Hello David,
> Ahh, excellent - glad to see the addition of Fedora content!
>
> Two quick things before I can ack this patch set:
>
> 1) Have the OVAL checks been tested in Fedora 19? In the RHEL 6 content,
> there is a testcheck.py within /input/checks/ -- it might be worth copying
> that over.
Thank you for your reply and suggestion(s). No, the proposed content hasn't been
tested via the testcheck.py / verify-input-sanity.py utilities yet (I have just
focused on getting those scripts listed in the Makefile to work [and tested that
those OVAL definitions / scans work properly on Fedora-19 and return 'not
applicable' for other products]).
But it is definitely a reasonable enhancement. The attached file contains the
current output of its run in / against the RHEL6 directory. Those warnings cover
definitions not currently present in Fedora (not saying those shouldn't be fixed,
of course) => we should be safe wrt these and Fedora.
Regarding the traceback, I will try to find why / where it's failing and submit
a patch to overcome it. Subsequently (once I've got it working) we could possibly
add the verify-input-sanity.py script to be run by default (hopefully under the
'make checks', 'make validate-xml', or 'make validate' clauses), so we would
catch possible regressions / notice something changed in the wrong direction
in the future.
>
> 2) When copying XCCDF and OVAL from the RHEL 6 content, we should be careful
> to remove the test attestation that was done under RHEL, and re-add it with
> the tester's initials and date when tested under Fedora 19.
Originally I wanted to ask what you mean by test attestation, but Shawn clarified
it already :). Sure, I will grep the content for its occurrences and remove the
particular records for now.
Do you possibly have a link to some documentation on how that attestation is
created?
Is it like: SSG content is committed into the repository (after internal
review), subsequently some third party performs independent testing of the
profiles (or even individual OVAL file definitions) and, if they pass the
review, grants the attestation? What kind of organisation does this for RHEL6?
And who would be able to grant these for Fedora? IOW, how should this
attestation testing look for Fedora?
Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
$ ./verify-input-sanity.py
WARNING: OVAL check src/input/checks/accounts_password_minclass_login_defs.xml has ID "accounts_password_pam_cracklib_minclass"
the ID should match the file name without the .xml
WARNING: OVAL check src/input/checks/accounts_passwords_pam_fail_interval.xml has ID "accounts_passwords_pam_faillock_fail_interval"
the ID should match the file name without the .xml
WARNING: XCCDF Rule "disable_logwatch_for_logserver" references OVAL check "logwatch_disabled_for_logserver" which does not exist
problem occurs in file: src/input/system/logging.xml
WARNING: XCCDF Rule "set_gdm_login_banner_text" references OVAL check "banner_gui_text_set" which does not exist
problem occurs in file: src/input/system/accounts/banners.xml
WARNING: XCCDF Rule "deny_password_attempts_fail_interval" references OVAL check "accounts_passwords_pam_faillock_fail_interval" which does not exist
problem occurs in file: src/input/system/accounts/pam.xml
Traceback (most recent call last):
  File "./verify-input-sanity.py", line 130, in <module>
    tree = ET.fromstring(xccdf_xml_contents)
  File "lxml.etree.pyx", line 2993, in lxml.etree.fromstring (src/lxml/lxml.etree.c:62557)
  File "parser.pxi", line 1617, in lxml.etree._parseMemoryDocument (src/lxml/lxml.etree.c:92539)
  File "parser.pxi", line 1495, in lxml.etree._parseDoc (src/lxml/lxml.etree.c:91352)
  File "parser.pxi", line 1011, in lxml.etree._BaseParser._parseDoc (src/lxml/lxml.etree.c:88025)
  File "parser.pxi", line 577, in lxml.etree._ParserContext._handleParseResultDoc (src/lxml/lxml.etree.c:83766)
  File "parser.pxi", line 676, in lxml.etree._handleParseResult (src/lxml/lxml.etree.c:84869)
  File "parser.pxi", line 616, in lxml.etree._raiseParseError (src/lxml/lxml.etree.c:84192)
lxml.etree.XMLSyntaxError: XML declaration allowed only at the start of the document, line 1, column 49
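As an added example (not code from this thread and not the scap-security-guide project's own verify-input-sanity.py), the following Python script re-creates the two kinds of sanity check whose warnings appear in the attached output, run over constructed sample input, and adds a pre-check for the condition behind the traceback: an XML declaration that appears anywhere but at the very start of the string handed to the parser, which is what happens when several files that each carry their own declaration are pasted together into one document. The shapes of the sample fragments (a def-group wrapping a definition, a Rule with an oval child), the file names and the function names are assumptions of this example, not taken from the project.

```python
"""Input sanity checks of the kind verify-input-sanity.py reports (added example)."""
import re
import xml.etree.ElementTree as ET

# Constructed sample input (not the project's files): check file name -> contents.
# The <def-group>/<definition> shape is an assumption of this example.
OVAL_FILES = {
    "accounts_password_minclass_login_defs.xml":
        '<def-group><definition class="compliance" '
        'id="accounts_password_pam_cracklib_minclass" version="1"/></def-group>',
    "accounts_passwords_pam_fail_interval.xml":
        '<def-group><definition class="compliance" '
        'id="accounts_passwords_pam_faillock_fail_interval" version="1"/></def-group>',
    "sshd_disable_root_login.xml":
        '<def-group><definition class="compliance" '
        'id="sshd_disable_root_login" version="1"/></def-group>',
}

# Constructed XCCDF shorthand: path -> contents. A <Rule> names its OVAL check
# through an <oval id="..."/> child (assumed shape).
XCCDF_FILES = {
    "src/input/system/logging.xml":
        '<Group id="logging"><Rule id="disable_logwatch_for_logserver">'
        '<oval id="logwatch_disabled_for_logserver"/></Rule></Group>',
    "src/input/services/ssh.xml":
        '<Group id="ssh"><Rule id="sshd_disable_root_login">'
        '<oval id="sshd_disable_root_login"/></Rule></Group>',
}


def oval_ids(files):
    """Return {definition id: file name} for every <definition> in the OVAL files."""
    ids = {}
    for name, contents in files.items():
        for definition in ET.fromstring(contents).iter("definition"):
            ids[definition.get("id")] = name
    return ids


def check_oval_ids_match_filenames(files):
    """Warn when a definition id differs from its file name minus the .xml suffix."""
    warnings = []
    for check_id, name in oval_ids(files).items():
        if check_id != name[:-len(".xml")]:
            warnings.append('WARNING: OVAL check %s has ID "%s"\n'
                            'the ID should match the file name without the .xml'
                            % (name, check_id))
    return warnings


def check_xccdf_references(xccdf_files, oval_files):
    """Warn when an XCCDF Rule references an OVAL check that no file defines."""
    known = set(oval_ids(oval_files))
    warnings = []
    for path, contents in xccdf_files.items():
        for rule in ET.fromstring(contents).iter("Rule"):
            for oval in rule.findall("oval"):
                if oval.get("id") not in known:
                    warnings.append('WARNING: XCCDF Rule "%s" references OVAL check '
                                    '"%s" which does not exist\n'
                                    'problem occurs in file: %s'
                                    % (rule.get("id"), oval.get("id"), path))
    return warnings


def stray_xml_declarations(text):
    """Offsets of every '<?xml' that is not at offset 0.

    Parsers only accept an XML declaration at the very start of the document;
    a second one (typically from a concatenated file) is a parse error, so this
    pre-check points at the offending fragment before parsing is attempted.
    """
    return [m.start() for m in re.finditer(r"<\?xml", text) if m.start() != 0]


def embed_fragments(root_tag, fragments):
    """Build one document from fragments, dropping each fragment's own declaration."""
    body = "".join(re.sub(r"^\s*<\?xml[^>]*\?>", "", f) for f in fragments)
    return "<%s>%s</%s>" % (root_tag, body, root_tag)


def parses(text):
    """True if the stdlib parser accepts the document, False on a syntax error."""
    try:
        ET.fromstring(text)
        return True
    except ET.ParseError:
        return False


if __name__ == "__main__":
    for warning in (check_oval_ids_match_filenames(OVAL_FILES)
                    + check_xccdf_references(XCCDF_FILES, OVAL_FILES)):
        print(warning)
    pieces = ['<?xml version="1.0" encoding="UTF-8"?><a/>', '<?xml version="1.0"?><b/>']
    print("naive join parses:", parses("".join(pieces)),
          "stray declarations at:", stray_xml_declarations("".join(pieces)))
    print("embedded join parses:", parses(embed_fragments("Benchmark", pieces)))
```

On the constructed input the two checks emit warnings of the same two kinds as the attached run (two id/file-name mismatches, one dangling Rule reference), while the naive join of two declaration-carrying fragments fails to parse and the offset reported by stray_xml_declarations locates the second declaration; embedding the fragments under a single root after stripping their declarations parses cleanly.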
_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide