On 4/7/13 3:44 PM, Francisco Slavin wrote:
As per Simon Lukasik's suggestion, pulling common bash functions into XCCDF <plain-text> 
elements for use by various <fix> elements using <sub> references.

Francisco Slavin (1):
   Infrastructure: Update fix transform handling to put common functions
     into <plain-text> elements for easy code reuse.

  RHEL6/transforms/combinefixes.py     |   25 +++++++++++++++++++++++--
  RHEL6/transforms/xccdf-addfixes.xslt |   30 +++++++++++++++++++++++++++++-
  2 files changed, 52 insertions(+), 3 deletions(-)


I like this. Here's how I tested:

(1) Create a common function, package_install, and update the install_aide.sh file to use it:

$ cat <<EOF >/input/fixes/bash/package_install.common
#!/bin/bash
function package_install {
    yum -y install -bash
}

EOF

$ echo "package_install(aide)" >/input/fixes/bash/install_aide.sh


(2) Run make, ensure the <plain-text> elements show up under the benchmark.
$ make clean; make content
$ grep -4 package_install output/ssg-rhel6-xccdf.xml
.....
<plain-text id="package_install">
#!/bin/bash
function package_install {
    yum -y install -bash
}

</plain-text>
.....


(3) Run a scan, check for proper function substitution
$ oscap xccdf eval --profile stig-rhel6-server --results /tmp/results.xml --cpe output/ssg-rhel6-cpe-dictionary.xml output/ssg-rhel6-xccdf.xml
$ grep -2 "yum -y install aide" /tmp/results.xml
            <ident system="http://cce.mitre.org">CCE-27024-9</ident>
<fix xmlns:xhtml="http://www.w3.org/1999/xhtml" system="urn:xccdf:fix:script:sh">
yum -y install aide

</fix>
--
      <ident system="http://cce.mitre.org">CCE-27024-9</ident>
<fix xmlns:xhtml="http://www.w3.org/1999/xhtml" system="urn:xccdf:fix:script:sh">
yum -y install aide

</fix>

(4) Generate remediation scripts, to check expansion in the 'oscap generate fix' process (yes, redundant with step #3). Moved everything to 'fail' state to get full output.
$ sed -e 's/pass/fail/g' -i /tmp/results.xml
$ oscap xccdf generate fix --result-id xccdf_org.open-scap_testresult_stig-rhel6-server /tmp/results.xml
.....
# XCCDF rule: package_aide_installed
# CCE-27024-9

yum -y install aide

.....

Looks like we have a very manageable approach to remediation code! Ack
_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
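The substitution the reply verifies in steps (2) and (3), as an added example that is not part of the thread or of the scap-security-guide code base: a small Python checker that loads every <plain-text> element from an XCCDF benchmark, expands each <sub idref="..."> inside a shell <fix>, and reports any fix whose reference has no matching <plain-text>. The XCCDF 1.1 namespace, the sample benchmark and its rule ids, and the `$1` form of the helper function are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

# Assumed namespace; the RHEL6 content of that era used XCCDF 1.1.
XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"
NS = {"x": XCCDF_NS}

# Constructed sample benchmark (not from the mailing list thread):
# one shared helper in <plain-text>, one rule that uses it correctly,
# and one rule whose <sub> points at a helper that does not exist.
SAMPLE_XCCDF = f"""<?xml version="1.0"?>
<Benchmark xmlns="{XCCDF_NS}" id="sample-benchmark">
  <plain-text id="package_install">function package_install {{
    yum -y install $1
}}
</plain-text>
  <Rule id="package_aide_installed">
    <fix system="urn:xccdf:fix:script:sh"><sub idref="package_install"/>
package_install aide
</fix>
  </Rule>
  <Rule id="broken_rule">
    <fix system="urn:xccdf:fix:script:sh"><sub idref="missing_helper"/>
missing_helper foo
</fix>
  </Rule>
</Benchmark>
"""


def load_plain_text(root):
    """Map each <plain-text id=...> under the Benchmark to its text body."""
    return {pt.get("id"): (pt.text or "") for pt in root.findall("x:plain-text", NS)}


def expand_fix(fix_el, plain_text):
    """Replace every <sub idref=...> child of a <fix> with the referenced
    <plain-text> body, keeping the surrounding script text in order.
    Raises KeyError when a reference has no matching <plain-text>."""
    parts = [fix_el.text or ""]
    for child in fix_el:
        if child.tag == f"{{{XCCDF_NS}}}sub":
            ref = child.get("idref")
            if ref not in plain_text:
                raise KeyError(f"<sub idref={ref!r}> has no matching <plain-text>")
            parts.append(plain_text[ref])
        # Text that follows the <sub> element (the actual fix body).
        parts.append(child.tail or "")
    return "".join(parts)


def expand_fixes(xml_text):
    """Return (scripts, errors): expanded shell fixes keyed by rule id, and
    an error message for every rule whose fix could not be expanded."""
    root = ET.fromstring(xml_text)
    plain_text = load_plain_text(root)
    scripts, errors = {}, {}
    for rule in root.iter(f"{{{XCCDF_NS}}}Rule"):
        rule_id = rule.get("id")
        for fix in rule.findall("x:fix", NS):
            if fix.get("system") != "urn:xccdf:fix:script:sh":
                continue
            try:
                scripts[rule_id] = expand_fix(fix, plain_text)
            except KeyError as exc:
                errors[rule_id] = str(exc)
    return scripts, errors


if __name__ == "__main__":
    scripts, errors = expand_fixes(SAMPLE_XCCDF)
    for rule_id, script in scripts.items():
        print(f"# XCCDF rule: {rule_id}\n{script}")
    for rule_id, message in errors.items():
        print(f"ERROR in {rule_id}: {message}")
```

Run it against a real benchmark by replacing SAMPLE_XCCDF with the contents of output/ssg-rhel6-xccdf.xml; a non-empty errors dict means a <fix> references a helper that the transform never emitted as <plain-text>, which is exactly the failure the grep in step (2) would otherwise have to catch by eye.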