Bug 769813

Summary: Group/Rule children do NOT inherit "selected" attribute.
Product: [Fedora] Fedora
Component: openscap
Version: rawhide
Status: CLOSED NOTABUG
Severity: unspecified
Priority: unspecified
Reporter: Peter Vrabec <pvrabec>
Assignee: Martin Preisler <mpreisle>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dkopecek, pvrabec, slukasik, theinric
Doc Type: Bug Fix
Last Closed: 2012-08-09 11:29:43 UTC

Description Peter Vrabec 2011-12-22 11:08:40 UTC
Description of problem:

"Originally, I had tried adding "selected=false" to the toplevel Groups, 
but oscap did not make the Group/Rule children inherit this when it 
builds its internal "policy" for each profile.

(Page 18 of the XCCDF 1.1.4 spec, and
Page 20 of the XCCDF 1.2 spec,
which describe the behavior of "selected,"
suggest this should work. But no big deal.  It's simpler to just set 
the rules directly anyway.)"


see: https://fedorahosted.org/pipermail/scap-security-guide/2011-December/000017.html

Comment 1 Martin Preisler 2012-08-09 11:29:43 UTC
I think this is a misunderstanding of the XCCDF specification.

The spec says:
"An <xccdf:Group> holds other items. An <xccdf:Group> collects related
<xccdf:Rule> and <xccdf:Value> elements into a common structure and can provide
descriptive text and references about them. An <xccdf:Group> allows benchmark users to select and deselect related <xccdf:Rule> elements together; since a deselected <xccdf:Group> is not processed, none of its contained items are processed either.
Selection of an <xccdf:Group> allows its children to be processed normally based on their individual selection states."

The most important part being the last sentence. Rules do NOT inherit the selected attribute of their parent Group. They do NOT get processed if the parent group is unselected; the fact that the Profile selects these rules doesn't have any effect on that.

I tested and couldn't reproduce any Group selection behavior that is not compliant with the spec. Feel free to reopen this bug if you find any.
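
The selection semantics discussed in this bug, as an added example (not code from openscap or from either commenter). It models only what the quoted spec text describes: a deselected Group is skipped together with everything inside it, and a selected Group leaves each child to its own `selected` state. The benchmark, its ids and the `processed_rules` helper are constructed for illustration, and Profile `extends` is ignored.

```python
import xml.etree.ElementTree as ET

NS = "{http://checklists.nist.gov/xccdf/1.2}"
# Constructed sample benchmark (not from the bug report or scap-security-guide).
SAMPLE = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="b">
  <Profile id="p_rules_only">
    <select idref="r_ssh" selected="true"/>
  </Profile>
  <Profile id="p_group_too">
    <select idref="g_services" selected="true"/>
    <select idref="r_ssh" selected="true"/>
  </Profile>
  <Group id="g_services" selected="false">
    <Rule id="r_ssh" selected="false"/>
    <Rule id="r_telnet" selected="false"/>
  </Group>
  <Group id="g_accounts">
    <Rule id="r_root" selected="false"/>
    <Rule id="r_umask"/>
  </Group>
</Benchmark>"""

def processed_rules(benchmark_xml, profile_id=None):
    """Return the ids of the Rules that get processed under a profile."""
    root = ET.fromstring(benchmark_xml)
    overrides = {}  # item id -> selection state set by the profile
    for profile in root.findall(NS + "Profile"):
        if profile.get("id") == profile_id:
            for sel in profile.findall(NS + "select"):
                overrides[sel.get("idref")] = sel.get("selected") in ("true", "1")

    def is_selected(item):
        # A profile <select> overrides the item's own attribute (default: true).
        own = item.get("selected", "true") in ("true", "1")
        return overrides.get(item.get("id"), own)

    result = []

    def walk(parent):
        for item in parent:
            if item.tag == NS + "Group" and is_selected(item):
                walk(item)  # selected Group: children judged individually
            elif item.tag == NS + "Rule" and is_selected(item):
                result.append(item.get("id"))
            # A deselected Group is skipped; nothing beneath it is processed.

    walk(root)
    return result
```

With `p_rules_only`, `r_ssh` is selected by the profile but still not processed because `g_services` stays deselected; with `p_group_too`, selecting the group does not pull in `r_telnet`.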