For our viewers at home who are seeing some of the recent commits and wondering what's up:
In the "shorthand XCCDF" in input/system and input/services, we've got stuff like:
<ocil><package-check-macro package="xinetd" /> </ocil>
The package-remove-macro (and many other macros) are defined in transforms/shorthand2xccdf.xslt, which inserts the lines of text that you'd expect to see for a manual check. In this case, it's text that describes how you'd check to see whether that package is installed. See:
<xsl:template match="package-check-macro"> Run the following command to determine if the xhtml:code<xsl:value-of select="@package"/></xhtml:code> package is installed: xhtml:pre# rpm -q <xsl:value-of select="@package"/> </xhtml:pre> </xsl:template>
This way, if we need to change the language in the entire project that describes how you check for a package being installed, it's easy to do at once.
There is also support for adding boilerplate remarks with the text, by providing the conditional clause which describes non-compliance. This clause can be provided by adding a clause= attribute to the ocil tag. (And yes, other transforms take care of generating the 100 lines of XML that make it proper OCIL.)
A commit I've just made takes care of also adding that clause= attribute automatically, for those checks which contain a macro. An example of all of this coming together is in RHEL6/output/rhel6-table-stig-server-shorttitles.html (don't forget to git pull; make tables)
scap-security-guide@lists.fedorahosted.org