File Content Checks

All:

I’ve been trying for a short while (new to OVAL construction) to specify an OVAL test that will check the contents of a Windows file.  At first, I could only find file attribute tests in the Windows schema, but then came across textfilecontent_test in the independent schema.  At this point, the ovaldi reads the file, but then errors because it can’t find the file name.  I’m afraid that my ind-def:path, ind-def:file, or ind-def:line elements are incorrect in my ind-textfilecontent_object. 

Here’s what I’m doing (mostly).

<oval_definitions>

…

<definition>

  <criteria>

    <criterion test_ref=”test”/>

  </criteria>

</definition>

…

<tests>

  <ind-def:textfilecontent_test id=”test”version=”1” check=”all”>

    <ind-def:object object_ref=”obj”/>

    <ind-def:state state_ref=”ste”/>

  </ind-def:textfilecontent_test>

</tests>

…

<objects>

  <ind-def:textfilecontent_object id=”obj”>

    <ind-def:path>C:\</ind-def:path>

    <ind-def:filename>test.txt</ind-def:filename>

    <ind-def:line>test</ind-def:line>

</objects>

…

<states>

  <ind-def:textfilecontent_state id=”ste”>

    <ind-def:line>test</ind-def:line>

  </ind-def:textfilecontent_state>

Any thoughts on what I’m most likely doing wrong?  I’m pretty sure I shouldn’t need the duplicate ind-def:line element in an object and a test, but when I was cooking this up the IDE indicated these were required by the schema.  So, that’s a bit confusing.  Also, I couldn’t find any real documentation with respect to proper formatting for paths, filenames, etc. 

Regards,

Adam Montville, CISSP | Policy Analyst

                Hi Adam,

Your ind-def:path and ind-def:filename entities look correct and would represent the file ‘C:\test.txt’.  One thing to point out, is that your ind-def:textfilecontent_object does not have a closing tag ‘</ind-def:textfilecontent_object>’, but, I am guessing that it is just a copy and paste error.  Another important thing to note is that the line entity should use the pattern match operation as the value specified in the line entity is a regular expression.   Now, when you say that the OVAL Interpreter cannot find the file, is an actual error being thrown by the OVAL Interpreter?  Or, are you referring to the fact that the object has a status of ‘does not exist’?  This can be determined by examining the ‘results.xml’ file.   Also, when you say that you shouldn’t need the duplicate ind-def:line entity in both the object and the test, do you mean the object and the state?  As specified in the OVAL Language, more specifically the independent-definitions-schema, the line entity is required in the ind-def:textfilecontent_object.  Also, would it be possible to post your actual OVAL Definition, or send it to me directly, as it would be much easier to troubleshoot your problem if I could reproduce it on my system?  In the meantime,  I have attached a sample OVAL Definition, and text file, for you to try on your system.  The attached OVAL Definition examines the attached text file ‘C:\test.txt’ and only collects text file content items for each line that contains digit characters as specified by the regular expression ‘$^[0-9]+$’.  It then checks these values to see if they satisfy the entities specified in the state, which say that in order for the test to return true, there must be at least one line entity that contains the digit character sequence ‘234’ as specified by the regular expression ‘^[0-9]*234[0-9]*$’.  Since at least one of the collected text file content items contain the digit character sequence ‘234’, this test will return true.  If you have any issues running the attached OVAL Definition, or have any other questions, please let me know.

Thanks,

Danny

All:

I’ve been trying for a short while (new to OVAL construction) to specify an OVAL test that will check the contents of a Windows file.  At first, I could only find file attribute tests in the Windows schema, but then came across textfilecontent_test in the independent schema.  At this point, the ovaldi reads the file, but then errors because it can’t find the file name.  I’m afraid that my ind-def:path, ind-def:file, or ind-def:line elements are incorrect in my ind-textfilecontent_object. 

Here’s what I’m doing (mostly).

<oval_definitions>

…

<definition>

  <criteria>

    <criterion test_ref=”test”/>

  </criteria>

</definition>

…

<tests>

  <ind-def:textfilecontent_test id=”test”version=”1” check=”all”>

    <ind-def:object object_ref=”obj”/>

    <ind-def:state state_ref=”ste”/>

  </ind-def:textfilecontent_test>

</tests>

…

<objects>

  <ind-def:textfilecontent_object id=”obj”>

    <ind-def:path>C:\</ind-def:path>

    <ind-def:filename>test.txt</ind-def:filename>

    <ind-def:line>test</ind-def:line>

</objects>

…

<states>

  <ind-def:textfilecontent_state id=”ste”>

    <ind-def:line>test</ind-def:line>

  </ind-def:textfilecontent_state>

Any thoughts on what I’m most likely doing wrong?  I’m pretty sure I shouldn’t need the duplicate ind-def:line element in an object and a test, but when I was cooking this up the IDE indicated these were required by the schema.  So, that’s a bit confusing.  Also, I couldn’t find any real documentation with respect to proper formatting for paths, filenames, etc. 

