>From 6549bddbc7fdfb425665262900acbe209b375408 Mon Sep 17 00:00:00 2001 From: Shawn Wells <[email protected]> Date: Mon, 23 Dec 2013 02:50:56 -0500 Subject: [PATCH 10/25] RHEL6/ensure_gpgcheck_globally_activated.xml --> shared - Updated OVAL name to match XCCDF - Tested on RHEL7, added CPE - Moved to shared/
RHEL7 testing: [root@localhost checks]# grep gpgcheck /etc/yum.conf gpgcheck=1 [root@localhost checks]# ./testcheck.py ensure_gpgcheck_globally_activated.xml Evaluating with OVAL tempfile : /tmp/ensure_gpgcheck_globally_activatedjeVsLY.xml Writing results to : /tmp/ensure_gpgcheck_globally_activatedjeVsLY.xml-results Definition oval:scap-security-guide.testing:def:123: true Evaluation done. [root@localhost checks]# sed -i 's/gpgcheck=1/gpgcheck=0/g' /etc/yum.conf [root@localhost checks]# ./testcheck.py ensure_gpgcheck_globally_activated.xml Evaluating with OVAL tempfile : /tmp/ensure_gpgcheck_globally_activatedp4GrwX.xml Writing results to : /tmp/ensure_gpgcheck_globally_activatedp4GrwX.xml-results Definition oval:scap-security-guide.testing:def:123: false Evaluation done. [root@localhost checks]# sed -i 's/gpgcheck=0/gpgcheck=1/g' /etc/yum.conf [root@localhost checks]# ./testcheck.py ensure_gpgcheck_globally_activated.xml Evaluating with OVAL tempfile : /tmp/ensure_gpgcheck_globally_activated06W2DW.xml Writing results to : /tmp/ensure_gpgcheck_globally_activated06W2DW.xml-results Definition oval:scap-security-guide.testing:def:123: true Evaluation done. Signed-off-by: Shawn Wells <[email protected]> --- :000000 120000 0000000... 391b999... A RHEL/6/input/checks/ensure_gpgcheck_globally_activated.xml :100644 000000 6482dce... 0000000... D RHEL/6/input/checks/yum_gpgcheck_global_activation.xml :000000 120000 0000000... 391b999... A RHEL/7/input/checks/ensure_gpgcheck_globally_activated.xml :000000 100644 0000000... e397400... A shared/oval/ensure_gpgcheck_globally_activated.xml .../checks/ensure_gpgcheck_globally_activated.xml | 1 + .../checks/yum_gpgcheck_global_activation.xml | 25 -------------------- .../checks/ensure_gpgcheck_globally_activated.xml | 1 + shared/oval/ensure_gpgcheck_globally_activated.xml | 27 ++++++++++++++++++++++ 4 files changed, 29 insertions(+), 25 deletions(-) 
diff --git a/RHEL/6/input/checks/ensure_gpgcheck_globally_activated.xml b/RHEL/6/input/checks/ensure_gpgcheck_globally_activated.xml
new file mode 120000
index 0000000..391b999
--- /dev/null
+++ b/RHEL/6/input/checks/ensure_gpgcheck_globally_activated.xml
@@ -0,0 +1 @@
+../../../../shared/oval/ensure_gpgcheck_globally_activated.xml
\ No newline at end of file
diff --git a/RHEL/6/input/checks/yum_gpgcheck_global_activation.xml b/RHEL/6/input/checks/yum_gpgcheck_global_activation.xml
deleted file mode 100644
index 6482dce..0000000
--- a/RHEL/6/input/checks/yum_gpgcheck_global_activation.xml
+++ /dev/null
@@ -1,25 +0,0 @@
-<def-group>
- <definition class="compliance" id="yum_gpgcheck_global_activation" version="1">
- <metadata>
- <title>Ensure Yum gpgcheck Globally Activated</title>
- <affected family="unix">
- <platform>Red Hat Enterprise Linux 6</platform>
- </affected>
- <description>The gpgcheck option should be used to ensure that checking
- of an RPM package's signature always occurs prior to its
- installation.</description>
- <reference source="MED" ref_id="20130807" ref_url="test_attestation" />
- </metadata>
- <criteria>
- <criterion comment="check value of gpgcheck in /etc/yum.conf" test_ref="test_yum_gpgcheck_global_activation" />
- </criteria>
- </definition>
- <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="check value of gpgcheck in /etc/yum.conf" id="test_yum_gpgcheck_global_activation" version="1">
- <ind:object object_ref="object_yum_gpgcheck_global_activation" />
- </ind:textfilecontent54_test>
- <ind:textfilecontent54_object id="object_yum_gpgcheck_global_activation" comment="gpgcheck set in /etc/yum.conf" version="1">
- <ind:filepath>/etc/yum.conf</ind:filepath>
- <ind:pattern operation="pattern match">^\s*gpgcheck\s*=\s*1\s*$</ind:pattern>
- <ind:instance datatype="int" operation="equals">1</ind:instance>
- </ind:textfilecontent54_object>
-</def-group>
diff --git a/RHEL/7/input/checks/ensure_gpgcheck_globally_activated.xml b/RHEL/7/input/checks/ensure_gpgcheck_globally_activated.xml
new file mode 120000
index 0000000..391b999
--- /dev/null
+++ b/RHEL/7/input/checks/ensure_gpgcheck_globally_activated.xml
@@ -0,0 +1 @@
+../../../../shared/oval/ensure_gpgcheck_globally_activated.xml
\ No newline at end of file
diff --git a/shared/oval/ensure_gpgcheck_globally_activated.xml b/shared/oval/ensure_gpgcheck_globally_activated.xml
new file mode 100644
index 0000000..e397400
--- /dev/null
+++ b/shared/oval/ensure_gpgcheck_globally_activated.xml
@@ -0,0 +1,27 @@
+<def-group>
+ <definition class="compliance" id="ensure_gpgcheck_globally_activated" version="1">
+ <metadata>
+ <title>Ensure Yum gpgcheck Globally Activated</title>
+ <affected family="unix">
+ <platform>Red Hat Enterprise Linux 6</platform>
+ <platform>Red Hat Enterprise Linux 7</platform>
+ </affected>
+ <description>The gpgcheck option should be used to ensure that checking
+ of an RPM package's signature always occurs prior to its
+ installation.</description>
+ <reference source="MED" ref_id="20130807" ref_url="test_attestation" />
+ <!-- rhel7: <reference source="SDW" ref_id="20131223" ref_url="test_attestation" /> -->
+ </metadata>
+ <criteria>
+ <criterion comment="check value of gpgcheck in /etc/yum.conf" test_ref="test_ensure_gpgcheck_globally_activated" />
+ </criteria>
+ </definition>
+ <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="check value of gpgcheck in /etc/yum.conf" id="test_ensure_gpgcheck_globally_activated" version="1">
+ <ind:object object_ref="object_ensure_gpgcheck_globally_activated" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="object_ensure_gpgcheck_globally_activated" comment="gpgcheck set in /etc/yum.conf" version="1">
+ <ind:filepath>/etc/yum.conf</ind:filepath>
+ <ind:pattern operation="pattern match">^\s*gpgcheck\s*=\s*1\s*$</ind:pattern>
+ <ind:instance datatype="int" operation="equals">1</ind:instance>
+ </ind:textfilecontent54_object>
+</def-group>
-- 1.8.3.1
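Review bot: The new `textfilecontent54_object` is satisfied as soon as one line of /etc/yum.conf matches `^\s*gpgcheck\s*=\s*1\s*$`, so the definition does not notice a second `gpgcheck=0` line elsewhere in the file and cannot tell whether the matching line sits under `[main]` or under a repository section. The test log in the commit message only toggles a single line with sed, so neither case is exercised. If yum lets a later assignment win (worth confirming against yum.conf(5)), a host with signature checking effectively disabled could be reported as compliant. I would pair the existing criterion with a `none_exist` test for a disabling line, as sketched below with proposed ids. The sketch does not address `[main]` scoping or other boolean spellings yum may accept.

```xml
<criteria operator="AND">
  <criterion comment="check value of gpgcheck in /etc/yum.conf" test_ref="test_ensure_gpgcheck_globally_activated" />
  <criterion comment="no gpgcheck=0 line in /etc/yum.conf" test_ref="test_ensure_gpgcheck_not_disabled_in_yum_conf" />
</criteria>
<!-- … unchanged: existing gpgcheck=1 test and object … -->
<ind:textfilecontent54_test check="all" check_existence="none_exist" comment="no gpgcheck=0 line in /etc/yum.conf" id="test_ensure_gpgcheck_not_disabled_in_yum_conf" version="1">
  <ind:object object_ref="object_ensure_gpgcheck_not_disabled_in_yum_conf" />
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="object_ensure_gpgcheck_not_disabled_in_yum_conf" comment="gpgcheck disabled in /etc/yum.conf" version="1">
  <ind:filepath>/etc/yum.conf</ind:filepath>
  <ind:pattern operation="pattern match">^\s*gpgcheck\s*=\s*0\s*$</ind:pattern>
  <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
```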
