Moreno Gontijo
Hi,
I found a bug while trying to collect effective rights using "fileeffectiverights53" on Windows. The file to be collected is at.exe (C:\Windows\system32\at.exe). I tried to collect for 3 SIDs: S-1-5-32-544 (Administrators), S-1-5-18 (System), S-1-5-32-545 (Users). I changed the permissions of the file at.exe as below:

Administrators - read & execute.
System - read & execute.
Users - read & execute.

But after the collection, the line "<standard_write_dac datatype="boolean">" is different for the 3 SIDs:

S-1-5-32-544 was: <standard_write_dac datatype="boolean">1</standard_write_dac>
S-1-5-18 was: <standard_write_dac datatype="boolean">1</standard_write_dac>
S-1-5-32-545 was: <standard_write_dac datatype="boolean">0</standard_write_dac>

See below:

<fileeffectiverights_item id="253" xmlns="http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#windows">
  <path>C:\Windows\system32</path>
  <filename>at.exe</filename>
  <trustee_sid>S-1-5-32-544</trustee_sid>
  <standard_delete datatype="boolean">0</standard_delete>
  <standard_read_control datatype="boolean">1</standard_read_control>
  <standard_write_dac datatype="boolean">1</standard_write_dac>
  <standard_write_owner datatype="boolean">0</standard_write_owner>
  <standard_synchronize datatype="boolean">1</standard_synchronize>
  <access_system_security datatype="boolean">0</access_system_security>
  <generic_read datatype="boolean">1</generic_read>
  <generic_write datatype="boolean">0</generic_write>
  <generic_execute datatype="boolean">1</generic_execute>
  <generic_all datatype="boolean">1</generic_all>
  <file_read_data datatype="boolean">1</file_read_data>
  <file_write_data datatype="boolean">0</file_write_data>
  <file_append_data datatype="boolean">0</file_append_data>
  <file_read_ea datatype="boolean">1</file_read_ea>
  <file_write_ea datatype="boolean">0</file_write_ea>
  <file_execute datatype="boolean">1</file_execute>
  <file_delete_child datatype="boolean">0</file_delete_child>
  <file_read_attributes datatype="boolean">1</file_read_attributes>
  <file_write_attributes datatype="boolean">0</file_write_attributes>
</fileeffectiverights_item>

<fileeffectiverights_item id="254" xmlns="http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#windows">
  <path>C:\Windows\system32</path>
  <filename>at.exe</filename>
  <trustee_sid>S-1-5-18</trustee_sid>
  <standard_delete datatype="boolean">0</standard_delete>
  <standard_read_control datatype="boolean">1</standard_read_control>
  <standard_write_dac datatype="boolean">1</standard_write_dac>
  <standard_write_owner datatype="boolean">0</standard_write_owner>
  <standard_synchronize datatype="boolean">1</standard_synchronize>
  <access_system_security datatype="boolean">0</access_system_security>
  <generic_read datatype="boolean">1</generic_read>
  <generic_write datatype="boolean">0</generic_write>
  <generic_execute datatype="boolean">1</generic_execute>
  <generic_all datatype="boolean">1</generic_all>
  <file_read_data datatype="boolean">1</file_read_data>
  <file_write_data datatype="boolean">0</file_write_data>
  <file_append_data datatype="boolean">0</file_append_data>
  <file_read_ea datatype="boolean">1</file_read_ea>
  <file_write_ea datatype="boolean">0</file_write_ea>
  <file_execute datatype="boolean">1</file_execute>
  <file_delete_child datatype="boolean">0</file_delete_child>
  <file_read_attributes datatype="boolean">1</file_read_attributes>
  <file_write_attributes datatype="boolean">0</file_write_attributes>
</fileeffectiverights_item>

<fileeffectiverights_item id="255" xmlns="http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#windows">
  <path>C:\Windows\system32</path>
  <filename>at.exe</filename>
  <trustee_sid>S-1-5-32-545</trustee_sid>
  <standard_delete datatype="boolean">0</standard_delete>
  <standard_read_control datatype="boolean">1</standard_read_control>
  <standard_write_dac datatype="boolean">0</standard_write_dac>
  <standard_write_owner datatype="boolean">0</standard_write_owner>
  <standard_synchronize datatype="boolean">1</standard_synchronize>
  <access_system_security datatype="boolean">0</access_system_security>
  <generic_read datatype="boolean">1</generic_read>
  <generic_write datatype="boolean">0</generic_write>
  <generic_execute datatype="boolean">1</generic_execute>
  <generic_all datatype="boolean">1</generic_all>
  <file_read_data datatype="boolean">1</file_read_data>
  <file_write_data datatype="boolean">0</file_write_data>
  <file_append_data datatype="boolean">0</file_append_data>
  <file_read_ea datatype="boolean">1</file_read_ea>
  <file_write_ea datatype="boolean">0</file_write_ea>
  <file_execute datatype="boolean">1</file_execute>
  <file_delete_child datatype="boolean">0</file_delete_child>
  <file_read_attributes datatype="boolean">1</file_read_attributes>
  <file_write_attributes datatype="boolean">0</file_write_attributes>
</fileeffectiverights_item>

To unsubscribe, send an email message to [hidden email] with SIGNOFF OVAL-DEVELOPER-LIST in the BODY of the message. If you have difficulties, write to [hidden email].

Moreno Lucas Gontijo
moreno@mindsatwork.com.br
Minds at Work Information technology
http://www.mindsatwork.com.br
Danny Haynes
Hi Moreno,

When reporting a bug for the OVAL Interpreter, it is best to submit the bug to the SourceForge project site at http://sourceforge.net/tracker/?group_id=215469&atid=1033794 because it is very easy to lose bugs on the oval-discussion-list. It also makes it much easier for us because everything is in one place.

Also, to make troubleshooting your issue easier, would you mind posting your OVAL definition? That way we can reproduce the issue and see exactly what you are doing.

Thanks,
Danny
Moreno Gontijo
Hi Danny,
I'll submit the bug to SourceForge too. Below is my OVAL definition:

<?xml version="1.0" encoding="ISO-8859-1"?>
<oval_definitions xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows windows-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd"
                  xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                  xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5"
                  xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <generator>
    <oval:product_name>The OVAL Repository</oval:product_name>
    <oval:schema_version>5.5</oval:schema_version>
    <oval:timestamp>2009-07-20T21:13:42.715-04:00</oval:timestamp>
  </generator>
  <!-- ========================================= -->
  <!-- ========== 1. DEFINITIONS ========== -->
  <!-- ========================================= -->
  <definitions>
    <definition id="oval:gov.nist.fdcc.win2008:def:35984" version="1" class="compliance">
      <metadata>
        <title>The effective rights to file "%SystemRoot%\system32\at.exe" should be read and execute</title>
        <description>The effective rights to file "%SystemRoot%\system32\at.exe" should be read and execute</description>
      </metadata>
      <criteria>
        <criterion test_ref="oval:gov.nist.fdcc.win2008:tst:35984" comment="%SystemRoot%\system32\at.exe - Read and Execute permission"/>
      </criteria>
    </definition>
  </definitions>
  <!-- ========================================= -->
  <!-- ========== 2. TESTS ========== -->
  <!-- ========================================= -->
  <tests>
    <!-- Corrected: the test element must match the referenced object/state type (the posted file used registry_test here) -->
    <fileeffectiverights53_test id="oval:gov.nist.fdcc.win2008:tst:35984" version="1" comment="Coletar as permissões do %SystemRoot%\system32\at.exe" check_existence="all_exist" check="all" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <object object_ref="oval:gov.nist.fdcc.win2008:obj:35984"/>
      <state state_ref="oval:gov.nist.fdcc.win2008:ste:4112"/>
    </fileeffectiverights53_test>
  </tests>
  <!-- ========================================= -->
  <!-- ========== 3. OBJECTS ========== -->
  <!-- ========================================= -->
  <objects>
    <fileeffectiverights53_object id="oval:gov.nist.fdcc.win2008:obj:35984" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <set xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" set_operator="UNION">
        <set>
          <object_reference>oval:gov.nist.fdcc.win2008:obj:3598401</object_reference>
          <object_reference>oval:gov.nist.fdcc.win2008:obj:3598402</object_reference>
        </set>
        <set>
          <object_reference>oval:gov.nist.fdcc.win2008:obj:3598403</object_reference>
        </set>
      </set>
    </fileeffectiverights53_object>
    <fileeffectiverights53_object id="oval:gov.nist.fdcc.win2008:obj:3598401" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <path datatype="string" var_ref="oval:gov.nist.fdcc.win2008:var:5111"/>
      <filename>at.exe</filename>
      <trustee_sid operation="pattern match">S-1-5-32-544</trustee_sid>
    </fileeffectiverights53_object>
    <fileeffectiverights53_object id="oval:gov.nist.fdcc.win2008:obj:3598402" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <path datatype="string" var_ref="oval:gov.nist.fdcc.win2008:var:5111"/>
      <filename>at.exe</filename>
      <trustee_sid operation="pattern match">S-1-5-18</trustee_sid>
    </fileeffectiverights53_object>
    <fileeffectiverights53_object id="oval:gov.nist.fdcc.win2008:obj:3598403" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <path datatype="string" var_ref="oval:gov.nist.fdcc.win2008:var:5111"/>
      <filename>at.exe</filename>
      <trustee_sid operation="pattern match">S-1-5-32-545</trustee_sid>
    </fileeffectiverights53_object>
    <!-- Added: var:5111 below references obj:1001, which was missing from this posting (it is the SystemRoot registry value) -->
    <registry_object id="oval:gov.nist.fdcc.win2008:obj:1001" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <hive>HKEY_LOCAL_MACHINE</hive>
      <key>SOFTWARE\Microsoft\Windows NT\CurrentVersion</key>
      <name>SystemRoot</name>
    </registry_object>
  </objects>
  <!-- ========================================= -->
  <!-- ========== 4. STATES ========== -->
  <!-- ========================================= -->
  <states>
    <fileeffectiverights53_state id="oval:gov.nist.fdcc.win2008:ste:4112" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows" comment="Permissão Read and Execute">
      <standard_delete datatype="boolean">0</standard_delete>
      <standard_read_control datatype="boolean">1</standard_read_control>
      <standard_write_dac datatype="boolean">0</standard_write_dac>
      <standard_write_owner datatype="boolean">0</standard_write_owner>
      <standard_synchronize datatype="boolean">1</standard_synchronize>
      <file_read_data datatype="boolean">1</file_read_data>
      <file_write_data datatype="boolean">0</file_write_data>
      <file_append_data datatype="boolean">0</file_append_data>
      <file_read_ea datatype="boolean">1</file_read_ea>
      <file_write_ea datatype="boolean">0</file_write_ea>
      <file_execute datatype="boolean">1</file_execute>
      <file_delete_child datatype="boolean">0</file_delete_child>
      <file_read_attributes datatype="boolean">1</file_read_attributes>
      <file_write_attributes datatype="boolean">0</file_write_attributes>
    </fileeffectiverights53_state>
  </states>
  <!-- ========================================= -->
  <!-- =========== 5. VARIABLES ============ -->
  <!-- ========================================= -->
  <variables>
    <local_variable id="oval:gov.nist.fdcc.win2008:var:5111" version="1" comment="Concantena o system Root + \system32 " datatype="string">
      <concat>
        <object_component object_ref="oval:gov.nist.fdcc.win2008:obj:1001" item_field="value"/>
        <literal_component>\system32</literal_component>
      </concat>
    </local_variable>
  </variables>
</oval_definitions>

Thanks,
Moreno
Moreno Gontijo
Here is my definitions.xml

On Fri, Oct 2, 2009 at 4:21 PM, Haynes, Dan <[hidden email]> wrote:

--
----------------------------------------------------------------
Moreno Lucas Gontijo
[hidden email]
Minds at Work Tecnologia da Informação
http://www.mindsatwork.com.br
----------------------------------------------------------------
The information transmitted is intended only for the person or entity to whom it is addressed and may contain confidential, legally protected information for the exclusive knowledge of the recipient. If the reader of this notice is not the intended recipient, be aware that reading, disclosing, distributing or copying it is strictly prohibited. If this message was received in error, please notify the sender and delete the text from your computer.

<?xml version="1.0" encoding="ISO-8859-1"?>
<oval_definitions xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows windows-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd"
                  xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                  xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5"
                  xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <generator>
    <oval:product_name>The OVAL Repository</oval:product_name>
    <oval:schema_version>5.5</oval:schema_version>
    <oval:timestamp>2009-07-20T21:13:42.715-04:00</oval:timestamp>
  </generator>
  <!-- ========================================= -->
  <!-- ========== 1. DEFINITIONS ========== -->
  <!-- ========================================= -->
  <definitions>
    <definition id="oval:gov.nist.fdcc.win2008:def:35984" version="1" class="compliance">
      <metadata>
        <title>The effective rights to file "%SystemRoot%\system32\at.exe" should be read and execute</title>
        <description>The effective rights to file "%SystemRoot%\system32\at.exe" should be read and execute</description>
      </metadata>
      <criteria>
        <criterion test_ref="oval:gov.nist.fdcc.win2008:tst:35984" comment="%SystemRoot%\system32\at.exe - Read and Execute permission"/>
      </criteria>
    </definition>
  </definitions>
  <!-- ========================================= -->
  <!-- ========== 2. TESTS ========== -->
  <!-- ========================================= -->
  <tests>
    <!-- Corrected: the test element must match the referenced object/state type (the posted file used registry_test here) -->
    <fileeffectiverights53_test id="oval:gov.nist.fdcc.win2008:tst:35984" version="1" comment="Coletar as permissões do %SystemRoot%\system32\at.exe" check_existence="all_exist" check="all" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <object object_ref="oval:gov.nist.fdcc.win2008:obj:35984"/>
      <state state_ref="oval:gov.nist.fdcc.win2008:ste:4112"/>
    </fileeffectiverights53_test>
  </tests>
  <!-- ========================================= -->
  <!-- ========== 3. OBJECTS ========== -->
  <!-- ========================================= -->
  <objects>
    <fileeffectiverights53_object id="oval:gov.nist.fdcc.win2008:obj:35984" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <set xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" set_operator="UNION">
        <set>
          <object_reference>oval:gov.nist.fdcc.win2008:obj:3598401</object_reference>
          <object_reference>oval:gov.nist.fdcc.win2008:obj:3598402</object_reference>
        </set>
        <set>
          <object_reference>oval:gov.nist.fdcc.win2008:obj:3598403</object_reference>
        </set>
      </set>
    </fileeffectiverights53_object>
    <fileeffectiverights53_object id="oval:gov.nist.fdcc.win2008:obj:3598401" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <path datatype="string" var_ref="oval:gov.nist.fdcc.win2008:var:5111"/>
      <filename>at.exe</filename>
      <trustee_sid operation="pattern match">S-1-5-32-544</trustee_sid>
    </fileeffectiverights53_object>
    <fileeffectiverights53_object id="oval:gov.nist.fdcc.win2008:obj:3598402" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <path datatype="string" var_ref="oval:gov.nist.fdcc.win2008:var:5111"/>
      <filename>at.exe</filename>
      <trustee_sid operation="pattern match">S-1-5-18</trustee_sid>
    </fileeffectiverights53_object>
    <fileeffectiverights53_object id="oval:gov.nist.fdcc.win2008:obj:3598403" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <path datatype="string" var_ref="oval:gov.nist.fdcc.win2008:var:5111"/>
      <filename>at.exe</filename>
      <trustee_sid operation="pattern match">S-1-5-32-545</trustee_sid>
    </fileeffectiverights53_object>
    <registry_object id="oval:gov.nist.fdcc.win2008:obj:1001" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <hive>HKEY_LOCAL_MACHINE</hive>
      <key>SOFTWARE\Microsoft\Windows NT\CurrentVersion</key>
      <name>SystemRoot</name>
    </registry_object>
  </objects>
  <!-- ========================================= -->
  <!-- ========== 4. STATES ========== -->
  <!-- ========================================= -->
  <states>
    <fileeffectiverights53_state id="oval:gov.nist.fdcc.win2008:ste:4112" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows" comment="Permissão Read and Execute">
      <standard_delete datatype="boolean">0</standard_delete>
      <standard_read_control datatype="boolean">1</standard_read_control>
      <standard_write_dac datatype="boolean">0</standard_write_dac>
      <standard_write_owner datatype="boolean">0</standard_write_owner>
      <standard_synchronize datatype="boolean">1</standard_synchronize>
      <file_read_data datatype="boolean">1</file_read_data>
      <file_write_data datatype="boolean">0</file_write_data>
      <file_append_data datatype="boolean">0</file_append_data>
      <file_read_ea datatype="boolean">1</file_read_ea>
      <file_write_ea datatype="boolean">0</file_write_ea>
      <file_execute datatype="boolean">1</file_execute>
      <file_delete_child datatype="boolean">0</file_delete_child>
      <file_read_attributes datatype="boolean">1</file_read_attributes>
      <file_write_attributes datatype="boolean">0</file_write_attributes>
    </fileeffectiverights53_state>
  </states>
  <!-- ========================================= -->
  <!-- =========== 5. VARIABLES ============ -->
  <!-- ========================================= -->
  <variables>
    <local_variable id="oval:gov.nist.fdcc.win2008:var:5111" version="1" comment="Concantena o system Root + \system32 " datatype="string">
      <concat>
        <object_component object_ref="oval:gov.nist.fdcc.win2008:obj:1001" item_field="value"/>
        <literal_component>\system32</literal_component>
      </concat>
    </local_variable>
  </variables>
</oval_definitions>
Danny Haynes
Hi Moreno,

When I changed the permissions to 'read and execute' on at.exe for the Administrators, System, and Users accounts, I received the same results as you. However, I do not believe this is a bug in the OVAL Interpreter, but rather a result of the Administrators group being the owner of the at.exe file (at least on my system). Prior to Windows Server 2008 and Windows Vista, the owner is given the read control and write_dac permissions over the object, which is why the write_dac permission would have remained enabled even though the permissions were changed to allow only 'read and execute'. Please see http://msdn.microsoft.com/en-us/magazine/cc982153.aspx for more information.

When I changed the owner of the at.exe file to my user account, rather than the Administrators group, your definition returned true and the write_dac permission was disabled for all three accounts. You can change the owner of a file by right-clicking the file and selecting Properties->Security->Advanced->Owner and then selecting a new owner from the list of possible owners.

Let me know if that doesn't resolve your issue.

Thanks,
Danny
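The following Python model is an added illustration of the effect Danny describes, not code from the OVAL Interpreter: every ACE on at.exe grants only read & execute, yet any trustee whose token contains the owner SID also receives the implicit owner rights READ_CONTROL | WRITE_DAC, so standard_write_dac is reported as 1 for Administrators and System while Users stays 0, and changing the owner to a user account clears it for all three. It assumes that the LocalSystem token carries BUILTIN\Administrators (which is why S-1-5-18 showed 1), and the user-account owner SID is a constructed placeholder.

```python
# Model of why fileeffectiverights reports standard_write_dac=1 for the owner even
# when every ACE grants only "read & execute". Added illustration, not ovaldi code.
# Assumptions: the implicit owner rule (READ_CONTROL | WRITE_DAC) applies to any
# trustee whose token holds the owner SID, and the LocalSystem token holds
# BUILTIN\Administrators. Access-mask values are the WinNT.h constants.

FILE_READ_DATA       = 0x0001
FILE_WRITE_DATA      = 0x0002
FILE_READ_EA         = 0x0008
FILE_EXECUTE         = 0x0020
FILE_READ_ATTRIBUTES = 0x0080
READ_CONTROL         = 0x00020000
WRITE_DAC            = 0x00040000
SYNCHRONIZE          = 0x00100000

# What the Explorer "Read & execute" checkbox writes: FILE_GENERIC_READ | FILE_GENERIC_EXECUTE
READ_AND_EXECUTE = (READ_CONTROL | SYNCHRONIZE | FILE_READ_DATA | FILE_READ_EA
                    | FILE_READ_ATTRIBUTES | FILE_EXECUTE)

ADMINISTRATORS, SYSTEM, USERS = "S-1-5-32-544", "S-1-5-18", "S-1-5-32-545"
SOME_USER = "S-1-5-21-0-0-0-1001"  # constructed placeholder for Danny's own user account

# Constructed token group membership (assumption: LocalSystem carries Administrators).
TOKEN_GROUPS = {
    ADMINISTRATORS: {ADMINISTRATORS},
    SYSTEM: {SYSTEM, ADMINISTRATORS},
    USERS: {USERS},
    SOME_USER: {SOME_USER, USERS},
}

# The DACL Moreno set on at.exe: read & execute for all three trustees (constructed).
AT_EXE_DACL = [(ADMINISTRATORS, READ_AND_EXECUTE),
               (SYSTEM, READ_AND_EXECUTE),
               (USERS, READ_AND_EXECUTE)]

def effective_mask(owner_sid, dacl, trustee_sid):
    """OR the allow-ACE masks that apply to the trustee's groups, then add the
    implicit owner rights if the trustee's token contains the owner SID."""
    groups = TOKEN_GROUPS.get(trustee_sid, {trustee_sid})
    mask = 0
    for ace_sid, ace_mask in dacl:
        if ace_sid in groups:
            mask |= ace_mask
    if owner_sid in groups:
        mask |= READ_CONTROL | WRITE_DAC
    return mask

def rights_item(owner_sid, dacl, trustee_sid):
    """The subset of fileeffectiverights_item booleans the thread compares."""
    m = effective_mask(owner_sid, dacl, trustee_sid)
    return {"standard_read_control": bool(m & READ_CONTROL),
            "standard_write_dac": bool(m & WRITE_DAC),
            "file_execute": bool(m & FILE_EXECUTE),
            "file_write_data": bool(m & FILE_WRITE_DATA)}

def write_dac_by_trustee(owner_sid):
    """standard_write_dac for the three SIDs in Moreno's definition, given the file owner."""
    return {sid: rights_item(owner_sid, AT_EXE_DACL, sid)["standard_write_dac"]
            for sid in (ADMINISTRATORS, SYSTEM, USERS)}

if __name__ == "__main__":
    print(write_dac_by_trustee(ADMINISTRATORS))  # owner = Administrators: True, True, False
    print(write_dac_by_trustee(SOME_USER))       # owner = a user account: False, False, False
```

The state in Moreno's definition requires standard_write_dac=0, so with Administrators as owner the test can only pass for S-1-5-32-545; the model shows the DACL itself is not the cause.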
Moreno Gontijo
Hi Danny,
After seeing http://msdn.microsoft.com/en-us/magazine/cc982153.aspx, I agree that it is not a bug in Ovaldi. Thank you for helping me.

Moreno.

On Mon, Oct 5, 2009 at 3:01 PM, Haynes, Dan <[hidden email]> wrote: