On 4/21/17 8:03 AM, Watson Yuuma Sato wrote:
> On 20/04/17 22:28, Shawn Wells wrote:
>> We have several sebool XCCDFs in shared/xccdf/system/selinux, however it
>> appears OVAL and remediations are not being generated.
>>
>> For example from shared/xccdf/system/selinux.xml :
>>> <Rule id="sebool_fips_mode" severity="medium" prodtype="rhel7">
>>> ......
>>> <oval id="sebool_fips_mode" />
>>> </Rule>
>> Which has an entry in the selinux_booleans.csv file:
>>> $ grep -rin fips_mode shared/templates/selinux_booleans.csv
>>> 52:fips_mode,enable
>> After running a make, no OVAL gets attached in the datastream:
>>>          <ns0:Rule
>>> id="xccdf_org.ssgproject.content_rule_sebool_fips_mode"
>>> selected="false" severity="medium">
>>> .....
>>>            <ns0:ident
>>> system="https://nvd.nist.gov/cce/index.cfm">CCE-80418-7</ns0:ident>
>>>            <ns0:check system="http://scap.nist.gov/schema/ocil/2">
>>>              <ns0:check-content-ref href="ssg-rhel7-ocil.xml"
>>> name="ocil:ssg-sebool_fips_mode_ocil:questionnaire:1"/>
>>>            </ns0:check>
>>>          </ns0:Rule>
>> So I cleaned out my build directory and re-ran 'make -j4 rhel7' and saw
>> some errors:
>>> WARNING: OVAL check 'sebool_abrt_upload_watch_anon_write' was not
>>> found, removing <check-content> element from the XCCDF rule.
>>> WARNING: OVAL check 'sebool_antivirus_can_scan_system' was not found,
>>> removing <check-content> element from the XCCDF rule.
>>> WARNING: OVAL check 'sebool_auditadm_exec_content' was not found,
>>> removing <check-content> element from the XCCDF rule.
>>> WARNING: OVAL check 'sebool_cron_userdomain_transition' was not found,
>>> removing <check-content> element from the XCCDF rule.
>> Is there a reason the seboolean checks aren't getting built into
>> datastreams?
> The template and script that generates the OVAL checks for SELinux
> booleans are out of the build system, generate-from-templates.py is
> not using them.
> Any reason why it was left out?
>
> I'll give it a look and try to add it to the build system. 

Hey Watson - Wanted to send a note of thanks for (re)integrating this.
Appreciate it!
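
An added example, not part of the original thread or the project's build scripts: a post-build check that lists XCCDF rules shipped without an OVAL check, cross-referenced against the boolean template CSV. The sample XCCDF and CSV are constructed from the snippets quoted above; the function names, the `sebool_constructed_ok` rule and the `sebool_<name>` mapping from CSV row to rule id are assumptions.

```python
import csv
import io
import xml.etree.ElementTree as ET

XCCDF = "{http://checklists.nist.gov/xccdf/1.2}"
OVAL_SYSTEM = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
RULE_PREFIX = "xccdf_org.ssgproject.content_rule_"

# Constructed sample: first Rule mirrors the OCIL-only rule quoted in the
# thread; second Rule (hypothetical id) shows what an attached OVAL check looks like.
SAMPLE_XCCDF = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="sample">
  <Rule id="xccdf_org.ssgproject.content_rule_sebool_fips_mode" selected="false">
    <check system="http://scap.nist.gov/schema/ocil/2">
      <check-content-ref href="ssg-rhel7-ocil.xml"
                         name="ocil:ssg-sebool_fips_mode_ocil:questionnaire:1"/>
    </check>
  </Rule>
  <Rule id="xccdf_org.ssgproject.content_rule_sebool_constructed_ok" selected="false">
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref href="ssg-rhel7-oval.xml"
                         name="oval:ssg-sebool_constructed_ok:def:1"/>
    </check>
  </Rule>
</Benchmark>"""

# Constructed CSV in the "name,state" shape of selinux_booleans.csv.
SAMPLE_CSV = "fips_mode,enable\nconstructed_ok,disable\n"

def rules_without_oval(xccdf_text):
    """Return short ids of Rules that carry no <check> using the OVAL system."""
    missing = []
    for rule in ET.fromstring(xccdf_text).iter(XCCDF + "Rule"):
        systems = {c.get("system") for c in rule.findall(XCCDF + "check")}
        if OVAL_SYSTEM not in systems:
            rid = rule.get("id", "")
            missing.append(rid[len(RULE_PREFIX):] if rid.startswith(RULE_PREFIX) else rid)
    return sorted(missing)

def templated_booleans_missing_oval(xccdf_text, csv_text):
    """Booleans listed in the template CSV whose rule still lacks OVAL."""
    missing = set(rules_without_oval(xccdf_text))
    found = []
    for row in csv.reader(io.StringIO(csv_text)):
        if row and not row[0].startswith("#"):
            rule_id = "sebool_" + row[0].strip()  # assumed CSV-to-rule mapping
            if rule_id in missing:
                found.append(rule_id)
    return found

if __name__ == "__main__":
    for rule_id in templated_booleans_missing_oval(SAMPLE_XCCDF, SAMPLE_CSV):
        print("templated boolean without OVAL check:", rule_id)
```

A non-empty result means a rule would be evaluated only through its OCIL questionnaire, so an automated scan cannot assess it.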