8:57 p.m.
For starters, the id attribute for the definition is wrong (it's for
/etc/skel instead of what you really want). This is very important. This
is also apparent in the temporary filename with the OVAL definition. The
id is also important since it's how the XCCDF links to the OVAL. (As is,
your reference to the OVAL from the XCCDF Rule doesn't actually link to
anything.)
Next, oscap may not be behaving as expected since the OVAL here does not
validate per the OVAL schematron. See:
[blank@eclipse checks]$ oscap oval validate-xml --schematron
/tmp/file_ownership_etc_skeljsnZt0.xml
<?xml version="1.0"?>
oval:scap-security-guide.testing:tst:111 - No state should be referenced
when check_existence has a value of 'none_exist'.
oval:scap-security-guide.testing:tst:116 - No state should be referenced
when check_existence has a value of 'none_exist'.
oval:scap-security-guide.testing:tst:112 - No state should be referenced
when check_existence has a value of 'none_exist'.
oval:scap-security-guide.testing:tst:117 - No state should be referenced
when check_existence has a value of 'none_exist'.
oval:scap-security-guide.testing:tst:113 - No state should be referenced
when check_existence has a value of 'none_exist'.
oval:scap-security-guide.testing:tst:118 - No state should be referenced
when check_existence has a value of 'none_exist'.
oval:scap-security-guide.testing:tst:114 - No state should be referenced
when check_existence has a value of 'none_exist'.
oval:scap-security-guide.testing:tst:119 - No state should be referenced
when check_existence has a value of 'none_exist'.
oval:scap-security-guide.testing:tst:115 - No state should be referenced
when check_existence has a value of 'none_exist'.
oval:scap-security-guide.testing:tst:120 - No state should be referenced
when check_existence has a value of 'none_exist'.
Invalid OVAL Definition content(5.10) in
/tmp/file_ownership_etc_skeljsnZt0.xml.
Lemme add schematron validation to the Makerule ... I think it should work
out of the box now, per:
https://www.redhat.com/archives/open-scap-list/2012-September/msg00007.html
Some relevant documentation for what all the check* attributes mean is
maybe here:
http://oval.mitre.org/language/version5.10/ovaldefinition/documentation/o...
and around page 29 here:
http://oval.mitre.org/language/version5.10.1/OVAL_Language_Specification_...
Though like most OVAL documentation it's quite inaccessible.
I don't think OVAL was maliciously designed, but it is more complicated
than the problem it was trying to solve.
On Fri, Apr 19, 2013 at 11:25 PM, Shawn Wells <shawn.d.wells(a)gmail.com>wrote:
_______________________________________________
scap-security-guide mailing list
scap-security-guide(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
10:05 p.m.
Jeffrey Blank wrote:
For starters, the id attribute for the definition is wrong (it's
for
/etc/skel instead of what you really want). This is very important.
This is also apparent in the temporary filename with the OVAL
definition. The id is also important since it's how the XCCDF links
to the OVAL. (As is, your reference to the OVAL from the XCCDF Rule
doesn't actually link to anything.)
Ugh, yes, I don't know how I missed
that.
Next, oscap may not be behaving as expected since the OVAL here does
not validate per the OVAL schematron. See:
[blank@eclipse checks]$ oscap oval validate-xml --schematron
/tmp/file_ownership_etc_skeljsnZt0.xml
<?xml version="1.0"?>
oval:scap-security-guide.testing:tst:111 - No state should be
referenced when check_existence has a value of 'none_exist'.
oval:scap-security-guide.testing:tst:116 - No state should be
referenced when check_existence has a value of 'none_exist'.
oval:scap-security-guide.testing:tst:112 - No state should be
referenced when check_existence has a value of 'none_exist'.
oval:scap-security-guide.testing:tst:117 - No state should be
referenced when check_existence has a value of 'none_exist'.
oval:scap-security-guide.testing:tst:113 - No state should be
referenced when check_existence has a value of 'none_exist'.
oval:scap-security-guide.testing:tst:118 - No state should be
referenced when check_existence has a value of 'none_exist'.
oval:scap-security-guide.testing:tst:114 - No state should be
referenced when check_existence has a value of 'none_exist'.
oval:scap-security-guide.testing:tst:119 - No state should be
referenced when check_existence has a value of 'none_exist'.
oval:scap-security-guide.testing:tst:115 - No state should be
referenced when check_existence has a value of 'none_exist'.
oval:scap-security-guide.testing:tst:120 - No state should be
referenced when check_existence has a value of 'none_exist'.
Invalid OVAL Definition content(5.10) in
/tmp/file_ownership_etc_skeljsnZt0.xml.
What version of OpenSCAP are you using?
$ oscap oval validate-xml --schematron
input/checks/file_ownership_library_dirs.xml
OpenSCAP Error: Unknown document type:
'input/checks/file_ownership_library_dirs.xml' [oscapxml.c:615]
$ oscap oval validate --definitions --schematron
input/checks/file_ownership_library_dirs.xml
OpenSCAP Error: Document type doesn't match root element's name:
'def-group'. [oval_parser.c:121]
I (clearly) copied the template used for file_ownership_etc_skel.xml, so
we're going to have this problem in a few checks.
Lemme add schematron validation to the Makerule ... I think it should
work out of the box now, per:
https://www.redhat.com/archives/open-scap-list/2012-September/msg00007.html
Some relevant documentation for what all the check* attributes mean is
maybe here:
http://oval.mitre.org/language/version5.10/ovaldefinition/documentation/o...
and around page 29 here:
http://oval.mitre.org/language/version5.10.1/OVAL_Language_Specification_...
Though like most OVAL documentation it's quite inaccessible.
I don't think OVAL was maliciously designed, but it is more
complicated than the problem it was trying to solve.
8:54 a.m.
New subject: Fwd: Re: [PATCH 1/2] (resubmit) Ticket 396 - OVAL needed for file_ownership_library_dirs
What version of OpenSCAP are you using?
0.9.3
$ oscap oval validate-xml --schematron
input/checks/file_ownership_library_dirs.xml
OpenSCAP Error: Unknown document type:
'input/checks/file_ownership_library_dirs.xml' [oscapxml.c:615]
$ oscap oval validate --definitions --schematron
input/checks/file_ownership_library_dirs.xml
OpenSCAP Error: Document type doesn't match root element's name:
'def-group'. [oval_parser.c:121]
That's less relevant than the fact that I am trying to run validation
against an OVAL file (versus our input files).
Note that I'm running the oscap schematron validation against a file in
/tmp, which testcheck assembled for us, based on the input file.
4048
days inactive
4051
days old
scap-security-guide@lists.fedorahosted.org
3 comments
4 participants
participants (4)
-
Jeffrey Blank -
Jeffrey Blank -
Shawn Wells -
Shawn Wells