For starters, the id attribute for the definition is wrong (it's for /etc/skel instead of what you really want).  This is very important.  This is also apparent in the temporary filename with the OVAL definition.  The id is also important since it's how the XCCDF links to the OVAL.  (As is, your reference to the OVAL from the XCCDF Rule doesn't actually link to anything.)

Next, oscap may not be behaving as expected since the OVAL here does not validate per the OVAL schematron.  See:

[blank@eclipse checks]$ oscap oval validate-xml --schematron /tmp/file_ownership_etc_skeljsnZt0.xml
<?xml version="1.0"?>
oval:scap-security-guide.testing:tst:111 - No state should be referenced when check_existence has a value of 'none_exist'.
oval:scap-security-guide.testing:tst:116 - No state should be referenced when check_existence has a value of 'none_exist'.
oval:scap-security-guide.testing:tst:112 - No state should be referenced when check_existence has a value of 'none_exist'.
oval:scap-security-guide.testing:tst:117 - No state should be referenced when check_existence has a value of 'none_exist'.
oval:scap-security-guide.testing:tst:113 - No state should be referenced when check_existence has a value of 'none_exist'.
oval:scap-security-guide.testing:tst:118 - No state should be referenced when check_existence has a value of 'none_exist'.
oval:scap-security-guide.testing:tst:114 - No state should be referenced when check_existence has a value of 'none_exist'.
oval:scap-security-guide.testing:tst:119 - No state should be referenced when check_existence has a value of 'none_exist'.
oval:scap-security-guide.testing:tst:115 - No state should be referenced when check_existence has a value of 'none_exist'.
oval:scap-security-guide.testing:tst:120 - No state should be referenced when check_existence has a value of 'none_exist'.

Invalid OVAL Definition content(5.10) in /tmp/file_ownership_etc_skeljsnZt0.xml.


Lemme add schematron validation to the Makerule ... I think it should work out of the box now, per:
https://www.redhat.com/archives/open-scap-list/2012-September/msg00007.html

Some relevant documentation for what all the check* attributes mean is maybe here:
http://oval.mitre.org/language/version5.10/ovaldefinition/documentation/oval-definitions-schema.html#TestType

and around page 29 here:
http://oval.mitre.org/language/version5.10.1/OVAL_Language_Specification_01-20-2012.pdf

Though like most OVAL documentation it's quite inaccessible.
I don't think OVAL was maliciously designed, but it is more complicated than the problem it was trying to solve.



On Fri, Apr 19, 2013 at 11:25 PM, Shawn Wells <shawn.d.wells@gmail.com> wrote:


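Added example, not part of the original message and not scap-security-guide or OpenSCAP code: a small Python pre-check for the two problems raised above, namely tests that set check_existence="none_exist" while still referencing a state, and XCCDF check-content-ref names that match no OVAL definition id. All ids and both documents are constructed samples; it is a simplified stand-in for, not a replacement of, `oscap oval validate-xml --schematron`.

```python
import xml.etree.ElementTree as ET

OVAL_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"

# Constructed sample: tst:1 repeats the pattern the schematron rejects, tst:2 is fine.
SAMPLE_OVAL = f"""<oval_definitions xmlns="{OVAL_NS}" xmlns:unix="{OVAL_NS}#unix">
  <definitions><definition class="compliance" id="oval:example:def:1" version="1"/></definitions>
  <tests>
    <unix:file_test check="all" check_existence="none_exist" id="oval:example:tst:1" version="1">
      <unix:object object_ref="oval:example:obj:1"/>
      <unix:state state_ref="oval:example:ste:1"/>
    </unix:file_test>
    <unix:file_test check="all" id="oval:example:tst:2" version="1">
      <unix:object object_ref="oval:example:obj:1"/>
      <unix:state state_ref="oval:example:ste:1"/>
    </unix:file_test>
  </tests>
</oval_definitions>"""

# Constructed sample: rule_b points at a definition id that does not exist.
SAMPLE_XCCDF = f"""<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1">
  <Rule id="rule_a"><check system="{OVAL_NS}">
    <check-content-ref href="oval.xml" name="oval:example:def:1"/></check></Rule>
  <Rule id="rule_b"><check system="{OVAL_NS}">
    <check-content-ref href="oval.xml" name="oval:example:def:2"/></check></Rule>
</Benchmark>"""

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def none_exist_with_state(oval_root):
    """Ids of tests with check_existence='none_exist' that still reference a state."""
    tests = oval_root.find(f"{{{OVAL_NS}}}tests")
    return [t.get("id") for t in (tests if tests is not None else [])
            if t.get("check_existence") == "none_exist"
            and any(local(child.tag) == "state" for child in t)]

def dangling_xccdf_refs(xccdf_root, oval_root):
    """check-content-ref names that match no OVAL definition id."""
    defined = {d.get("id") for d in oval_root.iter(f"{{{OVAL_NS}}}definition")}
    return [r.get("name") for r in xccdf_root.iter()
            if local(r.tag) == "check-content-ref"
            and r.get("name") is not None and r.get("name") not in defined]

if __name__ == "__main__":
    oval, xccdf = ET.fromstring(SAMPLE_OVAL), ET.fromstring(SAMPLE_XCCDF)
    print("none_exist tests referencing a state:", none_exist_with_state(oval))
    print("XCCDF references with no OVAL definition:", dangling_xccdf_refs(xccdf, oval))
```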