Was playing with the repos tonight, really just doing a git clone and tinkering some to familiarize myself with the codebase. I did a make all and was looking at the outputs/rhel6-table-nistrefs.html.... all it has is the "desktop_baseline" header. Here's the process I used for the make. Note the warning in the output. Known bug, or am I doing something wrong?
First, I did a "make all"....

[shawn@localhost src]$ make all
xsltproc -o output/rhel6-shorthand.xml input/guide.xslt input/guide.xml
xmllint --format --output output/rhel6-shorthand.xml output/rhel6-shorthand.xml
xsltproc -o output/rhel6-xccdf.xml transforms/shorthand2xccdf.xslt output/rhel6-shorthand.xml
xmllint --format --output output/rhel6-xccdf.xml output/rhel6-xccdf.xml
xsltproc -o output/rhel6-table-nistrefs.html transforms/xccdf2table-nistrefs.xslt output/rhel6-xccdf.xml
oscap xccdf generate guide --profile allrules output/rhel6-xccdf.xml > output/rhel6-guide.html
WARNING: Processing an unresolved XCCDF document. This may have unexpected results.
I then took a look at the make file, and manually ran the command for xccdf2table-nistrefs (after verifying the syntax through the man page of xsltproc):
[shawn@localhost src]$ xsltproc -o output/rhel6-table-nistrefs.html transforms/xccdf2table-nistrefs.xslt output/rhel6-xccdf.xml
This should be fixed now. At one point, I had decided not to output profiles (in order to ensure oscap's prose guide generation would show all rules). But, the table transform was still expecting a particular profile (which is logical). So now we've got another Make rule and transform to add in profiles as directed.
Try a git pull, and give it another shot. Feedback is appreciated.
Please keep in mind that this is primarily an example of what can be derived from a common body of XCCDF content, not a polished product.
Some of the text elements in the spreadsheet are derived from the USGCB work, which occasionally made direct use of CCE descriptions (which could be a bit wacky at times). I plan to replace much of this language with more comprehensible prose, but will of course retain CCE references. Anyone who would still want the CCE descriptions could then programmatically grab them, since the CCE ref is still there.
On 10/25/2011 10:55 PM, Shawn Wells wrote:
Was playing with the repos tonight, really just doing a git clone and tinkering some to familiarize myself with the codebase. I did a make all and was looking at the outputs/rhel6-table-nistrefs.html.... all it has is the "desktop_baseline" header. Here's the process I used for the make. Note the warning in the output. Known bug, or am I doing something wrong?
First, I did a "make all"....

[shawn@localhost src]$ make all
xsltproc -o output/rhel6-shorthand.xml input/guide.xslt input/guide.xml
xmllint --format --output output/rhel6-shorthand.xml output/rhel6-shorthand.xml
xsltproc -o output/rhel6-xccdf.xml transforms/shorthand2xccdf.xslt output/rhel6-shorthand.xml
xmllint --format --output output/rhel6-xccdf.xml output/rhel6-xccdf.xml
xsltproc -o output/rhel6-table-nistrefs.html transforms/xccdf2table-nistrefs.xslt output/rhel6-xccdf.xml
oscap xccdf generate guide --profile allrules output/rhel6-xccdf.xml > output/rhel6-guide.html
WARNING: Processing an unresolved XCCDF document. This may have unexpected results.
I then took a look at the make file, and manually ran the command for xccdf2table-nistrefs (after verifying the syntax through the man page of xsltproc):
[shawn@localhost src]$ xsltproc -o output/rhel6-table-nistrefs.html transforms/xccdf2table-nistrefs.xslt output/rhel6-xccdf.xml
scap-security-guide mailing list scap-security-guide@lists.fedorahosted.org https://fedorahosted.org/mailman/listinfo/scap-security-guide
On 10/26/2011 07:42 PM, Jeffrey Blank wrote:
This should be fixed now. At one point, I had decided not to output profiles (in order to ensure oscap's prose guide generation would show all rules). But, the table transform was still expecting a particular profile (which is logical).
However, <Profile>s in XCCDF are optional (as is IMO appropriate and acknowledged by NIST SP 800-126 section 3.2.3).
Ah -- didn't recall that from the spec.
The purpose of the table (and scripts which generate it) is to allow an organization to see at a glance whether/how a particular profile's Rules enabled compliance with a particular set of NIST (or whoever's) requirements. The basic idea was for XCCDF authors to embed each reference to a formal policy doc (using the reference tag, or a vastly simplified macro for it) with each Rule, and then folks could transform as needed. So far, refs have only been added for 800-53, but it could be done for others.
I'm totally with you on the optional-ness of this, and also being able to select/transform any other part of the content. After all, the project will only be able to "stay upstream" by providing anybody the tools they'd want, in order to customize/transform the content.
The new transforms (with only a little adjustment) should allow easy insertion of any profile that's defined in the profiles directory (or even for folks who want to make their own "private" ones and insert/test it easily privately).
On 10/26/2011 07:50 PM, Gary Gapinski wrote:
On 10/26/2011 07:42 PM, Jeffrey Blank wrote:
This should be fixed now. At one point, I had decided not to output profiles (in order to ensure oscap's prose guide generation would show all rules). But, the table transform was still expecting a particular profile (which is logical).
However, <Profile>s in XCCDF are optional (as is IMO appropriate and acknowledged by NIST SP 800-126 section 3.2.3).
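An added example, not part of the thread or of the project's code: the thread's failure mode (a reference table that comes out empty because the transform expects a Profile the XCCDF does not contain) sketched in Python rather than the project's XSLT. The sample benchmark, rule ids and reference values are constructed, the XCCDF 1.1 namespace is assumed, and Group-level selection is ignored for brevity.

```python
import xml.etree.ElementTree as ET

NS = {"x": "http://checklists.nist.gov/xccdf/1.1"}  # assumed XCCDF 1.1 namespace

# Constructed, trimmed benchmark (not schema-complete); ids and refs are made up.
SAMPLE = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="sample">
  <Profile id="desktop_baseline">
    <select idref="rule_a" selected="true"/>
    <select idref="rule_b" selected="false"/>
  </Profile>
  <Group id="grp">
    <Rule id="rule_a" selected="false">
      <reference>AC-3</reference>
    </Rule>
    <Rule id="rule_b" selected="true">
      <reference>AU-2</reference>
      <reference>CM-6</reference>
    </Rule>
  </Group>
</Benchmark>"""


def nist_table(xccdf_text, profile_id=None):
    """Return [(rule_id, [reference, ...])] for the rules that are selected.

    With profile_id=None the Rules' own 'selected' attributes decide, so a
    benchmark without any <Profile> still yields a full table. A requested
    profile that is missing raises instead of producing an empty table.
    """
    root = ET.fromstring(xccdf_text)
    overrides = {}
    if profile_id is not None:
        profile = next((p for p in root.findall("x:Profile", NS)
                        if p.get("id") == profile_id), None)
        if profile is None:
            raise LookupError(f"no Profile {profile_id!r} in benchmark")
        # <select> entries in the profile override each Rule's default.
        overrides = {s.get("idref"): s.get("selected")
                     for s in profile.findall("x:select", NS)}
    rows = []
    for rule in root.iter("{%s}Rule" % NS["x"]):
        # A Rule's 'selected' attribute defaults to true when absent.
        selected = overrides.get(rule.get("id"), rule.get("selected", "true"))
        if selected in ("true", "1"):
            refs = [r.text.strip() for r in rule.findall("x:reference", NS) if r.text]
            rows.append((rule.get("id"), refs))
    return rows
```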