Regards,

Adam Montville, CISSP | Policy Analyst

To unsubscribe, send an email message to [hidden email] with SIGNOFF OVAL-DEVELOPER-LIST in the BODY of the message. If you have difficulties, write to [hidden email].

Thanks for the response.  It was the pattern match operation.  Everything else was fine, except the copy/paste error.  I did receive help from Jeff Ito as well, so thanks to him also.

Adam

                Hi Adam,

Your ind-def:path and ind-def:filename entities look correct and would represent the file ‘C:\test.txt’.  One thing to point out, is that your ind-def:textfilecontent_object does not have a closing tag ‘</ind-def:textfilecontent_object>’, but, I am guessing that it is just a copy and paste error.  Another important thing to note is that the line entity should use the pattern match operation as the value specified in the line entity is a regular expression.   Now, when you say that the OVAL Interpreter cannot find the file, is an actual error being thrown by the OVAL Interpreter?  Or, are you referring to the fact that the object has a status of ‘does not exist’?  This can be determined by examining the ‘results.xml’ file.   Also, when you say that you shouldn’t need the duplicate ind-def:line entity in both the object and the test, do you mean the object and the state?  As specified in the OVAL Language, more specifically the independent-definitions-schema, the line entity is required in the ind-def:textfilecontent_object.  Also, would it be possible to post your actual OVAL Definition, or send it to me directly, as it would be much easier to troubleshoot your problem if I could reproduce it on my system?  In the meantime,  I have attached a sample OVAL Definition, and text file, for you to try on your system.  The attached OVAL Definition examines the attached text file ‘C:\test.txt’ and only collects text file content items for each line that contains digit characters as specified by the regular expression ‘$^[0-9]+$’.  It then checks these values to see if they satisfy the entities specified in the state, which say that in order for the test to return true, there must be at least one line entity that contains the digit character sequence ‘234’ as specified by the regular expression ‘^[0-9]*234[0-9]*$’.  Since at least one of the collected text file content items contain the digit character sequence ‘234’, this test will return true.  If you have any issues running the attached OVAL Definition, or have any other questions, please let me know.

Thanks,

Danny

All:

I’ve been trying for a short while (new to OVAL construction) to specify an OVAL test that will check the contents of a Windows file.  At first, I could only find file attribute tests in the Windows schema, but then came across textfilecontent_test in the independent schema.  At this point, the ovaldi reads the file, but then errors because it can’t find the file name.  I’m afraid that my ind-def:path, ind-def:file, or ind-def:line elements are incorrect in my ind-textfilecontent_object. 

Here’s what I’m doing (mostly).

<oval_definitions>

…

<definition>

  <criteria>

    <criterion test_ref=”test”/>

  </criteria>

</definition>

…

<tests>

  <ind-def:textfilecontent_test id=”test”version=”1” check=”all”>

    <ind-def:object object_ref=”obj”/>

    <ind-def:state state_ref=”ste”/>

  </ind-def:textfilecontent_test>

</tests>

…

<objects>

  <ind-def:textfilecontent_object id=”obj”>

    <ind-def:path>C:\</ind-def:path>

    <ind-def:filename>test.txt</ind-def:filename>

    <ind-def:line>test</ind-def:line>

</objects>

…

<states>

  <ind-def:textfilecontent_state id=”ste”>

    <ind-def:line>test</ind-def:line>

  </ind-def:textfilecontent_state>

Any thoughts on what I’m most likely doing wrong?  I’m pretty sure I shouldn’t need the duplicate ind-def:line element in an object and a test, but when I was cooking this up the IDE indicated these were required by the schema.  So, that’s a bit confusing.  Also, I couldn’t find any real documentation with respect to proper formatting for paths, filenames, etc. 

Regards,

Adam Montville, CISSP | Policy Analyst

To unsubscribe, send an email message to [hidden email] with SIGNOFF OVAL-DEVELOPER-LIST in the BODY of the message. If you have difficulties, write to [hidden email].

To unsubscribe, send an email message to [hidden email] with SIGNOFF OVAL-DEVELOPER-LIST in the BODY of the message. If you have difficulties, write to [hidden email].