> On 03/12/2012 10:26 PM, Shawn Wells wrote:
>> On 3/12/12 5:59 PM, Jeffrey Blank wrote:
>>> We'll shortly be committing a script to do checking for consistency
>>> between our OVAL and XCCDF. This should detect situations such as:
>>>
>>> 1)
>>> a reference from an XCCDF rule to an OVAL definition that doesn't
>>> exist.
>>>
>>> 2)
>>> an XCCDF rule exists (and is used in a profile) but doesn't include
>>> any reference to a check.
>>>
>>> 3)
>>> mismatch between filename and OVAL definition name (as this is an
>>> important convention for our approach to modular definitions)
>>
>> I think the following would be helpful too:
>>
>> 4)
>> An XCCDF rule exists and isn't used in a profile
>>
>> 5)
>> Any checks that are not present in an XCCDF rule
>> (I can't imagine there would actually be any of these given how we've
>> been making XCCDF then the checks, but it'd be good to watch for)

There doesn't seem to be a way to add new prose (i.e. from the SNAC guide) to the scap-security-guide, due to issues with well-formedness. File names, Linux keywords, and config file settings are wrapped in <xhtml:code> and <xhtml:pre> tags in ssg, but not in the SNAC guide, so anything that isn't well-formed within the SNAC prose breaks the xccdf.
There are also some cases where these settings are well-formed, but are still wrapped in the namespace (xhtml:code/pre) tags within the scap-security-guide. I'd like to keep the SNAC+scap-sec-guide merge consistent with the previous security-guide, but I can't seem to find an all-encompassing set of conditions to systematically add these tags where appropriate. I'm wondering if you guys know of a way to do this (other than manually).
If not, this would be great functionality to add for future use. If no one else is currently doing so, I'd like to work on it.
--Mike
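
The consistency checks listed as items 1, 2, 4 and 5 in the quoted messages can be sketched as follows. This is an added example, not the script referred to in the thread or any scap-security-guide code; the sample documents, rule ids, definition ids and the function name `check_consistency` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"x": "http://checklists.nist.gov/xccdf/1.1",
      "o": "http://oval.mitre.org/XMLSchema/oval-definitions-5"}

# Constructed sample input, trimmed to the elements the checks read.
XCCDF = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="demo">
 <Profile id="server">
  <select idref="rule_a" selected="true"/>
  <select idref="rule_b" selected="true"/>
  <select idref="rule_c" selected="true"/>
 </Profile>
 <Rule id="rule_a"><check><check-content-ref name="oval:demo:def:1"/></check></Rule>
 <Rule id="rule_b"><check><check-content-ref name="oval:demo:def:99"/></check></Rule>
 <Rule id="rule_c"/>
 <Rule id="rule_d"><check><check-content-ref name="oval:demo:def:1"/></check></Rule>
</Benchmark>"""
OVAL = """<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 <definitions>
  <definition id="oval:demo:def:1" class="compliance" version="1"/>
  <definition id="oval:demo:def:2" class="compliance" version="1"/>
 </definitions>
</oval_definitions>"""

def check_consistency(xccdf_xml, oval_xml):
    """Return findings for items 1, 2, 4 and 5 of the list in the thread."""
    bench, oval = ET.fromstring(xccdf_xml), ET.fromstring(oval_xml)
    defined = {d.get("id") for d in oval.iterfind(".//o:definition", NS)}
    selected = {s.get("idref") for s in bench.iterfind(".//x:Profile/x:select", NS)
                if s.get("selected") == "true"}
    out = {"dangling_ref": [], "no_check": [], "unused_rule": [], "orphan_definition": []}
    referenced = set()
    for rule in bench.iterfind(".//x:Rule", NS):  # also finds rules nested in Groups
        rid = rule.get("id")
        # A check-content-ref without a name points at a whole file; skip it here.
        refs = {r.get("name") for r in rule.iterfind(".//x:check-content-ref", NS)
                if r.get("name")}
        referenced |= refs
        out["dangling_ref"] += [(rid, n) for n in sorted(refs - defined)]  # item 1
        if rid in selected and not refs:
            out["no_check"].append(rid)       # item 2: in a profile, no check
        if rid not in selected:
            out["unused_rule"].append(rid)    # item 4: not used by any profile
    out["orphan_definition"] = sorted(defined - referenced)  # item 5
    return out

if __name__ == "__main__":
    for kind, items in check_consistency(XCCDF, OVAL).items():
        print(kind, items)
```

Item 3 (filename versus definition name) is left out because it depends on the repository's file layout, which the thread does not show.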