[Open-scap] OpenSCAP 1.0.8 Issue ...

Trey Henefield trey.henefield at ultra-ats.com
Wed May 14 17:51:01 UTC 2014


Thanks Simon! That change does seem to provide the intended result.

For some reason, I had interpreted var_check to mean checking all or at least one of the values within the variable array. In this case, I want to check all values obtained, so it seemed appropriate.

Thank you for the clarification.

Best regards,
 

Trey Henefield, CISSP
Senior IAVA Engineer

Ultra Electronics
Advanced Tactical Systems, Inc.
4101 Smith School Road
Building IV, Suite 100
Austin, TX 78744 USA

Trey.Henefield at ultra-ats.com
Tel: +1 512 327 6795 ext. 647
Fax: +1 512 327 8043
Mobile: +1 512 541 6450

www.ultra-ats.com

-----Original Message-----
From: Simon Lukasik [mailto:slukasik at redhat.com] 
Sent: Wednesday, May 14, 2014 11:15 AM
To: Trey Henefield
Cc: open-scap-list at redhat.com
Subject: Re: [Open-scap] OpenSCAP 1.0.8 Issue ...

On 05/13/2014 09:14 PM, Trey Henefield wrote:
>
>
> All,
>
> I am testing the boundaries of SCAP content. I found numerous cases 
> where there is a need to perform a check on files referenced in a file.
>
> For example, checking the group owner for all files referenced in 
> /etc/shells.
>
> Here is the example code I have created for this purpose:
>
> #######################################
>
> <def-group>
>   <definition class="compliance" id="file_groupowner_shell_files" version="1">
>     <metadata>
>       <title>Test Rule</title>
>       <affected family="unix">
>         <platform>Red Hat Enterprise Linux 6</platform>
>       </affected>
>       <description>Rule for testing.</description>
>     </metadata>
>     <criteria>
>       <criterion test_ref="test_file_groupowner_shell_files" />
>     </criteria>
>   </definition>
>
>   <local_variable id="var_file_groupowner_shell_files_list"
>     comment="List of files referenced in /etc/shells" datatype="string" version="1">
>     <object_component item_field="subexpression"
>       object_ref="object_file_groupowner_shell_files_list" />
>   </local_variable>
>
>   <ind:textfilecontent54_object id="object_file_groupowner_shell_files_list" version="1">
>     <ind:filepath>/etc/shells</ind:filepath>
>     <ind:pattern operation="pattern match">^(/.*)$</ind:pattern>
>     <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
>   </ind:textfilecontent54_object>
>
>   <unix:file_test check="all" check_existence="all_exist"
>     comment="Testing group owner" id="test_file_groupowner_shell_files" version="1">
>     <unix:object object_ref="object_file_groupowner_shell_files" />
>     <unix:state state_ref="state_file_groupowner_shell_files" />
>   </unix:file_test>
>
>   <unix:file_object comment="List of files referenced in /etc/shells"
>     id="object_file_groupowner_shell_files" version="1">
>     <unix:filepath var_ref="var_file_groupowner_shell_files_list" var_check="all" />
>   </unix:file_object>
>
>   <unix:file_state id="state_file_groupowner_shell_files" version="1">
>     <unix:group_id datatype="int">0</unix:group_id>
>   </unix:file_state>
> </def-group>
>
> #######################################
>
> The above code works properly when used with SCC v3.1.2.
>
> However when using OpenSCAP v1.0.8, it fails on validating the 
> existence of the files referenced through the local_variable.
>
> I have tested both pass and fail cases with SCC. I have also tried 
> changing "all_exist" to "any_exist", but that results in no files getting 
> checked in OpenSCAP because it does not detect them as existing. I 
> have enabled "--oval-results" and can see the local_variable getting 
> properly populated as the following:
>
>   <object id="oval:ssg:obj:121" version="1" flag="does not exist">
>     <variable_value variable_id="oval:ssg:var:124">/bin/sh</variable_value>
>     <variable_value variable_id="oval:ssg:var:124">/bin/bash</variable_value>
>     <variable_value variable_id="oval:ssg:var:124">/sbin/nologin</variable_value>
>     <variable_value variable_id="oval:ssg:var:124">/bin/dash</variable_value>
>     <variable_value variable_id="oval:ssg:var:124">/bin/tcsh</variable_value>
>     <variable_value variable_id="oval:ssg:var:124">/bin/csh</variable_value>
>   </object>
>
> Is this a bug in 1.0.8?
>

Hello Trey,

Thank you for checking with us. After a while of head scratching I can confirm that this is *not* a bug in OpenSCAP. This content should always evaluate to false. So the result=false is expected and correct behavior.

If any other scanner evaluates this content to true, please file a bug against that particular scanner.

The problem is in your content. Instead of clause

     var_check="all"

please make use of

     var_check="at least one"

and you will get the expected behavior. For more information please consult the documentation regarding 'var_check' at

http://oval.mitre.org/language/version5.10.1/ovaldefinition/documentation/oval-definitions-schema.html

Best regards,

--
Simon Lukasik
Security Technologies, Red Hat, Inc.

Disclaimer
The information contained in this communication from trey.henefield at ultra-ats.com sent at 2014-05-14 13:51:04 is confidential and may be legally privileged.
It is intended solely for use by open-scap-list at redhat.com and others authorized to receive it. If you are not open-scap-list at redhat.com you are hereby notified that
any disclosure, copying, distribution or taking action in reliance of the contents of this information is strictly prohibited and may be unlawful.
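The var_check semantics Simon points to, as an added example that is not part of the thread and not OpenSCAP's own code: a small Python model of how an OVAL object entity driven by a variable collects items under each var_check value, followed by the file_test logic run over the collected items. The /etc/shells text and the path-to-gid table are constructed here; the real filesystem is not touched, and the function names are this example's own. What it shows: once the variable holds more than one distinct path, var_check="all" on the filepath entity can never be satisfied by a single file, so no items are collected and the object is flagged "does not exist", the flag seen in the quoted results; "at least one" collects one item per path, and the test then passes or fails on the group owner of each listed shell.

```python
"""Model of OVAL var_check on an object entity fed by a variable.

Added example for the thread above; not from the original post and not
OpenSCAP code. It models the OVAL 5.10 CheckEnumeration fold used when an
object entity carries var_ref/var_check, with constructed inputs.
"""
import re

# Constructed /etc/shells content (not taken from the original post).
ETC_SHELLS = """# /etc/shells: valid login shells
/bin/sh
/bin/bash
/sbin/nologin
/bin/dash
"""

# Constructed stat table: filepath -> group id. Stands in for the host.
FAKE_STAT = {
    "/bin/sh": 0,
    "/bin/bash": 0,
    "/sbin/nologin": 0,
    "/bin/dash": 0,
    "/bin/zsh": 0,  # present on the host but not listed in /etc/shells
}

# The pattern from the textfilecontent54_object in the post.
SUBEXPRESSION = re.compile(r"^(/.*)$", re.M)


def local_variable_values(text):
    """textfilecontent54_object + item_field="subexpression": one variable
    value per matching line, taken from the capture group."""
    return SUBEXPRESSION.findall(text)


def entity_matches(item_value, var_values, var_check):
    """Compare one item's entity value against every variable value with
    operation="equals" and fold the results per var_check."""
    results = [item_value == v for v in var_values]
    if var_check == "all":
        return all(results)            # a single path equals *every* value
    if var_check == "at least one":
        return any(results)            # a single path equals *some* value
    if var_check == "only one":
        return results.count(True) == 1
    if var_check == "none satisfy":
        return not any(results)
    raise ValueError("unknown var_check: %r" % var_check)


def collect_file_items(var_values, var_check, stat_table):
    """file_object: keep every (filepath, gid) whose filepath entity
    satisfies the variable under var_check."""
    return {path: gid for path, gid in stat_table.items()
            if entity_matches(path, var_values, var_check)}


def file_test(items, expected_gid, check="all", check_existence="all_exist"):
    """file_test: existence check first, then the state check over items."""
    if check_existence == "all_exist" and not items:
        return False                   # object flag would be "does not exist"
    state = [gid == expected_gid for gid in items.values()]
    if check == "all":
        return all(state)
    if check == "at least one":
        return any(state)
    raise ValueError("unknown check: %r" % check)


def evaluate(var_check, shells_text=ETC_SHELLS, stat_table=FAKE_STAT):
    """Run the whole chain for one var_check value and report what happened."""
    values = local_variable_values(shells_text)
    items = collect_file_items(values, var_check, stat_table)
    return {
        "values": values,
        "items": sorted(items),
        "result": file_test(items, expected_gid=0),
    }


if __name__ == "__main__":
    for mode in ("all", "at least one"):
        print(mode, evaluate(mode))
```

Compare evaluate("all") with evaluate("at least one"); then pass a copy of FAKE_STAT with "/bin/dash" mapped to gid 1 to evaluate("at least one", stat_table=...) to see the fail case, where the item set is the same four shells but the state check on group_id rejects one of them.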