@thenefield
Contributor

Two scripts are being added to facilitate some useful functions.

Both scripts should be executed from within the root folder of a given project (e.g. RHEL\6).

shared\transforms\stats.sh

The above script provides useful statistics based on the information presented in 'auxiliary\stig_overlay.xml'. It will identify the number of checks included, the number of fixes included, an overall number of STIG requirements indicated in the stig_overlay, and the number of STIG requirements in the XCCDF STIG document. This is useful for providing an overview of how much STIG coverage is accounted for. It is also useful for comparison against newly released STIGs to support identifying new requirements and deprecated requirements to ensure complete alignment.

shared\transforms\stig_refs.sh

The above script facilitates automating the updating of STIG information within the SCAP content. It will initially use 'auxiliary\stig_overlay.xml' to provide a mapping of STIG ID to SCAP RULE. Once that mapping has been created, it will update the 'auxiliary\stig_overlay.xml' data and the XML data associated with each rule in the 'services' and 'system' sub-folders. The script is also dependent on the XCCDF STIG document being located within the references folder of the project folder (e.g. RHEL\6\references).

The following data is updated in each location:

CCI
CCE
SEVERITY
SVKEY
VRELEASE
IA CONTROLS
TITLE

In addition, it also includes a 'stig=' reference in the 'ident' section of each rule with the STIG ID. This will support a separate change to be committed, that will help identify the appropriate STIG ID for each rule within the scan report.

@thenefield
Contributor Author

Just added one small change to check the IACONTROLS variable. The IA Controls get pulled properly from the RHEL 5 STIG. However the IA Controls in the RHEL6 STIG are managed differently and don't resolve. Applying this script without the last change would effectively remove all IA Control references in the RHEL6 SCAP content.

@shawndwells
Member

$ ./../../shared/transforms/stats.sh 

STIG INTEGRATION SUMMARY:


TOTAL XCCDF STIG REQUIREMENTS: 262

TOTAL SSG STIG REQUIREMENTS: 355

TOTAL SSG STIG CHECKS: 186

TOTAL SSG STIG FIXES: 151


SSG STIG REQUIREMENTS NOT FOUND IN XCCDF STIG: 95

RHEL-06-000105|service_ip6tables_enabled
RHEL-06-000108|service_ip6tables_enabled
RHEL-06-000109|service_ip6tables_enabled
RHEL-06-000115|service_iptables_enabled
RHEL-06-000118|service_iptables_enabled
RHEL-06-000119|service_iptables_enabled
RHEL-06-000121|set_iptables_default_rule
RHEL-06-000122|set_iptables_default_rule
RHEL-06-000139|service_auditd_enabled
RHEL-06-000140|met_inherently_auditing
RHEL-06-000142|service_auditd_enabled
RHEL-06-000143|service_auditd_enabled
RHEL-06-000149|service_auditd_enabled
RHEL-06-000151|service_auditd_enabled
RHEL-06-000157|bootloader_audit_argument
RHEL-06-999999|auditd_data_retention_admin_space_left_action
RHEL-06-000235|disable_host_auth
RHEL-06-000244|sshd_use_approved_ciphers
RHEL-06-000245|sshd_use_approved_ciphers
RHEL-06-000251|XXXX
RHEL-06-000263|service_autofs_disabled
RHEL-06-000300|no_files_unowned_by_user
RHEL-06-000301|no_files_unowned_by_group
RHEL-06-000317|kernel_module_usb-storage_disabled
RHEL-06-000359|unselected
RHEL-06-000367|unselected
RHEL-06-000368|unselected
RHEL-06-000371|unselected
RHEL-06-000373|met_inherently_generic
RHEL-06-000374|met_inherently_nonselected
RHEL-06-000375|met_inherently_auditing
RHEL-06-000376|met_inherently_auditing
RHEL-06-000377|met_inherently_auditing
RHEL-06-000378|met_inherently_auditing
RHEL-06-000379|met_inherently_auditing
RHEL-06-000380|met_inherently_nonselected
RHEL-06-000381|met_inherently
RHEL-06-000382|met_inherently_auditing
RHEL-06-000387|met_inherently_generic
RHEL-06-000388|met_inherently_auditing
RHEL-06-000389|met_inherently_generic
RHEL-06-000390|met_inherently_generic
RHEL-06-000392|met_inherently_generic
RHEL-06-000396|met_inherently_generic
RHEL-06-000397|met_inherently_nonselected
RHEL-06-000398|met_inherently_generic
RHEL-06-000399|met_inherently_generic
RHEL-06-000403|met_inherently_generic
RHEL-06-000411|met_inherently_nonselected
RHEL-06-000412|met_inherently_nonselected
RHEL-06-000414|met_inherently_generic
RHEL-06-000415|met_inherently_generic
RHEL-06-000416|met_inherently_generic
RHEL-06-000417|met_inherently_nonselected
RHEL-06-000418|met_inherently_nonselected
RHEL-06-000419|met_inherently_nonselected
RHEL-06-000420|met_inherently_generic
RHEL-06-000421|met_inherently_nonselected
RHEL-06-000423|met_inherently_generic
RHEL-06-000424|met_inherently_generic
RHEL-06-000430|met_inherently_generic
RHEL-06-000431|met_inherently_generic
RHEL-06-000432|met_inherently_generic
RHEL-06-000445|unmet_finding_nonselected
RHEL-06-000451|met_inherently_nonselected
RHEL-06-000454|met_inherently_nonselected
RHEL-06-000455|update_process
RHEL-06-000456|met_inherently_nonselected
RHEL-06-000457|met_inherently_generic
RHEL-06-000458|met_inherently_generic
RHEL-06-000459|met_inherently_nonselected
RHEL-06-000460|met_inherently_generic
RHEL-06-000461|unmet_finding_nonselected
RHEL-06-000463|unmet_finding_nonselected
RHEL-06-000464|met_inherently_generic
RHEL-06-000465|met_inherently_generic
RHEL-06-000466|met_inherently_nonselected
RHEL-06-000473|met_inherently_generic
RHEL-06-000474|met_inherently_generic
RHEL-06-000485|met_inherently_generic
RHEL-06-000486|met_inherently_generic
RHEL-06-000488|met_inherently_nonselected
RHEL-06-000489|met_inherently_nonselected
RHEL-06-000490|met_inherently_nonselected
RHEL-06-000491|met_inherently_generic
RHEL-06-000492|met_inherently_nonselected
RHEL-06-000493|met_inherently_generic
RHEL-06-000494|unmet_finding_nonselected
RHEL-06-000497|met_inherently_generic
RHEL-06-000500|met_inherently_generic
RHEL-06-000501|met_inherently_nonselected
RHEL-06-000502|unselected
RHEL-06-000506|XXXX
RHEL-06-000512|unmet_finding_nonselected
RHEL-06-000513|unmet_finding_nonselected

XCCDF STIG REQUIREMENTS NOT FOUND IN SSG STIG: 2

RHEL-06-000163
RHEL-06-000527
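
The two "NOT FOUND" lists in the summary above are set differences between the STIG IDs in the overlay and those in the XCCDF STIG. The following is an added example, not the project's stats.sh: it computes the same comparison with an XML parser, and the element and attribute names (`overlay`, `ownerid`, `ruleid`, `Rule`, `version`), the `example_rule` name and the sample documents are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed samples. Assumed layouts (not confirmed by this page):
# overlay entries carry ruleid/ownerid attributes, and each STIG <Rule>
# holds its STIG ID in a <version> child element.
OVERLAY_XML = """<overlays xmlns="http://checklists.nist.gov/xccdf/1.1">
  <overlay owner="disastig" ruleid="example_rule" ownerid="RHEL-06-000282"/>
  <overlay owner="disastig" ruleid="service_ip6tables_enabled" ownerid="RHEL-06-000105"/>
  <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-06-000251"/>
</overlays>"""

STIG_XML = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1">
  <Group id="V-1"><Rule id="SV-1r1_rule"><version>RHEL-06-000282</version></Rule></Group>
  <Group id="V-2"><Rule id="SV-2r1_rule"><version>RHEL-06-000163</version></Rule></Group>
</Benchmark>"""


def local(tag):
    """Drop the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def overlay_map(xml_text):
    """Return {STIG ID: SSG rule id} from the overlay document."""
    return {el.get("ownerid"): el.get("ruleid")
            for el in ET.fromstring(xml_text).iter()
            if local(el.tag) == "overlay" and el.get("ownerid")}


def stig_ids(xml_text):
    """Return the set of STIG IDs found in <Rule>/<version> elements."""
    ids = set()
    for rule in ET.fromstring(xml_text).iter():
        if local(rule.tag) == "Rule":
            ids.update(c.text.strip() for c in rule
                       if local(c.tag) == "version" and c.text)
    return ids


def coverage(overlay_xml, stig_xml):
    """Compute both difference lists shown in the summary output."""
    ssg, stig = overlay_map(overlay_xml), stig_ids(stig_xml)
    return {
        "ssg_not_in_stig": sorted(f"{i}|{ssg[i]}" for i in ssg.keys() - stig),
        "stig_not_in_ssg": sorted(stig - ssg.keys()),
    }


if __name__ == "__main__":
    for name, items in coverage(OVERLAY_XML, STIG_XML).items():
        print(f"{name}: {len(items)}")
        print("\n".join(items))
```
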

@thenefield
Contributor Author

Isn't that awesome! So much visibility! This has been a great help for me
in my quest to write SCAP content for RHEL5.

BTW, I just committed a couple updates to the stig_refs.sh script. I am
done editing now. Also, in light of the couple errors I fixed in the
script, I found that there are still some changes to be committed for stig
references on RHEL6. Correcting those errors allowed the additional updates
to proceed. Since the previous request for the rhel6 stig refs is already
merged, I will start another one with just these additional changes
included.

Once I get all the dust settled from these initial changes, I will help out
more with the RHEL6 content in getting that above output prettier.


Member

this actually inserts two spaces before the stig=$val, e.g.:

 <ident cce="26910-0"  stig="RHEL-06-000282" />

Contributor Author

Will fix. Standby.

On Wed, Feb 25, 2015 at 12:16 PM, Shawn Wells notifications@github.com
wrote:

In shared/transforms/stig_refs.sh
#452 (comment)
:

  •               # CCE
    
  •               if [ ! -z "${CCE}" ]; then
    
  •                   if [ "$(awk "/<Rule id=\"${RULE_ID}\"/,/<\/Rule>/" ${FILE} | grep -c "<ident ")" = "0" ]; then
    
  •                       sed -i "/<Rule id=\"${RULE_ID}\"/,/<\/Rule>/s/(<\/Rule>)/<ident cce=\"${CCE}\" \/>\n\1/" ${FILE}
    
  •                   elif [ "$(awk "/<Rule id=\"${RULE_ID}\"/,/<\/Rule>/" ${FILE} | grep "<ident " | grep -c "cce=")" = "0" ]; then
    
  •                       sed -i "/<Rule id=\"${RULE_ID}\"/,/<\/Rule>/s/(<ident .*\)\/>/\1 cce=\"${CCE}\" \/>/" ${FILE}
    
  •                   else
    
  •                       sed -i "/<Rule id=\"${RULE_ID}\"/,/<\/Rule>/s/(<ident ._)cce=\"[a-zA-Z0-9-_.]_\"/\1cce=\"${CCE}\"/" ${FILE}
    
  •                   fi
    
  •               fi
    
  •               # STIG ID
    
  •               if [ ! -z "${STIG_ID}" ]; then
    
  •                   if [ "$(awk "/<Rule id=\"${RULE_ID}\"/,/<\/Rule>/" ${FILE} | grep -c "<ident ")" = "0" ]; then
    
  •                       sed -i "/<Rule id=\"${RULE_ID}\"/,/<\/Rule>/s/(<\/Rule>)/<ident stig=\"${STIG_ID}\" \/>\n\1/" ${FILE}
    
  •                   elif [ "$(awk "/<Rule id=\"${RULE_ID}\"/,/<\/Rule>/" ${FILE} | grep "<ident " | grep -c "stig=")" = "0" ]; then
    
  •                       sed -i "/<Rule id=\"${RULE_ID}\"/,/<\/Rule>/s/(<ident .*\)\/>/\1 stig=\"${STIG_ID}\" \/>/" ${FILE}
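
Review bot: In both `elif` branches the capture group `<ident .*` is greedy and takes in the space that precedes `/>`, so the replacement `\1 cce=...` or `\1 stig=...` writes a second space; that is where the double spacing comes from. Match the optional whitespace outside the group, immediately before `\/>`, so the replacement emits exactly one space. Separately, `${FILE}` is unquoted and `${RULE_ID}`, `${CCE}` and `${STIG_ID}` are interpolated into the sed and awk programs unescaped, so a file path containing whitespace or a value containing `/` or `&` would break or alter the substitution; quote the file name and validate or escape the values before use.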
    

this actually inserts two spaces before the stig=$val, e.g.:



Contributor Author

So I checked in a fix. It will no longer create the double spacing when
defining new values. However, running it won't fix the double spacing for
the ones already done. I do have a quick fix for that though. Since I need
to commit some additional changes for the RHEL6 STIG refs, I will also
commit the change to remove the double spacing added.


@landscape-bot

Code Health
Code quality remained the same when pulling f69e5d3 on thenefield:support_scripts2 into 0fa5af9 on OpenSCAP:master.

@landscape-bot

Code Health
Code quality remained the same when pulling e9dccb6 on thenefield:support_scripts2 into 73f8d24 on OpenSCAP:master.

@landscape-bot

Code Health
Code quality remained the same when pulling ab99df8 on thenefield:support_scripts2 into 73f8d24 on OpenSCAP:master.

@redhatrises redhatrises added the enhancement General enhancements to the project. label Mar 26, 2015
@redhatrises redhatrises added this to the 0.1.22 milestone Mar 26, 2015
@iankko iankko modified the milestones: 0.1.23, 0.1.22 May 4, 2015
@iankko iankko modified the milestones: 0.1.23, 0.1.24 Jun 22, 2015
@mpreisler mpreisler modified the milestones: 0.1.24, 0.1.25 Jul 9, 2015
@iankko iankko modified the milestones: 0.1.25, 0.1.26 Aug 20, 2015
@mpreisler mpreisler modified the milestones: 0.1.27, 0.1.26 Oct 6, 2015
@isimluk
Member

isimluk commented Dec 9, 2015

[test this please] mr. jenkins

Thanks Trey, for this contribution.

This seems to me, that it can be merged. What am I missing?

@thenefield
Contributor Author

Absolutely! I am not aware of any issues that need to be resolved before
merging. If any are discovered, feel free to let me know.


@isimluk
Member

isimluk commented Dec 10, 2015

Ok, Trey, then please accept my sincere apology that this hasn't been merged in a timely manner.

isimluk added a commit that referenced this pull request Dec 10, 2015
@isimluk isimluk merged commit 2fc9400 into ComplianceAsCode:master Dec 10, 2015