Hello XCCDF-Dev!
I am not sure whether this is the place to report issues against XCCDF standard, XCCDF schema in particular, but I will take my chances.
Ján Lieskovský (CC-ed) has found that XSD schema validation will not always detect malformed XCCDF. Having good XSD schema is critical for SCAP content authors at SCAP-Security-Guide project. They use XSD schemas to ensure reasonable quality of their output. The following case was not detected by XCCDF XSD validation:
XCCDF: https://isimluk.fedorapeople.org/ssg-rhel7-xccdf.xml
The PCI-DSS profile contains:
<select idref="service_chronyd_enabled" selected="true"/>
However, the content does no include Rule/Group element with such ID. Similar defects of XCCDF content usually get caught by XSD.
What do you think?
Best regards,
scap-security-guide@lists.fedorahosted.org