Thanks for the testing, Leam! Indeed. Nobody should be cutting RPMs with these outstanding. Nor should anybody push a commit without running "make validate" first.

I am still toying with the idea of adding some git pre-commit hooks to attempt to enforce some discipline in this matter.

The environmentvariable one relates to an OVAL check that was apparently in the RHEL 5 USGCB (and not the RHEL 6 STIG) and which I had advocated simply removing from our body of checks; the related XCCDF is perfectly nice as best practice guidance, but some changes occurred in the OVAL language between 5.8 and 5.10 that make this a headache to support.

Any USGCB (per NIST 800-70 Appendix E) is to be based on the submission to NIST by a USG "champion agency", which has often (but not always) been a STIG from DoD. The RHEL 5 USGCB preceded the STIG for RHEL 5 (and our regular listeners are aware of the significant quality differences in these). However things have been converging and the USGCB for RHEL 6 (if submitted to NIST by DoD) will be based on the STIG (as captured in SSG). It should simply be an additional Profile, with some adjustments for the federal audience. (Indeed there should be giant "pre-submission draft" labelling around our current "USGCB" Profile for that purpose).

I would like to draw Shawn's attention to the intended nature of this lineage, and thus complete this thread differently, with application of Maura's patch:
https://lists.fedorahosted.org/pipermail/scap-security-guide/2013-July/003593.html

David and I are working the USGCB submission angle and meeting with relevant leadership tomorrow. Er, today...

On Thu, Aug 29, 2013 at 12:55 PM, leam hall <[email protected]> wrote:
> Pulled the latest from
> https://git.fedorahosted.org/cgit/scap-security-guide.git/ and did a make
> and make validate. Received the following:
>
>
> oscap xccdf validate-xml output/ssg-rhel6-xccdf.xml
> oscap oval validate-xml output/ssg-rhel6-oval.xml
> oscap oval validate-xml output/ssg-rhel6-cpe-oval.xml
> cd output; ../utils/verify-references.py --rules-with-invalid-checks
> --ovaldefs-unused ssg-rhel6-xccdf.xml
> Invalid OVAL definition referenced by XCCDF Rule: set_gdm_login_banner_text
> Invalid OVAL definition referenced by XCCDF Rule:
> disable_logwatch_for_logserver
> OVAL Check is not referenced by XCCDF: oval:ssg:def:1052
> oscap oval validate-xml --schematron output/ssg-rhel6-oval.xml
> <?xml version="1.0"?>
> DEPRECATED OBJECT: ind:environmentvariable_object ID: oval:ssg:obj:2112
>
> Invalid OVAL Definition content(5.10) in output/ssg-rhel6-oval.xml.
> make: *** [validate] Error 2
>
>
>
> --
> Mind on a Mission
>
> _______________________________________________
> scap-security-guide mailing list
> [email protected]
> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
