From 0c41ca1ca9736f24517737578ac3debb981e4e5b Mon Sep 17 00:00:00 2001 From: Jan Lieskovsky <[email protected]> Date: Thu, 12 Sep 2013 17:19:45 +0200 Subject: [PATCH 3/8] Add Fedora-19 basic guide XML (and corresponding XSLT) files.
Signed-off-by: Jan Lieskovsky <[email protected]>
---
FEDORA/input/guide.xml | 40 +++++++++++++
FEDORA/input/guide.xslt | 148 ++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 188 insertions(+)
create mode 100644 FEDORA/input/guide.xml
create mode 100644 FEDORA/input/guide.xslt
diff --git a/FEDORA/input/guide.xml b/FEDORA/input/guide.xml
new file mode 100644
index 0000000..0b92540
--- /dev/null
+++ b/FEDORA/input/guide.xml
@@ -0,0 +1,40 @@
+<?xml version="1.0"?>
+<Benchmark xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:dc="http://purl.org/dc/elements/1.1/" id="FEDORA-19" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.1 xccdf-1.1.4.xsd" resolved="false" xml:lang="en-US" >
+
+<status date="2011-12-20">draft</status>
+<title>Guide to the Secure Configuration of Fedora release 19 (Schrödinger's Cat)</title>
+<description>This guide presents a catalog of security-relevant
+configuration settings for Fedora release 19 (Schrödinger's Cat) formatted in the
+eXtensible Configuration Checklist Description Format (XCCDF).
+<br/>
+<br/>
+Providing system administrators with such guidance informs them how to securely
+configure systems under their control in a variety of network roles. Policy
+makers and baseline creators can use this catalog of settings, with its
+associated references to higher-level security control catalogs, in order to
+assist them in security baseline creation. This guide is a <i>catalog, not a
+checklist,</i> and satisfaction of every item is not likely to be possible or
+sensible in many operational scenarios. However, the XCCDF format enables
+granular selection and adjustment of settings, and their association with OVAL
+and OCIL content provides an automated checking capability. Transformations of
+this document, and its associated automated checking content, are capable of
+providing baselines that meet a diverse set of policy objectives. Some example
+XCCDF <i>Profiles</i>, which are selections of items that form checklists and
+can be used as baselines, are available with this guide. They can be
+processed, in an automated fashion, with tools that support the Security
+Content Automation Protocol (SCAP).
+</description>
+<notice id="terms_of_use">Do not attempt to implement any of the settings in
+this guide without first testing them in a non-operational environment. The
+creators of this guidance assume no responsibility whatsoever for its use by
+other parties, and makes no guarantees, expressed or implied, about its
+quality, reliability, or any other characteristic.</notice>
+
+<front-matter>The SCAP Security Guide Project<br/>https://fedorahosted.org/scap-security-guide</front-matter>
+<rear-matter>Red Hat and Fedora are either registered
+trademarks or trademarks of Red Hat, Inc. in the United States and other
+countries. All other names are registered trademarks or trademarks of their
+respective companies.</rear-matter>
+<platform idref="cpe:/o:fedoraproject:fedora:19" />
+<version>0.0.1</version>
+</Benchmark>
diff --git a/FEDORA/input/guide.xslt b/FEDORA/input/guide.xslt
new file mode 100644
index 0000000..3ac59e9
--- /dev/null
+++ b/FEDORA/input/guide.xslt
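Review bot: The `<status date="2011-12-20">draft</status>` line carries a date almost two years older than this commit (September 2013), which suggests it was carried over from an earlier guide; anyone reading the benchmark's status gets a misleading revision date, so it should reflect when this Fedora 19 content was actually drafted. The declaration `<?xml version="1.0"?>` also omits the encoding even though the title and description contain the non-ASCII `ö` in "Schrödinger's Cat"; `<?xml version="1.0" encoding="UTF-8"?>` states the intended encoding explicitly for tools that re-serialise the file. Finally, `xsi:schemaLocation` names the XCCDF 1.1 namespace while `Benchmark` declares no default namespace, which is presumably deliberate for the "shorthand" input format but deserves a one-line comment saying so.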
@@ -0,0 +1,148 @@
+<?xml version="1.0"?>
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:xccdf="http://checklists.nist.gov/xccdf/1.1" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:dc="http://purl.org/dc/elements/1.1/">
+
+<!-- This transform assembles all fragments into one "shorthand" XCCDF document -->
+
+ <xsl:template match="Benchmark">
+ <xsl:copy>
+ <xsl:copy-of select="@*|node()" />
+
+ <!-- adding profiles here -->
+ <!-- Relevant (currently commented-out) document files below to be included
+ later once there is a requirement them to be included (in order to the final
+ XCCDF / OVAL files generation to work properly). For now only those, included
+ below are sufficient. -->
+ <xsl:apply-templates select="document('profiles/test.xml')" />
+ <!--
+ <xsl:apply-templates select="document('profiles/CS2.xml')" />
+ <xsl:apply-templates select="document('profiles/common.xml')" />
+ <xsl:apply-templates select="document('profiles/desktop.xml')" />
+ <xsl:apply-templates select="document('profiles/server.xml')" />
+ <xsl:apply-templates select="document('profiles/ftp.xml')" />
+ <xsl:apply-templates select="document('profiles/stig-rhel6-server.xml')" />
+ -->
+
+
+ <Value id="conditional_clause" type="string" operator="equals">
+ <title>A conditional clause for check statements.</title>
+ <description>A conditional clause for check statements.</description>
+ <value>This is a placeholder.</value>
+ </Value>
+ <xsl:apply-templates select="document('intro/intro.xml')" />
+ <xsl:apply-templates select="document('system/system.xml')" />
+ <!--
+ <xsl:apply-templates select="document('services/services.xml')" />
+ -->
+ <!-- the auxiliary Groups here will be removed prior to some outputs -->
+ <!--
+ <xsl:apply-templates select="document('auxiliary/srg_support.xml')" />
+ -->
+ </xsl:copy>
+ </xsl:template>
+
+ <xsl:template match="Group[@id='system']">
+ <xsl:copy>
+ <xsl:copy-of select="@*|node()" />
+ <xsl:apply-templates select="document('system/software/software.xml')" />
+ <!--
+ <xsl:apply-templates select="document('system/permissions/permissions.xml')" />
+ <xsl:apply-templates select="document('system/selinux.xml')" />
+ <xsl:apply-templates select="document('system/accounts/accounts.xml')" />
+ <xsl:apply-templates select="document('system/network/network.xml')" />
+ <xsl:apply-templates select="document('system/logging.xml')" />
+ <xsl:apply-templates select="document('system/auditing.xml')" />
+ -->
+ </xsl:copy>
+ </xsl:template>
+
+ <xsl:template match="Group[@id='software']">
+ <xsl:copy>
+ <xsl:copy-of select="@*|node()" />
+ <!--
+ <xsl:apply-templates select="document('system/software/disk_partitioning.xml')" />
+ -->
+ <xsl:apply-templates select="document('system/software/updating.xml')" />
+ <!--
+ <xsl:apply-templates select="document('system/software/integrity.xml')" />
+ -->
+ </xsl:copy>
+ </xsl:template>
+
+<!--
+ <xsl:template match="Group[@id='accounts']">
+ <xsl:copy>
+ <xsl:copy-of select="@*|node()" />
+ <xsl:apply-templates select="document('system/accounts/restrictions/restrictions.xml')" />
+ <xsl:apply-templates select="document('system/accounts/pam.xml')" />
+ <xsl:apply-templates select="document('system/accounts/session.xml')" />
+ <xsl:apply-templates select="document('system/accounts/physical.xml')" />
+ <xsl:apply-templates select="document('system/accounts/banners.xml')" />
+ </xsl:copy>
+ </xsl:template>
+
+ <xsl:template match="Group[@id='accounts-restrictions']">
+ <xsl:copy>
+ <xsl:copy-of select="@*|node()" />
+ <xsl:apply-templates select="document('system/accounts/restrictions/root_logins.xml')" />
+ <xsl:apply-templates select="document('system/accounts/restrictions/password_storage.xml')" />
+ <xsl:apply-templates select="document('system/accounts/restrictions/password_expiration.xml')" />
+ <xsl:apply-templates select="document('system/accounts/restrictions/account_expiration.xml')" />
+ </xsl:copy>
+ </xsl:template>
+
+ <xsl:template match="Group[@id='permissions']">
+ <xsl:copy>
+ <xsl:copy-of select="@*|node()" />
+ <xsl:apply-templates select="document('system/permissions/partitions.xml')" />
+ <xsl:apply-templates select="document('system/permissions/mounting.xml')" />
+ <xsl:apply-templates select="document('system/permissions/files.xml')" />
+ <xsl:apply-templates select="document('system/permissions/execution.xml')" />
+ </xsl:copy>
+ </xsl:template>
+
+ <xsl:template match="Group[@id='network']">
+ <xsl:copy>
+ <xsl:copy-of select="@*|node()" />
+ <xsl:apply-templates select="document('system/network/kernel.xml')" />
+ <xsl:apply-templates select="document('system/network/wireless.xml')" />
+ <xsl:apply-templates select="document('system/network/ipv6.xml')" />
+ <xsl:apply-templates select="document('system/network/iptables.xml')" />
+ <xsl:apply-templates select="document('system/network/ssl.xml')" />
+ <xsl:apply-templates select="document('system/network/uncommon.xml')" />
+ <xsl:apply-templates select="document('system/network/ipsec.xml')" />
+ </xsl:copy>
+ </xsl:template>
+
+ <xsl:template match="Group[@id='services']">
+ <xsl:copy>
+ <xsl:copy-of select="@*|node()" />
+ <xsl:apply-templates select="document('services/obsolete.xml')" />
+ <xsl:apply-templates select="document('services/base.xml')" />
+ <xsl:apply-templates select="document('services/cron.xml')" />
+ <xsl:apply-templates select="document('services/ssh.xml')" />
+ <xsl:apply-templates select="document('services/xorg.xml')" />
+ <xsl:apply-templates select="document('services/avahi.xml')" />
+ <xsl:apply-templates select="document('services/printing.xml')" />
+ <xsl:apply-templates select="document('services/dhcp.xml')" />
+ <xsl:apply-templates select="document('services/ntp.xml')" />
+ <xsl:apply-templates select="document('services/mail.xml')" />
+ <xsl:apply-templates select="document('services/ldap.xml')" />
+ <xsl:apply-templates select="document('services/nfs.xml')" />
+ <xsl:apply-templates select="document('services/dns.xml')" />
+ <xsl:apply-templates select="document('services/ftp.xml')" />
+ <xsl:apply-templates select="document('services/http.xml')" />
+ <xsl:apply-templates select="document('services/imap.xml')" />
+ <xsl:apply-templates select="document('services/smb.xml')" />
+ <xsl:apply-templates select="document('services/squid.xml')" />
+ <xsl:apply-templates select="document('services/snmp.xml')" />
+ </xsl:copy>
+ </xsl:template>
+-->
+
+ <!-- copy everything else through to final output -->
+ <xsl:template match="@*|node()">
+ <xsl:copy>
+ <xsl:apply-templates select="@*|node()" />
+ </xsl:copy>
+ </xsl:template>
+</xsl:stylesheet>
-- 1.7.11.7
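Review bot: Every `document('…')` include in the `Benchmark`, `Group[@id='system']` and `Group[@id='software']` templates can fail silently. XSLT 1.0 lets a processor recover from an unloadable resource by returning an empty node-set, and a fragment whose root `Group` id does not match the template predicate is simply copied by the identity template, so its sub-fragments are never included. For a security guide, a typo in a path or id therefore produces a benchmark that is quietly missing whole groups of rules; none of the live fragments (`profiles/test.xml`, `intro/intro.xml`, `system/system.xml`, `system/software/software.xml`, `system/software/updating.xml`) are added by this patch, so they presumably arrive elsewhere in the series. I would add a comment above the first include, such as `<!-- document() paths resolve relative to this stylesheet; the build must fail if an expected Group id is missing from the output -->`, and back it with a check in the build. The large commented-out templates, including the `profiles/stig-rhel6-server.xml` reference, would read better as a short TODO list than as disabled code.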
