cfengine / design-center

CFEngine community-contributed content
http://cfengine.com/

stigs: new sketch #402

Closed tzz closed 10 years ago

tzz commented 10 years ago

This is NOT ready for merging, just for review.

@zzamboni @jborozan please review and we can discuss. This is namespaced under cfdc_stigs.

@jborozan I need your full contact info for sketch authorship, will be shown together with the other CFEngine people who worked on it, if you're OK with that. Also note the license for your contributions is MIT.

nickanderson commented 10 years ago

What's marking?

jborozan commented 10 years ago

@tzz My full name is Jurica Borozan; emails: work: jurica.borozan@tradeticity.com, private: jurica.borozan@gmail.com; and I am OK with what you wrote.

nickanderson commented 10 years ago

What is mark_{created,modified,added} supposed to do?

tzz commented 10 years ago

The mark* variables are commented out right now, but will enable marking of the modifications. See the .cf file, it's at the top.

nickanderson commented 10 years ago

So it's for including the "modified by cfengine" banner? Sorry if I'm dense.

tzz commented 10 years ago

Yes. Search for g_STIGs in the policy and you'll see all the places.

jborozan commented 10 years ago

My starting idea, using plain cf files, was to mark files (and lines in them) according to created or modified status, to avoid overwriting changes that, e.g., some admin might have made manually. Initially, I left those lines commented out with double ##. I applied the created banner with "edit_defaults => empty", otherwise the modified banner.

Ted converted STIGS.cf to sketch form. I must admit I am still trying to figure out how mark_{created,modified,added} works: I see no connection, yet...

tzz commented 10 years ago

The conversion is not done, sorry I didn't make that clear. The mark* variables are not in use yet.

jborozan commented 10 years ago

I did a fast patch of your sketch file as discussed and added the mark* enables; shall I mail it to you?

tzz commented 10 years ago

@jborozan you can e-mail it to tzz@lifelogs.com or open a new PR here. The new PR is better because you can just pick up my adjustments.

Test with cd tools/test; make stigs

nickanderson commented 10 years ago

While you're digging around in this sketch, a warn_only mode for it would be nice :)

tzz commented 10 years ago

Test mode only modifies files in /tmp so this is already covered.

nickanderson commented 10 years ago

What if I am interested in reporting on my STIGS compliance, without actually making any changes?

tzz commented 10 years ago

You could contribute such a mode! It sounds useful.

jborozan commented 10 years ago

@nickanderson: It is a good idea but, in my opinion, not so trivial to implement. STIGs do change permissions and settings, so filtering out which settings are OK and which are not is not such an easy task.

BTW I just adapted the old STIGs file without complete testing (yet), and above all did not (yet) compare the latest recommendations from the documents with the current implementation. This is a good starting point, but needs (much) more work.
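The two mechanisms discussed in this thread, the created/modified banner that jborozan describes (banner chosen by whether the file already exists, created via `edit_defaults => empty`) and the warn-only / report-only mode nickanderson asks for, can both be expressed in a small stand-alone policy. The following is an added example written for this review and is not the sketch's own code nor anything from the cfdc_stigs namespace. It assumes a CFEngine 3.6+ agent with the standard library (`stdlib.cf`, providing the `empty`, `start`, `results` and `action_policy` bodies), a hypothetical target path `/tmp/stig_example.conf`, and one hypothetical STIG-style line; the `report_only` class, `warn_or_fix` body and `stig_lines` bundle are names chosen here.

```cfengine3
# Added example, not part of the cfdc_stigs sketch.
# Demonstrates: (1) a "created" vs "modified" banner, decided by whether the
# target file exists before editing; (2) a report-only run that only warns
# (no file is touched) when the class "report_only" is defined.

body common control
{
      inputs => { "$(sys.libdir)/stdlib.cf" };   # assumption: 3.6+ stdlib
      bundlesequence => { "stig_mark_example" };
}

bundle agent stig_mark_example
{
  vars:
      # Hypothetical target; in the real sketch this comes from its parameters.
      "target"          string => "/tmp/stig_example.conf";
      "banner_created"  string => "# Created by CFEngine: manual edits to this file will be overwritten";
      "banner_modified" string => "# Modified by CFEngine: the managed lines below are enforced";

  classes:
      # Evaluated before the files promises run, so it reflects the pre-edit state.
      "target_exists" expression => fileexists("$(target)");

  files:
    !target_exists::
      # File does not exist yet: create it from scratch (empty before editing)
      # and stamp it with the "created" banner.
      "$(target)"
        create        => "true",
        edit_defaults => empty,
        edit_line     => stig_lines("$(banner_created)"),
        action        => warn_or_fix,
        classes       => results("bundle", "stig_example");

    target_exists::
      # File already exists (possibly hand-edited): keep its content, only
      # insert the managed lines and the "modified" banner.
      "$(target)"
        edit_line     => stig_lines("$(banner_modified)"),
        action        => warn_or_fix,
        classes       => results("bundle", "stig_example");

  reports:
    stig_example_repaired::
      "$(target): managed lines and banner applied";
    stig_example_kept::
      "$(target): already compliant";
    stig_example_not_kept::
      "$(target): NOT compliant (report-only run, or the edit failed)";
}

bundle edit_line stig_lines(banner)
{
  insert_lines:
      # Banner goes at the top of the file; insert_lines is convergent, so a
      # banner that is already present is not duplicated.
      "$(banner)"
        location => start;
      # Hypothetical STIG-style setting standing in for the real checks.
      "PermitRootLogin no";
}

body action warn_or_fix
{
    # Report-only mode: promise outcomes are logged and classes are set,
    # but nothing on disk is changed.
    report_only::
      action_policy => "warn";
    !report_only::
      action_policy => "fix";
}
```

Run it normally with `cf-agent -KIf ./stig_example.cf`; for a compliance report without changes, define the class on the command line, `cf-agent -KIf ./stig_example.cf -D report_only` (or use the agent's own dry-run switch, `cf-agent -n`). The `results` classes body is what makes the report-only run useful: the `stig_example_not_kept` class fires for every promise that would have been repaired, so the reports section lists non-compliant files without editing them. This shows the mechanism only; as jborozan notes, deciding per setting what counts as compliant is still the bulk of the work.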

tzz commented 10 years ago

@jborozan sorry for the silence. Due to travel I wasn't able to get back to this. I'll do my best to return to it next week.

jborozan commented 10 years ago

No problem. BTW I just checked 2 minutes ago what is the status of files...

tzz commented 10 years ago

Works for me (although I have not tested absolutely everything), merging.

@jborozan @zzamboni @nickanderson please try to test this. It would be nice to make it enterprise_compatible but I can't do that if I'm the only tester.