Hello XCCDF-Dev!
I am not sure whether this is the place to report issues against XCCDF
standard, XCCDF schema in particular, but I will take my chances.
Ján Lieskovský (CC-ed) has found that XSD schema validation will not
always detect malformed XCCDF. Having good XSD schema is critical for
SCAP content authors at SCAP-Security-Guide project. They use XSD
schemas to ensure reasonable quality of their output. The following case
was not detected by XCCDF XSD validation:
XCCDF: https://isimluk.fedorapeople.org/ssg-rhel7-xccdf.xml
The PCI-DSS profile contains:
<select idref="service_chronyd_enabled" selected="true"/>
However, the content does no include Rule/Group element with such ID.
Similar defects of XCCDF content usually get caught by XSD.
What do you think?
Best regards,
--
Šimon Lukašík
Security Technologies, Red Hat, Inc.
--
SCAP Security Guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
https://github.com/OpenSCAP/scap-security-guide/
