Signed-off-by: Jeffrey Blank <bl...@eclipse.ncsc.mil> --- RHEL6/input/guide.xslt | 6 +++++ RHEL6/transforms/shorthand2xccdf.xslt | 26 ++++++++++----------- RHEL6/transforms/xccdf2table-profileccirefs.xslt | 4 +++ 3 files changed, 22 insertions(+), 14 deletions(-)
diff --git a/RHEL6/input/guide.xslt b/RHEL6/input/guide.xslt
index 5a0de5e..45793f0 100644
--- a/RHEL6/input/guide.xslt
+++ b/RHEL6/input/guide.xslt
@@ -4,6 +4,12 @@
 <xsl:template match="Benchmark">
 <xsl:copy>
 <xsl:copy-of select="@*|node()" />
+ <Value id="conditional_clause" type="string" operator="equals">
+ <title>A conditional clause for check statements.</title>
+ <description>A conditional clause for check statements.</description>
+ <value>This is a placeholder.</value>
+ </Value>
+
 <xsl:apply-templates select="document('intro/intro.xml')" />
 <xsl:apply-templates select="document('system/system.xml')" />
 <xsl:apply-templates select="document('services/services.xml')" />
diff --git a/RHEL6/transforms/shorthand2xccdf.xslt b/RHEL6/transforms/shorthand2xccdf.xslt
index 2ab6442..82b6769 100644
--- a/RHEL6/transforms/shorthand2xccdf.xslt
+++ b/RHEL6/transforms/shorthand2xccdf.xslt
@@ -187,10 +187,8 @@ exclude-result-prefixes="xccdf xhtml">
 <xsl:attribute name="system">ocil-transitional</xsl:attribute>
 <xsl:if test="@clause">
 <check-export>
- <xsl:attribute name="export-name">clause</xsl:attribute>
- <xsl:attribute name="value-id">
- <xsl:value-of select="@clause" />
- </xsl:attribute>
+ <xsl:attribute name="export-name"><xsl:value-of select="@clause" /></xsl:attribute>
+ <xsl:attribute name="value-id">conditional_clause</xsl:attribute>
 </check-export>
 </xsl:if>
 <check-content>
@@ -221,7 +219,7 @@ exclude-result-prefixes="xccdf xhtml">
 <xhtml:pre>$ sysctl <xsl:value-of select="@sysctl"/></xhtml:pre>
 The output of the command should indicate a value of <xhtml:code><xsl:value-of select="@value"/></xhtml:code>.
 If this value is not the default value, investigate how it could have been adjusted at runtime, and verify
- that it is not set improperly in <tt>/etc/sysctl.conf</tt>.
+ that it is not set improperly in <xhtml:code>/etc/sysctl.conf</xhtml:code>.
 </xsl:template>
 <xsl:template match="fileperms-desc-macro">
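Review bot: The id `conditional_clause` on the added Value is a bare literal that shorthand2xccdf.xslt repeats in its `value-id` attribute, and nothing in either file ties the two together, so renaming one side silently leaves the other emitting a dangling idref. A comment above the Value would make the coupling visible, e.g. `<!-- value-id target for the clause check-export emitted by shorthand2xccdf.xslt; keep this id in sync -->`. The `<description>` merely repeats the title; it would be more useful if it said that the real clause text travels in the check-export's export-name and this Value exists only so that value-id resolves, which is also why `<value>` is a placeholder.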
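Review bot: The rewritten check-export inverts the usual XCCDF roles: `export-name`, normally the identifier the checking engine receives, is now filled with the free-form @clause prose, while `value-id` is pinned to the placeholder `conditional_clause`. That is a deliberate trick for the transitional OCIL table and deserves a comment so nobody "fixes" it back, e.g. `<!-- export-name deliberately carries the human-readable clause; value-id points at the placeholder Value defined in guide.xslt -->`. The surrounding guard `<xsl:if test="@clause">` is true for an empty `clause=""` attribute, which would now emit an empty export-name; `<xsl:if test="@clause != ''">` would avoid that, though whether empty clauses occur in the shorthand input is not visible here. The enclosing template starts and ends outside the hunk.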
@@ -295,7 +293,7 @@ exclude-result-prefixes="xccdf xhtml">
 <xsl:template match="service-disable-check-macro">
 It is prudent to check that the <xhtml:code><xsl:value-of select="@service"/></xhtml:code>
 service is disabled in system boot
- configuration via <tt>chkconfig</tt> and not currently running on the system (runtime configuration).
+ configuration via <xhtml:code>chkconfig</xhtml:code> and not currently running on the system (runtime configuration).
 Run the following command to verify <xhtml:code><xsl:value-of select="@service"/></xhtml:code>
 is disabled through current runtime configuration:
@@ -329,26 +327,26 @@ exclude-result-prefixes="xccdf xhtml">
 <xsl:template match="module-disable-macro">
 To configure the system to prevent the <xhtml:code><xsl:value-of select="@module"/></xhtml:code>
-kernel module from being loaded, add the following line to a file in the directory <tt>/etc/modprobe.d</tt>:
-<pre xml:space="preserve">install <xsl:value-of select="@module"/> /bin/true</pre>
+kernel module from being loaded, add the following line to a file in the directory <xhtml:code>/etc/modprobe.d</xhtml:code>:
+<xhtml:pre xml:space="preserve">install <xsl:value-of select="@module"/> /bin/true</xhtml:pre>
 </xsl:template>
 <xsl:template match="module-disable-check-macro">
 If the system is configured to prevent the loading of the <xhtml:code><xsl:value-of select="@module"/></xhtml:code> kernel module,
-it will contain lines inside any file in <tt>/etc/modprobe.d</tt> or the deprecated<tt>/etc/modprobe.conf</tt>.
+it will contain lines inside any file in <xhtml:code>/etc/modprobe.d</xhtml:code> or the deprecated<xhtml:code>/etc/modprobe.conf</xhtml:code>.
 These lines instruct the module loading system to run another program (such as
-<tt>/bin/true</tt>) upon a module <tt>install</tt> event.
-Run the following command to search for such lines in all files in <tt>/etc/modprobe.d</tt>
-and the deprecated <tt>/etc/modprobe.conf</tt>:
-<pre xml:space="preserve">$ grep -r <xsl:value-of select="@module"/> /etc/modprobe.conf /etc/modprobe.d</pre>
+<xhtml:code>/bin/true</xhtml:code>) upon a module <xhtml:code>install</xhtml:code> event.
+Run the following command to search for such lines in all files in <xhtml:code>/etc/modprobe.d</xhtml:code>
+and the deprecated <xhtml:code>/etc/modprobe.conf</xhtml:code>:
+<xhtml:pre xml:space="preserve">$ grep -r <xsl:value-of select="@module"/> /etc/modprobe.conf /etc/modprobe.d</xhtml:pre>
 </xsl:template>
 <xsl:template match="audit-syscall-check-macro">
 To determine if the system is configured to audit calls to the <xhtml:code><xsl:value-of select="@syscall"/></xhtml:code> system call, run the following command:
-<pre xml:space="preserve"># auditctl -l | grep syscall | grep <xsl:value-of select="@syscall"/></pre>
+<xhtml:pre xml:space="preserve"># auditctl -l | grep syscall | grep <xsl:value-of select="@syscall"/></xhtml:pre>
 If the system is configured to audit this activity, it will return a line.
 </xsl:template>
diff --git a/RHEL6/transforms/xccdf2table-profileccirefs.xslt b/RHEL6/transforms/xccdf2table-profileccirefs.xslt
index 1d9758f..e047cfd 100644
--- a/RHEL6/transforms/xccdf2table-profileccirefs.xslt
+++ b/RHEL6/transforms/xccdf2table-profileccirefs.xslt
@@ -149,6 +149,10 @@
 <xsl:template match="cdf:check">
 <xsl:if test="@system=$ociltransitional">
 <xsl:apply-templates select="cdf:check-content" />
+ <!-- print clause with "finding" text -->
+ <xsl:if test="cdf:check-export">
+ <br/>If <xsl:value-of select="cdf:check-export/@export-name" />, this is a finding.
+ </xsl:if>
 </xsl:if>
 <xsl:if test="@system=$ovaluri">
 <xsl:for-each select="cdf:check-export">
-- 1.7.1
_______________________________________________
scap-security-guide mailing list
scap-security-guide@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
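Review bot: The new `+it will contain lines inside any file in ...` line in the module-disable-check-macro template carries over the missing space between `deprecated` and `<xhtml:code>/etc/modprobe.conf</xhtml:code>`, so the rendered sentence reads "the deprecated/etc/modprobe.conf"; while the markup is being touched it should become `or the deprecated <xhtml:code>/etc/modprobe.conf</xhtml:code>.` The same tt-to-xhtml:code conversion in the hunks at -221 and -295 has no such spacing defect. This hunk begins at `@@ -329,26 +327,26 @@` on the previous physical line.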
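Review bot: `<xsl:if test="cdf:check-export">` fires whenever any check-export exists under a transitional OCIL check, and the value-of then prints only the first export-name, so an empty export-name renders as "If , this is a finding."; `<xsl:if test="cdf:check-export/@export-name != ''">` ties the sentence to the text it actually prints. The branch also depends on shorthand2xccdf.xslt placing the clause prose in export-name rather than a variable name, which the existing comment should state, e.g. `<!-- export-name holds the clause text (set by shorthand2xccdf.xslt); print it as the "finding" sentence -->`. value-of escapes the attribute text on output, so the clause cannot inject markup into the table; the namespace the bare `<br/>` ends up in depends on the stylesheet header outside this hunk.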