Thanks very much for checking on this, Simon. And you're entirely right: we want only to select Rules and not Groups for the profiles. We'll try to clean it up.
I don't think anyone is using the ftp profile (though I could be wrong!) so it wasn't being carefuly tested (as far as I know). And yes -- it would absolutely make sense to include such an xpath check in the build process. (And it's much cleaner than some of the python in utils/verify-references.py...) Probably there should be a new Makerule which runs several tests against the content, including the existing validate Makerule. If anyone is volunteering, let me know! Thanks very much again. Jeff On 11/22/2012 02:26 PM, Simon Lukasik wrote: > Oops, scratch that. I've just realized that these groups doesn't have > any rule yet. > > Thus, more correct xpath check would be: > > xpath ssg-rhel6-xccdf.xml '//Profile/select[(@selected != "false" or > @selected != "0") and @idref = //Group[/Rule]/@id]/@idref' > > which is passing right now. > > > On 11/22/2012 07:27 PM, Simon Lukasik wrote: >> On 11/21/2012 05:48 PM, Jeffrey Blank wrote: >>> thanks -- please push! >>> >> >> Pushed. But I've just noticed there are two more bugs like this. The >> command: >> >> $ xpath ssg-rhel6-xccdf.xml \ >> '//Profile/select[@idref = //Group/@id]/@idref' >> >> founds: >> >> idref="ftp_limit_users"-- NODE -- >> idref="ftp_configure_firewall" >> >> We should really not be selecting the Groups but the Rules. >> >> However, I cannot fix this. As not being the content author, I am sure >> whether we want to have all the Rules of the given group >> (ftp_limit_users) to be selected. Could someone please check? >> >> Also, would it make sense to include such xpath check in the build process? >> >> Thanks, >> >> -- >> Simon Lukasik >> _______________________________________________ >> scap-security-guide mailing list >> [email protected] >> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide > > _______________________________________________ > scap-security-guide mailing list > [email protected] > https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide -- _______________________________________________ scap-security-guide mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
