On 12/15/15 4:02 AM, Šimon Lukašík wrote:
On 12/14/2015 10:09 AM, S, Gautam wrote:
Hello folks,
I have tried out the recommended changes for one of the rules. I
updated the two extended definitions, (one for checking the run-time
sysctl value and the other for the static value in the config file)
and the remediation script to start using the XCCDF:value field. This
seems to be working.
The OVAL checks and remediation scripts for rules based on values of
sysctl kernel parameters are as of now automatically generated from a
template using the "create_sysctl_checks.py" module. The input CSV
file has a "<parameter>, <value>" format. The changes I made are
overriding these auto-generated scripts.
Of the 19 sysctl values in the input CSV file in RHEL6, 12 are
affected by the current issue. So I was wondering if it made sense to
add a new CSV file with a "<parameter>,<variable_name>" format along
with a new template file and python module which could auto-generate
content using the variable rather than a hard-coded value. Let me
know if this would be a cleaner solution.
Hello Gautam,
Great to hear this worked for you!
The solution you propose seems sensible to me.
The other that comes to my mind would be a single CSV file that would
contain all the information, something like:
"<parameter>,<value-if-applicable>,<variable-if-applicable>"
Just an option.
Thanks!
~š.
Perhaps not well documented, but the variables should be in the format
of ${xccdf_check_name}_value.
e.g. in the RHEL6 sysctl template file, we have
"net.ipv4.conf.all.accept_source_route." The build system will convert
this into an OVAL file named
sysctl_net_ipv4_conf_all_accept_source_route. So the variable should be
sysctl_net_ipv4_conf_all_accept_source_route_value.
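The two conventions discussed in the thread (the three-column CSV layout Šimon proposes and the `${xccdf_check_name}_value` variable naming from the last reply) can be checked mechanically. The following is an added example written for this page, not SSG's own `create_sysctl_checks.py` or its templates: it parses a constructed CSV in the proposed layout, derives the OVAL check name and expected variable name for each sysctl parameter, rejects rows that give both or neither of a literal value and a variable, and renders an illustrative `sysctl -w` remediation line that uses either the hard-coded value or the variable. The `render_remediation` output format is an assumption for illustration, not SSG's remediation template.

```python
import csv
import io

# Constructed sample input in the layout proposed in the thread:
# "<parameter>,<value-if-applicable>,<variable-if-applicable>"
SAMPLE_CSV = """\
net.ipv4.conf.all.accept_source_route,0,
net.ipv4.ip_forward,,sysctl_net_ipv4_ip_forward_value
kernel.randomize_va_space,2,
"""


def sysctl_check_name(parameter):
    """Derive the OVAL check name the build system uses for a sysctl parameter:
    'sysctl_' prefix, dots replaced by underscores."""
    return "sysctl_" + parameter.strip().replace(".", "_")


def sysctl_variable_name(parameter):
    """XCCDF variable that must accompany a check: ${xccdf_check_name}_value."""
    return sysctl_check_name(parameter) + "_value"


def parse_sysctl_csv(text):
    """Parse the three-column CSV into a list of dicts.

    Each row must carry exactly one of a literal value or a variable name,
    and a given variable name must follow the ${check_name}_value convention.
    Rows violating either rule raise ValueError so a bad CSV fails the build
    instead of silently producing a check with no expected value.
    """
    rows = []
    for lineno, record in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not record or not record[0].strip():
            continue  # skip blank lines
        parameter = record[0].strip()
        value = record[1].strip() if len(record) > 1 else ""
        variable = record[2].strip() if len(record) > 2 else ""

        if bool(value) == bool(variable):
            raise ValueError(
                "line %d: %s needs exactly one of value or variable" % (lineno, parameter)
            )
        expected = sysctl_variable_name(parameter)
        if variable and variable != expected:
            raise ValueError(
                "line %d: variable %r should be %r" % (lineno, variable, expected)
            )
        rows.append(
            {
                "parameter": parameter,
                "check_name": sysctl_check_name(parameter),
                "value": value or None,
                "variable": variable or None,
            }
        )
    return rows


def render_remediation(row):
    """Illustrative remediation line (assumed format, not SSG's template):
    a hard-coded value is inlined, a variable is referenced by name."""
    if row["value"] is not None:
        return "sysctl -w %s=%s" % (row["parameter"], row["value"])
    return "sysctl -w %s=$%s" % (row["parameter"], row["variable"])


if __name__ == "__main__":
    for row in parse_sysctl_csv(SAMPLE_CSV):
        print(row["check_name"], "->", render_remediation(row))
```

Running the block prints one line per CSV row, showing which checks would be generated against a literal and which against an XCCDF variable; feeding it a row such as `net.ipv4.ip_forward,,ip_forward_value` raises `ValueError` because the variable name does not follow the `${xccdf_check_name}_value` convention.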
--
SCAP Security Guide mailing list
[email protected]
https://lists.fedorahosted.org/admin/lists/[email protected]
https://github.com/OpenSCAP/scap-security-guide/