On 03/18/2014 05:33 PM, Jan Ruzicka wrote:
> Hi,

Hello,

> Was the commenting out the result of some evaluation substituting specified values?

The commented-out code was not the result of automated evaluation/substitution.

> Is there a step to revert this substitution (to have a roundtrip)?

The xccdf:sub elements are rarely substituted in the input XCCDF file
[1]. The xccdf:sub elements are only resolved at run time; e.g. in
order to be printed out.

[1]: There is only one exception. OpenSCAP substitutes xccdf:sub
elements within Rule/fix and exports the result to the particular
rule-result/fix during remediation. That is done to help users
debug/audit what commands have been run.

> Jan
> On Mar 18, 2014, at 10:46, Simon Lukasik wrote:
> > Hello,
> >
> > I have noticed that in the content there is often an xccdf:sub element
> > commented out (or even omitted). I wonder why these elements are
> > commented out. I thought, perhaps there was some problem in OpenSCAP
> > which has held you back from using sub elements.
> >
> > As a reminder, xccdf:sub elements can be used within a Rule's title,
> > description, or fix elements. Each xccdf:sub element refers to an XCCDF
> > variable. The value of the variable depends on the selected profile. During
> > content processing, the xccdf:sub elements shall get resolved according
> > to the profile.
> >
> > I have recently reviewed and fixed OpenSCAP and SCAP-Workbench tools in
> > regard to the xccdf:sub processing. Please consider using/uncommenting
> > xccdf:sub elements.
> >
> > The following snippets from ssg-rhel6-xccdf.xml illustrate the current
> > (non-)usage of sub elements:
> >
> > (1)
> > PASS_MIN_LEN 14<!-- <sub
> > idref="var_accounts_password_minlen_login_defs"> -->
> >
> > (2)
> > the following lines in <xhtml:code>/etc/default/useradd</xhtml:code>,
> > substituting
> > <xhtml:code><i
> > xmlns="http://www.w3.org/1999/xhtml">NUM_DAYS</i></xhtml:code>
> > appropriately:
> > <pre xmlns="http://www.w3.org/1999/xhtml">INACTIVE=<i>NUM_DAYS</i></pre>
> >
> > (3)
> > to require differing
> > characters when changing passwords, substituting <i
> > xmlns="http://www.w3.org/1999/xhtml">NUM</i> appropriately.
> > The DoD requirement is <xhtml:code>4</xhtml:code>.
> >
> > (4)
> > umask 077<!-- <sub idref="var_accounts_user_umask" /> -->
> >
> > (5)
> > Modify the following line,
> > substituting <i xmlns="http://www.w3.org/1999/xhtml">ACTION</i>
> > appropriately:
> > <pre xmlns="http://www.w3.org/1999/xhtml">space_left_action =
> > <i>ACTION</i></pre>
> > Possible values for <i xmlns="http://www.w3.org/1999/xhtml">ACTION</i>
> > are described in the <xhtml:code>auditd.conf</xhtml:code> man page.
> >
> > --
> > Simon Lukasik
> > Security Technologies, Red Hat, Inc.
> > _______________________________________________
> > scap-security-guide mailing list
> > [email protected]
> > https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
>
> Jan Ruzicka
> Senior Software Engineer
> Comtech Mobile Datacom Corporation
> 20430 Century Blvd, Germantown, MD 20874
> Office: 240-686-3300
> Fax: 240-686-3301
--
Simon Lukasik
Security Technologies
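
The profile-dependent resolution of xccdf:sub discussed in this thread, as an added Python example (not part of the original messages and not OpenSCAP's code). The benchmark, profile ids, rule ids and values are constructed, only the two variable ids come from the thread, and the XCCDF 1.1 namespace is assumed.

```python
import xml.etree.ElementTree as ET

X = "http://checklists.nist.gov/xccdf/1.1"  # assumed XCCDF version
NS = {"x": X}

# Constructed sample benchmark; only the two variable ids appear in the thread.
SAMPLE = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="demo">
  <Profile id="strict">
    <refine-value idref="var_accounts_password_minlen_login_defs" selector="14"/>
    <set-value idref="var_accounts_user_umask">077</set-value>
  </Profile>
  <Profile id="relaxed"/>
  <Value id="var_accounts_password_minlen_login_defs">
    <value>8</value><value selector="14">14</value>
  </Value>
  <Value id="var_accounts_user_umask"><value>027</value></Value>
  <Rule id="minlen"><fix>PASS_MIN_LEN <sub idref="var_accounts_password_minlen_login_defs"/></fix></Rule>
  <Rule id="umask"><fix>umask <sub idref="var_accounts_user_umask"/></fix></Rule>
  <Rule id="broken"><fix>INACTIVE=<sub idref="var_undefined"/></fix></Rule>
</Benchmark>"""

def profile_values(bench, profile_id):
    """Effective Value id -> text under one profile (set-value beats refine-value)."""
    prof = bench.find(f"x:Profile[@id='{profile_id}']", NS)
    if prof is None:
        raise KeyError(f"no such profile: {profile_id}")
    selector = {r.get("idref"): r.get("selector") for r in prof.findall("x:refine-value", NS)}
    out = {}
    for val in bench.iter(f"{{{X}}}Value"):
        for v in val.findall("x:value", NS):
            # No refine-value means the selector-less default <value> is used.
            if v.get("selector") == selector.get(val.get("id")):
                out[val.get("id")] = v.text or ""
    out.update({s.get("idref"): s.text or "" for s in prof.findall("x:set-value", NS)})
    return out

def resolve(elem, values):
    """Flatten elem to text, replacing each xccdf:sub by its variable's value."""
    parts = [elem.text or ""]
    for child in elem:
        if child.tag == f"{{{X}}}sub":
            ref = child.get("idref")
            if ref not in values:  # refuse to emit a fix with a hole in it
                raise KeyError(f"unresolved xccdf:sub idref={ref}")
            parts.append(values[ref])
        else:
            parts.append(resolve(child, values))
        parts.append(child.tail or "")
    return "".join(parts)

def rule_fix(xml_text, profile_id, rule_id):
    bench = ET.fromstring(xml_text)
    fix = bench.find(f".//x:Rule[@id='{rule_id}']/x:fix", NS)
    return resolve(fix, profile_values(bench, profile_id))
```

The same rule yields different fix text per profile, and a sub that points at an undefined variable raises instead of producing a truncated remediation line.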