>From 35f5fdeef83ecbf55770b87e483db599ac4e27bb Mon Sep 17 00:00:00 2001
From: Shawn Wells <[email protected]>
Date: Thu, 17 Apr 2014 20:17:17 -0400
Subject: [PATCH 06/15] Updated RHEL6 OVAL template create_sysctl_checks.py to
include bash remediation
Consolidating templates
TESTING
$ make clean ; ./create_sysctl_checks.py sysctl_values.csv ; ls output/ ; cat
output/sysctl_net_ipv4_ip_forward.sh
rm -f output/*.xml
rm -f output/*.sh
sysctl_fs_suid_dumpable.sh
sysctl_net_ipv4_conf_default_accept_redirects.xml
sysctl_fs_suid_dumpable.xml
sysctl_net_ipv4_conf_default_accept_source_route.sh
sysctl_kernel_dmesg_restrict.sh
sysctl_net_ipv4_conf_default_accept_source_route.xml
sysctl_kernel_dmesg_restrict.xml
sysctl_net_ipv4_conf_default_rp_filter.sh
sysctl_kernel_exec_shield.sh
sysctl_net_ipv4_conf_default_rp_filter.xml
sysctl_kernel_exec_shield.xml
sysctl_net_ipv4_conf_default_secure_redirects.sh
sysctl_kernel_randomize_va_space.sh
sysctl_net_ipv4_conf_default_secure_redirects.xml
sysctl_kernel_randomize_va_space.xml
sysctl_net_ipv4_conf_default_send_redirects.sh
sysctl_net_ipv4_conf_all_accept_redirects.sh
sysctl_net_ipv4_conf_default_send_redirects.xml
sysctl_net_ipv4_conf_all_accept_redirects.xml
sysctl_net_ipv4_icmp_echo_ignore_broadcasts.sh
sysctl_net_ipv4_conf_all_accept_source_route.sh
sysctl_net_ipv4_icmp_echo_ignore_broadcasts.xml
sysctl_net_ipv4_conf_all_accept_source_route.xml
sysctl_net_ipv4_icmp_ignore_bogus_error_responses.sh
sysctl_net_ipv4_conf_all_log_martians.sh
sysctl_net_ipv4_icmp_ignore_bogus_error_responses.xml
sysctl_net_ipv4_conf_all_log_martians.xml sysctl_net_ipv4_ip_forward.sh
sysctl_net_ipv4_conf_all_rp_filter.sh sysctl_net_ipv4_ip_forward.xml
sysctl_net_ipv4_conf_all_rp_filter.xml
sysctl_net_ipv4_tcp_syncookies.sh
sysctl_net_ipv4_conf_all_secure_redirects.sh
sysctl_net_ipv4_tcp_syncookies.xml
sysctl_net_ipv4_conf_all_secure_redirects.xml
sysctl_net_ipv6_conf_all_accept_ra.sh
sysctl_net_ipv4_conf_all_send_redirects.sh
sysctl_net_ipv6_conf_all_accept_ra.xml
sysctl_net_ipv4_conf_all_send_redirects.xml
sysctl_net_ipv6_conf_default_accept_ra.sh
sysctl_net_ipv4_conf_default_accept_redirects.sh
sysctl_net_ipv6_conf_default_accept_ra.xml
sysctl -q -n -w net.ipv4.ip_forward=0
if grep --silent ^net.ipv4.ip_forward /etc/sysctl.conf ; then
sed -i 's/^net.ipv4.ip_forward.*/net.ipv4.ip_forward = 0/g'
/etc/sysctl.conf
else
echo "" >> /etc/sysctl.conf
echo "# Set net.ipv4.ip_forward to 0 per security requirements" >>
/etc/sysctl.conf
echo "net.ipv4.ip_forward = 0" >> /etc/sysctl.conf
fi
---
RHEL/6/input/checks/templates/bash/sysctl | 16 ++++++++
.../input/checks/templates/create_sysctl_checks.py | 11 +++++-
RHEL/6/input/checks/templates/oval/sysctl | 40 ++++++++++++++++++++
RHEL/6/input/checks/templates/template_sysctl | 40 --------------------
.../fixes/bash/templates/create_sysctl_bash.py | 35 -----------------
RHEL/6/input/fixes/bash/templates/template_sysctl | 16 --------
6 files changed, 66 insertions(+), 92 deletions(-)
create mode 100644 RHEL/6/input/checks/templates/bash/sysctl
create mode 100644 RHEL/6/input/checks/templates/oval/sysctl
delete mode 100644 RHEL/6/input/checks/templates/template_sysctl
delete mode 100755 RHEL/6/input/fixes/bash/templates/create_sysctl_bash.py
delete mode 100644 RHEL/6/input/fixes/bash/templates/template_sysctl
diff --git a/RHEL/6/input/checks/templates/bash/sysctl
b/RHEL/6/input/checks/templates/bash/sysctl
new file mode 100644
index 0000000..e654ee3
--- /dev/null
+++ b/RHEL/6/input/checks/templates/bash/sysctl
@@ -0,0 +1,16 @@
+#
+# Set runtime for SYSCTLVAR
+#
+sysctl -q -n -w SYSCTLVAR=SYSCTLVAL
+
+#
+# If SYSCTLVAR present in /etc/sysctl.conf, change value to "SYSCTLVAL"
+# else, add "SYSCTLVAR = SYSCTLVAL" to /etc/sysctl.conf
+#
+if grep --silent ^SYSCTLVAR /etc/sysctl.conf ; then
+ sed -i 's/^SYSCTLVAR.*/SYSCTLVAR = SYSCTLVAL/g' /etc/sysctl.conf
+else
+ echo "" >> /etc/sysctl.conf
+ echo "# Set SYSCTLVAR to SYSCTLVAL per security requirements" >>
/etc/sysctl.conf
+ echo "SYSCTLVAR = SYSCTLVAL" >> /etc/sysctl.conf
+fi
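Review bot: The `grep` on the `if` line and the `sed` on the line after it treat the substituted sysctl name as a regex with no terminator, so its dots match any character and `^net.ipv4.ip_forward` also matches any longer key that merely starts with those characters, which the `sed` then overwrites with the shorter key. The remediation also only recognises a key at column 0, while the companion OVAL pattern in `oval/sysctl` accepts leading whitespace, so an indented existing setting is left in place and a duplicate is appended. Anchoring on the `=` and allowing whitespace narrows both: `if grep -q "^[[:space:]]*SYSCTLVAR[[:space:]]*=" /etc/sysctl.conf ; then` and `sed -i "s/^[[:space:]]*SYSCTLVAR[[:space:]]*=.*/SYSCTLVAR = SYSCTLVAL/g" /etc/sysctl.conf`; having the generator substitute a regex-escaped name into these two lines would close the remaining wildcard. This template appears to be moved here unchanged (same blob id as the deleted `fixes/bash/templates/template_sysctl`), so the defect predates the commit, but it is now emitted for every entry in the CSV.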
diff --git a/RHEL/6/input/checks/templates/create_sysctl_checks.py
b/RHEL/6/input/checks/templates/create_sysctl_checks.py
index 009df15..a26bf0a 100755
--- a/RHEL/6/input/checks/templates/create_sysctl_checks.py
+++ b/RHEL/6/input/checks/templates/create_sysctl_checks.py
@@ -8,7 +8,7 @@ def output_checkfile(serviceinfo):
# convert variable name to a format suitable for 'id' tags
sysctl_var_id = re.sub('[-\.]', '_', sysctl_var)
# open the template and perform the conversions
- with open("template_sysctl", 'r') as templatefile:
+ with open("oval/sysctl", 'r') as templatefile:
filestring = templatefile.read()
filestring = filestring.replace("SYSCTLID", sysctl_var_id)
filestring = filestring.replace("SYSCTLVAR", sysctl_var)
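Review bot: `open("oval/sysctl", 'r')` resolves against the current working directory rather than the script's location, so the generator only works when invoked from its own directory as the TESTING transcript does; run from anywhere else it fails on a template path that does not exist, and the `./output/` path below has the same dependency. Resolving templates next to the script removes that: `here = os.path.dirname(os.path.abspath(__file__))` and `with open(os.path.join(here, "oval", "sysctl"), 'r') as templatefile:` (this needs `import os`; the import block is outside this hunk). `output_checkfile` starts before this hunk.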
@@ -17,6 +17,15 @@ def output_checkfile(serviceinfo):
with open("./output/sysctl_" + sysctl_var_id + ".xml", 'wb+') as
outputfile:
outputfile.write(filestring)
outputfile.close()
+ with open("bash/sysctl", 'r') as templatefile:
+ filestring = templatefile.read()
+ filestring = filestring.replace("SYSCTLID", sysctl_var_id)
+ filestring = filestring.replace("SYSCTLVAR", sysctl_var)
+ filestring = filestring.replace("SYSCTLVAL", sysctl_val)
+ # write the check
+ with open("./output/sysctl_" + sysctl_var_id + ".sh", 'wb+') as
outputfile:
+ outputfile.write(filestring)
+ outputfile.close()
def main():
if len(sys.argv) < 2:
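Review bot: `sysctl_var` and `sysctl_val` come straight from the CSV and are spliced verbatim into a shell script intended to edit `/etc/sysctl.conf` as root, with no check that they are a plain dotted name and a plain value; a stray space, quote or `;` in a CSV field would silently change what the generated `sysctl -w` and `sed` lines execute. Since the OVAL state rendered for the same pair declares `datatype="int"`, a narrow guard before the two renders is cheap and `re` is already imported: `if not re.match(r'^[A-Za-z0-9_.\-]+$', sysctl_var) or not re.match(r'^-?[0-9]+$', sysctl_val): raise ValueError("refusing to render unsafe sysctl entry %r" % (serviceinfo,))`. The two read-replace-write stanzas are identical apart from the template path and output suffix and could share one small helper. `output_checkfile` begins outside this hunk.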
diff --git a/RHEL/6/input/checks/templates/oval/sysctl
b/RHEL/6/input/checks/templates/oval/sysctl
new file mode 100644
index 0000000..be623db
--- /dev/null
+++ b/RHEL/6/input/checks/templates/oval/sysctl
@@ -0,0 +1,40 @@
+<def-group>
+ <!-- THIS FILE IS GENERATED by create_sysctl_checks.py. DO NOT EDIT. -->
+ <definition class="compliance" id="sysctl_SYSCTLID" version="1">
+ <metadata>
+ <title>Kernel Runtime Parameter "SYSCTLVAR" Check</title>
+ <affected family="unix">
+ <platform>Red Hat Enterprise Linux 6</platform>
+ </affected>
+ <description>The kernel runtime parameter "SYSCTLVAR" should be set to
"SYSCTLVAL".</description>
+ <reference source="swells" ref_id="20130928" ref_url="test_attestation"
/>
+ </metadata>
+ <criteria operator="AND">
+ <criterion comment="kernel runtime parameter SYSCTLVAR set to SYSCTLVAL"
test_ref="test_runtime_sysctl_SYSCTLID" />
+ <criterion comment="kernel /etc/sysctl.conf parameter SYSCTLVAR set to
SYSCTLVAL" test_ref="test_static_sysctl_SYSCTLID" />
+ </criteria>
+ </definition>
+
+ <unix:sysctl_test check="all" check_existence="all_exist" comment="kernel
runtime parameter SYSCTLVAR set to SYSCTLVAL" id="test_runtime_sysctl_SYSCTLID"
version="1">
+ <unix:object object_ref="object_sysctl_SYSCTLID" />
+ <unix:state state_ref="state_sysctl_SYSCTLID" />
+ </unix:sysctl_test>
+
+ <ind:textfilecontent54_test check="all" check_existence="all_exist"
comment="SYSCTLVAR static configuration" id="test_static_sysctl_SYSCTLID"
version="1">
+ <ind:object object_ref="object_static_sysctl_SYSCTLID" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object id="object_static_sysctl_SYSCTLID" version="1">
+ <ind:filepath>/etc/sysctl.conf</ind:filepath>
+ <ind:pattern operation="pattern
match">^[\s]*SYSCTLVAR[\s]*=[\s]*SYSCTLVAL*$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <unix:sysctl_object id="object_sysctl_SYSCTLID" version="1">
+ <unix:name>SYSCTLVAR</unix:name>
+ </unix:sysctl_object>
+
+ <unix:sysctl_state id="state_sysctl_SYSCTLID" version="1">
+ <unix:value datatype="int" operation="equals">SYSCTLVAL</unix:value>
+ </unix:sysctl_state>
+</def-group>
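Review bot: The static pattern on the `ind:pattern` line ends in `SYSCTLVAL*$`, so the `*` quantifies only the last character of the substituted value: for `0` it accepts `00` and, for any value, an assignment with nothing after the `=`, which is weaker than the `equals` comparison the runtime `unix:value` state makes. The unescaped dots in SYSCTLVAR are also regex wildcards here. `^[\s]*SYSCTLVAR[\s]*=[\s]*SYSCTLVAL[\s]*$` checks the exact value, and having the generator substitute a regex-escaped name (e.g. `re.escape`) into this pattern would close the wildcard. With `instance` 1 the test passes as soon as any line matches, so a later conflicting assignment in `/etc/sysctl.conf` is not caught by the static test (the runtime test would still catch it once the file is applied). This file appears to be moved here unchanged (same blob id as the deleted `templates/template_sysctl`), so the weakness predates the commit.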
diff --git a/RHEL/6/input/checks/templates/template_sysctl
b/RHEL/6/input/checks/templates/template_sysctl
deleted file mode 100644
index be623db..0000000
--- a/RHEL/6/input/checks/templates/template_sysctl
+++ /dev/null
@@ -1,40 +0,0 @@
-<def-group>
- <!-- THIS FILE IS GENERATED by create_sysctl_checks.py. DO NOT EDIT. -->
- <definition class="compliance" id="sysctl_SYSCTLID" version="1">
- <metadata>
- <title>Kernel Runtime Parameter "SYSCTLVAR" Check</title>
- <affected family="unix">
- <platform>Red Hat Enterprise Linux 6</platform>
- </affected>
- <description>The kernel runtime parameter "SYSCTLVAR" should be set to
"SYSCTLVAL".</description>
- <reference source="swells" ref_id="20130928" ref_url="test_attestation"
/>
- </metadata>
- <criteria operator="AND">
- <criterion comment="kernel runtime parameter SYSCTLVAR set to SYSCTLVAL"
test_ref="test_runtime_sysctl_SYSCTLID" />
- <criterion comment="kernel /etc/sysctl.conf parameter SYSCTLVAR set to
SYSCTLVAL" test_ref="test_static_sysctl_SYSCTLID" />
- </criteria>
- </definition>
-
- <unix:sysctl_test check="all" check_existence="all_exist" comment="kernel
runtime parameter SYSCTLVAR set to SYSCTLVAL" id="test_runtime_sysctl_SYSCTLID"
version="1">
- <unix:object object_ref="object_sysctl_SYSCTLID" />
- <unix:state state_ref="state_sysctl_SYSCTLID" />
- </unix:sysctl_test>
-
- <ind:textfilecontent54_test check="all" check_existence="all_exist"
comment="SYSCTLVAR static configuration" id="test_static_sysctl_SYSCTLID"
version="1">
- <ind:object object_ref="object_static_sysctl_SYSCTLID" />
- </ind:textfilecontent54_test>
-
- <ind:textfilecontent54_object id="object_static_sysctl_SYSCTLID" version="1">
- <ind:filepath>/etc/sysctl.conf</ind:filepath>
- <ind:pattern operation="pattern
match">^[\s]*SYSCTLVAR[\s]*=[\s]*SYSCTLVAL*$</ind:pattern>
- <ind:instance datatype="int">1</ind:instance>
- </ind:textfilecontent54_object>
-
- <unix:sysctl_object id="object_sysctl_SYSCTLID" version="1">
- <unix:name>SYSCTLVAR</unix:name>
- </unix:sysctl_object>
-
- <unix:sysctl_state id="state_sysctl_SYSCTLID" version="1">
- <unix:value datatype="int" operation="equals">SYSCTLVAL</unix:value>
- </unix:sysctl_state>
-</def-group>
diff --git a/RHEL/6/input/fixes/bash/templates/create_sysctl_bash.py
b/RHEL/6/input/fixes/bash/templates/create_sysctl_bash.py
deleted file mode 100755
index 4d42ed3..0000000
--- a/RHEL/6/input/fixes/bash/templates/create_sysctl_bash.py
+++ /dev/null
@@ -1,35 +0,0 @@
-#!/usr/bin/python
-
-import sys, csv, re
-
-def output_checkfile(serviceinfo):
- # get the items out of the list
- sysctl_var, sysctl_val = serviceinfo
- # convert variable name to a format suitable for 'id' tags
- sysctl_var_id = re.sub('[-\.]', '_', sysctl_var)
- # open the template and perform the conversions
- with open("template_sysctl", 'r') as templatefile:
- filestring = templatefile.read()
- filestring = filestring.replace("SYSCTLID", sysctl_var_id)
- filestring = filestring.replace("SYSCTLVAR", sysctl_var)
- filestring = filestring.replace("SYSCTLVAL", sysctl_val)
- # write the check
- with open("./output/sysctl_" + sysctl_var_id + ".sh", 'wb+') as
outputfile:
- outputfile.write(filestring)
- outputfile.close()
-
-def main():
- if len(sys.argv) < 2:
- print "Provide a CSV file containing lines of the format:
sysctlvariable,sysctlvalue"
- sys.exit(1)
- with open(sys.argv[1], 'r') as f:
- # put the CSV line's items into a list
- sysctl_lines = csv.reader(f)
- for line in sysctl_lines:
- output_checkfile(line)
-
- sys.exit(0)
-
-if __name__ == "__main__":
- main()
-
diff --git a/RHEL/6/input/fixes/bash/templates/template_sysctl
b/RHEL/6/input/fixes/bash/templates/template_sysctl
deleted file mode 100644
index e654ee3..0000000
--- a/RHEL/6/input/fixes/bash/templates/template_sysctl
+++ /dev/null
@@ -1,16 +0,0 @@
-#
-# Set runtime for SYSCTLVAR
-#
-sysctl -q -n -w SYSCTLVAR=SYSCTLVAL
-
-#
-# If SYSCTLVAR present in /etc/sysctl.conf, change value to "SYSCTLVAL"
-# else, add "SYSCTLVAR = SYSCTLVAL" to /etc/sysctl.conf
-#
-if grep --silent ^SYSCTLVAR /etc/sysctl.conf ; then
- sed -i 's/^SYSCTLVAR.*/SYSCTLVAR = SYSCTLVAL/g' /etc/sysctl.conf
-else
- echo "" >> /etc/sysctl.conf
- echo "# Set SYSCTLVAR to SYSCTLVAL per security requirements" >>
/etc/sysctl.conf
- echo "SYSCTLVAR = SYSCTLVAL" >> /etc/sysctl.conf
-fi
--
1.7.1