> On Nov 8, 2013, at 8:45 AM, "Steinke, Leland J Sr CTR DISA FSO (US)" <[email protected]> wrote:
>
> Hi Shawn,
>
> It's not an OVAL requirement; it's an SCAP requirement. Section 3.3 of NIST SP 800-126r2, the SCAP 1.2 specification, includes the following:
>
> 1. For compliance class definitions:
>    b. Definitions that are directly or indirectly extended SHALL be limited to inventory and compliance classes.
>
> The SSG author of these particular checks excluded the inventory class, which left only the compliance class.
>
Makes sense, and thanks for the 800-126 reference! Ack

> Thanks,
> Leland
> --
> Leland Steinke, Security+
> DISA FSO Technical Support Contractor
> tapestry technologies, Inc
> 717-267-5797 (DSN 570)
> [email protected] (gov't)
> [email protected] (com'l)
>
>
>> -----Original Message-----
>> From: [email protected] [mailto:scap-
>> [email protected]] On Behalf Of Shawn Wells
>> Sent: Friday, November 08, 2013 1:18 AM
>> To: [email protected]
>> Subject: Re: [PATCH] set class=compliance for x86-bitness definitions
>>
>> On 11/6/13, 9:50 AM, Steinke, Leland J Sr CTR DISA FSO (US) wrote:
>>
>>
>> The NIST SCAP Content Validation Tool threw errors on the system_info_architecture_x86* definitions (requirement ID 208). This patch corrects the errors.
>>
>>
>> Regards,
>> --
>> Leland Steinke, Security+
>> DISA FSO Technical Support Contractor
>> tapestry technologies, Inc
>> 717-267-5797 (DSN 570)
>> [email protected] (gov't)
>> [email protected] (com'l)
>>
>> --- >> .../input/checks/system_info_architecture_x86.xml | 2 +- >> .../checks/system_info_architecture_x86_64.xml | 2 +- >> 2 files changed, 2 insertions(+), 2 deletions(-) >> >> diff --git a/RHEL6/input/checks/system_info_architecture_x86.xml >> b/RHEL6/input/checks/system_info_architecture_x86.xml >> index f05260a..393c4d6 100644 >> --- a/RHEL6/input/checks/system_info_architecture_x86.xml >> +++ b/RHEL6/input/checks/system_info_architecture_x86.xml >> @@ -1,5 +1,5 @@ >> <def-group> >> - <definition class="miscellaneous" >> id="system_info_architecture_x86" >> + <definition class="compliance" >> id="system_info_architecture_x86" >> version="1"> >> <!-- Note that this does not meet requirements for >> class=inventory as >> that only tests for patches per 5.10.1 Revision 1 --> >> diff --git >> a/RHEL6/input/checks/system_info_architecture_x86_64.xml >> b/RHEL6/input/checks/system_info_architecture_x86_64.xml >> index d4e681f..08481b5 100644 >> --- a/RHEL6/input/checks/system_info_architecture_x86_64.xml 
>> +++ b/RHEL6/input/checks/system_info_architecture_x86_64.xml >> @@ -1,5 +1,5 @@ >> <def-group> >> - <definition class="miscellaneous" >> id="system_info_architecture_x86_64" >> + <definition class="compliance" >> id="system_info_architecture_x86_64" >> version="1"> >> <!-- Note that this does not meet requirements for >> class=inventory as >> that only tests for patches per 5.10.1 Revision 1 -->
>>
>>
>> I'm not sure this is an error after reviewing the OVAL spec:
>> http://oval.mitre.org/language/version5.10/ovaldefinition/documentation/oval-common-schema.html#ClassEnumeration
>>
>> - Compliance definitions are meant to describe "the state of a machine when in compliance with a specific policy."
>> - Miscellaneous definitions are used "to categorize a definition that doesn't fit into one of the other four classes," with the other four being compliance, inventory, patch, and vulnerability.
>>
>> Since the system_info_architecture_x86* checks are called from other OVAL checks, such as audit_*, to test system architecture (versus testing for the compliance of being a specific architecture), the class definition of miscellaneous seems appropriate.
>>
>> Or am I interpreting the spec incorrectly (....which is totally possible)?
>
> _______________________________________________
> scap-security-guide mailing list
> [email protected]
> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
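Review bot: In the system_info_architecture_x86.xml hunk, the comment kept as context only explains why the definition is not class=inventory ("Note that this does not meet requirements for class=inventory") and says nothing about why it is now class="compliance". Suggest extending that comment in the same patch to record the reason given in the commit message (the validation tool error, requirement ID 208), so a later reader does not switch it back to miscellaneous.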
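Review bot: In the system_info_architecture_x86_64.xml hunk, version="1" stays unchanged while the class attribute on the same definition element changes. If anything downstream relies on the definition version to detect modified content, bump it here, and do the same for system_info_architecture_x86 so the two definitions stay in step.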
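The SP 800-126r2 section 3.3 rule quoted in this thread, as an added example (not part of the original messages or of the SSG code base): a Python check that follows extend_definition references from each compliance definition and reports any directly or indirectly extended definition whose class is not inventory or compliance. The sample XML and the ids example_audit_rule and example_arch_wrapper are constructed for illustration; a reference to an id that is not defined is reported with class `<missing>`.

```python
import xml.etree.ElementTree as ET

ALLOWED = {"inventory", "compliance"}  # classes permitted by the rule quoted in the thread

def local(tag):
    """Strip an XML namespace so namespaced OVAL and the shorthand input both parse."""
    return tag.rsplit("}", 1)[-1]

def load_definitions(xml_text):
    """Return {definition id: (class, [ids it extends])}."""
    defs = {}
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) == "definition":
            refs = [e.get("definition_ref") for e in el.iter()
                    if local(e.tag) == "extend_definition"]
            defs[el.get("id")] = (el.get("class"), refs)
    return defs

def violations(defs):
    """List (compliance id, extended id, class) where the extended class is not allowed."""
    found = []
    for root_id, (cls, refs) in defs.items():
        if cls != "compliance":
            continue
        seen, stack = set(), list(refs)
        while stack:  # depth-first walk covers indirect extension; 'seen' breaks cycles
            ref = stack.pop()
            if ref in seen:
                continue
            seen.add(ref)
            ref_cls, ref_refs = defs.get(ref, ("<missing>", []))
            if ref_cls not in ALLOWED:
                found.append((root_id, ref, ref_cls))
            stack.extend(ref_refs)
    return sorted(found)

# Constructed sample; only the id system_info_architecture_x86_64 comes from the thread.
SAMPLE = """<def-group>
  <definition class="compliance" id="example_audit_rule" version="1">
    <criteria><extend_definition definition_ref="example_arch_wrapper"/></criteria>
  </definition>
  <definition class="compliance" id="example_arch_wrapper" version="1">
    <criteria><extend_definition definition_ref="system_info_architecture_x86_64"/></criteria>
  </definition>
  <definition class="{arch_class}" id="system_info_architecture_x86_64" version="1"><criteria/></definition>
</def-group>"""

if __name__ == "__main__":
    for arch_class in ("miscellaneous", "compliance"):  # before and after the patch
        print(arch_class, violations(load_definitions(SAMPLE.format(arch_class=arch_class))))
```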
