Hi,

On 03/19/2014 08:20 PM, Rui Pedro Bernardino wrote:
Hi,

I think xccdf:sub should be used in all descriptions where any XCCDF variable 
is referred to. E.g., it's quite confusing to have an XCCDF profile that specifies 
and checks for 'MIN_PASS_LEN 12' but the guide/report description states 
'MIN_PASS_LEN 10'.

+1


I already raised this subject and even tried to submit a patch for this. It 
works quite well for me...

Regards

Peter.


[sorry if this is a repost, my 'from:' address changed and my previous e-mail 
went to the approval queue]

-----Original Message-----
From: [email protected] 
[mailto:[email protected]] On Behalf Of Simon 
Lukasik
Sent: Wednesday, 19 March 2014 08:33
To: SCAP Security Guide
Subject: Re: xccdf:sub elements commented out

On 03/18/2014 05:33 PM, Jan Ruzicka wrote:
Hi,


Hello,

Was the commenting out the result of some evaluation substituting specified values?

The commented-out code was not the result of automated evaluation/substitution.

Is there a step to revert this substitution (to have a roundtrip) ?


The xccdf:sub elements are rarely substituted in the input XCCDF file [1]. The 
xccdf:sub elements are only resolved at run time; e.g. in order to be 
printed out.

[1]: There is only one exception. OpenSCAP substitutes xccdf:sub elements 
within Rule/fix and exports the result to the particular rule-result/fix during 
remediation. That is done to help users debug/audit what commands have been run.

Jan

On Mar 18, 2014, at 10:46, Simon Lukasik wrote:

Hello,

I have noticed that in the content there is often an xccdf:sub element
commented out (or even omitted). I wonder why these elements are
commented out. I thought, perhaps there was some problem in OpenSCAP
which has held you back from using sub elements.

As a reminder, xccdf:sub elements can be used within a Rule's title,
description, or fix elements. Each xccdf:sub element refers to an
XCCDF variable. The value of the variable depends on the selected profile.
During content processing, the xccdf:sub elements shall get
resolved according to the profile.

I have recently reviewed and fixed the OpenSCAP and SCAP-Workbench tools
in regard to xccdf:sub processing. Please consider
using/uncommenting xccdf:sub elements.

The following snippets from ssg-rhel6-xccdf.xml illustrate the
current (non-)usage of sub elements:

(1)
PASS_MIN_LEN 14<!-- <sub
idref="var_accounts_password_minlen_login_defs"> -->

(2)
the following lines in <xhtml:code>/etc/default/useradd</xhtml:code>,
substituting
<xhtml:code><i
xmlns="http://www.w3.org/1999/xhtml">NUM_DAYS</i></xhtml:code>
appropriately:
<pre
xmlns="http://www.w3.org/1999/xhtml">INACTIVE=<i>NUM_DAYS</i></pre>

(3)
to require differing
characters when changing passwords, substituting <i
xmlns="http://www.w3.org/1999/xhtml">NUM</i> appropriately.
The DoD requirement is <xhtml:code>4</xhtml:code>.

(4)
umask 077<!-- <sub idref="var_accounts_user_umask" /> -->

(5)
Modify the following line,
substituting <i xmlns="http://www.w3.org/1999/xhtml">ACTION</i>
appropriately:
<pre xmlns="http://www.w3.org/1999/xhtml">space_left_action =
<i>ACTION</i></pre> Possible values for <i
xmlns="http://www.w3.org/1999/xhtml">ACTION</i>
are described in the <xhtml:code>auditd.conf</xhtml:code> man page.

--
Simon Lukasik
Security Technologies, Red Hat, Inc.
_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide

Jan Ruzicka
Senior Software Engineer
Comtech Mobile Datacom Corporation
20430 Century Blvd, Germantown, MD 20874
Office: 240-686-3300
Fax: 240-686-3301




--
Simon Lukasik
Security Technologies


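Added example, not part of the original thread and not OpenSCAP's own code: a Python illustration of how an xccdf:sub in a Rule description resolves differently per profile, as discussed above. It assumes the XCCDF 1.1 namespace; the benchmark, the ids var_minlen and rule_minlen, and the profiles strict and custom are constructed for illustration.

```python
import xml.etree.ElementTree as ET

XCCDF = "http://checklists.nist.gov/xccdf/1.1"  # assumption: XCCDF 1.1 content

def T(name):
    return "{%s}%s" % (XCCDF, name)

# Constructed sample benchmark, not taken from ssg-rhel6-xccdf.xml
SAMPLE = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="demo">
  <Profile id="strict"><refine-value idref="var_minlen" selector="14"/></Profile>
  <Profile id="custom"><set-value idref="var_minlen">12</set-value></Profile>
  <Value id="var_minlen">
    <value>10</value>
    <value selector="14">14</value>
  </Value>
  <Rule id="rule_minlen">
    <description>Set PASS_MIN_LEN <sub idref="var_minlen"/> in /etc/login.defs.</description>
  </Rule>
</Benchmark>"""

def effective_values(root, profile_id=None):
    """Value id -> string in effect for profile_id (None = benchmark defaults)."""
    options = {v.get("id"): {c.get("selector", ""): c.text or ""
                             for c in v.findall(T("value"))}
               for v in root.iter(T("Value"))}
    chosen = {vid: sel.get("", "") for vid, sel in options.items()}
    for p in root.iter(T("Profile")):
        if p.get("id") != profile_id:
            continue
        for r in p.findall(T("refine-value")):  # pick a predefined selector
            chosen[r.get("idref")] = options[r.get("idref")][r.get("selector", "")]
        for s in p.findall(T("set-value")):     # literal override wins
            chosen[s.get("idref")] = s.text or ""
    return chosen

def resolve_text(elem, values):
    """Flatten mixed content, replacing each sub element with its value."""
    out = [elem.text or ""]
    for child in elem:
        if child.tag == T("sub"):
            out.append(values.get(child.get("idref"), "[unresolved]"))
        else:
            out.append(resolve_text(child, values))
        out.append(child.tail or "")
    return "".join(out)

def describe(xml_text, rule_id, profile_id=None):
    """Return the rule's description as a reader of the guide would see it."""
    root = ET.fromstring(xml_text)
    values = effective_values(root, profile_id)
    rule = next(r for r in root.iter(T("Rule")) if r.get("id") == rule_id)
    return resolve_text(rule.find(T("description")), values)
```

With a hard-coded literal in place of the sub element, all three profiles would print the same number in the guide regardless of what they actually check.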