On Sunday, April 07, 2013 9:03 AM, Francisco Slavin wrote:
> On Saturday, April 06, 2013 4:30 PM, Shawn Wells wrote:
> > On Apr 6, 2013, at 8:08 AM, Simon Lukasik <[email protected]> wrote:
> > >
> > > On 04/05/2013 09:08 PM, Francisco Slavin wrote:
> > >> If all of the bash scripts will live within one XCCDF XML file, each in discrete <fix> tags, I'm not sure what approach the community would like to take regarding function re-use. It seems like some pre-processing may be necessary; i.e. resolve the source operator before inserting the script content into the <fix> tag. The goal is to only have one copy of a specific function saved in the SSG repo but to be able to use it for multiple <fix>es which differ only in one parameter.
> > >
> > > Maybe the text substitution of <plain-text> could be considered for this task. According to NISTIR-7275r4, the <xccdf:sub> element within <xccdf:fix> may refer to the <xccdf:plain-text> element.
> > >
> > > Hence, SSG may use plain-text elements for the definition of common scripts or functions, and only refer to that single plain-text from all of the Rules.
> > >
> > > An example of <plain-text> usage is in the OpenSCAP unit tests at:
> > >
> > > http://git.fedorahosted.org/cgit/openscap.git/tree/tests/API/XCCDF/unittests/test_remediation_subs_plain_text.xccdf.xml
> > >
> > > and
> > >
> > > http://git.fedorahosted.org/cgit/openscap.git/tree/tests/API/XCCDF/unittests/
> >
> > This is fantastic, thank you Simon! I went through your unit test scripts and got a few ideas on improving SSG (outside of remediation).
> >
> > I won't get a chance to try this until late Sunday, but we should easily be able to transform "functions" as existing in current Tresys scripts. Someone feel free to shoot out a first draft/patch!
>
> The <plain-text> usage does look like an excellent approach here. I'll try to find some time today to hack together a patch based on the scripts I sent previously.
I just sent up a patch with an initial stab at this, but it will need a bit of touchup. My XSLT is rocky, so I was pretty heavy-handed with my update to the addfixes XSLT; there is probably a cleaner way of getting everything in the proper order in the output. It currently takes everything from files named ".*common" in the fixes/bash/ directory and puts it into <plain-text> elements in the final XCCDF, as per Simon's examples.

The question I have would be whether I should replace the source operator lines in the .sh files with <sub> references, or whether we should leave those source lines in place and turn them into <sub> lines with some more transform-magic. Any preferences?

Thank you,
- Francisco

> - Francisco
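As an added illustration of the <plain-text>/<sub> substitution discussed in this thread (example code, not part of the thread, SSG or OpenSCAP), the script below resolves <sub idref="..."/> references inside shell <fix> elements against a benchmark's <plain-text> elements, the way a remediation engine would before running the script. The benchmark, its ids and the shared disable_service helper are all constructed for the example.

```python
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"   # XCCDF 1.2 (NISTIR-7275r4)
NS = {"xccdf": XCCDF_NS}
SH_FIX = "urn:xccdf:fix:script:sh"

# Constructed sample benchmark: the helper is written once in <plain-text>;
# two <fix> elements pull it in with <sub> and differ only in the argument.
SAMPLE_BENCHMARK = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2"
           id="xccdf_example_benchmark_demo">
  <plain-text id="bash_service_common"># shared helper, defined once
disable_service() {
    systemctl disable --now "$1"
}
</plain-text>
  <Rule id="xccdf_example_rule_disable_telnet" selected="true">
    <fix system="urn:xccdf:fix:script:sh"><sub idref="bash_service_common"/>
disable_service telnet.socket
</fix>
  </Rule>
  <Rule id="xccdf_example_rule_disable_rsh" selected="true">
    <fix system="urn:xccdf:fix:script:sh"><sub idref="bash_service_common"/>
disable_service rsh.socket
</fix>
  </Rule>
</Benchmark>
"""

def resolve_fixes(benchmark_xml):
    """Return {rule_id: script} with each <sub> in a shell <fix> expanded to
    the body of the <plain-text> it references."""
    root = ET.fromstring(benchmark_xml)
    plain_text = {pt.get("id"): pt.text or ""
                  for pt in root.findall("xccdf:plain-text", NS)}
    scripts = {}
    for rule in root.iter(f"{{{XCCDF_NS}}}Rule"):
        for fix in rule.findall("xccdf:fix", NS):
            if fix.get("system") != SH_FIX:
                continue
            parts = [fix.text or ""]  # script text before the first <sub>
            for child in fix:
                if child.tag != f"{{{XCCDF_NS}}}sub":
                    raise ValueError(f"unexpected element {child.tag} in <fix>")
                idref = child.get("idref")
                if idref not in plain_text:
                    # A dangling idref would ship a script calling an undefined function
                    raise KeyError(f"{rule.get('id')}: <sub> references unknown id {idref!r}")
                parts.append(plain_text[idref])  # inline the shared function
                parts.append(child.tail or "")   # rule-specific text after <sub>
            scripts[rule.get("id")] = "".join(parts)
    return scripts
```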
