[Open-scap] OpenSCAP 1.0.8 Issue ...

Trey Henefield trey.henefield at ultra-ats.com
Tue May 13 22:10:56 UTC 2014


Resubmitted to include the resulting oval files for this check.

All,

I am testing the boundaries of SCAP content. I found numerous cases where there is a need to perform a check on files referenced in a file.

For example, checking the group owner for all files referenced in /etc/shells.

Here is the example code I have created for this purpose:

#######################################

<def-group>
  <definition class="compliance" id="file_groupowner_shell_files" version="1">
    <metadata>
      <title>Test Rule</title>
      <affected family="unix">
        <platform>Red Hat Enterprise Linux 6</platform>
      </affected>
      <description>Rule for testing.</description>
    </metadata>
    <criteria>
      <criterion test_ref="test_file_groupowner_shell_files" />
    </criteria>
  </definition>

  <local_variable id="var_file_groupowner_shell_files_list" comment="List of files referenced in /etc/shells" datatype="string" version="1">
    <object_component item_field="subexpression" object_ref="object_file_groupowner_shell_files_list" />
  </local_variable>
  <ind:textfilecontent54_object id="object_file_groupowner_shell_files_list" version="1">
    <ind:filepath>/etc/shells</ind:filepath>
    <ind:pattern operation="pattern match">^(/.*)$</ind:pattern>
    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
  </ind:textfilecontent54_object>

  <unix:file_test check="all" check_existence="all_exist" comment="Testing group owner" id="test_file_groupowner_shell_files" version="1">
    <unix:object object_ref="object_file_groupowner_shell_files" />
    <unix:state state_ref="state_file_groupowner_shell_files" />
  </unix:file_test>
  <unix:file_object comment="List of files referenced in /etc/shells" id="object_file_groupowner_shell_files" version="1">
    <unix:filepath var_ref="var_file_groupowner_shell_files_list" var_check="all" />
  </unix:file_object>
  <unix:file_state id="state_file_groupowner_shell_files" version="1">
    <unix:group_id datatype="int">0</unix:group_id>
  </unix:file_state>

</def-group>


#######################################

The above code works properly when used with SCC v3.1.2.

However when using OpenSCAP v1.0.8, it fails on validating the existence of the files referenced through the local_variable.

I have tested both pass and fail cases with SCC. I have also tried changing "all_exist" to "any_exist", but this results in no files getting checked in OpenSCAP because it does not detect them as existing. I have enabled "--oval-results" and can see the local_variable getting properly populated as the following:

          <object id="oval:ssg:obj:121" version="1" flag="does not exist">
            <variable_value variable_id="oval:ssg:var:124">/bin/sh</variable_value>
            <variable_value variable_id="oval:ssg:var:124">/bin/bash</variable_value>
            <variable_value variable_id="oval:ssg:var:124">/sbin/nologin</variable_value>
            <variable_value variable_id="oval:ssg:var:124">/bin/dash</variable_value>
            <variable_value variable_id="oval:ssg:var:124">/bin/tcsh</variable_value>
            <variable_value variable_id="oval:ssg:var:124">/bin/csh</variable_value>
          </object>

Is this a bug in 1.0.8?

Best regards,


Trey Henefield, CISSP
Senior IAVA Engineer

Ultra Electronics
Advanced Tactical Systems, Inc.
4101 Smith School Road
Building IV, Suite 100
Austin, TX 78744 USA

Trey.Henefield at ultra-ats.com
Tel: +1 512 327 6795 ext. 647
Fax: +1 512 327 8043
Mobile: +1 512 541 6450

www.ultra-ats.com
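As an added, independent check (Python written for this note, not part of the post, of OpenSCAP or of SCC): it applies the same /etc/shells pattern, collects the subexpression the way the local_variable does, and then evaluates the file_test semantics (check_existence="all_exist", check="all", group_id 0) by stat'ing each file directly, so a scanner's verdict can be compared against the filesystem. The sample /etc/shells text and the stat_table helper are constructed for illustration.

```python
import os
import re
from types import SimpleNamespace

# Same regex as the OVAL textfilecontent54_object pattern: one absolute path per line.
SHELL_LINE = re.compile(r"^(/.*)$")

# Constructed sample of /etc/shells content (not taken from the post).
SAMPLE_ETC_SHELLS = """# /etc/shells: valid login shells
/bin/sh
/bin/bash
/sbin/nologin
/bin/dash
/bin/tcsh
/bin/csh
"""

def referenced_files(text):
    """Mirror the local_variable: the subexpression (group 1) of each matching line."""
    return [m.group(1) for m in map(SHELL_LINE.match, text.splitlines()) if m]

def evaluate(paths, expected_gid=0, stat_fn=os.stat):
    """Emulate unix:file_test with check="all" and check_existence="all_exist":
    every file from the variable must exist and every one must have the expected gid.
    Returns ("true" | "false", {path: verdict}) the way an OVAL result would."""
    verdicts = {}
    for path in paths:
        try:
            st = stat_fn(path)
        except FileNotFoundError:
            verdicts[path] = "does not exist"
            continue
        verdicts[path] = "pass" if st.st_gid == expected_gid else "fail (gid %d)" % st.st_gid
    all_exist = all(v != "does not exist" for v in verdicts.values())
    all_match = all(v == "pass" for v in verdicts.values())
    return ("true" if verdicts and all_exist and all_match else "false"), verdicts

def stat_table(gids):
    """Hypothetical helper: build a stat-like function from {path: gid} so the
    logic can be exercised without touching the real filesystem."""
    def fake_stat(path):
        if path not in gids:
            raise FileNotFoundError(path)
        return SimpleNamespace(st_gid=gids[path])
    return fake_stat

if __name__ == "__main__":
    # Run against the real filesystem and compare with the scanner's verdict.
    result, detail = evaluate(referenced_files(SAMPLE_ETC_SHELLS))
    print(result, detail)
```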
