>From 2a619a0c834e7abb62f703a01a115055a4acfb03 Mon Sep 17 00:00:00 2001
From: Shawn Wells <[email protected]>
Date: Sat, 16 Feb 2013 13:24:14 -0500
Subject: [PATCH] [RFC] Modularized the fix scripts
 Wanted to get something in place to allow for the Aqueduct guys / interested 
parties
 to start working on fix scripts. Current approach involves placing the scripts 
into
 a single file (bash-ks), which really should be modularized (ala OVAL scripts).

- Developers now place their bash scripts into RHEL6/input/fixes/bash,
naming their file against the XCCDF rule name

- Make process concatenates these together:
(first argument == location of scripts, second == where to put concatenated 
file)
./$(TRANS)/combinefixes.sh $(IN)/fixes/bash/ $(OUT)/bash-remediations.xml

- bash-remediations uses the same syntax as the old bash-ks, allowing Jeff's
xccdf-addfixes.xslt to behave as normal

- At some point it makes sense to do everything in xccdf-addfixes.xslt

EXAMPLE USAGE:

(since generate fix only produces scripts for failed rules, change all results 
to fail)

if ! rpm -qa | grep -q aide; then
yum -y install aide
fi

if rpm -qa | grep -q xinetd; then
yum -y remove xinetd
fi

if rpm -qa | grep -q telnet-server; then
yum -y remove telnet-server
fi

if rpm -qa | grep -q ypserv; then
yum -y remove ypserv
fi
---
 RHEL6/Makefile                                    |    3 ++-
 RHEL6/input/fixes/bash-ks.xml                     |    7 -------
 RHEL6/input/fixes/bash/disable_vsftp.sh           |    3 +++
 RHEL6/input/fixes/bash/install_aide.sh            |    3 +++
 RHEL6/input/fixes/bash/uninstall_telnet_server.sh |    3 +++
 RHEL6/input/fixes/bash/uninstall_xinetd.sh        |    3 +++
 RHEL6/input/fixes/bash/uninstall_ypserv.sh        |    3 +++
 RHEL6/transforms/combinefixes.sh                  |   17 +++++++++++++++++
 8 files changed, 34 insertions(+), 8 deletions(-)
 delete mode 100644 RHEL6/input/fixes/bash-ks.xml
 create mode 100755 RHEL6/input/fixes/bash/disable_vsftp.sh
 create mode 100755 RHEL6/input/fixes/bash/install_aide.sh
 create mode 100755 RHEL6/input/fixes/bash/uninstall_telnet_server.sh
 create mode 100755 RHEL6/input/fixes/bash/uninstall_xinetd.sh
 create mode 100755 RHEL6/input/fixes/bash/uninstall_ypserv.sh
 create mode 100755 RHEL6/transforms/combinefixes.sh

diff --git a/RHEL6/Makefile b/RHEL6/Makefile
index 4d40d99..31d56b0 100644
--- a/RHEL6/Makefile
+++ b/RHEL6/Makefile
@@ -23,7 +23,8 @@ shorthand2xccdf: shorthand-guide
        xsltproc -o $(OUT)/unlinked-rhel6-ocil.xml 
$(TRANS)/xccdf-create-ocil.xslt $(OUT)/unlinked-rhel6-xccdf.xml
        xmllint --format --output $(OUT)/unlinked-rhel6-ocil.xml 
$(OUT)/unlinked-rhel6-ocil.xml 
        xsltproc -o $(OUT)/unlinked-ocilrefs-rhel6-xccdf.xml 
$(TRANS)/xccdf-ocilcheck2ref.xslt $(OUT)/unlinked-rhel6-xccdf.xml
-#      xsltproc -stringparam fixes "../$(IN)/fixes/bash-ks.xml" -o 
$(OUT)/unlinked-rhel6-xccdf.xml $(TRANS)/xccdf-addfixes.xslt 
$(OUT)/unlinked-rhel6-xccdf.xml
+       ./$(TRANS)/combinefixes.sh $(IN)/fixes/bash/ 
$(OUT)/bash-remediations.xml
+       xsltproc -stringparam fixes "../$(OUT)/bash-remediations.xml" -o 
$(OUT)/unlinked-rhel6-xccdf.xml $(TRANS)/xccdf-addfixes.xslt 
$(OUT)/unlinked-rhel6-xccdf.xml
        xmllint --format --output $(OUT)/unlinked-rhel6-xccdf.xml 
$(OUT)/unlinked-rhel6-xccdf.xml
 
 checks:
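Review bot: The new combine step is handed `$(OUT)/bash-remediations.xml` while the xsltproc stringparam on the next line is `../$(OUT)/bash-remediations.xml`; the two spellings presumably resolve against different bases (the make cwd versus the stylesheet's directory under `$(TRANS)`), so the recipe only works while `xccdf-addfixes.xslt` stays exactly one level down, and a one-line comment naming that assumption would save the next maintainer a debugging session. The scripts under `$(IN)/fixes/bash/` are also not prerequisites of `shorthand2xccdf`, so editing one will not rebuild the combined file on its own unless the target is already unconditional. The rest of the target's recipe lies outside the hunk.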
diff --git a/RHEL6/input/fixes/bash-ks.xml b/RHEL6/input/fixes/bash-ks.xml
deleted file mode 100644
index c9ee5bd..0000000
--- a/RHEL6/input/fixes/bash-ks.xml
+++ /dev/null
@@ -1,7 +0,0 @@
-<fix-group id="bash" system="urn:xccdf:fix:script:sh" 
xmlns="http://checklists.nist.gov/xccdf/1.1";>
-<fix rule="disable_vsftp">service vsftpd stop</fix>
-<fix rule="install_aide">yum -y install aide</fix>
-<fix rule="uninstall_xinetd">yum -y remove xinetd</fix>
-<fix rule="uninstall_telnet_server">yum -y remove telnet-server</fix>
-<fix rule="uninstall_ypserv">yum -y remove ypserv</fix>
-</fix-group>
diff --git a/RHEL6/input/fixes/bash/disable_vsftp.sh 
b/RHEL6/input/fixes/bash/disable_vsftp.sh
new file mode 100755
index 0000000..a9d4d72
--- /dev/null
+++ b/RHEL6/input/fixes/bash/disable_vsftp.sh
@@ -0,0 +1,3 @@
+if service vsftpd status >/dev/null; then
+       service vsftpd stop
+fi
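Review bot: The remediation only stops the running vsftpd instance, so for a rule named `disable_vsftp` the service comes back at the next boot; the persistent half is missing and should sit next to the stop, `chkconfig vsftpd off`. The guard `service vsftpd status >/dev/null` also leaves stderr open, so on a host where vsftpd is not installed the init script's error text lands in the remediation output; `>/dev/null 2>&1` keeps the probe silent either way.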
diff --git a/RHEL6/input/fixes/bash/install_aide.sh 
b/RHEL6/input/fixes/bash/install_aide.sh
new file mode 100755
index 0000000..55d82ca
--- /dev/null
+++ b/RHEL6/input/fixes/bash/install_aide.sh
@@ -0,0 +1,3 @@
+if ! rpm -qa | grep -q aide; then
+       yum -y install aide
+fi
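Review bot: `rpm -qa | grep -q aide` is a substring match over every installed package name, so any package whose name merely contains `aide` makes the guard believe AIDE is present and the install is skipped, leaving the host unremediated while the rule appears handled. An exact, cheaper query is `if ! rpm -q aide >/dev/null 2>&1; then`. The same substring pattern is used in uninstall_telnet_server.sh, uninstall_xinetd.sh and uninstall_ypserv.sh in this patch; there a false positive only triggers a no-op `yum remove`, but the `rpm -q <name>` form is preferable in all four.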
diff --git a/RHEL6/input/fixes/bash/uninstall_telnet_server.sh 
b/RHEL6/input/fixes/bash/uninstall_telnet_server.sh
new file mode 100755
index 0000000..2c93f60
--- /dev/null
+++ b/RHEL6/input/fixes/bash/uninstall_telnet_server.sh
@@ -0,0 +1,3 @@
+if rpm -qa | grep -q telnet-server; then
+       yum -y remove telnet-server
+fi
diff --git a/RHEL6/input/fixes/bash/uninstall_xinetd.sh 
b/RHEL6/input/fixes/bash/uninstall_xinetd.sh
new file mode 100755
index 0000000..593614d
--- /dev/null
+++ b/RHEL6/input/fixes/bash/uninstall_xinetd.sh
@@ -0,0 +1,3 @@
+if rpm -qa | grep -q xinetd; then
+       yum -y remove xinetd
+fi
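Review bot: `yum -y remove xinetd` answers yes to the full transaction, which on yum includes any installed package that depends on xinetd, so this fix can remove more than the named service; that is presumably intended for a hardening rule, but it is worth stating in a comment, e.g. `# -y also removes packages that require xinetd (e.g. other xinetd-managed services)`, so operators reviewing generated remediation scripts are not surprised.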
diff --git a/RHEL6/input/fixes/bash/uninstall_ypserv.sh 
b/RHEL6/input/fixes/bash/uninstall_ypserv.sh
new file mode 100755
index 0000000..d6897e1
--- /dev/null
+++ b/RHEL6/input/fixes/bash/uninstall_ypserv.sh
@@ -0,0 +1,3 @@
+if rpm -qa | grep -q ypserv; then
+       yum -y remove ypserv
+fi
diff --git a/RHEL6/transforms/combinefixes.sh b/RHEL6/transforms/combinefixes.sh
new file mode 100755
index 0000000..e351b1e
--- /dev/null
+++ b/RHEL6/transforms/combinefixes.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+## First argument: directory with .sh scripts
+## Second argument: where to put combined xml file
+
+shopt -s nullglob
+echo "<fix-group id=\"bash\" system=\"urn:xccdf:fix:script:sh\" 
xmlns=\"http://checklists.nist.gov/xccdf/1.1\";>" > $2
+
+for fixScript in $1/*.sh; do
+       fixName=`echo $fixScript | awk -F/ ' { print $NF } ' | awk -F. ' { 
print $1 }'`
+       fixContent=`cat $fixScript`
+       echo "<fix rule=\"$fixName\">" >>$2
+       cat $fixScript | while read fixLine; do echo $fixLine >>$2; done
+       echo "</fix>" >>$2
+done
+
+echo "</fix-group>" >>$2
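Review bot: The fix-script bodies are copied into the XML unescaped and through `cat | while read fixLine; do echo $fixLine >>$2; done`, so `read` without `-r` drops backslashes, the unquoted `echo $fixLine` word-splits, glob-expands and strips leading whitespace, and any `<` or `&` in a script (a `2>&1` or `&&`, say) yields malformed XML or a silently altered remediation; since the combined file is what ultimately runs on target hosts, the content should pass through an XML escape unchanged, and `$1`, `$2` and `$fixScript` need quoting. `fixContent` is assigned but never used, and the two awk calls reduce to `basename -- "$fixScript" .sh`. If the `;` after the xmlns URL on the fix-group line is really in the file rather than a mailing-list artifact, the opening tag is malformed as well. Rewritten body below.
```shell
#!/bin/bash
# … unchanged: usage comments …
set -eu
shopt -s nullglob
fixdir=${1:?directory with .sh scripts}
outfile=${2:?output xml file}

# Escape the three characters that are significant in XML text content.
xml_escape() {
  sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

printf '%s\n' '<fix-group id="bash" system="urn:xccdf:fix:script:sh" xmlns="http://checklists.nist.gov/xccdf/1.1">' > "$outfile"

for fixScript in "$fixdir"/*.sh; do
  fixName=$(basename -- "$fixScript" .sh)
  printf '<fix rule="%s">\n' "$fixName" >> "$outfile"
  # Copy the script verbatim (no word-splitting or backslash handling), escaped.
  xml_escape < "$fixScript" >> "$outfile"
  printf '</fix>\n' >> "$outfile"
done

printf '</fix-group>\n' >> "$outfile"
```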
-- 
1.7.1
