We have several sebool XCCDFs in shared/xccdf/system/selinux, however it appears OVAL and remediations are not being generated.
For example from shared/xccdf/system/selinux.xml :
<Rule id="sebool_fips_mode" severity="medium" prodtype="rhel7"> ...... <oval id="sebool_fips_mode" /> </Rule>
Which has an entry in the selinux_booleans.csv file:
$ grep -rin fips_mode shared/templates/selinux_booleans.csv
52:fips_mode,enable
After running a make, no OVAL gets attached in the datastream:
<ns0:Rule id="xccdf_org.ssgproject.content_rule_sebool_fips_mode" selected="false" severity="medium">
.....
<ns0:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-80418-7</ns0:ident>
<ns0:check system="http://scap.nist.gov/schema/ocil/2">
<ns0:check-content-ref href="ssg-rhel7-ocil.xml" name="ocil:ssg-sebool_fips_mode_ocil:questionnaire:1"/>
</ns0:check>
</ns0:Rule>
So I cleaned out my build directory and re-ran 'make -j4 rhel7' and saw some errors:
WARNING: OVAL check 'sebool_abrt_upload_watch_anon_write' was not found, removing <check-content> element from the XCCDF rule.
WARNING: OVAL check 'sebool_antivirus_can_scan_system' was not found, removing <check-content> element from the XCCDF rule.
WARNING: OVAL check 'sebool_auditadm_exec_content' was not found, removing <check-content> element from the XCCDF rule.
WARNING: OVAL check 'sebool_cron_userdomain_transition' was not found, removing <check-content> element from the XCCDF rule.
Is there a reason the seboolean checks aren't getting built into datastreams?
On 20/04/17 22:28, Shawn Wells wrote:
> We have several sebool XCCDFs in shared/xccdf/system/selinux, however it appears OVAL and remediations are not being generated.
> For example from shared/xccdf/system/selinux.xml :
> <Rule id="sebool_fips_mode" severity="medium" prodtype="rhel7"> ...... <oval id="sebool_fips_mode" /> </Rule>
> Which has an entry in the selinux_booleans.csv file:
> $ grep -rin fips_mode shared/templates/selinux_booleans.csv
> 52:fips_mode,enable
> After running a make, no OVAL gets attached in the datastream:
> <ns0:Rule id="xccdf_org.ssgproject.content_rule_sebool_fips_mode" selected="false" severity="medium">
> .....
> <ns0:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-80418-7</ns0:ident>
> <ns0:check system="http://scap.nist.gov/schema/ocil/2">
> <ns0:check-content-ref href="ssg-rhel7-ocil.xml" name="ocil:ssg-sebool_fips_mode_ocil:questionnaire:1"/>
> </ns0:check>
> </ns0:Rule>
> So I cleaned out my build directory and re-ran 'make -j4 rhel7' and saw some errors:
> WARNING: OVAL check 'sebool_abrt_upload_watch_anon_write' was not found, removing <check-content> element from the XCCDF rule.
> WARNING: OVAL check 'sebool_antivirus_can_scan_system' was not found, removing <check-content> element from the XCCDF rule.
> WARNING: OVAL check 'sebool_auditadm_exec_content' was not found, removing <check-content> element from the XCCDF rule.
> WARNING: OVAL check 'sebool_cron_userdomain_transition' was not found, removing <check-content> element from the XCCDF rule.
> Is there a reason the seboolean checks aren't getting built into datastreams?
The template and script that generates the OVAL checks for SELinux booleans are out of the build system, generate-from-templates.py is not using them. Any reason why it was left out?
I'll give it a look and try to add it to the build system.
scap-security-guide mailing list -- scap-security-guide@lists.fedorahosted.org To unsubscribe send an email to scap-security-guide-leave@lists.fedorahosted.org
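Watson's reply above says the template and script that produce the SELinux boolean OVAL checks exist but are never invoked by generate-from-templates.py, which is why the build ends up warning that each sebool_* check "was not found". As an added example, not scap-security-guide's own generator, here is a minimal Python version of that build step: it reads rows in the name,state shape shown in the thread, emits one OVAL definition per boolean built on the linux-def selinuxboolean_test, and then cross-checks the <oval id="..."/> references in the XCCDF source against what was generated, which is the condition behind those warnings. The oval:ssg-...:1 id pattern, the Benchmark fragment and the CSV rows are constructed for this example and are not taken from the project.

```python
"""Added example: generate OVAL checks for SELinux booleans from a
name,state CSV and cross-check the XCCDF source against the result.
Not scap-security-guide's own generator; the id patterns are assumed."""
import csv
import io
import xml.etree.ElementTree as ET

OVAL_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
LINUX_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"
ET.register_namespace("", OVAL_NS)
ET.register_namespace("linux", LINUX_NS)

# Constructed rows in the selinux_booleans.csv shape from the thread (name,state).
SAMPLE_CSV = """fips_mode,enable
abrt_upload_watch_anon_write,disable
"""

# Constructed XCCDF source using the <oval id="..."/> shorthand from the thread.
# The third rule points at a check that no CSV row produces.
SAMPLE_XCCDF = """<Benchmark>
  <Rule id="sebool_fips_mode" severity="medium"><oval id="sebool_fips_mode"/></Rule>
  <Rule id="sebool_abrt_upload_watch_anon_write" severity="low"><oval id="sebool_abrt_upload_watch_anon_write"/></Rule>
  <Rule id="sebool_auditadm_exec_content" severity="low"><oval id="sebool_auditadm_exec_content"/></Rule>
</Benchmark>
"""


def load_booleans(csv_text):
    """Parse name,state rows and reject anything but enable/disable up front,
    so a typo in the CSV fails the build instead of silently producing no check."""
    rows = []
    for lineno, row in enumerate(csv.reader(io.StringIO(csv_text)), 1):
        if not row or row[0].startswith("#"):
            continue
        if len(row) != 2 or row[1].strip() not in ("enable", "disable"):
            raise ValueError("line %d: expected <boolean>,<enable|disable>, got %r" % (lineno, row))
        rows.append((row[0].strip(), row[1].strip()))
    return rows


def oval_definition(name, state):
    """One OVAL definition for an SELinux boolean using the linux-def
    selinuxboolean_test. The state pins both current_status and pending_status,
    so an uncommitted pending change to the opposite value also fails.
    The oval:ssg-...:1 id pattern is an assumption made for this example."""
    want = "true" if state == "enable" else "false"
    comment = "%s is %sd" % (name, state)
    def_id = "oval:ssg-sebool_%s:def:1" % name
    tst_id = "oval:ssg-test_sebool_%s:tst:1" % name
    obj_id = "oval:ssg-obj_sebool_%s:obj:1" % name
    ste_id = "oval:ssg-state_sebool_%s:ste:1" % name

    definition = ET.Element("{%s}definition" % OVAL_NS,
                            {"class": "compliance", "id": def_id, "version": "1"})
    metadata = ET.SubElement(definition, "{%s}metadata" % OVAL_NS)
    ET.SubElement(metadata, "{%s}title" % OVAL_NS).text = "SELinux boolean %s must be %sd" % (name, state)
    criteria = ET.SubElement(definition, "{%s}criteria" % OVAL_NS)
    ET.SubElement(criteria, "{%s}criterion" % OVAL_NS, {"test_ref": tst_id, "comment": comment})

    test = ET.Element("{%s}selinuxboolean_test" % LINUX_NS,
                      {"id": tst_id, "version": "1", "check": "all", "comment": comment})
    ET.SubElement(test, "{%s}object" % LINUX_NS, {"object_ref": obj_id})
    ET.SubElement(test, "{%s}state" % LINUX_NS, {"state_ref": ste_id})

    obj = ET.Element("{%s}selinuxboolean_object" % LINUX_NS, {"id": obj_id, "version": "1"})
    ET.SubElement(obj, "{%s}name" % LINUX_NS).text = name

    ste = ET.Element("{%s}selinuxboolean_state" % LINUX_NS, {"id": ste_id, "version": "1"})
    ET.SubElement(ste, "{%s}current_status" % LINUX_NS, {"datatype": "boolean"}).text = want
    ET.SubElement(ste, "{%s}pending_status" % LINUX_NS, {"datatype": "boolean"}).text = want
    return definition, test, obj, ste


def generate_oval(rows):
    """Assemble one <oval_definitions> document from the CSV rows. Returns the
    tree and the set of short check ids (sebool_<name>) the XCCDF may reference."""
    root = ET.Element("{%s}oval_definitions" % OVAL_NS)
    sections = [ET.SubElement(root, "{%s}%s" % (OVAL_NS, tag))
                for tag in ("definitions", "tests", "objects", "states")]
    short_ids = set()
    for name, state in rows:
        for section, element in zip(sections, oval_definition(name, state)):
            section.append(element)
        short_ids.add("sebool_" + name)
    return root, short_ids


def missing_oval_checks(xccdf_text, short_ids):
    """Cross-check the XCCDF source against the generated OVAL; this is the
    condition behind the build's "OVAL check ... was not found" warning.
    Returns (rule id, missing check id) pairs."""
    missing = []
    for rule in ET.fromstring(xccdf_text).iter("Rule"):
        for ref in rule.findall("oval"):
            if ref.get("id") not in short_ids:
                missing.append((rule.get("id"), ref.get("id")))
    return missing


if __name__ == "__main__":
    rows = load_booleans(SAMPLE_CSV)
    root, ids = generate_oval(rows)
    print(ET.tostring(root, encoding="unicode"))
    for rule_id, check_id in missing_oval_checks(SAMPLE_XCCDF, ids):
        print("WARNING: OVAL check '%s' was not found, removing <check-content> "
              "element from the XCCDF rule '%s'." % (check_id, rule_id))
```

Run stand-alone it prints the assembled OVAL document and exactly one warning, for sebool_auditadm_exec_content, the rule with no CSV row behind it. Wiring a cross-check like missing_oval_checks into the build is what turns a silently dropped check into a visible failure; the thread shows the warning existed, but nothing stopped the datastream from shipping with only the OCIL questionnaire attached.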
On 4/21/17 8:03 AM, Watson Yuuma Sato wrote:
> On 20/04/17 22:28, Shawn Wells wrote:
>> We have several sebool XCCDFs in shared/xccdf/system/selinux, however it appears OVAL and remediations are not being generated.
>> For example from shared/xccdf/system/selinux.xml :
>> <Rule id="sebool_fips_mode" severity="medium" prodtype="rhel7"> ...... <oval id="sebool_fips_mode" /> </Rule>
>> Which has an entry in the selinux_booleans.csv file:
>> $ grep -rin fips_mode shared/templates/selinux_booleans.csv
>> 52:fips_mode,enable
>> After running a make, no OVAL gets attached in the datastream:
>> <ns0:Rule id="xccdf_org.ssgproject.content_rule_sebool_fips_mode" selected="false" severity="medium">
>> .....
>> <ns0:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-80418-7</ns0:ident>
>> <ns0:check system="http://scap.nist.gov/schema/ocil/2">
>> <ns0:check-content-ref href="ssg-rhel7-ocil.xml" name="ocil:ssg-sebool_fips_mode_ocil:questionnaire:1"/>
>> </ns0:check>
>> </ns0:Rule>
>> So I cleaned out my build directory and re-ran 'make -j4 rhel7' and saw some errors:
>> WARNING: OVAL check 'sebool_abrt_upload_watch_anon_write' was not found, removing <check-content> element from the XCCDF rule.
>> WARNING: OVAL check 'sebool_antivirus_can_scan_system' was not found, removing <check-content> element from the XCCDF rule.
>> WARNING: OVAL check 'sebool_auditadm_exec_content' was not found, removing <check-content> element from the XCCDF rule.
>> WARNING: OVAL check 'sebool_cron_userdomain_transition' was not found, removing <check-content> element from the XCCDF rule.
>> Is there a reason the seboolean checks aren't getting built into datastreams?
> The template and script that generates the OVAL checks for SELinux booleans are out of the build system, generate-from-templates.py is not using them. Any reason why it was left out?
> I'll give it a look and try to add it to the build system.
Hey Watson - Wanted to send a note of thanks for (re)integrating this. Appreciate it!