Hello,

I have noticed that in the content the xccdf:sub element is often commented out (or even omitted). I wonder why these elements are commented out. I thought perhaps there was some problem in OpenSCAP which has kept you from using sub elements.

As a reminder, xccdf:sub elements can be used within a Rule's title, description, or fix elements. Each xccdf:sub element refers to an XCCDF variable. The value of the variable depends on the selected profile. During content processing, the xccdf:sub elements get resolved according to the profile.

I have recently reviewed and fixed the OpenSCAP and SCAP-Workbench tools in regard to xccdf:sub processing. Please consider using/uncommenting xccdf:sub elements.

The following snippets from ssg-rhel6-xccdf.xml illustrate the current (non-)usage of sub elements:

(1)
PASS_MIN_LEN 14<!-- <sub idref="var_accounts_password_minlen_login_defs"> -->

(2)
the following lines in <xhtml:code>/etc/default/useradd</xhtml:code>, substituting <xhtml:code><i xmlns="http://www.w3.org/1999/xhtml">NUM_DAYS</i></xhtml:code> appropriately:
<pre xmlns="http://www.w3.org/1999/xhtml">INACTIVE=<i>NUM_DAYS</i></pre>

(3)
to require differing
characters when changing passwords, substituting <i xmlns="http://www.w3.org/1999/xhtml">NUM</i> appropriately.
The DoD requirement is <xhtml:code>4</xhtml:code>.

(4)
umask 077<!-- <sub idref="var_accounts_user_umask" /> -->

(5)
Modify the following line,
substituting <i xmlns="http://www.w3.org/1999/xhtml">ACTION</i> appropriately: <pre xmlns="http://www.w3.org/1999/xhtml">space_left_action = <i>ACTION</i></pre> Possible values for <i xmlns="http://www.w3.org/1999/xhtml">ACTION</i> are described in the <xhtml:code>auditd.conf</xhtml:code> man page.

--
Simon Lukasik
Security Technologies, Red Hat, Inc.
_______________________________________________
scap-security-guide mailing list
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
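The resolution step the message describes, as an added example that is not part of the mailing-list post and not OpenSCAP's or SSG's own code: a small Python script that reads an XCCDF 1.1 benchmark, picks the Value selections a Profile makes (refine-value by selector, set-value by literal), and renders a Rule description with each xccdf:sub replaced. The benchmark is a constructed fragment; the Value ids var_accounts_password_minlen_login_defs and var_accounts_user_umask are taken from snippets (1) and (4) above, while the Profile and Rule ids are hypothetical. The last Rule reproduces the commented-out pattern from snippet (1) to show that a literal 14 stays 14 whichever profile is selected. A sub whose idref matches no Value is reported rather than silently dropped.

```python
"""Resolve xccdf:sub elements against the Value selections of an XCCDF profile.

Added example; not code from the mailing-list post, OpenSCAP or SSG.
"""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"   # namespace used by ssg-rhel6-xccdf.xml
NS = {"xccdf": XCCDF_NS}
SUB_TAG = f"{{{XCCDF_NS}}}sub"

# Constructed benchmark: Value ids from the post, Profile/Rule ids are hypothetical.
SAMPLE_XCCDF = f"""<Benchmark xmlns="{XCCDF_NS}" id="example-benchmark">
  <Profile id="profile_strict">
    <title>Strict (hypothetical)</title>
    <refine-value idref="var_accounts_password_minlen_login_defs" selector="14"/>
    <refine-value idref="var_accounts_user_umask" selector="077"/>
  </Profile>
  <Profile id="profile_lax">
    <title>Lax (hypothetical)</title>
    <set-value idref="var_accounts_user_umask">027</set-value>
  </Profile>
  <Value id="var_accounts_password_minlen_login_defs" type="number">
    <value>12</value>
    <value selector="14">14</value>
  </Value>
  <Value id="var_accounts_user_umask" type="string">
    <value>077</value>
    <value selector="077">077</value>
    <value selector="027">027</value>
  </Value>
  <Rule id="rule_minlen"><description>Set PASS_MIN_LEN to <sub idref="var_accounts_password_minlen_login_defs"/> in /etc/login.defs.</description></Rule>
  <Rule id="rule_umask"><description>Add the line umask <sub idref="var_accounts_user_umask"/> to /etc/bashrc.</description></Rule>
  <Rule id="rule_dangling"><description>Value is <sub idref="var_does_not_exist"/>.</description></Rule>
  <Rule id="rule_hardcoded"><description>PASS_MIN_LEN 14<!-- <sub idref="var_accounts_password_minlen_login_defs"/> --></description></Rule>
</Benchmark>
"""


def value_table(benchmark):
    """Map each Value id to (default text, {selector: text})."""
    table = {}
    for val in benchmark.findall("xccdf:Value", NS):
        default, options = None, {}
        for v in val.findall("xccdf:value", NS):
            text = (v.text or "").strip()
            sel = v.get("selector")
            if not sel:                       # no selector (or empty) marks the default
                default = text if default is None else default
            else:
                options[sel] = text
        if default is None and options:       # fall back to the first selectable value
            default = next(iter(options.values()))
        table[val.get("id")] = (default, options)
    return table


def resolve_values(benchmark, profile_id):
    """Apply a Profile's refine-value/set-value on top of the Value defaults."""
    table = value_table(benchmark)
    resolved = {vid: default for vid, (default, _) in table.items()}
    profile = benchmark.find(f"xccdf:Profile[@id='{profile_id}']", NS)
    if profile is None:
        raise KeyError(f"no Profile with id {profile_id!r}")
    for rv in profile.findall("xccdf:refine-value", NS):
        vid = rv.get("idref")
        default, options = table[vid]
        # unknown selector: keep the default rather than inventing a value
        resolved[vid] = options.get(rv.get("selector"), default)
    for sv in profile.findall("xccdf:set-value", NS):
        resolved[sv.get("idref")] = (sv.text or "").strip()   # literal override
    return resolved


def render(elem, values, unresolved):
    """Flatten mixed content, replacing each <sub idref=.../> with its value."""
    parts = [elem.text or ""]
    for child in elem:
        if child.tag == SUB_TAG:
            idref = child.get("idref")
            if values.get(idref) is None:
                unresolved.append(idref)      # report, do not silently drop
                parts.append(f"[unresolved sub {idref}]")
            else:
                parts.append(values[idref])
        else:
            parts.append(render(child, values, unresolved))   # e.g. xhtml markup
        parts.append(child.tail or "")
    return "".join(parts)


def rule_description(benchmark, profile_id, rule_id):
    """Return (rendered description, list of unresolved sub idrefs) for one Rule."""
    values = resolve_values(benchmark, profile_id)
    rule = benchmark.find(f"xccdf:Rule[@id='{rule_id}']", NS)
    if rule is None:
        raise KeyError(f"no Rule with id {rule_id!r}")
    unresolved = []
    text = render(rule.find("xccdf:description", NS), values, unresolved)
    return text, unresolved


BENCHMARK = ET.fromstring(SAMPLE_XCCDF)

if __name__ == "__main__":
    for pid in ("profile_strict", "profile_lax"):
        for rid in ("rule_minlen", "rule_umask", "rule_hardcoded", "rule_dangling"):
            print(pid, rid, rule_description(BENCHMARK, pid, rid))
```

Run it stand-alone to see the same description text come out with 14/077 under the strict profile and 12/027 under the lax one, while rule_hardcoded reads "PASS_MIN_LEN 14" for both, which is exactly the drift that uncommenting the sub elements avoids. The parser discards XML comments, so a commented-out sub is invisible to this script just as it is to an XCCDF processor.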