Hello XCCDF-Dev!

I am not sure whether this is the place to report issues against XCCDF standard, XCCDF schema in particular, but I will take my chances.

Ján Lieskovský (CC-ed) has found that XSD schema validation will not always detect malformed XCCDF. Having good XSD schema is critical for SCAP content authors at SCAP-Security-Guide project. They use XSD schemas to ensure reasonable quality of their output. The following case was not detected by XCCDF XSD validation:

XCCDF: https://isimluk.fedorapeople.org/ssg-rhel7-xccdf.xml

The PCI-DSS profile contains:

<select idref="service_chronyd_enabled" selected="true"/>

However, the content does no include Rule/Group element with such ID. Similar defects of XCCDF content usually get caught by XSD.

What do you think?

Best regards,