On 2/1/13 11:32 PM, Shawn Wells wrote:
On 2/1/13 3:44 PM, Brian Millett wrote:
RHEL-6, libxslt-1.1.26

Ok, so now when I try to make with fixes, the following errors happen:

Attribute nodes must be added before any child nodes to an element.
runtime error: file transforms/xccdf-addfixes.xslt line 37 element copy

The patch is

[root@localhost transforms]# diff -wruN xccdf-addfixes.xslt.orig xccdf-addfixes.xslt
--- xccdf-addfixes.xslt.orig    2013-02-01 14:40:40.580808238 -0600
+++ xccdf-addfixes.xslt    2013-02-01 14:35:31.607797643 -0600
@@ -11,7 +11,8 @@
   <xsl:template match="xccdf:Rule">
     <xsl:copy>
<!-- deal with the fact that oscap demands fixes stand only before checks -->
-      <xsl:apply-templates select="@*|node()[not(self::xccdf:check)]"/>
+      <xsl:copy-of select="@*" />
+      <xsl:apply-templates select="node()[not(self::xccdf:check)]"/>

       <xsl:variable name="rule_id" select="@id"/>
       <xsl:for-each select="$fixgroup/xccdf:fix">
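Review bot: `<xsl:copy-of select="@*" />` on the second `+` line takes the Rule's attributes out of template processing, so any template elsewhere in the stylesheet that matches an attribute (one rewriting `@id` or `@selected`, for instance) will no longer fire for xccdf:Rule; if the only goal is to guarantee that the attributes are written before any child content, `<xsl:apply-templates select="@*"/>` on its own line, followed by the existing `node()[not(self::xccdf:check)]` line, gives the same ordering while keeping such templates in play. Since the `<!-- deal with the fact ... -->` comment now covers two statements, indenting it to match them would also help the next reader.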


And it works.

Nice way to end the week!

Hmm, I think we're still missing something here. Here is everything I do when running a build with fixes.... can you outline where we differ?

On my system:
$ cat /etc/redhat-release;rpm -qv openscap openscap-utils libxslt libxslt-python
Red Hat Enterprise Linux Server release 6.3 (Santiago)
openscap-0.9.2-1.el6.x86_64
openscap-utils-0.9.2-1.el6.x86_64
libxslt-1.1.26-2.el6_3.1.x86_64
libxslt-python-1.1.26-2.el6_3.1.x86_64

Blow away my repo and reclone:
$ rm -Rf scap-security-guide/
$ git clone ssh://git.fedorahosted.org/git/scap-security-guide.git

Run make:
$ cd scap-security-guide/RHEL6/; make content
(no errors)

Change the build process to include fixes in the XCCDF content by editing the Makefile:
@@ -23,7 +23,7 @@
xsltproc -o $(OUT)/unlinked-rhel6-ocil.xml $(TRANS)/xccdf-create-ocil.xslt $(OUT)/unlinked-rhel6-xccdf.xml xmllint --format --output $(OUT)/unlinked-rhel6-ocil.xml $(OUT)/unlinked-rhel6-ocil.xml xsltproc -o $(OUT)/unlinked-ocilrefs-rhel6-xccdf.xml $(TRANS)/xccdf-ocilcheck2ref.xslt $(OUT)/unlinked-rhel6-xccdf.xml -# xsltproc -stringparam fixes "../$(IN)/fixes/bash-ks.xml" -o $(OUT)/unlinked-rhel6-xccdf.xml $(TRANS)/xccdf-addfixes.xslt $(OUT)/unlinked-rhel6-xccdf.xml + xsltproc -stringparam fixes "../$(IN)/fixes/bash-ks.xml" -o $(OUT)/unlinked-rhel6-xccdf.xml $(TRANS)/xccdf-addfixes.xslt $(OUT)/unlinked-rhel6-xccdf.xml xmllint --format --output $(OUT)/unlinked-rhel6-xccdf.xml $(OUT)/unlinked-rhel6-xccdf.xml
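Review bot: the uncommented xsltproc line reads and writes the same file (`-o $(OUT)/unlinked-rhel6-xccdf.xml ... $(OUT)/unlinked-rhel6-xccdf.xml`), unlike the preceding xsltproc steps, which each write a fresh output file; that works when the transform succeeds, since xsltproc parses the input before it writes, but a transform that aborts (the earlier message shows exactly that with the "Attribute nodes must be added before any child nodes" error) risks leaving no intact copy of the pre-fix XCCDF to rerun against, and make cannot redo just this step. Writing to a separate intermediate, for example `$(OUT)/unlinked-fixes-rhel6-xccdf.xml`, and pointing the following xmllint and later steps at it keeps the build restartable and makes a before/after diff possible when checking that the fixes landed ahead of the checks.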


Rerun the build:
$ make clean; make content
....
xsltproc -stringparam fixes "../input/fixes/bash-ks.xml" -o output/unlinked-rhel6-xccdf.xml transforms/xccdf-addfixes.xslt output/unlinked-rhel6-xccdf.xml
......
(no errors)

Verify the fix content is within ssg-rhel6-xccdf.xml:
<Rule id="install_aide" severity="medium" selected="false">
.......
<fix system="urn:xccdf:fix:script:bash">yum install aide</fix>


Run a scan:
oscap xccdf eval --profile stig-rhel6-server \
--results /tmp/stig-results.xml \
--report /tmp/stig-results.html \
--oval-results \
--cpe /var/www/html/scap-security-guide/RHEL6/output/ssg-rhel6-cpe-dictionary.xml \
/var/www/html/scap-security-guide/RHEL6/output/ssg-rhel6-xccdf.xml
...........
(no errors)


Double check /tmp/stig-results.xml to ensure it has the remediation script:
    <rule-result idref="install_aide" time="2013-02-01T16:51:03" severity="medium" weight="1.000000">
      <result>pass</result>
      <ident system="http://cce.mitre.org">CCE-27024-9</ident>
      <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" system="urn:xccdf:fix:script:bash">yum install aide</fix>
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
        <check-content-ref name="oval:ssg:def:1331" href="ssg-rhel6-oval.xml"/>
      </check>
    </rule-result>


Seems all is well. Where are you differing in your process?



FWIW, I'm having trouble converting these into an actual fix script. I've posted to the OpenSCAP mailing list and you can follow that thread here:
https://www.redhat.com/archives/open-scap-list/2013-February/msg00000.html
_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
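As an added example that is not part of this thread or of scap-security-guide, here is the job xccdf-addfixes.xslt does written against Python's standard-library ElementTree, together with the check a practitioner would run on the built XCCDF (is every <fix> ahead of its <check> within a Rule, as oscap demands?) and the step the last message is after (turning the <fix> elements of failed rule-results into a bash script). The XCCDF 1.1 namespace, the `rule=""` attribute that ties a fix to its Rule, and the three sample documents are assumptions and constructions for the example, not material taken from the project or from the thread.

```python
"""Insert bash <fix> elements into XCCDF Rules ahead of their <check> children, verify that
ordering, and pull the fixes of failed rules out of a result file. Standard library only."""
import xml.etree.ElementTree as ET

# XCCDF 1.1 namespace; that the content uses this version is an assumption.
XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"
ET.register_namespace("", XCCDF_NS)  # serialise with a default namespace, as oscap does
BASH_FIX = "urn:xccdf:fix:script:bash"


def _q(tag):  # namespace-qualify a tag name for ElementTree lookups
    return "{%s}%s" % (XCCDF_NS, tag)


# Constructed sample input: one Rule that already carries a check, one that does not.
SAMPLE_XCCDF = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="sample">
  <Rule id="install_aide" severity="medium" selected="false">
    <title>Install AIDE</title>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref name="oval:ssg:def:1331" href="ssg-rhel6-oval.xml"/>
    </check>
  </Rule>
  <Rule id="no_check_rule" severity="low">
    <title>A rule without a check yet</title>
  </Rule>
</Benchmark>"""

# Constructed fix group. Linking each fix to its Rule through a rule="" attribute is an
# assumption about the layout of input/fixes/bash-ks.xml; the real file may differ.
SAMPLE_FIXES = """<fix-group xmlns="http://checklists.nist.gov/xccdf/1.1" system="urn:xccdf:fix:script:bash">
  <fix rule="install_aide">yum install aide</fix>
  <fix rule="install_aide">/usr/sbin/aide --init</fix>
  <fix rule="no_check_rule">echo placeholder</fix>
</fix-group>"""

# Constructed oscap-style results: a passing and a failing rule, both carrying a fix.
SAMPLE_RESULTS = """<TestResult xmlns="http://checklists.nist.gov/xccdf/1.1" id="sample-result">
  <rule-result idref="install_aide" severity="medium">
    <result>pass</result>
    <fix system="urn:xccdf:fix:script:bash">yum install aide</fix>
  </rule-result>
  <rule-result idref="no_check_rule" severity="low">
    <result>fail</result>
    <fix system="urn:xccdf:fix:script:bash">echo placeholder</fix>
  </rule-result>
</TestResult>"""


def add_fixes(xccdf_xml, fixes_xml):
    """Return the XCCDF document with each Rule's fixes inserted ahead of its checks.
    Same job as xccdf-addfixes.xslt: Rule attributes are left alone (ElementTree holds
    them in a dict, so they cannot end up after child nodes), non-check children stay
    in place, the fixes follow, and the checks are re-appended last."""
    bench = ET.fromstring(xccdf_xml)
    group = ET.fromstring(fixes_xml)
    system = group.get("system", BASH_FIX)
    by_rule = {}
    for fix in group.findall(_q("fix")):
        by_rule.setdefault(fix.get("rule"), []).append((fix.text or "").strip())
    for rule in list(bench.iter(_q("Rule"))):  # list(): the tree is mutated while walking
        scripts = by_rule.get(rule.get("id"))
        if not scripts:
            continue
        checks = [child for child in rule if child.tag == _q("check")]
        for check in checks:
            rule.remove(check)
        for script in scripts:
            ET.SubElement(rule, _q("fix"), system=system).text = script
        rule.extend(checks)  # oscap wants fixes before checks
    return ET.tostring(bench, encoding="unicode")


def fix_order_violations(xccdf_xml):
    """Return ids of Rules in which a <fix> follows a <check>; an empty list means the
    built XCCDF satisfies the ordering oscap insists on."""
    bad = []
    for rule in ET.fromstring(xccdf_xml).iter(_q("Rule")):
        seen_check = False
        for child in rule:
            if child.tag == _q("check"):
                seen_check = True
            elif child.tag == _q("fix") and seen_check:
                bad.append(rule.get("id"))
                break
    return bad


def fix_script_from_results(results_xml):
    """Assemble the bash fixes of failed rule-results into one script body. Passing
    rules carry a <fix> as well, so the <result> is consulted first."""
    lines = ["#!/bin/bash", "set -e"]
    for rr in ET.fromstring(results_xml).iter(_q("rule-result")):
        if rr.findtext(_q("result")) != "fail":
            continue
        for fix in rr.findall(_q("fix")):
            if fix.get("system") == BASH_FIX:
                lines.append("# %s" % rr.get("idref"))
                lines.append((fix.text or "").strip())
    return "\n".join(lines) + "\n"
```

Run `fix_order_violations()` over the real output/ssg-rhel6-xccdf.xml as a build-time gate before `oscap xccdf eval`; the merged document produced by `add_fixes()` can be piped through `xmllint --format`, as the Makefile already does for its own intermediates, to tidy the whitespace that moving the check elements leaves behind.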
