Hi all,
as briefly mentioned already in yesterday's Contributor Workshop, our customer wants to enrich the SSG content by adding references to their internal security requirements.
I wonder how I could add my own Security Identifiers, because when trying to simply add e.g. a „customerident“ attribute into the shorthand XCCDF as per below, my build fails with:
[...]
xmllint --format --output output/shorthand.xml output/shorthand.xml
xsltproc --stringparam ssg_version "0.1.27" -o output/xccdf-unlinked-unresolved.xml transforms/shorthand2xccdf.xslt output/shorthand.xml
oscap xccdf resolve -o output/xccdf-unlinked-empty-groups.xml output/xccdf-unlinked-unresolved.xml
File 'output/xccdf-unlinked-unresolved.xml' line 153: Element '{http://checklists.nist.gov/xccdf/1.1}ident': The attribute 'system' is required but missing.
File 'output/xccdf-unlinked-unresolved.xml' line 167: Element '{http://checklists.nist.gov/xccdf/1.1}ident': The attribute 'system' is required but missing.
File 'output/xccdf-unlinked-unresolved.xml' line 182: Element '{http://checklists.nist.gov/xccdf/1.1}ident': The attribute 'system' is required but missing.
File 'output/xccdf-unlinked-unresolved.xml' line 190: Element '{http://checklists.nist.gov/xccdf/1.1}ident': The attribute 'system' is required but missing.
Invalid XCCDF Checklist content(1.1) in output/xccdf-unlinked-unresolved.xml.
../../shared/product-make.include:60: recipe for target 'output/xccdf-unlinked-empty-groups.xml' failed
make: *** [output/xccdf-unlinked-empty-groups.xml] Error 1
Do I have to „register“/„declare“ the new identifier type, and if so where and how?
Example of what I'm trying to achieve:
<Rule id="sshd_allow_only_protocol2">
  <title>My Title</title>
  <description>My description</description>
  <rationale>My rationale</rationale>
  <ident cce="27072-8" customerident="1234" stig="RHEL-06-000227"/>
  <oval id="sshd_allow_only_protocol2"/>
  <ref disa="776,774,1436" nist="AC-3(10),IA-5(1)(c)"/>
</Rule>
Any pointers highly appreciated :-) !
Thanks & regards
Oliver

Hi Oliver,
It needs to be referenced in the following file:
<PROJECT>\transforms\shorthand2xccdf.xslt
Using RHEL 6 as an example, observe the following lines:
<!-- expand reference to ident types -->
<xsl:template match="Rule/ident">
  <xsl:for-each select="@*">
    <ident>
      <xsl:choose>
        <xsl:when test="name() = 'cce'">
          <xsl:attribute name="system">
            <xsl:value-of select="$cceuri" />
          </xsl:attribute>
          <xsl:choose>
            <xsl:when test="starts-with(translate(., 'ce', 'CE'), 'CCE')">
              <xsl:value-of select="." />
            </xsl:when>
            <xsl:otherwise>
              <xsl:value-of select="concat('CCE-', .)" />
            </xsl:otherwise>
          </xsl:choose>
        </xsl:when>
        <xsl:when test="name() = 'stig'">
          <xsl:attribute name="system">
            <xsl:value-of select="$cceuri" />
          </xsl:attribute>
          <xsl:value-of select="." />
        </xsl:when>
        <xsl:otherwise>
          <xsl:value-of select="." />
        </xsl:otherwise>
      </xsl:choose>
    </ident>
  </xsl:for-each>
</xsl:template>
You could add in an additional identifier 'customerid', as follows:
<xsl:when test="name() = 'customerid'">
  <xsl:attribute name="system">
    <xsl:value-of select="$cceuri" />
  </xsl:attribute>
  <xsl:value-of select="." />
</xsl:when>
Which would then look like this:
<!-- expand reference to ident types -->
<xsl:template match="Rule/ident">
  <xsl:for-each select="@*">
    <ident>
      <xsl:choose>
        <xsl:when test="name() = 'cce'">
          <xsl:attribute name="system">
            <xsl:value-of select="$cceuri" />
          </xsl:attribute>
          <xsl:choose>
            <xsl:when test="starts-with(translate(., 'ce', 'CE'), 'CCE')">
              <xsl:value-of select="." />
            </xsl:when>
            <xsl:otherwise>
              <xsl:value-of select="concat('CCE-', .)" />
            </xsl:otherwise>
          </xsl:choose>
        </xsl:when>
        <xsl:when test="name() = 'stig'">
          <xsl:attribute name="system">
            <xsl:value-of select="$cceuri" />
          </xsl:attribute>
          <xsl:value-of select="." />
        </xsl:when>
        <xsl:when test="name() = 'customerid'">
          <xsl:attribute name="system">
            <xsl:value-of select="$cceuri" />
          </xsl:attribute>
          <xsl:value-of select="." />
        </xsl:when>
        <xsl:otherwise>
          <xsl:value-of select="." />
        </xsl:otherwise>
      </xsl:choose>
    </ident>
  </xsl:for-each>
</xsl:template>

On Tue, 2016-01-12 at 07:04 +0000, oliver.skiebe@uniqpartners.com wrote:
> Hi all,
> as briefly mentioned already in yesterday's Contributor Workshop, our customer wants to enrich the SSG content by adding references to their internal security requirements.
> I wonder how I could add my own Security Identifiers, because when trying to simply add e.g. a „customerident“ attribute into the shorthand XCCDF as per below, my build fails with:
> [...]
> xmllint --format --output output/shorthand.xml output/shorthand.xml
> xsltproc --stringparam ssg_version "0.1.27" -o output/xccdf-unlinked-unresolved.xml transforms/shorthand2xccdf.xslt output/shorthand.xml
> oscap xccdf resolve -o output/xccdf-unlinked-empty-groups.xml output/xccdf-unlinked-unresolved.xml
> File 'output/xccdf-unlinked-unresolved.xml' line 153: Element '{http://checklists.nist.gov/xccdf/1.1}ident': The attribute 'system' is required but missing.
> File 'output/xccdf-unlinked-unresolved.xml' line 167: Element '{http://checklists.nist.gov/xccdf/1.1}ident': The attribute 'system' is required but missing.
> File 'output/xccdf-unlinked-unresolved.xml' line 182: Element '{http://checklists.nist.gov/xccdf/1.1}ident': The attribute 'system' is required but missing.
> File 'output/xccdf-unlinked-unresolved.xml' line 190: Element '{http://checklists.nist.gov/xccdf/1.1}ident': The attribute 'system' is required but missing.
> Invalid XCCDF Checklist content(1.1) in output/xccdf-unlinked-unresolved.xml.
> ../../shared/product-make.include:60: recipe for target 'output/xccdf-unlinked-empty-groups.xml' failed
> make: *** [output/xccdf-unlinked-empty-groups.xml] Error 1
> Do I have to „register“/„declare“ the new identifier type, and if so where and how?
> Example of what I'm trying to achieve:
> <Rule id="sshd_allow_only_protocol2">
>   <title>My Title</title>
>   <description>My description</description>
>   <rationale>My rationale</rationale>
>   <ident cce="27072-8" customerident="1234" stig="RHEL-06-000227"/>
>   <oval id="sshd_allow_only_protocol2"/>
>   <ref disa="776,774,1436" nist="AC-3(10),IA-5(1)(c)"/>
> </Rule>
> Any pointers highly appreciated :-) !
> Thanks & regards
> Oliver
> --
> SCAP Security Guide mailing list
> scap-security-guide@lists.fedorahosted.org
> https://lists.fedorahosted.org/admin/lists/scap-security-guide@lists.fedorah...
> https://github.com/OpenSCAP/scap-security-guide/

Hello Oliver,
thank you for checking with us.
----- Original Message -----
> From: "oliver skiebe" oliver.skiebe@uniqpartners.com
> To: scap-security-guide@lists.fedorahosted.org
> Sent: Tuesday, January 12, 2016 8:04:29 AM
> Subject: Adding Custom "ident" Sources in shorthand XCCDFs
>
> Hi all,
> as briefly mentioned already in yesterday's Contributor Workshop, our customer wants to enrich the SSG content by adding references to their internal security requirements.
> I wonder how I could add my own Security Identifiers, because when trying to simply add e.g. a „customerident“ attribute into the shorthand XCCDF as per below, my build fails with:

There's a need to define "an action" for the newly / to be added "customerident" attribute in the particular XSLT transformation of a concrete product, e.g. should we suppose the case of RHEL/6 product the code responsible for expanding the attribute ('cce', 'stig') values of the "ident" attribute is defined here:
[1] https://github.com/OpenSCAP/scap-security-guide/blob/master/RHEL/6/transform...
So in short a new code block for 'customerident' should be added there (of course should the customer be interested in different product, also to 'shorthand2xccdf.xslt' transformation of that product).
For example if the intention is to rewrite the value of 'customerident' attribute to an actual URL of the internal document, the underlying code might look like in the similar 'pcidss' attribute case of the 'ref' attribute.
The particular patches that have added PCI-DSS support ('pcidss' attribute support for the 'ref' element) are as follows:
[2] https://github.com/ybznek/scap-security-guide/commit/7b6abe98b9557417f35fe9e... (define the new constant)
[3] https://github.com/ybznek/scap-security-guide/commit/cb3d7c7c47aeb7be17ff8d5... (define the action to perform when the 'pcidssuri' reference is provided)
So hopefully something similar could be implemented for the <ident> element's 'customerident' attribute case?
For further information about the expected format of the xccdf:reference element type, see: [4] http://scap.nist.gov/specifications/xccdf/xccdf_element_dictionary.html#refe...

> [...]
> xmllint --format --output output/shorthand.xml output/shorthand.xml
> xsltproc --stringparam ssg_version "0.1.27" -o output/xccdf-unlinked-unresolved.xml transforms/shorthand2xccdf.xslt output/shorthand.xml
> oscap xccdf resolve -o output/xccdf-unlinked-empty-groups.xml output/xccdf-unlinked-unresolved.xml
> File 'output/xccdf-unlinked-unresolved.xml' line 153: Element '{http://checklists.nist.gov/xccdf/1.1}ident': The attribute 'system' is required but missing.
> File 'output/xccdf-unlinked-unresolved.xml' line 167: Element '{http://checklists.nist.gov/xccdf/1.1}ident': The attribute 'system' is required but missing.
> File 'output/xccdf-unlinked-unresolved.xml' line 182: Element '{http://checklists.nist.gov/xccdf/1.1}ident': The attribute 'system' is required but missing.
> File 'output/xccdf-unlinked-unresolved.xml' line 190: Element '{http://checklists.nist.gov/xccdf/1.1}ident': The attribute 'system' is required but missing.
> Invalid XCCDF Checklist content(1.1) in output/xccdf-unlinked-unresolved.xml.
> ../../shared/product-make.include:60: recipe for target 'output/xccdf-unlinked-empty-groups.xml' failed
> make: *** [output/xccdf-unlinked-empty-groups.xml] Error 1
> Do I have to „register“/„declare“ the new identifier type, and if so where and how?

See above.

> Example of what I'm trying to achieve:
> <Rule id="sshd_allow_only_protocol2">
>   <title>My Title</title>
>   <description>My description</description>
>   <rationale>My rationale</rationale>
>   <ident cce="27072-8" customerident="1234" stig="RHEL-06-000227"/>
>   <oval id="sshd_allow_only_protocol2"/>
>   <ref disa="776,774,1436" nist="AC-3(10),IA-5(1)(c)"/>
> </Rule>
> Any pointers highly appreciated :-) !

Hope this helps. Let us know if we can be of any further assistance.
Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team

> Thanks & regards
> Oliver
> --
> SCAP Security Guide mailing list
> scap-security-guide@lists.fedorahosted.org
> https://lists.fedorahosted.org/admin/lists/scap-security-guide@lists.fedorah...
> https://github.com/OpenSCAP/scap-security-guide/

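A pre-build check for the failure discussed in this thread, as an added example that is not part of the original messages or of the SSG project's code: it lists every shorthand "ident" attribute that has no xsl:when branch emitting a 'system' attribute in the Rule/ident template, i.e. the ones that fall through to xsl:otherwise and make "oscap xccdf resolve" reject the output. The function names and the embedded transform and shorthand samples are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

XSL = "{http://www.w3.org/1999/XSL/Transform}"
NAME_TEST = re.compile(r"name\(\)\s*=\s*'([^']+)'")

# Constructed sample: cut-down Rule/ident template with the same branch
# layout as the one quoted in the thread ('cce' and 'stig' only).
TRANSFORM = """<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
 <xsl:template match="Rule/ident"><xsl:for-each select="@*"><ident>
  <xsl:choose>
   <xsl:when test="name() = 'cce'">
    <xsl:attribute name="system"><xsl:value-of select="$cceuri"/></xsl:attribute>
    <xsl:value-of select="concat('CCE-', .)"/>
   </xsl:when>
   <xsl:when test="name() = 'stig'">
    <xsl:attribute name="system"><xsl:value-of select="$cceuri"/></xsl:attribute>
    <xsl:value-of select="."/>
   </xsl:when>
   <xsl:otherwise><xsl:value-of select="."/></xsl:otherwise>
  </xsl:choose>
 </ident></xsl:for-each></xsl:template>
</xsl:stylesheet>"""

# Constructed sample shorthand, based on the Rule in the original post.
SHORTHAND = """<Benchmark><Rule id="sshd_allow_only_protocol2">
 <ident cce="27072-8" customerident="1234" stig="RHEL-06-000227"/>
</Rule></Benchmark>"""

def handled_ident_attrs(xslt_text):
    """Names with an xsl:when branch in Rule/ident that emits a 'system' attribute."""
    names = set()
    for tmpl in ET.fromstring(xslt_text).iter(XSL + "template"):
        if tmpl.get("match") != "Rule/ident":
            continue
        for when in tmpl.iter(XSL + "when"):
            if any(a.get("name") == "system" for a in when.iter(XSL + "attribute")):
                names.update(NAME_TEST.findall(when.get("test", "")))
    return names

def unhandled_idents(shorthand_text, handled):
    """(rule id, attribute, value) for ident attributes that would hit xsl:otherwise."""
    return [(rule.get("id"), attr, value)
            for rule in ET.fromstring(shorthand_text).iter("Rule")
            for ident in rule.findall("ident")
            for attr, value in ident.attrib.items()
            if attr not in handled]

if __name__ == "__main__":
    for rule_id, attr, value in unhandled_idents(SHORTHAND, handled_ident_attrs(TRANSFORM)):
        print(f"{rule_id}: ident '{attr}'={value!r} has no branch; <ident> would lack 'system'")
```
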
Thanks for elaborating Jan - much appreciated as well as I'm also changing the references a bit!
Cheers Oliver