Requirement | Count | Level | Type | Description | Location | Test |
---|---|---|---|---|---|---|
148-1 | 1 (of 1) | WARN | SCHEMATRON | cpe:/o:apple:mac_os:10:11 - CPE items SHOULD exist in the official CPE dictionary. | /*:data-stream[namespace-uri()='http://scap.nist.gov/schema/data-stream/0.2'][1]/*:cpe-dictionary-content[namespace-uri()='http://scap.nist.gov/schema/data-stream/0.2'][1]/*:cpe-list[namespace-uri()='http://cpe.mitre.org/dictionary/2.0'][1]/*:cpe-item[namespace-uri()='http://cpe.mitre.org/dictionary/2.0'][3] | exists(document(concat('','/official-cpe-dictionary_v2.2.xml'))/cpe-dict:cpe-list/cpe-dict:cpe-item[count(tokenize(@name,':')) ge count(tokenize(current()/@name,':')) and (tokenize(@name,':')[1] eq tokenize(current()/@name,':')[1] or tokenize(current()/@name,':')[1] eq '' or not(exists(tokenize(current()/@name,':')[1]))) and (tokenize(@name,':')[2] eq tokenize(current()/@name,':')[2] or tokenize(current()/@name,':')[2] eq '' or not(exists(tokenize(current()/@name,':')[2]))) and (tokenize(@name,':')[3] eq tokenize(current()/@name,':')[3] or tokenize(current()/@name,':')[3] eq '' or not(exists(tokenize(current()/@name,':')[3]))) and (tokenize(@name,':')[4] eq tokenize(current()/@name,':')[4] or tokenize(current()/@name,':')[4] eq '' or not(exists(tokenize(current()/@name,':')[4]))) and (tokenize(@name,':')[5] eq tokenize(current()/@name,':')[5] or tokenize(current()/@name,':')[5] eq '' or not(exists(tokenize(current()/@name,':')[5]))) and (tokenize(@name,':')[6] eq tokenize(current()/@name,':')[6] or tokenize(current()/@name,':')[6] eq '' or not(exists(tokenize(current()/@name,':')[6]))) and (tokenize(@name,':')[7] eq tokenize(current()/@name,':')[7] or tokenize(current()/@name,':')[7] eq '' or not(exists(tokenize(current()/@name,':')[7]))) and (tokenize(@name,':')[8] eq tokenize(current()/@name,':')[8] or tokenize(current()/@name,':')[8] eq '' or not(exists(tokenize(current()/@name,':')[8])))]) |

Requirement | Count | Level | Type | Description | Location | Test |
---|---|---|---|---|---|---|
A21 | 1 (of 2) | INFO | SCHEMATRON | oval:gov.nist.validation.cpe.oval:tst:101 - The OVAL test type is not checked in the NIST SCAP Validation Program. | /*:oval_definitions[namespace-uri()='http://oval.mitre.org/XMLSchema/oval-definitions-5'][1]/*:tests[namespace-uri()='http://oval.mitre.org/XMLSchema/oval-definitions-5'][1]/*:rpminfo_test[namespace-uri()='http://oval.mitre.org/XMLSchema/oval-definitions-5#linux'][1] | exists(document(concat('','/validation_program_oval_test_types.xml'))/test_types/test_type[@namespace eq namespace-uri(current()) and @name eq local-name(current())]) |
A21 | 1 (of 2) | INFO | SCHEMATRON | oval:gov.nist.validation.cpe.oval:tst:1202 - The OVAL test type is not checked in the NIST SCAP Validation Program. | /*:oval_definitions[namespace-uri()='http://oval.mitre.org/XMLSchema/oval-definitions-5'][1]/*:tests[namespace-uri()='http://oval.mitre.org/XMLSchema/oval-definitions-5'][1]/*:plist_test[namespace-uri()='http://oval.mitre.org/XMLSchema/oval-definitions-5#macos'][1] | exists(document(concat('','/validation_program_oval_test_types.xml'))/test_types/test_type[@namespace eq namespace-uri(current()) and @name eq local-name(current())]) |

