On Thu, 31 Jan 2013 13:56:41 -0500 Mike Palmiotto <[email protected]> wrote:
> On 1/31/2013 11:20 AM, Brian Millett wrote:
> > On Thu, Jan 31, 2013 at 9:49 AM, Mike Palmiotto
> > <[email protected]> wrote:
> >
> >> On 1/31/2013 9:38 AM, Brian Millett wrote:
> >>
> >>> I'm really interested in adding fixes, or having a set of fixes I can
> >>> apply to
> >>> the xccdf for rhel6. I've looked at the line in the Makefile:
> >>>
> >>> xsltproc -stringparam fixes "../$(IN)/fixes/bash-ks.xml" -o
> >>> $(OUT)/unlinked-rhel6-xccdf.xml $(TRANS)/xccdf-addfixes.xslt
> >>> $(OUT)/unlinked-rhel6-xccdf.xml
> >>>
> >>> and it looks like, following the bash-ks.xml, I can create a file with
> >>> each fix
> >>> as long as each fix-id is the same as the rule-id so that the fix can be
> >>> merged with the appropriate rule into a final xccdf.xml file.
> >>>
> >>
> >> When you say fix-id, do you mean the rule attribute for each fix tag?
> >>
> >
> > Ok, silly me, I went back and looked at the bash-ks.xml and I had totally
> > misread the fix.
> >
> > In the bash-ks.xml a fix is as
> >
> > <fix rule="disable_vsftp">service vsftpd stop</fix>
> >
> > while in a xccdf Rule tag, the fix is as
> >
> > <fix id="service_restorecond_enabled" reboot="false" platform=""
> > system="">chkconfig restorecond on</fix>
> >
> >
> > So, I didn't grok the "id=" vs the "rule=".
> >
> > That makes sense.
> >
> > So the bash-ks.xml is
> >
> > <fix-group id="bash" system="urn:xccdf:fix:script:bash" xmlns="
> > <snip>
> > > fi</fix>
> > </fix-group>
>
> You've got it.
> <snip if really good info >

Good stuff. Thanks

I've been trying to get the sample bash-ks.xml to work, but when I run make, no fixes referenced in the bash-ks.xml get added to the finalized xccdf.xml file. I removed the comment in the Makefile so the xccdf-addfixes.xslt is fired, but not output.

Kind of wanted to take baby steps with just the supplied before I dive into other projects/efforts to add fixes.

Thanks.
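Added example, not part of the original message and not the project's xccdf-addfixes.xslt: a Python check that mimics the merge discussed in the thread, attaching each `<fix rule="...">` to the `<Rule>` whose `id` has the same value, and listing the fixes whose `rule` value matches no Rule (under id-keyed merging those would be left out of the result). The sample documents, the placeholder namespace, the function names and the choice to copy the group's `system` attribute onto the merged fix are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs (assumptions, not the project's files).
XCCDF = """<Benchmark xmlns="urn:example:placeholder-ns">
  <Group id="services">
    <Rule id="disable_vsftp"><title>Disable vsftpd</title></Rule>
    <Rule id="service_restorecond_enabled"><title>Enable restorecond</title></Rule>
  </Group>
</Benchmark>"""

FIXES = """<fix-group id="bash" system="urn:xccdf:fix:script:bash"
    xmlns="urn:example:placeholder-ns">
  <fix rule="disable_vsftp">service vsftpd stop</fix>
  <fix rule="disable_vsftpd">chkconfig vsftpd off</fix>
</fix-group>"""


def local(tag):
    """Strip ElementTree's '{namespace}' prefix so matching ignores xmlns."""
    return tag.rsplit("}", 1)[-1]


def merge_fixes(xccdf_xml, fixes_xml):
    """Attach each <fix rule="X"> to <Rule id="X">; return (benchmark, unmatched)."""
    bench = ET.fromstring(xccdf_xml)
    group = ET.fromstring(fixes_xml)
    rules = {el.get("id"): el for el in bench.iter() if local(el.tag) == "Rule"}
    unmatched = []
    for fix in group:
        if local(fix.tag) != "fix":
            continue
        rule = rules.get(fix.get("rule"))
        if rule is None:
            # No Rule carries this id, so there is nothing to merge into.
            unmatched.append(fix.get("rule"))
            continue
        # Assumption: the merged fix inherits the fix-group's system attribute.
        merged = ET.SubElement(rule, fix.tag, {"system": group.get("system", "")})
        merged.text = fix.text
    return bench, unmatched


def fixes_by_rule(bench):
    """Map every Rule id to the text of the fixes now attached to it."""
    return {r.get("id"): [f.text for f in r if local(f.tag) == "fix"]
            for r in bench.iter() if local(r.tag) == "Rule"}


if __name__ == "__main__":
    bench, unmatched = merge_fixes(XCCDF, FIXES)
    print("merged:", fixes_by_rule(bench))
    print("fixes with no matching Rule id:", unmatched)
```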
