scap added to big_sur branch with updated cce check

SCAP/.gitignore

@@ -0,0 +1 @@
+*.xpr

SCAP/Makefile

@@ -0,0 +1,65 @@
+XSLT		= /usr/local/bin/saxon
+TIDY		= /usr/local/bin/tidy
+VAL		= java -Djava.protocol.handler.pkgs=sun.net.www.protocol -jar ~/Projects/scapval/scapval-1.3.5.jar
+
+DIR		= ../build/All_rules
+
+all: inputs tidy XCCDF datastream report
+
+inputs:
+	# generate the HTML checklist document
+	../scripts/generate_guidance.py -g ../baselines/all_rules.yaml 2>/dev/null
+	# generate the related OVAL content
+	../scripts/yaml-to-oval.py ../baselines/all_rules.yaml
+	# outputs end up in ${DIR}
+
+tidy:
+	# de-louse the input HTML
+	# DO NOT use the treacherous -indent option
+	${TIDY} --show-errors 0 \
+		--output-xml true \
+		--numeric-entities true \
+		--output-encoding utf8 \
+		--input-encoding utf8 \
+		--logical-emphasis true \
+		--drop-proprietary-attributes true \
+		--coerce-endtags true \
+		-output ${DIR}/all_rules.xhtml \
+		${DIR}/all_rules.html || echo untidy
+
+XCCDF:
+	# generate the XCCDF document from the input
+	$(XSLT) -s:${DIR}/all_rules.xhtml \
+		-xsl:html-to-xccdf.xsl \
+	       	-o:${DIR}/xccdf.xml \
+		SCAP-version=1.3 \
+		id-namespace=content.mscp.nist.gov \
+		benchmark-id-suffix=macOS_11.0 \
+		OVAL-URI=${DIR}/All_rules.xml \
+		include-CPE=1
+	# the input OVAL document will be copied to a companion of the XCCDF document named 'oval.xml'
+	# a gratuitous OCIL document is provided
+	cp ocil.xml                 ${DIR}
+	cp macos-cpe-dictionary.xml ${DIR}
+	cp macos-cpe-oval.xml       ${DIR}
+
+datastream:
+	# generate the SCAP data stream collection document
+	$(XSLT) -s:${DIR}/xccdf.xml \
+		-xsl:xccdf-to-ds.xsl \
+		-o:${DIR}/datastream.xml \
+		SCAP-version=1.3 \
+		id-namespace=content.mscp.nist.gov \
+		datastream-id-suffix=macOS_11.0 \
+		include-CPE=1
+
+report:
+	# generate an XCCDF report for quality assurance
+	$(XSLT) -s:${DIR}/xccdf.xml \
+		-xsl:xccdf-to-html.xsl \
+		-o:${DIR}/xccdf.html
+
+validate:
+	# validate the datastream using SCAP content validation tool
+	( cd ${DIR}; ${VAL} -scapversion 1.3 -online -file datastream.xml >scapval-report.txt )
+	# See ${DIR}/validation-report.html for results

SCAP/README.md

@@ -0,0 +1,46 @@
+# SCAP Content Generation
+
+Generation of SCAP content uses XSLT to create an XCCDF document with an accompanying OVAL document, bundled into an SCAP data stream collection document.
+
+Steps:
+
+- Generate the "all rules" variant of the checklist in HTML form.
+- Generate the "all rules" variant of the checklist in OVAL form.
+- Generate the XCCDF document using the "all rules" checklist and OVAL as inputs.
+- Generate the SCAP data stream document using the XCCDF and OVAL documents.
+- Generate a report from the XCCDF document to be used for quality checking.
+
+These steps are configured within the Makefile.
+
+## Dependencies
+
+The supplied Makefile relies on the following components:
+- HTML Tidy — [Tidy](http://www.html-tidy.org/) is an HTML/XML syntax checker and reformatter.
+
+- Saxon 10 — [Saxon](https://www.saxonica.com/products/products.xml) is an [XSLT 3.0](https://www.w3.org/TR/xslt-30/) implementation. 
+The [HE](https://www.saxonica.com/products/PD10/HE.pdf) variant, which is open source, will suffice for the XSL transformations.
+
+### Optional components
+
+- SCAP Content Validation Tool (SCAPVal) — See 
+[SCAP Content Validation Tool](https://csrc.nist.gov/projects/security-content-automation-protocol/scap-releases/scap-1-3)
+under "Tools".
+Version 1.3.5 or later is required.
+
+## SCAP References
+
+[Security Content Automation Protocol (SCAP) 1.3](https://csrc.nist.gov/projects/security-content-automation-protocol/scap-releases/scap-1-3 "SCAP 1.3")
+
+That page has links to most of the SCAP-related normative documents.
+
+An SCAP data stream (typically) consists of several XML documents knit together in a containing XML document.
+The component documents are
+- An XCCDF document
+- An OVAL document referenced by the XCCDF document
+- An OCIL document referenced by the XCCDF document
+- A CPE dictionary document referenced by the XCCDF document
+- An OVAL document referenced by the CPE dictionary document
+
+[National Checklist Program for IT Products: Guidelines for Checklist Users and Developers](https://csrc.nist.gov/publications/detail/sp/800-70/rev-4/final "National Checklist Program (NCP)")
+
+[National Checklist Program Repository](https://nvd.nist.gov/ncp/repository)

