[Open-scap] Sets and unions...

David Jaccard dave.jaccard.ctr at hpcmo.hpc.mil
Tue Jun 7 14:50:01 UTC 2011


No worries!

Thanks for looking into it for us!

- Dave

On Jun 7, 2011, at 8:45 AM, Peter Vrabec wrote:

> Hi David,
> 
> it seems that fixing issue with duplicates is a bit complicated at the moment. 
> The fix will be part of a bigger "redesign" that will be delivered later in the 
> summer.
> 
> 
> Peter.
> 
> 
> On Wednesday, June 01, 2011 04:31:48 PM David Jaccard [CTR] wrote:
>> I saw that, and I don't have the answer either, sorry.
>> 
>> -ave
>> 
>> On Jun 1, 2011, at 6:17 AM, Peter Vrabec <pvrabec at redhat.com> wrote:
>>> Hi David,
>>> 
>>> thnx. for the email.
>>> 
>>> The question I was looking for an answer to is: "What do we consider
>>> duplicates?" See my email on: OVAL-DEVELOPER-LIST at lists.mitre.org.
>>> 
>>> Peter.
>>> 
>>> On Friday, May 27, 2011 06:11:50 PM David Jaccard wrote:
>>>> On May 27, 2011, at 6:25 AM, Peter Vrabec wrote:
>>>>> Hi David,
>>>>> 
>>>>> thnx.  you for pointing this out.
>>>>> 
>>>>> Before we get to implementation it would be worth clarifying the desired
>>>>> functionality. I'm not sure about it.
>>>>> 
>>>>> What is the key for Set Operations
>>>>> * Items and values of an object?
>>>>> * Object ID?
>>>>> 
>>>>> If I look at ovaldi (AbsObjectCollector.cpp), I see it uses Object IDs.
>>>>> We also use Object IDs (worker.c). Maybe I don't know how IDs should
>>>>> be assigned, but this doesn't make much sense to me. A real use case
>>>>> might clear up the issue.
>>>>> 
>>>>> What is your use case? Can you provide sample of the OVAL content?
>>>> 
>>>> Here are some examples I culled from various OVAL definitions.  I'm
>>>> sorry I didn't keep track of where they came from, at the time I was
>>>> only interested in the general <set> forms.  I hope it gives you some
>>>> idea of how sets are used to build objects by culling values from other
>>>> objects. It's a very powerful tool!  You ARE building a new object out
>>>> of other objects, though.  The new object will contain the values from
>>>> the original objects, but combine those values using whatever operator
>>>> logic you specify.  If you want all the "normal" system users, who
>>>> aren't also "admins", you could build an object for "normal" users, and
>>>> one for "admins", and then build a 3rd object as the COMPLEMENT of
>>>> "normal" and "admins".  Any users that appear in the first two sets
>>>> will be eliminated from the third.  And now you can apply a state to
>>>> that 3rd object.
>>>> 
>>>> I want to point out that each of the set operations defined in OVAL
>>>> (UNION, INTERSECTION, and COMPLEMENT) will remove any duplicate entries
>>>> from the final sets.  For example, if set A is (1, 1, 2, 2, 3, 3) and set B
>>>> is (2, 2, 3, 3, 4, 4) then the UNION of A and B will only leave (1, 2,
>>>> 3, 4) in the final set.  I'm not sure the traditional Boolean Algebra
>>>> removes duplicates.
>>>> 
>>>> So, let's say you wanted to check the home directories of certain users
>>>> for a particular thing.  You wanted to make sure you had all the
>>>> important users, but wanted to leave out guest accounts and such.  This
>>>> first example builds a new sid_sid_object by taking the UNION of other
>>>> object's values.  There's actually an embedded set here, too.  All the
>>>> users in 'localsystem' and 'admins' are combined, and then those are
>>>> combined with 'users'.  The final object (:1123) has the combined list
>>>> of all those users (no duplicates.)
>>>> 
>>>> <sid_sid_object
>>>>     xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows"
>>>>     id="oval:com.mcafee.rw.nist.fdcc.xp:obj:1123" version="1">
>>>>   <set xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" set_operator="UNION">
>>>>     <set xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" set_operator="UNION">
>>>>       <object_reference>oval:com.mcafee.rw.nist.fdcc.xp:obj:1132</object_reference> <!-- localsystem -->
>>>>       <object_reference>oval:com.mcafee.rw.nist.fdcc.xp:obj:1130</object_reference> <!-- admins -->
>>>>     </set>
>>>>     <set set_operator="UNION">
>>>>       <object_reference>oval:com.mcafee.rw.nist.fdcc.xp:obj:1131</object_reference> <!-- users -->
>>>>     </set>
>>>>   </set>
>>>> </sid_sid_object>
>>>> 
>>>> Ok, I won't even pretend to know what this one is up to, but COMPLEMENT
>>>> will keep everything that's in the first object which is not also in the
>>>> second object, and then INTERSECTION keeps only those bits they have in
>>>> common.  The values that survive those operations remain to populate
>>>> object 1131 so they can be fed to a state.
>>>> 
>>>> <fileeffectiverights53_object
>>>>     xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows"
>>>>     id="oval:gov.nist.fdcc.xp:obj:1131" version="1">
>>>>   <set xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" set_operator="INTERSECTION">
>>>>     <set set_operator="INTERSECTION">
>>>>       <set set_operator="COMPLEMENT">
>>>>         <object_reference>oval:gov.nist.fdcc.xp:obj:3071</object_reference>
>>>>         <object_reference>oval:gov.nist.fdcc.xp:obj:1121</object_reference>
>>>>       </set>
>>>>       <set set_operator="COMPLEMENT">
>>>>         <object_reference>oval:gov.nist.fdcc.xp:obj:3071</object_reference>
>>>>         <object_reference>oval:gov.nist.fdcc.xp:obj:1141</object_reference>
>>>>       </set>
>>>>     </set>
>>>>     <set set_operator="COMPLEMENT">
>>>>       <object_reference>oval:gov.nist.fdcc.xp:obj:3071</object_reference>
>>>>       <object_reference>oval:gov.nist.fdcc.xp:obj:1142</object_reference>
>>>>     </set>
>>>>   </set>
>>>> </fileeffectiverights53_object>
>>>> 
>>>> You may want to run a single test on two (or more) different registry
>>>> locations.  It's the exact same test, so why duplicate it for each
>>>> registry entry?  Just UNION them together with a set!  I left in the
>>>> original objects in this example:
>>>> 
>>>> <registry_object
>>>>     xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows"
>>>>     id="oval:com.g2.temp:obj:20110504004" version="0"
>>>>     comment="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\8.0\Excel\InstallRoot!Path">
>>>>   <hive>HKEY_LOCAL_MACHINE</hive>
>>>>   <key>SOFTWARE\Microsoft\Office\8.0\Excel\InstallRoot</key>
>>>>   <name>Path</name>
>>>> </registry_object>
>>>> <registry_object
>>>>     xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows"
>>>>     id="oval:com.g2.temp:obj:20110509007" version="0"
>>>>     comment="HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\8.0\Excel\InstallRoot!Path">
>>>>   <hive>HKEY_LOCAL_MACHINE</hive>
>>>>   <key>SOFTWARE\Wow6432Node\Microsoft\Office\8.0\Excel\InstallRoot</key>
>>>>   <name>Path</name>
>>>> </registry_object>
>>>> <registry_object
>>>>     xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows"
>>>>     id="oval:com.g2.temp:obj:20110509008" version="0"
>>>>     comment="Excel 97 InstallRoot path">
>>>>   <set xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
>>>>     <object_reference>oval:com.g2.temp:obj:20110504004</object_reference>
>>>>     <object_reference>oval:com.g2.temp:obj:20110509007</object_reference>
>>>>   </set>
>>>> </registry_object>
>>>> 
>>>> Hope that helps!
>>>> 
>>>>> thnx.
>>>>> Peter.
>>>>> 
>>>>> On Thursday, May 26, 2011 06:09:09 PM David Jaccard wrote:
>>>>>> Hello!
>>>>>> 
>>>>>> I need to use a set and it looks like the union operator is not
>>>>>> removing duplicate entries from the final list of values.
>>>>>> 
>>>>>> http://oval.mitre.org/language/version5.6/ovaldefinition/documentation/oval-definitions-schema.html#SetOperatorEnumeration
>>>>>> 
>>>>>> and
>>>>>> 
>>>>>> openscap/src/OVAL/probes/probe/worker.c:593 ... ish.   :)
>>>>>> 
>>>>>> I would like to make a patch for you!  I did some digging and I don't
>>>>>> see a SEXP_list_* function for determining whether a particular value
>>>>>> is already in a set.  If you had one, it would be really easy to wrap
>>>>>> the call that adds the new value.  (Though I'm not sure about falling
>>>>>> through into the COMPLEMENT operation...  I've asked the OVAL list if
>>>>>> INTERSECTION and COMPLEMENT were to remove duplicates as well.)
>>>>>> 
>>>>>> What do you think?
>>>>>> 
>>>>>> - Dave Jaccard
>>>>>> DoD DREN/HPCMP
>>>>>> [contractor]
>>>>>> 
>>>>>> 
>>>>>> _______________________________________________
>>>>>> Open-scap-list mailing list
>>>>>> Open-scap-list at redhat.com
>>>>>> https://www.redhat.com/mailman/listinfo/open-scap-list
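
The set semantics Dave describes in the quoted thread (UNION, INTERSECTION and COMPLEMENT over object references, nested sets, and duplicate removal as required by SetOperatorEnumeration), worked through as an added example that is not part of this thread and not openscap or ovaldi code: a small Python evaluator that walks an OVAL <set> element and applies its operator to the items already collected for each referenced object. It takes one side of the open question in the thread as an assumption, keying duplicates on item values rather than on the id of the object that collected them, and it does not model <filter> children. The object ids are the ones from Dave's sid_sid_object example; the SID values attached to them are constructed for the example.

```python
"""Evaluate nested OVAL <set> elements over already-collected items.

Added example, not openscap code.  Assumption: items are compared by value,
so the same SID reached through two different objects counts once.
"""
import xml.etree.ElementTree as ET

OVAL_DEF = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
OVAL_WIN = OVAL_DEF + "#windows"


def _local(tag):
    """Strip the XML namespace from a tag: '{ns}set' -> 'set'."""
    return tag.rsplit("}", 1)[-1]


def _dedup(items):
    """Drop duplicate items, keeping each first occurrence's position."""
    return list(dict.fromkeys(items))


def evaluate_set(set_elem, collected):
    """Evaluate one <set> element.

    `collected` maps an object id to the list of items that object collected
    (hashable values, duplicates allowed).  Children may be <object_reference>
    or nested <set> elements; a missing set_operator means UNION.  The result
    never contains duplicates, whichever operator was applied.
    """
    operator = set_elem.get("set_operator", "UNION")
    operands = []
    for child in set_elem:
        name = _local(child.tag)
        if name == "object_reference":
            operands.append(collected.get(child.text.strip(), []))
        elif name == "set":
            operands.append(evaluate_set(child, collected))
        # <filter> children are not modelled in this example.
    if not operands:
        return []
    if operator == "UNION":
        result = [item for operand in operands for item in operand]
    elif operator == "INTERSECTION":
        result = [item for item in operands[0]
                  if all(item in other for other in operands[1:])]
    elif operator == "COMPLEMENT":
        # COMPLEMENT takes exactly two operands: items of the first that are
        # absent from the second.
        if len(operands) != 2:
            raise ValueError("COMPLEMENT needs exactly two operands")
        result = [item for item in operands[0] if item not in operands[1]]
    else:
        raise ValueError("unknown set_operator: %r" % operator)
    return _dedup(result)


def evaluate_xml(xml_text, collected):
    """Parse a bare <set> or an OVAL object that wraps one, and evaluate it."""
    root = ET.fromstring(xml_text)
    if _local(root.tag) == "set":
        return evaluate_set(root, collected)
    for child in root:
        if _local(child.tag) == "set":
            return evaluate_set(child, collected)
    raise ValueError("no <set> element found")


# Dave's nested sid_sid_object, with the object ids used in the thread.
SID_OBJECT = """\
<sid_sid_object xmlns="%s"
    id="oval:com.mcafee.rw.nist.fdcc.xp:obj:1123" version="1">
  <set xmlns="%s" set_operator="UNION">
    <set set_operator="UNION">
      <object_reference>oval:com.mcafee.rw.nist.fdcc.xp:obj:1132</object_reference>
      <object_reference>oval:com.mcafee.rw.nist.fdcc.xp:obj:1130</object_reference>
    </set>
    <set set_operator="UNION">
      <object_reference>oval:com.mcafee.rw.nist.fdcc.xp:obj:1131</object_reference>
    </set>
  </set>
</sid_sid_object>
""" % (OVAL_WIN, OVAL_DEF)

# Constructed SID items.  The overlap is deliberate: S-1-5-18 is reached through
# both 1132 and 1130, and S-1-5-32-544 through both 1130 and 1131, so a
# value-keyed union must report each exactly once.
SID_ITEMS = {
    "oval:com.mcafee.rw.nist.fdcc.xp:obj:1132": ["S-1-5-18"],                     # localsystem
    "oval:com.mcafee.rw.nist.fdcc.xp:obj:1130": ["S-1-5-32-544", "S-1-5-18"],      # admins
    "oval:com.mcafee.rw.nist.fdcc.xp:obj:1131": ["S-1-5-32-545", "S-1-5-32-544"],  # users
}


def demo():
    """Dave's numeric UNION example, then the nested sid_sid_object."""
    union = evaluate_xml(
        '<set set_operator="UNION"><object_reference>A</object_reference>'
        '<object_reference>B</object_reference></set>',
        {"A": [1, 1, 2, 2, 3, 3], "B": [2, 2, 3, 3, 4, 4]})
    return union, evaluate_xml(SID_OBJECT, SID_ITEMS)


if __name__ == "__main__":
    print(demo())
```

Keying on values is what makes the (1, 1, 2, 2, 3, 3) UNION (2, 2, 3, 3, 4, 4) case collapse to (1, 2, 3, 4); an evaluator that keys on object ids instead, as the thread notes ovaldi and worker.c do, would never see those two lists as overlapping. Changing the `collected` mapping and the XML string is enough to check any of the other set shapes in the thread, including the registry object whose <set> carries no set_operator.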
