(Finally I have had some time to look into this!) Thanks Peter, you're right, this indicates a problem with the OVAL checks.
They were using the check_existence attribute which is an ExistenceEnumeration type (which shouldn't be used if states are being used): http://oval.mitre.org/language/version5.10.1/ovaldefinition/documentation/oval-common-schema.html#ExistenceEnumeration Instead, tests which reference states should be using only the check= attribute which is a CheckEnumeration type: http://oval.mitre.org/language/version5.10.1/ovaldefinition/documentation/oval-common-schema.html#CheckEnumeration Given that the OVAL check I've corrected so far (accounts_nologin_for_system.xml) didn't even behave correctly, I can only guess that whatever tool was previously used for testing somehow produced the correct results by chance... More fixes to come for this. However, I do not understand the problem with the "inconsistent datatype between the variable and associated var_ref". There is a number datatype used in the XCCDF values, and an int datatype for the external_variable type in OVAL. Anyone else have any ideas? Jeff On 08/21/2012 09:54 AM, Peter Vrabec wrote: > Hi all, > > I have found that If I validate OVAL results by schematron rules: > > $ oscap oval validate-xml --results --schematron > rhel6-oval-scap-security-guide.xml.result.xml > > I get two types of errors: > > oval:scap-security-guide:tst:960 - No state should be referenced when > check_existence has a value of 'none_exist'. > oval:scap-security-guide:tst:959 - No state should be referenced when > check_existence has a value of 'none_exist'. > oval:scap-security-guide:tst:811 - No state should be referenced when > check_existence has a value of 'none_exist'. > oval:scap-security-guide:tst:787 - No state should be referenced when > check_existence has a value of 'none_exist'. > oval:scap-security-guide:tst:786 - No state should be referenced when > check_existence has a value of 'none_exist'. > oval:scap-security-guide:tst:359 - No state should be referenced when > check_existence has a value of 'none_exist'. > oval:scap-security-guide:tst:267 - No state should be referenced when > check_existence has a value of 'none_exist'. > oval:scap-security-guide:tst:221 - No state should be referenced when > check_existence has a value of 'none_exist'. > oval:scap-security-guide:tst:1085 - No state should be referenced when > check_existence has a value of 'none_exist'. > oval:scap-security-guide:var:2663 - inconsistent datatype between the > variable and an associated var_ref > oval:scap-security-guide:var:2655 - inconsistent datatype between the > variable and an associated var_ref > oval:scap-security-guide:var:2651 - inconsistent datatype between the > variable and an associated var_ref > oval:scap-security-guide:var:2649 - inconsistent datatype between the > variable and an associated var_ref > oval:scap-security-guide:var:2648 - inconsistent datatype between the > variable and an associated var_ref > oval:scap-security-guide:var:2644 - inconsistent datatype between the > variable and an associated var_ref > oval:scap-security-guide:var:2636 - inconsistent datatype between the > variable and an associated var_ref > oval:scap-security-guide:var:2629 - inconsistent datatype between the > variable and an associated var_ref > > > Peter. > _______________________________________________ > scap-security-guide mailing list > [email protected] > https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide _______________________________________________ scap-security-guide mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
