SCAP Content Generation

Bob Gendler edited this page Oct 21, 2021 · 3 revisions

Generation of SCAP content uses XSLT to create an XCCDF document with an accompanying OVAL document, bundled into an SCAP data stream collection document.

Prerequisites

The supplied Makefile relies on the following components:

  • The requirements as outlined in the Scripts.

  • HTML Tidy — Tidy is an HTML/XML syntax checker and reformatter.

  • Saxon 10 — Saxon is an XSLT 3.0 implementation. The HE variant, which is open source, will suffice for the XSL transformations.

    • Saxon requires the installation of a Java JDK.

Note: The version of tidy included in macOS is out of date and will not work.

Optional components

How To Use

If additional rules have been created, they must be added to the all_rules.yaml baseline file in order to be included in the OVAL and SCAP.

  1. Edit lines 1 and 2 of the Makefile to point to the appropriate versions of Saxon and Tidy.

    • Optional - Edit line 3 to point to the NIST SCAP Content Validation Tool (SCAPVal) if desired.

  2. VERSION.yaml must have a valid date in order to generate SCAP content.

  3. In the SCAP directory, run the command make. This will:

    • Generate the "all rules" variant of the checklist in AsciiDoc form. - all_rules.adoc

    • Generate the "all rules" variant of the checklist in HTML form. - all_rules.html

    • Generate the "all rules" variant of the checklist in OVAL form. - All_rules.xml

    • Generate the XCCDF document using the "all rules" checklist and OVAL as inputs. - xccdf.xml

    • Generate a report from the XCCDF document to be used for quality checking. - xccdf.html

    • Generate the SCAP data stream document using the XCCDF and OVAL documents. - datastream.xml

The SCAP profiles are generated from the tag keywords found in each rule file, excluding inherent, permanent, n_a, none, manual, i386, arm64, supplemental.

Different versions of macOS will require changes to the CPE dictionary macos-cpe-dictionary.xml and the CPE OVAL macos-cpe-oval.xml to test for the required version, and a change to line 306 of the file html-to-xccdf.xsl to set the desired CPE of the platform.

<xsl:text>cpe:2.3:o:apple:mac_os_x:10.15:*:*:*:*:*:*:*</xsl:text>
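A pre-flight check for that edit, as an added example that is not part of the project's scripts: it parses the CPE 2.3 formatted string found in an `<xsl:text>` element and reports when it does not target the macOS version you intend to build for. The function names and the sample input are assumptions made for illustration.

```python
import re

# The 11 attributes of a CPE 2.3 formatted string, in order after "cpe:2.3:".
CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")

def split_unescaped(text):
    """Split on ':' but keep backslash-escaped characters (e.g. '\\:') intact."""
    parts, cur, i = [], "", 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            cur += text[i:i + 2]      # escaped pair stays inside the attribute
            i += 2
        elif text[i] == ":":
            parts.append(cur)
            cur = ""
            i += 1
        else:
            cur += text[i]
            i += 1
    return parts + [cur]

def parse_cpe23(cpe):
    """Return the attributes of a CPE 2.3 formatted string as a dict."""
    prefix = "cpe:2.3:"
    if not cpe.startswith(prefix):
        raise ValueError("not a CPE 2.3 formatted string: " + cpe)
    parts = split_unescaped(cpe[len(prefix):])
    if len(parts) != len(CPE_FIELDS):
        raise ValueError("%s has %d attributes, expected 11" % (cpe, len(parts)))
    return dict(zip(CPE_FIELDS, parts))

def check_platform(xsl_text, expected_version):
    """List problems with the platform CPE(s) in the XSL; empty list means OK."""
    found = re.findall(r"<xsl:text>\s*(cpe:2\.3:[^<\s]+)\s*</xsl:text>", xsl_text)
    if not found:
        return ["no CPE 2.3 string found in <xsl:text>"]
    problems = []
    for cpe in found:
        try:
            attrs = parse_cpe23(cpe)
        except ValueError as exc:
            problems.append(str(exc))
            continue
        if attrs["part"] != "o":
            problems.append(cpe + " is not an operating-system CPE")
        elif attrs["version"] != expected_version:
            problems.append("%s targets %s, expected %s"
                            % (cpe, attrs["version"], expected_version))
    return problems

# Constructed sample: the line shown above, as it would sit in the XSL.
SAMPLE_XSL = "<xsl:text>cpe:2.3:o:apple:mac_os_x:10.15:*:*:*:*:*:*:*</xsl:text>"
```

Run `check_platform` on the contents of html-to-xccdf.xsl before `make`; a non-empty list means the XCCDF would be generated for a different platform than the one being tested.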

SCAP References

That page has links to most of the SCAP-related normative documents.

An SCAP data stream (typically) consists of several XML documents knit together in a containing XML document. The component documents are:

  • An XCCDF document

  • An OVAL document referenced by the XCCDF document

  • An OCIL document referenced by the XCCDF document

  • A CPE dictionary document referenced by the XCCDF document

  • An OVAL document referenced by the CPE dictionary document