8.4.5. Validating SCAP Content

Before you start using a security policy on your systems, you should first verify the policy in order to avoid any possible syntax or semantic errors in the policy. The oscap utility can be used to validate the security content against standard SCAP XML schemas. The validation results are printed to the standard error stream (stderr). The general syntax of such a validation command is the following:

oscap module validate [module_options_and_arguments] file

Where file is the full path to the file being validated. The only exception is the data stream module (ds), which uses the sds-validate operation instead of validate. Note that all SCAP components within the given data stream are validated automatically, and none of the components is specified separately, as can be seen in the following example:

~]$ oscap ds sds-validate /usr/share/xml/scap/ssg/content/ssg-rhel6-ds.xml

With certain SCAP content, such as OVAL specification, you can also perform a Schematron validation. The Schematron validation is slower than the standard validation but provides deeper analysis, and is thus able to detect more errors. The following SSG example shows typical usage of the command:

~]$ oscap oval validate --schematron /usr/share/xml/scap/ssg/content/ssg-rhel6-ds.xml