Thanks for the pointers Lubell and Joshua.

In fact, we convert the mentioned document to XCCDF 1.2, and the latest OpenSCAP includes the ability to run Schematron for XCCDF:

    oscap xccdf validate --schematron ssg-rhel7-xccdf-12.xml

However, this does not reveal the above-mentioned issue. I'll dig into this a bit more in the coming days and report back once I know more.

Thank You!
--
Šimon Lukašík
Security Technologies, Red Hat, Inc.


On 07/02/2015 08:05 PM, Lubell, Joshua wrote:
Simon and Melvin,

According to the XCCDF 1.1 spec
(http://scap.nist.gov/specifications/xccdf/index.html#resource-1.1.4),
the XML schema does not express all of the constraints needed to
validate a benchmark document.

However, if you were to convert the RHEL7 benchmark document from XCCDF
1.1 to 1.2, you could then use the Schematron available for 1.2 to check
for dangling idref values. The XCCDF 1.2 spec includes instructions for
converting a 1.1 benchmark document to 1.2.

The XCCDF 1.2 spec, XSD, and Schematron are at
http://scap.nist.gov/revision/1.2/index.html#xccdf

To validate your XCCDF 1.2 benchmark document, you can first check for
validity with respect to the XSD, and then check for validity with
respect to the Schematron. To do this using oXygenXML, you’d set up a
two-step validation scenario.

Hope this is helpful,

Josh

Joshua Lubell
National Institute of Standards and Technology
100 Bureau Drive, Stop 8260
Gaithersburg MD 20899-8260 USA

*From:*[email protected] [mailto:[email protected]]
*On Behalf Of *Melvin Steward
*Sent:* Thursday, July 02, 2015 12:01 PM
*To:* XCCDF-DEV
*Cc:* Jan Lieskovsky; [email protected]
*Subject:* Re: [Xccdf-dev] XSD schema does not recognize dangling selectors

Simon

Yes, I encountered the same issue. I'm using OxygenXML to create a fix in
my schema, but I've not tested it enough to put out a fixed schema.



On Thursday, July 2, 2015, Šimon Lukašík <[email protected]> wrote:


    Hello XCCDF-Dev!

    I am not sure whether this is the place to report issues against XCCDF
    standard, XCCDF schema in particular, but I will take my chances.


    Ján Lieskovský (CC-ed) has found that XSD schema validation will not
    always detect malformed XCCDF. Having a good XSD schema is critical for
    SCAP content authors at the SCAP-Security-Guide project. They use XSD
    schemas to ensure reasonable quality of their output. The following case
    was not detected by XCCDF XSD validation:

    XCCDF: https://isimluk.fedorapeople.org/ssg-rhel7-xccdf.xml

    The PCI-DSS profile contains:

         <select idref="service_chronyd_enabled" selected="true"/>

    However, the content does not include a Rule/Group element with such an ID.
    Similar defects in XCCDF content usually get caught by the XSD.

    What do you think?

    Best regards,

    --
    Šimon Lukašík
    Security Technologies, Red Hat, Inc.
    _______________________________________________
    XCCDF-dev mailing list
    [email protected]
    To unsubscribe, send an email message to
    [email protected].









--
~š.
--
SCAP Security Guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
https://github.com/OpenSCAP/scap-security-guide/
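The thread's point is that an XSD can only check element shapes and attribute types, not that a `select/@idref` actually names a Rule or Group in the same document; that referential check needs Schematron (or equivalent code). The script below is an added example, not code from the SCAP Security Guide project or from OpenSCAP: it walks an XCCDF 1.1 or 1.2 benchmark with the standard library and reports every Profile selector whose `idref` points at nothing of the kind that selector may target. The namespace URIs and the Profile selector elements are those of the XCCDF specification; the file name `check_idrefs.py`, the function names and the embedded benchmark are constructed for this example. Cluster ids are indexed without regard to which item kind carries them, a simplification of the spec's per-selector rules.

```python
"""Report dangling selector idrefs in an XCCDF 1.1 or 1.2 benchmark.

Added example (not SSG or OpenSCAP code): the referential check the XSD
cannot express, done as a plain tree walk so it also runs on 1.1 content
without converting it to 1.2 first.
"""
import sys
import xml.etree.ElementTree as ET

# Namespace URIs of the two XCCDF revisions discussed in the thread.
XCCDF_NAMESPACES = (
    "http://checklists.nist.gov/xccdf/1.1",
    "http://checklists.nist.gov/xccdf/1.2",
)

# Profile children that carry an idref, mapped to what the idref may name.
# "cluster" stands for a cluster-id attribute on some Rule, Group or Value.
SELECTOR_TARGETS = {
    "select": ("Rule", "Group", "cluster"),
    "refine-rule": ("Rule", "cluster"),
    "refine-value": ("Value",),
    "set-value": ("Value",),
    "set-complex-value": ("Value",),
}


def _namespace_of(elem):
    """Namespace URI of a tag written as '{uri}local' by ElementTree."""
    return elem.tag[1:].split("}", 1)[0] if elem.tag.startswith("{") else ""


def dangling_idrefs(xml_text):
    """Return [(profile_id, selector, idref), ...] for every Profile selector
    whose idref names nothing of a kind that selector is allowed to target."""
    root = ET.fromstring(xml_text)
    ns = _namespace_of(root)
    if ns not in XCCDF_NAMESPACES or root.tag != "{%s}Benchmark" % ns:
        raise ValueError("not an XCCDF 1.1/1.2 Benchmark root: %s" % root.tag)

    def q(local):
        return "{%s}%s" % (ns, local)

    # Index every item id and cluster-id, however deeply nested in Groups;
    # Profiles normally precede the items, so index first, then check.
    item_kinds, cluster_ids = {}, set()
    for kind in ("Rule", "Group", "Value"):
        for elem in root.iter(q(kind)):
            item_kinds[elem.get("id")] = kind
            if elem.get("cluster-id"):
                cluster_ids.add(elem.get("cluster-id"))

    problems = []
    for profile in root.iter(q("Profile")):
        for child in profile:
            local = child.tag.rsplit("}", 1)[-1]
            allowed = SELECTOR_TARGETS.get(local)
            if allowed is None:
                continue  # title, description, status, ...
            idref = child.get("idref")
            kind = item_kinds.get(idref)
            if kind is None and idref in cluster_ids:
                kind = "cluster"
            if kind not in allowed:
                problems.append((profile.get("id"), local, idref))
    return problems


# Constructed sample (not the real ssg-rhel7-xccdf.xml): the PCI-DSS profile
# selects a rule id no Rule or Group defines, the defect the XSD let through,
# and also aims a refine-value at a Group instead of a Value.
SAMPLE_XCCDF = """<?xml version="1.0"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="sample-benchmark">
  <title>Constructed sample benchmark</title>
  <Profile id="pci-dss">
    <title>PCI-DSS (constructed)</title>
    <select idref="service_chronyd_enabled" selected="true"/>
    <select idref="sshd_disable_root_login" selected="true"/>
    <select idref="ssh" selected="true"/>
    <refine-value idref="services" selector="strict"/>
    <set-value idref="var_sshd_idle_timeout">300</set-value>
  </Profile>
  <Value id="var_sshd_idle_timeout" type="number"><value>300</value></Value>
  <Group id="services">
    <title>Services</title>
    <Rule id="sshd_disable_root_login" severity="medium" cluster-id="ssh">
      <title>Disable root login over SSH</title>
    </Rule>
  </Group>
</Benchmark>
"""


if __name__ == "__main__":
    # Usage: python check_idrefs.py ssg-rhel7-xccdf.xml  (no argument: sample)
    text = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_XCCDF
    found = dangling_idrefs(text)
    for profile_id, selector, idref in found:
        print("Profile %s: <%s idref=%r> matches no item" % (profile_id, selector, idref))
    sys.exit(1 if found else 0)
```

Run against the sample it reports the `service_chronyd_enabled` select and the mis-targeted `refine-value` and exits non-zero, which is what a content build wants from a pre-commit check. For a converted 1.2 document, `oscap xccdf validate --schematron` remains the authoritative check, since the Schematron covers further constraints (uniqueness, extends chains, check-content references) that this walk does not attempt.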
