On Thu, 31 Jan 2013 13:56:41 -0500
Mike Palmiotto <mpalmiotto(a)tresys.com> wrote:
On 1/31/2013 11:20 AM, Brian Millett wrote:
> On Thu, Jan 31, 2013 at 9:49 AM, Mike Palmiotto
> <mpalmiotto(a)tresys.com>wrote:
>
>> On 1/31/2013 9:38 AM, Brian Millett wrote:
>>
>>> I'm really interested in adding fixes, or having a set of fixes I can
>>> apply to
>>> the xccdf for rhel6. I've looked at the line in the Makefile:
>>>
>>> xsltproc -stringparam fixes "../$(IN)/fixes/bash-ks.xml" -o
>>> $(OUT)/unlinked-rhel6-xccdf.xml $(TRANS)/xccdf-addfixes.xslt
>>> $(OUT)/unlinked-rhel6-xccdf.xml
>>>
>>> and it looks like, following the bas-ks.xml, I can create a file with
>>> each fix
>>> as long as each fix-id is the same as the rule-id so that the fix can be
>>> merged with the appropriate rule into a final xccdf.xml file.
>>>
>>
>> When you say fix-id, do you mean the rule attribute for each fix tag?
>>
>
> Ok, silly me, I went back and looked at the bash-ks.xml and I had totally
> misread the fix.
>
> In the bash-ks.xml a fix is as
>
> <fix rule="disable_vsftp">service vsftpd stop</fix>
>
> while in a xccdf Rule tag, the fix is as
>
> <fix id="service_restorecond_enabled" reboot="false" platform=""
> system="">chkconfig restorecond on</fix>
>
>
> So, I didn't grok the "id=" vs the "rule=".
>
> That makes sense.
>
> So the bash-ks.xml is
>
> <fix-group id="bash" system="urn:xccdf:fix:script:bash"
xmlns="
<snip>
> fi</fix>
> </fix-group>
You've got it.
<snip if really good info >
Good stuff. Thanks
I've been trying to get the sample bash-ks.xml to work, but when I run
make, no fixes referenced in the bash-ks.xml get added to the
finalized xccdf.xml file.
I removed the comment in the Makefile so the xccdf-addfixes.xslt is fired, but
there is no output.
Kind of wanted to take baby steps with just the supplied one before I dive into
other projects/efforts to add fixes.
Thanks.
--
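The matching the thread works out (a fix-group's `fix/@rule` must equal the XCCDF `Rule/@id` for the fix to be merged into that rule) is shown below as an added example in Python; it is not the project's `xccdf-addfixes.xslt` and the two XML documents are constructed for illustration. It assumes the fix-group carries the XCCDF 1.1 default namespace (the `xmlns` value is cut off in the quoted bash-ks.xml) and emits `<fix id="..." system="..." reboot="false">` inside the matched rule. It also returns the list of fix rule-ids that matched no rule, which is the first thing to check when a merge produces an xccdf.xml with no fixes in it.

```python
"""Merge <fix rule="..."> entries from a fix-group document into the matching
XCCDF <Rule id="..."> elements.

Added example, not the project's XSLT.  Assumptions: the fix-group uses the
XCCDF 1.1 default namespace; the sample XML below is constructed.
"""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"  # XCCDF 1.1 namespace (assumed for the fix-group)
ET.register_namespace("", XCCDF_NS)


def ns(tag):
    """Qualified tag name in the XCCDF namespace."""
    return "{%s}%s" % (XCCDF_NS, tag)


# Constructed fix-group in the bash-ks.xml shape quoted in the thread.
# The third fix deliberately names a rule that does not exist.
FIXES_XML = """<fix-group id="bash" system="urn:xccdf:fix:script:bash"
           xmlns="http://checklists.nist.gov/xccdf/1.1">
  <fix rule="disable_vsftp">service vsftpd stop</fix>
  <fix rule="service_restorecond_enabled">chkconfig restorecond on</fix>
  <fix rule="rule_with_typo_in_id">echo never merged</fix>
</fix-group>"""

# Constructed unlinked XCCDF fragment with two rules and no fixes yet.
XCCDF_XML = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="RHEL-6">
  <Group id="services">
    <Rule id="disable_vsftp" severity="low">
      <title>Disable vsftpd</title>
    </Rule>
    <Rule id="service_restorecond_enabled" severity="low">
      <title>Enable restorecond</title>
    </Rule>
  </Group>
</Benchmark>"""


def merge_fixes(xccdf_xml, fixes_xml):
    """Return (merged Benchmark root, list of fix rule-ids with no matching Rule).

    A fix is copied into a Rule only when fix/@rule == Rule/@id; the fix-group's
    @system becomes the merged fix's @system.
    """
    bench = ET.fromstring(xccdf_xml)
    fixes = ET.fromstring(fixes_xml)
    system = fixes.get("system", "")

    rules_by_id = {r.get("id"): r for r in bench.iter(ns("Rule"))}
    unmatched = []
    for fix in fixes.iter(ns("fix")):
        rule_id = fix.get("rule")
        rule = rules_by_id.get(rule_id)
        if rule is None:
            unmatched.append(rule_id)  # nothing to merge into; report it
            continue
        # Build the Rule-side <fix id=... system=... reboot=...> element.
        new_fix = ET.SubElement(
            rule, ns("fix"), {"id": rule_id, "system": system, "reboot": "false"}
        )
        new_fix.text = (fix.text or "").strip()
    return bench, unmatched


def fix_text_for(bench, rule_id):
    """Return the merged fix script text for one rule, or None if absent."""
    for rule in bench.iter(ns("Rule")):
        if rule.get("id") == rule_id:
            fix = rule.find(ns("fix"))
            return fix.text if fix is not None else None
    return None


if __name__ == "__main__":
    root, missing = merge_fixes(XCCDF_XML, FIXES_XML)
    print(ET.tostring(root, encoding="unicode"))
    print("fixes with no matching rule:", missing)
```

Running it prints the merged benchmark with two `<fix>` children and reports `rule_with_typo_in_id` as unmatched; an empty result with every fix listed as unmatched points at an id mismatch between the fix-group and the rules rather than at the XSLT step not firing.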