Default key in registry issue

Hi,

I’ve been testing the latest version of OvalDI (5.6.1) on Windows XP and collecting some objects with it.

I found some results differences on my machine between versions 5.5.23 and 5.6.1 when running the following oval description:

--------------------------------------------------------

<?xml version="1.0" encoding="ISO8859-1"?>

<oval_definitions xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows windows-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5">

  <generator>

    <oval:product_name>The OVAL Repository</oval:product_name>

    <oval:schema_version>5.6</oval:schema_version>

    <oval:timestamp>2009-07-20T21:13:42.715-04:00</oval:timestamp>

  </generator>

<objects>

    <registry_object

                id="oval:test.win:obj:10000" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">

      <hive>HKEY_LOCAL_MACHINE</hive>

      <key>Software\Classes\regfile\shell\open\command</key>

      <name></name>

    </registry_object>

</objects>

</oval_definitions>

--------------------------------------------------------

Here is the <system_data> tag from system_characteristics file for Ovaldi 5.6.1:

<system_data>

    <registry_item id="1" xmlns="http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#windows">

      <hive>HKEY_LOCAL_MACHINE</hive>

      <key>Software\Classes\regfile\shell\open\command</key>

    </registry_item>

  </system_data>

And here’s for Ovaldi 5.5.23:

<system_data>

    <registry_item id="1" xmlns="http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#windows">

      <hive>HKEY_LOCAL_MACHINE</hive>

      <key>Software\Classes\regfile\shell\open\command</key>

      <name/>

      <type>reg_sz</type>

      <value>regedit.exe "%1"</value>

    </registry_item>

  </system_data>

Ovaldi 5.5.23 collected the (Default) key in registry, but 5.6.1 did not. Did anyone face problems with this too?

Thanks in advance,

Sergio Camara

Modulo Security – Solutions for GRC

                Hi Sergio,

                The results from ovaldi-5.5.23 are correct.  This is a bug in the OVAL Interpreter that must have been introduced when the registry probe was modified to accommodate behaviors.    We should be able to address this bug within the next couple of weeks.

                Thanks,

                Danny

Hi,

I’ve been testing the latest version of OvalDI (5.6.1) on Windows XP and collecting some objects with it.

I found some results differences on my machine between versions 5.5.23 and 5.6.1 when running the following oval description:

--------------------------------------------------------

<?xml version="1.0" encoding="ISO8859-1"?>

<oval_definitions xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows windows-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5">

  <generator>

    <oval:product_name>The OVAL Repository</oval:product_name>

    <oval:schema_version>5.6</oval:schema_version>

    <oval:timestamp>2009-07-20T21:13:42.715-04:00</oval:timestamp>

  </generator>

<objects>

    <registry_object

                id="oval:test.win:obj:10000" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">

      <hive>HKEY_LOCAL_MACHINE</hive>

      <key>Software\Classes\regfile\shell\open\command</key>

      <name></name>

    </registry_object>

</objects>

</oval_definitions>

--------------------------------------------------------

Here is the <system_data> tag from system_characteristics file for Ovaldi 5.6.1:

<system_data>

    <registry_item id="1" xmlns="http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#windows">

      <hive>HKEY_LOCAL_MACHINE</hive>

      <key>Software\Classes\regfile\shell\open\command</key>

    </registry_item>

  </system_data>

And here’s for Ovaldi 5.5.23:

<system_data>

    <registry_item id="1" xmlns="http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#windows">

      <hive>HKEY_LOCAL_MACHINE</hive>

      <key>Software\Classes\regfile\shell\open\command</key>

      <name/>

      <type>reg_sz</type>

      <value>regedit.exe "%1"</value>

    </registry_item>

  </system_data>

Ovaldi 5.5.23 collected the (Default) key in registry, but 5.6.1 did not. Did anyone face problems with this too?

Thanks in advance,

Sergio Camara

Modulo Security – Solutions for GRC

To unsubscribe, send an email message to [hidden email] with SIGNOFF OVAL-DEVELOPER-LIST in the BODY of the message. If you have difficulties, write to [hidden email].