[Open-scap] XCCDF validation issue

Martin Preisler mpreisle at redhat.com
Wed Nov 16 16:01:59 UTC 2011


Hi!

> 1)
> There seems to be an issue with handling the <reference> tag inside a
> <Rule>:
> 
> 1 1871 In file 'output/rhel6-xccdf-scap-security-guide.xml' on line
> 4247: Element '{http://checklists.nist.gov/xccdf/1.1}reference': This
> element is not expected. Expected is one of (
> {http://checklists.nist.gov/xccdf/1.1}check,
> {http://checklists.nist.gov/xccdf/1.1}signature ).

I find this really strange. The specification clearly mentions that reference is a valid sub element of Item, and Rule inherits from Item, so it should be allowed there as well. This may be caused by the way the schema enforces this. There are fairly complex inheritance trees, each extension appends elements, and ordering matters in XSD.

You can get rid of it by reordering the elements, making reference appear before any elements specified in types inheriting from itemType. In this case putting <reference> before <rationale>.

Example:
<Rule id="partition_for_tmp">
  <title>...</title>
  <description>...</description>
  <reference xmlns:xhtml="http://www.w3.org/1999/xhtml" href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf">CM-6</reference>

  <rationale>...</rationale>
  ... the rest of the tags ...
  < reference used to be here >
</Rule>

The XSD schema should be more relaxed towards this IMO, and I am convinced this would work just fine with openscap if you skip validation. Regardless, I think this should be patched so the generated XCCDF has reference elements where they should be.

> 
> 
> 2)
> There seems to be a problem with handling XHTML tags (such as
> <xhtml:code>) inside a <title>:
> 
> 1 1871 In file 'output/rhel6-xccdf-scap-security-guide.xml' on line
> 5448: Element '{http://www.w3.org/1999/xhtml}code': This element is
> not
> expected. Expected is ( {http://checklists.nist.gov/xccdf/1.1}sub ).
> 
> (I assumed this was allowed, but if not, I can change the XCCDF.)

"xhtml" namespace elements are only allowed inside some elements, for example description (and other htmlTextWithSubType types). According to the XSD, title shouldn't contain xhtml tags (and other textWithSubType types). What I find strange is that the specification PDF doesn't mention this clearly (or maybe I missed it).

> 
> 
> Or if I should be using a later version of openscap (built from
> source),
> let me know...

Both of these issues are reproducible outside of openscap with the official XSD schemas and XML validating tools, so getting a newer openscap shouldn't make any difference (unless the target XSD schema changes, of course).

> 
> 
> Thanks!
> Jeff

HTH :-)

--
Martin Preisler
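Added example (not part of Martin's message or of openscap/scap-security-guide): a small Python script, using only the standard library, that applies the two points above to a generated XCCDF 1.1 document. It moves every <reference> child of a <Rule> in front of the first child that belongs to a type derived from itemType (so in front of <rationale>, as in the fragment above), and it reports rules whose <title> contains XHTML-namespace elements, which the XSD's textWithSubType does not allow. The sample Benchmark, the rule ids other than partition_for_tmp, and the href value are constructed for the example; the list of itemType children is taken from the XCCDF 1.1 schema as I recall it and is flagged as an assumption in the code.

```python
"""Reorder <reference> children of XCCDF 1.1 <Rule> elements and flag XHTML
markup inside <title>.  Constructed example, not openscap code."""
import xml.etree.ElementTree as ET

XCCDF = "http://checklists.nist.gov/xccdf/1.1"   # namespace from the validator output
XHTML = "http://www.w3.org/1999/xhtml"

# Assumption: the ordered child sequence of itemType in the XCCDF 1.1 XSD.
# Everything up to and including 'reference' may legitimately precede a
# <reference>; anything else (metadata, and all children added by
# selectableItemType / ruleType such as rationale, fix, check) must follow it.
ITEM_TYPE_ORDER = ("status", "version", "title", "description",
                   "warning", "question", "reference", "metadata")
ALLOWED_BEFORE_REFERENCE = set(ITEM_TYPE_ORDER[:ITEM_TYPE_ORDER.index("reference") + 1])

# Constructed sample: one Rule with <reference> after <rationale> and an
# <xhtml:code> inside <title>; both are rejected by the official XSD.
SAMPLE = f"""<Benchmark xmlns="{XCCDF}" xmlns:xhtml="{XHTML}" id="sample-benchmark">
  <Rule id="partition_for_tmp">
    <title>Separate partition for <xhtml:code>/tmp</xhtml:code></title>
    <description>...</description>
    <rationale>...</rationale>
    <reference href="http://example.invalid/sp800-53">CM-6</reference>
  </Rule>
  <Rule id="already_fine">
    <title>Plain title</title>
    <reference href="http://example.invalid/sp800-53">AC-6</reference>
    <rationale>...</rationale>
  </Rule>
</Benchmark>"""


def local_name(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def fix_reference_order(root):
    """Move <reference> children in front of the first child that must follow them.
    Returns the ids of the rules that were changed."""
    fixed = []
    for rule in root.iter(f"{{{XCCDF}}}Rule"):
        children = list(rule)
        refs = [c for c in children if local_name(c.tag) == "reference"]
        anchor = next((c for c in children
                       if local_name(c.tag) not in ALLOWED_BEFORE_REFERENCE), None)
        if not refs or anchor is None:
            continue                      # nothing to move, or nothing after references
        anchor_idx = children.index(anchor)
        if all(children.index(r) < anchor_idx for r in refs):
            continue                      # already in schema order
        for r in refs:
            rule.remove(r)
        insert_at = list(rule).index(anchor)
        for offset, r in enumerate(refs):
            rule.insert(insert_at + offset, r)
        fixed.append(rule.get("id"))
    return fixed


def titles_with_xhtml(root):
    """Ids of rules whose <title> contains any element from the XHTML namespace."""
    bad = []
    for rule in root.iter(f"{{{XCCDF}}}Rule"):
        for title in rule.findall(f"{{{XCCDF}}}title"):
            if any(el.tag.startswith("{" + XHTML + "}") for el in title.iter()):
                bad.append(rule.get("id"))
                break
    return bad


def rule_child_order(root, rule_id):
    """Local names of a rule's children, in document order (for inspection/tests)."""
    for rule in root.iter(f"{{{XCCDF}}}Rule"):
        if rule.get("id") == rule_id:
            return [local_name(c.tag) for c in rule]
    return []


def load_sample():
    return ET.fromstring(SAMPLE)


if __name__ == "__main__":
    root = load_sample()
    print("rules with XHTML in <title>:", titles_with_xhtml(root))
    print("rules whose <reference> was moved:", fix_reference_order(root))
    print(ET.tostring(root, encoding="unicode"))
```

Run it on a real file by replacing load_sample() with ET.parse(path).getroot() and writing the tree back; the title check only reports, since the right fix there (dropping the markup or moving the code snippet into <description>) is an authoring decision.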
