On Thu, Jan 31, 2013 at 9:49 AM, Mike Palmiotto <[email protected]> wrote:
> On 1/31/2013 9:38 AM, Brian Millett wrote:
>
>> I'm really interested in adding fixes, or having a set of fixes I can
>> apply to the xccdf for rhel6. I've looked at the line in the Makefile:
>>
>>     xsltproc -stringparam fixes "../$(IN)/fixes/bash-ks.xml" -o \
>>         $(OUT)/unlinked-rhel6-xccdf.xml $(TRANS)/xccdf-addfixes.xslt \
>>         $(OUT)/unlinked-rhel6-xccdf.xml
>>
>> and it looks like, following the bash-ks.xml, I can create a file with
>> each fix as long as each fix-id is the same as the rule-id so that the
>> fix can be merged with the appropriate rule into a final xccdf.xml file.
>>
>
> When you say fix-id, do you mean the rule attribute for each fix tag?
>

Ok, silly me, I went back and looked at the bash-ks.xml and I had totally
misread the fix. In the bash-ks.xml a fix is as

    <fix rule="disable_vsftp">service vsftpd stop</fix>

while in an xccdf Rule tag, the fix is as

    <fix id="service_restorecond_enabled" reboot="false" platform="" system="">chkconfig restorecond on</fix>

So, I didn't grok the "id=" vs the "rule=". That makes sense.

So the bash-ks.xml is

<fix-group id="bash" system="urn:xccdf:fix:script:bash" xmlns="http://checklists.nist.gov/xccdf/1.1">
  <fix rule="password_min_len">## According to the OVAL check, there are two places to check for the MINLEN
# 1 in /etc/login.defs
sed --follow-symlinks -i '/^PASS_MIN_LEN/s/[0-9][0-9]*/14/' /etc/login.defs
# and
# 2 in /etc/pam.d/system-auth
# (match the whole existing number, not just its first digit, so minlen=12 becomes minlen=14 rather than minlen=142)
grep -q minlen /etc/pam.d/system-auth
if [ $? = "0" ]; then
  sed --follow-symlinks -i '/pam_cracklib.so/s/minlen=[0-9][0-9]*/minlen=14/' /etc/pam.d/system-auth
else
  sed --follow-symlinks -i '/pam_cracklib.so/s/pam_cracklib.so/pam_cracklib.so minlen=14 /' /etc/pam.d/system-auth
fi</fix>
  <fix rule="password_min_age">sed --follow-symlinks -i '/^PASS_MIN_DAYS/s/[0-9][0-9]*/7/' /etc/login.defs</fix>
  <fix rule="password_max_age">sed --follow-symlinks -i '/^PASS_MAX/s/[0-9][0-9]*/90/' /etc/login.defs</fix>
  <fix rule="password_warn_age">sed --follow-symlinks -i '/^PASS_WARN_AGE/s/[0-9][0-9]*/14/' /etc/login.defs</fix>
  <fix rule="account_disable_post_pw_expiration">sed --follow-symlinks -i '/^INACTIVE/s/[-]*[0-9][0-9]*/35/' /etc/default/useradd</fix>
  <fix rule="account_unique_name" />
  <fix rule="password_retry">sed --follow-symlinks -i '/ pam_cracklib.so/s/retry=[0-9][0-9]*/retry=3/' /etc/pam.d/system-auth</fix>
  <fix rule="password_require_consecrepeat">grep -q maxrepeat /etc/pam.d/system-auth
if [ $? = "0" ]; then
  sed --follow-symlinks -i '/pam_cracklib.so/s/maxrepeat=[0-9][0-9]*/maxrepeat=3/' /etc/pam.d/system-auth
else
  sed --follow-symlinks -i '/pam_cracklib.so/s/pam_cracklib.so/pam_cracklib.so maxrepeat=3 /' /etc/pam.d/system-auth
fi</fix>
  <fix rule="password_require_digits">grep -q dcredit /etc/pam.d/system-auth
# credit values may already be negative, so allow a leading minus in the match
if [ $? = "0" ]; then
  sed --follow-symlinks -i '/pam_cracklib.so/s/dcredit=[-]*[0-9][0-9]*/dcredit=1/' /etc/pam.d/system-auth
else
  sed --follow-symlinks -i '/pam_cracklib.so/s/pam_cracklib.so/pam_cracklib.so dcredit=1 /' /etc/pam.d/system-auth
fi</fix>
  <fix rule="password_require_uppercases">grep -q ucredit /etc/pam.d/system-auth
if [ $? = "0" ]; then
  sed --follow-symlinks -i '/pam_cracklib.so/s/ucredit=[-]*[0-9][0-9]*/ucredit=2/' /etc/pam.d/system-auth
else
  sed --follow-symlinks -i '/pam_cracklib.so/s/pam_cracklib.so/pam_cracklib.so ucredit=2 /' /etc/pam.d/system-auth
fi</fix>
</fix-group>

--
Brian Millett
"Shifts in paradigms often cause nose bleeds." Greg Glenn
_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
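An added example, not code from the scap-security-guide project or from this thread: a small Python stand-in for the merge the xccdf-addfixes.xslt step performs, keyed the way the thread settles on (each fix's rule= attribute against a Rule's id=, with system= taken from the fix-group). The two input documents are constructed samples, and the handling of empty placeholder fixes and of fixes with no matching Rule is my assumption about what a sound merge should do, not the XSLT's documented behaviour.

```python
# Added example, not code from the scap-security-guide project or this thread:
# a stand-in for the xccdf-addfixes.xslt step that merges a bash-ks.xml style
# <fix-group> into an unlinked XCCDF document by matching fix rule= to Rule id=.
import xml.etree.ElementTree as ET

NS = "http://checklists.nist.gov/xccdf/1.1"
ET.register_namespace("", NS)  # serialize with a default namespace like the inputs

# Constructed sample shaped like bash-ks.xml: one real-looking fix, one empty
# placeholder, and one fix whose rule does not exist in the benchmark.
FIXES_XML = f"""<fix-group id="bash" system="urn:xccdf:fix:script:bash" xmlns="{NS}">
  <fix rule="password_min_age">sed --follow-symlinks -i '/^PASS_MIN_DAYS/s/[0-9][0-9]*/7/' /etc/login.defs</fix>
  <fix rule="account_unique_name" />
  <fix rule="no_such_rule">echo orphan</fix>
</fix-group>"""

# Constructed sample of a trimmed unlinked XCCDF benchmark.
XCCDF_XML = f"""<Benchmark id="RHEL-6" xmlns="{NS}">
  <Group id="accounts">
    <Rule id="password_min_age"><title>Set Password Minimum Age</title></Rule>
    <Rule id="account_unique_name"><title>Ensure All Accounts Have Unique Names</title></Rule>
  </Group>
</Benchmark>"""

def merge_fixes(xccdf_xml, fixes_xml):
    """Return (merged XCCDF string, rule ids of fixes that matched no Rule).
    <fix rule="X"> with a body becomes <fix id="X" system="..."> under <Rule id="X">,
    system= inherited from the <fix-group>; empty placeholder fixes are skipped."""
    bench = ET.fromstring(xccdf_xml)
    group = ET.fromstring(fixes_xml)
    system = group.get("system", "")
    rules = {r.get("id"): r for r in bench.iter(f"{{{NS}}}Rule")}
    orphans = []
    for fix in group.findall(f"{{{NS}}}fix"):
        rule_id, script = fix.get("rule"), (fix.text or "").strip()
        if not script:
            continue  # e.g. <fix rule="account_unique_name" />
        if rule_id not in rules:
            orphans.append(rule_id)  # report instead of silently dropping the fix
            continue
        merged = ET.SubElement(rules[rule_id], f"{{{NS}}}fix", id=rule_id, system=system)
        merged.text = script
    return ET.tostring(bench, encoding="unicode"), orphans

def fix_scripts(xccdf_xml):
    """Map Rule id -> (system, script) for every fix in the document; use it to check the merge."""
    bench = ET.fromstring(xccdf_xml)
    return {r.get("id"): (f.get("system"), f.text)
            for r in bench.iter(f"{{{NS}}}Rule") for f in r.findall(f"{{{NS}}}fix")}
```

Running fix_scripts over the real unlinked-rhel6-xccdf.xml after the Makefile step is a quick way to confirm that every fix in bash-ks.xml actually landed on a Rule.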