SCAP/SCAP-1.3.sch

@@ -0,0 +1,78 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<sch:schema xmlns:sch="http://purl.oclc.org/dsdl/schematron" queryBinding="xslt2" xmlns:sqf="http://www.schematron-quickfix.com/validator/process"
+    see="https://csrc.nist.gov/projects/security-content-automation-protocol/scap-releases/scap-1-3">
+    <sch:title>This Schematron document asserts rules which are either mandatory or recommended by NIST SP 800-126 revision 3 as well as other normative documnents incorporated by
+        reference</sch:title>
+    <!-- NB: the SCAP 1.3 namespace ends in 1.2. Go figure. -->
+    <sch:ns prefix="ds" uri="http://scap.nist.gov/schema/scap/source/1.2"/>
+    <sch:ns prefix="xccdf" uri="http://checklists.nist.gov/xccdf/1.2"/>
+    <sch:ns prefix="cpe2" uri="http://cpe.mitre.org/language/2.0"/>
+    <sch:ns prefix="cpe2-dict" uri="http://cpe.mitre.org/dictionary/2.0"/>
+    <sch:ns prefix="cpe2-dict-ext" uri="http://scap.nist.gov/schema/cpe-extension/2.3"/>
+    <sch:ns prefix="xhtml" uri="http://www.w3.org/1999/xhtml"/>
+    <sch:ns prefix="dc" uri="http://purl.org/dc/elements/1.1/"/>
+    <sch:ns prefix="dsig" uri="http://www.w3.org/2000/09/xmldsig#"/>
+    <sch:ns prefix="oval-def" uri="http://oval.mitre.org/XMLSchema/oval-definitions-5"/>
+    <sch:ns prefix="oval" uri="http://oval.mitre.org/XMLSchema/oval-common-5"/>
+    <sch:pattern see="https://csrc.nist.gov/publications/detail/sp/800-126/rev-3/final">
+        <sch:title>SCAP data stream constraints</sch:title>
+        <sch:rule context="ds:data-stream-collection">
+            <sch:assert test="@schematron-version = '1.3'">&lt;<sch:name/>&gt; must have @schematron-version set to "1.3" (since SCAP 1.3 conmtent must be validated using SCAP 1.3 schemata).</sch:assert>
+        </sch:rule>
+        <sch:rule context="ds:data-stream">
+            <sch:assert test="@scap-version = '1.3'">&lt;<sch:name/>&gt; SHALL have @scap-version set to "1.3". See NIST SP 800-126 Revision 3 §3.1.1 Table 3.</sch:assert>
+        </sch:rule>
+        <sch:rule context="cpe2-dict:cpe-list/cpe2-dict:cpe-item">
+            <!-- See NIST Interagency Reports 7695, 7696, 7697, 7698 for CPE 2.3 -->
+            <!-- Which is quite perverse -->
+            <!-- The only way to conform to NISTIR 7275 is to use a <cpe23-item> element within a <cpe-item> element -->
+            <!-- and that <cpe-item> element is *required* to use an deprecated/despised CPE 2.2 @name -->
+            <sch:assert test="cpe2-dict-ext:cpe23-item" see="https://csrc.nist.gov/CSRC/media/Publications/nistir/7275/rev-4/final/documents/nistir-7275r4_updated-march-2012_clean.pdf"
+                    >&lt;<sch:value-of select="name(.)"/>&gt; missing a &lt;cpe23-item&gt;. See NISTIR 7275 Revision 4 §6.2.5 ¶3.</sch:assert>
+            <!-- So, no cpe23-item means XCCDF document cannot address a CPE 2.3 dictionary construct (and be conformant) -->
+            <!-- See as well NISTIR 7275 -->
+        </sch:rule>
+    </sch:pattern>
+    <sch:pattern see="https://csrc.nist.gov/publications/detail/nistir/7275/rev-4/final">
+        <sch:title>XCCDF constraints</sch:title>
+        <sch:rule context="xccdf:Benchmark" see="https://csrc.nist.gov/publications/detail/sp/800-126/rev-3/final">
+            <sch:assert flag="WARNING" test="@style = 'SCAP_1.3'">Warning: &lt;<sch:name/> style="<sch:value-of select="@style"/>"&gt; SHOULD have the value <sch:emph>SCAP_1.3</sch:emph>. See NIST SP
+                800-126 Revision 3 §3.2.2 ¶1 item 4.</sch:assert>
+        </sch:rule>
+        <sch:rule context="xccdf:Benchmark" see="https://csrc.nist.gov/publications/detail/sp/800-126/rev-3/final">
