Hello, sorry for such a delay in response.
On Thu, Dec 1, 2016 at 9:54 PM, Michael Ward <[email protected]> wrote:
> Hey,
>
> I’m hoping someone on this list can point me in the direction of what I’m
> doing wrong..
>
> We would like to add some custom checks specific to our environment to the
> scap-security-guide content.
>
> Since this is the first time I’ve tried to write any OVAL or XCCDF
> content, I thought I’d start with a nice simple package installed check for
> RHEL 6 (vmware-tools-core) as a method of learning more about how it all
> hangs together.
>
> So I created an OVAL file based on some of the other package installed
> ones:
>
> $ cat RHEL/6/input/oval/package_vmware-tools-core_installed.xml
> <def-group>
>   <definition class="compliance" id="package_vmware-tools-core_installed"
>   version="1">
>     <metadata>
>       <title>Package vmware-tools-core Installed</title>
>       <affected family="unix">
>         <platform>Red Hat Enterprise Linux 6</platform>
>       </affected>
>       <description>The RPM package vmware-tools-core should be
>       installed.</description>
>     </metadata>
>     <criteria>
>       <criterion comment="package vmware-tools-core is installed"
>       test_ref="test_package_vmware-tools-core_installed" />
>     </criteria>
>   </definition>
>   <linux:rpminfo_test check="all" check_existence="all_exist"
>   id="test_package_vmware-tools-core_installed" version="1"
>   comment="package vmware-tools-core is installed">
>     <linux:object object_ref="obj_package_vmware-tools-core_installed" />
>   </linux:rpminfo_test>
>   <linux:rpminfo_object id="obj_package_vmware-tools-core_installed"
>   version="1">
>     <linux:name>vmware-tools-core</linux:name>
>   </linux:rpminfo_object>
> </def-group>
>
> And created a group / rule for it in xccdf:
>
> $ cat RHEL/6/input/xccdf/system/test.xml
> <Group id="test">
>   <title>Test Checks</title>
>   <description>Test Checks stuff..
>   and stuff...</description>
>
>   <Rule id="package_vmware-tools-core_installed" severity="medium">
>     <title>VMWare Tools must be installed</title>
>     <description>
>       VMWare Tools must be installed on all VMware based VM's.
>       <yum-macro install="true" package="vmware-tools-core"/>
>     </description>
>     <ocil clause="the package is not installed">
>       <package-check-macro package="vmware-tools-core" />
>       <br /><br />
>       If the system isn't a VMWare Based VM, this isn't applicable.
>     </ocil>
>     <rationale>Required package for operational support.</rationale>
>     <oval id="package_vmware-tools-core_installed" />
>   </Rule>
>
> </Group>
>
> Added a line into the common profile (RHEL/6/input/profiles/common.xml):
>
> <select idref="package_vmware-tools-core_installed" selected="true" />
>
> And finally, an entry in the RHEL/6/input/guide.xslt
>
> <xsl:template match="Group[@id='test']">
>   <xsl:copy>
>     <xsl:copy-of select="@*|node()" />
>     <xsl:apply-templates select="document('xccdf/services/test.xml')" />
>   </xsl:copy>
> </xsl:template>

This should be:

<xsl:apply-templates select="document('xccdf/system/test.xml')" />

Also, for some reason, and not really looking into it, having a custom group seems to not work when guide.xslt is processed; however, if you add <xsl:apply-templates select="document('xccdf/system/test.xml')" /> to an existing group, it should work.

> However, attempting to make just the RHEL6 content fails:
>
> $ make
> xsltproc -stringparam ref "nist" -o output/table-rhel6-nistrefs.html transforms/xccdf2table-byref.xslt output/xccdf-unlinked-empty-groups.xml
> xsltproc -stringparam profile "common" -o output/table-rhel6-nistrefs-common.html \
>     transforms/xccdf2table-profilenistrefs.xslt output/xccdf-unlinked-empty-groups.xml
> xsltproc -o output/table-rhel6-cces.html transforms/xccdf2table-cce.xslt output/xccdf-unlinked-empty-groups.xml
> xsltproc -stringparam map-to-items "../output/xccdf-unlinked-empty-groups.xml" -o output/table-rhel6-srgmap.html \
>     transforms/table-srgmap.xslt ../../shared/references/disa-os-srg-v1r4.xml
> xsltproc -stringparam flat "y" -stringparam map-to-items "../output/xccdf-unlinked-empty-groups.xml" -o output/table-rhel6-srgmap-flat.html \
>     transforms/table-srgmap.xslt ../../shared/references/disa-os-srg-v1r4.xml
> xmllint --xmlout --html --output output/table-rhel6-srgmap-flat.xhtml output/table-rhel6-srgmap-flat.html
> # If openscap on the system supports OVAL-5.11 language version, include also OVAL-5.11 checks
> # into final list of OVAL checks
> # RHEL/6/input/oval/oval_5.11 is empty for now!!! Uncomment the next statement once required
> # find input/oval/oval_5.11 -maxdepth 1 -type f -name '*.xml' -exec cp {} ';'
> # System supports OVAL-5.11 => propagate 'RUNTIME_OVAL_VERSION' variable into the environment
> find ../../shared/oval input/oval ../../shared/oval/oval_5.11 -name "*.xml" | xargs xmlwf
> env RUNTIME_OVAL_VERSION='5.11' ../../shared/utils/combine-ovals.py ../../shared/../config rhel6 ../../shared/oval input/oval ../../shared/oval/oval_5.11 > output/unlinked-rhel6-oval.xml
> Merged 499 OVAL checks.
> WARNING: OVAL ID 'variable_cd_dvd_drive_alternative_names' is used multiple times and should represent the same elements.
> Rewrite the OVAL checks. Place the identical IDs into their own definition and extend this definition by it.
> WARNING: OVAL ID 'variable_cd_dvd_drive_regex_pattern' is used multiple times and should represent the same elements.
> Rewrite the OVAL checks. Place the identical IDs into their own definition and extend this definition by it.
> WARNING: OVAL ID 'variable_not_cd_dvd_drive_regex_pattern' is used multiple times and should represent the same elements.
> Rewrite the OVAL checks. Place the identical IDs into their own definition and extend this definition by it.
> WARNING: OVAL ID 'variable_cd_dvd_drive_alternative_names' is used multiple times and should represent the same elements.
> Rewrite the OVAL checks. Place the identical IDs into their own definition and extend this definition by it.
> WARNING: OVAL ID 'variable_cd_dvd_drive_regex_pattern' is used multiple times and should represent the same elements.
> Rewrite the OVAL checks. Place the identical IDs into their own definition and extend this definition by it.
> WARNING: OVAL ID 'variable_not_cd_dvd_drive_regex_pattern' is used multiple times and should represent the same elements.
> Rewrite the OVAL checks. Place the identical IDs into their own definition and extend this definition by it.
> xmllint --format --output output/unlinked-rhel6-oval.xml output/unlinked-rhel6-oval.xml
> xsltproc -o output/table-rhel6-stig.html transforms/xccdf2table-stig.xslt ../../shared/references/disa-stig-rhel6-v1r12-xccdf.xml
> xsltproc -o output/table-rhel6-stig-manual.html transforms/xccdf2table-stig.xslt ../../shared/references/disa-stig-rhel6-v1r12-xccdf-manual.xml
> xsltproc -stringparam profile "stig-rhel6-server-upstream" -stringparam testinfo "y" -o output/table-stig-rhel6-testinfo.html \
>     transforms/xccdf2table-profileccirefs.xslt output/xccdf-unlinked-final.xml
> xsltproc -stringparam overlay "../input/auxiliary/stig_overlay.xml" -o output/unlinked-stig-rhel6-xccdf.xml \
>     transforms/xccdf-apply-overlay-stig.xslt output/xccdf-unlinked-final.xml
> xsltproc -o output/table-rhel6-stig.html transforms/xccdf2table-stig.xslt output/unlinked-stig-rhel6-xccdf.xml
> cp output/xccdf-unlinked-final.xml output/unlinked-rhel6-xccdf.xml
> xsltproc -o output/unlinked-rhel6-xccdf-guide.xml transforms/xccdf-removeaux.xslt output/unlinked-rhel6-xccdf.xml
> ../../shared/utils/cpe-generate.py output/unlinked-rhel6-oval.xml input/oval/platform/rhel6-cpe-dictionary.xml ssg
> ../../shared/utils/relabel-ids.py unlinked-rhel6-xccdf.xml ssg
> WARNING: OVAL check 'package_sssd_installed' was not found, removing <check-content> element from the XCCDF rule.
> WARNING: OVAL check 'service_sssd_enabled' was not found, removing <check-content> element from the XCCDF rule.
> WARNING: OVAL check 'sssd_memcache_timeout' was not found, removing <check-content> element from the XCCDF rule.
> WARNING: OVAL check 'sssd_offline_cred_expiration' was not found, removing <check-content> element from the XCCDF rule.
> WARNING: OVAL check 'sssd_ssh_known_hosts_timeout' was not found, removing <check-content> element from the XCCDF rule.
> ../../shared/utils/relabel-ids.py xccdf-unlinked-ocilrefs.xml ssg
> WARNING: OVAL check 'package_sssd_installed' was not found, removing <check-content> element from the XCCDF rule.
> WARNING: OVAL check 'service_sssd_enabled' was not found, removing <check-content> element from the XCCDF rule.
> WARNING: OVAL check 'sssd_memcache_timeout' was not found, removing <check-content> element from the XCCDF rule.
> WARNING: OVAL check 'sssd_offline_cred_expiration' was not found, removing <check-content> element from the XCCDF rule.
> WARNING: OVAL check 'sssd_ssh_known_hosts_timeout' was not found, removing <check-content> element from the XCCDF rule.
> xsltproc --stringparam reverse_DNS org.ssgproject.content /usr/share/openscap/xsl/xccdf_1.1_to_1.2.xsl \
>     output/ssg-rhel6-xccdf.xml > output/ssg-rhel6-xccdf-1.2.xml
> sed -i 's/style="SCAP_1.1"/style="SCAP_1.2"/' output/ssg-rhel6-xccdf-1.2.xml
> oscap ds sds-compose output/ssg-rhel6-xccdf-1.2.xml output/ssg-rhel6-ds.xml
> File '/home/rpmbuild/new/scap-security-guide/RHEL/6/output/ssg-rhel6-ds.xml' line 21316: Element '{http://checklists.nist.gov/xccdf/1.2}select', attribute 'idref': 'dangling reference to package_vmware-tools-core_installed!' is not a valid value of the atomic type 'xs:NCName'.
> File '/home/rpmbuild/new/scap-security-guide/RHEL/6/output/ssg-rhel6-ds.xml' line 21316: Element '{http://checklists.nist.gov/xccdf/1.2}select', attribute 'idref': Warning: No precomputed value available, the value was either invalid or something strange happend.
> File '/home/rpmbuild/new/scap-security-guide/RHEL/6/output/ssg-rhel6-ds.xml' line 21716: Element '{http://checklists.nist.gov/xccdf/1.2}select', attribute 'idref': 'dangling reference to package_vmware-tools-core_installed!' is not a valid value of the atomic type 'xs:NCName'.
> File '/home/rpmbuild/new/scap-security-guide/RHEL/6/output/ssg-rhel6-ds.xml' line 21716: Element '{http://checklists.nist.gov/xccdf/1.2}select', attribute 'idref': Warning: No precomputed value available, the value was either invalid or something strange happend.
> <SNIP>
> OpenSCAP Error: Unknown document type: 'ssg-rhel6-ocil.xml' [oscap_source.c:172]
> Invalid SCAP Source Datastream (1.2) content in /home/rpmbuild/new/scap-security-guide/RHEL/6/output/ssg-rhel6-ds.xml. [oscap_source.c:268]
> make: *** [content] Error 1

You are getting this error because the XCCDF does not exist for package_vmware-tools-core_installed. It is not being merged when it is in its own group for some reason.

> Is anyone able to point me in the direction of what I’ve missed ?
>
> Kind regards,
> Michael Ward.
_______________________________________________ scap-security-guide mailing list -- [email protected] To unsubscribe send an email to [email protected]
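The two build problems in the thread (duplicate OVAL ids reported by combine-ovals.py, and a profile `<select>` that dangles because the Rule never reached the merged XCCDF) can both be caught before running `make`. The script below is an added example, not code from the thread or from scap-security-guide's own utilities; it parses constructed fragments modelled on Michael's files and reports the same classes of problem. The `xmlns:linux` declaration on the `def-group` is an assumption added so a plain XML parser accepts the `linux:` prefix, and the `lint` function and its message wording are this example's own.

```python
"""Pre-build lint for hand-written SCAP Security Guide fragments (added example)."""
import xml.etree.ElementTree as ET
from collections import Counter

# Assumption: declare the OVAL linux namespace so ElementTree accepts "linux:";
# the real build supplies namespaces when it combines fragments.
OVAL_LINUX_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"

# Constructed input modelled on the rpminfo check from the thread.
OVAL_PACKAGE_CHECK = f"""<def-group xmlns:linux="{OVAL_LINUX_NS}">
  <definition class="compliance" id="package_vmware-tools-core_installed" version="1">
    <metadata><title>Package vmware-tools-core Installed</title></metadata>
    <criteria>
      <criterion comment="package vmware-tools-core is installed"
                 test_ref="test_package_vmware-tools-core_installed" />
    </criteria>
  </definition>
  <linux:rpminfo_test check="all" check_existence="all_exist"
                      id="test_package_vmware-tools-core_installed" version="1">
    <linux:object object_ref="obj_package_vmware-tools-core_installed" />
  </linux:rpminfo_test>
  <linux:rpminfo_object id="obj_package_vmware-tools-core_installed" version="1">
    <linux:name>vmware-tools-core</linux:name>
  </linux:rpminfo_object>
</def-group>"""

# Constructed XCCDF fragment: the rule as it looks once merged into a group.
XCCDF_GROUP = """<Group id="test">
  <title>Test Checks</title>
  <Rule id="package_vmware-tools-core_installed" severity="medium">
    <title>VMWare Tools must be installed</title>
    <oval id="package_vmware-tools-core_installed" />
  </Rule>
</Group>"""

# Constructed profile fragment; the second <select> dangles on purpose.
PROFILE = """<Profile id="common">
  <select idref="package_vmware-tools-core_installed" selected="true" />
  <select idref="package_not_written_yet_installed" selected="true" />
</Profile>"""


def oval_ids(fragment):
    """Every id= in an OVAL fragment: definitions, tests, objects, states, variables."""
    return [el.get("id") for el in ET.fromstring(fragment).iter() if el.get("id")]


def oval_definition_ids(fragment):
    """Only <definition> ids, which are what an XCCDF <oval id=.../> may reference."""
    return {d.get("id") for d in ET.fromstring(fragment).iter("definition")}


def duplicate_oval_ids(fragments):
    """Approximates the combine-ovals.py warning: ids occurring more than once overall."""
    counts = Counter(i for f in fragments for i in oval_ids(f))
    return sorted(i for i, n in counts.items() if n > 1)


def unresolved_refs(fragment):
    """*_ref attributes that point at no id inside the same fragment."""
    ids = set(oval_ids(fragment))
    return sorted(el.get(attr) for el in ET.fromstring(fragment).iter()
                  for attr in ("test_ref", "object_ref", "state_ref", "var_ref")
                  if el.get(attr) and el.get(attr) not in ids)


def xccdf_rules(fragment):
    """Map each Rule id to the OVAL definition id it references (None if no <oval>)."""
    rules = {}
    for rule in ET.fromstring(fragment).iter("Rule"):
        oval = rule.find("oval")
        rules[rule.get("id")] = oval.get("id") if oval is not None else None
    return rules


def lint(oval_fragments, xccdf_fragment, profile_fragment):
    """Return human-readable problems; an empty list means the content links up."""
    problems = [f"OVAL id {d!r} is used multiple times" for d in duplicate_oval_ids(oval_fragments)]
    for f in oval_fragments:
        problems += [f"OVAL reference {r!r} does not resolve" for r in unresolved_refs(f)]
    definitions = set().union(*(oval_definition_ids(f) for f in oval_fragments))
    rules = xccdf_rules(xccdf_fragment)
    for rule_id, oval_id in rules.items():
        if oval_id is not None and oval_id not in definitions:
            problems.append(f"Rule {rule_id!r} references missing OVAL check {oval_id!r}")
    # A <select> whose idref matches no Rule is exactly the "dangling reference"
    # that oscap ds sds-compose rejected in the thread.
    for sel in ET.fromstring(profile_fragment).iter("select"):
        if sel.get("idref") not in rules:
            problems.append(f"Profile selects {sel.get('idref')!r} but no Rule has that id")
    return problems


if __name__ == "__main__":
    for line in lint([OVAL_PACKAGE_CHECK], XCCDF_GROUP, PROFILE):
        print("WARNING:", line)
```

Run against the real tree, the three fragments would be read from `input/oval/*.xml`, the merged `output/xccdf-unlinked-final.xml` and `input/profiles/common.xml`; checking the merged XCCDF rather than the individual group file is what exposes a group that guide.xslt silently failed to pull in.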
