I found that the processing of fixes that had things like "2>&1" or "<<END" just didn't work, so I added the translation of those in the combinefixes.py. Also added the Python version of combinefixes.
Brian Millett (4): Changed the line to allow the combinechecks.py transform. Renamed the fix to match the rule name, otherwise it never was included. Deleted the old combinefixes.sh. Added a new combinefixes.py written in Python that adds fixing of special characters "<", ">", "&".
RHEL6/Makefile | 2 +-
RHEL6/input/fixes/bash/disable_vsftpd.sh | 3 +++
RHEL6/transforms/combinefixes.py | 37 ++++++++++++++++++++++++++++++++
RHEL6/transforms/combinefixes.sh | 17 ---------------
4 files changed, 41 insertions(+), 18 deletions(-)
create mode 100644 RHEL6/input/fixes/bash/disable_vsftpd.sh
create mode 100755 RHEL6/transforms/combinefixes.py
delete mode 100755 RHEL6/transforms/combinefixes.sh
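As an added example (not the project's combinefixes.py), the escaping the cover letter describes, applied to constructed fixes containing "2>&1" and a "<<END" heredoc, with a round trip through an XML parser to show that the escaped form parses back to the original script while the verbatim form of the old shell combiner does not:

```python
# Added example, not the project's combinefixes.py: build an XCCDF <fix-group>
# from shell remediation scripts and show why '&', '<' and '>' must be escaped.
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"

# Constructed sample fixes keyed by rule name. The "2>&1" redirection and the
# "<<END" heredoc are the constructs the cover letter says broke the old combiner.
SAMPLE_FIXES = {
    "disable_vsftpd": "if service vsftpd status >/dev/null 2>&1; then\n"
                      "  service vsftpd stop\nfi\n",
    "set_banner": "cat <<END > /etc/issue\nAuthorized use only\nEND\n",
}

def combine_fixes(fixes, escape_body=True):
    """Return the fix-group document as a string.

    escape_body=False reproduces the defect of the removed combinefixes.sh,
    which copied the script text into the XML verbatim.
    """
    parts = ['<fix-group id="bash" system="urn:xccdf:fix:script:sh" '
             'xmlns="%s">\n' % XCCDF_NS]
    for rule in sorted(fixes):  # sorted: deterministic output across runs
        body = escape(fixes[rule]) if escape_body else fixes[rule]
        parts.append('<fix rule="%s">\n%s\n</fix>\n' % (escape(rule), body))
    parts.append("</fix-group>\n")
    return "".join(parts)

def parse_fixes(xml_text):
    """Parse a fix-group document back into {rule: script}; raises on bad XML."""
    root = ET.fromstring(xml_text)
    # Each <fix> body is wrapped in one newline on either side by combine_fixes.
    return {fix.get("rule"): fix.text[1:-1]
            for fix in root.findall("{%s}fix" % XCCDF_NS)}

def round_trips(fixes):
    """True when every script survives combine -> parse unchanged."""
    return parse_fixes(combine_fixes(fixes)) == fixes

def unescaped_is_malformed(fixes):
    """True when writing the scripts unescaped yields XML that will not parse."""
    try:
        ET.fromstring(combine_fixes(fixes, escape_body=False))
    except ET.ParseError:
        return True
    return False
```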
$(TRANS)/combinechecks.py $(IN)/checks > $(OUT)/unlinked-rhel6-oval.xml
Signed-off-by: Brian Millett bmillett@gmail.com
---
RHEL6/Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/RHEL6/Makefile b/RHEL6/Makefile index 31d56b0..b7dc36c 100644 --- a/RHEL6/Makefile +++ b/RHEL6/Makefile @@ -23,7 +23,7 @@ shorthand2xccdf: shorthand-guide xsltproc -o $(OUT)/unlinked-rhel6-ocil.xml $(TRANS)/xccdf-create-ocil.xslt $(OUT)/unlinked-rhel6-xccdf.xml xmllint --format --output $(OUT)/unlinked-rhel6-ocil.xml $(OUT)/unlinked-rhel6-ocil.xml xsltproc -o $(OUT)/unlinked-ocilrefs-rhel6-xccdf.xml $(TRANS)/xccdf-ocilcheck2ref.xslt $(OUT)/unlinked-rhel6-xccdf.xml - ./$(TRANS)/combinefixes.sh $(IN)/fixes/bash/ $(OUT)/bash-remediations.xml + ./$(TRANS)/combinefixes.py $(IN)/fixes/bash/ $(OUT)/bash-remediations.xml xsltproc -stringparam fixes "../$(OUT)/bash-remediations.xml" -o $(OUT)/unlinked-rhel6-xccdf.xml $(TRANS)/xccdf-addfixes.xslt $(OUT)/unlinked-rhel6-xccdf.xml xmllint --format --output $(OUT)/unlinked-rhel6-xccdf.xml $(OUT)/unlinked-rhel6-xccdf.xml
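Review bot: the commit subject (`$(TRANS)/combinechecks.py $(IN)/checks > $(OUT)/unlinked-rhel6-oval.xml`) names a different Makefile line than the one this hunk changes, which swaps combinefixes.sh for combinefixes.py on the bash-remediations step; reword it to say what the change does. Because the target is invoked as `./$(TRANS)/combinefixes.py`, the new script must carry its executable bit and shebang; the series diffstat shows it created with mode 100755, so that holds.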
On 3/29/13 9:54 AM, Brian Millett wrote:
$(TRANS)/combinechecks.py $(IN)/checks > $(OUT)/unlinked-rhel6-oval.xml
Signed-off-by: Brian Millett bmillett@gmail.com
RHEL6/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/RHEL6/Makefile b/RHEL6/Makefile index 31d56b0..b7dc36c 100644 --- a/RHEL6/Makefile +++ b/RHEL6/Makefile @@ -23,7 +23,7 @@ shorthand2xccdf: shorthand-guide xsltproc -o $(OUT)/unlinked-rhel6-ocil.xml $(TRANS)/xccdf-create-ocil.xslt $(OUT)/unlinked-rhel6-xccdf.xml xmllint --format --output $(OUT)/unlinked-rhel6-ocil.xml $(OUT)/unlinked-rhel6-ocil.xml xsltproc -o $(OUT)/unlinked-ocilrefs-rhel6-xccdf.xml $(TRANS)/xccdf-ocilcheck2ref.xslt $(OUT)/unlinked-rhel6-xccdf.xml
- ./$(TRANS)/combinefixes.sh $(IN)/fixes/bash/ $(OUT)/bash-remediations.xml
- ./$(TRANS)/combinefixes.py $(IN)/fixes/bash/ $(OUT)/bash-remediations.xml xsltproc -stringparam fixes "../$(OUT)/bash-remediations.xml" -o $(OUT)/unlinked-rhel6-xccdf.xml $(TRANS)/xccdf-addfixes.xslt $(OUT)/unlinked-rhel6-xccdf.xml xmllint --format --output $(OUT)/unlinked-rhel6-xccdf.xml $(OUT)/unlinked-rhel6-xccdf.xml
Ack
Signed-off-by: Brian Millett bmillett@gmail.com
---
RHEL6/input/fixes/bash/disable_vsftpd.sh | 3 +++
1 file changed, 3 insertions(+)
create mode 100644 RHEL6/input/fixes/bash/disable_vsftpd.sh
diff --git a/RHEL6/input/fixes/bash/disable_vsftpd.sh b/RHEL6/input/fixes/bash/disable_vsftpd.sh new file mode 100644 index 0000000..a9d4d72 --- /dev/null +++ b/RHEL6/input/fixes/bash/disable_vsftpd.sh @@ -0,0 +1,3 @@ +if service vsftpd status >/dev/null; then + service vsftpd stop +fi
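Review bot: the rule is named disable_vsftpd, but the script only stops a running instance; nothing turns the service off at boot, so it returns after a reboot. Add `chkconfig vsftpd off` next to the stop. The `service vsftpd status` guard duplicates the OVAL check that decides whether the fix runs at all, so the unconditional form would do.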
On 3/29/13 9:54 AM, Brian Millett wrote:
Signed-off-by: Brian Millett bmillett@gmail.com
RHEL6/input/fixes/bash/disable_vsftpd.sh | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 RHEL6/input/fixes/bash/disable_vsftpd.sh
diff --git a/RHEL6/input/fixes/bash/disable_vsftpd.sh b/RHEL6/input/fixes/bash/disable_vsftpd.sh new file mode 100644 index 0000000..a9d4d72 --- /dev/null +++ b/RHEL6/input/fixes/bash/disable_vsftpd.sh @@ -0,0 +1,3 @@ +if service vsftpd status >/dev/null; then
- service vsftpd stop
+fi
As OVAL performs a conditional check already, there's no need for the bash scripts to repeat one. In the long run we'll want to remove the conditional checks... but for now, Ack
On Fri, 29 Mar 2013 12:48:04 -0400 Shawn Wells shawn@redhat.com wrote:
On 3/29/13 9:54 AM, Brian Millett wrote:
Signed-off-by: Brian Millett bmillett@gmail.com
RHEL6/input/fixes/bash/disable_vsftpd.sh | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 RHEL6/input/fixes/bash/disable_vsftpd.sh
diff --git a/RHEL6/input/fixes/bash/disable_vsftpd.sh b/RHEL6/input/fixes/bash/disable_vsftpd.sh new file mode 100644 index 0000000..a9d4d72 --- /dev/null +++ b/RHEL6/input/fixes/bash/disable_vsftpd.sh @@ -0,0 +1,3 @@ +if service vsftpd status >/dev/null; then
- service vsftpd stop
+fi
As OVAL performs a conditional check already, there's no need for the bash scripts to repeat one. In the long run we'll want to remove the conditional checks... but for now, Ack
Ok, I was wondering about that. I guess I'm paranoid.
I pushed the changes, hope I didn't screw up.
On 3/29/13 2:27 PM, Brian Millett wrote:
On Fri, 29 Mar 2013 12:48:04 -0400 Shawn Wells shawn@redhat.com wrote:
On 3/29/13 9:54 AM, Brian Millett wrote:
Signed-off-by: Brian Millett bmillett@gmail.com
RHEL6/input/fixes/bash/disable_vsftpd.sh | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 RHEL6/input/fixes/bash/disable_vsftpd.sh
diff --git a/RHEL6/input/fixes/bash/disable_vsftpd.sh b/RHEL6/input/fixes/bash/disable_vsftpd.sh new file mode 100644 index 0000000..a9d4d72 --- /dev/null +++ b/RHEL6/input/fixes/bash/disable_vsftpd.sh @@ -0,0 +1,3 @@ +if service vsftpd status >/dev/null; then
- service vsftpd stop
+fi
As OVAL performs a conditional check already, there's no need for the bash scripts to repeat one. In the long run we'll want to remove the conditional checks... but for now, Ack
Ok, I was wondering about that. I guess I'm paranoid.
I pushed the changes, hope I didn't screw up.
Changes show up in my repo after a git pull, and fixes show up in the XCCDF. All looks well. Thanks for the patches!
Signed-off-by: Brian Millett bmillett@gmail.com
---
RHEL6/transforms/combinefixes.sh | 17 -----------------
1 file changed, 17 deletions(-)
delete mode 100755 RHEL6/transforms/combinefixes.sh
diff --git a/RHEL6/transforms/combinefixes.sh b/RHEL6/transforms/combinefixes.sh deleted file mode 100755 index e351b1e..0000000 --- a/RHEL6/transforms/combinefixes.sh +++ /dev/null @@ -1,17 +0,0 @@ -#!/bin/bash - -## First argument: directory with .sh scripts -## Second argument: where to put combined xml file - -shopt -s nullglob -echo "<fix-group id="bash" system="urn:xccdf:fix:script:sh" xmlns="http://checklists.nist.gov/xccdf/1.1%5C%22%3E" > $2 - -for fixScript in $1/*.sh; do - fixName=`echo $fixScript | awk -F/ ' { print $NF } ' | awk -F. ' { print $1 }'` - fixContent=`cat $fixScript` - echo "<fix rule="$fixName">" >>$2 - cat $fixScript | while read fixLine; do echo $fixLine >>$2; done - echo "</fix>" >>$2 -done - -echo "</fix-group>" >>$2
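Review bot: this deletion is the third commit of the series while the Python replacement arrives in the fourth, so after commit 3 the Makefile line changed in commit 1 points at a combinefixes.py that does not exist yet; reorder so the .py is added before the Makefile switches to it and the .sh is removed, or squash the three into one commit. For the record, the `cat $fixScript | while read fixLine; do echo $fixLine >>$2; done` loop in the removed script wrote the script text into the XML unescaped and word-split, which is why fixes containing "2>&1" or "<<END" broke, as the cover letter notes.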
On 3/29/13 9:54 AM, Brian Millett wrote:
Signed-off-by: Brian Millett bmillett@gmail.com
RHEL6/transforms/combinefixes.sh | 17 ----------------- 1 file changed, 17 deletions(-) delete mode 100755 RHEL6/transforms/combinefixes.sh
diff --git a/RHEL6/transforms/combinefixes.sh b/RHEL6/transforms/combinefixes.sh deleted file mode 100755 index e351b1e..0000000 --- a/RHEL6/transforms/combinefixes.sh +++ /dev/null @@ -1,17 +0,0 @@ -#!/bin/bash
-## First argument: directory with .sh scripts -## Second argument: where to put combined xml file
-shopt -s nullglob -echo "<fix-group id="bash" system="urn:xccdf:fix:script:sh" xmlns="http://checklists.nist.gov/xccdf/1.1%5C%22%3E" > $2
-for fixScript in $1/*.sh; do
- fixName=`echo $fixScript | awk -F/ ' { print $NF } ' | awk -F. ' { print $1 }'`
- fixContent=`cat $fixScript`
- echo "<fix rule="$fixName">" >>$2
- cat $fixScript | while read fixLine; do echo $fixLine >>$2; done
- echo "</fix>" >>$2
-done
-echo "</fix-group>" >>$2
Ack
Signed-off-by: Brian Millett bmillett@gmail.com
---
RHEL6/transforms/combinefixes.py | 37 +++++++++++++++++++++++++++++++++++++
1 file changed, 37 insertions(+)
create mode 100755 RHEL6/transforms/combinefixes.py
diff --git a/RHEL6/transforms/combinefixes.py b/RHEL6/transforms/combinefixes.py new file mode 100755 index 0000000..4c4bb55 --- /dev/null +++ b/RHEL6/transforms/combinefixes.py @@ -0,0 +1,37 @@ +#!/usr/bin/python + +import sys, os + +header = '''<fix-group id="bash" system="urn:xccdf:fix:script:sh" xmlns="http://checklists.nist.gov/xccdf/1.1">\n''' +footer = '</fix-group>\n' + +def encode(text): + text = text.replace('&','&') + text = text.replace('>','>') + text = text.replace('<','<') + return text + +def main(): + if len(sys.argv) < 2: + print "Provide a directory name, which contains the fixes." + sys.exit(1) + + fixDir = sys.argv[1] + output = sys.argv[2] + out = open(output,'w') + out.write(header) + for filename in os.listdir(fixDir): + if filename.endswith(".sh"): + body = "" + with open( fixDir + "/" + filename, 'r') as f: + body = body + encode(f.read()) + fixName = os.path.splitext(filename)[0] + out.write("<fix rule=""+fixName+"">\n") + out.write(body+"\n") + out.write("</fix>\n") + + out.write(footer) + sys.exit(0) + +if __name__ == "__main__": + main()
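Review bot: the argument check `if len(sys.argv) < 2:` does not cover `output = sys.argv[2]` a few lines later, so running the script with only a directory dies with an IndexError instead of the usage message; check `len(sys.argv) < 3` and mention the output path in the message. As rendered here, the three `replace()` calls in `encode()` map each character to itself; they need to emit the entities `&amp;`, `&lt;` and `&gt;` (with `&` first, as it already is, so the ampersands introduced by the other two are not re-escaped), and `xml.sax.saxutils.escape` from the standard library does exactly this. `os.listdir()` returns entries in arbitrary order, so iterate over `sorted(os.listdir(fixDir))` to make bash-remediations.xml reproducible, use `os.path.join(fixDir, filename)` rather than string concatenation, and close `out` (or open it with `with`) before `sys.exit(0)`.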
On 3/29/13 9:54 AM, Brian Millett wrote:
Signed-off-by: Brian Millett bmillett@gmail.com
RHEL6/transforms/combinefixes.py | 37 +++++++++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100755 RHEL6/transforms/combinefixes.py
diff --git a/RHEL6/transforms/combinefixes.py b/RHEL6/transforms/combinefixes.py new file mode 100755 index 0000000..4c4bb55 --- /dev/null +++ b/RHEL6/transforms/combinefixes.py @@ -0,0 +1,37 @@ +#!/usr/bin/python
+import sys, os
+header = '''<fix-group id="bash" system="urn:xccdf:fix:script:sh" xmlns="http://checklists.nist.gov/xccdf/1.1">\n''' +footer = '</fix-group>\n'
+def encode(text):
- text = text.replace('&','&')
- text = text.replace('>','>')
- text = text.replace('<','<')
- return text
+def main():
- if len(sys.argv) < 2:
print "Provide a directory name, which contains the fixes."sys.exit(1)- fixDir = sys.argv[1]
- output = sys.argv[2]
- out = open(output,'w')
- out.write(header)
- for filename in os.listdir(fixDir):
if filename.endswith(".sh"):body = ""with open( fixDir + "/" + filename, 'r') as f:body = body + encode(f.read())fixName = os.path.splitext(filename)[0]out.write("<fix rule=\""+fixName+"\">\n")out.write(body+"\n")out.write("</fix>\n")- out.write(footer)
- sys.exit(0)
+if __name__ == "__main__":
- main()
Ack
scap-security-guide@lists.fedorahosted.org