ACK
----- Original Message ----- From: "Jeffrey Blank" blank@eclipse.ncsc.mil To: scap-security-guide@lists.fedorahosted.org Sent: Thursday, July 12, 2012 11:15:11 AM Subject: [PATCH] support for adding notes to RHEL 5 STIG content, for transparent migration to consensus
Signed-off-by: Jeffrey Blank blank@eclipse.ncsc.mil --- RHEL6/Makefile | 1 + RHEL6/input/auxiliary/transition_notes.xml | 31 ++++ RHEL6/transforms/xccdf2table-stig-addnotes.xslt | 172 +++++++++++++++++++++++ 3 files changed, 204 insertions(+), 0 deletions(-) create mode 100644 RHEL6/input/auxiliary/transition_notes.xml create mode 100644 RHEL6/transforms/xccdf2table-stig-addnotes.xslt
diff --git a/RHEL6/Makefile b/RHEL6/Makefile index 9aa58c8..21676e0 100644 --- a/RHEL6/Makefile +++ b/RHEL6/Makefile @@ -57,6 +57,7 @@ table-stigs: xsltproc -o $(OUT)/rhel5-table-stig.html $(TRANS)/xccdf2table-stig.xslt $(REFS)/disa-stig-rhel5-v1r0.6-xccdf.xml xsltproc -o $(OUT)/rhel5-table-stig-manual.html $(TRANS)/xccdf2table-stig.xslt $(REFS)/disa-stig-rhel5-v1r0.6-xccdf-manual.xml xsltproc --html -o $(OUT)/rhel5-table-stig-manual-ccisorted.html $(TRANS)/table-sortbyref.xslt $(OUT)/rhel5-table-stig-manual.html + xsltproc -o $(OUT)/rhel5-table-stig-manual-withnotes.html $(TRANS)/xccdf2table-stig-addnotes.xslt $(REFS)/disa-stig-rhel5-v1r0.6-xccdf-manual.xml xsltproc -o $(OUT)/rhel6-xccdf-stigformat.xml $(TRANS)/xccdf2stigformat.xslt $(OUT)/rhel6-xccdf.xml xsltproc -stringparam profile "stig-server" -o $(OUT)/rhel6-table-stig-server.html $(TRANS)/xccdf2table-profileccirefs.xslt $(OUT)/rhel6-xccdf-stigformat.xml
diff --git a/RHEL6/input/auxiliary/transition_notes.xml b/RHEL6/input/auxiliary/transition_notes.xml
new file mode 100644
index 0000000..3fa0aa0
--- /dev/null
+++ b/RHEL6/input/auxiliary/transition_notes.xml
@@ -0,0 +1,31 @@
+<notegroup>
+<!-- This file enables documentation of how the RHEL 5 STIG requirements
+ will be migrated to consensus for RHEL 6. -->
+
+<note ref="" auth="WS">
+This is superceded by the system-wide check for improper permissions provided
+by the package manager. Automating this check became possible with OVAL 5.8.
+</note>
+
+<note ref="" auth="JB">
+The security argument is not apparent or salient.
+</note>
+
+<note ref="" auth="">
+This is covered in the RHEL6 content.
+</note>
+
+<note ref="" auth="">
+This is covered in the RHEL6 content in a slightly different manner.
+</note>
+
+<note ref="" auth="">
+The intent of the check procedure is not clear.
+</note>
+
+<note ref="789,790,791" auth="JB">
+NIS/NIS+/yp should be disabled, as stated in a Rule in the RHEL 6 content.
+NIS/NIS+/yp are obsolete and should not be running on any modern system.
+</note>
+
+</notegroup>
diff --git a/RHEL6/transforms/xccdf2table-stig-addnotes.xslt b/RHEL6/transforms/xccdf2table-stig-addnotes.xslt
new file mode 100644
index 0000000..bd6cb0f
--- /dev/null
+++ b/RHEL6/transforms/xccdf2table-stig-addnotes.xslt
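Review bot: Five of the six notes carry `ref=""`, and the stylesheet that consumes this file attaches a note only when `V-` plus one comma-separated ref equals a Group id, so those five can never be placed next to any rule and silently vanish from the generated table. If they are meant as reusable wording to be copied into real entries, the header comment should say so and document the ref format, e.g. `<!-- ref: comma-separated STIG V-numbers without the "V-" prefix, e.g. "789,790"; a note with ref="" is attached to no rule -->`. The first note also asserts that a STIG requirement is superseded (spelled `superceded` here) by the package-manager permission check, which is a substantive claim with no rule it applies to yet, so it should either get its refs filled in or be marked as a draft.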
@@ -0,0 +1,172 @@ +<?xml version="1.0" encoding="utf-8" standalone="yes"?> +<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:cdf="http://checklists.nist.gov/xccdf/1.1" xmlns:xhtml="http://www.w3.org/1999/xhtml%22%3E + +<!-- the file for notes is hard-coded below --> + +<xsl:variable name="notefile">../input/auxiliary/transition_notes.xml</xsl:variable> +<xsl:variable name="notegroup" select="document($notefile)/notegroup" /> + +<xsl:include href="constants.xslt"/> + + <xsl:template match="/"> + <html> + <head> + <title>Rules In <xsl:value-of select="/cdf:Benchmark/cdf:title" /> with Notes for Transition to RHEL 6 Consensus</title> + </head> + <body> + <br/> + <br/> + <div style="text-align: center; font-size: x-large; font-weight:bold"> + Rules In <i><xsl:value-of select="/cdf:Benchmark/cdf:title" /></i> with Notes for Transition to RHEL 6 Consensus + </div> + <br/> + <br/> + <xsl:apply-templates select="cdf:Benchmark"/> + </body> + </html> + </xsl:template> + + + <xsl:template match="cdf:Benchmark"> + <style type="text/css"> + table + { + border-collapse:collapse; + } + table,th, td + { + border: 1px solid black; + vertical-align: top; + padding: 3px; + } + thead + { + display: table-header-group; + font-weight: bold; + } + </style> + <table> + <thead> + <td>V-ID</td> + <td>GEN-ID</td> + <td>Title</td> + <td>Description</td> + <td>Fixtext</td> + <td>Notes</td> + </thead> + + <xsl:apply-templates select=".//cdf:Group" /> + </table> + </xsl:template> + + + <xsl:template name="rule-output"> + <xsl:param name="vulnid"/> + <tr> + <td><xsl:value-of select="@id"/></td> + <!--<td> <xsl:value-of select="cdf:ident" /></td>--> + <td> <xsl:value-of select="cdf:title" /></td> + <td> <xsl:value-of select="cdf:Rule/cdf:title" /></td> + <td> <xsl:call-template name="extract-vulndiscussion"><xsl:with-param name="desc" select="cdf:Rule/cdf:description"/></xsl:call-template> </td> + <td> 
<xsl:apply-templates select="cdf:Rule/cdf:fixtext"/> </td> + <td> <xsl:call-template name="print-notes"><xsl:with-param name="vulnid" select="@id"/></xsl:call-template> </td> + </tr> + </xsl:template> + + + <xsl:template match="cdf:Group"> + <xsl:call-template name="rule-output" select="cdf:Rule"> + <xsl:with-param name="vulnid" select="@id" /> + </xsl:call-template> + </xsl:template> + + + <xsl:template name="print-notes"> + <xsl:param name="vulnid"/> + <xsl:for-each select="$notegroup/note"> + <table> + <xsl:call-template name="search_vulnidlist" select="note"> + <xsl:with-param name="vulnid_sought" select="$vulnid" /> + <xsl:with-param name="vulnid_list" select="@ref" /> + </xsl:call-template> + </table> + </xsl:for-each> + + </xsl:template> + + + <xsl:template name="search_vulnidlist"> + <xsl:param name="vulnid_sought"/> + <xsl:param name="vulnid_list"/> + <xsl:variable name="delim" select="','" /> + xsl:choose + <xsl:when test="$delim and contains($vulnid_list, $delim)"> + <xsl:call-template name="note-output" > + <xsl:with-param name="vulnid_sought" select="$vulnid_sought" /> + <xsl:with-param name="vulnid_found" select="substring-before($vulnid_list, $delim)" /> + </xsl:call-template> + + <!-- recurse for additional vuln ids in list --> + <xsl:call-template name="search_vulnidlist"> + <xsl:with-param name="vulnid_sought" select="$vulnid_sought" /> + <xsl:with-param name="vulnid_list" select="substring-after($vulnid_list, $delim)" /> + </xsl:call-template> + </xsl:when> + + xsl:otherwise + <xsl:call-template name="note-output" > + <xsl:with-param name="vulnid_sought" select="$vulnid_sought" /> + <xsl:with-param name="vulnid_found" select="$vulnid_list" /> + </xsl:call-template> + </xsl:otherwise> + + </xsl:choose> + </xsl:template> + + + <!-- output note text if vuln ID matches --> + <xsl:template name="note-output"> + <xsl:param name="vulnid_sought"/> + <xsl:param name="vulnid_found"/> + + <xsl:variable name="vulnid_expanded" select="concat('V-', 
$vulnid_found)" /> + <xsl:if test="$vulnid_sought=$vulnid_expanded"> + <tr><td><xsl:value-of select="@auth"/>: <xsl:value-of select="." /></td></tr> + </xsl:if> + + </xsl:template> + + + <!-- return only the text between the "VulnDiscussion" (non-XCCDF) tags --> + <!-- this should be removed as soon as SRGs include only a description instead of odd tags --> + <xsl:template name="extract-vulndiscussion"> + <xsl:param name="desc"/> + <xsl:variable name="desc_info" select="substring-before($desc, '</VulnDiscussion>')"/> + <xsl:value-of select="substring-after($desc_info, '<VulnDiscussion>')"/> + </xsl:template> + + + + + <!-- getting rid of XHTML namespace --> + <xsl:template match="xhtml:*"> + <xsl:element name="{local-name()}"> + <xsl:apply-templates select="node()|@*"/> + </xsl:element> + </xsl:template> + + <xsl:template match="@*|node()"> + xsl:copy + <xsl:apply-templates select="@*|node()"/> + </xsl:copy> + </xsl:template> + + <xsl:template match="cdf:description"> + <xsl:apply-templates select="@*|node()" /> + </xsl:template> + + <xsl:template match="cdf:rationale"> + <xsl:apply-templates select="@*|node()" /> + </xsl:template> + +</xsl:stylesheet>
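Review bot: `print-notes` opens a new `<table>` for every note in the group on every rule row, and `note-output` only emits a `<tr>` when the expanded id matches, so each Notes cell ends up holding one empty table per non-matching note. Lift the element out of the loop, `<table>` before `<xsl:for-each select="$notegroup/note">` and `</table>` after it, so a cell carries a single table with only the matching rows. Two smaller points in the same hunk: `xsl:call-template` takes no `select` attribute (the context node stays the `cdf:Group`, which is why `rule-output` reads `cdf:Rule/cdf:title`), so the `select="cdf:Rule"` and `select="note"` attributes should be dropped before a stricter processor rejects them; and `note-output` builds `concat('V-', $vulnid_found)` from a raw comma split, so a ref written as `789, 790` never matches — `concat('V-', normalize-space($vulnid_found))` fixes that. The notes path is also hard-coded in an `xsl:variable`; declaring it as `<xsl:param name="notefile">../input/auxiliary/transition_notes.xml</xsl:param>` keeps the default but lets the Makefile pass `--stringparam notefile …` instead of relying on the stylesheet's own location to resolve `document()`.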