Open vanderpol opened 2 weeks ago
@solind, given that our attempts to add logical tests or platform applicability fell through with OVAL, I'm attempting to find a 'simple' way to apply the existing XCCDF platform specifications to a check-content-ref, so that only one check content ref would be performed. Looking for your ideas, or share with anyone else who you might think would be helpful.
You need the exact same rule to apply to both platforms?
If not, you could have two different rules, each targeting a different check to a different platform.
@solind, if we were in control of the XCCDF rules, this would be a non-issue, I agree completely. But in this scenario, DISA writes STIGs, and other people like us are trying to create benchmarks based on them, and the results have to tie back to the original STIG XCCDF rule IDs. If there isn't enough support for this change, we'll survive; we'll just have a few fewer automated rules, or sometimes end up with OVAL results of ERROR or TRUE = TRUE so that the overall result is correct. We just have to deal with some less-than-ideal results to get there.
This could work if you want to redefine what it means to have multiple check-content-refs in a check (Table 11, section 6.4.4.4 in the specification).
Sometimes an XCCDF rule contains different requirements based on the target platform, and it would be useful to be able to select a single check-content-ref to perform based on the outcome of XCCDF's existing platform specifications.
Example: If the system is a domain controller, perform OVAL definition 1. If the system is a member server, perform OVAL definition 2.
Where only one of the above platformIDRefs would be true and then be performed.
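
The selection described in this issue, as an added sketch that is not part of the original thread or of any XCCDF tool: it assumes a hypothetical `platform-idref` attribute on `check-content-ref` (not part of XCCDF 1.2), and the rule ID, OVAL IDs and platform IDs are constructed.

```python
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
NS = {"x": XCCDF_NS}

# Constructed rule. The platform-idref attribute on check-content-ref is the
# hypothetical extension discussed in this issue; it is NOT in XCCDF 1.2.
RULE_XML = f"""
<Rule xmlns="{XCCDF_NS}" id="xccdf_example_rule_constructed">
  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
    <check-content-ref href="oval.xml" name="oval:example:def:1"
                       platform-idref="#domain_controller"/>
    <check-content-ref href="oval.xml" name="oval:example:def:2"
                       platform-idref="#member_server"/>
  </check>
</Rule>
"""


def select_check_content_ref(rule_xml, applicable_platforms):
    """Return (href, name) of the one check-content-ref to evaluate.

    applicable_platforms is the set of platform IDs the scanner has already
    evaluated as true on the target. Returns None when nothing applies, so
    the caller can report notapplicable instead of an OVAL error result.
    """
    rule = ET.fromstring(rule_xml)
    refs = rule.findall("x:check/x:check-content-ref", NS)

    conditional = [r for r in refs if r.get("platform-idref") is not None]
    matches = [r for r in conditional
               if r.get("platform-idref") in applicable_platforms]

    if len(matches) > 1:
        # The issue expects exactly one platform to be true; anything else
        # is ambiguous, so fail loudly rather than pick one silently.
        ids = [r.get("platform-idref") for r in matches]
        raise ValueError(f"multiple platforms applicable: {ids}")
    if matches:
        chosen = matches[0]
    else:
        # Assumption of this sketch: a ref without the attribute is an
        # unconditional fallback, used only when no platform matched.
        fallback = [r for r in refs if r.get("platform-idref") is None]
        if not fallback:
            return None
        chosen = fallback[0]
    return chosen.get("href"), chosen.get("name")
```

Because the rule element and its ID are untouched, the result still ties back to the original STIG rule ID whichever definition is selected.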