Hi Shawn,

It's not an OVAL requirement; it's an SCAP requirement. Section 3.3 of NIST SP 800-126r2, the SCAP 1.2 specification, includes the following:
1. For compliance class definitions: b. Definitions that are directly or indirectly extended SHALL be limited to inventory and compliance classes. The SSG author of these particular checks excluded the inventory class, which left only the compliance class. Thanks, Leland -- Leland Steinke, Security+ DISA FSO Technical Support Contractor tapestry technologies, Inc 717-267-5797 (DSN 570) [email protected] (gov't) [email protected] (com'l) > -----Original Message----- > From: [email protected] [mailto:scap- > [email protected]] On Behalf Of Shawn Wells > Sent: Friday, November 08, 2013 1:18 AM > To: [email protected] > Subject: Re: [PATCH] set class=compliance for x86-bitness definitions > > On 11/6/13, 9:50 AM, Steinke, Leland J Sr CTR DISA FSO (US) wrote: > > > The NIST SCAP Content Validation Tool threw errors on the > system_info_architecture_x86* definitions (requirement ID 208). This > patch corrects the errors. > > > Regards, > -- > Leland Steinke, Security+ > DISA FSO Technical Support Contractor > tapestry technologies, Inc > 717-267-5797 (DSN 570) > [email protected] (gov't) > [email protected] (com'l) > > --- > .../input/checks/system_info_architecture_x86.xml | 2 +- > .../checks/system_info_architecture_x86_64.xml | 2 +- > 2 files changed, 2 insertions(+), 2 deletions(-) > > diff --git a/RHEL6/input/checks/system_info_architecture_x86.xml > b/RHEL6/input/checks/system_info_architecture_x86.xml > index f05260a..393c4d6 100644 > --- a/RHEL6/input/checks/system_info_architecture_x86.xml > +++ b/RHEL6/input/checks/system_info_architecture_x86.xml > @@ -1,5 +1,5 @@ > <def-group> > - <definition class="miscellaneous" > id="system_info_architecture_x86" > + <definition class="compliance" > id="system_info_architecture_x86" > version="1"> > <!-- Note that this does not meet requirements for > class=inventory as > that only tests for patches per 5.10.1 Revision 1 --> 
> diff --git > a/RHEL6/input/checks/system_info_architecture_x86_64.xml > b/RHEL6/input/checks/system_info_architecture_x86_64.xml > index d4e681f..08481b5 100644 > --- a/RHEL6/input/checks/system_info_architecture_x86_64.xml > +++ b/RHEL6/input/checks/system_info_architecture_x86_64.xml > @@ -1,5 +1,5 @@ > <def-group> > - <definition class="miscellaneous" > id="system_info_architecture_x86_64" > + <definition class="compliance" > id="system_info_architecture_x86_64" > version="1"> > <!-- Note that this does not meet requirements for > class=inventory as > that only tests for patches per 5.10.1 Revision 1 --> > > > I'm not sure this is an error after reviewing the OVAL spec: > http://oval.mitre.org/language/version5.10/ovaldefinition/documentation > /oval-common-schema.html#ClassEnumeration > > - Compliance definitions are meant to describe "the state of a machine > when in compliance with a specific policy." > - Miscellaneous definitions are used "to categorize a definition that > doesn't fit into one of the other four classes," with the other four > being compliance, inventory, patch, and vulnerability. > > Since the system_info_architecture_x86* checks are called from other > OVAL checks, such as audit_*, to test system architecture (versus > testing for the compliance of being a specific architecture), the class > definition of miscellaneous seems appropriate. > > Or am I interpreting the spec incorrectly (....which is totally > possible)?
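Review bot: In the system_info_architecture_x86.xml hunk, the retained comment under the changed `<definition>` line only explains why class=inventory was not used; nothing records why the class is now compliance rather than miscellaneous. Suggest extending that comment to say the definition is extended by other checks and that SCAP 1.2 (NIST SP 800-126r2, Section 3.3) limits extended definitions to the inventory and compliance classes, so a later cleanup does not revert it.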
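Review bot: In the system_info_architecture_x86_64.xml hunk, `version="1"` stays unchanged in the context line even though the definition's class attribute changes. If consumers of this content track definition revisions by version, consider incrementing it in the same patch; the same applies to the x86 definition in the first hunk.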
_______________________________________________ scap-security-guide mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