Requirement | Count | Level | Type | Description | Location | Test |
---|---|---|---|---|---|---|
211-1 | 1 (of 5) | WARN | SCHEMATRON | oval:gov.nist.validation.r1100_scap11_win_rhel.patch:def:1 - Issue a warning if an OVAL patch class does not reference a CVE. | /*:oval_definitions[namespace-uri()='http://oval.mitre.org/XMLSchema/oval-definitions-5'][1]/*:definitions[namespace-uri()='http://oval.mitre.org/XMLSchema/oval-definitions-5'][1]/*:definition[namespace-uri()='http://oval.mitre.org/XMLSchema/oval-definitions-5'][1] | if( @class eq 'patch' ) then exists(current()//oval-def:reference[matches(@source,'^(CVE|http://cve.mitre.org)$')]) else true() |
211-1 | 1 (of 5) | WARN | SCHEMATRON | oval:gov.nist.validation.r1100_scap11_win_rhel.patch:def:2 - Issue a warning if an OVAL patch class does not reference a CVE. | /*:oval_definitions[namespace-uri()='http://oval.mitre.org/XMLSchema/oval-definitions-5'][1]/*:definitions[namespace-uri()='http://oval.mitre.org/XMLSchema/oval-definitions-5'][1]/*:definition[namespace-uri()='http://oval.mitre.org/XMLSchema/oval-definitions-5'][2] | if( @class eq 'patch' ) then exists(current()//oval-def:reference[matches(@source,'^(CVE|http://cve.mitre.org)$')]) else true() |
211-1 | 1 (of 5) | WARN | SCHEMATRON | oval:gov.nist.validation.r1100_scap11_win_rhel.patch:def:3 - Issue a warning if an OVAL patch class does not reference a CVE. | /*:oval_definitions[namespace-uri()='http://oval.mitre.org/XMLSchema/oval-definitions-5'][1]/*:definitions[namespace-uri()='http://oval.mitre.org/XMLSchema/oval-definitions-5'][1]/*:definition[namespace-uri()='http://oval.mitre.org/XMLSchema/oval-definitions-5'][3] | if( @class eq 'patch' ) then exists(current()//oval-def:reference[matches(@source,'^(CVE|http://cve.mitre.org)$')]) else true() |
211-1 | 1 (of 5) | WARN | SCHEMATRON | oval:gov.nist.validation.r1100_scap11_win_rhel.patch:def:4 - Issue a warning if an OVAL patch class does not reference a CVE. | /*:oval_definitions[namespace-uri()='http://oval.mitre.org/XMLSchema/oval-definitions-5'][1]/*:definitions[namespace-uri()='http://oval.mitre.org/XMLSchema/oval-definitions-5'][1]/*:definition[namespace-uri()='http://oval.mitre.org/XMLSchema/oval-definitions-5'][4] | if( @class eq 'patch' ) then exists(current()//oval-def:reference[matches(@source,'^(CVE|http://cve.mitre.org)$')]) else true() |
211-1 | 1 (of 5) | WARN | SCHEMATRON | oval:gov.nist.validation.r1100_scap11_win_rhel.patch:def:5 - Issue a warning if an OVAL patch class does not reference a CVE. | /*:oval_definitions[namespace-uri()='http://oval.mitre.org/XMLSchema/oval-definitions-5'][1]/*:definitions[namespace-uri()='http://oval.mitre.org/XMLSchema/oval-definitions-5'][1]/*:definition[namespace-uri()='http://oval.mitre.org/XMLSchema/oval-definitions-5'][5] | if( @class eq 'patch' ) then exists(current()//oval-def:reference[matches(@source,'^(CVE|http://cve.mitre.org)$')]) else true() |

Requirement | Count | Level | Type | Description | Location | Test |
---|---|---|---|---|---|---|
