[Open-scap] Checking directory existence using indirection

Jason Dana jdana at tresys.com
Thu Aug 26 15:52:29 UTC 2010


> -----Original Message-----
> From: open-scap-list-bounces at redhat.com [mailto:open-scap-list-
> bounces at redhat.com] On Behalf Of Daniel Kopecek
> Sent: Wednesday, August 25, 2010 6:20 PM
> To: Marshall Miller
> Cc: open-scap-list at redhat.com
> Subject: Re: [Open-scap] Checking directory existence using indirection
> 
> On Wed, 25 Aug 2010 17:55:39 -0400
> Marshall Miller <mmiller at tresys.com> wrote:
> > It does not work with the content that was originally provided, but it
> > does not work when the variable used to create the file object
> > contains more than one value.
> >
> > I am attaching updated content with two definitions.  One correctly
> > evaluates to true, but the other incorrectly evaluates to false.
> 
> When referencing variables with multiple values you have to be careful with
> the var_check attribute. It defaults to "all" which is not the right value in your
> case. You want "at least one" or "only one". In case of "only one" you have to
> ensure that there aren't duplicate values in the variable.
> 
> So changing the path entity in obj:1001 to
> 
>   <path operation="equals" var_ref="oval:com.tresys.oval.rhel:var:1001"
>         var_check="at least one"/>
> 
> fixes the problem.

We tested changing the var_check attribute to be "at least one", but
unfortunately we still do not get the results we expect.

We are attempting to check that every home directory within the
/etc/passwd file exists on the system.  The example that we forwarded is
somewhat of a representation of that, so we obtain the same results when
testing.  If a variable is assigned multiple values, with a var_check of
"at least one", it will return true if even one of the values exists.  We
are seeing that if the variable contains 2 paths, one that exists and
one that does not, it will return true.

We were hoping that the default behavior of "all" for var_check was what
we needed.  Our interpretation of the OVAL documentation is that if a
variable has multiple values, the default behavior is for all values
within the variable to be compared using the operation provided on the
entity, which in this case I believe defaults to "equals", which would
determine if the directory exists on the system.  So, we were hoping
that for every value within the variable, if any of the values do not
exist, the object would return "does not exist" or something equivalent.

Could you possibly steer us in the right direction?

Thank you,

Jason

> > Thanks,
> > Marshall Miller
> >
> 
> Dan
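To make the three var_check modes discussed above concrete, here is a small Python model of how a single observed path is compared against a multi-valued variable, and of what that means for an object such as obj:1001. This is an added illustration, not OpenSCAP code; the matching rules follow the descriptions in this thread rather than the OVAL specification, and the directory names and the "present" set are constructed sample data.

```python
from typing import Iterable, Set

def entity_matches(observed: str, var_values: Iterable[str], var_check: str) -> bool:
    """Compare one observed entity value (a path found on the system) against
    every value of the referenced variable using operation="equals".
    The var_check rules are modelled on the thread, not taken from OpenSCAP."""
    hits = [observed == v for v in var_values]
    if var_check == "all":
        return all(hits)               # one path can equal at most one distinct value
    if var_check == "at least one":
        return any(hits)
    if var_check == "only one":
        return hits.count(True) == 1   # duplicate values in the variable break this
    raise ValueError(f"unknown var_check: {var_check!r}")

def file_object_exists(var_values: Iterable[str], var_check: str, present_dirs: Set[str]) -> bool:
    """Model of a file object like obj:1001 (hypothetical name): the object is
    considered to exist if at least one directory present on the system
    satisfies the path entity under the given var_check."""
    values = list(var_values)
    return any(entity_matches(d, values, var_check) for d in present_dirs)

def all_dirs_exist(var_values: Iterable[str], present_dirs: Set[str]) -> bool:
    """The check the poster actually wants, every home directory present,
    written as plain Python rather than as an OVAL construct."""
    return all(v in present_dirs for v in var_values)

# Constructed sample data: two home directories taken from /etc/passwd,
# of which only the first exists on the (simulated) system.
VAR_1001 = ["/home/alice", "/home/bob"]
PRESENT = {"/home/alice", "/root", "/tmp"}

if __name__ == "__main__":
    for mode in ("all", "at least one", "only one"):
        print(f"var_check={mode!r}: object exists = {file_object_exists(VAR_1001, mode, PRESENT)}")
    print("every directory exists =", all_dirs_exist(VAR_1001, PRESENT))
```

With the two-value variable, "all" never matches any single path (the result Marshall saw as false), "at least one" matches as soon as one directory exists (the result Jason saw as true), and neither expresses the "every directory exists" condition on its own.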
