Hey,
I'm hoping someone on this list can point me in the direction of what I'm doing wrong.
We would like to add some custom checks specific to our environment to the scap-security-guide content.
Since this is the first time I've tried to write any OVAL or XCCDF content, I thought I'd start with a nice simple package installed check for RHEL 6 (vmware-tools-core) as a method of learning more about how it all hangs together.
So I created an OVAL file based on some of the other package installed ones:
$ cat RHEL/6/input/oval/package_vmware-tools-core_installed.xml
<def-group>
  <definition class="compliance" id="package_vmware-tools-core_installed" version="1">
    <metadata>
      <title>Package vmware-tools-core Installed</title>
      <affected family="unix">
        <platform>Red Hat Enterprise Linux 6</platform>
      </affected>
      <description>The RPM package vmware-tools-core should be installed.</description>
    </metadata>
    <criteria>
      <criterion comment="package vmware-tools-core is installed" test_ref="test_package_vmware-tools-core_installed" />
    </criteria>
  </definition>
  <linux:rpminfo_test check="all" check_existence="all_exist"
      id="test_package_vmware-tools-core_installed" version="1"
      comment="package vmware-tools-core is installed">
    <linux:object object_ref="obj_package_vmware-tools-core_installed" />
  </linux:rpminfo_test>
  <linux:rpminfo_object id="obj_package_vmware-tools-core_installed" version="1">
    <linux:name>vmware-tools-core</linux:name>
  </linux:rpminfo_object>
</def-group>
And created a group / rule for it in xccdf:
$ cat RHEL/6/input/xccdf/system/test.xml
<Group id="test">
  <title>Test Checks</title>
  <description>Test Checks stuff.. and stuff...</description>
  <Rule id="package_vmware-tools-core_installed" severity="medium">
    <title>VMWare Tools must be installed</title>
    <description>
      VMWare Tools must be installed on all VMware based VM's.
      <yum-macro install="true" package="vmware-tools-core"/>
    </description>
    <ocil clause="the package is not installed">
      <package-check-macro package="vmware-tools-core" />
      <br /><br />
      If the system isn't a VMWare Based VM, this isn't applicable.
    </ocil>
    <rationale>Required package for operational support.</rationale>
    <oval id="package_vmware-tools-core_installed" />
  </Rule>
</Group>
Added a line into the common profile (RHEL/6/input/profiles/common.xml):
<select idref="package_vmware-tools-core_installed" selected="true" />
And finally, an entry in RHEL/6/input/guide.xslt:
<xsl:template match="Group[@id='test']">
  <xsl:copy>
    <xsl:copy-of select="@*|node()" />
    <xsl:apply-templates select="document('xccdf/services/test.xml')" />
  </xsl:copy>
</xsl:template>
However, attempting to make just the RHEL6 content fails:
$ make
xsltproc -stringparam ref "nist" -o output/table-rhel6-nistrefs.html transforms/xccdf2table-byref.xslt output/xccdf-unlinked-empty-groups.xml
xsltproc -stringparam profile "common" -o output/table-rhel6-nistrefs-common.html \
transforms/xccdf2table-profilenistrefs.xslt output/xccdf-unlinked-empty-groups.xml
xsltproc -o output/table-rhel6-cces.html transforms/xccdf2table-cce.xslt output/xccdf-unlinked-empty-groups.xml
xsltproc -stringparam map-to-items "../output/xccdf-unlinked-empty-groups.xml" -o output/table-rhel6-srgmap.html \
transforms/table-srgmap.xslt ../../shared/references/disa-os-srg-v1r4.xml
xsltproc -stringparam flat "y" -stringparam map-to-items "../output/xccdf-unlinked-empty-groups.xml" -o output/table-rhel6-srgmap-flat.html \
transforms/table-srgmap.xslt ../../shared/references/disa-os-srg-v1r4.xml
xmllint --xmlout --html --output output/table-rhel6-srgmap-flat.xhtml output/table-rhel6-srgmap-flat.html
# If openscap on the system supports OVAL-5.11 language version, include also OVAL-5.11 checks
# into final list of OVAL checks
# RHEL/6/input/oval/oval_5.11 is empty for now!!! Uncomment the next statement once required
# find input/oval/oval_5.11 -maxdepth 1 -type f -name '*.xml' -exec cp {} ';'
# System supports OVAL-5.11 => propagate 'RUNTIME_OVAL_VERSION' variable into the environment
find ../../shared/oval input/oval ../../shared/oval/oval_5.11 -name "*.xml" | xargs xmlwf
env RUNTIME_OVAL_VERSION='5.11' ../../shared/utils/combine-ovals.py ../../shared/../config rhel6 ../../shared/oval input/oval ../../shared/oval/oval_5.11 > output/unlinked-rhel6-oval.xml
Merged 499 OVAL checks.
WARNING: OVAL ID 'variable_cd_dvd_drive_alternative_names' is used multiple times and should represent the same elements.
Rewrite the OVAL checks. Place the identical IDs into their own definition and extend this definition by it.
WARNING: OVAL ID 'variable_cd_dvd_drive_regex_pattern' is used multiple times and should represent the same elements.
Rewrite the OVAL checks. Place the identical IDs into their own definition and extend this definition by it.
WARNING: OVAL ID 'variable_not_cd_dvd_drive_regex_pattern' is used multiple times and should represent the same elements.
Rewrite the OVAL checks. Place the identical IDs into their own definition and extend this definition by it.
WARNING: OVAL ID 'variable_cd_dvd_drive_alternative_names' is used multiple times and should represent the same elements.
Rewrite the OVAL checks. Place the identical IDs into their own definition and extend this definition by it.
WARNING: OVAL ID 'variable_cd_dvd_drive_regex_pattern' is used multiple times and should represent the same elements.
Rewrite the OVAL checks. Place the identical IDs into their own definition and extend this definition by it.
WARNING: OVAL ID 'variable_not_cd_dvd_drive_regex_pattern' is used multiple times and should represent the same elements.
Rewrite the OVAL checks. Place the identical IDs into their own definition and extend this definition by it.
xmllint --format --output output/unlinked-rhel6-oval.xml output/unlinked-rhel6-oval.xml
xsltproc -o output/table-rhel6-stig.html transforms/xccdf2table-stig.xslt ../../shared/references/disa-stig-rhel6-v1r12-xccdf.xml
xsltproc -o output/table-rhel6-stig-manual.html transforms/xccdf2table-stig.xslt ../../shared/references/disa-stig-rhel6-v1r12-xccdf-manual.xml
xsltproc -stringparam profile "stig-rhel6-server-upstream" -stringparam testinfo "y" -o output/table-stig-rhel6-testinfo.html \
transforms/xccdf2table-profileccirefs.xslt output/xccdf-unlinked-final.xml
xsltproc -stringparam overlay "../input/auxiliary/stig_overlay.xml" -o output/unlinked-stig-rhel6-xccdf.xml \
transforms/xccdf-apply-overlay-stig.xslt output/xccdf-unlinked-final.xml
xsltproc -o output/table-rhel6-stig.html transforms/xccdf2table-stig.xslt output/unlinked-stig-rhel6-xccdf.xml
cp output/xccdf-unlinked-final.xml output/unlinked-rhel6-xccdf.xml
xsltproc -o output/unlinked-rhel6-xccdf-guide.xml transforms/xccdf-removeaux.xslt output/unlinked-rhel6-xccdf.xml
../../shared/utils/cpe-generate.py output/unlinked-rhel6-oval.xml input/oval/platform/rhel6-cpe-dictionary.xml ssg
../../shared/utils/relabel-ids.py unlinked-rhel6-xccdf.xml ssg
WARNING: OVAL check 'package_sssd_installed' was not found, removing <check-content> element from the XCCDF rule.
WARNING: OVAL check 'service_sssd_enabled' was not found, removing <check-content> element from the XCCDF rule.
WARNING: OVAL check 'sssd_memcache_timeout' was not found, removing <check-content> element from the XCCDF rule.
WARNING: OVAL check 'sssd_offline_cred_expiration' was not found, removing <check-content> element from the XCCDF rule.
WARNING: OVAL check 'sssd_ssh_known_hosts_timeout' was not found, removing <check-content> element from the XCCDF rule.
../../shared/utils/relabel-ids.py xccdf-unlinked-ocilrefs.xml ssg
WARNING: OVAL check 'package_sssd_installed' was not found, removing <check-content> element from the XCCDF rule.
WARNING: OVAL check 'service_sssd_enabled' was not found, removing <check-content> element from the XCCDF rule.
WARNING: OVAL check 'sssd_memcache_timeout' was not found, removing <check-content> element from the XCCDF rule.
WARNING: OVAL check 'sssd_offline_cred_expiration' was not found, removing <check-content> element from the XCCDF rule.
WARNING: OVAL check 'sssd_ssh_known_hosts_timeout' was not found, removing <check-content> element from the XCCDF rule.
xsltproc --stringparam reverse_DNS org.ssgproject.content /usr/share/openscap/xsl/xccdf_1.1_to_1.2.xsl \
output/ssg-rhel6-xccdf.xml > output/ssg-rhel6-xccdf-1.2.xml
sed -i 's/style="SCAP_1.1"/style="SCAP_1.2"/' output/ssg-rhel6-xccdf-1.2.xml
oscap ds sds-compose output/ssg-rhel6-xccdf-1.2.xml output/ssg-rhel6-ds.xml
File '/home/rpmbuild/new/scap-security-guide/RHEL/6/output/ssg-rhel6-ds.xml' line 21316: Element '{http://checklists.nist.gov/xccdf/1.2%7Dselect', attribute 'idref': 'dangling reference to package_vmware-tools-core_installed!' is not a valid value of the atomic type 'xs:NCName'.
File '/home/rpmbuild/new/scap-security-guide/RHEL/6/output/ssg-rhel6-ds.xml' line 21316: Element '{http://checklists.nist.gov/xccdf/1.2%7Dselect', attribute 'idref': Warning: No precomputed value available, the value was either invalid or something strange happend.
File '/home/rpmbuild/new/scap-security-guide/RHEL/6/output/ssg-rhel6-ds.xml' line 21716: Element '{http://checklists.nist.gov/xccdf/1.2%7Dselect', attribute 'idref': 'dangling reference to package_vmware-tools-core_installed!' is not a valid value of the atomic type 'xs:NCName'.
File '/home/rpmbuild/new/scap-security-guide/RHEL/6/output/ssg-rhel6-ds.xml' line 21716: Element '{http://checklists.nist.gov/xccdf/1.2%7Dselect', attribute 'idref': Warning: No precomputed value available, the value was either invalid or something strange happend.
<SNIP>
OpenSCAP Error: Unknown document type: 'ssg-rhel6-ocil.xml' [oscap_source.c:172]
Invalid SCAP Source Datastream (1.2) content in /home/rpmbuild/new/scap-security-guide/RHEL/6/output/ssg-rhel6-ds.xml. [oscap_source.c:268]
make: *** [content] Error 1
Is anyone able to point me in the direction of what I've missed?
Kind regards, Michael Ward.
Hello,
Sorry for such a delay in response.
On Thu, Dec 1, 2016 at 9:54 PM, Michael Ward <Michael.Ward@melbourneit.com.au> wrote:
Hey,
I'm hoping someone on this list can point me in the direction of what I'm doing wrong.
We would like to add some custom checks specific to our environment to the scap-security-guide content.
Since this is the first time I’ve tried to write any OVAL or XCCDF content, I thought I’d start with a nice simple package installed check for RHEL 6 (vmware-tools-core) as a method of learning more about how it all hangs together.
So I created an OVAL file based on some of the other package installed ones:
$ cat RHEL/6/input/oval/package_vmware-tools-core_installed.xml
<def-group>
  <definition class="compliance" id="package_vmware-tools-core_installed" version="1">
    <metadata>
      <title>Package vmware-tools-core Installed</title>
      <affected family="unix">
        <platform>Red Hat Enterprise Linux 6</platform>
      </affected>
      <description>The RPM package vmware-tools-core should be installed.</description>
    </metadata>
    <criteria>
      <criterion comment="package vmware-tools-core is installed" test_ref="test_package_vmware-tools-core_installed" />
    </criteria>
  </definition>
  <linux:rpminfo_test check="all" check_existence="all_exist"
      id="test_package_vmware-tools-core_installed" version="1"
      comment="package vmware-tools-core is installed">
    <linux:object object_ref="obj_package_vmware-tools-core_installed" />
  </linux:rpminfo_test>
  <linux:rpminfo_object id="obj_package_vmware-tools-core_installed" version="1">
    <linux:name>vmware-tools-core</linux:name>
  </linux:rpminfo_object>
</def-group>
And created a group / rule for it in xccdf:
$ cat RHEL/6/input/xccdf/system/test.xml
<Group id="test">
<title>Test Checks</title>
<description>Test Checks stuff..
and stuff...</description>
<Rule id="package_vmware-tools-core_installed" severity="medium">
<title>VMWare Tools must be installed</title>
<description>
VMWare Tools must be installed on all VMware based VM's.
<yum-macro install="true" package="vmware-tools-core"/>
</description>
<ocil clause="the package is not installed" >
<package-check-macro package="vmware-tools-core" />
<br /><br />
If the system isn't a VMWare Based VM, this isn't applicable.
</ocil>
<rationale>Required package for operational support.</rationale>
<oval id="package_vmware-tools-core_installed" />
</Rule>
</Group>
Added a line into the common profile (RHEL/6/input/profiles/common.xml):
<select idref="package_vmware-tools-core_installed" selected="true" />
And finally, an entry in RHEL/6/input/guide.xslt:
<xsl:template match="Group[@id='test']">
  <xsl:copy>
    <xsl:copy-of select="@*|node()" />
    <xsl:apply-templates select="document('xccdf/services/test.xml')" />
  </xsl:copy>
</xsl:template>
This should be:
<xsl:apply-templates select="document('xccdf/system/test.xml')" />
Also, for some reason, and not really looking into it, having a custom group seems to not work when guide.xslt is processed; however if you add <xsl:apply-templates select="document('xccdf/system/test.xml')" /> to an existing group, it should work.
However, attempting to make just the RHEL6 content fails:
$ make
xsltproc -stringparam ref "nist" -o output/table-rhel6-nistrefs.html transforms/xccdf2table-byref.xslt output/xccdf-unlinked-empty-groups.xml
xsltproc -stringparam profile "common" -o output/table-rhel6-nistrefs-common.html \
transforms/xccdf2table-profilenistrefs.xslt
output/xccdf-unlinked-empty-groups.xml
xsltproc -o output/table-rhel6-cces.html transforms/xccdf2table-cce.xslt output/xccdf-unlinked-empty-groups.xml
xsltproc -stringparam map-to-items "../output/xccdf-unlinked-empty-groups.xml" -o output/table-rhel6-srgmap.html \
transforms/table-srgmap.xslt ../../shared/references/disa-os-srg-v1r4.xml
xsltproc -stringparam flat "y" -stringparam map-to-items "../output/xccdf-unlinked-empty-groups.xml" -o output/table-rhel6-srgmap-flat.html \
transforms/table-srgmap.xslt ../../shared/references/disa-os-srg-v1r4.xml
xmllint --xmlout --html --output output/table-rhel6-srgmap-flat.xhtml output/table-rhel6-srgmap-flat.html
# If openscap on the system supports OVAL-5.11 language version, include also OVAL-5.11 checks
# into final list of OVAL checks
# RHEL/6/input/oval/oval_5.11 is empty for now!!! Uncomment the next statement once required
# find input/oval/oval_5.11 -maxdepth 1 -type f -name '*.xml' -exec cp {} ';'
# System supports OVAL-5.11 => propagate 'RUNTIME_OVAL_VERSION' variable into the environment
find ../../shared/oval input/oval ../../shared/oval/oval_5.11 -name "*.xml" | xargs xmlwf
env RUNTIME_OVAL_VERSION='5.11' ../../shared/utils/combine-ovals.py ../../shared/../config rhel6 ../../shared/oval input/oval ../../shared/oval/oval_5.11 > output/unlinked-rhel6-oval.xml
Merged 499 OVAL checks.
WARNING: OVAL ID 'variable_cd_dvd_drive_alternative_names' is used multiple times and should represent the same elements.
Rewrite the OVAL checks. Place the identical IDs into their own definition and extend this definition by it.
WARNING: OVAL ID 'variable_cd_dvd_drive_regex_pattern' is used multiple times and should represent the same elements.
Rewrite the OVAL checks. Place the identical IDs into their own definition and extend this definition by it.
WARNING: OVAL ID 'variable_not_cd_dvd_drive_regex_pattern' is used multiple times and should represent the same elements.
Rewrite the OVAL checks. Place the identical IDs into their own definition and extend this definition by it.
WARNING: OVAL ID 'variable_cd_dvd_drive_alternative_names' is used multiple times and should represent the same elements.
Rewrite the OVAL checks. Place the identical IDs into their own definition and extend this definition by it.
WARNING: OVAL ID 'variable_cd_dvd_drive_regex_pattern' is used multiple times and should represent the same elements.
Rewrite the OVAL checks. Place the identical IDs into their own definition and extend this definition by it.
WARNING: OVAL ID 'variable_not_cd_dvd_drive_regex_pattern' is used multiple times and should represent the same elements.
Rewrite the OVAL checks. Place the identical IDs into their own definition and extend this definition by it.
xmllint --format --output output/unlinked-rhel6-oval.xml output/unlinked-rhel6-oval.xml
xsltproc -o output/table-rhel6-stig.html transforms/xccdf2table-stig.xslt ../../shared/references/disa-stig-rhel6-v1r12-xccdf.xml
xsltproc -o output/table-rhel6-stig-manual.html transforms/xccdf2table-stig.xslt ../../shared/references/disa-stig-rhel6-v1r12-xccdf-manual.xml
xsltproc -stringparam profile "stig-rhel6-server-upstream" -stringparam testinfo "y" -o output/table-stig-rhel6-testinfo.html \
transforms/xccdf2table-profileccirefs.xslt
output/xccdf-unlinked-final.xml
xsltproc -stringparam overlay "../input/auxiliary/stig_overlay.xml" -o output/unlinked-stig-rhel6-xccdf.xml \
transforms/xccdf-apply-overlay-stig.xslt
output/xccdf-unlinked-final.xml
xsltproc -o output/table-rhel6-stig.html transforms/xccdf2table-stig.xslt output/unlinked-stig-rhel6-xccdf.xml
cp output/xccdf-unlinked-final.xml output/unlinked-rhel6-xccdf.xml
xsltproc -o output/unlinked-rhel6-xccdf-guide.xml transforms/xccdf-removeaux.xslt output/unlinked-rhel6-xccdf.xml
../../shared/utils/cpe-generate.py output/unlinked-rhel6-oval.xml input/oval/platform/rhel6-cpe-dictionary.xml ssg
../../shared/utils/relabel-ids.py unlinked-rhel6-xccdf.xml ssg
WARNING: OVAL check 'package_sssd_installed' was not found, removing <check-content> element from the XCCDF rule.
WARNING: OVAL check 'service_sssd_enabled' was not found, removing <check-content> element from the XCCDF rule.
WARNING: OVAL check 'sssd_memcache_timeout' was not found, removing <check-content> element from the XCCDF rule.
WARNING: OVAL check 'sssd_offline_cred_expiration' was not found, removing <check-content> element from the XCCDF rule.
WARNING: OVAL check 'sssd_ssh_known_hosts_timeout' was not found, removing <check-content> element from the XCCDF rule.
../../shared/utils/relabel-ids.py xccdf-unlinked-ocilrefs.xml ssg
WARNING: OVAL check 'package_sssd_installed' was not found, removing <check-content> element from the XCCDF rule.
WARNING: OVAL check 'service_sssd_enabled' was not found, removing <check-content> element from the XCCDF rule.
WARNING: OVAL check 'sssd_memcache_timeout' was not found, removing <check-content> element from the XCCDF rule.
WARNING: OVAL check 'sssd_offline_cred_expiration' was not found, removing <check-content> element from the XCCDF rule.
WARNING: OVAL check 'sssd_ssh_known_hosts_timeout' was not found, removing <check-content> element from the XCCDF rule.
xsltproc --stringparam reverse_DNS org.ssgproject.content /usr/share/openscap/xsl/xccdf_1.1_to_1.2.xsl \
output/ssg-rhel6-xccdf.xml > output/ssg-rhel6-xccdf-1.2.xml
sed -i 's/style="SCAP_1.1"/style="SCAP_1.2"/' output/ssg-rhel6-xccdf-1.2.xml
oscap ds sds-compose output/ssg-rhel6-xccdf-1.2.xml output/ssg-rhel6-ds.xml
File '/home/rpmbuild/new/scap-security-guide/RHEL/6/output/ssg-rhel6-ds.xml' line 21316: Element '{http://checklists.nist.gov/xccdf/1.2%7Dselect', attribute 'idref': 'dangling reference to package_vmware-tools-core_installed!' is not a valid value of the atomic type 'xs:NCName'.
File '/home/rpmbuild/new/scap-security-guide/RHEL/6/output/ssg-rhel6-ds.xml' line 21316: Element '{http://checklists.nist.gov/xccdf/1.2%7Dselect', attribute 'idref': Warning: No precomputed value available, the value was either invalid or something strange happend.
File '/home/rpmbuild/new/scap-security-guide/RHEL/6/output/ssg-rhel6-ds.xml' line 21716: Element '{http://checklists.nist.gov/xccdf/1.2%7Dselect', attribute 'idref': 'dangling reference to package_vmware-tools-core_installed!' is not a valid value of the atomic type 'xs:NCName'.
File '/home/rpmbuild/new/scap-security-guide/RHEL/6/output/ssg-rhel6-ds.xml' line 21716: Element '{http://checklists.nist.gov/xccdf/1.2%7Dselect', attribute 'idref': Warning: No precomputed value available, the value was either invalid or something strange happend.
<SNIP>
OpenSCAP Error: Unknown document type: 'ssg-rhel6-ocil.xml' [oscap_source.c:172]
Invalid SCAP Source Datastream (1.2) content in /home/rpmbuild/new/scap-security-guide/RHEL/6/output/ssg-rhel6-ds.xml. [oscap_source.c:268]
make: *** [content] Error 1
You are getting this error because the XCCDF does not exist for package_vmware-tools-core_installed. It is not being merged when it is in its own group for some reason.
Is anyone able to point me in the direction of what I've missed?
Kind regards,
Michael Ward.
scap-security-guide mailing list -- scap-security-guide@lists.fedorahosted.org
To unsubscribe send an email to scap-security-guide-leave@lists.fedorahosted.org
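The four pieces the original post wires together (the OVAL definition, the XCCDF Rule with its <oval id>, the profile <select idref>, and the document() include in guide.xslt) and the "dangling reference" error that Gabe traces to the rule never being merged can be checked before oscap ds sds-compose is ever run. The following is an added example, not code from this thread or from the scap-security-guide build scripts: it parses trimmed copies of the post's fragments and reports every cross-reference that does not resolve, including the xccdf/services vs. xccdf/system path mismatch. The OVAL and XSL namespace URIs, the wrapping of the bare fragments so that the undeclared linux: prefix parses, and the way input files are keyed by path relative to RHEL/6/input/ are my assumptions; the checker models only the reference wiring, not the template-matching behaviour Gabe observed with a custom group.

```python
import re
import xml.etree.ElementTree as ET

# Assumed namespace URIs; the SSG fragments leave them undeclared.
OVAL_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
LINUX_NS = OVAL_NS + "#linux"
XSL_NS = "http://www.w3.org/1999/XSL/Transform"

# Constructed inputs, trimmed from the post; paths are relative to RHEL/6/input/.
OVAL_FRAGMENT = """<def-group>
  <definition class="compliance" id="package_vmware-tools-core_installed" version="1">
    <metadata><title>Package vmware-tools-core Installed</title></metadata>
    <criteria>
      <criterion comment="package vmware-tools-core is installed"
                 test_ref="test_package_vmware-tools-core_installed" />
    </criteria>
  </definition>
  <linux:rpminfo_test check="all" check_existence="all_exist"
      id="test_package_vmware-tools-core_installed" version="1"
      comment="package vmware-tools-core is installed">
    <linux:object object_ref="obj_package_vmware-tools-core_installed" />
  </linux:rpminfo_test>
  <linux:rpminfo_object id="obj_package_vmware-tools-core_installed" version="1">
    <linux:name>vmware-tools-core</linux:name>
  </linux:rpminfo_object>
</def-group>"""

XCCDF_FILES = {
    "xccdf/system/test.xml": """<Group id="test">
  <title>Test Checks</title>
  <Rule id="package_vmware-tools-core_installed" severity="medium">
    <title>VMWare Tools must be installed</title>
    <oval id="package_vmware-tools-core_installed" />
  </Rule>
</Group>""",
}
PROFILE_SELECTS = '<select idref="package_vmware-tools-core_installed" selected="true" />'
GUIDE_XSLT_BROKEN = """<xsl:template match="Group[@id='test']">
  <xsl:copy>
    <xsl:copy-of select="@*|node()" />
    <xsl:apply-templates select="document('xccdf/services/test.xml')" />
  </xsl:copy>
</xsl:template>"""
GUIDE_XSLT_FIXED = GUIDE_XSLT_BROKEN.replace("xccdf/services/", "xccdf/system/")


def oval_definition_ids(fragment):
    """Ids of every <definition> in an SSG def-group fragment."""
    # Bind the namespaces the fragment relies on, as the build's combiner does.
    root = ET.fromstring(f'<r xmlns="{OVAL_NS}" xmlns:linux="{LINUX_NS}">{fragment}</r>')
    return {d.get("id") for d in root.iter(f"{{{OVAL_NS}}}definition")}


def xccdf_rules(fragment):
    """Map Rule id -> referenced OVAL id (None when the rule has no <oval>)."""
    rules = {}
    for rule in ET.fromstring(fragment).iter("Rule"):
        oval = rule.find("oval")
        rules[rule.get("id")] = oval.get("id") if oval is not None else None
    return rules


def profile_selected_ids(selects):
    """idrefs the profile turns on."""
    root = ET.fromstring(f"<Profile>{selects}</Profile>")
    return {s.get("idref") for s in root.iter("select") if s.get("selected") == "true"}


def guide_document_paths(xslt_fragment):
    """Files guide.xslt pulls in via <xsl:apply-templates select="document('...')"/>."""
    root = ET.fromstring(f'<xsl:stylesheet xmlns:xsl="{XSL_NS}">{xslt_fragment}</xsl:stylesheet>')
    paths = []
    for node in root.iter(f"{{{XSL_NS}}}apply-templates"):
        match = re.fullmatch(r"document\('([^']+)'\)", node.get("select", ""))
        if match:
            paths.append(match.group(1))
    return paths


def check_linkage(oval_fragment, xccdf_files, selects, guide_xslt):
    """Return findings as strings; an empty list means every reference resolves."""
    findings = []
    oval_ids = oval_definition_ids(oval_fragment)
    merged = {}  # rules that guide.xslt actually brings into the benchmark
    for path in guide_document_paths(guide_xslt):
        if path not in xccdf_files:
            findings.append(f"guide.xslt includes {path}, which does not exist under input/")
            continue
        merged.update(xccdf_rules(xccdf_files[path]))
    for rule_id, oval_id in merged.items():
        if oval_id is not None and oval_id not in oval_ids:
            findings.append(f"rule {rule_id} points at missing OVAL definition {oval_id}")
    for idref in sorted(profile_selected_ids(selects)):
        if idref not in merged:
            findings.append(f"profile selects {idref}, but no merged rule has that id "
                            "(oscap reports this as a dangling reference)")
    return findings


if __name__ == "__main__":
    for label, xslt in (("broken", GUIDE_XSLT_BROKEN), ("fixed", GUIDE_XSLT_FIXED)):
        print(label, check_linkage(OVAL_FRAGMENT, XCCDF_FILES, PROFILE_SELECTS, xslt) or "ok")
```

Run as a script it reports two findings for the xccdf/services path (the include target is missing, so the selected rule is never merged and its idref dangles) and "ok" once the path is xccdf/system/test.xml. The same function also flags a merged rule whose <oval id> has no matching definition, which is the condition behind the "OVAL check ... was not found, removing <check-content>" warnings in the build output.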
Hey,
Thank you very much. Fixing the path, and moving the rule to an existing group in guide.xslt as mentioned got it compiling.
Regards, Michael Ward.
From: Gabe Alford [mailto:redhatrises@gmail.com]
Sent: Friday, 9 December 2016 1:44 PM
To: SCAP Security Guide scap-security-guide@lists.fedorahosted.org
Subject: Re: Problems with adding custom checks