Hello Mike, thank you for contacting us.
----- Original Message -----
> From: "Mike Kuhnkey" <[email protected]>
> To: [email protected]
> Sent: Monday, February 15, 2016 1:29:47 AM
> Subject: [Open-scap] Suspect Error in ssg_rhel6-ds.xml: Incorrect reference
> to NIST SP 800-53r4 control category
>
> In the DataStream referred to above:
>
> line# 25738 <reference href="http://nvlpubs.nist.gov/nistubs/SpecialPublications/NIST.SP.800-53r4.pdf">194</reference>;
> line# 25739 <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">194</reference>;
>
> Appears to be incorrect format for NIST SP-800-53r4 control
> category....reference format should be of type AA-N. Not NNN?

Can you clarify what those "AA-N" and "NNN" abbreviations refer to? Or select
an example from e.g.:

[1] http://linguistics.byu.edu/faculty/henrichsenl/apa/APA10.html

you would like the SSG upstream to follow when creating the references?

Feel free to file an upstream RFE with an example wrt this:

[2] https://github.com/OpenSCAP/scap-security-guide/issues/new

>
> <Rule
> id="xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit"
> selected="false" severity="low">
>
> I am unaware of how datastream content is formed for release within
> scap-security-guide...could you identify the directories or point me to
> applicable developer documentation so I can get a little smarter on
> this?

The format of the references is the very same for each rule in the benchmark.
The DataStream content is created during the build process within the Makefile
for a particular product (e.g. for RHEL/6):

https://github.com/OpenSCAP/scap-security-guide/blob/master/RHEL/6/Makefile#L84

But this is just an expansion of the XCCDF standard formatted benchmark into
the output datastream form. The references are expanded within the
"shorthand2xccdf.xslt" XSLT transformation.

For the RHEL/6 product it's here:

https://github.com/OpenSCAP/scap-security-guide/blob/master/RHEL/6/transforms/shorthand2xccdf.xslt#L165

Should we start producing references in a different format, it would be easier
for us if an example were provided (so we could update the build process
upstream). Also an RFE filed upstream [2] would be appreciated too.

>
> I can build "rhel6-dist" but the substitution process that produces
> this statement within the datastream still eludes me.

Hope the above is helpful.

Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team

>
> _______________________________________________
> Open-scap-list mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/open-scap-list
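
An added example, not part of the original thread or of the SSG project's code: a small Python check that lists rules whose NIST SP 800-53 reference text is not shaped like a control identifier. It assumes "AA-N" in the question means a two-letter control family plus a number (such as IA-5); the sample XML, its hrefs and the function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: "AA-N" in the question means a two-letter control family, a hyphen
# and a number, optionally followed by parenthesised parts, e.g. IA-5 or IA-5(b).
CONTROL_ID = re.compile(r"^[A-Z]{2}-\d+(\([A-Za-z0-9]+\))*$")
NIST_HREF_MARKER = "800-53"  # substring used to recognise NIST SP 800-53 hrefs

# Constructed sample, modelled on the two lines quoted in the thread.
SAMPLE = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2">
  <Rule id="xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit"
        selected="false" severity="low">
    <reference href="http://example.invalid/NIST.SP.800-53r4.pdf">IA-5(b)</reference>
    <reference href="http://example.invalid/NIST.SP.800-53r4.pdf">194</reference>
    <reference href="http://example.invalid/cci/index.aspx">194</reference>
  </Rule>
</Benchmark>"""


def local(tag):
    """Strip the XML namespace so XCCDF 1.1 and 1.2 content are handled alike."""
    return tag.rsplit("}", 1)[-1]


def suspect_nist_references(xml_text):
    """Return (rule id, reference text) for NIST references not shaped like AA-N."""
    findings = []
    root = ET.fromstring(xml_text)
    for rule in root.iter():
        if local(rule.tag) != "Rule":
            continue
        for ref in rule:
            if local(ref.tag) != "reference":
                continue
            href = ref.get("href", "")
            text = (ref.text or "").strip()
            # Only references pointing at the NIST document are checked;
            # the DISA CCI reference legitimately carries a bare number.
            if NIST_HREF_MARKER in href and not CONTROL_ID.match(text):
                findings.append((rule.get("id"), text))
    return findings


if __name__ == "__main__":
    for rule_id, text in suspect_nist_references(SAMPLE):
        print(f"{rule_id}: NIST reference text {text!r} is not a control identifier")
```

To run it against a built datastream, read the file's contents and pass them to `suspect_nist_references` in place of `SAMPLE`.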
