Hey,

I'm hoping someone on this list can point me in the direction of what I'm doing 
wrong.

We would like to add some custom checks specific to our environment to the 
scap-security-guide content.

Since this is the first time I've tried to write any OVAL or XCCDF content, I 
thought I'd start with a nice simple package installed check for RHEL 6 
(vmware-tools-core) as a method of learning more about how it all hangs 
together.

So I created an OVAL file based on some of the other package installed ones:

$ cat RHEL/6/input/oval/package_vmware-tools-core_installed.xml
<def-group>
  <definition class="compliance" id="package_vmware-tools-core_installed"
  version="1">
    <metadata>
      <title>Package vmware-tools-core Installed</title>
      <affected family="unix">
        <platform>Red Hat Enterprise Linux 6</platform>
      </affected>
      <description>The RPM package vmware-tools-core should be 
installed.</description>
    </metadata>
    <criteria>
      <criterion comment="package vmware-tools-core is installed"
      test_ref="test_package_vmware-tools-core_installed" />
    </criteria>
  </definition>
  <linux:rpminfo_test check="all" check_existence="all_exist"
  id="test_package_vmware-tools-core_installed" version="1"
  comment="package vmware-tools-core is installed">
    <linux:object object_ref="obj_package_vmware-tools-core_installed" />
  </linux:rpminfo_test>
  <linux:rpminfo_object id="obj_package_vmware-tools-core_installed" 
version="1">
    <linux:name>vmware-tools-core</linux:name>
  </linux:rpminfo_object>
</def-group>


And created a group / rule for it in xccdf:

$ cat RHEL/6/input/xccdf/system/test.xml
<Group id="test">
<title>Test Checks</title>
<description>Test Checks stuff..
and stuff...</description>

<Rule id="package_vmware-tools-core_installed" severity="medium">
<title>VMWare Tools must be installed</title>
<description>
VMWare Tools must be installed on all VMware based VMs.
<yum-macro install="true" package="vmware-tools-core"/>
</description>
<ocil clause="the package is not installed" >
<package-check-macro package="vmware-tools-core" />
<br /><br />
If the system isn't a VMWare Based VM, this isn't applicable.
</ocil>
<rationale>Required package for operational support.</rationale>
<oval id="package_vmware-tools-core_installed" />
</Rule>

</Group>


Added a line into the common profile (RHEL/6/input/profiles/common.xml):

<select idref="package_vmware-tools-core_installed" selected="true" />


And finally, an entry in the RHEL/6/input/guide.xslt

  <xsl:template match="Group[@id='test']">
    <xsl:copy>
      <xsl:copy-of select="@*|node()" />
      <xsl:apply-templates select="document('xccdf/services/test.xml')" />
    </xsl:copy>
  </xsl:template>


However, attempting to make just the RHEL6 content fails:

$ make
xsltproc -stringparam ref "nist" -o output/table-rhel6-nistrefs.html 
transforms/xccdf2table-byref.xslt output/xccdf-unlinked-empty-groups.xml
xsltproc -stringparam profile "common" -o 
output/table-rhel6-nistrefs-common.html \
                transforms/xccdf2table-profilenistrefs.xslt 
output/xccdf-unlinked-empty-groups.xml
xsltproc -o output/table-rhel6-cces.html transforms/xccdf2table-cce.xslt 
output/xccdf-unlinked-empty-groups.xml
xsltproc -stringparam map-to-items "../output/xccdf-unlinked-empty-groups.xml" 
-o output/table-rhel6-srgmap.html \
                transforms/table-srgmap.xslt 
../../shared/references/disa-os-srg-v1r4.xml
xsltproc -stringparam flat "y" -stringparam map-to-items 
"../output/xccdf-unlinked-empty-groups.xml" -o 
output/table-rhel6-srgmap-flat.html \
                transforms/table-srgmap.xslt 
../../shared/references/disa-os-srg-v1r4.xml
xmllint --xmlout --html --output output/table-rhel6-srgmap-flat.xhtml 
output/table-rhel6-srgmap-flat.html
# If openscap on the system supports OVAL-5.11 language version, include also 
OVAL-5.11 checks
# into final list of OVAL checks
# RHEL/6/input/oval/oval_5.11 is empty for now!!! Uncomment the next statement 
once required
# find input/oval/oval_5.11 -maxdepth 1 -type f -name '*.xml' -exec cp {}  ';'
# System supports OVAL-5.11 => propagate 'RUNTIME_OVAL_VERSION' variable into 
the environment
find ../../shared/oval input/oval ../../shared/oval/oval_5.11 -name "*.xml" | 
xargs xmlwf
env RUNTIME_OVAL_VERSION='5.11' ../../shared/utils/combine-ovals.py 
../../shared/../config rhel6 ../../shared/oval input/oval 
../../shared/oval/oval_5.11 > output/unlinked-rhel6-oval.xml
Merged 499 OVAL checks.
WARNING: OVAL ID 'variable_cd_dvd_drive_alternative_names' is used multiple 
times and should represent the same elements.
Rewrite the OVAL checks. Place the identical IDs into their own definition and 
extend this definition by it.
WARNING: OVAL ID 'variable_cd_dvd_drive_regex_pattern' is used multiple times 
and should represent the same elements.
Rewrite the OVAL checks. Place the identical IDs into their own definition and 
extend this definition by it.
WARNING: OVAL ID 'variable_not_cd_dvd_drive_regex_pattern' is used multiple 
times and should represent the same elements.
Rewrite the OVAL checks. Place the identical IDs into their own definition and 
extend this definition by it.
WARNING: OVAL ID 'variable_cd_dvd_drive_alternative_names' is used multiple 
times and should represent the same elements.
Rewrite the OVAL checks. Place the identical IDs into their own definition and 
extend this definition by it.
WARNING: OVAL ID 'variable_cd_dvd_drive_regex_pattern' is used multiple times 
and should represent the same elements.
Rewrite the OVAL checks. Place the identical IDs into their own definition and 
extend this definition by it.
WARNING: OVAL ID 'variable_not_cd_dvd_drive_regex_pattern' is used multiple 
times and should represent the same elements.
Rewrite the OVAL checks. Place the identical IDs into their own definition and 
extend this definition by it.
xmllint --format --output output/unlinked-rhel6-oval.xml 
output/unlinked-rhel6-oval.xml
xsltproc -o output/table-rhel6-stig.html transforms/xccdf2table-stig.xslt 
../../shared/references/disa-stig-rhel6-v1r12-xccdf.xml
xsltproc -o output/table-rhel6-stig-manual.html 
transforms/xccdf2table-stig.xslt 
../../shared/references/disa-stig-rhel6-v1r12-xccdf-manual.xml
xsltproc -stringparam profile "stig-rhel6-server-upstream" -stringparam 
testinfo "y" -o output/table-stig-rhel6-testinfo.html \
                transforms/xccdf2table-profileccirefs.xslt 
output/xccdf-unlinked-final.xml
xsltproc -stringparam overlay "../input/auxiliary/stig_overlay.xml" -o 
output/unlinked-stig-rhel6-xccdf.xml \
                transforms/xccdf-apply-overlay-stig.xslt 
output/xccdf-unlinked-final.xml
xsltproc -o output/table-rhel6-stig.html transforms/xccdf2table-stig.xslt 
output/unlinked-stig-rhel6-xccdf.xml
cp output/xccdf-unlinked-final.xml output/unlinked-rhel6-xccdf.xml
xsltproc -o output/unlinked-rhel6-xccdf-guide.xml 
transforms/xccdf-removeaux.xslt output/unlinked-rhel6-xccdf.xml
../../shared/utils/cpe-generate.py output/unlinked-rhel6-oval.xml 
input/oval/platform/rhel6-cpe-dictionary.xml ssg
../../shared/utils/relabel-ids.py unlinked-rhel6-xccdf.xml ssg
WARNING: OVAL check 'package_sssd_installed' was not found, removing 
<check-content> element from the XCCDF rule.
WARNING: OVAL check 'service_sssd_enabled' was not found, removing 
<check-content> element from the XCCDF rule.
WARNING: OVAL check 'sssd_memcache_timeout' was not found, removing 
<check-content> element from the XCCDF rule.
WARNING: OVAL check 'sssd_offline_cred_expiration' was not found, removing 
<check-content> element from the XCCDF rule.
WARNING: OVAL check 'sssd_ssh_known_hosts_timeout' was not found, removing 
<check-content> element from the XCCDF rule.
../../shared/utils/relabel-ids.py xccdf-unlinked-ocilrefs.xml ssg
WARNING: OVAL check 'package_sssd_installed' was not found, removing 
<check-content> element from the XCCDF rule.
WARNING: OVAL check 'service_sssd_enabled' was not found, removing 
<check-content> element from the XCCDF rule.
WARNING: OVAL check 'sssd_memcache_timeout' was not found, removing 
<check-content> element from the XCCDF rule.
WARNING: OVAL check 'sssd_offline_cred_expiration' was not found, removing 
<check-content> element from the XCCDF rule.
WARNING: OVAL check 'sssd_ssh_known_hosts_timeout' was not found, removing 
<check-content> element from the XCCDF rule.
xsltproc --stringparam reverse_DNS org.ssgproject.content 
/usr/share/openscap/xsl/xccdf_1.1_to_1.2.xsl \
                output/ssg-rhel6-xccdf.xml > output/ssg-rhel6-xccdf-1.2.xml
sed -i 's/style="SCAP_1.1"/style="SCAP_1.2"/' output/ssg-rhel6-xccdf-1.2.xml
oscap ds sds-compose output/ssg-rhel6-xccdf-1.2.xml output/ssg-rhel6-ds.xml
File '/home/rpmbuild/new/scap-security-guide/RHEL/6/output/ssg-rhel6-ds.xml' 
line 21316: Element '{http://checklists.nist.gov/xccdf/1.2}select', attribute 
'idref': 'dangling reference to package_vmware-tools-core_installed!' is not a 
valid value of the atomic type 'xs:NCName'.
File '/home/rpmbuild/new/scap-security-guide/RHEL/6/output/ssg-rhel6-ds.xml' 
line 21316: Element '{http://checklists.nist.gov/xccdf/1.2}select', attribute 
'idref': Warning: No precomputed value available, the value was either invalid 
or something strange happend.
File '/home/rpmbuild/new/scap-security-guide/RHEL/6/output/ssg-rhel6-ds.xml' 
line 21716: Element '{http://checklists.nist.gov/xccdf/1.2}select', attribute 
'idref': 'dangling reference to package_vmware-tools-core_installed!' is not a 
valid value of the atomic type 'xs:NCName'.
File '/home/rpmbuild/new/scap-security-guide/RHEL/6/output/ssg-rhel6-ds.xml' 
line 21716: Element '{http://checklists.nist.gov/xccdf/1.2}select', attribute 
'idref': Warning: No precomputed value available, the value was either invalid 
or something strange happend.
<SNIP>
OpenSCAP Error: Unknown document type: 'ssg-rhel6-ocil.xml' [oscap_source.c:172]
Invalid SCAP Source Datastream (1.2) content in 
/home/rpmbuild/new/scap-security-guide/RHEL/6/output/ssg-rhel6-ds.xml. 
[oscap_source.c:268]
make: *** [content] Error 1


Is anyone able to point me in the direction of what I've missed?

Kind regards,
Michael Ward.
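A pre-build consistency check for hand-written SSG input, added here as an example and not part of the scap-security-guide project: it cross-checks the paths that guide.xslt pulls in via document(), the Rule ids found in the xccdf/ fragments, and the idrefs selected in the profile, which is how the path mismatch visible in the post (rule file at xccdf/system/test.xml, include of xccdf/services/test.xml) turns into a dangling reference. The three files are modelled as an in-memory dict of path to text (a stand-in for reading RHEL/6/input/), and the input fragments are assumed to be un-namespaced Group/Rule/Profile elements as in the post.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of the three inputs from the post, kept in memory so the
# check runs offline (read the real files from RHEL/6/input/ in practice).
# The rule lives under xccdf/system/, but guide.xslt includes xccdf/services/.
SAMPLE_TREE = {
    "xccdf/system/test.xml": (
        '<Group id="test"><title>Test Checks</title>'
        '<Rule id="package_vmware-tools-core_installed" severity="medium">'
        '<title>VMWare Tools must be installed</title></Rule></Group>'),
    "profiles/common.xml": (
        '<Profile id="common"><title>Common</title>'
        '<select idref="package_vmware-tools-core_installed" selected="true"/>'
        '</Profile>'),
    "guide.xslt": (
        "<xsl:template match=\"Group[@id='test']\"><xsl:copy>"
        "<xsl:apply-templates select=\"document('xccdf/services/test.xml')\"/>"
        "</xsl:copy></xsl:template>"),
}

DOCUMENT_CALL = re.compile(r"document\('([^']+)'\)")


def included_paths(tree):
    """Files that guide.xslt pulls into the unlinked XCCDF via document()."""
    return DOCUMENT_CALL.findall(tree["guide.xslt"])


def lint(tree):
    """Return sorted problem strings; an empty list means the inputs agree."""
    problems = []
    included = included_paths(tree)
    reachable = set()
    for path in included:
        if path not in tree:
            problems.append(f"guide.xslt includes missing file {path}")
            continue
        reachable.update(r.get("id") for r in ET.fromstring(tree[path]).iter("Rule"))
    # Rule files that exist but are never included never reach the build.
    for path, text in tree.items():
        if path.startswith("xccdf/") and path not in included:
            for rule in ET.fromstring(text).iter("Rule"):
                problems.append(f"rule {rule.get('id')} in {path} is never included")
    # Every profile <select> must name a rule the build will actually contain.
    for sel in ET.fromstring(tree["profiles/common.xml"]).iter("select"):
        if sel.get("idref") not in reachable:
            problems.append(f"profile selects unreachable rule {sel.get('idref')}")
    return sorted(problems)
```

Run `lint(SAMPLE_TREE)` to see all three findings; pointing the include at xccdf/system/test.xml makes the list empty.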
_______________________________________________
scap-security-guide mailing list -- scap-security-guide@lists.fedorahosted.org