>From 3ad8ce28808123fb2d66db09afb98a3b7fd105b4 Mon Sep 17 00:00:00 2001
From: Shawn Wells <[email protected]>
Date: Fri, 29 Nov 2013 23:48:16 -0500
Subject: [PATCH] [RFC] Creating shared bash script directory

As remediation content expands, many scripts will be repurposed across 
operating system releases. To reduce
the maintenance burden of having the same script in multiple places, I propose 
to create a shared fix directory. A patch to demonstrate this concept is 
attached.

combinefixes was modified to first look at input/fixes/bash, then 
../shared/fixes/, else echo a "no fix exists" message.

The downside to this approach is "exclusion" -- just because a script does not 
exist within RHEL6/fixes/bash does not
automatically mean we want the ../shared/fixes/ version. Unsure how to handle 
this. One idea was to 'touch RHEL6/fixes/bash',
and then delete that file if the shared version was to be inherited.
---
 .../input/fixes/bash/sysctl_net_ipv4_ip_forward.sh |   16 ------------
 RHEL6/transforms/combinefixes.py                   |   25 ++++++++++++-------
 shared/bash/sysctl_net_ipv4_ip_forward.sh          |   16 ++++++++++++
 3 files changed, 32 insertions(+), 25 deletions(-)
 delete mode 100644 RHEL6/input/fixes/bash/sysctl_net_ipv4_ip_forward.sh
 create mode 100644 shared/bash/sysctl_net_ipv4_ip_forward.sh

diff --git a/RHEL6/input/fixes/bash/sysctl_net_ipv4_ip_forward.sh 
b/RHEL6/input/fixes/bash/sysctl_net_ipv4_ip_forward.sh
deleted file mode 100644
index 3292a63..0000000
--- a/RHEL6/input/fixes/bash/sysctl_net_ipv4_ip_forward.sh
+++ /dev/null
@@ -1,16 +0,0 @@
-#
-# Set runtime for net.ipv4.ip_forward
-#
-sysctl -q -n -w net.ipv4.ip_forward=0
-
-#
-# If net.ipv4.ip_forward present in /etc/sysctl.conf, change value to "0"
-#      else, add "net.ipv4.ip_forward = 0" to /etc/sysctl.conf
-#
-if grep --silent ^net.ipv4.ip_forward /etc/sysctl.conf ; then
-       sed -i 's/^net.ipv4.ip_forward.*/net.ipv4.ip_forward = 0/g' 
/etc/sysctl.conf
-else
-       echo "" >> /etc/sysctl.conf
-       echo "# Set net.ipv4.ip_forward to 0 per security requirements" >> 
/etc/sysctl.conf
-       echo "net.ipv4.ip_forward = 0" >> /etc/sysctl.conf
-fi
diff --git a/RHEL6/transforms/combinefixes.py b/RHEL6/transforms/combinefixes.py
index 71fbe6f..4f3ac9f 100755
--- a/RHEL6/transforms/combinefixes.py
+++ b/RHEL6/transforms/combinefixes.py
@@ -1,6 +1,7 @@
 #!/usr/bin/python
 
 import sys, os, re, lxml.etree as etree
+from os import path, access
 
 def substitute_vars(fix):
        # brittle and troubling code to assign environment vars to XCCDF values
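Review bot: The added `from os import path, access` brings in `access`, which nothing in this patch uses, and `os` is already imported on the line above, so the file now has two spellings for the same module. Either drop the line and write `os.path.isfile(...)` in main(), or trim it to `from os import path`.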
@@ -29,16 +30,22 @@ def main():
        fixcontent = etree.Element("fix-content", 
system="urn:xccdf:fix:script:sh", xmlns="http://checklists.nist.gov/xccdf/1.1";)
        fixgroup = etree.SubElement(fixcontent, "fix-group", id="bash", 
system="urn:xccdf:fix:script:sh", xmlns="http://checklists.nist.gov/xccdf/1.1";)
        
-       for filename in os.listdir(fixdir):
-               if filename.endswith(".sh"):
-                       # create and populate new fix element based on shell 
file
-                       fixname = os.path.splitext(filename)[0]
+       for filename in os.listdir('input/checks/'):
+               if filename.endswith(".xml"):
+                       fixname =  os.path.splitext(filename)[0]
                        fix = etree.SubElement(fixgroup, "fix", rule=fixname)
-                       with open( fixdir + "/" + filename, 'r') as f:
-                               # assignment automatically escapes shell 
characters for XML
-                               fix.text = f.read()
-                               # replace instance of bash function "populate" 
with XCCDF variable substitution
-                               substitute_vars(fix)
+                               
+                       if path.isfile('input/fixes/bash/' + fixname + '.sh'):
+                               with open( 'input/fixes/bash/' + fixname + 
'.sh', 'r') as f:
+                                       fix.text = f.read()
+                                       substitute_vars(fix)
+                       elif path.isfile('../shared/bash/' + fixname + '.sh'):
+                               with open( '../shared/bash/' + fixname + '.sh', 
'r') as f:
+                                       fix.text = f.read()
+                                       substitute_vars(fix)
+                       else:
+                               fix.text = "# No bash script available for " + 
fixname + " yet.\n\
+# Interested in helping? https://fedorahosted.org/scap-security-guide/";
 
        tree = etree.ElementTree(fixcontent)
        tree.write(output, pretty_print=True)
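Review bot: Every check in `input/checks/` now produces a `fix` element even when no script exists, because the `else` branch fills `fix.text` with a comment-only placeholder; a consumer applying this content would execute a no-op "remediation" for that rule, which can read as a successful fix when nothing was changed. If the placeholder is intended, consider creating the SubElement only once a script has been found, or `continue` in the `else` branch, so the emitted content carries only real fixes. The two `path.isfile` branches are otherwise identical apart from the directory, so a single loop over the candidate directories removes the duplicated open/read/substitute_vars sequence (sketched below). Note also that `fixdir` is no longer referenced in the loop (presumably still assigned earlier in main(), which starts outside this hunk) and all lookups are relative to the working directory, so the script now depends on being invoked from the RHEL6 tree — worth a comment at the top of main(), e.g. `# Paths below are relative to the RHEL6/ directory; run from there.`
```python
			fix = etree.SubElement(fixgroup, "fix", rule=fixname)
			script = None
			for fixpath in ('input/fixes/bash/', '../shared/bash/'):
				if path.isfile(fixpath + fixname + '.sh'):
					script = fixpath + fixname + '.sh'
					break
			if script is not None:
				with open(script, 'r') as f:
					fix.text = f.read()
					substitute_vars(fix)
			else:
				# … unchanged: placeholder fix.text …
```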
diff --git a/shared/bash/sysctl_net_ipv4_ip_forward.sh 
b/shared/bash/sysctl_net_ipv4_ip_forward.sh
new file mode 100644
index 0000000..3292a63
--- /dev/null
+++ b/shared/bash/sysctl_net_ipv4_ip_forward.sh
@@ -0,0 +1,16 @@
+#
+# Set runtime for net.ipv4.ip_forward
+#
+sysctl -q -n -w net.ipv4.ip_forward=0
+
+#
+# If net.ipv4.ip_forward present in /etc/sysctl.conf, change value to "0"
+#      else, add "net.ipv4.ip_forward = 0" to /etc/sysctl.conf
+#
+if grep --silent ^net.ipv4.ip_forward /etc/sysctl.conf ; then
+       sed -i 's/^net.ipv4.ip_forward.*/net.ipv4.ip_forward = 0/g' 
/etc/sysctl.conf
+else
+       echo "" >> /etc/sysctl.conf
+       echo "# Set net.ipv4.ip_forward to 0 per security requirements" >> 
/etc/sysctl.conf
+       echo "net.ipv4.ip_forward = 0" >> /etc/sysctl.conf
+fi
-- 
1.7.1
