On 08/20/2012 04:42 PM, Gary Gapinski wrote:
> I did a quick check of the generated content against the SCAP Content Validation Tool http://scap.nist.gov/revision/1.1/index.html#validation.
Fantastic -- thanks for the testing!
> I first created CPE definition and OVAL documents (available when needed; I can check them into the project after I grok proper commit conduct). These are unfortunately required for conformance with SP 800-126.
I thought my patch from last week took care of generating those? (in the script transforms/cpe_generate.py, and new directory input/checks/platform)
The output files should be in: http://people.redhat.com/swells/scap-security-guide/RHEL6/output/
(There's a weird bug where one of the OVAL definitions (qpid) got flagged as inventory but it should be fixed now (if you pull a clean clone).)
> I then noticed that the OVAL ids are not in OVAL format, so further validation attempts will have to await assignment of OVAL-conformant identifiers.
Could you elaborate? I certainly played some games with identifiers during development, but I thought we got final output right.
The file rhel6-oval.xml isn't in proper OVAL format, but rhel6-oval-scap-security-guide.xml has the IDs properly assigned. This was done on purpose, so that any org could easily assign an ID, and developers would never have to see pointless numeric designators and duplicative org designators. (But maybe we've got something else wrong.) And admittedly, this isn't apparent at a glance.
But it's what the make rule for "content:" does here: http://people.redhat.com/swells/scap-security-guide/RHEL6/Makefile
> Also noticed: xsi:schemaLocation attributes in XCCDF and OVAL documents should cite "canonical" URIs for desired schema documents rather than document-relative citations they do currently, e.g.,
> xsi:schemaLocation=" http://oval.mitre.org/XMLSchema/oval-common-5 http://oval.mitre.org/language/version5.8/ovaldefinition/complete/oval-commo... http://oval.mitre.org/XMLSchema/oval-definitions-5 http://oval.mitre.org/language/version5.8/ovaldefinition/complete/oval-defin... http://oval.mitre.org/XMLSchema/oval-definitions-5#independent http://oval.mitre.org/language/version5.8/ovaldefinition/complete/independen... http://oval.mitre.org/XMLSchema/oval-definitions-5#linux http://oval.mitre.org/language/version5.8/ovaldefinition/complete/linux-defi... http://oval.mitre.org/XMLSchema/oval-definitions-5#unix http://oval.mitre.org/language/version5.8/ovaldefinition/complete/unix-defin...
> As such, the documents cannot be validated using the supplied xsi:schemaLocation attributes. For those who cannot use direct web references, XML Catalog (examples also available) can be used to employ local copies in lieu of direct references.
> And, an OVAL version (presumably 5.8 or later) should be selected.
Ah, okay, I think I understand this. I've opened a ticket since it seems like something that should be addressed to support validation. Whoever addresses it may want to consider whether these should be controlled in some kind of global constants file (for the python scripts and the XSLT transforms, perhaps similarly to constants.xslt). Or not. The OVAL header is supplied in transforms/combinechecks.py; the XCCDF header is in input/guide.xml.
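The two problems raised in the thread (ids that are not OVAL-conformant, and xsi:schemaLocation entries that point at document-relative files instead of canonical URIs) can both be caught with a quick pre-validation pass before handing the output to the NIST tool. The following is an added example, not code from scap-security-guide; the sample document, its ids and the relative schema path are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

XSI = "http://www.w3.org/2001/XMLSchema-instance"

# OVAL 5.x id pattern from the oval-common schema: oval:<org>:<type>:<positive int>
OVAL_ID = re.compile(r"^oval:[A-Za-z0-9_\-\.]+:(def|tst|obj|ste|var):[1-9][0-9]*$")


def bad_oval_ids(xml_text):
    """Return every id attribute in the document that is not OVAL-conformant."""
    root = ET.fromstring(xml_text)
    return [el.get("id") for el in root.iter()
            if el.get("id") is not None and not OVAL_ID.match(el.get("id"))]


def non_canonical_schema_locations(xml_text):
    """Return (namespace, location) pairs from the root xsi:schemaLocation
    whose location is not an absolute http(s) URI (i.e. document-relative)."""
    root = ET.fromstring(xml_text)
    tokens = root.get("{%s}schemaLocation" % XSI, "").split()
    pairs = list(zip(tokens[0::2], tokens[1::2]))  # schemaLocation is ns/URI pairs
    return [(ns, loc) for ns, loc in pairs if not re.match(r"^https?://", loc)]


# Constructed sample: one relative schema path and one developer-friendly id
# (the style used in rhel6-oval.xml before the make rule assigns OVAL ids).
SAMPLE = """<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd
      http://oval.mitre.org/XMLSchema/oval-common-5 http://oval.mitre.org/language/version5.8/ovaldefinition/complete/oval-common-schema.xsd">
  <definitions>
    <definition id="oval:ssg:def:1" version="1" class="compliance"/>
    <definition id="package_qpid_removed" version="1" class="compliance"/>
  </definitions>
</oval_definitions>
"""

if __name__ == "__main__":
    for bad in bad_oval_ids(SAMPLE):
        print("non-OVAL id:", bad)
    for ns, loc in non_canonical_schema_locations(SAMPLE):
        print("relative schemaLocation for %s: %s" % (ns, loc))
```

Run it against rhel6-oval-scap-security-guide.xml (and the XCCDF) and an empty result for both functions means the document is at least addressable by the validator's schema resolution; an XML Catalog can then map the canonical URIs to local copies.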