[Xccdf-dev] XSD schema does not recognize dangling selectors

[Xccdf-dev] XSD schema does not recognize dangling selectors

Simon Lukasik

Hello XCCDF-Dev!

I am not sure whether this is the place to report issues against XCCDF
standard, XCCDF schema in particular, but I will take my chances.


Ján Lieskovský (CC-ed) has found that XSD schema validation will not
always detect malformed XCCDF. Having good XSD schema is critical for
SCAP content authors at SCAP-Security-Guide project. They use XSD
schemas to ensure reasonable quality of their output. The following case
was not detected by XCCDF XSD validation:

XCCDF: https://isimluk.fedorapeople.org/ssg-rhel7-xccdf.xml

The PCI-DSS profile contains:

    <select idref="service_chronyd_enabled" selected="true"/>

However, the content does not include a Rule/Group element with such ID.
Similar defects of XCCDF content usually get caught by XSD.

What do you think?

Best regards,

--
Šimon Lukašík
Security Technologies, Red Hat, Inc.
_______________________________________________
XCCDF-dev mailing list
[hidden email]
To unsubscribe, send an email message to [hidden email].

Re: [Xccdf-dev] XSD schema does not recognize dangling selectors

Melvin Steward
Simon

Yes, I encountered the same issue. I'm using OxygenXML to create a fix in my schema, but I've not tested it enough to put out a fixed schema.



On Thursday, July 2, 2015, Šimon Lukašík <[hidden email]> wrote:


Re: [Xccdf-dev] XSD schema does not recognize dangling selectors

Wild, Mike P.
In reply to this post by Simon Lukasik
Looks like you have something dangling.

-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Šimon Lukašík
Sent: Thursday, July 2, 2015 10:55 AM
To: [hidden email]
Cc: Jan Lieskovsky; [hidden email]
Subject: [Xccdf-dev] XSD schema does not recognize dangling selectors



Re: [Xccdf-dev] XSD schema does not recognize dangling selectors

Lubell, Joshua
In reply to this post by Melvin Steward

Simon and Melvin,

According to the XCCDF 1.1 spec (http://scap.nist.gov/specifications/xccdf/index.html#resource-1.1.4), the XML schema does not express all of the constraints needed to validate a benchmark document.

However, if you were to convert the RHEL7 benchmark document from XCCDF 1.1 to 1.2, you could then use the Schematron available for 1.2 to check for dangling idref values. The XCCDF 1.2 spec includes instructions for converting a 1.1 benchmark document to 1.2.

The XCCDF 1.2 spec, XSD, and Schematron are at http://scap.nist.gov/revision/1.2/index.html#xccdf

To validate your XCCDF 1.2 benchmark document, you can first check for validity with respect to the XSD, and then check for validity with respect to the Schematron. To do this using oXygenXML, you’d set up a two-step validation scenario.

Hope this is helpful,

Josh

Joshua Lubell
National Institute of Standards and Technology
100 Bureau Drive, Stop 8260
Gaithersburg MD 20899-8260 USA

From: [hidden email] [mailto:[hidden email]] On Behalf Of Melvin Steward
Sent: Thursday, July 02, 2015 12:01 PM
To: XCCDF-DEV
Cc: Jan Lieskovsky; [hidden email]
Subject: Re: [Xccdf-dev] XSD schema does not recognize dangling selectors
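The cross-reference that the XSD cannot express and the XCCDF 1.2 Schematron supplies, as an added example (not OpenSCAP, SCAP-Security-Guide or NIST code): a Python check that resolves each Profile selector's idref against the Rule, Group and Value ids defined in the same Benchmark. It goes beyond the thread's `select` case to `refine-rule`, `set-value` and `refine-value`; the sample Benchmark is constructed, with only the `service_chronyd_enabled` idref taken from the thread.

```python
import xml.etree.ElementTree as ET

# Namespaces of the two XCCDF versions discussed in the thread.
KNOWN_NS = ("http://checklists.nist.gov/xccdf/1.1",
            "http://checklists.nist.gov/xccdf/1.2")
# Profile children that carry an idref, and the item kinds each may name.
IDREF_TARGETS = {"select": ("Rule", "Group"), "refine-rule": ("Rule", "Group"),
                 "set-value": ("Value",), "refine-value": ("Value",)}


def find_dangling_idrefs(xml_text):
    """Return (profile_id, element_name, idref) for every Profile selector
    whose idref names no Rule, Group or Value of the allowed kind."""
    root = ET.fromstring(xml_text)
    ns = root.tag.split("}")[0].lstrip("{")  # namespace of the Benchmark
    if ns not in KNOWN_NS:
        raise ValueError("not an XCCDF 1.1/1.2 Benchmark: %r" % root.tag)
    def q(local):  # qualify a local name in the document's namespace
        return "{%s}%s" % (ns, local)
    # Groups nest arbitrarily, so collect item ids from the whole tree.
    ids = {kind: {el.get("id") for el in root.iter(q(kind))}
           for kind in ("Rule", "Group", "Value")}
    dangling = []
    for profile in root.iter(q("Profile")):
        for child in profile:
            local = child.tag.split("}")[-1]
            if local not in IDREF_TARGETS:
                continue  # title, description, status, ... carry no idref
            idref = child.get("idref")
            if not any(idref in ids[kind] for kind in IDREF_TARGETS[local]):
                dangling.append((profile.get("id"), local, idref))
    return dangling


# Constructed sample modelled on the thread: the profile selects a Rule id
# that no Rule or Group defines, while the other two references resolve.
SAMPLE = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="sample">
  <Profile id="pci-dss">
    <select idref="service_ntpd_enabled" selected="true"/>
    <select idref="service_chronyd_enabled" selected="true"/>
    <refine-value idref="var_ntp_server" selector="default"/>
  </Profile>
  <Value id="var_ntp_server" type="string"><value>pool.ntp.org</value></Value>
  <Group id="services">
    <Rule id="service_ntpd_enabled" selected="false"/>
  </Group>
</Benchmark>"""

if __name__ == "__main__":
    for profile, element, idref in find_dangling_idrefs(SAMPLE):
        print("profile %s: <%s idref=%r> names no item" % (profile, element, idref))
```

Because the check resolves ids across the whole tree, it reports only truly dangling references and ignores the position of the selected item inside nested Groups.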

Re: [Xccdf-dev] XSD schema does not recognize dangling selectors

Simon Lukasik
Thanks for the pointers, Lubell and Joshua.

In fact, we convert the mentioned document to XCCDF 1.2, and the latest
OpenSCAP includes the ability to run Schematron for XCCDF:

     oscap xccdf validate --schematron ssg-rhel7-xccdf-12.xml

However, this does not reveal the above-mentioned issue. I'll dig into
this a bit more in the coming days and report back once I know more.

Thank you!
--
Šimon Lukašík
Security Technologies, Red Hat, Inc.


On 07/02/2015 08:05 PM, Lubell, Joshua wrote:



--
~š.