Hi Oliver,

It needs to be referenced in the following file:

<PROJECT>\transforms\shorthand2xccdf.xslt

Using RHEL 6 as an example, observe the following lines:

  <!-- expand reference to ident types -->
  <xsl:template match="Rule/ident">
    <xsl:for-each select="@*">
      <ident>
        <xsl:choose>
          <xsl:when test="name() = 'cce'">
            <xsl:attribute name="system">
              <xsl:value-of select="$cceuri" />
            </xsl:attribute>
            <xsl:choose>
              <xsl:when test="starts-with(translate(., 'ce', 'CE'), 'CCE')">
                <xsl:value-of select="." />
              </xsl:when>
              <xsl:otherwise>
                <xsl:value-of select="concat('CCE-', .)" />
              </xsl:otherwise>
            </xsl:choose>
          </xsl:when>
          <xsl:when test="name() = 'stig'">
            <xsl:attribute name="system">
              <xsl:value-of select="$cceuri" />
            </xsl:attribute>
            <xsl:value-of select="." />
          </xsl:when>
          <xsl:otherwise>
            <xsl:value-of select="." />
          </xsl:otherwise>
        </xsl:choose>
      </ident>
    </xsl:for-each>
  </xsl:template>

You could add in an additional identifier 'customerid', as follows:

          <xsl:when test="name() = 'customerid'">
            <xsl:attribute name="system">
              <xsl:value-of select="$cceuri" />
            </xsl:attribute>
            <xsl:value-of select="." />
          </xsl:when>

Which would then look like this:

  <!-- expand reference to ident types -->
  <xsl:template match="Rule/ident">
    <xsl:for-each select="@*">
      <ident>
        <xsl:choose>
          <xsl:when test="name() = 'cce'">
            <xsl:attribute name="system">
              <xsl:value-of select="$cceuri" />
            </xsl:attribute>
            <xsl:choose>
              <xsl:when test="starts-with(translate(., 'ce', 'CE'), 'CCE')">
                <xsl:value-of select="." />
              </xsl:when>
              <xsl:otherwise>
                <xsl:value-of select="concat('CCE-', .)" />
              </xsl:otherwise>
            </xsl:choose>
          </xsl:when>
          <xsl:when test="name() = 'stig'">
            <xsl:attribute name="system">
              <xsl:value-of select="$cceuri" />
            </xsl:attribute>
            <xsl:value-of select="." />
          </xsl:when>
          <xsl:when test="name() = 'customerid'">
            <xsl:attribute name="system">
              <xsl:value-of select="$cceuri" />
            </xsl:attribute>
            <xsl:value-of select="." />
          </xsl:when>
          <xsl:otherwise>
            <xsl:value-of select="." />
          </xsl:otherwise>
        </xsl:choose>
      </ident>
    </xsl:for-each>
  </xsl:template>




On Tue, 2016-01-12 at 07:04 +0000, [email protected] wrote:
> Hi all,
> 
> as briefly mentioned already in yesterday's Contributor Workshop,
> our customer wants to enrich the SSG content by adding references to their 
> internal security requirements.
> 
> I wonder how I could add my own Security Identifiers, because when trying to 
> simply add e.g. a „customerident“ attribute into the shorthand XCCDF as per 
> below,
> my build fails with:
> 
> [...]
> xmllint --format --output output/shorthand.xml output/shorthand.xml
> xsltproc --stringparam ssg_version "0.1.27" -o 
> output/xccdf-unlinked-unresolved.xml transforms/shorthand2xccdf.xslt 
> output/shorthand.xml
> oscap xccdf resolve -o output/xccdf-unlinked-empty-groups.xml 
> output/xccdf-unlinked-unresolved.xml
> File 'output/xccdf-unlinked-unresolved.xml' line 153: Element 
> '{http://checklists.nist.gov/xccdf/1.1}ident': The attribute 'system' is 
> required but missing.
> File 'output/xccdf-unlinked-unresolved.xml' line 167: Element 
> '{http://checklists.nist.gov/xccdf/1.1}ident': The attribute 'system' is 
> required but missing.
> File 'output/xccdf-unlinked-unresolved.xml' line 182: Element 
> '{http://checklists.nist.gov/xccdf/1.1}ident': The attribute 'system' is 
> required but missing.
> File 'output/xccdf-unlinked-unresolved.xml' line 190: Element 
> '{http://checklists.nist.gov/xccdf/1.1}ident': The attribute 'system' is 
> required but missing.
> Invalid XCCDF Checklist content(1.1) in output/xccdf-unlinked-unresolved.xml.
> ../../shared/product-make.include:60: recipe for target 
> 'output/xccdf-unlinked-empty-groups.xml' failed
> make: *** [output/xccdf-unlinked-empty-groups.xml] Error 1
> 
> Do I have to „register“/„declare“ the new identifier type, and if so where 
> and how?
> 
> Example of what I'm trying to achieve:
> 
>  <Rule id="sshd_allow_only_protocol2">
>    <title>My Title</title>
>    <description>My description</description>
>    <rationale>My rationale</rationale>
>    <ident cce="27072-8" customerident="1234" stig="RHEL-06-000227"/>
>    <oval id="sshd_allow_only_protocol2"/>
>    <ref disa="776,774,1436" nist="AC-3(10),IA-5(1)(c)"/>
>  </Rule>
> 
> Any pointers highly appreciated :-) !
> 
> Thanks & regards
> Oliver
> --
> SCAP Security Guide mailing list
> [email protected]
> https://lists.fedorahosted.org/admin/lists/[email protected]
> https://github.com/OpenSCAP/scap-security-guide/
> 

-- 


Best regards,

Trey Henefield, CISSP
Senior IAVA Engineer

Ultra Electronics
Advanced Tactical Systems, Inc.
4101 Smith School Road
Building IV, Suite 100
Austin, TX 78744 USA

[email protected]
Tel: +1 512 327 6795 ext. 647
Fax: +1 512 327 8043
Mobile: +1 512 541 6450

www.ultra-ats.com

Disclaimer
The information contained in this communication from 
[email protected] sent at 2016-01-12 09:24:58 is confidential and 
may be legally privileged.
It is intended solely for use by [email protected] and 
others authorized to receive it. If you are not 
[email protected] you are hereby notified that
any disclosure, copying, distribution or taking action in reliance of the 
contents of this information is strictly prohibited and may be unlawful.