[Open-scap] Sets and unions...
Peter Vrabec
pvrabec at redhat.com
Tue Jun 7 14:45:38 UTC 2011
Hi David,
it seems that fixing the issue with duplicates is a bit complicated at the moment.
The fix will be part of a bigger "redesign" that will be delivered later in the
summer.
Peter.
On Wednesday, June 01, 2011 04:31:48 PM David Jaccard [CTR] wrote:
> I saw that, and I don't have the answer either, sorry.
>
> -ave
>
> On Jun 1, 2011, at 6:17 AM, Peter Vrabec <pvrabec at redhat.com> wrote:
> > Hi David,
> >
> > thnx. for the email.
> >
> > The question that I was looking for an answer to is: "What do we consider
> > duplicates?" See my email on: OVAL-DEVELOPER-LIST at lists.mitre.org.
> >
> > Peter.
> >
> > On Friday, May 27, 2011 06:11:50 PM David Jaccard wrote:
> >> On May 27, 2011, at 6:25 AM, Peter Vrabec wrote:
> >>> Hi David,
> >>>
> >>> thnx. for pointing this out.
> >>>
> >>> Before we get to implementation it would be worth clarifying the desired
> >>> functionality. I'm not sure about it.
> >>>
> >>> What is the key for Set Operations
> >>> * Items and values of an object?
> >>> * Object ID?
> >>>
> >>> If I look at ovaldi (AbsObjectCollector.cpp), I see it uses the Object ID.
> >>> We also use the Object ID (worker.c). Maybe I don't know how IDs should
> >>> be assigned, but this doesn't make much sense to me. A real use case
> >>> might clear up the issue.
> >>>
> >>> What is your use case? Can you provide sample of the OVAL content?
> >>
> >> Here are some examples I culled from various OVAL definitions. I'm
> >> sorry I didn't keep track of where they came from, at the time I was
> >> only interested in the general <set> forms. I hope it gives you some
> >> idea of how sets are used to build objects by culling values from other
> >> objects. It's a very powerful tool! You ARE building a new object out
> >> of other objects, though. The new object will contain the values from
> >> the original objects, but combine those values using whatever operator
> >> logic you specify. If you want all the "normal" system users, who
> >> aren't also "admins", you could build an object for "normal" users, and
> >> one for "admins", and then build a 3rd object as the COMPLEMENT of
> >> "normal" and "admins". Any users that appear in the first two sets
> >> will be eliminated from the third. And now you can apply a state to
> >> that 3rd object.
> >>
> >> I want to point out that each of the set operations defined in OVAL
> >> (UNION, INTERSECTION, and COMPLEMENT) will remove any duplicate entries
> >> from the final sets. Example, if set A is (1, 1, 2, 2, 3, 3) and set B
> >> is (2, 2, 3, 3, 4, 4) then the UNION of A and B will only leave (1, 2,
> >> 3, 4) in the final set. I'm not sure the traditional Boolean Algebra
> >> removes duplicates.
> >>
> >> So, let's say you wanted to check the home directories of certain users
> >> for a particular thing. You wanted to make sure you had all the
> >> important users, but wanted to leave out guest accounts and such. This
> >> first example builds a new sid_sid_object by taking the UNION of other
> >> objects' values. There's actually an embedded set here, too. All the
> >> users in 'localsystem' and 'admins' are combined, and then those are
> >> combined with 'users'. The final object (:1123) has the combined list
> >> of all those users (no duplicates.)
> >>
> >> <sid_sid_object
> >>     xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows"
> >>     id="oval:com.mcafee.rw.nist.fdcc.xp:obj:1123" version="1">
> >>   <set xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
> >>        set_operator="UNION">
> >>     <set xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
> >>          set_operator="UNION">
> >>       <object_reference>oval:com.mcafee.rw.nist.fdcc.xp:obj:1132</object_reference> <!-- localsystem -->
> >>       <object_reference>oval:com.mcafee.rw.nist.fdcc.xp:obj:1130</object_reference> <!-- admins -->
> >>     </set>
> >>     <set set_operator="UNION">
> >>       <object_reference>oval:com.mcafee.rw.nist.fdcc.xp:obj:1131</object_reference> <!-- users -->
> >>     </set>
> >>   </set>
> >> </sid_sid_object>
> >>
> >> Ok, I won't even pretend to know what this one is up to, but COMPLEMENT
> >> will keep everything that's in the first object which is not also in the
> >> second object, and then INTERSECTION keeps only those bits they have in
> >> common. The values that survive those operations remain to populate
> >> object 1131 so they can be fed to a state.
> >>
> >> <fileeffectiverights53_object
> >>     xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows"
> >>     id="oval:gov.nist.fdcc.xp:obj:1131" version="1">
> >>   <set xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
> >>        set_operator="INTERSECTION">
> >>     <set set_operator="INTERSECTION">
> >>       <set set_operator="COMPLEMENT">
> >>         <object_reference>oval:gov.nist.fdcc.xp:obj:3071</object_reference>
> >>         <object_reference>oval:gov.nist.fdcc.xp:obj:1121</object_reference>
> >>       </set>
> >>       <set set_operator="COMPLEMENT">
> >>         <object_reference>oval:gov.nist.fdcc.xp:obj:3071</object_reference>
> >>         <object_reference>oval:gov.nist.fdcc.xp:obj:1141</object_reference>
> >>       </set>
> >>     </set>
> >>     <set set_operator="COMPLEMENT">
> >>       <object_reference>oval:gov.nist.fdcc.xp:obj:3071</object_reference>
> >>       <object_reference>oval:gov.nist.fdcc.xp:obj:1142</object_reference>
> >>     </set>
> >>   </set>
> >> </fileeffectiverights53_object>
> >>
> >> You may want to run a single test on two (or more) different registry
> >> locations. It's the exact same test, so why duplicate it for each
> >> registry entry? Just UNION them together with a set! I left in the
> >> original objects in this example:
> >>
> >> <registry_object
> >>     xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows"
> >>     id="oval:com.g2.temp:obj:20110504004" version="0"
> >>     comment="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\8.0\Excel\InstallRoot!Path">
> >>   <hive>HKEY_LOCAL_MACHINE</hive>
> >>   <key>SOFTWARE\Microsoft\Office\8.0\Excel\InstallRoot</key>
> >>   <name>Path</name>
> >> </registry_object>
> >> <registry_object
> >>     xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows"
> >>     id="oval:com.g2.temp:obj:20110509007" version="0"
> >>     comment="HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\8.0\Excel\InstallRoot!Path">
> >>   <hive>HKEY_LOCAL_MACHINE</hive>
> >>   <key>SOFTWARE\Wow6432Node\Microsoft\Office\8.0\Excel\InstallRoot</key>
> >>   <name>Path</name>
> >> </registry_object>
> >> <registry_object
> >>     xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows"
> >>     id="oval:com.g2.temp:obj:20110509008" version="0"
> >>     comment="Excel 97 InstallRoot path">
> >>   <set xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
> >>     <object_reference>oval:com.g2.temp:obj:20110504004</object_reference>
> >>     <object_reference>oval:com.g2.temp:obj:20110509007</object_reference>
> >>   </set>
> >> </registry_object>
> >>
> >> Hope that helps!
> >>
> >>> thnx.
> >>> Peter.
> >>>
> >>> On Thursday, May 26, 2011 06:09:09 PM David Jaccard wrote:
> >>>> Hello!
> >>>>
> >>>> I need to use a set and it looks like the union operator is not
> >>>> removing duplicate entries from the final list of values.
> >>>>
> >>>> http://oval.mitre.org/language/version5.6/ovaldefinition/documentation/oval-definitions-schema.html#SetOperatorEnumeration
> >>>>
> >>>> and
> >>>>
> >>>> openscap/src/OVAL/probes/probe/worker.c:593 ... ish. :)
> >>>>
> >>>> I would like to make a patch for you! I did some digging and I don't
> >>>> see a SEXP_list_* function for determining whether a particular value
> >>>> is already in a set. If you had one, it would be really easy to wrap
> >>>> the call that adds the new value. (Though I'm not sure about falling
> >>>> through into the COMPLEMENT operation... I've asked the OVAL list if
> >>>> INTERSECTION and COMPLEMENT were to remove duplicates as well.)
> >>>>
> >>>> What do you think?
> >>>>
> >>>> - Dave Jaccard
> >>>> DoD DREN/HPCMP
> >>>> [contractor]
> >>>>
> >>>>
> >>>> _______________________________________________
> >>>> Open-scap-list mailing list
> >>>> Open-scap-list at redhat.com
> >>>> https://www.redhat.com/mailman/listinfo/open-scap-list
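The thread turns on two things: what the set operators are supposed to do with duplicates, and what the "key" for a duplicate is (item value versus originating object ID). The following Python is an added worked example, not code from openscap's worker.c or from ovaldi's AbsObjectCollector.cpp. It evaluates nested OVAL `<set>` elements with UNION, INTERSECTION and COMPLEMENT, removing duplicates in every operator as David describes, and it keys duplicates on the collected item value (one of the two candidates Peter asked about; that choice is an assumption of this example). The `COLLECTED` table of SIDs per object ID is constructed sample data, and the XML is the sid_sid_object from David's mail re-typed into one string.

```python
"""Evaluate OVAL <set> trees (UNION / INTERSECTION / COMPLEMENT) with duplicate
removal.  Added illustration, not openscap's or ovaldi's implementation.
Assumption: items are keyed by their collected value, not by the object ID
that produced them."""
import xml.etree.ElementTree as ET

OVAL_DEF = "http://oval.mitre.org/XMLSchema/oval-definitions-5"


def dedupe(items):
    """Drop repeated values while keeping first-seen order."""
    seen = set()
    out = []
    for item in items:
        if item not in seen:
            seen.add(item)
            out.append(item)
    return out


def apply_operator(op, operands):
    """Combine operand lists with an OVAL set_operator; result never has duplicates."""
    operands = [dedupe(o) for o in operands]
    if not operands:
        return []
    if op == "UNION":
        merged = []
        for o in operands:
            merged.extend(o)
        return dedupe(merged)
    if op == "INTERSECTION":
        common = set(operands[0])
        for o in operands[1:]:
            common &= set(o)
        return [x for x in operands[0] if x in common]
    if op == "COMPLEMENT":
        # Keep what is in the first operand and in none of the later ones.
        excluded = set()
        for o in operands[1:]:
            excluded.update(o)
        return [x for x in operands[0] if x not in excluded]
    raise ValueError(f"unknown set_operator {op!r}")


def evaluate_set(set_elem, collected):
    """Recursively evaluate a <set>.  `collected` maps object id -> list of
    item values that object gathered on the system."""
    op = set_elem.get("set_operator", "UNION")  # UNION is the schema default
    operands = []
    for child in set_elem:
        tag = child.tag.split("}")[-1]  # strip the namespace prefix
        if tag == "object_reference":
            operands.append(collected[child.text.strip()])
        elif tag == "set":
            operands.append(evaluate_set(child, collected))
        # <filter> children are not handled in this example
    return apply_operator(op, operands)


# The sid_sid_object from the thread, re-typed as a single well-formed string.
SAMPLE_XML = """<sid_sid_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows"
    id="oval:com.mcafee.rw.nist.fdcc.xp:obj:1123" version="1">
  <set xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" set_operator="UNION">
    <set set_operator="UNION">
      <object_reference>oval:com.mcafee.rw.nist.fdcc.xp:obj:1132</object_reference>
      <object_reference>oval:com.mcafee.rw.nist.fdcc.xp:obj:1130</object_reference>
    </set>
    <set set_operator="UNION">
      <object_reference>oval:com.mcafee.rw.nist.fdcc.xp:obj:1131</object_reference>
    </set>
  </set>
</sid_sid_object>"""

# Constructed sample data: SIDs each referenced object might have collected.
# The overlap (S-1-5-18 and S-1-5-32-544 appear twice) is deliberate.
COLLECTED = {
    "oval:com.mcafee.rw.nist.fdcc.xp:obj:1132": ["S-1-5-18"],                        # localsystem
    "oval:com.mcafee.rw.nist.fdcc.xp:obj:1130": ["S-1-5-32-544", "S-1-5-18"],        # admins
    "oval:com.mcafee.rw.nist.fdcc.xp:obj:1131": ["S-1-5-32-545", "S-1-5-32-544"],    # users
}


def combined_users():
    """Evaluate obj:1123: the union of localsystem, admins and users, no duplicates."""
    root = ET.fromstring(SAMPLE_XML)
    top_set = root.find(f"{{{OVAL_DEF}}}set")
    return evaluate_set(top_set, COLLECTED)


if __name__ == "__main__":
    print("UNION:", apply_operator("UNION", [[1, 1, 2, 2, 3, 3], [2, 2, 3, 3, 4, 4]]))
    print("obj:1123 ->", combined_users())
```

With David's A = (1, 1, 2, 2, 3, 3) and B = (2, 2, 3, 3, 4, 4), `apply_operator("UNION", ...)` yields [1, 2, 3, 4], INTERSECTION yields [2, 3] and COMPLEMENT yields [1]; the sid_sid_object evaluates to three distinct SIDs even though two of them were collected by more than one referenced object. Switching the key to the object ID would be a one-line change in `evaluate_set` (tag each value with the ID it came from), which is exactly the design decision the thread leaves open.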