Hey,
I'm hoping someone on this list can point me in the direction of what I'm doing wrong.
We would like to add some custom checks specific to our environment to the scap-security-guide content.
Since this is the first time I've tried to write any OVAL or XCCDF content, I thought I'd start with a nice simple package installed check for RHEL 6 (vmware-tools-core) as a method of learning more about how it all hangs together.
So I created an OVAL file based on some of the other package installed ones:
$ cat RHEL/6/input/oval/package_vmware-tools-core_installed.xml
<def-group>
  <definition class="compliance" id="package_vmware-tools-core_installed"
  version="1">
    <metadata>
      <title>Package vmware-tools-core Installed</title>
      <affected family="unix">
        <platform>Red Hat Enterprise Linux 6</platform>
      </affected>
      <description>The RPM package vmware-tools-core should be installed.</description>
    </metadata>
    <criteria>
      <criterion comment="package vmware-tools-core is installed"
      test_ref="test_package_vmware-tools-core_installed" />
    </criteria>
  </definition>
  <linux:rpminfo_test check="all" check_existence="all_exist"
  id="test_package_vmware-tools-core_installed" version="1"
  comment="package vmware-tools-core is installed">
    <linux:object object_ref="obj_package_vmware-tools-core_installed" />
  </linux:rpminfo_test>
  <linux:rpminfo_object id="obj_package_vmware-tools-core_installed" version="1">
    <linux:name>vmware-tools-core</linux:name>
  </linux:rpminfo_object>
</def-group>
And created a group / rule for it in xccdf:
$ cat RHEL/6/input/xccdf/system/test.xml
<Group id="test">
  <title>Test Checks</title>
  <description>Test Checks stuff..
  and stuff...</description>
  <Rule id="package_vmware-tools-core_installed" severity="medium">
    <title>VMWare Tools must be installed</title>
    <description>
      VMWare Tools must be installed on all VMware based VM's.
      <yum-macro install="true" package="vmware-tools-core"/>
    </description>
    <ocil clause="the package is not installed" >
      <package-check-macro package="vmware-tools-core" />
      <br /><br />
      If the system isn't a VMWare Based VM, this isn't applicable.
    </ocil>
    <rationale>Required package for operational support.</rationale>
    <oval id="package_vmware-tools-core_installed" />
  </Rule>
</Group>
Added a line to the common profile (RHEL/6/input/profiles/common.xml):
<select idref="package_vmware-tools-core_installed" selected="true" />
And finally, an entry in RHEL/6/input/guide.xslt:
<xsl:template match="Group[@id='test']">
  <xsl:copy>
    <xsl:copy-of select="@*|node()" />
    <xsl:apply-templates select="document('xccdf/services/test.xml')" />
  </xsl:copy>
</xsl:template>
However, attempting to make just the RHEL6 content fails:
$ make
xsltproc -stringparam ref "nist" -o output/table-rhel6-nistrefs.html transforms/xccdf2table-byref.xslt output/xccdf-unlinked-empty-groups.xml
xsltproc -stringparam profile "common" -o output/table-rhel6-nistrefs-common.html \
transforms/xccdf2table-profilenistrefs.xslt output/xccdf-unlinked-empty-groups.xml
xsltproc -o output/table-rhel6-cces.html transforms/xccdf2table-cce.xslt output/xccdf-unlinked-empty-groups.xml
xsltproc -stringparam map-to-items "../output/xccdf-unlinked-empty-groups.xml" -o output/table-rhel6-srgmap.html \
transforms/table-srgmap.xslt ../../shared/references/disa-os-srg-v1r4.xml
xsltproc -stringparam flat "y" -stringparam map-to-items "../output/xccdf-unlinked-empty-groups.xml" -o output/table-rhel6-srgmap-flat.html \
transforms/table-srgmap.xslt ../../shared/references/disa-os-srg-v1r4.xml
xmllint --xmlout --html --output output/table-rhel6-srgmap-flat.xhtml output/table-rhel6-srgmap-flat.html
# If openscap on the system supports OVAL-5.11 language version, include also OVAL-5.11 checks
# into final list of OVAL checks
# RHEL/6/input/oval/oval_5.11 is empty for now!!! Uncomment the next statement once required
# find input/oval/oval_5.11 -maxdepth 1 -type f -name '*.xml' -exec cp {} ';'
# System supports OVAL-5.11 => propagate 'RUNTIME_OVAL_VERSION' variable into the environment
find ../../shared/oval input/oval ../../shared/oval/oval_5.11 -name "*.xml" | xargs xmlwf
env RUNTIME_OVAL_VERSION='5.11' ../../shared/utils/combine-ovals.py ../../shared/../config rhel6 ../../shared/oval input/oval ../../shared/oval/oval_5.11 > output/unlinked-rhel6-oval.xml
Merged 499 OVAL checks.
WARNING: OVAL ID 'variable_cd_dvd_drive_alternative_names' is used multiple times and should represent the same elements.
Rewrite the OVAL checks. Place the identical IDs into their own definition and extend this definition by it.
WARNING: OVAL ID 'variable_cd_dvd_drive_regex_pattern' is used multiple times and should represent the same elements.
Rewrite the OVAL checks. Place the identical IDs into their own definition and extend this definition by it.
WARNING: OVAL ID 'variable_not_cd_dvd_drive_regex_pattern' is used multiple times and should represent the same elements.
Rewrite the OVAL checks. Place the identical IDs into their own definition and extend this definition by it.
WARNING: OVAL ID 'variable_cd_dvd_drive_alternative_names' is used multiple times and should represent the same elements.
Rewrite the OVAL checks. Place the identical IDs into their own definition and extend this definition by it.
WARNING: OVAL ID 'variable_cd_dvd_drive_regex_pattern' is used multiple times and should represent the same elements.
Rewrite the OVAL checks. Place the identical IDs into their own definition and extend this definition by it.
WARNING: OVAL ID 'variable_not_cd_dvd_drive_regex_pattern' is used multiple times and should represent the same elements.
Rewrite the OVAL checks. Place the identical IDs into their own definition and extend this definition by it.
xmllint --format --output output/unlinked-rhel6-oval.xml output/unlinked-rhel6-oval.xml
xsltproc -o output/table-rhel6-stig.html transforms/xccdf2table-stig.xslt ../../shared/references/disa-stig-rhel6-v1r12-xccdf.xml
xsltproc -o output/table-rhel6-stig-manual.html transforms/xccdf2table-stig.xslt ../../shared/references/disa-stig-rhel6-v1r12-xccdf-manual.xml
xsltproc -stringparam profile "stig-rhel6-server-upstream" -stringparam testinfo "y" -o output/table-stig-rhel6-testinfo.html \
transforms/xccdf2table-profileccirefs.xslt output/xccdf-unlinked-final.xml
xsltproc -stringparam overlay "../input/auxiliary/stig_overlay.xml" -o output/unlinked-stig-rhel6-xccdf.xml \
transforms/xccdf-apply-overlay-stig.xslt output/xccdf-unlinked-final.xml
xsltproc -o output/table-rhel6-stig.html transforms/xccdf2table-stig.xslt output/unlinked-stig-rhel6-xccdf.xml
cp output/xccdf-unlinked-final.xml output/unlinked-rhel6-xccdf.xml
xsltproc -o output/unlinked-rhel6-xccdf-guide.xml transforms/xccdf-removeaux.xslt output/unlinked-rhel6-xccdf.xml
../../shared/utils/cpe-generate.py output/unlinked-rhel6-oval.xml input/oval/platform/rhel6-cpe-dictionary.xml ssg
../../shared/utils/relabel-ids.py unlinked-rhel6-xccdf.xml ssg
WARNING: OVAL check 'package_sssd_installed' was not found, removing <check-content> element from the XCCDF rule.
WARNING: OVAL check 'service_sssd_enabled' was not found, removing <check-content> element from the XCCDF rule.
WARNING: OVAL check 'sssd_memcache_timeout' was not found, removing <check-content> element from the XCCDF rule.
WARNING: OVAL check 'sssd_offline_cred_expiration' was not found, removing <check-content> element from the XCCDF rule.
WARNING: OVAL check 'sssd_ssh_known_hosts_timeout' was not found, removing <check-content> element from the XCCDF rule.
../../shared/utils/relabel-ids.py xccdf-unlinked-ocilrefs.xml ssg
WARNING: OVAL check 'package_sssd_installed' was not found, removing <check-content> element from the XCCDF rule.
WARNING: OVAL check 'service_sssd_enabled' was not found, removing <check-content> element from the XCCDF rule.
WARNING: OVAL check 'sssd_memcache_timeout' was not found, removing <check-content> element from the XCCDF rule.
WARNING: OVAL check 'sssd_offline_cred_expiration' was not found, removing <check-content> element from the XCCDF rule.
WARNING: OVAL check 'sssd_ssh_known_hosts_timeout' was not found, removing <check-content> element from the XCCDF rule.
xsltproc --stringparam reverse_DNS org.ssgproject.content /usr/share/openscap/xsl/xccdf_1.1_to_1.2.xsl \
output/ssg-rhel6-xccdf.xml > output/ssg-rhel6-xccdf-1.2.xml
sed -i 's/style="SCAP_1.1"/style="SCAP_1.2"/' output/ssg-rhel6-xccdf-1.2.xml
oscap ds sds-compose output/ssg-rhel6-xccdf-1.2.xml output/ssg-rhel6-ds.xml
File '/home/rpmbuild/new/scap-security-guide/RHEL/6/output/ssg-rhel6-ds.xml' line 21316: Element '{http://checklists.nist.gov/xccdf/1.2}select', attribute 'idref': 'dangling reference to package_vmware-tools-core_installed!' is not a valid value of the atomic type 'xs:NCName'.
File '/home/rpmbuild/new/scap-security-guide/RHEL/6/output/ssg-rhel6-ds.xml' line 21316: Element '{http://checklists.nist.gov/xccdf/1.2}select', attribute 'idref': Warning: No precomputed value available, the value was either invalid or something strange happend.
File '/home/rpmbuild/new/scap-security-guide/RHEL/6/output/ssg-rhel6-ds.xml' line 21716: Element '{http://checklists.nist.gov/xccdf/1.2}select', attribute 'idref': 'dangling reference to package_vmware-tools-core_installed!' is not a valid value of the atomic type 'xs:NCName'.
File '/home/rpmbuild/new/scap-security-guide/RHEL/6/output/ssg-rhel6-ds.xml' line 21716: Element '{http://checklists.nist.gov/xccdf/1.2}select', attribute 'idref': Warning: No precomputed value available, the value was either invalid or something strange happend.
<SNIP>
OpenSCAP Error: Unknown document type: 'ssg-rhel6-ocil.xml' [oscap_source.c:172]
Invalid SCAP Source Datastream (1.2) content in /home/rpmbuild/new/scap-security-guide/RHEL/6/output/ssg-rhel6-ds.xml. [oscap_source.c:268]
make: *** [content] Error 1
Is anyone able to point me in the direction of what I've missed?
Kind regards,
Michael Ward.
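Editor's note on the failure above: the validator rejects a profile `<select idref="dangling reference to package_vmware-tools-core_installed!">`, which is the form relabel-ids.py gives an idref it could not resolve to a Rule in the assembled benchmark, and it earlier reports several OVAL checks it could not find. Both are cross-reference failures between the XCCDF input, the OVAL input and the profile (for what it is worth, the guide.xslt in the post loads `xccdf/services/test.xml` while the rule file was written under `xccdf/system/`). The script below, an added example that is not from the post or from scap-security-guide, lints those two references ahead of `make`: every Profile `<select idref>` must name a Rule or Group, and every Rule `<oval id>` (or `<check-content-ref name>`, using SSG's short pre-relabel ids) must name an OVAL `<definition>`. The XCCDF and OVAL fragments embedded in it are constructed so it runs offline; point `lint()` at the real `output/xccdf-unlinked-final.xml` and `output/unlinked-rhel6-oval.xml` to use it on a tree.

```python
"""Lint SSG-style XCCDF and OVAL fragments for unresolved cross-references.

Added example, not from the mailing-list post or the scap-security-guide
project. It reports the two conditions the build log complains about:
a Profile <select idref> naming no Rule/Group, and a Rule referencing an
OVAL definition id that is absent from the merged OVAL document.
"""
import xml.etree.ElementTree as ET

# Constructed XCCDF fragment: the profile selects one rule that exists and one
# that does not (the dangling case); the second group references an OVAL
# definition that the constructed OVAL document below does not carry.
XCCDF_SAMPLE = """<Benchmark>
  <Profile id="common">
    <select idref="package_vmware-tools-core_installed" selected="true"/>
    <select idref="package_sssd_installed" selected="true"/>
  </Profile>
  <Group id="test">
    <Rule id="package_vmware-tools-core_installed" severity="medium">
      <oval id="package_vmware-tools-core_installed"/>
    </Rule>
  </Group>
  <Group id="services">
    <Rule id="service_sssd_enabled" severity="medium">
      <oval id="service_sssd_enabled"/>
    </Rule>
  </Group>
</Benchmark>"""

# Constructed OVAL def-group holding only one of the two definitions referenced above.
OVAL_SAMPLE = """<def-group>
  <definition class="compliance" id="package_vmware-tools-core_installed" version="1"/>
</def-group>"""


def _local(tag):
    """Strip a namespace, '{http://...}Rule' -> 'Rule', so the checks work on
    both SSG's un-namespaced inputs and the namespaced final benchmark."""
    return tag.rsplit('}', 1)[-1]


def _iter_named(root, name):
    """Yield every element under root (inclusive) whose local tag name is name."""
    for elem in root.iter():
        if _local(elem.tag) == name:
            yield elem


def collect_ids(root, *names):
    """Set of @id values carried by elements with any of the given local names."""
    return {e.get('id') for n in names for e in _iter_named(root, n) if e.get('id')}


def dangling_selects(xccdf_root):
    """(profile id, idref) pairs where the select names no Rule or Group.
    relabel-ids.py rewrites such idrefs to 'dangling reference to <id>!',
    which then fails XSD validation as an NCName, exactly as in the log."""
    targets = collect_ids(xccdf_root, 'Rule', 'Group')
    problems = []
    for profile in _iter_named(xccdf_root, 'Profile'):
        for sel in _iter_named(profile, 'select'):
            ref = sel.get('idref')
            if ref not in targets:
                problems.append((profile.get('id'), ref))
    return problems


def unresolved_oval_refs(xccdf_root, oval_root):
    """(rule id, oval id) pairs where the rule's <oval id> or
    <check-content-ref name> matches no <definition id> in the OVAL document."""
    definitions = collect_ids(oval_root, 'definition')
    problems = []
    for rule in _iter_named(xccdf_root, 'Rule'):
        refs = [e.get('id') for e in _iter_named(rule, 'oval')]
        refs += [e.get('name') for e in _iter_named(rule, 'check-content-ref')]
        for ref in refs:
            if ref and ref not in definitions:
                problems.append((rule.get('id'), ref))
    return problems


def lint(xccdf_text, oval_text):
    """Run both checks over XML strings and return the findings as a dict."""
    xccdf_root = ET.fromstring(xccdf_text)
    oval_root = ET.fromstring(oval_text)
    return {
        'dangling_selects': dangling_selects(xccdf_root),
        'unresolved_oval': unresolved_oval_refs(xccdf_root, oval_root),
    }


if __name__ == '__main__':
    report = lint(XCCDF_SAMPLE, OVAL_SAMPLE)
    for profile, ref in report['dangling_selects']:
        print(f"profile {profile}: select idref '{ref}' matches no Rule/Group")
    for rule, ref in report['unresolved_oval']:
        print(f"rule {rule}: OVAL definition '{ref}' not found")
```

Running it against the constructed input flags `package_sssd_installed` as a dangling select and `service_sssd_enabled` as an unresolved OVAL definition, the same two failure shapes the build log shows. On a real checkout, read the files with `open(...).read()` and run it before `make`; a clean report means `relabel-ids.py` will have nothing to rewrite into a dangling reference.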