Through some abuse of the <check-export> facility in XCCDF, we can now attach a clause to a body of manual checking instructions that can be used as part of a boilerplate remark.
Also contained here are fixes to make the content validate.
Jeffrey Blank (5):
      removal of duplicate OCIL checking text
      temporary commenting of x windows listening Rule, until new version is complete
      adding transforms and Values support to enable automatic generation of boilerplate text
        * if a "shorthand" OCIL / manual check text is decorated with a clause attribute, then it can now be used to generate a boilerplate remark which incorporates that clause
        * for example, if your check needs to conclude with, "If [clause], then this is a finding..." we can now generate the boilerplate portions if the clause is provided. The clause can also be used to construct a question in the true OCIL style for the valid OCIL output.
      added example clause for manual check text, to enable boilerplate remark generation
      removed duplicate OCIL check
 RHEL6/input/guide.xslt                             |  6 ++++
 RHEL6/input/profiles/common.xml                    |  2 +-
 RHEL6/input/services/base.xml                      |  1 -
 RHEL6/input/services/dhcp.xml                      |  2 +-
 .../accounts/restrictions/password_storage.xml     |  8 ------
 RHEL6/input/system/network/ipsec.xml               |  1 -
 RHEL6/input/system/network/wireless.xml            |  1 -
 RHEL6/input/system/software/disk_partitioning.xml  |  4 ++-
 RHEL6/transforms/shorthand2xccdf.xslt              | 26 +++++++++----------
 RHEL6/transforms/xccdf2table-profileccirefs.xslt   |  4 +++
 10 files changed, 27 insertions(+), 28 deletions(-)
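As an added illustration (not part of this series or the project's XSLT), the following Python stand-in walks the clause mechanism end to end: a shorthand `<ocil clause="...">` element in, an XCCDF-style `<check>` with the `<check-export>` out, and the two boilerplate forms the cover letter describes. The sample rule text and the question wording are constructed, and XML namespaces are omitted.

```python
import xml.etree.ElementTree as ET

# Constructed sample input, modelled on the disk_partitioning.xml hunk in this series;
# the check text stands in for whatever partition-check-macro expands to.
SHORTHAND_RULE = """
<Rule id="partition_for_tmp">
  <ocil clause="no line is returned">
    Run the following command to verify that /tmp lives on its own partition:
    $ mount | grep " /tmp "
  </ocil>
</Rule>
"""

PLACEHOLDER_VALUE_ID = "conditional_clause"  # the Value that guide.xslt adds to the Benchmark


def shorthand_to_xccdf_check(ocil):
    """Mirror the shorthand2xccdf.xslt template: an ocil-transitional <check> whose
    <check-export> carries the clause in export-name and points at the placeholder Value."""
    check = ET.Element("check", system="ocil-transitional")
    clause = ocil.get("clause")
    # The XSLT tests @clause, which is also true for clause=""; require a non-empty
    # value here so an empty clause does not render as "If , this is a finding."
    if clause and clause.strip():
        ET.SubElement(check, "check-export",
                      {"export-name": clause, "value-id": PLACEHOLDER_VALUE_ID})
    ET.SubElement(check, "check-content").text = " ".join((ocil.text or "").split())
    return check


def finding_remark(check):
    """The boilerplate xccdf2table-profileccirefs.xslt appends after the check content."""
    export = check.find("check-export")
    return "" if export is None else f"If {export.get('export-name')}, this is a finding."


def ocil_question(check):
    """An OCIL-style yes/no question built from the same clause (wording is an assumption)."""
    export = check.find("check-export")
    return None if export is None else f"Is it the case that {export.get('export-name')}?"


def render(shorthand_xml):
    """Run one shorthand Rule through the pipeline and collect every generated form."""
    check = shorthand_to_xccdf_check(ET.fromstring(shorthand_xml).find("ocil"))
    return {"xccdf": ET.tostring(check, encoding="unicode"),
            "remark": finding_remark(check),
            "question": ocil_question(check)}


if __name__ == "__main__":
    for key, value in render(SHORTHAND_RULE).items():
        print(f"{key}: {value}")
```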
Signed-off-by: Jeffrey Blank <blank@eclipse.ncsc.mil>
---
 RHEL6/input/services/base.xml           | 1 -
 RHEL6/input/services/dhcp.xml           | 2 +-
 RHEL6/input/system/network/ipsec.xml    | 1 -
 RHEL6/input/system/network/wireless.xml | 1 -
 4 files changed, 1 insertions(+), 4 deletions(-)
diff --git a/RHEL6/input/services/base.xml b/RHEL6/input/services/base.xml index 1e29627..eba13df 100644 --- a/RHEL6/input/services/base.xml +++ b/RHEL6/input/services/base.xml @@ -400,7 +400,6 @@ RHN server or satellite and managed as such. <rationale>Although systems management and patching is extremely important to system security, management by a system outside the enterprise enclave is not desirable for some environments.</rationale> -<ocil><service-disable-ocil-macro service="rhnsd" /></ocil> <ident cce="3416-5" /> <oval id="service_rhnsd_disabled" /> <ref nist="CM-6, CM-7" disa="382" /> diff --git a/RHEL6/input/services/dhcp.xml b/RHEL6/input/services/dhcp.xml index 51dbba5..2c33e4f 100644 --- a/RHEL6/input/services/dhcp.xml +++ b/RHEL6/input/services/dhcp.xml @@ -56,7 +56,7 @@ DHCP server if there is one. the dhcp package can be uninstalled. <package-remove-macro package="dhcp" /> </description> -<ocil><package-remove-check-macro package="dhcp" /></ocil> +<ocil><package-check-macro package="dhcp" /></ocil> <rationale> Removing the DHCP server ensures that it cannot be easily or accidentally reactivated and disrupt network operation. diff --git a/RHEL6/input/system/network/ipsec.xml b/RHEL6/input/system/network/ipsec.xml index 98e3c5d..6087fa9 100644 --- a/RHEL6/input/system/network/ipsec.xml +++ b/RHEL6/input/system/network/ipsec.xml @@ -17,7 +17,6 @@ untrusted networks. <package-install-macro package="openswan"/> to initiate a secure VPN connection protects information when it is transmitted over a wide area network. </rationale> -<ocil><package-check-macro package="openswan"/></ocil> <!--<ident cce="TODO" />--> <oval id="package_openswan_installed" /> <ref nist="AC-17, MA-4, SC-9" disa="1130,1131,1135" /> diff --git a/RHEL6/input/system/network/wireless.xml b/RHEL6/input/system/network/wireless.xml index 8355b95..7686390 100644 --- a/RHEL6/input/system/network/wireless.xml +++ b/RHEL6/input/system/network/wireless.xml 
@@ -97,7 +97,6 @@ the need to install such a driver first. connections to to Bluetooth devices, which entails some security risk. Nevertheless, variation in this risk decision may be expected due to the utility of Bluetooth connectivity and its limited range.</rationale> -<ocil><service-disable-check-macro service="bluetooth" /></ocil> <ident cce="4355-4" /> <oval id="service_bluetooth_disabled" /> <ref nist="AC-18, CM-6, CM-7" disa="85" />
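Review bot: in the dhcp.xml hunk the `<ocil>` is kept but switched from `package-remove-check-macro` to `package-check-macro`, the same macro ipsec.xml had paired with `package_openswan_installed`, that is, a check that a package is present. The rule this belongs to is selected as `uninstall_dhcp_server` in common.xml, so its manual check text must describe verifying that `dhcp` is absent; confirm the `package-check-macro` template wording covers the removal case, otherwise the OCIL text will contradict the rule. The other three hunks drop the `<ocil>` element outright and leave only the `<oval>` reference; for base.xml that looks safe, because the removed `service-disable-ocil-macro` has no matching template among the shorthand2xccdf.xslt hunks in this series (only `service-disable-check-macro` does), so it was never expanded, but it is worth saying in the commit message where the manual text for rhnsd, openswan and bluetooth now comes from.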
Signed-off-by: Jeffrey Blank <blank@eclipse.ncsc.mil>
---
 RHEL6/input/profiles/common.xml | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/RHEL6/input/profiles/common.xml b/RHEL6/input/profiles/common.xml index 72324e3..93642aa 100644 --- a/RHEL6/input/profiles/common.xml +++ b/RHEL6/input/profiles/common.xml @@ -165,7 +165,7 @@ <select idref="sshd_enable_warning_banner" selected="true"/> <select idref="sshd_do_not_permit_user_env" selected="true"/> <select idref="sshd_use_approved_ciphers" selected="true"/> -<select idref="xwindows_remote_listening" selected="true"/> +<!-- <select idref="xwindows_remote_listening" selected="true"/> Rule to be rewritten to refer to /etc/gdm/custom.conf --> <select idref="disable_avahi" selected="true"/> <select idref="disable_dhcp_server" selected="true"/> <select idref="uninstall_dhcp_server" selected="true"/>
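Review bot: commenting out the profile `<select>` for `xwindows_remote_listening` only removes the profile's override; in XCCDF a Rule's `selected` attribute defaults to true, so unless the Rule element itself is defined with selected="false" (not visible in this hunk) it stays selected in the Benchmark and still evaluates. If the intent is to suspend it until the rewrite against /etc/gdm/custom.conf lands, add an explicit `<select idref="xwindows_remote_listening" selected="false"/>` here or set the Rule itself to selected="false", and carry the "Rule to be rewritten" note in the commit message rather than inside the commented-out markup, where it disappears the moment the line is restored.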
Signed-off-by: Jeffrey Blank <blank@eclipse.ncsc.mil>
---
 RHEL6/input/guide.xslt                           |  6 +++++
 RHEL6/transforms/shorthand2xccdf.xslt            | 26 ++++++++++-----------
 RHEL6/transforms/xccdf2table-profileccirefs.xslt |  4 +++
 3 files changed, 22 insertions(+), 14 deletions(-)
diff --git a/RHEL6/input/guide.xslt b/RHEL6/input/guide.xslt index 5a0de5e..45793f0 100644 --- a/RHEL6/input/guide.xslt +++ b/RHEL6/input/guide.xslt @@ -4,6 +4,12 @@ <xsl:template match="Benchmark"> xsl:copy <xsl:copy-of select="@*|node()" /> + <Value id="conditional_clause" type="string" operator="equals"> + <title>A conditional clause for check statements.</title> + <description>A conditional clause for check statements.</description> + <value>This is a placeholder.</value> + </Value> + <xsl:apply-templates select="document('intro/intro.xml')" /> <xsl:apply-templates select="document('system/system.xml')" /> <xsl:apply-templates select="document('services/services.xml')" /> diff --git a/RHEL6/transforms/shorthand2xccdf.xslt b/RHEL6/transforms/shorthand2xccdf.xslt index 2ab6442..82b6769 100644 --- a/RHEL6/transforms/shorthand2xccdf.xslt +++ b/RHEL6/transforms/shorthand2xccdf.xslt @@ -187,10 +187,8 @@ exclude-result-prefixes="xccdf xhtml"> <xsl:attribute name="system">ocil-transitional</xsl:attribute> <xsl:if test="@clause"> <check-export> - <xsl:attribute name="export-name">clause</xsl:attribute> - <xsl:attribute name="value-id"> - <xsl:value-of select="@clause" /> - </xsl:attribute> + <xsl:attribute name="export-name"><xsl:value-of select="@clause" /></xsl:attribute> + <xsl:attribute name="value-id">conditional_clause</xsl:attribute> </check-export> </xsl:if> <check-content> @@ -221,7 +219,7 @@ exclude-result-prefixes="xccdf xhtml"> xhtml:pre$ sysctl <xsl:value-of select="@sysctl"/></xhtml:pre> The output of the command should indicate a value of xhtml:code<xsl:value-of select="@value"/></xhtml:code>. If this value is not the default value, investigate how it could have been adjusted at runtime, and verify - that it is not set improperly in <tt>/etc/sysctl.conf</tt>. + that it is not set improperly in xhtml:code/etc/sysctl.conf</xhtml:code>. </xsl:template>
<xsl:template match="fileperms-desc-macro"> @@ -295,7 +293,7 @@ exclude-result-prefixes="xccdf xhtml">
<xsl:template match="service-disable-check-macro"> It is prudent to check that the xhtml:code<xsl:value-of select="@service"/></xhtml:code> service is disabled in system boot - configuration via <tt>chkconfig</tt> and not currently running on the system (runtime configuration). + configuration via xhtml:codechkconfig</xhtml:code> and not currently running on the system (runtime configuration).
Run the following command to verify xhtml:code<xsl:value-of select="@service"/></xhtml:code> is disabled through current runtime configuration: @@ -329,26 +327,26 @@ exclude-result-prefixes="xccdf xhtml">
<xsl:template match="module-disable-macro"> To configure the system to prevent the xhtml:code<xsl:value-of select="@module"/></xhtml:code> -kernel module from being loaded, add the following line to a file in the directory <tt>/etc/modprobe.d</tt>: -<pre xml:space="preserve">install <xsl:value-of select="@module"/> /bin/true</pre> +kernel module from being loaded, add the following line to a file in the directory xhtml:code/etc/modprobe.d</xhtml:code>: +<xhtml:pre xml:space="preserve">install <xsl:value-of select="@module"/> /bin/true</xhtml:pre> </xsl:template>
<xsl:template match="module-disable-check-macro"> If the system is configured to prevent the loading of the xhtml:code<xsl:value-of select="@module"/></xhtml:code> kernel module, -it will contain lines inside any file in <tt>/etc/modprobe.d</tt> or the deprecated<tt>/etc/modprobe.conf</tt>. +it will contain lines inside any file in xhtml:code/etc/modprobe.d</xhtml:code> or the deprecatedxhtml:code/etc/modprobe.conf</xhtml:code>. These lines instruct the module loading system to run another program (such as -<tt>/bin/true</tt>) upon a module <tt>install</tt> event. -Run the following command to search for such lines in all files in <tt>/etc/modprobe.d</tt> -and the deprecated <tt>/etc/modprobe.conf</tt>: -<pre xml:space="preserve">$ grep -r <xsl:value-of select="@module"/> /etc/modprobe.conf /etc/modprobe.d</pre> +xhtml:code/bin/true</xhtml:code>) upon a module xhtml:codeinstall</xhtml:code> event. +Run the following command to search for such lines in all files in xhtml:code/etc/modprobe.d</xhtml:code> +and the deprecated xhtml:code/etc/modprobe.conf</xhtml:code>: +<xhtml:pre xml:space="preserve">$ grep -r <xsl:value-of select="@module"/> /etc/modprobe.conf /etc/modprobe.d</xhtml:pre> </xsl:template>
<xsl:template match="audit-syscall-check-macro"> To determine if the system is configured to audit calls to the xhtml:code<xsl:value-of select="@syscall"/></xhtml:code> system call, run the following command: -<pre xml:space="preserve"># auditctl -l | grep syscall | grep <xsl:value-of select="@syscall"/></pre> +<xhtml:pre xml:space="preserve"># auditctl -l | grep syscall | grep <xsl:value-of select="@syscall"/></xhtml:pre> If the system is configured to audit this activity, it will return a line. </xsl:template>
diff --git a/RHEL6/transforms/xccdf2table-profileccirefs.xslt b/RHEL6/transforms/xccdf2table-profileccirefs.xslt index 1d9758f..e047cfd 100644 --- a/RHEL6/transforms/xccdf2table-profileccirefs.xslt +++ b/RHEL6/transforms/xccdf2table-profileccirefs.xslt @@ -149,6 +149,10 @@ <xsl:template match="cdf:check"> <xsl:if test="@system=$ociltransitional"> <xsl:apply-templates select="cdf:check-content" /> + <!-- print clause with "finding" text --> + <xsl:if test="cdf:check-export"> + <br/>If <xsl:value-of select="cdf:check-export/@export-name" />, this is a finding. + </xsl:if> </xsl:if> <xsl:if test="@system=$ovaluri"> <xsl:for-each select="cdf:check-export">
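Review bot: the shorthand2xccdf.xslt hunk makes `export-name` carry the free-text clause and points `value-id` at the new placeholder Value, which is the abuse the cover letter admits to; the consequence for any consumer other than the table transform is that a tool honouring `<check-export>` will export the string "This is a placeholder." under a variable whose name contains spaces, and the clause itself survives only in `export-name`, because the Value never changes. A per-Rule Value, or keeping the clause inside `<check-content>`, would avoid overloading a field XCCDF defines as a variable name. Two smaller points: `<xsl:value-of select="cdf:check-export/@export-name"/>` in xccdf2table-profileccirefs.xslt prints only the first check-export if a check has several, and `<xsl:if test="@clause">` also fires for `clause=""`, which renders as "If , this is a finding."; `test="normalize-space(@clause)"` guards both. The `<tt>` to `xhtml:code` and `<pre>` to `xhtml:pre` replacements are the validation fixes the cover letter mentions and look right, except that "the deprecated<tt>" becomes "the deprecatedxhtml:code" in module-disable-check-macro, so the missing space before the tag is carried over and should be added.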
Signed-off-by: Jeffrey Blank <blank@eclipse.ncsc.mil>
---
 RHEL6/input/system/software/disk_partitioning.xml | 4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)
diff --git a/RHEL6/input/system/software/disk_partitioning.xml b/RHEL6/input/system/software/disk_partitioning.xml index e678d61..1c4d260 100644 --- a/RHEL6/input/system/software/disk_partitioning.xml +++ b/RHEL6/input/system/software/disk_partitioning.xml @@ -31,7 +31,9 @@ The <tt>/tmp</tt> directory is a world-writable directory used for temporary file storage. Ensure that it has its own partition or logical volume at installation time, or migrate it using LVM. </description> -<ocil><partition-check-macro part="/tmp"/></ocil> +<ocil clause="no line is returned"> +<partition-check-macro part="/tmp"/> +</ocil> <rationale> The <tt>/tmp</tt> partition is used as temporary storage by many programs. Placing <tt>/tmp</tt> in its own partition enables the setting of more
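Review bot: the clause `no line is returned` is only correct if `partition-check-macro` tells the reader to run a command that prints a line when /tmp is on its own partition; confirm that template's wording (not visible here) so that the generated "If no line is returned, this is a finding." matches the command it follows. Splitting the `<ocil>` content across lines also means the check-content now starts with a newline and indentation; harmless in the rendered table, but worth checking in the plain-text OCIL output the cover letter mentions.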
Signed-off-by: Jeffrey Blank <blank@eclipse.ncsc.mil>
---
 .../accounts/restrictions/password_storage.xml | 8 --------
 1 files changed, 0 insertions(+), 8 deletions(-)
diff --git a/RHEL6/input/system/accounts/restrictions/password_storage.xml b/RHEL6/input/system/accounts/restrictions/password_storage.xml index 8943c7c..b030ad4 100644 --- a/RHEL6/input/system/accounts/restrictions/password_storage.xml +++ b/RHEL6/input/system/accounts/restrictions/password_storage.xml @@ -85,14 +85,6 @@ Unencrypted passwords for remote FTP servers may be stored in <tt>.netrc</tt> files. DoD policy requires passwords be encrypted in storage and not used in access scripts. </rationale> -<ocil>Check the system for the existence of <tt>.netrc</tt> files by -running the following command: -<pre># find / -name .netrc</pre> - -Output indicates the presense of <tt>.netrc</tt> files. Remove <tt>.netrc</tt> -files wherever possible. If <tt>.netrc</tt> files are required for -mission functionality their existence and risk mitigation steps should be -documented.</ocil> <ident cce="TODO" /> <oval id="TODO" /> <ref nist="IA-5" disa="196" />
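Review bot: this removes the only manual check text for the `.netrc` rule while the rule still carries `<oval id="TODO"/>` and `<ident cce="TODO"/>`, so after this patch it cannot be checked by OCIL or OVAL. The subject calls the OCIL a duplicate, but nothing in the hunk shows where the `find / -name .netrc` procedure is kept; if it lives in the rule's `<description>`, say so in the commit message, otherwise keep the `<ocil>` until the OVAL check exists.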
scap-security-guide@lists.fedorahosted.org