Hi,

I think xccdf:sub should be used in all descriptions where any XCCDF variable 
is referred to. E.g., it's quite confusing to have an XCCDF profile that specifies 
and checks for 'MIN_PASS_LEN 12' but the guide/report description states 
'MIN_PASS_LEN 10'.

I already raised this subject and even tried to submit a patch for this. It 
works quite well for me... 

Regards

[sorry if this is a repost, my 'from:' address changed and my previous e-mail 
went to the approval queue]

-----Original Message-----
From: [email protected] 
[mailto:[email protected]] On Behalf Of Simon 
Lukasik
Sent: Wednesday, 19 March 2014 08:33
To: SCAP Security Guide
Subject: Re: xccdf:sub elements commented out

On 03/18/2014 05:33 PM, Jan Ruzicka wrote:
> Hi,
>

Hello,

> Was the commenting out result of some evaluation substituting specified 
> values?

The commented-out code was not the result of automated evaluation/substitution.

> Is there a step to revert this substitution (to have a roundtrip) ?
>

The xccdf:sub elements are rarely substituted in the input XCCDF file [1]. The 
xccdf:sub elements are only resolved at run time, e.g. in order to be 
printed out.

[1]: There is only one exception. OpenSCAP substitutes xccdf:sub elements 
within Rule/fix and exports the result to the particular rule-result/fix during 
remediation. That is done to help users debug/audit what commands have been run.

> Jan
>
> On Mar 18, 2014, at 10:46, Simon Lukasik wrote:
>
>> Hello,
>>
>> I have noticed that in the content there is often an xccdf:sub element 
>> commented out (or even omitted). I wonder why these elements are 
>> commented out. I thought perhaps there was some problem in OpenSCAP 
>> which has held you back from using sub elements.
>>
>> As a reminder, xccdf:sub elements can be used within a Rule's title, 
>> description, or fix elements. Each xccdf:sub element refers to an 
>> XCCDF variable. The value of the variable depends on the selected profile. 
>> During content processing, the xccdf:sub elements shall get 
>> resolved according to the profile.
>>
>> I have recently reviewed and fixed OpenSCAP and SCAP-Workbench tools 
>> in regard to the xccdf:sub processing. Please consider 
>> using/uncommenting xccdf:sub elements.
>>
>> The following snippets from ssg-rhel6-xccdf.xml illustrate the 
>> current (non-)usage of sub elements:
>>
>> (1)
>> PASS_MIN_LEN 14<!-- <sub
>> idref="var_accounts_password_minlen_login_defs"> -->
>>
>> (2)
>> the following lines in <xhtml:code>/etc/default/useradd</xhtml:code>,
>> substituting
>> <xhtml:code><i
>> xmlns="http://www.w3.org/1999/xhtml">NUM_DAYS</i></xhtml:code>
>> appropriately:
>> <pre 
>> xmlns="http://www.w3.org/1999/xhtml">INACTIVE=<i>NUM_DAYS</i></pre>
>>
>> (3)
>> to require differing
>> characters when changing passwords, substituting <i 
>> xmlns="http://www.w3.org/1999/xhtml">NUM</i> appropriately.
>> The DoD requirement is <xhtml:code>4</xhtml:code>.
>>
>> (4)
>> umask 077<!-- <sub idref="var_accounts_user_umask" /> -->
>>
>> (5)
>> Modify the following line,
>> substituting <i xmlns="http://www.w3.org/1999/xhtml">ACTION</i>
>> appropriately:
>> <pre xmlns="http://www.w3.org/1999/xhtml">space_left_action = 
>> <i>ACTION</i></pre> Possible values for <i 
>> xmlns="http://www.w3.org/1999/xhtml">ACTION</i>
>> are described in the <xhtml:code>auditd.conf</xhtml:code> man page.
>>
>> --
>> Simon Lukasik
>> Security Technologies, Red Hat, Inc.
>> _______________________________________________
>> scap-security-guide mailing list
>> [email protected]
>> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
>
> Jan Ruzicka
> Senior Software Engineer
> Comtech Mobile Datacom Corporation
> 20430 Century Blvd, Germantown, MD 20874
> Office: 240-686-3300
> Fax: 240-686-3301
>


--
Simon Lukasik
Security Technologies
_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
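The profile-dependent resolution Simon describes, as an added example that is not part of the thread and not SSG or OpenSCAP code: a small constructed XCCDF 1.2 benchmark (made-up identifiers, values and sed fix) with two profiles, where the strict one uses refine-value to pick a selector on one Value and set-value to override another, and a resolver that replaces each xccdf:sub in a Rule's title, description and fix with what the chosen profile gives it. set-value takes precedence over the Value's own selectors, and a selector no <value> carries falls back to the <value> without a selector attribute.

```python
"""Resolve xccdf:sub elements against an XCCDF Profile's Value selections.
Added example for this thread, not SSG or OpenSCAP code; the benchmark, its
identifiers and the sed fix are constructed for illustration only."""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
NS = {"xccdf": XCCDF_NS}
SUB_TAG = "{%s}sub" % XCCDF_NS

# Constructed benchmark: two profiles, a Value with a "strict" selector, a Value overridden by set-value.
BENCHMARK_XML = """\
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2"
           xmlns:html="http://www.w3.org/1999/xhtml" id="xccdf_org.example_benchmark_demo">
  <Profile id="xccdf_org.example_profile_common"/>
  <Profile id="xccdf_org.example_profile_strict">
    <set-value idref="xccdf_org.example_value_user_umask">027</set-value>
    <refine-value idref="xccdf_org.example_value_password_minlen" selector="strict"/>
  </Profile>
  <Value id="xccdf_org.example_value_password_minlen" type="number">
    <title>Minimum password length</title>
    <value>12</value><value selector="strict">14</value>
  </Value>
  <Value id="xccdf_org.example_value_user_umask" type="string">
    <title>Default user umask</title><value>077</value>
  </Value>
  <Rule id="xccdf_org.example_rule_login_defs">
    <title>Set <sub idref="xccdf_org.example_value_password_minlen" use="title"/> in login.defs</title>
    <description>Add or correct the following line in <html:code>/etc/login.defs</html:code>:
      <html:pre>PASS_MIN_LEN <sub idref="xccdf_org.example_value_password_minlen"/></html:pre>
      and set the default umask to <sub idref="xccdf_org.example_value_user_umask"/>.</description>
    <fix system="urn:xccdf:fix:script:sh">sed -i 's/^PASS_MIN_LEN.*/PASS_MIN_LEN <sub idref="xccdf_org.example_value_password_minlen"/>/' /etc/login.defs
umask <sub idref="xccdf_org.example_value_user_umask"/></fix>
  </Rule>
</Benchmark>
"""
ROOT = ET.fromstring(BENCHMARK_XML)  # parsed once; every function below takes a root

def _by_id(root, local, ident, attr="id"):
    elem = root.find("xccdf:%s[@%s='%s']" % (local, attr, ident), NS)
    if elem is None:
        raise KeyError("no %s with %s=%s" % (local, attr, ident))
    return elem

def resolve_value(root, profile_id, value_id):
    """Return the text a <sub idref="value_id"/> yields under profile_id."""
    profile = _by_id(root, "Profile", profile_id)
    value = _by_id(root, "Value", value_id)
    # set-value wins outright: the profile supplies the literal itself.
    sv = profile.find("xccdf:set-value[@idref='%s']" % value_id, NS)
    if sv is not None:
        return (sv.text or "").strip()
    # refine-value names which selector applies; no refine-value means the default.
    rv = profile.find("xccdf:refine-value[@idref='%s']" % value_id, NS)
    selector = rv.get("selector", "") if rv is not None else ""
    choices = value.findall("xccdf:value", NS)
    for v in choices:
        if v.get("selector", "") == selector:
            return (v.text or "").strip()
    # No <value> carries that selector: fall back to the one without a selector.
    for v in choices:
        if "selector" not in v.attrib:
            return (v.text or "").strip()
    raise ValueError("Value %s has no default <value>" % value_id)

def resolve_text(elem, root, profile_id):
    """Flatten elem to text, replacing each xccdf:sub as profile_id dictates. Other
    markup (xhtml:code, xhtml:pre) is reduced to its text; a guide renderer keeps it."""
    parts = [elem.text or ""]
    for child in elem:
        if child.tag == SUB_TAG:
            idref = child.get("idref")
            use = child.get("use", "value")  # XCCDF 1.2 default is "value"
            if use == "value":
                parts.append(resolve_value(root, profile_id, idref))
            elif use == "title":
                parts.append(_by_id(root, "Value", idref).findtext("xccdf:title", "", NS).strip())
            else:
                raise ValueError("sub use=%r not handled in this example" % use)
        else:
            parts.append(resolve_text(child, root, profile_id))
        parts.append(child.tail or "")
    return "".join(parts)

def render_rule(root, profile_id, rule_id):
    """Resolve a Rule's title, description and fix as one profile would show them."""
    rule = _by_id(root, "Rule", rule_id)
    rendered = {}
    for field in ("title", "description", "fix"):
        text = resolve_text(rule.find("xccdf:%s" % field, NS), root, profile_id)
        # Prose fields get whitespace collapsed; the fix is a script, keep its lines.
        rendered[field] = text.strip() if field == "fix" else " ".join(text.split())
    return rendered

if __name__ == "__main__":
    for profile in ("xccdf_org.example_profile_common", "xccdf_org.example_profile_strict"):
        for key, text in sorted(render_rule(ROOT, profile, "xccdf_org.example_rule_login_defs").items()):
            print("%s %s: %s" % (profile.rsplit("_", 1)[1], key, text))
```

Run as a script it renders the same Rule twice: under the common profile the description and the fix both say PASS_MIN_LEN 12 and umask 077, under the strict profile PASS_MIN_LEN 14 and umask 027. A guide that hard-codes "PASS_MIN_LEN 14" in the prose next to a commented-out sub can only be right for one of those profiles; resolving the sub per profile keeps the text and the check it describes in agreement by construction, which is the mismatch this thread is about. Because set-value can replace any Value outright, the rendered text has to be produced per profile, not once per benchmark.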
