On 08/20/2012 04:42 PM, Gary Gapinski wrote:
I did a quick check of the generated content against the SCAP Content Validation Tool <http://scap.nist.gov/revision/1.1/index.html#validation>.
Fantastic -- thanks for the testing!
I first created CPE definition and OVAL documents (available when
needed; I can check into the project after I grok proper commit
conduct). These are unfortunately required for conformance with SP 800-126.
I thought my patch from last week took care of generating those?
(in the script transforms/cpe_generate.py, and new directory
input/checks/platform)
The output files should be in:
http://people.redhat.com/swells/scap-security-guide/RHEL6/output/
(There's a weird bug where one of the OVAL definitions (qpid) got
flagged as inventory but it should be fixed now (if you pull a clean
clone).)
I then noticed that the OVAL ids are not in OVAL format, so further
validation attempts will have to await assignment of OVAL-conformant
identifiers.
Could you elaborate? I certainly played some games with identifiers
during development, but I thought we got final output right.
The file rhel6-oval.xml isn't in proper OVAL format, but
rhel6-oval-scap-security-guide.xml has the IDs properly assigned. This
was done on purpose, so that any org could easily assign an ID, and
developers would never have to see pointless numeric designators and
duplicative org designators. (But maybe we've got something else
wrong.) And admittedly, this isn't apparent at a glance.
But it's what the Make rule for "content:" does here:
http://people.redhat.com/swells/scap-security-guide/RHEL6/Makefile
Ah, okay, I think I understand this. I've opened a ticket since it
seems like something that should be addressed to support validation.
Whoever addresses it may want to consider whether these should be
controlled in some kind of global constants file (for the Python scripts
and the XSLT transforms, perhaps similarly to constants.xslt). Or not.
The OVAL header is supplied in transforms/combinechecks.py; the XCCDF
header is in input/guide.xml.
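Since the thread turns on the difference between the symbolic ids in rhel6-oval.xml and the conformant ones in rhel6-oval-scap-security-guide.xml, here is a small added example of that rewrite in Python. It is not the project's Makefile "content:" rule or transforms/combinechecks.py; the "ssg" namespace, the constructed sample document, and the way already-numbered ids are skipped are assumptions of the example, and the id shape comes from the OVAL 5 schema patterns, not from the project.

```python
"""Rewrite symbolic OVAL ids into oval:<org>:<type>:<n> form and check references.

Added example, not scap-security-guide code. The "ssg" namespace and the
sample document are assumptions of this example.
"""
import re
import xml.etree.ElementTree as ET

OVAL_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
LINUX_NS = OVAL_NS + "#linux"
ET.register_namespace("", OVAL_NS)      # keep the default namespace on output
ET.register_namespace("lin", LINUX_NS)

# Id shape required by the OVAL 5 schema:
# oval:<namespace>:<def|tst|obj|ste|var>:<positive integer>
OVAL_ID_RE = re.compile(r"^oval:[A-Za-z0-9_.\-]+:(def|tst|obj|ste|var):[1-9][0-9]*$")

# Container element under <oval_definitions> -> id type of its children.
CONTAINERS = {"definitions": "def", "tests": "tst", "objects": "obj",
              "states": "ste", "variables": "var"}
# Attributes that point at ids and must be rewritten together with them.
REF_ATTRS = ("definition_ref", "test_ref", "object_ref", "state_ref", "var_ref")

# Constructed, schema-incomplete sample that uses developer-friendly symbolic
# ids, plus one object that already carries a conformant id.
SAMPLE_OVAL = """<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
    xmlns:lin="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
  <definitions>
    <definition id="package_qpid_removed" version="1" class="compliance">
      <criteria><criterion test_ref="test_package_qpid_removed"/></criteria>
    </definition>
    <definition id="qpid_fully_removed" version="1" class="compliance">
      <criteria><extend_definition definition_ref="package_qpid_removed"/></criteria>
    </definition>
  </definitions>
  <tests>
    <lin:rpminfo_test id="test_package_qpid_removed" version="1" check="all"
                      check_existence="none_exist">
      <lin:object object_ref="obj_package_qpid"/>
    </lin:rpminfo_test>
  </tests>
  <objects>
    <lin:rpminfo_object id="oval:ssg:obj:1" version="1">
      <lin:name>qpid-cpp-client</lin:name>
    </lin:rpminfo_object>
    <lin:rpminfo_object id="obj_package_qpid" version="1">
      <lin:name>qpid-cpp-server</lin:name>
    </lin:rpminfo_object>
  </objects>
</oval_definitions>
"""


def is_conformant(oval_id: str) -> bool:
    """True if the id matches the OVAL 5 id pattern."""
    return OVAL_ID_RE.match(oval_id) is not None


def _ids(root) -> set:
    return {el.get("id") for el in root.iter() if el.get("id") is not None}


def all_ids(xml_text: str) -> set:
    return _ids(ET.fromstring(xml_text))


def assign_ids(xml_text: str, org: str = "ssg"):
    """Number every non-conformant id per type and rewrite all references.

    Returns (new_xml, mapping) where mapping is old_id -> new_id. Ids that
    are already conformant are left alone, and their numbers are never reused.
    """
    root = ET.fromstring(xml_text)
    taken = _ids(root)
    mapping, counters = {}, {}
    for container, kind in CONTAINERS.items():
        parent = root.find(f"{{{OVAL_NS}}}{container}")
        if parent is None:
            continue
        for el in parent:                       # direct children only
            old = el.get("id")
            if old is None or is_conformant(old):
                continue
            n = counters.get(kind, 0) + 1
            while f"oval:{org}:{kind}:{n}" in taken:   # skip numbers in use
                n += 1
            counters[kind] = n
            new = f"oval:{org}:{kind}:{n}"
            mapping[old] = new
            taken.add(new)
            el.set("id", new)
    for el in root.iter():                      # rewrite references everywhere
        for attr in REF_ATTRS:
            ref = el.get(attr)
            if ref in mapping:
                el.set(attr, mapping[ref])
    return ET.tostring(root, encoding="unicode"), mapping


def dangling_refs(xml_text: str) -> set:
    """References that do not resolve to any id in the document."""
    root = ET.fromstring(xml_text)
    ids = _ids(root)
    return {el.get(a) for el in root.iter() for a in REF_ATTRS
            if el.get(a) is not None and el.get(a) not in ids}


if __name__ == "__main__":
    rewritten, table = assign_ids(SAMPLE_OVAL)
    for old, new in table.items():
        print(f"{old} -> {new}")
    print("dangling references:", dangling_refs(rewritten) or "none")
```

The check worth keeping from this is the last one: after the rewrite, every id should match the pattern and every `*_ref` should still resolve, which is exactly what the validation tool would otherwise be the first to tell you.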