9:55 p.m.
Was playing with the repos tonight, really just doing a git clone and
tinkering some to familiarize myself with the codebase. I did a make
all and was looking at the outputs/rhel6-table-nistrefs.html.... all it
has is the "desktop_baseline" header. Here's the process I used for the
make. Note the warning in the output. Known bug, or am I doing
something wrong?
First, I did a "make all"....
[shawn@localhost src]$ make all
xsltproc -o output/rhel6-shorthand.xml input/guide.xslt input/guide.xml
xmllint --format --output output/rhel6-shorthand.xml
output/rhel6-shorthand.xml
xsltproc -o output/rhel6-xccdf.xml transforms/shorthand2xccdf.xslt
output/rhel6-shorthand.xml
xmllint --format --output output/rhel6-xccdf.xml output/rhel6-xccdf.xml
xsltproc -o output/rhel6-table-nistrefs.html
transforms/xccdf2table-nistrefs.xslt output/rhel6-xccdf.xml
oscap xccdf generate guide --profile allrules output/rhel6-xccdf.xml >
output/rhel6-guide.html
WARNING: Processing an unresolved XCCDF document. This may have
unexpected results.
I then took a look at the make file, and manually ran the command for
xccdf2table-nistrefs (after verifying the syntax through the man page of
xsltproc):
[shawn@localhost src]$ xsltproc -o output/rhel6-table-nistrefs.html
transforms/xccdf2table-nistrefs.xslt output/rhel6-xccdf.xml
6:42 p.m.
This should be fixed now. At one point, I had decided not to output
profiles (in order to ensure oscap's prose guide generation would show
all rules). But, the table transform was still expecting a particular
profile (which is logical). So now we've got another Make rule and
transform to add in profiles as directed.
Try a git pull , and give it another shot.
Feedback is appreciated.
Please keep in mind that this is primarily an example of what can be
derived from a common body of XCCDF content, not a polished product.
Some of the text elements in the spreadsheet are derived from the USGCB
work, which occasionally made direct use of CCE descriptions (which
could be a bit wacky at times). I plan to replace much of this language
with more comprehensible prose, but will of course retain CCE
references. Anyone who would still want the CCE descriptions could then
programmatically grab them, since the CCE ref is still there.
On 10/25/2011 10:55 PM, Shawn Wells wrote:
Was playing with the repos tonight, really just doing a git clone
and
tinkering some to familiarize myself with the codebase. I did a make
all and was looking at the outputs/rhel6-table-nistrefs.html.... all it
has is the "desktop_baseline" header. Here's the process I used for the
make. Note the warning in the output. Known bug, or am I doing
something wrong?
First, I did a "make all"....
[shawn@localhost src]$ make all
xsltproc -o output/rhel6-shorthand.xml input/guide.xslt input/guide.xml
xmllint --format --output output/rhel6-shorthand.xml
output/rhel6-shorthand.xml
xsltproc -o output/rhel6-xccdf.xml transforms/shorthand2xccdf.xslt
output/rhel6-shorthand.xml
xmllint --format --output output/rhel6-xccdf.xml output/rhel6-xccdf.xml
xsltproc -o output/rhel6-table-nistrefs.html
transforms/xccdf2table-nistrefs.xslt output/rhel6-xccdf.xml
oscap xccdf generate guide --profile allrules output/rhel6-xccdf.xml>
output/rhel6-guide.html
WARNING: Processing an unresolved XCCDF document. This may have
unexpected results.
I then took a look at the make file, and manually ran the command for
xccdf2table-nistrefs (after verifying the syntax through the man page of
xsltproc):
[shawn@localhost src]$ xsltproc -o output/rhel6-table-nistrefs.html
transforms/xccdf2table-nistrefs.xslt output/rhel6-xccdf.xml
_______________________________________________
scap-security-guide mailing list
scap-security-guide(a)lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/scap-security-guide
6:50 p.m.
On 10/26/2011 07:42 PM, Jeffrey Blank wrote:
This should be fixed now. At one point, I had decided not to output
profiles (in order to ensure oscap's prose guide generation would show
all rules). But, the table transform was still expecting a particular
profile (which is logical).
However, <Profile>s in XCCDF are optional (as is IMO appropriate and
acknowledged by NIST SP 800-126 section 3.2.3).
11:42 a.m.
Ah -- didn't recall that from the spec.
The purpose of the table (and scripts which generate it) is to allow an
organization to see at a glance whether/how a particular profile's Rules
enabled compliance with a particular set of NIST (or whoever's)
requirements. The basic idea was for XCCDF authors to embed each
reference to a formal policy doc (using the reference tag, or a vastly
simplified macro for it) with each Rule, and then folks could transform
as needed. So far, refs have only been added for 800-53, but it could
be done for others.
I'm totally with you on the optional-ness of this, and also being able
to select/transform any other part of the content. After all, the
project will only be able to "stay upstream" by providing anybody the
tools they'd want, in order to customize/transform the content.
The new transforms (with only a little adjustment) should allow easy
insertion of any profile that's defined in the profiles directory (or
even for folks who want to make their own "private" ones and insert/test
it easily privately).
On 10/26/2011 07:50 PM, Gary Gapinski wrote:
On 10/26/2011 07:42 PM, Jeffrey Blank wrote:
> This should be fixed now. At one point, I had decided not to output
> profiles (in order to ensure oscap's prose guide generation would show
> all rules). But, the table transform was still expecting a particular
> profile (which is logical).
However,<Profile>s in XCCDF are optional (as is IMO appropriate and
acknowledged by NIST SP 800-126 section 3.2.3).
4559
days inactive
4560
days old
scap-security-guide@lists.fedorahosted.org
3 comments
3 participants
participants (3)
-
Gary Gapinski -
Jeffrey Blank -
Shawn Wells