15-2 | 1 (of 1) | WARN | SCHEMATRON | xccdf_gov.nist.r1100_scap11_win_rhel_macos_benchmark - The <xccdf:platform> element of the <xccdf:Benchmark> element that contains a CPE SHALL contain a reference to a CPE name in the Official CPE Dictionary if such a name exists for the indicated platform. Issue a warning if the CPE name specified in <xccdf:platform> does not match a CPE name in the Official CPE Dictionary. | /*:Benchmark[namespace-uri()='http://checklists.nist.gov/xccdf/1.1'][1] | every $m in xccdf:platform[matches(@idref,'[c][pP][eE]:/[AHOaho]?(:[A-Za-z0-9\._\-~%]*){0,6}')] satisfies exists(document(concat('','/official-cpe-dictionary_v2.2.xml'))/cpe-dict:cpe-list/cpe-dict:cpe-item[count(tokenize(@name,':')) ge count(tokenize($m/@idref,':')) and (tokenize(@name,':')[1] eq tokenize($m/@idref,':')[1] or tokenize($m/@idref,':')[1] eq '' or not(exists(tokenize($m/@idref,':')[1]))) and (tokenize(@name,':')[2] eq tokenize($m/@idref,':')[2] or tokenize($m/@idref,':')[2] eq '' or not(exists(tokenize($m/@idref,':')[2]))) and (tokenize(@name,':')[3] eq tokenize($m/@idref,':')[3] or tokenize($m/@idref,':')[3] eq '' or not(exists(tokenize($m/@idref,':')[3]))) and (tokenize(@name,':')[4] eq tokenize($m/@idref,':')[4] or tokenize($m/@idref,':')[4] eq '' or not(exists(tokenize($m/@idref,':')[4]))) and (tokenize(@name,':')[5] eq tokenize($m/@idref,':')[5] or tokenize($m/@idref,':')[5] eq '' or not(exists(tokenize($m/@idref,':')[5]))) and (tokenize(@name,':')[6] eq tokenize($m/@idref,':')[6] or tokenize($m/@idref,':')[6] eq '' or not(exists(tokenize($m/@idref,':')[6]))) and (tokenize(@name,':')[7] eq tokenize($m/@idref,':')[7] or tokenize($m/@idref,':')[7] eq '' or not(exists(tokenize($m/@idref,':')[7]))) and (tokenize(@name,':')[8] eq tokenize($m/@idref,':')[8] or tokenize($m/@idref,':')[8] eq '' or not(exists(tokenize($m/@idref,':')[8])))]) |
251-1 | 1 (of 3) | WARN | SCHEMATRON | r1100_scap11_win_rhel_macos_validation_rule_6 - An xccdf:Rule should include an xccdf:ident containing a CVE, CCE, or CPE | /*:Benchmark[namespace-uri()='http://checklists.nist.gov/xccdf/1.1'][1]/*:Rule[namespace-uri()='http://checklists.nist.gov/xccdf/1.1'][1] | exists(xccdf:ident[matches(@system,'^(CCE|http://cce.mitre.org|CVE|http://cve.mitre.org|CPE|http://cpe.mitre.org)$')]) |
251-1 | 1 (of 3) | WARN | SCHEMATRON | r1100_scap11_win_rhel_macos_validation_rule_7 - An xccdf:Rule should include an xccdf:ident containing a CVE, CCE, or CPE | /*:Benchmark[namespace-uri()='http://checklists.nist.gov/xccdf/1.1'][1]/*:Rule[namespace-uri()='http://checklists.nist.gov/xccdf/1.1'][2] | exists(xccdf:ident[matches(@system,'^(CCE|http://cce.mitre.org|CVE|http://cve.mitre.org|CPE|http://cpe.mitre.org)$')]) |
251-1 | 1 (of 3) | WARN | SCHEMATRON | security_patches_up_to_date - An xccdf:Rule should include an xccdf:ident containing a CVE, CCE, or CPE | /*:Benchmark[namespace-uri()='http://checklists.nist.gov/xccdf/1.1'][1]/*:Group[namespace-uri()='http://checklists.nist.gov/xccdf/1.1'][4]/*:Rule[namespace-uri()='http://checklists.nist.gov/xccdf/1.1'][1] | exists(xccdf:ident[matches(@system,'^(CCE|http://cce.mitre.org|CVE|http://cve.mitre.org|CPE|http://cpe.mitre.org)$')]) |

Statistic Type | Statistic ID | Test Name | Value |
---|---|---|---|
COUNT | RULE_OVAL_COUNT | ||
COUNT | RULE_OCIL_COUNT | ||
COUNT | RULE_OCIL_ONLY_COUNT | ||
COUNT | RULE_CCE_COUNT | ||
COUNT | RULE_TEST_COUNT | family_test | 4 |
COUNT | RULE_TEST_COUNT | rpminfo_test | 1 |
COUNT | RULE_TEST_COUNT | plist_test | 1 |
COUNT | RULE_TEST_COUNT | variable_test | 6 |