This commit set provides support for writing alternate titles for the Rules in the XCCDF content in scap-security-guide. Although this defies a strategy of leveraging a common body of high-quality SCAP content and incurs additional costs, it was expressed as a necessity.
To synchronize an alternate titles file (currently only for the STIG profile):

    $ make alt-titles

This will cause input/utils/sync-alt-titles.py to include a placeholder for an alternate Rule title for every Rule in the specified (currently only stig-server) Profile. The short title is also included and synchronized as an aid to data entry.
A new transform (xccdf-alt-titles.xslt) performs replacement of the concise, broadly-acceptable title with whatever title language is desired instead. Currently, this is activated in the Makerule table-stig.
Jeffrey Blank (4):
  new file (alt-titles-stig.xml) that enables entering alternate titles for Rules
  new transform to replace concise, broadly-acceptable titles with alternative titles in XCCDF
  helper script to create alternate titles files and link it to Rules in an XCCDF Profile
    * short title is also synchronized as an aid to data entry
  added new Makerules to insert alternate titles, create STIG tables with them
 RHEL6/Makefile                            |  11 +-
 RHEL6/input/auxiliary/alt-titles-stig.xml | 455 +++++++++++++++++++++++++++++
 RHEL6/transforms/xccdf-alt-titles.xslt    |  36 +++
 RHEL6/utils/sync-alt-titles.py            |  84 ++++++
 4 files changed, 584 insertions(+), 2 deletions(-)
 create mode 100644 RHEL6/input/auxiliary/alt-titles-stig.xml
 create mode 100644 RHEL6/transforms/xccdf-alt-titles.xslt
 create mode 100755 RHEL6/utils/sync-alt-titles.py
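The workflow the cover letter describes has two halves: a sync step that gives every Rule selected by a Profile (following the Profile's `extends` chain) a placeholder entry in the titles file and refreshes its `shorttitle`, and a replacement step that swaps the Rule's concise title for the alternate wording. The following is an added example that reproduces both halves on a small constructed XCCDF snippet; it is not the project's `sync-alt-titles.py` or `xccdf-alt-titles.xslt`. It uses only the standard-library `xml.etree.ElementTree`, the `Benchmark` and titles-file contents are constructed, and it departs from the script in two places that are assumptions about intent rather than the script's behaviour: it skips `<select selected="false">` entries, and an empty placeholder leaves the Rule's original title untouched instead of replacing it.

```python
"""Alternate-title sync and replacement on a constructed XCCDF sample (demo only)."""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"
X = "{%s}" % XCCDF_NS  # Clark-notation prefix for namespaced tags

# Constructed sample input: a tiny Benchmark with a Profile chain and four Rules.
SAMPLE_XCCDF = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="demo">
  <Profile id="common">
    <select idref="partition_for_tmp" selected="true"/>
  </Profile>
  <Profile id="stig-server" extends="common">
    <select idref="sshd_disable_root_login" selected="true"/>
    <select idref="disable_xinetd" selected="false"/>
  </Profile>
  <Rule id="partition_for_tmp"><title>Ensure /tmp Located On Separate Partition</title></Rule>
  <Rule id="sshd_disable_root_login"><title>Disable SSH Root Login</title></Rule>
  <Rule id="disable_xinetd"><title>Disable xinetd Service</title></Rule>
  <Rule id="install_aide"><title>Install AIDE</title></Rule>
</Benchmark>"""

# Constructed titles file in the layout of alt-titles-stig.xml: one filled-in
# entry whose shorttitle is stale; the sync step adds whatever else is missing.
SAMPLE_TITLES = """<titles xmlns="http://checklists.nist.gov/xccdf/1.1" id="stig">
<title rule="partition_for_tmp" shorttitle="old short title">
It is required that the /tmp partition is located on a separate partition.
</title>
</titles>"""


def profile_rule_ids(bench, profile_id):
    """Rule ids selected by a Profile and by every Profile it extends.
    Assumption: selected="false" entries are not wanted (the script ignores
    that attribute)."""
    ids = []
    while profile_id:
        prof = bench.find(".//%sProfile[@id='%s']" % (X, profile_id))
        if prof is None:
            raise KeyError("Profile %s not found" % profile_id)
        for sel in prof.findall("./%sselect" % X):
            if sel.get("selected", "true") != "false":
                ids.append(sel.get("idref"))
        profile_id = prof.get("extends")
    return ids


def sync_alt_titles(bench, titles, profile_id):
    """Add an empty placeholder for every selected Rule that lacks one and
    refresh the shorttitle attribute from the Rule's current title.
    Returns the ids for which a placeholder was created."""
    existing = {t.get("rule"): t for t in titles.findall("./%stitle" % X)}
    added = []
    for rid in profile_rule_ids(bench, profile_id):
        rule = bench.find(".//%sRule[@id='%s']" % (X, rid))
        if rule is None:
            continue
        holder = existing.get(rid)
        if holder is None:
            # Create the placeholder in the XCCDF namespace so that later
            # namespaced lookups (and an XSLT using xccdf:title) still see it.
            holder = ET.SubElement(titles, X + "title")
            holder.text = "\n"
            existing[rid] = holder
            added.append(rid)
        holder.set("rule", rid)
        holder.set("shorttitle", rule.findtext("./%stitle" % X, default=""))
    return added


def apply_alt_titles(bench, titles):
    """Replace a Rule's title with its alternate title when one was entered.
    Assumption: an empty placeholder keeps the original title.
    Returns {rule_id: new_title} for the Rules that were changed."""
    alternates = {}
    for t in titles.findall("./%stitle" % X):
        text = (t.text or "").strip()
        if text:
            alternates[t.get("rule")] = text
    changed = {}
    for rule in bench.iter(X + "Rule"):
        rid = rule.get("id")
        title = rule.find("./%stitle" % X)
        if rid in alternates and title is not None:
            title.text = alternates[rid]
            changed[rid] = title.text
    return changed


def run_demo():
    """Sync, then replace, on the constructed sample; returns the results."""
    bench = ET.fromstring(SAMPLE_XCCDF)
    titles = ET.fromstring(SAMPLE_TITLES)
    added = sync_alt_titles(bench, titles, "stig-server")
    changed = apply_alt_titles(bench, titles)
    return added, changed, bench, titles


if __name__ == "__main__":
    added, changed, bench, titles = run_demo()
    print("placeholders added:", added)
    print("titles replaced:", changed)
    print(ET.tostring(titles, encoding="unicode", default_namespace=XCCDF_NS))
```

Running it adds a placeholder only for `sshd_disable_root_login` (the `selected="false"` Rule and the unselected `install_aide` get none), refreshes the stale `shorttitle` on the `partition_for_tmp` entry, and replaces only that Rule's title, since the new placeholder is still empty.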
Signed-off-by: Jeffrey Blank blank@eclipse.ncsc.mil
---
 RHEL6/input/auxiliary/alt-titles-stig.xml | 455 +++++++++++++++++++++++++++++
 1 files changed, 455 insertions(+), 0 deletions(-)
 create mode 100644 RHEL6/input/auxiliary/alt-titles-stig.xml
diff --git a/RHEL6/input/auxiliary/alt-titles-stig.xml b/RHEL6/input/auxiliary/alt-titles-stig.xml new file mode 100644 index 0000000..342ec65 --- /dev/null +++ b/RHEL6/input/auxiliary/alt-titles-stig.xml 
@@ -0,0 +1,455 @@ +<?xml version="1.0"?> +<titles xmlns="http://checklists.nist.gov/xccdf/1.1" id="stig"> +<!-- This file can be used to specify alternative titles. + The rule attribute is used to identify the Rule with which to associate the title. + The shorttitle attribute is provided as an aide to data entry. + The xccdf-alt-titles.xslt transform can be used to synchronize the rule and + shorttitle attributes with a particular XCCDF profile automatically. --> +<title rule="partition_for_tmp" shorttitle="Ensure /tmp Located On Separate Partition"> +It is required that the /tmp partition is located on a separate partition. +</title> +<title rule="partition_for_var" shorttitle="Ensure /var Located On Separate Partition"> +It is required that the /var partition is located on a separate partition. +</title> +<title rule="partition_for_var_log" shorttitle="Ensure /var/log Located On Separate Partition"> +It is required that the /var/log partition is located on a separate partition. +</title> +<title rule="partition_for_var_log_audit" shorttitle="Ensure /var/log/audit Located On Separate Partition"> +</title> +<title rule="partition_for_home" shorttitle="Ensure /home Located On Separate Partition"> +</title> +<title rule="partition_for_tmp" shorttitle="Ensure /tmp Located On Separate Partition"> +</title> +<title rule="partition_for_var" shorttitle="Ensure /var Located On Separate Partition"> +</title> +<title rule="partition_for_var_log" shorttitle="Ensure /var/log Located On Separate Partition"> +</title> +<title rule="partition_for_var_log_audit" shorttitle="Ensure /var/log/audit Located On Separate Partition"> +</title> +<title rule="partition_for_home" shorttitle="Ensure /home Located On Separate Partition"> +</title> +<title rule="ensure_redhat_gpgkey_installed" shorttitle="Ensure Red Hat GPG Key Installed"> +</title> +<title rule="security_patches_up_to_date" shorttitle="Ensure Software Patches Installed"> +</title> +<title 
rule="ensure_gpgcheck_globally_activated" shorttitle="Ensure gpgcheck Enabled In Main Yum Configuration"> +</title> +<title rule="ensure_gpgcheck_never_disabled" shorttitle="Ensure gpgcheck Enabled For All Yum Package Repositories"> +</title> +<title rule="install_aide" shorttitle="Install AIDE"> +</title> +<title rule="aide_periodic_cron_checking" shorttitle="Configure Periodic Execution of AIDE"> +</title> +<title rule="rpm_verify_permissions" shorttitle="Verify File Permissions with RPM"> +</title> +<title rule="kernel_module_usb-storage_disabled" shorttitle="Disable Modprobe Loading of USB Storage Driver"> +</title> +<title rule="service_autofs_disabled" shorttitle="Disable the Automounter"> +</title> +<title rule="userowner_shadow_file" shorttitle="Verify User Who Owns shadow File"> +</title> +<title rule="groupowner_shadow_file" shorttitle="Verify Group Who Owns shadow File"> +</title> +<title rule="perms_shadow_file" shorttitle="Verify Permissions on shadow File"> +</title> +<title rule="userowner_gshadow_file" shorttitle="Verify User Who Owns gshadow File"> +</title> +<title rule="groupowner_gshadow_file" shorttitle="Verify Group Who Owns gshadow File"> +</title> +<title rule="perms_gshadow_file" shorttitle="Verify Permissions on gshadow File"> +</title> +<title rule="userowner_passwd_file" shorttitle="Verify User Who Owns passwd File"> +</title> +<title rule="groupowner_passwd_file" shorttitle="Verify Group Who Owns passwd File"> +</title> +<title rule="file_permissions_etc_passwd" shorttitle="Verify Permissions on passwd File"> +</title> +<title rule="file_permissions_library_dirs" shorttitle="Verify that Shared Library Files Have Restrictive Permissions"> +</title> +<title rule="file_ownership_library_dirs" shorttitle="Verify that Shared Library Files Have Root Ownership"> +</title> +<title rule="file_permissions_binary_dirs" shorttitle="Verify that System Executables Have Restrictive Permissions"> +</title> +<title rule="file_ownership_binary_dirs" 
shorttitle="Verify that System Executables Have Root Ownership"> +</title> +<title rule="sticky_world_writable_dirs" shorttitle="Verify that All World-Writable Directories Have Sticky Bits Set"> +</title> +<title rule="no_files_unowned_by_user" shorttitle="Ensure All Files Are Owned by a User"> +</title> +<title rule="world_writable_files_system_ownership" shorttitle="Ensure All World-Writable Directories Are Owned by a System Account"> +</title> +<title rule="disable_users_coredumps" shorttitle="Disable Core Dumps for All Users"> +</title> +<title rule="enable_execshield" shorttitle="Enable ExecShield"> +</title> +<title rule="enable_randomize_va_space" shorttitle="Enable Randomized Layout of Virtual Address Space"> +</title> +<title rule="enable_selinux_bootloader" shorttitle="Ensure SELinux Not Disabled in /etc/grub.conf"> +</title> +<title rule="set_selinux_state" shorttitle="Ensure SELinux State is Enforcing"> +</title> +<title rule="set_selinux_policy" shorttitle="Configure SELinux Policy"> +</title> +<title rule="selinux_unlabeled_device_files" shorttitle="Ensure No Device Files are Unlabeled by SELinux"> +</title> +<title rule="restrict_root_console_logins" shorttitle="Restrict Virtual Console Root Logins"> +</title> +<title rule="restrict_serial_port_logins" shorttitle="Restrict Serial Port Root Logins"> +</title> +<title rule="no_shelllogin_for_systemaccounts" shorttitle="Ensure that System Accounts Do Not Run a Shell Upon Login"> +</title> +<title rule="no_uidzero_except_root" shorttitle="Verify Only Root Has UID 0"> +</title> +<title rule="no_empty_passwords" shorttitle="Prevent Log In to Accounts With Empty Password"> +</title> +<title rule="no_hashes_outside_shadow" shorttitle="Verify All Account Password Hashes are Shadowed"> +</title> +<title rule="no_netrc_files" shorttitle="Verify No netrc Files Exist"> +</title> +<title rule="password_min_len" shorttitle="Set Password Minimum Length in login.defs"> +</title> +<title rule="password_min_age" 
shorttitle="Set Password Minimum Age"> +</title> +<title rule="password_max_age" shorttitle="Set Password Maximum Age"> +</title> +<title rule="password_warn_age" shorttitle="Set Password Warning Age"> +</title> +<title rule="account_disable_post_pw_expiration" shorttitle="Set Account Expiration Following Inactivity"> +</title> +<title rule="no_nis_inclusions_shadow" shorttitle="Remove Legacy + Entries From /etc/shadow"> +</title> +<title rule="no_nis_inclusions_group" shorttitle="Remove Legacy + Entries From /etc/group"> +</title> +<title rule="no_nis_inclusions_passwd" shorttitle="Remove Legacy + Entries From /etc/passwd"> +</title> +<title rule="password_retry" shorttitle="Set Password Retry Prompts Permitted Per-session"> +</title> +<title rule="password_require_digits" shorttitle="Set Password Strength Minimum Digit Characters"> +</title> +<title rule="password_require_uppercases" shorttitle="Set Password Strength Minimum Uppercase Characters"> +</title> +<title rule="password_require_specials" shorttitle="Set Password Strength Minimum Special Characters"> +</title> +<title rule="password_require_lowercases" shorttitle="Set Password Strength Minimum Lowercase Characters"> +</title> +<title rule="password_require_diffchars" shorttitle="Set Password Strength Minimum Different Characters"> +</title> +<title rule="deny_password_attempts" shorttitle="Set Deny For Failed Password Attempts"> +</title> +<title rule="set_password_hashing_algorithm" shorttitle="Set Password Hashing Algorithm"> +</title> +<title rule="limiting_password_reuse" shorttitle="Limit Password Reuse"> +</title> +<title rule="max_concurrent_login_sessions" shorttitle="Limit the Number of Concurrent Login Sessions Allowed Per User"> +</title> +<title rule="user_umask_bashrc" shorttitle="Ensure the Default Bash Umask is Set Correctly"> +</title> +<title rule="user_umask_cshrc" shorttitle="Ensure the Default C Shell Umask is Set Correctly"> +</title> +<title rule="user_umask_profile" 
shorttitle="Ensure the Default Umask is Set Correctly in /etc/profile"> +</title> +<title rule="user_umask_logindefs" shorttitle="Ensure the Default Umask is Set Correctly in login.defs"> +</title> +<title rule="user_owner_grub_conf" shorttitle="Verify /boot/grub/grub.conf User Ownership"> +</title> +<title rule="group_owner_grub_conf" shorttitle="Verify /boot/grub/grub.conf Group Ownership"> +</title> +<title rule="permissions_grub_conf" shorttitle="Verify /boot/grub/grub.conf Permissions"> +</title> +<title rule="bootloader_password" shorttitle="Set Boot Loader Password"> +</title> +<title rule="require_singleuser_auth" shorttitle="Require Authentication for Single User Mode"> +</title> +<title rule="disable_interactive_boot" shorttitle="Disable Interactive Boot"> +</title> +<title rule="set_screensaver_inactivity_timeout" shorttitle="Set GNOME Login Inactivity Timeout"> +</title> +<title rule="enable_screensaver_after_idle" shorttitle="GNOME Desktop Screensaver Mandatory Use"> +</title> +<title rule="enable_screensaver_password_lock" shorttitle="Enable Screen Lock Activation After Idle Period"> +</title> +<title rule="set_blank_screensaver" shorttitle="Implement Blank Screen Saver"> +</title> +<title rule="install_vlock_package" shorttitle="Install the vlock Package"> +</title> +<title rule="set_system_login_banner" shorttitle="Modify the System Login Banner"> +</title> +<title rule="enable_gdm_login_banner" shorttitle="Enable GUI Warning Banner"> +</title> +<title rule="set_gdm_login_banner_text" shorttitle="Set GUI Warning Banner Text"> +</title> +<title rule="disable_sysctl_ipv4_default_send_redirects" shorttitle="Disable Kernel Parameter for Sending ICMP Redirects by Default"> +</title> +<title rule="disable_sysctl_ipv4_all_send_redirects" shorttitle="Disable Kernel Parameter for Sending ICMP Redirects for All Interfaces"> +</title> +<title rule="disable_sysctl_ipv4_ip_forward" shorttitle="Disable Kernel Parameter for IP Forwarding"> +</title> +<title 
rule="set_sysctl_net_ipv4_conf_all_accept_source_route" shorttitle="Disable Kernel Parameter for Accepting Source-Routed Packets for All Interfaces"> +</title> +<title rule="set_sysctl_net_ipv4_conf_all_accept_redirects" shorttitle="Disable Kernel Parameter for Accepting ICMP Redirects for All Interfaces"> +</title> +<title rule="set_sysctl_net_ipv4_conf_all_secure_redirects" shorttitle="Disable Kernel Parameter for Accepting Secure Redirects for All Interfaces"> +</title> +<title rule="set_sysctl_net_ipv4_conf_all_log_martians" shorttitle="Enable Kernel Parameter to Log Martian Packets"> +</title> +<title rule="set_sysctl_net_ipv4_conf_default_accept_source_route" shorttitle="Disable Kernel Parameter for Accepting Source-Routed Packets By Default"> +</title> +<title rule="set_sysctl_net_ipv4_conf_default_secure_redirects" shorttitle="Disable Kernel Parameter for Accepting Secure Redirects By Default"> +</title> +<title rule="set_sysctl_net_ipv4_icmp_echo_ignore_broadcasts" shorttitle="Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests"> +</title> +<title rule="set_sysctl_net_ipv4_icmp_ignore_bogus_error_responses" shorttitle="Enable Kernel Parameter to Ignore Bogus ICMP Error Responses"> +</title> +<title rule="set_sysctl_net_ipv4_tcp_syncookies" shorttitle="Enable Kernel Parameter to Use TCP Syncookies"> +</title> +<title rule="set_sysctl_net_ipv4_conf_all_rp_filter" shorttitle="Enable Kernel Parameter to Use Reverse Path Filtering for All Interfaces"> +</title> +<title rule="set_sysctl_net_ipv4_conf_default_rp_filter" shorttitle="Enable Kernel Parameter to Use Reverse Path Filtering by Default"> +</title> +<title rule="service_bluetooth_disabled" shorttitle="Disable Bluetooth Service"> +</title> +<title rule="kernel_module_bluetooth_disabled" shorttitle="Disable Bluetooth Kernel Modules"> +</title> +<title rule="disable_ipv6_module_loading" shorttitle="Disable IPv6 Networking Support Automatic Loading"> +</title> +<title 
rule="set_sysctl_ipv6_default_accept_redirects" shorttitle="Disable Accepting IPv6 Redirects"> +</title> +<title rule="enable_ip6tables" shorttitle="Verify ip6tables Enabled"> +</title> +<title rule="enable_iptables" shorttitle="Verify iptables Enabled"> +</title> +<title rule="set_iptables_default_rule" shorttitle="Set Default Iptables Policy for Incoming Packets"> +</title> +<title rule="set_iptables_default_rule_forward" shorttitle="Set Default Iptables Policy for Forwarded Packets"> +</title> +<title rule="disable_protocol_dccp" shorttitle="Disable DCCP Support"> +</title> +<title rule="disable_protocol_sctp" shorttitle="Disable SCTP Support"> +</title> +<title rule="disable_protocol_rds" shorttitle="Disable RDS Support"> +</title> +<title rule="disable_protocol_tipc" shorttitle="Disable TIPC Support"> +</title> +<title rule="install_openswan" shorttitle="Install openswan Package"> +</title> +<title rule="package_rsyslog_installed" shorttitle="Ensure rsyslog is Installed"> +</title> +<title rule="service_rsyslog_enabled" shorttitle="Enable Rsyslog Service (rsyslog)"> +</title> +<title rule="userowner_rsyslog_files" shorttitle="Ensure Log Files Are Owned By Appropriate User"> +</title> +<title rule="groupowner_rsyslog_files" shorttitle="Ensure Log Files Are Owned By Appropriate Group"> +</title> +<title rule="rsyslog_file_permissions" shorttitle="Ensure System Log Files Have Correct Permissions"> +</title> +<title rule="rsyslog_send_messages_to_logserver" shorttitle="Ensure Logs Sent To Remote Host"> +</title> +<title rule="ensure_logrotate_activated" shorttitle="Ensure Logrotate Runs Periodically"> +</title> +<title rule="enable_auditd_service" shorttitle="Enable auditd Service"> +</title> +<title rule="enable_auditd_bootloader" shorttitle="Enable Auditing for Processes Which Start Prior to the Audit Daemon"> +</title> +<title rule="configure_auditd_num_logs" shorttitle="Configure auditd Number of Logs Retained"> +</title> +<title 
rule="configure_auditd_max_log_file" shorttitle="Configure auditd Max Log File Size"> +</title> +<title rule="configure_auditd_max_log_file_action" shorttitle="Configure auditd max_log_file_action Upon Reaching Maximum Log Size"> +</title> +<title rule="configure_auditd_space_left_action" shorttitle="Configure auditd space_left Action on Low Disk Space"> +</title> +<title rule="configure_auditd_admin_space_left_action" shorttitle="Configure auditd admin_space_left Action on Low Disk Space"> +</title> +<title rule="configure_auditd_action_mail_acct" shorttitle="Configure auditd mail_acct Action on Low Disk Space"> +</title> +<title rule="audit_rules_time_adjtimex" shorttitle="Record attempts to alter time through adjtimex"> +</title> +<title rule="audit_rules_time_settimeofday" shorttitle="Record attempts to alter time through settimeofday"> +</title> +<title rule="audit_rules_time_stime" shorttitle="Record Attempts to Alter Time Through stime"> +</title> +<title rule="audit_rules_time_clock_settime" shorttitle="Record Attempts to Alter Time Through clock_settime"> +</title> +<title rule="audit_rules_time_watch_localtime" shorttitle="Record Attempts to Alter the localtime File"> +</title> +<title rule="audit_account_changes" shorttitle="Record Events that Modify User/Group Information"> +</title> +<title rule="audit_network_modifications" shorttitle="Record Events that Modify the System's Network Environment"> +</title> +<title rule="audit_mac_changes" shorttitle="Record Events that Modify the System's Mandatory Access Controls"> +</title> +<title rule="audit_rules_dac_modification_chmod" shorttitle="Record Events that Modify the System's Discretionary Access Controls - chmod"> +</title> +<title rule="audit_rules_dac_modification_chown" shorttitle="Record Events that Modify the System's Discretionary Access Controls - chown"> +</title> +<title rule="audit_rules_dac_modification_fchmod" shorttitle="Record Events that Modify the System's Discretionary Access Controls 
- fchmod"> +</title> +<title rule="audit_rules_dac_modification_fchmodat" shorttitle="Record Events that Modify the System's Discretionary Access Controls - fchmodat"> +</title> +<title rule="audit_rules_dac_modification_fchown" shorttitle="Record Events that Modify the System's Discretionary Access Controls - fchown"> +</title> +<title rule="audit_rules_dac_modification_fchownat" shorttitle="Record Events that Modify the System's Discretionary Access Controls - fchownat"> +</title> +<title rule="audit_rules_dac_modification_fremovexattr" shorttitle="Record Events that Modify the System's Discretionary Access Controls - fremovexattr"> +</title> +<title rule="audit_rules_dac_modification_fsetxattr" shorttitle="Record Events that Modify the System's Discretionary Access Controls - fsetxattr"> +</title> +<title rule="audit_rules_dac_modification_lchown" shorttitle="Record Events that Modify the System's Discretionary Access Controls - lchown"> +</title> +<title rule="audit_rules_dac_modification_lremovexattr" shorttitle="Record Events that Modify the System's Discretionary Access Controls - lremovexattr"> +</title> +<title rule="audit_rules_dac_modification_lsetxattr" shorttitle="Record Events that Modify the System's Discretionary Access Controls - lsetxattr"> +</title> +<title rule="audit_rules_dac_modification_removexattr" shorttitle="Record Events that Modify the System's Discretionary Access Controls - removexattr"> +</title> +<title rule="audit_rules_dac_modification_setxattr" shorttitle="Record Events that Modify the System's Discretionary Access Controls - setxattr"> +</title> +<title rule="audit_file_access" shorttitle="Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)"> +</title> +<title rule="audit_privileged_commands" shorttitle="Ensure auditd Collects Information on the Use of Privileged Commands"> +</title> +<title rule="audit_media_exports" shorttitle="Ensure auditd Collects Information on Exporting to Media (successful)"> 
+</title> +<title rule="audit_file_deletions" shorttitle="Ensure auditd Collects File Deletion Events by User"> +</title> +<title rule="audit_sysadmin_actions" shorttitle="Ensure auditd Collects System Administrator Actions"> +</title> +<title rule="audit_kernel_module_loading" shorttitle="Ensure auditd Collects Information on Kernel Module Loading and Unloading"> +</title> +<title rule="disable_xinetd" shorttitle="Disable xinetd Service"> +</title> +<title rule="uninstall_xinetd" shorttitle="Uninstall xinetd Package"> +</title> +<title rule="disable_telnet_service" shorttitle="Disable telnet Service"> +</title> +<title rule="uninstall_telnet_server" shorttitle="Uninstall telnet-server Package"> +</title> +<title rule="uninstall_rsh-server" shorttitle="Uninstall rsh-server Package"> +</title> +<title rule="disable_rexec" shorttitle="Disable rexec Service"> +</title> +<title rule="disable_rsh" shorttitle="Disable rsh Service"> +</title> +<title rule="disable_rlogin" shorttitle="Disable rlogin Service"> +</title> +<title rule="no_rsh_trust_files" shorttitle="Remove Rsh Trust Files"> +</title> +<title rule="uninstall_ypserv" shorttitle="Uninstall ypserv Package"> +</title> +<title rule="disable_ypbind" shorttitle="Disable ypbind Service"> +</title> +<title rule="disable_tftp" shorttitle="Disable tftp Service"> +</title> +<title rule="uninstall_tftp-server" shorttitle="Uninstall tftp-server Package"> +</title> +<title rule="tftpd_uses_secure_mode" shorttitle="Ensure TFTP Daemon Uses Secure Mode"> +</title> +<title rule="service_abrtd_disabled" shorttitle="Disable Automatic Bug Reporting Tool (abrtd)"> +</title> +<title rule="service_atd_disabled" shorttitle="Disable At Service (atd)"> +</title> +<title rule="service_ntpdate_disabled" shorttitle="Disable ntpdate Service (ntpdate)"> +</title> +<title rule="service_oddjobd_disabled" shorttitle="Disable Odd Job Daemon (oddjobd)"> +</title> +<title rule="service_qpidd_disabled" shorttitle="Disable Apache Qpid (qpidd)"> 
+</title> +<title rule="service_rdisc_disabled" shorttitle="Disable Network Router Discovery Daemon (rdisc)"> +</title> +<title rule="service_rhnsd_disabled" shorttitle="Disable Red Hat Network Service (rhnsd)"> +</title> +<title rule="service_sysstat_disabled" shorttitle="Disable System Statistics Reset Service (sysstat)"> +</title> +<title rule="enable_cron" shorttitle="Enable cron Service"> +</title> +<title rule="disable_at" shorttitle="Disable atd Service"> +</title> +<title rule="sshd_allow_only_protocol2" shorttitle="Allow Only SSH Protocol 2"> +</title> +<title rule="sshd_set_idle_timeout" shorttitle="Set SSH Idle Timeout Interval"> +</title> +<title rule="sshd_set_keepalive" shorttitle="Set SSH Client Alive Count"> +</title> +<title rule="sshd_disable_rhosts" shorttitle="Disable SSH Support for .rhosts Files"> +</title> +<title rule="disable_host_auth" shorttitle="Disable Host-Based Authentication"> +</title> +<title rule="sshd_disable_root_login" shorttitle="Disable SSH Root Login"> +</title> +<title rule="sshd_disable_empty_passwords" shorttitle="Disable SSH Access via Empty Passwords"> +</title> +<title rule="sshd_enable_warning_banner" shorttitle="Enable SSH Warning Banner"> +</title> +<title rule="sshd_do_not_permit_user_env" shorttitle="Do Not Allow SSH Environment Options"> +</title> +<title rule="sshd_use_approved_ciphers" shorttitle="Use Only Approved Ciphers"> +</title> +<title rule="disable_xwindows_with_runlevel" shorttitle="Disable X Windows Startup By Setting Runlevel"> +</title> +<title rule="packagegroup_xwindows_remove" shorttitle="Remove the X Windows Package Group"> +</title> +<title rule="xwindows_remote_listening" shorttitle="Disable X Window System Listening"> +</title> +<title rule="disable_avahi" shorttitle="Disable Avahi Server Software"> +</title> +<title rule="disable_dhcp_server" shorttitle="Disable DHCP Service"> +</title> +<title rule="uninstall_dhcp_server" shorttitle="Uninstall DHCP Server Package"> +</title> +<title 
rule="disable_dhcp_client" shorttitle="Disable DHCP Client"> +</title> +<title rule="enable_ntpd" shorttitle="Enable the NTP Daemon"> +</title> +<title rule="ntpd_specify_remote_server" shorttitle="Specify a Remote NTP Server"> +</title> +<title rule="postfix_network_listening" shorttitle="Disable Postfix Network Listening"> +</title> +<title rule="ldap_client_start_tls" shorttitle="Configure LDAP to Use TLS For All Transactions"> +</title> +<title rule="ldap_client_tls_cacertpath" shorttitle="Configure Certificate Directives for LDAP Use of TLS"> +</title> +<title rule="package_openldap-servers_removed" shorttitle="Uninstall openldap-servers Package"> +</title> +<title rule="service_nfs_disabled" shorttitle="Disable Network File System (nfs)"> +</title> +<title rule="service_rpcsvcgssd_disabled" shorttitle="Disable Secure RPC Server Service (rpcsvcgssd)"> +</title> +<title rule="use_nodev_option_on_nfs_mounts" shorttitle="Mount Remote Filesystems with nodev"> +</title> +<title rule="use_nosuid_option_on_nfs_mounts" shorttitle="Mount Remote Filesystems with nosuid"> +</title> +<title rule="no_insecure_locks_exports" shorttitle="Ensure Insecure File Locking is Not Allowed"> +</title> +<title rule="disable_dns_server" shorttitle="Disable DNS Server"> +</title> +<title rule="uninstall_bind" shorttitle="Uninstall bind Package"> +</title> +<title rule="disable_vsftpd" shorttitle="Disable vsftpd Service"> +</title> +<title rule="uninstall_vsftpd" shorttitle="Uninstall vsftpd Package"> +</title> +<title rule="ftp_present_banner" shorttitle="Create Warning Banners for All FTP Users"> +</title> +<title rule="disable_httpd" shorttitle="Disable httpd Service"> +</title> +<title rule="uninstall_httpd" shorttitle="Uninstall httpd Package"> +</title> +<title rule="disable_dovecot" shorttitle="Disable Dovecot Service"> +</title> +<title rule="uninstall_dovecot" shorttitle="Uninstall dovecot Package"> +</title> +<title rule="disable_smb_server" shorttitle="Disable Samba"> 
+</title> +<title rule="require_smb_client_signing" shorttitle="Require Client SMB Packet Signing, if using smbclient"> +</title> +<title rule="require_smb_client_signing_mount.cifs" shorttitle="Require Client SMB Packet Signing, if using mount.cifs"> +</title> +<title rule="disable_squid" shorttitle="Disable Squid"> +</title> +<title rule="uninstall_squid" shorttitle="Uninstall squid Package"> +</title> +<title rule="disable_snmpd" shorttitle="Disable snmpd Service"> +</title> +<title rule="uninstall_net-snmp" shorttitle="Uninstall net-snmp Package"> +</title> +</titles>
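Review bot: the first five entries (partition_for_tmp, partition_for_var, partition_for_var_log, partition_for_var_log_audit, partition_for_home) appear twice in this file, once near the top with text for the first three and again immediately after as empty placeholders. The transform loops over every `<title>` whose `rule` attribute matches, so a duplicated Rule ends up with two `<title>` elements in the output (one filled, one empty), while `sync-alt-titles.py` only ever updates the first match; drop the second block and have the sync script reject duplicate `rule` values. Separately, the header comment says "The xccdf-alt-titles.xslt transform can be used to synchronize the rule and shorttitle attributes", but per the cover letter that is what `sync-alt-titles.py` does; the XSLT performs the replacement, so the comment should name the script.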
Signed-off-by: Jeffrey Blank blank@eclipse.ncsc.mil
---
 RHEL6/transforms/xccdf-alt-titles.xslt | 36 ++++++++++++++++++++++++++++++++
 1 files changed, 36 insertions(+), 0 deletions(-)
 create mode 100644 RHEL6/transforms/xccdf-alt-titles.xslt
diff --git a/RHEL6/transforms/xccdf-alt-titles.xslt b/RHEL6/transforms/xccdf-alt-titles.xslt new file mode 100644 index 0000000..e5434cd --- /dev/null +++ b/RHEL6/transforms/xccdf-alt-titles.xslt @@ -0,0 +1,36 @@ +<?xml version="1.0"?> +<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:xccdf="http://checklists.nist.gov/xccdf/1.1" xmlns:xhtml="http://www.w3.org/1999/xhtml" exclude-result-prefixes="xccdf"> + +<!-- This transform expects a stringparam "alttitles" specifying a filename + containing a list of alternative titles. It replaces existing titles + in the Rules specified inside the titles file. --> + +<xsl:variable name="titles" select="document($alttitles)/xccdf:titles" /> + + <xsl:template match="xccdf:Rule"> + xsl:copy + <xsl:apply-templates select="@*"/> + <xsl:variable name="rule_id" select="@id"/> + <xsl:for-each select="$titles/xccdf:title"> + <xsl:if test="@rule=$rule_id"> + <!-- copy in the new title --> + <xsl:element name="title" namespace="http://checklists.nist.gov/xccdf/1.1%22%3E + <xsl:value-of select="text()"/> + </xsl:element> + </xsl:if> + </xsl:for-each> + <!-- copy everything else that isn't the title--> + <xsl:apply-templates select="node()[not(self::xccdf:title)]"/> + + </xsl:copy> + </xsl:template> + + + <!-- copy everything else through to final output --> + <xsl:template match="@*|node()"> + xsl:copy + <xsl:apply-templates select="@*|node()" /> + </xsl:copy> + </xsl:template> + +</xsl:stylesheet>
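Review bot: `<xsl:if test="@rule=$rule_id">` fires for empty placeholders too, and the original title is then dropped by `node()[not(self::xccdf:title)]`, so every Rule that has a blank entry in the titles file (which is almost all of them as the file currently stands) comes out with an empty `<title/>`. Test for content and fall back to the original, e.g. `<xsl:if test="@rule=$rule_id and normalize-space(.)!=''">` for the replacement and `<xsl:apply-templates select="xccdf:title"/>` when no non-empty alternate exists. The `for-each` also emits one `<title>` per matching entry, so a Rule listed twice in the titles file yields two titles. `$alttitles` is referenced without an `<xsl:param name="alttitles"/>` declaration; XSLT 1.0 treats a reference to an undeclared variable as an error, so declare it at the top level next to the `titles` variable. Note that the `<xsl:copy>` opening tags appear as bare `xsl:copy` and the closing quote of the `namespace` attribute appears as `%22%3E` in the rendering here; check the committed file rather than this page for those two spots.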
Signed-off-by: Jeffrey Blank blank@eclipse.ncsc.mil
---
 RHEL6/utils/sync-alt-titles.py | 84 ++++++++++++++++++++++++++++++++++++++++
 1 files changed, 84 insertions(+), 0 deletions(-)
 create mode 100755 RHEL6/utils/sync-alt-titles.py
diff --git a/RHEL6/utils/sync-alt-titles.py b/RHEL6/utils/sync-alt-titles.py new file mode 100755 index 0000000..80db6b8 --- /dev/null +++ b/RHEL6/utils/sync-alt-titles.py 
@@ -0,0 +1,84 @@ +#!/usr/bin/python + +import sys, os, optparse +import lxml.etree as ET + +# +# This script is designed to synchronize an alternative-titles file, which allows +# for specifying (and later inserting) titles of an alternate format into the +# main body of XCCDF content. +# +# It requires three arguments: an XCCDF file with Rules (which already have +# titles), a profile name (that specifies the Rules for which to populate the +# alternative-titles file), and the name of the alternative-titles file. +# + +xccdf_ns = "http://checklists.nist.gov/xccdf/1.1" +oval_ns = "http://oval.mitre.org/XMLSchema/oval-definitions-5" + +def parse_options(): + usage = "usage: %prog -p profile -f titlesfile xccdf_file" + parser = optparse.OptionParser(usage=usage, version="%prog ") + # only some options are on by default + parser.add_option("-p", "--profile", default=False, action="store", dest="profile_name", + help="provide title-holders for Rules in this XCCDF Profile") + parser.add_option("-f", "--titles-file", default=False, action="store", dest="titlesfile", + help="an alternate titles file, in which to populate title-holders") + parser.add_option("-r", "--read-only", default=False, action="store_true", dest="readonly", + help="print changes that would be made, but do not make them") + (options, args) = parser.parse_args() + if len(args) < 1 or not options.profile_name or not options.titlesfile: + parser.print_help() + sys.exit(1) + return (options, args) + + +def get_profileruleids(xccdftree, profile_name): + ruleids = [] + while profile_name: + profile = xccdftree.find(".//{%s}Profile[@id='%s']" % (xccdf_ns, profile_name)) + if profile is None: + sys.exit("Specified XCCDF Profile %s was not found.") + for select in profile.findall(".//{%s}select" % xccdf_ns): + ruleids.append(select.get("idref")) + profile_name = profile.get("extends") + + return ruleids + +def main(): + (options, args) = parse_options() + xccdffilename = args[0] + + # extract all of the rules 
within the xccdf + xccdftree = ET.parse(xccdffilename) + rules = xccdftree.findall(".//{%s}Rule" % xccdf_ns) + + profile_ruleids = get_profileruleids(xccdftree, options.profile_name) + prunedrules = rules[:] + for rule in rules: + if rule.get("id") not in profile_ruleids: + prunedrules.remove(rule) + rules = prunedrules + + titlestree = ET.parse(options.titlesfile) + alttitles = titlestree.findall(".//{%s}title" % xccdf_ns) + alttitles_rulerefs = [alttitle.get("rule") for alttitle in alttitles] + + for rule in rules: + ruleid = rule.get("id") + if ruleid not in alttitles_rulerefs: + titleholder = ET.SubElement(titlestree.getroot(), "title") + titleholder.text = "\n" + else: + titleholder = titlestree.find("./{"+xccdf_ns+"}title[@rule='"+ruleid+"']") + titleholder.attrib['rule'] = rule.get("id") + shorttitle = rule.find("./{%s}title" % xccdf_ns) + titleholder.attrib['shorttitle'] = shorttitle.text + + titlestree.write(options.titlesfile, pretty_print=True) + + sys.exit(0) + +if __name__ == "__main__": + main() +
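Review bot: `ET.SubElement(titlestree.getroot(), "title")` creates the placeholder with no namespace (lxml serializes it as `<title xmlns="">`), while every lookup in this script uses `{%s}title` in the XCCDF namespace and the XSLT selects `$titles/xccdf:title`. The next sync run therefore does not find the placeholder and appends it again, and the transform never sees it; use `ET.SubElement(titlestree.getroot(), "{%s}title" % xccdf_ns)`. Also: `--read-only` is parsed into `options.readonly` but never consulted, so `titlestree.write(...)` always runs; `sys.exit("Specified XCCDF Profile %s was not found.")` is missing `% profile_name`; `get_profileruleids` appends the idref of every `select` regardless of `selected="false"`; `shorttitle.text` raises AttributeError if a Rule has no `<title>`; and `oval_ns` is unused.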
Signed-off-by: Jeffrey Blank blank@eclipse.ncsc.mil
---
 RHEL6/Makefile | 11 +++++++++--
 1 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/RHEL6/Makefile b/RHEL6/Makefile index a85767a..8049db1 100644 --- a/RHEL6/Makefile +++ b/RHEL6/Makefile @@ -2,6 +2,7 @@ IN = input OUT = output TRANS = transforms REFS = references +UTILS = utils DIST = dist ID = scap-security-guide
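Review bot: `UTILS = utils` is introduced here but nothing in the hunks shown uses `$(UTILS)`, and the `make alt-titles` target the cover letter documents is not among them (the later `@@ -65,10 +65,17 @@` hunk header accounts for more added lines than are visible on this page). Confirm the target exists and invokes `$(UTILS)/sync-alt-titles.py -p stig-server -f $(IN)/auxiliary/alt-titles-stig.xml` on the generated XCCDF, since that is what the cover letter promises.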
@@ -14,7 +15,7 @@ shorthand-guide: shorthand2xccdf: shorthand-guide xsltproc -o $(OUT)/rhel6-xccdf-noprofiles.xml $(TRANS)/shorthand2xccdf.xslt $(OUT)/rhel6-shorthand.xml xsltproc -stringparam profile "allprofiles" -o $(OUT)/rhel6-xccdf.xml $(TRANS)/xccdf-addprofiles.xslt $(OUT)/rhel6-xccdf-noprofiles.xml - xsltproc -stringparam fixes "../$(IN)/fixes/bash-ks.xml" -o $(OUT)/rhel6-xccdf.xml $(TRANS)/xccdf-addfixes.xslt $(OUT)/rhel6-xccdf.xml +# xsltproc -stringparam fixes "../$(IN)/fixes/bash-ks.xml" -o $(OUT)/rhel6-xccdf.xml $(TRANS)/xccdf-addfixes.xslt $(OUT)/rhel6-xccdf.xml # xsltproc -stringparam fixes "../$(IN)/fixes/puppet-example.xml" -o $(OUT)/rhel6-xccdf.html $(TRANS)/xccdf-addfixes.xslt $(OUT)/rhel6-xccdf.xml xmllint --format --output $(OUT)/rhel6-xccdf.xml $(OUT)/rhel6-xccdf.xml
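Review bot: this hunk comments out the `xccdf-addfixes.xslt` step for `bash-ks.xml`, which stops fix content from being merged into $(OUT)/rhel6-xccdf.xml; that is unrelated to alternate titles and is not mentioned in the commit message ("added new Makerules to insert alternate titles, create STIG tables with them"). If disabling it is intentional, say why in the commit message or move it to its own commit; otherwise restore the line.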
@@ -22,7 +23,6 @@ checks: xmlwf $(IN)/checks/*.xml $(TRANS)/combinechecks.py $(IN)/checks > $(OUT)/rhel6-oval.xml xmllint --format --output $(OUT)/rhel6-oval.xml $(OUT)/rhel6-oval.xml -# SCC might return someday
guide: shorthand-guide shorthand2xccdf @@ -65,10 +65,17 @@ table-stigs: xsltproc --html -o $(OUT)/rhel5-table-stig-manual-ccisorted.html $(TRANS)/table-sortbyref.xslt $(OUT)/rhel5-table-stig-manual.html xsltproc -stringparam notes "../$(IN)/auxiliary/transition_notes.xml" -o $(OUT)/rhel5-table-stig-manual-withnotes.html $(TRANS)/xccdf2table-stig.xslt $(REFS)/disa-stig-rhel5-v1r0.6-xccdf-manual.xml xsltproc -o $(OUT)/rhel6-xccdf-stigformat.xml $(TRANS)/xccdf2stigformat.xslt $(OUT)/rhel6-xccdf.xml +# temporarily retain an output file showing the short titles as well, for convenience + xsltproc -stringparam profile "stig-server" -o $(OUT)/rhel6-table-stig-server-shorttitles.html $(TRANS)/xccdf2table-profileccirefs.xslt $(OUT)/rhel6-xccdf-stigformat.xml + xsltproc -stringparam alttitles "../$(IN)/auxiliary/alt-titles-stig.xml" -o $(OUT)/rhel6-xccdf-stigformat.xml $(TRANS)/xccdf-alt-titles.xslt $(OUT)/rhel6-xccdf-stigformat.xml xsltproc -stringparam profile "stig-server" -o $(OUT)/rhel6-table-stig-server.html $(TRANS)/xccdf2table-profileccirefs.xslt $(OUT)/rhel6-xccdf-stigformat.xml
tables: table-idents table-refs table-profilenistrefs table-srgmap table-stigs
+alt-titles: shorthand2xccdf + $(UTILS)/sync-alt-titles.py -p stig-server -f $(IN)/auxiliary/alt-titles-stig.xml $(OUT)/rhel6-xccdf.xml + XMLLINT_INDENT="" xmllint --format --output $(IN)/auxiliary/alt-titles-stig.xml $(IN)/auxiliary/alt-titles-stig.xml + content: shorthand-guide shorthand2xccdf guide checks # the relabelids.py script chdirs to ./output, so refer to files from there. # its second argument controls the IDs, as well as the output filenames.
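Review bot: in table-stigs the alt-titles transform writes to the same path it reads (`-o $(OUT)/rhel6-xccdf-stigformat.xml ... $(OUT)/rhel6-xccdf-stigformat.xml`), so the file with the concise titles is gone once the step runs and the preceding `-shorttitles.html` line only works because of its position in the recipe; writing the substituted content to a distinct file (for example `rhel6-xccdf-stigformat-alttitles.xml`) keeps both states and removes the ordering dependency. Two smaller points: the profile name "stig-server" is now hard-coded in three places (the two table-stigs lines and the new alt-titles target) and would be better as one variable, and alt-titles produces no file of that name while rewriting a tracked input file in place, so it should be declared phony alongside the other such targets.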
On 9/4/12 9:56 AM, Jeffrey Blank wrote:
- xsltproc -stringparam profile "stig-server" -o $(OUT)/rhel6-table-stig-server-shorttitles.html $(TRANS)/xccdf2table-profileccirefs.xslt $(OUT)/rhel6-xccdf-stigformat.xml
Shall we update the STIG wiki "Draft Settings for RHEL 6 STIG" page to reflect the change from rhel6-table-stig-server [1] to server-shorttitles [2]?
In fact, is rhel6-table-stig-server still needed?
[1] http://people.redhat.com/swells/scap-security-guide/RHEL6/output/rhel6-table... [2] http://people.redhat.com/swells/scap-security-guide/RHEL6/output/rhel6-table...
Let's add it as an additional link. Format however you think makes sense.
When there is a substantial body of alt-titles available, we'll retire the other one. Till then it's helpful to be able to see.
On 09/04/2012 07:32 PM, Shawn Wells wrote:
scap-security-guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
On Sep 4, 2012, at 9:57 AM, Jeffrey Blank blank@eclipse.ncsc.mil wrote:
This commit set provides support for writing alternate titles for the Rules in the XCCDF content in scap-security-guide. Although this defies a strategy of leveraging a common body of high-quality SCAP content and incurs additional costs, it was expressed as a necessity.
If there is concern over a rule title, can't we come to a consensus on it instead of having each rule define several alternate titles? What is driving this requirement?
DISA FSO. And I tried to make it clear that it is very problematic with regard to their stated strategy (as well as our strategy of reducing duplication). But this is within the bounds of the project's flexibility, and is done in a way that later convergence would still be easy.
On 09/04/2012 12:46 PM, Kevin Spargur wrote:
On 09/04/2012 01:01 PM, Jeffrey Blank wrote:
This appears to enable alternate titles for assembled benchmarks in different venues.
It is highly likely that any DISA FSO titling will not be appropriate for all other venues.
Thus, the <title> for a <Rule> (and likely <Group>s and <Profile>s, possibly <Value>s) becomes a 1-n attribute of such, and each instance will need a domain-specific (e.g., DISA FSO) unique identifier that may apply to things other than titles (<Rule> ids, descriptions, warnings, rationales, etc).
ACK.
I would like at some later time to discuss a syntax for benchmark fragments, an XML Schema or other suitable schema for such, inclusive of such issues like variant titles. This would foster more rigor of maintenance of individual fragments.
It is highly likely that any DISA FSO titling will not be appropriate for all other venues.
Right. And while it would be ideal and efficient for everyone to be flexible and reach a consensus on language, if someone has special needs, we can try to accommodate.
I strongly encourage discussion on this matter as we find our way forward.
Thus, the <title> for a <Rule> (and likely <Group>s and <Profile>s, possibly <Value>s) becomes a 1-n attribute of such, and each instance will need a domain-specific (e.g., DISA FSO) unique identifier that may apply to things other than titles (<Rule> ids, descriptions, warnings, rationales, etc).
Well, let's approach this very carefully, for a few different reasons. The Rule id is the one thing that we are planning to use as an (upstream) anchor. Issuers of the content (that leverage it) could use <note>s in their derivations to ensure a stable and maintainable mapping if they need to alter this. Creating alternate, additional descriptions, warnings, and rationales could at some point turn into hosting a complete fork of ourselves, which would significantly increase maintenance and support costs.
I would like at some later time to discuss a syntax for benchmark fragments, an XML Schema or other suitable schema for such, inclusive of such issues like variant titles. This would foster more rigor of maintenance of individual fragments.
This makes sense. Currently, I am abusing the namespace declarations by declaring something in the XCCDF namespace that isn't, just to simplify re-insertion/transformation into final output...
On 09/04/2012 05:34 PM, Jeffrey Blank wrote:
Yes, it (variants) will.
Variant <title>s are the camel's nose under the tent. The remainder of the camel would likely consist of <title>-like elements, such as all other prose elements.
I am unfortunately quite cynical, but it certainly seems after many years of watching this SCAP stuff evolve, that no sooner than some simple vehicle is proposed, there is a marked propensity to start warping it by adding fuzzy dice, oversize tires, underlighting, painting flames on the sides, attaching a raccoon tail to the antenna, and plastering the rear window and bumper with all sorts of decals and stickers including one that reads "If You Can Read This, Please Flip Me Back Over".
The fact that DISA FSO needs variant titles indicates that, despite years of adornments, the SCAP formats are not yet adequate for routine general use. The request is of course also quite self-serving.
Variant <title>s can be accommodated for now, simply. I think they are uniquely identified by the triple (<Rule>, DISA FSO, RHEL6), where the latter is assumed, unfortunately without explication.
As for element ids… things are not simple.
NIST IR 7275 rev 4 http://csrc.nist.gov/publications/nistir/ir7275-rev4/nistir-7275r4_updated-march-2012_clean.pdf §6.2.3 makes the audacious assertion that all ids are "globally unique" (and must additionally labor under a rather idiosyncratic syntax). Previously, ids were unique within a benchmark document, and in fact are merely that as regarded from a pure XML prospect. I suspect the globally unique steamship will eventually founder on the rocks of practicality, but let's assume for now that identifiers can be coined and will have at least the properties of being unique to scap-security-guide as well as having moderate persistence, which suffices for scap-security-guide purposes.
Hopefully, those chosen will fulfill any unstated requirements of DISA FSO, which at least for <title>, indicate a desire to control at least prose attributes of <Rule>s (and here I'm using attribute in the abstract sense, not as an attribute of an XML element).
Having (rather) immutable ids is useful, though <ident> currently provides much latitude to associate <Rule>s with other things. Maintaining what are essentially <Rule>s as individual documents provides handy compartmentalization. These separate documents can be combined with others to form <Benchmark> documents which then are expected to have tidy identifiers for all other major XCCDF elements. This is quite messy (because of IR 7275), and I have not seen any intent thus far to do anything other than provide these in some suitable fashion as <Benchmark>s are assembled. I would not expect to do anything more, nor see anything to be gained by doing more.
It appears to me that the individual documents from which security guides can be assembled are in and of themselves unique identifiers, that one could (but need not since the containing document has a unique "URI") choose an NCName for each that is peculiar to scap-security-guide (i.e., is unique within the scap-security-guide domain) and use it in the «id» attribute of the <Rule> element, use only one id, that any arbitrary compilation/derivation might or might not preserve these chosen ids in any final assemblage, and that sufficient means exist to denote provenance in these assemblages without necessarily forcing scap-security-guide <Rule> ids to be anything in particular or having canonicality {1,1}.
For <Benchmark>, <Profile>, and <Group> element identifiers, the sky is the limit. I presume <Value> identifiers will of necessity track <Rule> identifiers.
In my opinion, <Rule>s and their identifiers should endure minor and major updates to RHEL without requiring change. They should be applicable to RHEL-equivalent distributions, and ideally applicable to other distributions when the <Rule> is catholic enough to be generally applicable (e.g., display an SSH banner).
I won't even mention OVAL identifiers.
On 09/04/2012 01:55 PM, Gary Gapinski wrote:
I would like at some later time to discuss a syntax for benchmark fragments, an XML Schema or other suitable schema for such, inclusive of such issues like variant titles. This would foster more rigor of maintenance of individual fragments.
I started looking at this with an eye to using NVDL and have some initial observations and questions.
I chose RHEL6/input/system/accounts/session.xml as a representative example fragment (there's probably a better term than "fragment" for such things, but I don't have one). It contains XCCDF <Group>s, <Value>s, <Rule>s, proto-OCIL, OVAL references, and other stuff.
I would hope that OVAL checks could eventually reside in the same document in which they are currently cited: namely, within the fragment containing the referencing XCCDF.
It appears that the project is currently targeting SCAP version 1.1 (based on the chosen namespace declaration for XCCDF output), thus the schema versions are XCCDF 1.1.4, OVAL 5.8, OCIL 2.0, CPE 2.2, and CCE 5. Eventual adoption of SCAP version 1.2 would change this to XCCDF 1.2, OVAL 5.10, and CPE 2.3.
Would both SCAP versions be simultaneously supported at some later time? (at the fragment level - obviously, the transformations that assemble the fragments must choose a single SCAP version for their result, and that in turn could be derived from the highest SCAP version level found in the fragments chosen for assembly). Seems like that would be the case. OVAL's lack of namespace precision for different versions makes this a bit more complicated in an NVDL environment, but handling that (multiple OVAL versions with identical namespaces) can be discussed at a later time.
Right off the bat, more explicit namespacing will be required. Things are currently relative and depend on the eventual transformation to assign namespace context. This means that fragments such as XCCDF, OVAL, and OCIL would need an explicit namespace declaration (not on every element, but at least at the top-level enclosing element) using XML prefixes or xmlns attributes, ditto embedded XHTML, and another namespace (one vaguely like http://fedorahosted.org/scap-security-guide/fragment/1.0) will be needed for other stuff like variant titles or anything else that is useful but not strictly XCCDF, OVAL, or OCIL. This other "stuff" is currently precursors such as <ocil>, <oval>, <ref>, etc., essentially anything that is not defined strictly as (in) XCCDF, OVAL, or OCIL. This other stuff will need a schema: i.e., a schema is needed for the structure of a fragment.
If things are explicitly relegated to their respective namespaces, then an NVDL description of a fragment seems achievable. This would allow the subordinate schemata such as XCCDF to be directly applied during schema-driven editing. An additional one or more schemata would be needed to describe the fragment itself.
NVDL is by no means essential, just handy. It is certainly possible to define a novel schema for a fragment that ensures reasonable quality of the portions that ultimately become XCCDF, OVAL, etc., since those schemata do not undergo frequent change, and a schema for a fragment is a necessary item in any case. This is particularly true if the components of a fragment are represented using more tractable syntaxes than OCIL and OVAL, such as is currently the case with the proto-OCIL and -OVAL syntaxes.
In other words, if one chooses to wear the various SCAP hair shirts for authoring, NVDL provides a way to apply the associated schemata while editing. No hair shirts, no need for NVDL.
Things such as alternate titles require more effort. For example, it's quite easy to say that a fragment can contain an XCCDF <Rule>, and have that <Rule> processed according to the XCCDF schema, and easy to say that the fragment can specify variant <title>s separately from the XCCDF <Rule> (one of the variants can be presumed to be selected in a transformation assembly), but it is _not_ so easy to ensure that a variant <title> can be interpreted in the context of the XCCDF in which it would ultimately reside - while editing the fragment using a schema-driven editor.
Less easy than that is ensuring the proper edit-time interpretation of an XCCDF <sub> in an XHTML portion of some XCCDF prose element which is cited as a variant value for the prose element. I would hope that such variations are eschewed, if only because they would occur outside the context in which they would otherwise afford the application of the normative schema for that context via NVDL.
In any case, if more rigor is to be obtained for fragment maintenance, which is somewhat the same as saying schema-driven editing is desirable, a bit of effort at some later convenient time would be required to transform the existing fragments into a better-defined and -normed syntax. If there is some accord on the desirability of this, I'd be happy to create the necessary examples, transform(s), and schemata.
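As an added illustration of two points raised in this thread (Jeffrey's remark that the alternate-titles file currently borrows the XCCDF namespace for elements that are not XCCDF, and Gary's suggestion of a separate fragment namespace for such content), here is example code that is not part of scap-security-guide. It keeps alternate titles in a hypothetical fragment namespace, synchronizes placeholders idempotently (the same namespaced tag is used when a placeholder is created and when it is looked up, so a second run adds nothing), and substitutes non-empty alternate titles into a constructed XCCDF sample, doing in Python with the standard-library ElementTree what the xccdf-alt-titles.xslt transform does in XSLT. The namespace URI, the sample Benchmark, its rule ids and all titles are constructed for this example.

```python
"""Alternate titles for XCCDF Rules, kept in their own namespace.

Example code written for this thread; not part of scap-security-guide.
Uses the standard-library ElementTree rather than lxml so it runs anywhere.
"""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"
# Hypothetical fragment namespace of the kind proposed in the thread (assumption).
FRAG_NS = "http://fedorahosted.org/scap-security-guide/fragment/1.0"
ET.register_namespace("alt", FRAG_NS)

# Constructed sample XCCDF; rule ids and titles are made up for this example.
SAMPLE_XCCDF = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="sample">
  <Profile id="common">
    <select idref="disable_telnet" selected="true"/>
    <select idref="unused_rule" selected="false"/>
  </Profile>
  <Profile id="stig-server" extends="common">
    <select idref="sshd_banner" selected="true"/>
  </Profile>
  <Rule id="sshd_banner"><title>Enable SSH Warning Banner</title></Rule>
  <Rule id="disable_telnet"><title>Disable telnet Service</title></Rule>
  <Rule id="unused_rule"><title>Not selected anywhere</title></Rule>
</Benchmark>"""


def profile_rule_ids(root, profile_name):
    """Rule ids selected by a Profile, following its 'extends' chain."""
    ids, seen = [], set()
    while profile_name and profile_name not in seen:
        seen.add(profile_name)  # guards against an extends cycle
        profile = root.find(".//{%s}Profile[@id='%s']" % (XCCDF_NS, profile_name))
        if profile is None:
            raise ValueError("XCCDF Profile %s was not found" % profile_name)
        for sel in profile.findall("{%s}select" % XCCDF_NS):
            if sel.get("selected") == "true":  # ignore explicit deselections
                ids.append(sel.get("idref"))
        profile_name = profile.get("extends")
    return ids


def sync_placeholders(xccdf_root, titles_root, profile_name):
    """Ensure one alt:title placeholder per Rule in the Profile; return how many were added."""
    wanted = profile_rule_ids(xccdf_root, profile_name)
    added = 0
    for rule in xccdf_root.findall("{%s}Rule" % XCCDF_NS):
        rid = rule.get("id")
        if rid not in wanted:
            continue
        # Lookup and creation use the same namespaced tag, so reruns find existing holders.
        holder = titles_root.find("{%s}title[@rule='%s']" % (FRAG_NS, rid))
        if holder is None:
            holder = ET.SubElement(titles_root, "{%s}title" % FRAG_NS)
            holder.set("rule", rid)
            holder.text = ""  # empty until someone enters the alternate wording
            added += 1
        # The concise upstream title is mirrored as an aid to data entry.
        holder.set("shorttitle", rule.findtext("{%s}title" % XCCDF_NS, default=""))
    return added


def apply_alt_titles(xccdf_root, titles_root):
    """Replace Rule titles that have a non-empty alternate; return the ids replaced."""
    replaced = []
    for alt in titles_root.findall("{%s}title" % FRAG_NS):
        text = (alt.text or "").strip()
        if not text:
            continue  # an empty placeholder keeps the upstream title
        rule = xccdf_root.find(".//{%s}Rule[@id='%s']" % (XCCDF_NS, alt.get("rule")))
        if rule is None:
            continue  # stale reference: the Rule no longer exists upstream
        title = rule.find("{%s}title" % XCCDF_NS)
        if title is None:
            title = ET.SubElement(rule, "{%s}title" % XCCDF_NS)
        title.text = text
        replaced.append(rule.get("id"))
    return replaced


def sample_rule_ids(profile_name):
    """Convenience wrapper over the constructed sample."""
    return profile_rule_ids(ET.fromstring(SAMPLE_XCCDF), profile_name)


def demo():
    """Run sync twice, enter one alternate title, apply it, and report the outcome."""
    xccdf = ET.fromstring(SAMPLE_XCCDF)
    titles = ET.Element("{%s}alt-titles" % FRAG_NS)
    first = sync_placeholders(xccdf, titles, "stig-server")
    second = sync_placeholders(xccdf, titles, "stig-server")  # idempotent: adds nothing
    holder = titles.find("{%s}title[@rule='sshd_banner']" % FRAG_NS)
    holder.text = "The system must display a banner before SSH login."  # constructed wording
    replaced = apply_alt_titles(xccdf, titles)
    path = ".//{%s}Rule[@id='%s']/{%s}title"
    new_title = xccdf.find(path % (XCCDF_NS, "sshd_banner", XCCDF_NS)).text
    kept = xccdf.find(path % (XCCDF_NS, "disable_telnet", XCCDF_NS)).text
    return first, second, replaced, new_title, kept, ET.tostring(titles, encoding="unicode")


if __name__ == "__main__":
    print(demo())
```

Serializing the titles tree shows the separation Gary described: the file's root and title elements carry the `alt:` prefix bound to the fragment namespace, while the `rule` attribute still names the XCCDF Rule id as the join key, so the transform step needs nothing from the XCCDF namespace beyond that id.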