Okay, pushed the fix (also sent to list). Thanks Brian!
On 02/05/2013 01:26 PM, Jeffrey Blank wrote:
> That's odd.
>
> Thanks for the suggested patch -- I just wanna do some quick checks and
> make sure that the obvious fix won't break some kind of hidden
> dependency somewhere, and then I'll respond.
>
>
> On 02/05/2013 12:07 PM, Brian Millett wrote:
>> Ok, so I've a rhel-6.3 system
>>
>> [root@localhost checks]# uname -r
>> 2.6.32-279.19.1.el6.x86_64
>> [root@localhost checks]# rpm -qa | grep libxslt
>> libxslt-1.1.26-2.el6_3.1.x86_64
>>
>> I've been looking at the RHEL6/input/checks to see how it is done, and I
>> wanted to test the checks. So following the documentation
>> https://fedorahosted.org/scap-security-guide/wiki/newoval, I ran
>> 'sshd_idle_timeout_value=30 ./testcheck.py sshd_idle_timeout.xml' and
>> got the following error:
>>
>> [root@localhost checks]# sshd_idle_timeout_value=30 ./testcheck.py
>> sshd_idle_timeout.xml
>> external_variable with id : sshd_idle_timeout_value
>> Evaluating with OVAL tempfile : /tmp/sshd_idle_timeoutUDK_FW.xml
>> File '/tmp/sshd_idle_timeoutUDK_FW.xml' line 7: Element
>> '{http://oval.mitre.org/XMLSchema/oval-definitions-5}definition',
>> attribute 'id': [facet 'pattern'] The value
>> 'oval:oval:scap-security-guide.testing:def:108' is not accepted by the
>> pattern 'oval:[A-Za-z0-9_\-\.]+:def:[1-9][0-9]*'.
>>
>> Looking into the code, I see that idtranslate.idtranslator already is
>> adding the namespace to the id
>>
>> str_id = "%s:%s:%s:%d" % (namespace_to_prefix(tagname), self.content_id,
>> tagname_to_abbrev(tagname), i)
>>
>> So the 'oval:oval:scap-security-guide.testing:def:108' being generated
>> is redundant. The following patch fixes that.
>>
>> [root@localhost checks]# diff -wruN testcheck.py.orig ./testcheck.py
>> --- testcheck.py.orig 2013-02-05 10:54:44.579854555 -0600 >> +++ ./testcheck.py 2013-02-05 10:54:57.889884072 -0600 
>> @@ -102,7 +102,7 @@ >> if element.getchildren(): >> ovaltree.append(element) >> # re-map all the element ids from meaningful names to >> meaningless numbers >> - testtranslator = idtranslate.idtranslator("testids.ini", >> "oval:scap-security-guide.testing") >> + testtranslator = idtranslate.idtranslator("testids.ini", >> "scap-security-guide.testing") >> ovaltree = testtranslator.translate(ovaltree) >> (ovalfile, fname) = tempfile.mkstemp(prefix=defname,suffix=".xml") >> os.write(ovalfile, ET.tostring(ovaltree))
>>
>>
>> so now
>>
>> [root@localhost checks]# sshd_idle_timeout_value=30 ./testcheck.py
>> sshd_idle_timeout.xml
>> external_variable with id : sshd_idle_timeout_value
>> Evaluating with OVAL tempfile : /tmp/sshd_idle_timeoutt_n33_.xml
>> Definition oval:scap-security-guide.testing:def:111: false
>> Definition oval:scap-security-guide.testing:def:109: false
>> Definition oval:scap-security-guide.testing:def:108: false
>> Evaluation done.
>>
>> --
>> Brian Millett
>> "Shifts in paradigms
>> often cause nose bleeds."
>> Greg Glenn
>>
>>
>> _______________________________________________
>> scap-security-guide mailing list
>> [email protected]
>> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide

--
___________________________
Jeffrey Blank
410-854-8675
Technology and Systems Analysis / Network Components
NSA Information Assurance
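
Review bot: on the `+` line, the content id passed to idtranslate.idtranslator is still a bare string literal, and nothing at the call site records that it must not carry the "oval:" prefix because idtranslator prepends the namespace itself (the str_id format quoted earlier in the message). A one-line comment above the call would keep the doubled prefix from being reintroduced. Since the schema pattern in the reported error allows no colon inside that segment, idtranslator could also reject a content id containing ":" so the mistake fails at construction time instead of at schema validation. Any other caller of idtranslate.idtranslator that passes an "oval:"-prefixed id would need the same change.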
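
The doubled prefix reported in the thread can be caught before the evaluator runs. The following is an added example, not code from the thread or from scap-security-guide; `make_id`, `invalid_ids` and `sample_document` are hypothetical names, and the sample document is constructed.

```python
import re
import xml.etree.ElementTree as ET

OVAL_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"

# Definition-id pattern quoted in the schema error in the thread; the
# tst/obj/ste/var id patterns in the OVAL 5 schema have the same shape.
ID_PATTERN = re.compile(r"oval:[A-Za-z0-9_\-\.]+:(def|tst|obj|ste|var):[1-9][0-9]*")


def make_id(content_id, abbrev, number, prefix="oval"):
    """Build an id with the same format string as the str_id line in the thread."""
    return "%s:%s:%s:%d" % (prefix, content_id, abbrev, number)


def invalid_ids(xml_text):
    """Return every id attribute in the document that fails the OVAL id pattern."""
    root = ET.fromstring(xml_text)
    bad = []
    for element in root.iter():
        value = element.get("id")
        if value is not None and ID_PATTERN.fullmatch(value) is None:
            bad.append(value)
    return bad


def sample_document(content_id):
    """Constructed, minimal OVAL-like tree with one definition and one test."""
    return (
        '<oval_definitions xmlns="%s"><definitions>'
        '<definition id="%s" version="1" class="compliance"/></definitions>'
        '<tests><test id="%s"/></tests></oval_definitions>'
        % (OVAL_NS, make_id(content_id, "def", 108), make_id(content_id, "tst", 1))
    )


if __name__ == "__main__":
    # First content id is the pre-patch argument, second is the patched one.
    for cid in ("oval:scap-security-guide.testing", "scap-security-guide.testing"):
        print(cid, "->", invalid_ids(sample_document(cid)) or "all ids valid")
```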
