I've moved the namespace-assignment templates from shorthand2xccdf.xslt to xccdf-addnamespaces.xslt (which is itself a renamed version of the transform Simon provided to us, to place all un-namespaced elements into the XCCDF namespace). This refactoring seemed to make sense, as it separates the macro expansion activities from the namespace assignment activities.
Going forward, I plan to explore:
A. Deleting the xccdf-addprofiles.xslt transform entirely, in favor of simply including its functionality directly in input/guide.xslt.
B. Further simplification of some of the lines in shorthand2xccdf.xslt, with use of "{}" etc to further shorten overall number of lines.
C. Activating (perhaps using xsl:import and @mode) the namespace-specific transformations currently in xccdf-addnamespace.xslt from within shorthand2xccdf.xslt. This would have the benefit of actually producing XCCDF, as the name shorthand2xccdf already suggests...
This would also help simplify the Makefile.
Jeffrey Blank (3):
  refactoring of XCCDF shorthand expansion and namespace assignments
  removing namespaces from no-namespace fragments, transforms
  renaming namespace addition file, as part of refactoring

 RHEL6/Makefile | 4 +-
 RHEL6/input/profiles/CS2.xml | 2 +-
 RHEL6/input/profiles/common.xml | 2 +-
 RHEL6/input/profiles/desktop.xml | 2 +-
 RHEL6/input/profiles/fisma-medium-rhel6-server.xml | 2 +-
 RHEL6/input/profiles/nist-CL-IL-AL.xml | 2 +-
 RHEL6/input/profiles/server.xml | 2 +-
 RHEL6/input/profiles/stig-rhel6-server.xml | 2 +-
 RHEL6/input/profiles/test.xml | 2 +-
 RHEL6/input/profiles/usgcb-rhel6-server.xml | 2 +-
 RHEL6/transforms/add_xccdf_namespace.xslt | 15 ---
 RHEL6/transforms/shorthand2xccdf.xslt | 108 ++++----------------
 RHEL6/transforms/xccdf-addnamespaces.xslt | 49 +++++++++
 RHEL6/transforms/xccdf-addprofiles.xslt | 6 +-
 14 files changed, 81 insertions(+), 119 deletions(-)
 delete mode 100644 RHEL6/transforms/add_xccdf_namespace.xslt
 create mode 100644 RHEL6/transforms/xccdf-addnamespaces.xslt
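An added example, not part of the thread or of the project's code: a standard-library Python check for the invariant this refactoring relies on, namely that after the namespace pass no element is left without a namespace, no tt survives, and the XHTML element names sit in the XHTML namespace. The two sample documents are constructed for illustration, and the function name audit_namespaces is hypothetical.

```python
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"
XHTML_NS = "http://www.w3.org/1999/xhtml"
# Element names that xccdf-addnamespaces.xslt (in the patch below) maps to XHTML.
XHTML_NAMES = {"table", "tr", "th", "td", "ul", "li", "ol",
               "code", "strong", "b", "em", "i", "pre", "br", "hr"}


def split_tag(tag):
    """Split ElementTree's '{namespace}local' tag form into (namespace, local)."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag


def audit_namespaces(xml_text):
    """Return (problem, element-name) pairs, in document order, for a built file."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        ns, local = split_tag(elem.tag)
        if ns == "":
            # The catch-all template should have moved this into the XCCDF namespace.
            findings.append(("no-namespace", local))
        elif local == "tt":
            # tt is expected to be rewritten to xhtml:code (or stripped in titles).
            findings.append(("tt-not-converted", local))
        elif local in XHTML_NAMES and ns != XHTML_NS:
            findings.append(("xhtml-name-in-wrong-namespace", local))
    return findings


# Constructed sample: what the pipeline output is expected to look like.
GOOD = f"""<Benchmark xmlns="{XCCDF_NS}" xmlns:xhtml="{XHTML_NS}" id="demo">
  <Profile id="test"><title>test</title></Profile>
  <Rule id="r1" selected="false">
    <description>Set <xhtml:code>x</xhtml:code></description>
  </Rule>
</Benchmark>"""

# Constructed sample: a fragment that skipped the namespace pass (xmlns=""),
# a leftover tt, and a code element that inherited the XCCDF default namespace.
BAD = f"""<Benchmark xmlns="{XCCDF_NS}" id="demo">
  <Profile xmlns="" id="test"><title>test</title></Profile>
  <Rule id="r1">
    <description>Set <tt xmlns="{XHTML_NS}">x</tt> and <code>y</code></description>
  </Rule>
</Benchmark>"""

if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_namespaces(doc))
```

Run against the file produced by the namespace step, an empty list means every element ended up in a namespace before `oscap xccdf resolve` sees it.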
Signed-off-by: Jeffrey Blank blank@eclipse.ncsc.mil --- RHEL6/Makefile | 4 +- RHEL6/transforms/shorthand2xccdf.xslt | 108 +++++------------------------ RHEL6/transforms/xccdf-addnamespaces.xslt | 49 +++++++++++++ 3 files changed, 69 insertions(+), 92 deletions(-) create mode 100644 RHEL6/transforms/xccdf-addnamespaces.xslt
diff --git a/RHEL6/Makefile b/RHEL6/Makefile index d34b127..9515051 100644 --- a/RHEL6/Makefile +++ b/RHEL6/Makefile @@ -14,10 +14,10 @@ shorthand-guide: xmllint --format --output $(OUT)/rhel6-shorthand.xml $(OUT)/rhel6-shorthand.xml
shorthand2xccdf: shorthand-guide - xsltproc -o $(OUT)/unlinked-unresolved-noprofiles-rhel6-shorthand.xml $(TRANS)/shorthand2xccdf.xslt $(OUT)/rhel6-shorthand.xml - xsltproc -o $(OUT)/unlinked-unresolved-noprofiles-rhel6-xccdf.xml $(TRANS)/add_xccdf_namespace.xslt $(OUT)/unlinked-unresolved-noprofiles-rhel6-shorthand.xml + xsltproc -o $(OUT)/unlinked-unresolved-noprofiles-rhel6-xccdf.xml $(TRANS)/shorthand2xccdf.xslt $(OUT)/rhel6-shorthand.xml xsltproc -stringparam profile "allprofiles" -o $(OUT)/unlinked-unresolved-rhel6-xccdf.xml \ $(TRANS)/xccdf-addprofiles.xslt $(OUT)/unlinked-unresolved-noprofiles-rhel6-xccdf.xml + xsltproc -o $(OUT)/unlinked-unresolved-rhel6-xccdf.xml $(TRANS)/xccdf-addnamespaces.xslt $(OUT)/unlinked-unresolved-rhel6-xccdf.xml oscap xccdf resolve -o $(OUT)/unlinked-rhel6-xccdf.xml $(OUT)/unlinked-unresolved-rhel6-xccdf.xml # xsltproc -stringparam profile "stig-rhel6-server" -o $(OUT)/unlinked-rhel6-xccdf.xml \ # $(TRANS)/xccdf-addrefs.xslt $(OUT)/unlinked-rhel6-xccdf.xml diff --git a/RHEL6/transforms/shorthand2xccdf.xslt b/RHEL6/transforms/shorthand2xccdf.xslt index 39f6741..2b47121 100644 --- a/RHEL6/transforms/shorthand2xccdf.xslt +++ b/RHEL6/transforms/shorthand2xccdf.xslt @@ -1,24 +1,20 @@ <?xml version="1.0"?> <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" -xmlns:xccdf="http://checklists.nist.gov/xccdf/1.1" -xmlns:xhtml="http://www.w3.org/1999/xhtml" -xmlns:dc="http://purl.org/dc/elements/1.1/" -xmlns:date="http://exslt.org/dates-and-times" extension-element-prefixes="date" -exclude-result-prefixes="xccdf xhtml dc"> + xmlns:xccdf="http://checklists.nist.gov/xccdf/1.1" + xmlns:xhtml="http://www.w3.org/1999/xhtml" + xmlns:dc="http://purl.org/dc/elements/1.1/" + xmlns:date="http://exslt.org/dates-and-times" extension-element-prefixes="date" + exclude-result-prefixes="xccdf xhtml dc">
<xsl:include href="constants.xslt"/>
<xsl:variable name="ovalfile">unlinked-rhel6-oval.xml</xsl:variable> - <xsl:variable name="defaultseverity" select="'low'" />
- - <!-- Content:template --> - <xsl:template match="Benchmark"> - xsl:copy - <xsl:apply-templates select="@*|node()" /> - </xsl:copy> - </xsl:template> + <!-- This transform takes a "shorthand" variant of XCCDF + and expands its elements into proper XCCDF elements, + except (notably) it does not assign namespaces. This is handled + in another transform. -->
<!-- insert current date --> <xsl:template match="Benchmark/status/@date"> @@ -63,6 +59,10 @@ exclude-result-prefixes="xccdf xhtml dc"> </xsl:copy> </xsl:template>
+ <!-- XHTML, such as tt, is not allowed in titles --> + <xsl:template match="title/tt"> + <xsl:apply-templates select="@*|node()" /> + </xsl:template>
<!-- expand reference to ident types --> <xsl:template match="Rule/ident"> @@ -223,13 +223,6 @@ exclude-result-prefixes="xccdf xhtml dc"> </reference> </xsl:template>
- <xsl:template match="@*|node()"> - xsl:copy - <xsl:apply-templates select="@*|node()" /> - </xsl:copy> - </xsl:template> - -
<!-- convenience macros for XCCDF prose --> <xsl:template match="sysctl-desc-macro"> @@ -445,76 +438,11 @@ If the system is configured to audit this activity, it will return a line. </xsl:if> </xsl:template>
- - <!-- CORRECTING TERRIBLE ABUSE OF NAMESPACES BELOW --> - <!-- (expanding xhtml tags back into the xhtml namespace) --> - <xsl:template match="br"> - <xhtml:br /> - </xsl:template> - - <xsl:template match="ul"> - xhtml:ul - <xsl:apply-templates select="@*|node()" /> - </xhtml:ul> - </xsl:template> - - <xsl:template match="li"> - xhtml:li - <xsl:apply-templates select="@*|node()" /> - </xhtml:li> - </xsl:template> - - <xsl:template match="tt"> - xhtml:code - <xsl:apply-templates select="@*|node()" /> - </xhtml:code> - </xsl:template> - - - <!-- remove use of tt in titles; xhtml in titles is not allowed --> - <xsl:template match="title/tt"> - <xsl:apply-templates select="@*|node()" /> - </xsl:template> - - <xsl:template match="code"> - xhtml:code - <xsl:apply-templates select="@*|node()" /> - </xhtml:code> - </xsl:template> - - <xsl:template match="strong"> - xhtml:strong - <xsl:apply-templates select="@*|node()" /> - </xhtml:strong> - </xsl:template> - - <xsl:template match="b"> - xhtml:b - <xsl:apply-templates select="@*|node()" /> - </xhtml:b> - </xsl:template> - - <xsl:template match="em"> - xhtml:em - <xsl:apply-templates select="@*|node()" /> - </xhtml:em> - </xsl:template> - - <xsl:template match="i"> - xhtml:i - <xsl:apply-templates select="@*|node()" /> - </xhtml:i> - </xsl:template> - - <xsl:template match="ol"> - xhtml:ol - <xsl:apply-templates select="@*|node()" /> - </xhtml:ol> + <!-- identity transform: pass anything else through --> + <xsl:template match="@*|node()"> + xsl:copy + <xsl:apply-templates select="@*|node()" /> + </xsl:copy> </xsl:template>
- <xsl:template match="pre"> - xhtml:pre - <xsl:apply-templates select="@*|node()" /> - </xhtml:pre> - </xsl:template> </xsl:stylesheet> diff --git a/RHEL6/transforms/xccdf-addnamespaces.xslt b/RHEL6/transforms/xccdf-addnamespaces.xslt new file mode 100644 index 0000000..b27dbb8 --- /dev/null +++ b/RHEL6/transforms/xccdf-addnamespaces.xslt 
@@ -0,0 +1,49 @@ +<?xml version="1.0"?> +<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" + xmlns:xccdf="http://checklists.nist.gov/xccdf/1.1" + xmlns:dc="http://purl.org/dc/elements/1.1/" + xmlns:xhtml="http://www.w3.org/1999/xhtml" + exclude-result-prefixes="xccdf dc xhtml"> + + <!-- This transform places elements into the correct namespaces, + so that content authors never have to bother with them. + XHTML elements are explicitly identified and the xhtml + namespace is added. Any element with an empty namespace + is assigned to the xccdf namespace. --> + + <!-- table and list-related xhtml --> + <xsl:template match="table | tr | th | td | ul | li | ol"> + <xsl:element name="{local-name()}" namespace="http://www.w3.org/1999/xhtml%22%3E + <xsl:apply-templates select="@*|node()"/> + </xsl:element> + </xsl:template> + + <!-- general formatting xhtml --> + <xsl:template match="code | strong | b | em | i | pre | br | hr"> + <xsl:element name="{local-name()}" namespace="http://www.w3.org/1999/xhtml%22%3E + <xsl:apply-templates select="@*|node()"/> + </xsl:element> + </xsl:template> + + <!-- convert tt to code, which seems better-supported --> + <xsl:template match="tt"> + xhtml:code + <xsl:apply-templates select="@*|node()"/> + </xhtml:code> + </xsl:template> + + <!-- if no namespace is indicated, put into xccdf namespace--> + <xsl:template match="*[namespace-uri()='']" priority="-1"> + <xsl:element name="{local-name()}" namespace="http://checklists.nist.gov/xccdf/1.1%22%3E + <xsl:apply-templates select="node()|@*"/> + </xsl:element> + </xsl:template> + + <!-- pass everything else through --> + <xsl:template match="@*|node()" priority="-2"> + xsl:copy + <xsl:apply-templates select="@*|node()"/> + </xsl:copy> + </xsl:template> + +</xsl:stylesheet>
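Review bot: In the RHEL6/Makefile hunk, the added xccdf-addnamespaces.xslt step passes $(OUT)/unlinked-unresolved-rhel6-xccdf.xml as both the -o output and the input, so the un-namespaced intermediate is overwritten and cannot be inspected if the following oscap xccdf resolve step fails. The files named ...-noprofiles-rhel6-xccdf.xml and, until this step runs, ...-unresolved-rhel6-xccdf.xml now also hold un-namespaced content despite the xccdf in their names. Suggest writing the xccdf-addprofiles.xslt result to a distinct intermediate name and letting the namespace step be the one that produces unlinked-unresolved-rhel6-xccdf.xml.

Review bot: In the new xccdf-addnamespaces.xslt, the priority="-1" on the *[namespace-uri()=''] template and priority="-2" on the pass-through template carry the logic but are not explained. A pattern with a predicate has default priority 0.5 and a plain name test has 0, so without the explicit -1 the catch-all would outrank the XHTML name templates and ul, li, code and the rest would land in the XCCDF namespace. Suggest a comment saying so next to the priority attributes. As a style point, the tt template emits a literal prefixed xhtml:code element while every other XHTML template uses xsl:element with a namespace attribute; using xsl:element with name="code" there would keep the output serialization consistent.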
Signed-off-by: Jeffrey Blank blank@eclipse.ncsc.mil --- RHEL6/input/profiles/CS2.xml | 2 +- RHEL6/input/profiles/common.xml | 2 +- RHEL6/input/profiles/desktop.xml | 2 +- RHEL6/input/profiles/fisma-medium-rhel6-server.xml | 2 +- RHEL6/input/profiles/nist-CL-IL-AL.xml | 2 +- RHEL6/input/profiles/server.xml | 2 +- RHEL6/input/profiles/stig-rhel6-server.xml | 2 +- RHEL6/input/profiles/test.xml | 2 +- RHEL6/input/profiles/usgcb-rhel6-server.xml | 2 +- RHEL6/transforms/xccdf-addprofiles.xslt | 6 +++--- 10 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/RHEL6/input/profiles/CS2.xml b/RHEL6/input/profiles/CS2.xml index ad9d4a9..5d6e5dd 100644 --- a/RHEL6/input/profiles/CS2.xml +++ b/RHEL6/input/profiles/CS2.xml @@ -1,4 +1,4 @@ -<Profile id="CS2" xmlns="http://checklists.nist.gov/xccdf/1.1" > +<Profile id="CS2"> <title>Example Server Profile</title> <description>This profile is an example of a customized server profile.</description>
diff --git a/RHEL6/input/profiles/common.xml b/RHEL6/input/profiles/common.xml index b659f4d..c06530a 100644 --- a/RHEL6/input/profiles/common.xml +++ b/RHEL6/input/profiles/common.xml @@ -1,4 +1,4 @@ -<Profile id="common" xmlns="http://checklists.nist.gov/xccdf/1.1" > +<Profile id="common"> <title>Common Profile for General-Purpose Systems</title> <description>This profile contains items common to general-purpose desktop and server installations.</description> <select idref="partition_for_tmp" selected="true"/> diff --git a/RHEL6/input/profiles/desktop.xml b/RHEL6/input/profiles/desktop.xml index 2cc3787..849ca6b 100644 --- a/RHEL6/input/profiles/desktop.xml +++ b/RHEL6/input/profiles/desktop.xml @@ -1,4 +1,4 @@ -<Profile id="desktop" extends="common" xmlns="http://checklists.nist.gov/xccdf/1.1" > +<Profile id="desktop" extends="common"> <title>Desktop Baseline</title> <description>This profile is for a desktop installation of RHEL 6.</description> <select idref="enable_gdm_login_banner" selected="true"/> diff --git a/RHEL6/input/profiles/fisma-medium-rhel6-server.xml b/RHEL6/input/profiles/fisma-medium-rhel6-server.xml index d45fd97..43a304b 100644 --- a/RHEL6/input/profiles/fisma-medium-rhel6-server.xml +++ b/RHEL6/input/profiles/fisma-medium-rhel6-server.xml @@ -1,4 +1,4 @@ -<Profile id="fisma-medium-rhel6-server" extends="" xmlns="http://checklists.nist.gov/xccdf/1.1" > +<Profile id="fisma-medium-rhel6-server"> <title>FISAMA Medium for Red Hat Enterprise Linux 6</title> <description>FISMA Medium for Red Hat Enterprise Linux 6</description>
diff --git a/RHEL6/input/profiles/nist-CL-IL-AL.xml b/RHEL6/input/profiles/nist-CL-IL-AL.xml index 565e5e7..8050639 100644 --- a/RHEL6/input/profiles/nist-CL-IL-AL.xml +++ b/RHEL6/input/profiles/nist-CL-IL-AL.xml @@ -1,4 +1,4 @@ -<Profile id="stig-rhel6-server" extends="common" xmlns="http://checklists.nist.gov/xccdf/1.1" > +<Profile id="stig-rhel6-server" extends="common"> <title>CNSSI 1253 Low/Low/Low</title> <description>This profile follows the Committee on National Security Systems Instruction (CNSSI) No. 1253, "Security Categorization and Control Selection for National Security diff --git a/RHEL6/input/profiles/server.xml b/RHEL6/input/profiles/server.xml index c119ddb..3cc11c8 100644 --- a/RHEL6/input/profiles/server.xml +++ b/RHEL6/input/profiles/server.xml @@ -1,4 +1,4 @@ -<Profile id="server" extends="common" xmlns="http://checklists.nist.gov/xccdf/1.1" > +<Profile id="server" extends="common"> <title>Server Baseline</title> <description>This profile is for RHEL 6 acting as a server.</description> <select idref="deactivate_wireless_interfaces" selected="true"/> diff --git a/RHEL6/input/profiles/stig-rhel6-server.xml b/RHEL6/input/profiles/stig-rhel6-server.xml index ac65f41..4881c8a 100644 --- a/RHEL6/input/profiles/stig-rhel6-server.xml +++ b/RHEL6/input/profiles/stig-rhel6-server.xml @@ -1,4 +1,4 @@ -<Profile id="stig-rhel6-server" extends="common" xmlns="http://checklists.nist.gov/xccdf/1.1" > +<Profile id="stig-rhel6-server" extends="common"> <title>Pre-release Draft STIG for RHEL 6 Server</title> <description>This profile is being developed under the DoD consensus model to become a STIG in coordination with DISA FSO.</description>
diff --git a/RHEL6/input/profiles/test.xml b/RHEL6/input/profiles/test.xml index e2a2ff6..e487eee 100644 --- a/RHEL6/input/profiles/test.xml +++ b/RHEL6/input/profiles/test.xml @@ -1,4 +1,4 @@ -<Profile id="test" xmlns="http://checklists.nist.gov/xccdf/1.1" > +<Profile id="test"> <title>test</title> <description>This profile is for testing.</description> <!-- diff --git a/RHEL6/input/profiles/usgcb-rhel6-server.xml b/RHEL6/input/profiles/usgcb-rhel6-server.xml index 50678c7..be960fa 100644 --- a/RHEL6/input/profiles/usgcb-rhel6-server.xml +++ b/RHEL6/input/profiles/usgcb-rhel6-server.xml @@ -1,4 +1,4 @@ -<Profile id="usgcb-rhel6-server" xmlns="http://checklists.nist.gov/xccdf/1.1" > +<Profile id="usgcb-rhel6-server"> <title>United States Government Configuration Baseline (USGCB)</title> <description>This profile is a working draft for a USGCB submission against RHEL6 Server.</description>
diff --git a/RHEL6/transforms/xccdf-addprofiles.xslt b/RHEL6/transforms/xccdf-addprofiles.xslt index 9dce45e..e1358e8 100644 --- a/RHEL6/transforms/xccdf-addprofiles.xslt +++ b/RHEL6/transforms/xccdf-addprofiles.xslt @@ -1,7 +1,7 @@ <?xml version="1.0"?> -<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:xccdf="http://checklists.nist.gov/xccdf/1.1" xmlns:xhtml="http://www.w3.org/1999/xhtml%22%3E +<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" >
- <xsl:template match="xccdf:Benchmark/xccdf:version"> + <xsl:template match="Benchmark/version"> xsl:copy <xsl:copy-of select="@*" /> <xsl:copy-of select="node()" /> @@ -19,7 +19,7 @@
<!-- add attribute selected=false so that Profiles can activate Rules as needed --> - <xsl:template match="xccdf:Rule"> + <xsl:template match="Rule"> xsl:copy <xsl:apply-templates select="@*" /> <xsl:attribute name="selected">false</xsl:attribute>
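Review bot: In the RHEL6/input/profiles/nist-CL-IL-AL.xml hunk, the Profile keeps id="stig-rhel6-server" although its title is "CNSSI 1253 Low/Low/Low", which is the same id the stig-rhel6-server.xml hunk carries. If both files are pulled into one Benchmark, it ends up with two Profiles sharing an id. Since this line is being touched anyway, suggest giving the CNSSI profile its own id. The fisma-medium-rhel6-server.xml hunk also drops extends="" along with the xmlns attribute, which the commit subject does not mention, and its context line title reads "FISAMA".

Review bot: In the RHEL6/transforms/xccdf-addprofiles.xslt hunks, the match patterns change from xccdf:Benchmark/xccdf:version and xccdf:Rule to Benchmark/version and Rule, so these templates now match only while the input is still un-namespaced. If the Makefile order is ever changed so that xccdf-addnamespaces.xslt runs first, they match nothing without any error and selected="false" is no longer added to Rules. Suggest a header comment in the stylesheet stating that it must run before the namespace step.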
Signed-off-by: Jeffrey Blank blank@eclipse.ncsc.mil --- RHEL6/transforms/add_xccdf_namespace.xslt | 15 --------------- 1 files changed, 0 insertions(+), 15 deletions(-) delete mode 100644 RHEL6/transforms/add_xccdf_namespace.xslt
diff --git a/RHEL6/transforms/add_xccdf_namespace.xslt b/RHEL6/transforms/add_xccdf_namespace.xslt deleted file mode 100644 index 3acd511..0000000 --- a/RHEL6/transforms/add_xccdf_namespace.xslt +++ /dev/null @@ -1,15 +0,0 @@ -<?xml version="1.0"?> -<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform%22%3E - <!-- Add the XCCDF 1.1 namespace to all elements without namespace. --> - <xsl:template match="node()|@*"> - xsl:copy - <xsl:apply-templates select="node()|@*"/> - </xsl:copy> - </xsl:template> - - <xsl:template match="*[namespace-uri()='']"> - <xsl:element name="{local-name()}" namespace="http://checklists.nist.gov/xccdf/1.1%22%3E - <xsl:apply-templates select="node()|@*" /> - </xsl:element> - </xsl:template> -</xsl:stylesheet>
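Review bot: The whole-file deletion of RHEL6/transforms/add_xccdf_namespace.xslt is described as a rename, but the series creates xccdf-addnamespaces.xslt in the first patch (create mode 100644) and only removes the old file here (delete mode 100644), so git records no rename and the history of the transform does not follow to the new file. Suggest doing the git mv and the content changes in a way that records the rename, or at least saying in this commit message that the file is superseded by xccdf-addnamespaces.xslt.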
Awesome, please push!
On 07/28/2013 11:48 PM, Jeffrey Blank wrote:
I've moved the namespace-assignment templates from shorthand2xccdf.xslt to xccdf-addnamespaces.xslt (which is itself a renamed version of the transform Simon provided to us, to place all un-namespaced elements into the XCCDF namespace). This refactoring seemed to make sense, as it separates the macro expansion activities from the namespace assignment activities.
Going forward, I plan to explore:
A. Deleting the xccdf-addprofiles.xslt transform entirely, in favor of simply including its functionality directly in input/guide.xslt.
B. Further simplification of some of the lines in shorthand2xccdf.xslt, with use of "{}" etc to further shorten overall number of lines.
C. Activating (perhaps using xsl:import and @mode) the namespace-specific transformations currently in xccdf-addnamespace.xslt from within shorthand2xccdf.xslt. This would have the benefit of actually producing XCCDF, as the name shorthand2xccdf already suggests...
This would also help simplify the Makefile.
Jeffrey Blank (3):
  refactoring of XCCDF shorthand expansion and namespace assignments
  removing namespaces from no-namespace fragments, transforms
  renaming namespace addition file, as part of refactoring

 RHEL6/Makefile | 4 +-
 RHEL6/input/profiles/CS2.xml | 2 +-
 RHEL6/input/profiles/common.xml | 2 +-
 RHEL6/input/profiles/desktop.xml | 2 +-
 RHEL6/input/profiles/fisma-medium-rhel6-server.xml | 2 +-
 RHEL6/input/profiles/nist-CL-IL-AL.xml | 2 +-
 RHEL6/input/profiles/server.xml | 2 +-
 RHEL6/input/profiles/stig-rhel6-server.xml | 2 +-
 RHEL6/input/profiles/test.xml | 2 +-
 RHEL6/input/profiles/usgcb-rhel6-server.xml | 2 +-
 RHEL6/transforms/add_xccdf_namespace.xslt | 15 ---
 RHEL6/transforms/shorthand2xccdf.xslt | 108 ++++----------------
 RHEL6/transforms/xccdf-addnamespaces.xslt | 49 +++++++++
 RHEL6/transforms/xccdf-addprofiles.xslt | 6 +-
 14 files changed, 81 insertions(+), 119 deletions(-)
 delete mode 100644 RHEL6/transforms/add_xccdf_namespace.xslt
 create mode 100644 RHEL6/transforms/xccdf-addnamespaces.xslt