On 9/13/13 1:33 AM, Jan Lieskovsky wrote:

0003-Add-Fedora-19-basic-guide-XML-and-corresponding-XSLT.patch


 From 0c41ca1ca9736f24517737578ac3debb981e4e5b Mon Sep 17 00:00:00 2001
From: Jan Lieskovsky<[email protected]>
Date: Thu, 12 Sep 2013 17:19:45 +0200
Subject: [PATCH 3/8] Add Fedora-19 basic guide XML (and corresponding XSLT)
  files.


Signed-off-by: Jan Lieskovsky<[email protected]>
---
  FEDORA/input/guide.xml  |  40 +++++++++++++
  FEDORA/input/guide.xslt | 148 ++++++++++++++++++++++++++++++++++++++++++++++++
  2 files changed, 188 insertions(+)
  create mode 100644 FEDORA/input/guide.xml
  create mode 100644 FEDORA/input/guide.xslt

diff --git a/FEDORA/input/guide.xml b/FEDORA/input/guide.xml
new file mode 100644
index 0000000..0b92540
--- /dev/null
+++ b/FEDORA/input/guide.xml
@@ -0,0 +1,40 @@
+<?xml version="1.0"?>
+<Benchmark xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";  xmlns:xhtml="http://www.w3.org/1999/xhtml";  
xmlns:dc="http://purl.org/dc/elements/1.1/";  id="FEDORA-19" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.1 
xccdf-1.1.4.xsd"  resolved="false" xml:lang="en-US" >
+
+<status date="2011-12-20">draft</status>
+<title>Guide to the Secure Configuration of Fedora release 19 (Schrödinger's 
Cat)</title>
+<description>This guide presents a catalog of security-relevant
+configuration settings for Fedora release 19 (Schrödinger's Cat) formatted in 
the
+eXtensible Configuration Checklist Description Format (XCCDF).
+<br/>
+<br/>
+Providing system administrators with such guidance informs them how to securely
+configure systems under their control in a variety of network roles.  Policy
+makers and baseline creators can use this catalog of settings, with its
+associated references to higher-level security control catalogs, in order to
+assist them in security baseline creation.  This guide is a <i>catalog, not a
+checklist,</i> and satisfaction of every item is not likely to be possible or
+sensible in many operational scenarios.  However, the XCCDF format enables
+granular selection and adjustment of settings, and their association with OVAL
+and OCIL content provides an automated checking capability.  Transformations of
+this document, and its associated automated checking content, are capable of
+providing baselines that meet a diverse set of policy objectives.  Some example
+XCCDF <i>Profiles</i>, which are selections of items that form checklists and
+can be used as baselines, are available with this guide.  They can be
+processed, in an automated fashion, with tools that support the Security
+Content Automation Protocol (SCAP).
+</description>
+<notice id="terms_of_use">Do not attempt to implement any of the settings in
+this guide without first testing them in a non-operational environment. The
+creators of this guidance assume no responsibility whatsoever for its use by
+other parties, and makes no guarantees, expressed or implied, about its
+quality, reliability, or any other characteristic.</notice>
+
+<front-matter>The SCAP Security Guide 
Project<br/>https://fedorahosted.org/scap-security-guide</front-matter>
+<rear-matter>Red Hat and Fedora are either registered
+trademarks or trademarks of Red Hat, Inc. in the United States and other
+countries. All other names are registered trademarks or trademarks of their
+respective companies.</rear-matter>
+<platform idref="cpe:/o:fedoraproject:fedora:19" />
+<version>0.0.1</version>
+</Benchmark>
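
Review bot: The `<status date="2011-12-20">draft</status>` line near the top of guide.xml carries a 2011 date, while this patch is dated 12 Sep 2013 and the title targets Fedora release 19. The value looks carried over from older content and should be set to the date of this Fedora draft. In the `terms_of_use` notice, "The creators of this guidance assume ... and makes no guarantees" mixes plural and singular; "make no guarantees" would read correctly.
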
diff --git a/FEDORA/input/guide.xslt b/FEDORA/input/guide.xslt
new file mode 100644
index 0000000..3ac59e9
--- /dev/null
+++ b/FEDORA/input/guide.xslt
@@ -0,0 +1,148 @@
+<?xml version="1.0"?>
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform";  
xmlns:xccdf="http://checklists.nist.gov/xccdf/1.1";  xmlns:xhtml="http://www.w3.org/1999/xhtml";  
xmlns:dc="http://purl.org/dc/elements/1.1/";>
+
+<!-- This transform assembles all fragments into one "shorthand" XCCDF document 
-->
+
+  <xsl:template match="Benchmark">
+    <xsl:copy>
+      <xsl:copy-of select="@*|node()" />
+
+       <!-- adding profiles here -->
+       <!-- Relevant (currently commented-out) document files below to be 
included
+            later once there is a requirement them to be included (in order to 
the final
+            XCCDF / OVAL files generation to work properly). For now only 
those, included
+            below are sufficient. -->
+               <xsl:apply-templates select="document('profiles/test.xml')" />
+               <!--
+               <xsl:apply-templates select="document('profiles/CS2.xml')" />
+               <xsl:apply-templates select="document('profiles/common.xml')" />
+               <xsl:apply-templates select="document('profiles/desktop.xml')" 
/>
+               <xsl:apply-templates select="document('profiles/server.xml')" />
+               <xsl:apply-templates select="document('profiles/ftp.xml')" />
+               <xsl:apply-templates 
select="document('profiles/stig-rhel6-server.xml')" />
+               -->

Not all of these profiles (yet) exist within the Fedora content. I'd delete everything but "common" above.


+
+
+       <Value id="conditional_clause" type="string" operator="equals">
+                 <title>A conditional clause for check statements.</title>
+                 <description>A conditional clause for check 
statements.</description>
+                 <value>This is a placeholder.</value>
+       </Value>
+      <xsl:apply-templates select="document('intro/intro.xml')" />
+      <xsl:apply-templates select="document('system/system.xml')" />
+       <!--
+      <xsl:apply-templates select="document('services/services.xml')" />
+       -->
+      <!-- the auxiliary Groups here will be removed prior to some outputs -->
+       <!--
+      <xsl:apply-templates select="document('auxiliary/srg_support.xml')" />
+       -->
+    </xsl:copy>
+  </xsl:template>
+
+  <xsl:template match="Group[@id='system']">
+    <xsl:copy>
+      <xsl:copy-of select="@*|node()" />
+      <xsl:apply-templates select="document('system/software/software.xml')" />
+       <!--
+      <xsl:apply-templates 
select="document('system/permissions/permissions.xml')" />
+      <xsl:apply-templates select="document('system/selinux.xml')" />
+      <xsl:apply-templates select="document('system/accounts/accounts.xml')" />
+      <xsl:apply-templates select="document('system/network/network.xml')" />
+      <xsl:apply-templates select="document('system/logging.xml')" />
+      <xsl:apply-templates select="document('system/auditing.xml')" />

These sections should match up to XCCDF files. Apologies if they're created in later patches.

+       -->
+    </xsl:copy>
+  </xsl:template>
+
+  <xsl:template match="Group[@id='software']">
+    <xsl:copy>
+      <xsl:copy-of select="@*|node()" />
+       <!--
+      <xsl:apply-templates 
select="document('system/software/disk_partitioning.xml')" />
+       -->
+      <xsl:apply-templates select="document('system/software/updating.xml')" />
+       <!--
+      <xsl:apply-templates select="document('system/software/integrity.xml')" 
/>
+       -->
+    </xsl:copy>
+  </xsl:template>
+
+<!--
+  <xsl:template match="Group[@id='accounts']">
+    <xsl:copy>
+      <xsl:copy-of select="@*|node()" />
+      <xsl:apply-templates 
select="document('system/accounts/restrictions/restrictions.xml')" />
+      <xsl:apply-templates select="document('system/accounts/pam.xml')" />
+      <xsl:apply-templates select="document('system/accounts/session.xml')" />
+      <xsl:apply-templates select="document('system/accounts/physical.xml')" />
+      <xsl:apply-templates select="document('system/accounts/banners.xml')" />
+    </xsl:copy>
+  </xsl:template>
+
+  <xsl:template match="Group[@id='accounts-restrictions']">
+    <xsl:copy>
+      <xsl:copy-of select="@*|node()" />
+      <xsl:apply-templates 
select="document('system/accounts/restrictions/root_logins.xml')" />
+      <xsl:apply-templates 
select="document('system/accounts/restrictions/password_storage.xml')" />
+      <xsl:apply-templates 
select="document('system/accounts/restrictions/password_expiration.xml')" />
+      <xsl:apply-templates 
select="document('system/accounts/restrictions/account_expiration.xml')" />
+    </xsl:copy>
+  </xsl:template>
+
+  <xsl:template match="Group[@id='permissions']">
+    <xsl:copy>
+      <xsl:copy-of select="@*|node()" />
+      <xsl:apply-templates select="document('system/permissions/partitions.xml')" 
/>
+      <xsl:apply-templates select="document('system/permissions/mounting.xml')" 
/>
+      <xsl:apply-templates select="document('system/permissions/files.xml')" />
+      <xsl:apply-templates select="document('system/permissions/execution.xml')" 
/>
+    </xsl:copy>
+  </xsl:template>
+
+  <xsl:template match="Group[@id='network']">
+    <xsl:copy>
+      <xsl:copy-of select="@*|node()" />
+      <xsl:apply-templates select="document('system/network/kernel.xml')" />
+      <xsl:apply-templates select="document('system/network/wireless.xml')" />
+      <xsl:apply-templates select="document('system/network/ipv6.xml')" />
+      <xsl:apply-templates select="document('system/network/iptables.xml')" />
+      <xsl:apply-templates select="document('system/network/ssl.xml')" />
+      <xsl:apply-templates select="document('system/network/uncommon.xml')" />
+      <xsl:apply-templates select="document('system/network/ipsec.xml')" />
+    </xsl:copy>
+  </xsl:template>
+
+  <xsl:template match="Group[@id='services']">
+    <xsl:copy>
+      <xsl:copy-of select="@*|node()" />
+      <xsl:apply-templates select="document('services/obsolete.xml')" />
+      <xsl:apply-templates select="document('services/base.xml')" />
+      <xsl:apply-templates select="document('services/cron.xml')" />
+      <xsl:apply-templates select="document('services/ssh.xml')" />
+      <xsl:apply-templates select="document('services/xorg.xml')" />
+      <xsl:apply-templates select="document('services/avahi.xml')" />
+      <xsl:apply-templates select="document('services/printing.xml')" />
+      <xsl:apply-templates select="document('services/dhcp.xml')" />
+      <xsl:apply-templates select="document('services/ntp.xml')" />
+      <xsl:apply-templates select="document('services/mail.xml')" />
+      <xsl:apply-templates select="document('services/ldap.xml')" />
+      <xsl:apply-templates select="document('services/nfs.xml')" />
+      <xsl:apply-templates select="document('services/dns.xml')" />
+      <xsl:apply-templates select="document('services/ftp.xml')" />
+      <xsl:apply-templates select="document('services/http.xml')" />
+      <xsl:apply-templates select="document('services/imap.xml')" />
+      <xsl:apply-templates select="document('services/smb.xml')" />
+      <xsl:apply-templates select="document('services/squid.xml')" />
+      <xsl:apply-templates select="document('services/snmp.xml')" />
+    </xsl:copy>

I'll work on documentation of the build process, and will add to the wiki. We can trim this file down some, but this is a GREAT start!

+  </xsl:template>
+-->
+
+  <!-- copy everything else through to final output -->
+  <xsl:template match="@*|node()">
+    <xsl:copy>
+      <xsl:apply-templates select="@*|node()" />
+    </xsl:copy>
+  </xsl:template>
+</xsl:stylesheet>
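
Review bot: The `xsl:stylesheet` element declares `xmlns:xccdf`, `xmlns:xhtml` and `xmlns:dc`, but none of the templates in this file use those prefixes. In XSLT 1.0 the literal `<Value id="conditional_clause">` element in the `Benchmark` template will carry those namespace declarations into the output unless they are excluded. Either drop the unused declarations or add `exclude-result-prefixes="xccdf xhtml dc"` to `xsl:stylesheet`. Separately, the long commented-out run of templates (`accounts` through `services`) names many document() paths, while the diffstat for this patch lists only guide.xml and guide.xslt. Keeping just the templates whose document() targets exist in the tree would make it easier to confirm that every enabled include resolves to a real file.
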
-- 1.7.11.7


_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide


--
Shawn Wells
Director, Innovation Programs
[email protected] | 443.534.0130
@shawndwells
