In order to address our need for discipline in OVAL development, I have updated the Makefile to make it easier to run some automated checks that are possible using OpenSCAP and the verify-references.py script.

So, after someone OKs my next patch, you can try:

    make validate-xml    (this is the old, fast schema validation)
    make validate        (that, plus other problem indicators)

I haven't decided to add these into git commit hooks. Yet.

Some of the OpenSCAP developers had flagged our issues with schematron validation a while ago; I believe we're now in a position to address them. And I believe that failed schematron validation is also likely to discover OVAL code that may need attention for other reasons, too.

There seem to be a number of OVAL checks that are not used by some of the XCCDF we have. The "right" choice may be to either delete the OVAL or delete the XCCDF. It may vary on a case-by-case basis.

HOWEVER, note also that some OVAL definitions "extend" others, and so there may be some OVAL checks that are not _directly_ referenced by the XCCDF, but are in fact referenced by other OVAL. I will be updating verify-references.py to handle this. Hopefully it explains the current long list of seemingly orphaned OVAL.

As a convenience, also, note that each OVAL check (in final output) includes a human-readable ID, which should indicate the input filename (or even still be hanging around in the XCCDF as a commented-out reference to an OVAL check). For example, in the final OVAL output, you'll see in the metadata for each definition something like:

    <reference source="ssg" ref_id="sysconfig_ipv6_networking"/>

So, if you're a developer who likes a list of stuff to work through, now you've got more tools to generate these...

Thanks,
Jeff

--
___________________________
Jeffrey Blank
410-854-8675
Technology and Systems Analysis / Network Components
NSA Information Assurance

_______________________________________________
scap-security-guide mailing list
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
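The orphan-detection logic described above (definitions reachable from XCCDF directly or transitively through extend_definition) could look like the following. This is an added illustration, not the project's verify-references.py; the XCCDF and OVAL fragments are constructed inline, and only the ref_id "sysconfig_ipv6_networking" comes from the post.

```python
import xml.etree.ElementTree as ET

# Constructed XCCDF fragment: one Rule whose check names a single OVAL definition.
XCCDF = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1">
  <Rule id="rule_ipv6"><check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
    <check-content-ref href="oval.xml" name="oval:ssg:def:1"/></check></Rule>
</Benchmark>"""

# Constructed OVAL: def:1 extends def:2 (so def:2 is only indirectly used); def:3 is unused.
OVAL = """<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"><definitions>
  <definition id="oval:ssg:def:1" class="compliance" version="1">
    <metadata><reference source="ssg" ref_id="sysconfig_ipv6_networking"/></metadata>
    <criteria><extend_definition definition_ref="oval:ssg:def:2" comment="x"/></criteria>
  </definition>
  <definition id="oval:ssg:def:2" class="compliance" version="1">
    <metadata><reference source="ssg" ref_id="kernel_module_ipv6_disabled"/></metadata><criteria/>
  </definition>
  <definition id="oval:ssg:def:3" class="compliance" version="1">
    <metadata><reference source="ssg" ref_id="unused_check"/></metadata><criteria/>
  </definition>
</definitions></oval_definitions>"""

def local(tag):
    """Strip the XML namespace so lookups work for any XCCDF/OVAL version."""
    return tag.rsplit('}', 1)[-1]

def find_orphans(xccdf_xml, oval_xml):
    """Return {oval_id: ssg ref_id} for definitions that no XCCDF check reaches,
    neither directly nor through a chain of extend_definition references."""
    xccdf, oval = ET.fromstring(xccdf_xml), ET.fromstring(oval_xml)
    extends, names = {}, {}          # id -> extended ids, id -> human-readable ref_id
    for d in (e for e in oval.iter() if local(e.tag) == 'definition'):
        did = d.get('id')
        extends[did] = {e.get('definition_ref') for e in d.iter() if local(e.tag) == 'extend_definition'}
        names[did] = next((r.get('ref_id') for r in d.iter()
                           if local(r.tag) == 'reference' and r.get('source') == 'ssg'), did)
    # Roots of the reachability search: every definition an XCCDF check-content-ref names.
    todo = [c.get('name') for c in xccdf.iter() if local(c.tag) == 'check-content-ref']
    used = set()
    while todo:                      # follow extend_definition edges to closure
        cur = todo.pop()
        if cur not in used:
            used.add(cur)
            todo.extend(extends.get(cur, ()))
    return {did: names[did] for did in extends if did not in used}

if __name__ == '__main__':
    for did, ref in sorted(find_orphans(XCCDF, OVAL).items()):
        print(f"orphan: {did} ({ref})")
```

With the sample input only oval:ssg:def:3 is reported; def:2 survives because def:1 extends it.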
