[Open-scap] issues with xccdf resolve
Jeffrey Blank
blank at eclipse.ncsc.mil
Fri Jul 20 22:15:53 UTC 2012
Hi OpenSCAP developers,
We continue working on SCAP content for RHEL 6 on
fedorahosted.org/scap-security-guide, and depend heavily on OpenSCAP --
thanks again for making it.
Right now, I'm having 2 (relatively small) issues with the XCCDF resolve
feature.
For example:
$ git clone git://git.fedorahosted.org/scap-security-guide.git
$ cd scap-security-guide/RHEL6
$ make content
$ cd output
See that we have an XCCDF file:
rhel6-xccdf-scap-security-guide.xml
...with some Profiles which extend others, and some <rationale> tags
with XHTML inside.
...and it's valid but unresolved:
$ oscap xccdf validate-xml rhel6-xccdf-scap-security-guide.xml
...and so we want to resolve it:
(FYI, oscap man page in rpm 0.8.0-2 is a bit off -- it says "-o" is okay
for output file.)
$ oscap xccdf resolve --output resolved.xml rhel6-xccdf-scap-security-guide.xml
Issue 1)
After resolution, the XHTML tags' angle brackets (inside <rationale>
text) have been escaped (to &lt; and &gt;) and thus they don't render
properly anymore.
The XCCDF spec tells me that I should be allowed to have XHTML tags
inside a <rationale>. I certainly do not understand XSD as well as
Martin, but both <description> and <rationale> have type
"cdf:htmlTextWithSubType" (which I assume permits XHTML children).
Issue 2)
Strange things happen if a Group gets attribute hidden="true".
For example, add hidden="true" to <Group id="intro"> and then do an
XCCDF resolve. The result is that all the Group's children are marked as
hidden="false", and a duplicate hidden="true" is added to the Group node.
Thanks -- and my apologies if these were already "resolved" (hahaha)
with a bugzilla that I did not see.
Jeff
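
A regression check for the two symptoms reported above, as an added example that is not part of the original message or of OpenSCAP. The XML samples are constructed, the function names are hypothetical, and it assumes the XCCDF 1.1 namespace and that the duplicate in Issue 2 is a repeated attribute on the same element.

```python
import xml.etree.ElementTree as ET

# Assumed namespaces for the constructed samples below.
XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"
XHTML_NS = "http://www.w3.org/1999/xhtml"

# Constructed sample: a rationale with an XHTML child element.
UNRESOLVED = f"""<Benchmark xmlns="{XCCDF_NS}" xmlns:xhtml="{XHTML_NS}" id="demo">
  <Group id="intro">
    <Rule id="rule-a">
      <rationale>Use <xhtml:code>auditd</xhtml:code> for logging.</rationale>
    </Rule>
  </Group>
</Benchmark>"""

# Issue 1 symptom (constructed): the markup has become escaped text.
ESCAPED = (UNRESOLVED.replace("<xhtml:code>", "&lt;xhtml:code&gt;")
                     .replace("</xhtml:code>", "&lt;/xhtml:code&gt;"))
# Issue 2 symptom (constructed): the same attribute appears twice on Group.
DUPLICATE = UNRESOLVED.replace('<Group id="intro">',
                               '<Group id="intro" hidden="true" hidden="true">')

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def markup_counts(xml_text, names=("description", "rationale")):
    """Map (owner id, element name) -> number of elements nested inside it."""
    counts = {}
    for owner in ET.fromstring(xml_text).iter():
        for child in owner:
            if local(child.tag) in names:
                key = (owner.get("id"), local(child.tag))
                nested = sum(1 for _ in child.iter()) - 1  # exclude child itself
                counts[key] = counts.get(key, 0) + nested
    return counts

def lost_markup(before, after):
    """Return the text elements that hold fewer nested elements after resolve."""
    b, a = markup_counts(before), markup_counts(after)
    return sorted(k for k, n in b.items() if a.get(k, 0) < n)

def is_well_formed(xml_text):
    """A repeated attribute is an XML well-formedness error, so parsing fails."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False

if __name__ == "__main__":
    print("lost markup:", lost_markup(UNRESOLVED, ESCAPED))
    print("duplicate-attribute file parses:", is_well_formed(DUPLICATE))
```

Against real content, the two arguments to lost_markup would be the text of the file before and after `oscap xccdf resolve`.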