diff options
Diffstat (limited to 'sechecker/modules/template/profiles.readme')
-rw-r--r-- | sechecker/modules/template/profiles.readme | 142 |
1 files changed, 142 insertions, 0 deletions
diff --git a/sechecker/modules/template/profiles.readme b/sechecker/modules/template/profiles.readme new file mode 100644 index 0000000..f781ee0 --- /dev/null +++ b/sechecker/modules/template/profiles.readme @@ -0,0 +1,142 @@ +How to write a profile for SEChecker +===================================== + +Table of Contents +======================== +1. Use of Profiles +2. Format of the Profile + 2.0 <sechecker> + 2.1 <profile> + 2.2 <module> + 2.3 <output> + 2.4 <option> +3. Example Profile + +1. Use of Profiles +========================== +SEChecker has a wide variety of modules which perform various tests +on the policy and/or system. To make the management and running of +these modules easier, several profiles are defined. + +A profile is used to run a set of modules with options set in a way +that the resulting report reflects a specific security goal. + +To write your own profile, create a new XML file named <profile name>.prof. +The format of the file is detailed below. + +2. Format of the Profile +========================= +A profile is an XML file loaded by SEChecker to run a specific set of tests. +The profile recognizes the following tags + +2.0 <sechecker> +=========================== +The sechecker tag should be the first open tag in the file and the final +tag to be closed. The tag has a single attribute version, which should +be set to the current version of SEChecker you are using. To find your +version number, run: "sechecker --version". + +<sechecker version="1.0"> + +Be sure to remember to close this tag at the end of the file. + +2.1 <profile> +=========================== +The profile tag tells the parser that SEChecker should interpret this +file as a profile. This tag has no attributes. + +<profile> + +Close this tag just before the sechecker tag is closed at the end of the file + +2.2 <module> +=========================== +The module tag tells SEChecker that a particular module should be run for +this profile. The only attribute is name. + +<module name="mod_name"> + +This tag is closed after all other tags related to that module + +2.3 <output> +========================= +The output tag tells SEChecker to use this output format for the module +in which it appears. This tag is optional and has one attribute, value. + +<output value="short"/> + +This tag should close itself. The valid values are: + none - do not print anything in the report; only run this module + as dependency of another module. + quiet - print only the stats and header in the report + short - print the header, stats, and a list of items found by the + module without any accompanying proof + long - print the header, stats, and a list of items found by the + module with proof of the result following each item + verbose - print all possible output including the header, stats, + a list of items and a list of items with proof + +NOTE: any of the above values other than "none" are overridden by the + command line output flags. Setting an output value in a profile + overrides the default setting in the configuration file for this + profile only. + +2.4 <option> +======================= +The option tag allows a profile to specify additional options for a module. +The option tag has two mandatory attributes, "name" and "value". +The values of these attributes is specific to the module for which the +option is specified. Options specified in a profile are used in addition +to those in the configuration file. + +<option name="option_name" value="some_value"/> + +This tag closes itself. As its name implies this tag is optional. + +3. Example Profile +====================== +The following is a brief example of a profile + +<sechecker version="1.0"> +<profile> + + <module name="mod1"> + </module> + + <module name="mod2"> + <output value="none"/> + <option name="attribute" value="my_attrib"/> + </module> + + <module name="mod3"> + <option name="foo" value="bar"/> + </module> + + <module name="mod4"> + <output value="short"/> + </module> + + <module name="mod5"> + <output value="quiet"/> + <option name="type" value="shadow_t"/> + </module> + +</profile> +</sechecker> + +The result of this profile would be: +- run mod1 with default configuration; + print with default settings +- run mod2 with the additional attribute my_attrib, + but don't print its results +- run mod3 with option foo set to bar (in addition to any other settings); + print with default settings +- run mod4; + print in short output +- run mod5 with additional type shadow_t; + print using quiet output + +If there are also modules mod6 and mod7, neither would be run unless +one of the other modules (mod1-5) had a dependency on them. + + |