+            <sch:assert test="@xml:lang">The element &lt;<sch:name/>&gt; SHALL have an @xml:lang attribute. See NIST SP 800-126 Revision 3 §3.2.2 ¶1 item 3.</sch:assert>
+        </sch:rule>
+        <sch:rule context="xccdf:version" see="https://csrc.nist.gov/publications/detail/sp/800-126/rev-3/final">
+            <sch:assert flag="WARNING" test="@time">Warning: the @time attribute of the &lt;<sch:name/>&gt; element SHOULD be used for a timestamp of when the benchmark was defined. See NIST SP
+                800-126 Revision 3 §3.2.2 ¶1 item 1a.</sch:assert>
+        </sch:rule>
+        <sch:rule context="xccdf:version" see="https://csrc.nist.gov/publications/detail/sp/800-126/rev-3/final">
+            <sch:assert flag="WARNING" test="@update">Warning: the @update attribute of the &lt;<sch:name/>&gt; element SHOULD be used for a URI that specifies where updates to the benchmark can be
+                obtained. See NIST SP 800-126 Revision 3 §3.2.2 ¶1 item 2.</sch:assert>
+        </sch:rule>
+        <sch:rule context="xccdf:Benchmark/xccdf:platform" see="https://csrc.nist.gov/CSRC/media/Publications/nistir/7275/rev-4/final/documents/nistir-7275r4_updated-march-2012_clean.pdf">
+            <sch:assert test="starts-with(@idref, 'cpe:2.3')">&lt;<sch:name/> idref="<sch:value-of select="@idref"/>"&gt; is not a CPE 2.3 formatted string binding. See NISTIR 7275 Revision 4 §6.2.5
+                ¶3.</sch:assert>
+            <!--
+                Read the following and decide what SHALL, or MAY, or SHALL⨯MAY⨯SHOULD⨯MAY convey.
+                
+                "Within XCCDF documents, all CPE names SHALL comply with the CPE 2.3 Naming specification
+                [IR7695], and all CPE applicability language expressions SHALL comply with the CPE 2.3 Applicability
+                Language specification [IR7698]. CPE 2.0 names MAY be used for backwards compatibility, but their
+                use has been deprecated for XCCDF 1.2. All CPE 2.3 names and applicability language expressions in
+                XCCDF documents SHOULD use formatted string bindings but MAY use URI bindings instead, both as
+                defined in [IR7695]." 
+            -->
+        </sch:rule>
+        <sch:rule context="xccdf:Rule/xccdf:platform" see="https://csrc.nist.gov/CSRC/media/Publications/nistir/7275/rev-4/final/documents/nistir-7275r4_updated-march-2012_clean.pdf">
+            <sch:assert test="starts-with(@idref, 'cpe:2.3')">&lt;<sch:name/> idref="<sch:value-of select="@idref"/>"&gt; is not a CPE 2.3 formatted string binding. See NISTIR 7275 Revision 4 §6.2.5
+                ¶3.</sch:assert>
+        </sch:rule>
+    </sch:pattern>
+    <sch:pattern>
+        <sch:title>OVAL constraints</sch:title>
+        <sch:rule context="oval:schema_version" see="https://doi.org/10.6028/NIST.SP.800-126A">
+            <sch:assert flag="WARNING" test=". = '5.11.2'">Warning: &lt;<sch:name/>&gt;<sch:value-of select="."/>&lt;/<sch:name/>&gt; should be 5.11.2. See NIST SP 800-126A §2.2.</sch:assert>
+        </sch:rule>
+    </sch:pattern>
+</sch:schema>

SCAP/excise.xsl

@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- identity transform with excision -->
+<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:xs="http://www.w3.org/2001/XMLSchema" exclude-result-prefixes="xs" version="1.0">
+    <!-- indent for those desirous of such -->
+    <xsl:output indent="yes"/>
+    <!-- death to comments -->
+    <xsl:template match="comment()"/>
+    <!-- death to processing-instructions -->
+    <xsl:template match="processing-instruction()"/>
+    <!-- identity transform -->
+    <xsl:template match="node()" priority="-1">
+        <xsl:copy>
+            <xsl:copy-of select="attribute::node()"/>
+            <xsl:apply-templates/>
+        </xsl:copy>
+    </xsl:template>
+</xsl:stylesheet>