Jeffrey Blank wrote:
For starters, the id attribute for the definition is wrong (it's for
/etc/skel instead of what you really want). This is very important.
This is also apparent in the temporary filename with the OVAL
definition. The id is also important since it's how the XCCDF links
to the OVAL. (As is, your reference to the OVAL from the XCCDF Rule
doesn't actually link to anything.)
Ugh, yes, I don't know how I missed that.
Next, oscap may not be behaving as expected since the OVAL here does
not validate per the OVAL schematron. See:
[blank@eclipse checks]$ oscap oval validate-xml --schematron /tmp/file_ownership_etc_skeljsnZt0.xml
<?xml version="1.0"?>
oval:scap-security-guide.testing:tst:111 - No state should be referenced when check_existence has a value of 'none_exist'.
oval:scap-security-guide.testing:tst:116 - No state should be referenced when check_existence has a value of 'none_exist'.
oval:scap-security-guide.testing:tst:112 - No state should be referenced when check_existence has a value of 'none_exist'.
oval:scap-security-guide.testing:tst:117 - No state should be referenced when check_existence has a value of 'none_exist'.
oval:scap-security-guide.testing:tst:113 - No state should be referenced when check_existence has a value of 'none_exist'.
oval:scap-security-guide.testing:tst:118 - No state should be referenced when check_existence has a value of 'none_exist'.
oval:scap-security-guide.testing:tst:114 - No state should be referenced when check_existence has a value of 'none_exist'.
oval:scap-security-guide.testing:tst:119 - No state should be referenced when check_existence has a value of 'none_exist'.
oval:scap-security-guide.testing:tst:115 - No state should be referenced when check_existence has a value of 'none_exist'.
oval:scap-security-guide.testing:tst:120 - No state should be referenced when check_existence has a value of 'none_exist'.
Invalid OVAL Definition content(5.10) in /tmp/file_ownership_etc_skeljsnZt0.xml.
What version of OpenSCAP are you using?
$ oscap oval validate-xml --schematron input/checks/file_ownership_library_dirs.xml
OpenSCAP Error: Unknown document type: 'input/checks/file_ownership_library_dirs.xml' [oscapxml.c:615]

$ oscap oval validate --definitions --schematron input/checks/file_ownership_library_dirs.xml
OpenSCAP Error: Document type doesn't match root element's name: 'def-group'. [oval_parser.c:121]
I (clearly) copied the template used for file_ownership_etc_skel.xml, so
we're going to have this problem in a few checks.
Lemme add schematron validation to the Makerule ... I think it should
work out of the box now, per:
https://www.redhat.com/archives/open-scap-list/2012-September/msg00007.html
Some relevant documentation for what all the check* attributes mean is
maybe here:
http://oval.mitre.org/language/version5.10/ovaldefinition/documentation/o...
and around page 29 here:
http://oval.mitre.org/language/version5.10.1/OVAL_Language_Specification_...
Though like most OVAL documentation it's quite inaccessible.
I don't think OVAL was maliciously designed, but it is more
complicated than the problem it was trying to solve.
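The two failures seen above, as an added pre-check that is not part of the thread or of scap-security-guide itself: a small Python script that reads an OVAL file and (1) reports every test that sets check_existence="none_exist" but still references a state, which is exactly the schematron rule oscap complained about, and (2) reports the root element's local name, since oscap only accepts a document whose root is oval_definitions and rejects the bare def-group fragments used as templates. The sample document embedded below is constructed for illustration; its ids (oval:example:tst:1 and so on) and the assumed file layout are not from the project. This is a lint for the one rule quoted above, not a replacement for "oscap oval validate-xml --schematron", and it does not try to fix the test (whether the state's conditions belong in the object, or whether the existence check itself is wrong, is a decision the author has to make).

```python
import sys
import xml.etree.ElementTree as ET

OVAL_DEF_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
UNIX_NS = OVAL_DEF_NS + "#unix"

# Constructed sample (not project content): tst:1 violates the schematron
# rule, tst:2 and tst:3 are the two shapes that pass it.
SAMPLE_OVAL = """<oval_definitions xmlns="%s" xmlns:unix="%s">
  <tests>
    <unix:file_test id="oval:example:tst:1" version="1" check="all"
                    check_existence="none_exist" comment="invalid: state with none_exist">
      <unix:object object_ref="oval:example:obj:1"/>
      <unix:state state_ref="oval:example:ste:1"/>
    </unix:file_test>
    <unix:file_test id="oval:example:tst:2" version="1" check="all"
                    check_existence="none_exist" comment="valid: no state">
      <unix:object object_ref="oval:example:obj:2"/>
    </unix:file_test>
    <unix:file_test id="oval:example:tst:3" version="1" check="all"
                    check_existence="all_exist" comment="valid: items may exist, state applies">
      <unix:object object_ref="oval:example:obj:3"/>
      <unix:state state_ref="oval:example:ste:3"/>
    </unix:file_test>
  </tests>
</oval_definitions>
""" % (OVAL_DEF_NS, UNIX_NS)


def local_name(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def root_local_name(xml_text):
    """Local name of the document root; oscap wants 'oval_definitions',
    a template fragment rooted at 'def-group' is rejected."""
    return local_name(ET.fromstring(xml_text).tag)


def find_none_exist_with_state(xml_text):
    """Return (test_id, state_ref) for every test under <tests> that has
    check_existence='none_exist' and still references a state. Tests live
    in component namespaces (unix, linux, ...), so match by local name."""
    root = ET.fromstring(xml_text)
    tests = root.find("{%s}tests" % OVAL_DEF_NS)
    if tests is None:
        return []
    offenders = []
    for test in tests:
        if test.get("check_existence") != "none_exist":
            continue
        for child in test:
            if local_name(child.tag) == "state":
                offenders.append((test.get("id"), child.get("state_ref")))
                break
    return offenders


def report(xml_text):
    """Human-readable lines in the same spirit as oscap's schematron output."""
    lines = []
    root = root_local_name(xml_text)
    if root != "oval_definitions":
        lines.append("root element is '%s', not 'oval_definitions'; "
                     "oscap will refuse this file as-is" % root)
    for test_id, state_ref in find_none_exist_with_state(xml_text):
        lines.append("%s - No state should be referenced when check_existence "
                     "has a value of 'none_exist' (references %s)." % (test_id, state_ref))
    return lines


if __name__ == "__main__":
    # Usage: python oval_lint.py [file.xml]; with no argument the sample runs.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OVAL
    problems = report(text)
    print("\n".join(problems) if problems else "no none_exist/state conflicts found")
    sys.exit(1 if problems else 0)
```

Run it over input/checks/*.xml before oscap to get the offending test ids without the tempfile indirection; a def-group fragment will be flagged by root name rather than silently skipped.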