I did a quick check of the generated content against the SCAP Content Validation Tool http://scap.nist.gov/revision/1.1/index.html#validation.
I first created CPE definition and OVAL documents (available when needed; I can check into the project after I grok proper commit conduct). These are unfortunately required for conformance with SP 800-126.
I then noticed that the OVAL ids are not in OVAL format, so further validation attempts will have to await assignment of OVAL-conformant identifiers.
Also noticed: xsi:schemaLocation attributes in XCCDF and OVAL documents should cite "canonical" URIs for desired schema documents rather than document-relative citations they do currently, e.g.,
xsi:schemaLocation=" http://oval.mitre.org/XMLSchema/oval-common-5 http://oval.mitre.org/language/version5.8/ovaldefinition/complete/oval-commo... http://oval.mitre.org/XMLSchema/oval-definitions-5 http://oval.mitre.org/language/version5.8/ovaldefinition/complete/oval-defin... http://oval.mitre.org/XMLSchema/oval-definitions-5#independent http://oval.mitre.org/language/version5.8/ovaldefinition/complete/independen... http://oval.mitre.org/XMLSchema/oval-definitions-5#linux http://oval.mitre.org/language/version5.8/ovaldefinition/complete/linux-defi... http://oval.mitre.org/XMLSchema/oval-definitions-5#unix http://oval.mitre.org/language/version5.8/ovaldefinition/complete/unix-defin...
As such, the documents cannot be validated using the supplied xsi:schemaLocation attributes. For those who cannot use direct web references, XML Catalog (examples also available) can be used to employ local copies in lieu of direct references.
And, an OVAL version (presumably 5.8 or later) should be selected.
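As an added illustration of the two conformance points raised above (OVAL-format identifiers and absolute schema locations), the following script is not part of the thread or the scap-security-guide project; it runs a small constructed OVAL fragment through two checks that mirror what the SCAP Content Validation Tool would flag. The element and id names in the sample are made up for the example.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# OVAL 5.x identifier form from the OVAL language spec: oval:<org>:<type>:<n>
OVAL_ID_RE = re.compile(r"^oval:[A-Za-z0-9_\-\.]+:(def|tst|obj|ste|var):[1-9][0-9]*$")
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"

# Constructed sample (not project output): one conformant id, one ad-hoc id,
# and a schemaLocation that mixes a canonical URI with a document-relative path.
SAMPLE = """<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5 http://oval.mitre.org/language/version5.8/ovaldefinition/complete/oval-definitions-schema.xsd
                      http://oval.mitre.org/XMLSchema/oval-definitions-5#linux ../schemas/linux-definitions-schema.xsd">
  <definitions>
    <definition id="oval:ssg:def:1" version="1" class="compliance"/>
    <definition id="sshd_disable_root_login" version="1" class="compliance"/>
  </definitions>
</oval_definitions>
"""

def check_oval_ids(xml_text):
    """Return every id attribute whose form is not an OVAL identifier."""
    root = ET.fromstring(xml_text)
    bad = []
    for elem in root.iter():
        ident = elem.get("id")
        if ident is not None and not OVAL_ID_RE.match(ident):
            bad.append(ident)
    return bad

def check_schema_location(xml_text):
    """Return (namespace, location) pairs whose location is not an absolute URI."""
    root = ET.fromstring(xml_text)
    value = root.get("{%s}schemaLocation" % XSI_NS, "")
    tokens = value.split()
    # xsi:schemaLocation is a whitespace-separated list of namespace/location pairs
    pairs = list(zip(tokens[0::2], tokens[1::2]))
    return [(ns, loc) for ns, loc in pairs if not urlparse(loc).scheme]

if __name__ == "__main__":
    print("non-conformant ids:", check_oval_ids(SAMPLE))
    print("relative schema locations:", check_schema_location(SAMPLE))
```

A validator resolving the relative location would look beside the document rather than at the canonical schema, which is why the thread asks for absolute URIs (or an XML Catalog mapping them to local copies).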
On 08/20/2012 04:42 PM, Gary Gapinski wrote:
I did a quick check of the generated content against the SCAP Content Validation Tool http://scap.nist.gov/revision/1.1/index.html#validation.
Fantastic -- thanks for the testing!
I first created CPE definition and OVAL documents (available when needed; I can check into the project after I grok proper commit conduct). These are unfortunately required for conformance with SP 800-126.
I thought my patch from last week took care of generating those? (in the script transforms/cpe_generate.py, and new directory input/checks/platform)
The output files should be in: http://people.redhat.com/swells/scap-security-guide/RHEL6/output/
(There's a weird bug where one of the OVAL definitions (qpid) got flagged as inventory but it should be fixed now (if you pull a clean clone).)
I then noticed that the OVAL ids are not in OVAL format, so further validation attempts will have to await assignment of OVAL-conformant identifiers.
Could you elaborate? I certainly played some games with identifiers during development, but I thought we got final output right.
The file rhel6-oval.xml isn't in proper OVAL format, but rhel6-oval-scap-security-guide.xml has the IDs properly assigned. This was done on purpose, so that any org could easily assign an ID, and developers would never have to see pointless numeric designators and duplicative org designators. (But maybe we've got something else wrong.) And admittedly, this isn't apparent at a glance.
But it's what the Makerule for "content:" does here: http://people.redhat.com/swells/scap-security-guide/RHEL6/Makefile
Also noticed: xsi:schemaLocation attributes in XCCDF and OVAL documents should cite "canonical" URIs for desired schema documents rather than document-relative citations they do currently, e.g.,
xsi:schemaLocation=" http://oval.mitre.org/XMLSchema/oval-common-5 http://oval.mitre.org/language/version5.8/ovaldefinition/complete/oval-commo... http://oval.mitre.org/XMLSchema/oval-definitions-5 http://oval.mitre.org/language/version5.8/ovaldefinition/complete/oval-defin... http://oval.mitre.org/XMLSchema/oval-definitions-5#independent http://oval.mitre.org/language/version5.8/ovaldefinition/complete/independen... http://oval.mitre.org/XMLSchema/oval-definitions-5#linux http://oval.mitre.org/language/version5.8/ovaldefinition/complete/linux-defi... http://oval.mitre.org/XMLSchema/oval-definitions-5#unix http://oval.mitre.org/language/version5.8/ovaldefinition/complete/unix-defin...
As such, the documents cannot be validated using the supplied xsi:schemaLocation attributes. For those who cannot use direct web references, XML Catalog (examples also available) can be used to employ local copies in lieu of direct references.
And, an OVAL version (presumably 5.8 or later) should be selected.
Ah, okay, I think I understand this. I've opened a ticket since it seems like something that should be addressed to support validation. Whoever addresses it may want to consider whether these should be controlled in some kind of global constants file (for the python scripts and the XSLT transforms, perhaps similarly to constants.xslt.). Or not. The OVAL header is supplied in transforms/combinechecks.py; the XCCDF header is in input/guide.xml.
On 08/21/2012 10:29 AM, Jeffrey Blank wrote:
On 08/20/2012 04:42 PM, Gary Gapinski wrote:
I did a quick check of the generated content against the SCAP Content Validation Tool http://scap.nist.gov/revision/1.1/index.html#validation.
Fantastic -- thanks for the testing!
I first created CPE definition and OVAL documents (available when needed; I can check into the project after I grok proper commit conduct). These are unfortunately required for conformance with SP 800-126.
I thought my patch from last week took care of generating those? (in the script transforms/cpe_generate.py, and new directory input/checks/platform)
The output files should be in: http://people.redhat.com/swells/scap-security-guide/RHEL6/output/
(There's a weird bug where one of the OVAL definitions (qpid) got flagged as inventory but it should be fixed now (if you pull a clean clone).)
I see them at that URI but they do not appear to be generated in RHEL6/output by "make tables".
I then noticed that the OVAL ids are not in OVAL format, so further validation attempts will have to await assignment of OVAL-conformant identifiers.
Could you elaborate? I certainly played some games with identifiers during development, but I thought we got final output right.
The file rhel6-oval.xml isn't in proper OVAL format, but rhel6-oval-scap-security-guide.xml has the IDs properly assigned. This was done on purpose, so that any org could easily assign an ID, and developers would never have to see pointless numeric designators and duplicative org designators. (But maybe we've got something else wrong.) And admittedly, this isn't apparent at a glance.
But it's what the Makerule for "content:" does here: http://people.redhat.com/swells/scap-security-guide/RHEL6/Makefile
"make content" creates them - I had neglected to use that.
I had also unfortunately used rhel6-oval.xml - I'll re-run with the other documents.
indeed, that's high on the todo list (with a lot of other things right now).
thanks again for sharing with everybody and doing this. i'll try to check out the output when i've got a bit more time later today.
On 08/21/2012 10:48 AM, Gary Gapinski wrote:
On 08/21/2012 10:39 AM, Gary Gapinski wrote:
I had also unfortunately used rhel6-oval.xml - I'll re-run with the other documents.
Initial output is attached.
I had to rename the documents to conform to SP 800-126r1 §3.1.
scap-security-guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
On 08/20/2012 04:42 PM, Gary Gapinski wrote:
For those who cannot use direct web references, XML Catalog (examples also available) can be used to employ local copies in lieu of direct references.
I've created an example XML Catalog for XCCDF et al. at https://github.com/GaryGapinski/sacm-xml-catalog/wiki (repository: https://github.com/GaryGapinski/sacm-xml-catalog).
This of course relies on the citation of "canonical" URIs (e.g., "http://scap.nist.gov/schema/xccdf/1.2/xccdf_1.2.xsd") for schemata in xsi:schemaLocation attributes.
Regards,
Gary