[Open-scap] Questions about OVAL

Tim Burress tim at variosecure.net
Tue Aug 13 02:47:51 UTC 2019


Hello,

I'm trying to learn my way around SCAP just now, with the main focus
right now on scans of Linux-based systems using oscap and the related
tools. I'm hitting a bit of a wall when it comes to writing OVAL content
and just wondered if someone could point me to resources that unpack
things from the perspective of someone accustomed to writing software in
"normal" programming languages?

Some more-or-less specific questions:

o In an object definition like this (condensed from OVAL found in SSG,
where B is a local variable containing a set of file paths):

<ind:textfilecontent54_object id="A" version="1">
    <ind:filepath var_ref="B" var_check="at least one" />
    <ind:pattern operation="pattern match">^0$</ind:pattern>
    <ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>

what is the function of var_check="at least one"? I assume that this is
a condition being applied to the value of the variable B, saying that it
must have at least one member, but what happens if the variable B is an
empty set?

o Basic question: is the order in which entities appear in a file of
OVAL content irrelevant? Given that they are all tagged with types and
ID strings it seems like this would be the case, but OVAL is a new world
where many things are not what they seem, so I thought I would check.

o Is there a tool that allows you to debug OVAL at runtime? That is,
much like any other debugger, to set breakpoints and examine the values
of objects/variables/etc at runtime?

o Is there a document/book/tutorial that guides a person through
creating complex OVAL rules (preferably on Linux systems)? Most of the
examples I've found on the web are of the very simple "Hello World"
variety, so lead to more questions than they answer. Something that
walks through even just how to *think* about solving problems in OVAL
would be helpful at this point.

Thanks!





