolete.xml @@ -45,6 +45,7 @@ attacks against xinetd itself. <description>The <tt>xinetd</tt> package can be uninstalled with the following command: <pre># yum erase xinetd</pre> </description> +<ocil><package-remove-macro package="xinetd" /> </ocil> <rationale> Removing the <tt>xinetd</tt> package decreases the risk of the xinetd service's accidental (or intentional) activation. @@ -84,6 +85,7 @@ subject to man-in-the-middle attacks. <description>The <tt>telnet-server</tt> package can be uninstalled with the following command: <pre># yum erase telnet-server</pre></description> +<ocil><package-remove-macro package="telnet-server" /> </ocil> <rationale> Removing the <tt>telnet-server</tt> package decreases the risk of the telnet service's accidental (or intentional) activation. @@ -107,6 +109,7 @@ model.</description> the following command: <pre># yum erase rsh-server</pre> </description> +<ocil><package-remove-macro package="rsh-server" /> </ocil> <rationale>The <tt>rsh-server</tt> package provides several obsolete and insecure network services. Removing it decreases the risk of those services' accidental (or intentional) @@ -197,6 +200,7 @@ important authentication information.</description> the following command: <pre># yum erase ypserv</pre> </description> +<ocil><package-remove-macro package="ypserv" /> </ocil> <rationale>Removing the <tt>ypserv</tt> package decreases the risk of the accidental (or intentional) activation of NIS or NIS+ services. </rationale> @@ -252,6 +256,7 @@ as a tftp server, which does not provide encryption or authentication. command: <pre># yum erase tftp-server</pre> </description> +<ocil><package-remove-macro package="tftp-server" /> </ocil> <rationale> Removing the <tt>tftp-server</tt> package decreases the risk of the accidental (or intentional) activation of tftp services. diff --git a/RHEL6/input/system/software/integrity.xml b/RHEL6/input/system/software/integrity.xml index c31087d..6c24ce9 100644 --- a/RHEL6/input/system/software/integrity.xml +++ b/RHEL6/input/system/software/integrity.xml @@ -31,6 +31,7 @@ configurable, with further configuration information located in Install the AIDE package with the command: <pre># yum install aide</pre> </description> +<ocil><package-check-macro package="aide"/></ocil> <rationale> The AIDE package must be installed if it is to be available for integrity checking. </rationale>

-- 1.7.1

Michael J. McConachie

14 Sep 14 Sep

10:53 a.m.

New subject: [PATCH 2/2] added macro-ized package installation checks

Hi Jeff, ACK.

This is EXACTLY what I was talking to Shawn about a few weeks ago - great job!

Looks good.

Thanks,

On 09/13/2012 03:54 PM, Jeffrey Blank wrote:

...

Signed-off-by: Jeffrey Blank blank@eclipse.ncsc.mil

RHEL6/input/services/dns.xml | 1 + RHEL6/input/services/obsolete.xml | 5 +++++ RHEL6/input/system/software/integrity.xml | 1 + 3 files changed, 7 insertions(+), 0 deletions(-)

diff --git a/RHEL6/input/services/dns.xml b/RHEL6/input/services/dns.xml index 717c3b7..4ee17bb 100644 --- a/RHEL6/input/services/dns.xml +++ b/RHEL6/input/services/dns.xml @@ -37,6 +37,7 @@ implementation flaws and should be disabled if possible. run the following command:

<pre># yum erase bind</pre>

</description> +<ocil><package-remove-macro package="package_bind_removed" /> </ocil> <rationale> If there is no need to make DNS server software available, removing it provides a safeguard against its activation. diff --git a/RHEL6/input/services/obsolete.xml b/RHEL6/input/services/obsolete.xml index 91d7884..874d27e 100644 --- a/RHEL6/input/services/obsolete.xml +++ b/RHEL6/input/services/obsolete.xml @@ -45,6 +45,7 @@ attacks against xinetd itself. <description>The <tt>xinetd</tt> package can be uninstalled with the following command: <pre># yum erase xinetd</pre> </description> +<ocil><package-remove-macro package="xinetd" /> </ocil> <rationale> Removing the <tt>xinetd</tt> package decreases the risk of the xinetd service's accidental (or intentional) activation. @@ -84,6 +85,7 @@ subject to man-in-the-middle attacks. <description>The <tt>telnet-server</tt> package can be uninstalled with the following command: <pre># yum erase telnet-server</pre></description> +<ocil><package-remove-macro package="telnet-server" /> </ocil> <rationale> Removing the <tt>telnet-server</tt> package decreases the risk of the telnet service's accidental (or intentional) activation. @@ -107,6 +109,7 @@ model.</description> the following command: <pre># yum erase rsh-server</pre> </description> +<ocil><package-remove-macro package="rsh-server" /> </ocil> <rationale>The <tt>rsh-server</tt> package provides several obsolete and insecure network services. Removing it decreases the risk of those services' accidental (or intentional) @@ -197,6 +200,7 @@ important authentication information.</description> the following command: <pre># yum erase ypserv</pre> </description> +<ocil><package-remove-macro package="ypserv" /> </ocil> <rationale>Removing the <tt>ypserv</tt> package decreases the risk of the accidental (or intentional) activation of NIS or NIS+ services. </rationale> @@ -252,6 +256,7 @@ as a tftp server, which does not provide encryption or authentication. command: <pre># yum erase tftp-server</pre> </description> +<ocil><package-remove-macro package="tftp-server" /> </ocil> <rationale> Removing the <tt>tftp-server</tt> package decreases the risk of the accidental (or intentional) activation of tftp services. diff --git a/RHEL6/input/system/software/integrity.xml b/RHEL6/input/system/software/integrity.xml index c31087d..6c24ce9 100644 --- a/RHEL6/input/system/software/integrity.xml +++ b/RHEL6/input/system/software/integrity.xml @@ -31,6 +31,7 @@ configurable, with further configuration information located in Install the AIDE package with the command: <pre># yum install aide</pre> </description> +<ocil><package-check-macro package="aide"/></ocil> <rationale> The AIDE package must be installed if it is to be available for integrity checking. </rationale>

Michael J. McConachie

10:52 a.m.

Hi Jeff, ACK. Looks good.

Thanks,

On 09/13/2012 03:54 PM, Jeffrey Blank wrote:

...

This will also enable generation of OCIL.

Jeffrey Blank (2): changes to support "transitional" OCIL content (which is what we're calling our manual check text) added macro-ized package installation checks

RHEL6/Makefile | 2 +- RHEL6/input/services/dns.xml | 1 + RHEL6/input/services/obsolete.xml | 5 +++ RHEL6/input/system/software/integrity.xml | 1 + RHEL6/transforms/constants.xslt | 1 + RHEL6/transforms/shorthand2xccdf.xslt | 33 ++++++++++++++++++---- RHEL6/transforms/xccdf2table-profileccirefs.xslt | 2 +- 7 files changed, 37 insertions(+), 8 deletions(-)

scap-security-guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide

4305

Age (days ago)

4306

Last active (days ago)

scap-security-guide@lists.fedorahosted.org

7 comments

2 participants

tags (0)

participants (2)

Jeffrey Blank
Michael J. McConachie