Hello Simon,

Thank you for taking a look at the solution. I will start looking at using a simple CSV file to solve this and try to make the "create_sysctl_checks.py" module capable of identifying the right template to use.

Another point that I wanted to check with you was on the changes I need to make on the documentation. The rule that I modified for the sample pull request, "sysctl_net_ipv4_conf_all_accept_source_route", has a title "Disable Kernel Parameter for Accepting Source-Routed Packets for All Interfaces". When we are providing the option to enable or disable the parameter to the user, the title, description, rationale and OCIL content become inaccurate (and confusing) because they all refer to just disabling the parameter. I changed the rule name to "Configure Kernel Parameter for Accepting Source-Routed Packets for All Interfaces" to make it slightly unambiguous, leaving all the other content intact. I later realized that this is probably not a good thing to do either, because there might be user-tailored profiles which use the original rule name and these would now break. Should I just leave all the XCCDF content untouched and leave it at that?

Thank you.

Regards,
Gautam.

-----Original Message-----
From: Šimon Lukašík [mailto:[email protected]]
Sent: Tuesday, December 15, 2015 3:33 PM
To: SCAP Security Guide
Subject: Re: XCCDF variables associated with "sysctl_net_ipv4_conf_*" do not seem to be getting used.

Hello Gautam,

Great to hear this worked for you! The solution you propose seems sensible to me. The other that comes to my mind would be a single CSV file that would contain all the information, something like:

"<parameter>,<value-if-applicable>,<variable-if-applicable>"

Just an option.

Thanks!
~š.

--
SCAP Security Guide mailing list
[email protected]
https://lists.fedorahosted.org/admin/lists/[email protected]
https://github.com/OpenSCAP/scap-security-guide/
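
The single-CSV layout suggested in the thread, as an added example that is not code from the thread or from the scap-security-guide project: each row is read, validated, and mapped to a fixed-value or a variable-driven check. The template names, the sample rows, the XCCDF variable name and the rule-id naming convention are assumptions made for illustration.

```python
import csv
import re

# Hypothetical template names; the project's real template files may be named differently.
TEMPLATE_FIXED = "sysctl_fixed_value"
TEMPLATE_VARIABLE = "sysctl_xccdf_variable"

# Dotted sysctl names only, so a malformed row cannot leak into generated content.
PARAM_RE = re.compile(r"^[a-z0-9_-]+(\.[a-z0-9_-]+)+$")

# Constructed sample input in the "<parameter>,<value>,<variable>" layout.
SAMPLE_CSV = """\
# parameter,value-if-applicable,variable-if-applicable
net.ipv4.conf.all.accept_source_route,,sysctl_net_ipv4_conf_all_accept_source_route_value
net.ipv4.ip_forward,0,
kernel.randomize_va_space,2,
"""


def select_templates(text):
    """Return (checks, errors); errors are (line_number, message) tuples."""
    checks, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        row = [field.strip() for field in next(csv.reader([raw]))]
        if len(row) != 3:
            errors.append((lineno, "expected exactly 3 fields"))
            continue
        param, value, variable = row
        if not PARAM_RE.match(param):
            errors.append((lineno, "not a dotted sysctl name: %r" % param))
        elif bool(value) == bool(variable):
            # Both set is ambiguous; neither set would yield a check with no expected value.
            errors.append((lineno, "give either a value or a variable, not both or neither"))
        else:
            checks.append({
                "parameter": param,
                # Assumed naming convention, matching the rule id quoted in the thread.
                "rule_id": "sysctl_" + re.sub(r"[.-]", "_", param),
                "template": TEMPLATE_VARIABLE if variable else TEMPLATE_FIXED,
                "expected": variable or value,
            })
    return checks, errors


if __name__ == "__main__":
    for check in select_templates(SAMPLE_CSV)[0]:
        print(check["rule_id"], check["template"], check["expected"])
```

Rejecting rows that set both columns or neither keeps the generator from emitting a check that compares against the wrong source or against nothing at all.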
