Closed iankko closed 8 years ago
I am temporarily re-opening this issue. The SSG content has been fixed (thanks to Martin for review of the referenced PR!).
But we also need NIST to confirm the tool shouldn't be checking this test for OCIL check system (just to be sure). Will close again once they confirm.
The scap-security-guide-nist-testsuite
Jenkins job has been modified to whitelist the error message for this particular error (see the next comment for explanation why):
ERROR: SCHEMATRON - [ssg-rhel6-ds.xml] scap_org.open-scap_datastream_from_
xccdf_ssg-rhel6-xccdf-1.2.xml - Values of XCCDF datatype 'string', when bound
to OVAL variables, the OVAL variables must be of the following OVAL types:
string, evr_string, version, ios_version, fileset_revision, binary
The XCCDF to OVAL datatype export matching constrain has been corrected in SSG content.
The remaining issue (reporting missing datatype constrain against the OCIL check system for
the xccdf_org.ssgproject.content_value_conditional_clause
xccdf:Value:
<Value id="xccdf_org.ssgproject.content_value_conditional_clause" operator="equals" type="string">
<title xml:lang="en-US">A conditional clause for check statements.</title>
<description xml:lang="en-US">A conditional clause for check statements.</description>
<value>This is a placeholder.</value>
</Value>
is not the problem of the SSG content itself. But rather problem of the SCAP NIST content testsuite which should not verify the XCCDF-to-OVAL datatype export matching constraint for the OCIL check system (since in ocil there isn't variable, where the 'datatype' from xccdf:Value could be specified for).
This issue has been reported to ScapVal maintainers.
When evaluating current SSG RHEL-6 benchmark with the SCAP NIST content testsuite on 2016-03-18 (https://jlieskov.fedorapeople.org/2016-03-18-scap-validation-result.html) there's one instance of the following error: