On 04/26/2018 11:00 AM, Jan De Luyck wrote:

> Hey list,
>
> I'm probably looking at this from the wrong way, but I thought that if one would include oval statements in the XCCDF rules, you'd be able to use "oscap xccdf eval" - but that just returns a bunch of notchecked statements.
>
> Or am I doing something wrong?
>
> $ oscap xccdf eval test_xccdf.xml
> Title Test 12345
> Rule xccdf_test_rule_RULE-001001
> Ident RULE-001001
> Result notchecked
>
> $ oscap oval eval test_oval.xml
> Definition oval:com.test:def:1: true
> Evaluation done.

There are some deficiencies.

$ oscap xccdf validate --schematron test_xccdf.xml
<?xml version="1.0"?>
Error: The given @idref attribute 'tbd' must match a the @id or @cluster-id attributes of a 'Rule' or 'Group' element. See the XCCDF 1.2.1 specification, Section 6.5.3.
Error: The given @idref attribute 'application-pending' must match a the @id or @cluster-id attributes of a 'Rule' or 'Group' element. See the XCCDF 1.2.1 specification, Section 6.5.3.
Error: The given @idref attribute 'instance' must match a the @id or @cluster-id attributes of a 'Rule' or 'Group' element. See the XCCDF 1.2.1 specification, Section 6.5.3.
Error: The given @idref attribute 'instance-pending' must match a the @id or @cluster-id attributes of a 'Rule' or 'Group' element. See the XCCDF 1.2.1 specification, Section 6.5.3.
Error: The given @idref attribute 'system' must match a the @id or @cluster-id attributes of a 'Rule' or 'Group' element. See the XCCDF 1.2.1 specification, Section 6.5.3.
Error: The given @idref attribute 'system-pending' must match a the @id or @cluster-id attributes of a 'Rule' or 'Group' element. See the XCCDF 1.2.1 specification, Section 6.5.3.
Error: The given @idref attribute 'network' must match a the @id or @cluster-id attributes of a 'Rule' or 'Group' element. See the XCCDF 1.2.1 specification, Section 6.5.3.
Error: The given @idref attribute 'network-pending' must match a the @id or @cluster-id attributes of a 'Rule' or 'Group' element. See the XCCDF 1.2.1 specification, Section 6.5.3.
Error: The given @idref attribute 'organization' must match a the @id or @cluster-id attributes of a 'Rule' or 'Group' element. See the XCCDF 1.2.1 specification, Section 6.5.3.
Error: The given @idref attribute 'organization-pending' must match a the @id or @cluster-id attributes of a 'Rule' or 'Group' element. See the XCCDF 1.2.1 specification, Section 6.5.3.
Error: The given @idref attribute 'group' must match a the @id or @cluster-id attributes of a 'Rule' or 'Group' element. See the XCCDF 1.2.1 specification, Section 6.5.3.
Error: The given @idref attribute 'group-pending' must match a the @id or @cluster-id attributes of a 'Rule' or 'Group' element. See the XCCDF 1.2.1 specification, Section 6.5.3.
Warning: A 'Benchmark' element should have a 'metadata' element, and it should contain a child from the Dublin Core schema. See the XCCDF 1.2.1 specification, Section 6.2.4.
Warning: The 'cpe:/' prefix (CPE URI binding) is allowed within an @idref attribute, but the CPE Formatted String binding is preferred. See the XCCDF 1.2.1 specification, Section 6.2.5.

You may or may not get away with those unscathed.

xccdf_test_rule_RULE-001001 is defined as selected="true" but was not checked. Alex identified why this occurred (there was no usable XCCDF <check> referencing an OVAL definition because of the incorrect system attribute).

This might have been obvious in a --results or --results-arf output document had either of those been requested with the oscap xccdf eval.

Regards,

Gary
_______________________________________________
Open-scap-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/open-scap-list
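
An added example, not part of the message above and not OpenSCAP code: a pre-flight check that lists XCCDF 1.2 Rules with no <check> whose system attribute is the OVAL check-system URI, the condition the reply names as the cause of the notchecked result. The sample benchmark, the function name unusable_rules and the choice to recognise only the OVAL URI are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
# Check-system URI that identifies OVAL content in an XCCDF <check>.
OVAL_SYSTEM = "http://oval.mitre.org/XMLSchema/oval-definitions-5"

# Constructed sample benchmark (not the poster's test_xccdf.xml).
SAMPLE = f"""<Benchmark xmlns="{XCCDF_NS}" id="xccdf_test_benchmark_demo">
  <Rule id="xccdf_test_rule_RULE-A" selected="true">
    <check system="oval">
      <check-content-ref href="test_oval.xml" name="oval:com.test:def:1"/>
    </check>
  </Rule>
  <Group id="xccdf_test_group_g1">
    <Rule id="xccdf_test_rule_RULE-B" selected="true">
      <check system="{OVAL_SYSTEM}">
        <check-content-ref href="test_oval.xml" name="oval:com.test:def:1"/>
      </check>
    </Rule>
  </Group>
  <Rule id="xccdf_test_rule_RULE-C" selected="true"/>
</Benchmark>"""


def unusable_rules(xccdf_text, known_systems=(OVAL_SYSTEM,)):
    """Return {rule_id: reason} for Rules with no check a scanner could run.

    known_systems is an assumption: extend it if your scanner build
    supports further check systems.
    """
    root = ET.fromstring(xccdf_text)
    q = lambda tag: f"{{{XCCDF_NS}}}{tag}"
    findings = {}
    for rule in root.iter(q("Rule")):           # includes Rules nested in Groups
        checks = list(rule.iter(q("check")))    # includes checks in complex-check
        if not checks:
            findings[rule.get("id")] = "no <check> element"
            continue
        usable = [c for c in checks
                  if c.get("system") in known_systems
                  and c.find(q("check-content-ref")) is not None]
        if not usable:
            seen = sorted({c.get("system", "") for c in checks})
            findings[rule.get("id")] = f"no usable check; systems seen: {seen}"
    return findings


if __name__ == "__main__":
    for rule_id, reason in unusable_rules(SAMPLE).items():
        print(f"{rule_id}: likely notchecked ({reason})")
```

Profile selection and selected="false" are not evaluated here; the function reports every Rule in the document.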
