XCCDF guide lacks Rules selected in Profile(s)

Open GaryGapinski opened this issue 5 years ago • 3 comments

Description of Problem:

OpenSCAP does not include all XCCDF Rules (specified as selected in a chosen Profile) when producing an XCCDF guide. The Rules do not appear in the resulting HTML output.

OpenSCAP Version:

origin/maint-1.3 from https://github.com/OpenSCAP/openscap (as of 2020-06-29T12:24:18Z)

Operating System & Version:

Ubuntu 20.04 LTS

Steps to Reproduce:

  1. Follow Ubuntu-related directions in https://github.com/OpenSCAP/openscap/blob/maint-1.3/docs/developer/developer.adoc
  2. Supplement packages with libopendbx1-dev, asciidoc, doxygen, libprocps-dev, libzstd-dev (noted in cmake output as not installed)
  3. cmake ../ and make in build sub-directory
  4. Define a bash alias as oscap_wrapper (e.g., alias oscap='~/Projects/github/OpenSCAP/openscap/build/oscap_wrapper')
  5. Use oscap to produce a guide from the attached XCCDF document (e.g., oscap xccdf generate guide --profile xccdf_gov.nist.mscp.content_profile_all xccdf.xml >xccdf-guide.html)

Actual Results:

The resulting guide lacks all selected Rules: shows 101 rather than 202.

Expected Results:

A guide inclusive of all selected Rules.

Additional Information / Debugging Steps:

A quick count of the Rules included in the generated guide can be obtained by searching for the string <span class="label label-default">Rule</span>. A variant method is XPath //@data-tt-id[matches(.,'_rule_')]. The count also appears in the guide in the Checklist section.

NB: A comparison (XPath //Rule[not(@id = doc('xccdf-guide.html')//@id)]) of XCCDF Rules selected in the "_all" Profile which are missing in the resulting guide indicates every other Rule in (XCCDF) document order is missing.

The attached archive includes the input XCCDF document used as well as a specimen guide (lacking all expected Rules).

Using an SCAP data stream collection (also in archive) rather than the XCCDF document yields identical results.

issue-files.zip contains the specimen files.

GaryGapinski avatar Jun 29 '20 13:06 GaryGapinski
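
The comparison described in the report above, as an added Python example (not part of the original issue and not OpenSCAP code): it lists the profile-selected Rules whose id never appears as an id attribute in the generated guide. The sample benchmark and guide are constructed, the function names are hypothetical, and Group-level deselection and Profile extends are ignored.

```python
import re
import xml.etree.ElementTree as ET

def local(tag):
    """Strip the XML namespace so XCCDF 1.1 and 1.2 documents both work."""
    return tag.rsplit("}", 1)[-1]

def selected_rules(xccdf_text, profile_id):
    """Rule ids selected by the profile, in document order.

    Simplification (assumption of this example): only Rule/@selected and the
    profile's <select> overrides are honoured.
    """
    root = ET.fromstring(xccdf_text)
    state, order = {}, []
    for el in root.iter():
        if local(el.tag) == "Rule":
            order.append(el.get("id"))
            state[el.get("id")] = el.get("selected", "true") in ("true", "1")
    profile = next((p for p in root.iter()
                    if local(p.tag) == "Profile" and p.get("id") == profile_id), None)
    if profile is None:
        raise ValueError(f"profile {profile_id!r} not found")
    for sel in profile:
        if local(sel.tag) == "select" and sel.get("idref") in state:
            state[sel.get("idref")] = sel.get("selected") in ("true", "1")
    return [rid for rid in order if state[rid]]

def missing_from_guide(xccdf_text, profile_id, guide_html):
    """Selected rule ids that never appear as an id="..." attribute in the guide."""
    # The lookbehind keeps data-tt-id="..." from being counted as an id attribute.
    guide_ids = set(re.findall(r'(?<![\w-])id="([^"]+)"', guide_html))
    return [r for r in selected_rules(xccdf_text, profile_id) if r not in guide_ids]

# Constructed sample input (not the issue's attachment): four rules on one line.
NS = "http://checklists.nist.gov/xccdf/1.2"
PROFILE = "xccdf_org.example.content_profile_all"
RULES = [f"xccdf_org.example.content_rule_r{i}" for i in range(1, 5)]
XCCDF = (f'<Benchmark xmlns="{NS}" id="xccdf_org.example.content_benchmark_b">'
         f'<Profile id="{PROFILE}">'
         + "".join(f'<select idref="{r}" selected="true"/>' for r in RULES)
         + "</Profile>"
         + "".join(f'<Rule id="{r}" selected="false"/>' for r in RULES)
         + "</Benchmark>")
# Constructed guide that is missing every other rule.
GUIDE = "".join(f'<tr data-tt-id="{r}" id="{r}"></tr>' for r in RULES[::2])

if __name__ == "__main__":
    print(missing_from_guide(XCCDF, PROFILE, GUIDE))
```

A non-empty result means the guide omits Rules that the profile selects.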

There is definitely something wrong with the XML parsing. But I was able to work around the problem. The XCCDF you provided is in a certain way minified and OpenSCAP doesn't seem to play very well with it. When I pretty-printed the XML file before generating the guide using the following:

cat xccdf.xml | xmllint --format - > pretty-xccdf.xml

then:

oscap xccdf --verbose DEVEL generate guide --profile xccdf_gov.nist.mscp.content_profile_all pretty-xccdf.xml > guide.html

xmllint is available from the libxml2 package. (http://www.xmlsoft.org/)

It gives me an HTML guide containing all 202 rules.

xccdf_and_guide.zip

ggbecker avatar Jun 29 '20 14:06 ggbecker

I can confirm that the method that @ggbecker details works (around the issue) for me.

By the way: the "minification" had been achieved — deliberately — using <xsl:output indent="false"/> (https://www.w3.org/TR/xslt-30/#serialization) in the transform which produced the XCCDF (and that which produced the SCAP data stream collection). Using <xsl:output indent="true"/> also appears to avoid the issue.

GaryGapinski avatar Jun 29 '20 16:06 GaryGapinski

It might or might not be related: #1391.

evgenyz avatar Jul 02 '20 11:07 evgenyz