Ken Lassesen-3

bakerj

Ken,

It looks like the message text got left out of this one. Can you tell us more specifically what these definitions are for? Did you auto generate the creation of these?

Thanks,

Jon

============================================
Jonathan O. Baker
The MITRE Corporation
Email: bakerj@...

>-----Original Message-----
>From: Ken Lassesen [mailto:ken.lassesen@...]
>Sent: Tuesday, June 24, 2008 12:04 PM
>To: oval-discussion-list OVAL Discussion List/Closed Public Discussi
>Subject: [OVAL-DISCUSSION-LIST] More Windows Services and Inventory
>Definitions
>

To unsubscribe, send an email message to LISTSERV@... with SIGNOFF OVAL-DISCUSSION-LIST in the BODY of the message. If you have difficulties, write to OVAL-DISCUSSION-LIST-request@....

Ken Lassesen-3

They are autogenerated from WMI scripts and add more services and product installation inventory tests. Continuation of the last large batch, passed through the same code base to generate the OVAL files.

Later next week I expect to make the utility to feed the automation available to all.

-----Original Message-----
From: Baker, Jon [mailto:bakerj@...]
Sent: Tuesday, June 24, 2008 11:54 AM
To: OVAL-DISCUSSION-LIST@...
Subject: Re: [OVAL-DISCUSSION-LIST] More Windows Services and Inventory Definitions

bakerj

Ken,

Looking through these definitions I think all of my comments on your first large content submission apply to these definitions too. I assume they were both produced with similar versions of your code? You can find my previous comments at the bottom of this message.

Thanks,

Jon

============================================
Jonathan O. Baker
The MITRE Corporation
Email: bakerj@...

1- I noticed that many of the compliance definitions have cpe names as their references. CPE names should be used as the reference for inventory definitions, not compliance definitions. The same is also true for the definitions you assigned the miscellaneous class to.

2- You appear to be generating 3 basic types of definitions:
  A - "The XXX service is Installed"
  B - "The XXX service is installed and started"
  C - "The XXX service is installed and configured to start automatically"

Ideally types B and C would leverage A to determine if the service is installed. Ideally your code would create type A definitions then use the extend_definition structure in the criteria of the type B and C definitions to reuse the inventory definition.

You have assigned a different class to types B and C. Can you explain why? I would have thought that they would have the same class.

3- I am happy to see that you have started to use the <affected_cpe_list>. The platforms in that list should align with the strings in the <affected> element. So for example if you have an affected element like:

<affected family="windows">
  <platform>Microsoft Windows 2000</platform>
  <platform>Microsoft Windows XP</platform>
  <platform>Microsoft Windows Server 2003</platform>
  <platform>Microsoft Windows Server 2008</platform>
  <platform>Microsoft Windows Vista</platform>
</affected>

You should have an affected_cpe_list like:

<affected_cpe_list>
  <cpe>cpe:/o:microsoft:windows_2000</cpe>
  <cpe>cpe:/o:microsoft:windows_xp</cpe>
  <cpe>cpe:/o:microsoft:windows_2003</cpe>
  <cpe>cpe:/o:microsoft:windows_2008</cpe>
  <cpe>cpe:/o:microsoft:windows_vista</cpe>
</affected_cpe_list>

4- There appear to be a lot of new CPE names that are not quite correct. I have not found them all, but here are a few samples that show some of the incorrect names I found.

cpe:/a:exchsrvr:microsoft_exchange_mta_stacks
cpe:/a:system:microsoft_search
cpe:/a:microsoft:mssqlsharepoint
cpe:/a:ipod:ipodservice
cpe:/a:program:onecare_firewall

Is it possible to correct these names in your generation code?

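Points 1 and 2 of the message above, sketched as generation code. This is an added example, not Ken's generator or MITRE's code: the `oval:com.example.gen` ID namespace, the `Spooler` service and its CPE name are constructed placeholders, and only the definition and criteria skeleton is emitted (no tests, objects or states). The `lint` function checks the two rules on any set of definitions.

```python
import xml.etree.ElementTree as ET

OVAL_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
ID_PREFIX = "oval:com.example.gen"  # constructed ID namespace, not a real repository


def local(el):
    """Tag name without its namespace, so the lint also works on parsed files."""
    return el.tag.rsplit("}", 1)[-1]


def make_definition(def_id, oval_class, title, platforms, cpe=None):
    d = ET.Element("definition", {"id": def_id, "version": "1", "class": oval_class})
    meta = ET.SubElement(d, "metadata")
    ET.SubElement(meta, "title").text = title
    affected = ET.SubElement(meta, "affected", {"family": "windows"})
    for name in platforms:
        ET.SubElement(affected, "platform").text = name
    if cpe:  # point 1: the CPE name is a reference on inventory definitions only
        ET.SubElement(meta, "reference", {"source": "CPE", "ref_id": cpe})
    ET.SubElement(meta, "description").text = title + "."
    return d


def build_service_definitions(service, cpe, platforms, first=1):
    """Emit type A (inventory) once, then B and C (compliance) that extend it."""
    root = ET.Element("definitions", {"xmlns": OVAL_NS})
    def_id = {k: f"{ID_PREFIX}:def:{first + i}" for i, k in enumerate("ABC")}
    tst_id = {k: f"{ID_PREFIX}:tst:{first + i}" for i, k in enumerate("ABC")}

    a = make_definition(def_id["A"], "inventory",
                        f"The {service} service is installed", platforms, cpe)
    crit = ET.SubElement(a, "criteria")
    ET.SubElement(crit, "criterion",
                  {"test_ref": tst_id["A"], "comment": f"{service} service exists"})
    root.append(a)

    variants = (("B", "installed and started", "service is running"),
                ("C", "installed and configured to start automatically",
                 "service start type is automatic"))
    for key, what, comment in variants:
        d = make_definition(def_id[key], "compliance",
                            f"The {service} service is {what}", platforms)
        crit = ET.SubElement(d, "criteria", {"operator": "AND"})
        # point 2: reuse the inventory definition instead of repeating its test
        ET.SubElement(crit, "extend_definition",
                      {"definition_ref": def_id["A"],
                       "comment": f"{service} service is installed"})
        ET.SubElement(crit, "criterion",
                      {"test_ref": tst_id[key], "comment": f"{service} {comment}"})
        root.append(d)
    return root


def lint(root):
    """Return (definition id, problem) pairs for the two rules above."""
    defs = [e for e in root.iter() if local(e) == "definition"]
    inventory_ids = {d.get("id") for d in defs if d.get("class") == "inventory"}
    problems = []
    for d in defs:
        if d.get("class") == "inventory":
            continue
        if any(local(e) == "reference" and e.get("source") == "CPE" for e in d.iter()):
            problems.append((d.get("id"), "CPE reference on non-inventory definition"))
        extended = {e.get("definition_ref") for e in d.iter()
                    if local(e) == "extend_definition"}
        if d.get("class") == "compliance" and not extended & inventory_ids:
            problems.append((d.get("id"), "does not extend an inventory definition"))
    return problems


if __name__ == "__main__":
    tree = build_service_definitions(
        "Spooler", "cpe:/a:example:spooler",  # constructed service and CPE name
        ["Microsoft Windows XP", "Microsoft Windows Vista"])
    ET.indent(tree)  # Python 3.9+
    print(ET.tostring(tree, encoding="unicode"))
    print(lint(tree))
```
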
Ken Lassesen-3

I will regenerate everything for our next iteration...

-----Original Message-----
From: Baker, Jon [mailto:bakerj@...]
Sent: Friday, June 27, 2008 9:45 AM
To: OVAL-DISCUSSION-LIST@...
Subject: Re: [OVAL-DISCUSSION-LIST] More Windows Services and Inventory Definitions

Ken Lassesen-3

Comment (for discussion)

1) Will only have CPE for Inventory in next drop.

2) Making the changes --- good idea.

"Ideally types B and C would leverage A to determine if the service is installed. Ideally your code would create type A definitions then use the extend_definition structure in the criteria of the type B and C definitions to reuse the inventory definition.

You have assigned a different class to types B and C. Can you explain why? I would have thought that they would have the same class."

A is checking for INVENTORY (is it installed on the machine)
B & C are configuration issues, that does not 'feel' like an INVENTORY but a COMPLIANCE (positive or negative depends on circumstance).

3) Making those changes

4) I used a heuristic to try finding a match, as with all heuristics it was touch and go. I will revisit and get back to you shortly.

I do attach a mapping file for WSUS derived content (you have not seen the content there yet), in this case, just changing this file will result in cpe being adjusted. I'm implementing similar for the WMI produced content.

<?xml version="1.0" encoding="UTF-8"?>
<cpe-list xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xmlns:meta="http://scap.nist.gov/schema/cpe-dictionary-metadata/0.2"
          xmlns="http://cpe.mitre.org/dictionary/2.0"
          xsi:schemaLocation="http://scap.nist.gov/schema/cpe-dictionary-metadata/0.2 cpe-dictionary-metadata_0.2.xsd http://cpe.mitre.org/dictionary/2.0 cpe-dictionary_2.1.xsd">
  <generator>
    <product_name>Lumension Security Repository[WSUS Sourced]</product_name>
    <product_version>3.0</product_version>
    <schema_version>2.1</schema_version>
    <timestamp>2008-05-23T14:24:43Z</timestamp>
  </generator>
  <cpe-item name="cpe:/a:microsoft:windows_2003_server:cluster_pack">
    <title source="wsus3.0">Compute Cluster Pack</title>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:233&amp;type=view"></check>
  </cpe-item>
  <cpe-item name="cpe:/a:microsoft:exchange">
    <title source="wsus3.0">Exchange</title>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:233&amp;type=view"></check>
  </cpe-item>
  <cpe-item name="cpe:/a:microsoft:forefront_security">
    <title source="wsus3.0">Forefront</title>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:233&amp;type=view"></check>
  </cpe-item>
  <cpe-item name="cpe:/a:microsoft:isa_server">
    <title source="wsus3.0">Internet Security and Acceleration Server</title>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:233&amp;type=view"></check>
  </cpe-item>
  <cpe-item name="cpe:/a:microsoft:system_center:data_protection_manager">
    <title source="wsus3.0">Microsoft System Center Data Protection Manager</title>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:233&amp;type=view"></check>
  </cpe-item>
  <cpe-item name="cpe:/a:microsoft:office">
    <title source="wsus3.0">Office</title>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:233&amp;type=view"></check>
  </cpe-item>
  <cpe-item name="cpe:/a:microsoft:office:communications_server">
    <title source="wsus3.0">Office Communications Server</title>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:233&amp;type=view"></check>
  </cpe-item>
  <cpe-item name="cpe:/a:microsoft:sdk">
    <title source="wsus3.0">SDK Components</title>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:233&amp;type=view"></check>
  </cpe-item>
  <cpe-item name="cpe:/a:microsoft:sql_server">
    <title source="wsus3.0">SQL Server</title>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:233&amp;type=view">oval:org.mitre.oval:tst:2977</check>
  </cpe-item>
  <cpe-item name="cpe:/a:microsoft:system_center:virtual_machine_manager">
    <title source="wsus3.0">System Center Virtual Machine Manager</title>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:233&amp;type=view"></check>
  </cpe-item>
  <cpe-item name="cpe:/a:microsoft:systems_management_server">
    <title source="wsus3.0">Systems Management Server</title>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:233&amp;type=view"></check>
  </cpe-item>
  <cpe-item name="cpe:/a:microsoft:virtual_server">
    <title source="wsus3.0">Virtual Server</title>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:233&amp;type=view"></check>
  </cpe-item>
  <cpe-item name="cpe:/a:microsoft:visual_studio">
    <title source="wsus3.0">Visual Studio</title>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:233&amp;type=view">oval:org.mitre.oval:def:981</check>
  </cpe-item>
  <cpe-item name="cpe:/o:microsoft:windows">
    <title source="wsus3.0">Windows</title>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:233&amp;type=view"></check>
  </cpe-item>
  <cpe-item name="cpe:/a:microsoft:windows_live">
    <title source="wsus3.0">Windows Live</title>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:233&amp;type=view"></check>
  </cpe-item>
  <cpe-item name="cpe:/a:microsoft:windows:small_business_server">
    <title source="wsus3.0">Windows Small Business Server</title>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:233&amp;type=view"></check>
  </cpe-item>
  <cpe-item name="cpe:/a:microsoft:capicom">
    <title source="wsus3.0">CAPICOM</title>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:233&amp;type=view"></check>
  </cpe-item>
  <cpe-item name="cpe:/a:microsoft:system_center:data_protection_manager:2006">
    <title source="wsus3.0">Data Protection Manager 2006</title>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:233&amp;type=view"></check>
  </cpe-item>
  <cpe-item name="cpe:/a:microsoft:exchange_server:2000">
    <title source="wsus3.0">Exchange 2000 Server</title>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:233&amp;type=view"></check>
  </cpe-item>
  <cpe-item name="cpe:/a:microsoft:exchange_server:2003">
    <title source="wsus3.0">Exchange Server 2003</title>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:233&amp;type=view">oval:org.mitre.oval:tst:2760</check>
  </cpe-item>
  <cpe-item name="cpe:/a:microsoft:exchange_server:2007">
    <title source="wsus3.0">Exchange Server 2007</title>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:233&amp;type=view"></check>
  </cpe-item>
  <cpe-item name="cpe:/a:microsoft:exchange_server:2007:antispam">
    <title source="wsus3.0">Exchange Server 2007 Anti-spam</title>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:233&amp;type=view"></check>
  </cpe-item>
  <cpe-item name="cpe:/a:microsoft:isa_server:firewall">
    <title source="wsus3.0">Firewall Client for ISA Server</title>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:233&amp;type=view"></check>
  </cpe-item>
  <cpe-item name="cpe:/a:microsoft:forefront_security">
    <title source="wsus3.0">Forefront Client Security</title>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:233&amp;type=view"></check>
  </cpe-item>
  <cpe-item name="cpe:/a:microsoft:isa_server:2006">
    <title source="wsus3.0">Internet Security and Acceleration Server 2006</title>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:233&amp;type=view">oval:org.mitre.oval:tst:297</check>
  </cpe-item>
  <cpe-item name="cpe:/a:microsoft:isa_server:2009">
    <title source="wsus3.0">ISA Server codename Nitrogen, Definition Updates for HTTP Malware Protection</title>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:233&amp;type=view"></check>
  </cpe-item>
  <cpe-item name="cpe:/a:microsoft:mail:installer">
    <title source="wsus3.0">Mail Installation and Upgrades</title>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:233&amp;type=view"></check>
  </cpe-item>
  <cpe-item name="cpe:/a:microsoft:virtual_server:2007">
    <title source="wsus3.0">Microsoft System Center Virtual Machine Manager 2007</title>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:233&amp;type=view"></check>
  </cpe-item>
  <cpe-item name="cpe:/a:microsoft:office:2002">
    <title source="wsus3.0">Office 2002/XP</title>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:233&amp;type=view">oval:org.mitre.oval:def:663</check>
  </cpe-item>
  <cpe-item name="cpe:/a:microsoft:office:2003">
    <title source="wsus3.0">Office 2003</title>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:233&amp;type=view">oval:org.mitre.oval:def:233</check>
  </cpe-item>
  <cpe-item name="cpe:/a:microsoft:office:2007">
    <title source="wsus3.0">Office 2007</title>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:1211&amp;type=view">oval:org.mitre.oval:def:1211</check>
  </cpe-item>
  <cpe-item name="cpe:/a:microsoft:office_communicator:2007">
    <title source="wsus3.0">Office Communications Server 2007</title>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:233&amp;type=view"></check>
  </cpe-item>
  <cpe-item name="cpe:/a:microsoft:windows_live_onecare">
    <title source="wsus3.0">OneCare Family Safety Installation</title>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:233&amp;type=view"></check>
  </cpe-item>
  <cpe-item name="cpe:/a:microsoft:photo_gallery">
    <title source="wsus3.0">Photo Gallery Installation and Upgrades</title>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:233&amp;type=view"></check>
  </cpe-item>
  <cpe-item name="cpe:/a:microsoft:signin_assistant">
    <title source="wsus3.0">Sign-in Assistant Installation and Upgrades</title>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:233&amp;type=view"></check>
  </cpe-item>
  <cpe-item name="cpe:/a:microsoft:sql_server:2005">
    <title source="wsus3.0">SQL Server 2005</title>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:233&amp;type=view"></check>
  </cpe-item>
  <cpe-item name="cpe:/a:microsoft:sql_server::feature_pack">
    <title source="wsus3.0">SQL Server Feature Pack</title>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:233&amp;type=view">oval:org.mitre.oval:tst:2977</check>
  </cpe-item>
  <cpe-item name="cpe:/a:microsoft:systems_management_server:2007">
    <title source="wsus3.0">System Center Configuration Management 2007</title>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:233&amp;type=view"></check>
  </cpe-item>
  <cpe-item name="cpe:/a:microsoft:virtual_pc">
    <title source="wsus3.0">Virtual PC</title>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:233&amp;type=view"></check>
  </cpe-item>
  <cpe-item name="cpe:/a:microsoft:visual_studio:2005">
    <title source="wsus3.0">Visual Studio 2005</title>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:233&amp;type=view">oval:org.mitre.oval:def:426</check>
  </cpe-item>
  <cpe-item name="cpe:/o:microsoft:windows_2000">
    <title source="wsus3.0">Windows 2000</title>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:233&amp;type=view">oval:org.mitre.oval:tst:3085</check>
  </cpe-item>
  <cpe-item name="cpe:/a:microsoft:windows_defender">
    <title source="wsus3.0">Windows Defender</title>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:233&amp;type=view"></check>
  </cpe-item>
  <cpe-item name="cpe:/a:microsoft:ie:7:dynamic_installer">
    <title source="wsus3.0">Windows Internet Explorer 7 Dynamic Installer</title>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:233&amp;type=view"></check>
  </cpe-item>
  <cpe-item name="cpe:/a:microsoft:windows_live_toolbar">
    <title source="wsus3.0">Windows Live Toolbar</title>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:233&amp;type=view"></check>
  </cpe-item>
  <cpe-item name="cpe:/a:microsoft:windows_media_format_dynamic_installer">
    <title source="wsus3.0">Windows Media Dynamic Installer</title>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:233&amp;type=view"></check>
  </cpe-item>
  <cpe-item name="cpe:/o:microsoft:windows_2003_server">
    <title source="wsus3.0">Windows Server 2003</title>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:233&amp;type=view">oval:org.mitre.oval:tst:2761</check>
  </cpe-item>
  <cpe-item name="cpe:/o:microsoft:windows_2003_server::datacenter">
    <title source="wsus3.0">Windows Server 2003, Datacenter Edition</title>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:233&amp;type=view">oval:org.mitre.oval:tst:2761</check>
  </cpe-item>
  <cpe-item name="cpe:/o:microsoft:windows_2008">
    <title source="wsus3.0">Windows Server 2008</title>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:233&amp;type=view"></check>
  </cpe-item>
  <cpe-item name="cpe:/a:microsoft:small_business_server:2003">
    <title source="wsus3.0">Windows Small Business Server 2003</title>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:233&amp;type=view"></check>
  </cpe-item>
  <cpe-item name="cpe:/a:microsoft:vista:ultimate:extras">
    <title source="wsus3.0">Windows Ultimate Extras</title>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:233&amp;type=view"></check>
  </cpe-item>
  <cpe-item name="cpe:/o:microsoft:windows_vista">
    <title source="wsus3.0">Windows Vista</title>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:233&amp;type=view"></check>
  </cpe-item>
  <cpe-item name="cpe:/a:microsoft:vista:ultimate:language">
    <title source="wsus3.0">Windows Vista Ultimate Language Packs</title>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:233&amp;type=view"></check>
  </cpe-item>
  <cpe-item name="cpe:/o:microsoft:windows_xp">
    <title source="wsus3.0">Windows XP</title>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:233&amp;type=view">oval:org.mitre.oval:tst:2838</check>
  </cpe-item>
  <cpe-item name="cpe:/o:microsoft:windows_xp::x64:2003">
    <title source="wsus3.0">Windows XP 64-Bit Edition Version 2003</title>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:233&amp;type=view"></check>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:233&amp;type=view">oval:org.mitre.oval:tst:2747</check>
  </cpe-item>
  <cpe-item name="cpe:/o:microsoft:windows_xp::x64">
    <title source="wsus3.0">Windows XP x64 Edition</title>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:233&amp;type=view"></check>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:233&amp;type=view">oval:org.mitre.oval:tst:2747</check>
  </cpe-item>
  <cpe-item name="cpe:/a:microsoft:writer:installation">
    <title source="wsus3.0">Writer Installation and Upgrades</title>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:233&amp;type=view"></check>
  </cpe-item>
</cpe-list>

bakerj
|
>-----Original Message-----
>From: Ken Lassesen [mailto:ken.lassesen@...]
>Sent: Monday, June 30, 2008 2:56 PM
>To: oval-discussion-list OVAL Discussion List/Closed Public Discussi
>Subject: [OVAL-DISCUSSION-LIST] Automated Definitions Thread
>
>Comment (for discussion)
>
>1) Will only have CPE for Inventory in next drop.
>
>2) Making the changes --- good idea.
>
>"Ideally types B and C would leverage A to determine if the service is
>installed. Ideally your code would create type A definitions then use
>the extend_definition struction in the criteria of the type B and C
>definitions to reuse the inventory definition.
>
>You have assigned a different class to types B and C. Can you explain
>why? I would have thought that they would have the same class."
>
>A is checking for INVENTORY (is it installed on the machine)
>B & C are configuration issues, that does not 'feel' like an INVENTORY
>but a COMPLIANCE (positive or negative depends on circumstance).
>

Agree, I would have expected B and C to have a class of compliance.

>3) Making those changes
>
>4) I used a heuristic to try finding a match, as with all heuristics it
>was touch and go. I will revisit and get back to you shortly.
>
>I do attach a mapping file for WSUS derived content (you have not seen
>the content there yet), in this case, just changing this file will
>result in cpe being adjusted. I'm implementing similar for the WMI
>produced content.
>
>

The mapping is helpful and quickly shows issues. Here is one of the entries I found:

<cpe-item name="cpe:/a:microsoft:forefront_security">
  <title source="wsus3.0">Forefront</title>
  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:233&amp;type=view"></check>
</cpe-item>

When I looked at it the title and cpe name seemed to align, but the definition referenced is the Office 2003 inventory definition. I looked a bit further and noticed that this definition is referenced a lot. Is there a bug in this code somewhere causing this definition to be referenced?

Thanks,

Jon

>
>-----Original Message-----
>From: Baker, Jon [mailto:bakerj@...]
>Sent: Friday, June 27, 2008 9:45 AM
>To: OVAL-DISCUSSION-LIST@...
>Subject: Re: [OVAL-DISCUSSION-LIST] More Windows Services and Inventory
>Definitions
>
>Ken,
>
>Looking through these definitions I think all of my comments on your
>first large content submission apply to these definitions too. I assume
>they were both produced with similar versions of your code? You can
>find my previous comments at the bottom of this message.
>
>Thanks,
>
>Jon
>
>============================================
>Jonathan O. Baker
>The MITRE Corporation
>Email: bakerj@...
>
>
>1- I noticed that many of the compliance definitions have cpe names as
>their references. CPE names should be used as the reference for
>inventory definitions, not compliance definitions. The same is also
>true for the definitions you assigned the miscellaneous class to.
>
>2- you appear to be generating 3 basic types of definitions:
> A - "The XXX service is Installed"
> B - "The XXX service is installed and started"
> C - "The XXX service is installed and configured to start
>automatically"
>
>Ideally types B and C would leverage A to determine if the service is
>installed. Ideally your code would create type A definitions then use
>the extend_definition struction in the criteria of the type B and C
>definitions to reuse the inventory definition.
>
>You have assigned a different class to types B and C. Can you explain
>why? I would have thought that they would have the same class.
>
>3- I am happy to see that you have started to use the
><affected_cpe_list>. The platforms in that list should align with the
>strings in the <affected> element. So for example if you have an
>affected element like:
>
><affected family="windows">
> <platform>Microsoft Windows 2000</platform>
> <platform>Microsoft Windows XP</platform>
> <platform>Microsoft Windows Server 2003</platform>
> <platform>Microsoft Windows Server 2008</platform>
> <platform>Microsoft Windows Vista</platform>
></affected>
>
>You should have an affected_cpe_list like:
>
><affected_cpe_list>
> <cpe>cpe:/o:microsoft:windows_2000</cpe>
> <cpe>cpe:/o:microsoft:windows_xp</cpe>
> <cpe>cpe:/o:microsoft:windows_2003</cpe>
> <cpe>cpe:/o:microsoft:windows_2008</cpe>
> <cpe>cpe:/o:microsoft:windows_vista</cpe>
></affected_cpe_list>
>
>
>4- There appear to be a lot of new CPE names that are not quite
>correct. I have not found them all, but here are a few samples that
>show some of the incorrect names I found.
>cpe:/a:exchsrvr:microsoft_exchange_mta_stacks
>cpe:/a:system:microsoft_search
>cpe:/a:microsoft:mssqlsharepoint
>cpe:/a:ipod:ipodservice
>cpe:/a:program:onecare_firewall
>
>Is it possible to correct these names in your generation code?
>
|
|||||||||||||||
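Points 1 and 2 of the review quoted in the message above, as an added sketch that is not Ken's generator or MITRE code: one inventory definition (type A) carries the CPE reference, and the two compliance definitions (types B and C) reuse it through extend_definition. The id namespace, service name, CPE name and test ids are made-up placeholders, and the metadata is cut down to title and reference.

```python
import xml.etree.ElementTree as ET

NS = "oval:com.example.oval"  # hypothetical id namespace, not from the thread

def definition(num, cls, title, cpe=None):
    """Skeleton OVAL definition; metadata is cut down to title and reference."""
    d = ET.Element("definition", {"id": f"{NS}:def:{num}", "version": "1", "class": cls})
    meta = ET.SubElement(d, "metadata")
    ET.SubElement(meta, "title").text = title
    if cpe:  # point 1: only the inventory definition carries the CPE name
        ET.SubElement(meta, "reference", {"source": "CPE", "ref_id": cpe})
    return d

def service_definitions(service, cpe, first_num, tests):
    """Return [A, B, C] for one service; tests maps check name -> test id."""
    a = definition(first_num, "inventory", f"The {service} service is installed", cpe)
    ET.SubElement(ET.SubElement(a, "criteria"), "criterion",
                  {"test_ref": tests["installed"], "comment": f"{service} service exists"})
    result = [a]
    variants = [("started", "started"),
                ("auto_start", "configured to start automatically")]
    for offset, (key, state) in enumerate(variants, start=1):
        d = definition(first_num + offset, "compliance",
                       f"The {service} service is installed and {state}")
        criteria = ET.SubElement(d, "criteria", {"operator": "AND"})
        # point 2: reuse A instead of repeating the "is installed" test
        ET.SubElement(criteria, "extend_definition",
                      {"definition_ref": a.get("id"),
                       "comment": f"{service} service is installed"})
        ET.SubElement(criteria, "criterion",
                      {"test_ref": tests[key], "comment": f"{service} service is {state}"})
        result.append(d)
    return result

# Constructed sample input: service name, CPE name and test ids are made up.
TESTS = {"installed": f"{NS}:tst:1", "started": f"{NS}:tst:2", "auto_start": f"{NS}:tst:3"}
DEFS = service_definitions("Example", "cpe:/a:example:example_service", 100, TESTS)

if __name__ == "__main__":
    for d in DEFS:
        ET.indent(d)
        print(ET.tostring(d, encoding="unicode"))
```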
|
Ken Lassesen-3
|
Thanks for the info and guidance.
I attached the Service Mapping to CPE file, for review (before resubmitting the OVAL definitions). Directly email me if you have a better mapping for any item. (just cut and paste the revised node to make my life easier!) -- everyone is welcome to join in!

Ken

-----Original Message-----
From: Baker, Jon [mailto:bakerj@...]
Sent: Tuesday, July 08, 2008 6:08 PM
To: OVAL-DISCUSSION-LIST@...
Subject: Re: [OVAL-DISCUSSION-LIST] Automated Definitions Thread

<?xml version="1.0" encoding="UTF-8"?>
<inventorytracker identity="1330">
<item cpeid="cpe:/a:adobe:adobe_version_cue_cs3" path="&quot;C:\Program Files (x86)\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe&quot; -win32service" name="Adobe Version Cue CS3" refid="1120" filename="VersionCueCS3.exe" />
<item cpeid="cpe:/a:agere:agere_modem_call_progress_audio" path="C:\WINXP\system32\agrsmsvc.exe" name="AgereModemAudio" refid="1078" filename="agrsmsvc.exe" />
<item cpeid="cpe:/a:ahead:incd_helper" path="C:\Program Files\Ahead\InCD\InCDsrv.exe" name="InCDsrv" refid="850" filename="InCDsrv.exe" />
<item cpeid="cpe:/a:aisystems:my_first_service" path="&quot;C:\AISystems\Excalibur\Utility\AMMQRelay\AMMQRelay\bin\Debug\AMMQRELAY.exe&quot;" name="AMMQRelayService" refid="835" filename="AMMQRELAY.exe" />
<item cpeid="cpe:/a:allume:stuffit_task_manager" path="C:\PROGRA~1\Allume\StuffIt\MXTask.exe -Service" name="StuffIt Task Manager" refid="904" filename="MXTask.ex" />
<item cpeid="cpe:/a:analog_devices:spkrmon" path="C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe" name="spkrmon" refid="217" filename="spkrmon.exe" />
<item cpeid="cpe:/a:apc:apc_pbe_agent" path="C:\PROGRA~1\APC\POWERC~1\agent\pbeagent.exe" name="APCPBEAgent" refid="1216" filename="pbeagent.exe" />
<item cpeid="cpe:/a:apc:apc_pbe_server" path="C:\PROGRA~1\APC\POWERC~1\server\PBESER~1.EXE" name="APCPBEServer" refid="1219" filename="PBESER~1.EXE" />
<item cpeid="cpe:/a:apc:apc_ups_service" path="C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe" name="APC UPS Service" refid="1264" filename="mainserv.exe" />
<item cpeid="cpe:/a:app:oraclemtsrecoveryservice" path="F:\app\Ken.Lassesen\product\11.1.0\client_2\bin\omtsreco.exe &quot;OracleMTSRecoveryService&quot;" name="OracleMTSRecoveryService" refid="877" filename="omtsreco.exe OracleMTSRecoveryService" />
<item cpeid="cpe:/a:apple:apple_mobile_device" path="&quot;C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe&quot;" name="Apple Mobile Device" refid="313" filename="AppleMobileDeviceService.exe" />
<item cpeid="cpe:/a:apple:apple_os_switch_manager" path="C:\WINDOWS\system32\AppleOSSMgr.exe" name="AppleOSSMgr" refid="1192" filename="AppleOSSMgr.exe" />
<item cpeid="cpe:/a:apple:apple_time_service" path="C:\WINDOWS\system32\AppleTimeSrv.exe" name="AppleTimeSrv" refid="1195" filename="AppleTimeSrv.exe" />
<item cpeid="cpe:/a:apple:ipod_service" path="&quot;C:\Program Files\iPod\bin\iPodService.exe&quot;" name="iPod Service" refid="340" filename="iPodService.exe" />
<item cpeid="cpe:/a:apple:ipodservice" path="C:\Program Files\iPod\bin\iPodService.exe" name="iPodService" refid="1081" filename="iPodService.exe" />
<item cpeid="cpe:/a:arservice.exe:arsvc" path="C:\WINDOWS\arservice.exe" name="ARSVC" refid="838" filename="arservice.exe" />
<item cpeid="cpe:/a:artisoft:televantage_workstation_service" path="&quot;C:\Program Files\Common Files\Artisoft\TeleVantage\TvWksSvc.exe&quot;" name="TvWksSvc" refid="256" filename="TvWksSvc.exe" />
<item cpeid="cpe:/a:ati:ati_external_event_utility" path="C:\Windows\system32\Ati2evxx.exe" name="Ati External Event Utility" refid="1168" filename="Ati2evxx.exe" />
<item cpeid="cpe:/a:ati:ati_hotkey_poller" path="C:\WINDOWS\system32\Ati2evxx.exe" name="Ati HotKey Poller" refid="316" filename="Ati2evxx.exe" />
<item cpeid="cpe:/a:ati:ati_smart" path="C:\WINDOWS\system32\ati2sgag.exe" name="ATI Smart" refid="319" filename="ati2sgag.exe" />
<item cpeid="cpe:/a:automated_qa:aqtime_5_service" path="C:\Program Files\Automated QA\AQtime 5\Bin\DebuggerService5x86.exe" name="AQtime 5 Service" refid="1297" filename="DebuggerService5x86.exe" />
<item cpeid="cpe:/a:automated_qa:testcomplete_6_service" path="&quot;C:\Program Files\Automated QA\TestComplete 6\Bin\TestCompleteService6.exe&quot;" name="TestComplete 6 Service" refid="1228" filename="TestCompleteService6.exe" />
<item cpeid="cpe:/a:bha:bs_recorder_gold_library_general_service" path="&quot;C:\WINDOWS\system32\bgsvcgen.exe&quot;" name="bgsvcgen" refid="1267" filename="bgsvcgen.exe" />
<item cpeid="cpe:/a:bonjour:mdnsresponder" path="&quot;C:\Program Files\Bonjour\mDNSResponder.exe&quot;" name="Bonjour Service" refid="322" filename="mDNSResponder.exe" />
<item cpeid="cpe:/a:ca:ca_license_client" path="&quot;C:\Program Files\CA\SharedComponents\CA_LIC\\lic98rmt.exe&quot;" name="CA_LIC_CLNT" refid="844" filename="lic98rmt.exe" />
<item cpeid="cpe:/a:ca:etrust_antivirus_job_server" path="&quot;H:\Program Files\CA\eTrust Antivirus\InoTask.exe&quot;" name="InoTask" refid="943" filename="InoTask.exe" />
<item cpeid="cpe:/a:ca:etrust_antivirus_realtime_server" path="&quot;H:\Program Files\CA\eTrust Antivirus\InoRT.exe&quot;" name="InoRT" refid="940" filename="InoRT.exe" />
<item cpeid="cpe:/a:ca:etrust_antivirus_rpc_server" path="&quot;H:\Program Files\CA\eTrust Antivirus\InoRpc.exe&quot;" name="InoRPC" refid="937" filename="InoRpc.exe" />
<item cpeid="cpe:/a:ca:event_log_watch" path="&quot;C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe&quot;" name="LogWatch" refid="853" filename="LogWatNT.exe" />
<item cpeid="cpe:/a:carbonite:carboniteservice" path="&quot;C:\Program Files (x86)\Carbonite\Carbonite Backup\carboniteservice.exe&quot;" name="CarboniteService" refid="1093" filename="carboniteservice.exe" />
<item cpeid="cpe:/a:castlecop:plsremote_service" path="C:\WINDOWS\SYSTEM32\PLSRemote.exe" name="PLSRemoteSvc" refid="1132" filename="PLSRemote.exe" />
<item cpeid="cpe:/a:castlecops:tuneup_drive_defrag_service" path="C:\WINDOWS\System32\TuneUpDefragService.exe" name="TuneUp.Defrag" refid="1318" filename="TuneUpDefragService.exe" />
<item cpeid="cpe:/a:citrix:citrix_diagnostic_facility_com_server" path="C:\Program Files\Common Files\Citrix\System32\CdfSvc.exe" name="CdfSvc" refid="1300" filename="CdfSvc.exe" />
<item cpeid="cpe:/a:compuware:trsdkservice11" path="c:\program files\common files\compuware\trsdkservicestub11.exe" name="TRSDKService11" refid="1315" filename="trsdkservicestub11.exe" />
<item cpeid="cpe:/a:creative:creative_service_for_cdrom_access" path="C:\WINDOWS\system32\CTsvcCDA.exe" name="Creative Service for CDROM Access" refid="1270" filename="CTsvcCDA.exe" />
<item cpeid="cpe:/a:digitalpersona:biometric_authentication_service" path="C:\Program Files (x86)\DigitalPersona\Bin\DpHostW.exe" name="DpHost" refid="1096" filename="DpHostW.exe" />
<item cpeid="cpe:/a:d-link:vservice" path="C:\Program Files\D-Link\D-Link USB VoIP Adapter\VServ.exe" name="VService" refid="913" filename="VServ.exe" />
<item cpeid="cpe:/a:ehome:media_center_extender_service" path="C:\WINDOWS\ehome\mcrdsvc.exe" name="McrdSvc" refid="862" filename="mcrdsvc.exe" />
<item cpeid="cpe:/a:ehome:windows_media_center_receiver_service" path="C:\Windows\ehome\ehRecvr.exe" name="ehRecvr" refid="751" filename="ehRecvr.exe" />
<item cpeid="cpe:/a:ehome:windows_media_center_scheduler_service" path="C:\Windows\ehome\ehsched.exe" name="ehSched" refid="754" filename="ehsched.exe" />
<item cpeid="cpe:/a:filefront:oo_defrag" path="C:\WINDOWS\system32\oodag.exe" name="O&amp;O Defrag" refid="1309" filename="oodag.exe" />
<item cpeid="cpe:/a:firebird:firebird_guardian__defaultinstance" path="C:\Program Files\Firebird\Firebird_2_0\bin\fbguard.exe -s" name="FirebirdGuardianDefaultInstance" refid="1183" filename="fbguard.ex" />
<item cpeid="cpe:/a:firebird:firebird_server__defaultinstance" path="C:\Program Files\Firebird\Firebird_2_0\bin\fbserver.exe -s" name="FirebirdServerDefaultInstance" refid="1186" filename="fbserver.ex" />
<item cpeid="cpe:/a:foldersize:folder_size" path="&quot;C:\Program Files\FolderSize\FolderSizeSvc.exe&quot;" name="FolderSize" refid="469" filename="FolderSizeSvc.exe" />
<item cpeid="cpe:/a:google:google_desktop_manager_5170919590" path="&quot;C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe&quot;" name="GoogleDesktopManager-091907-194040" refid="73" filename="GoogleDesktop.exe" />
<item cpeid="cpe:/a:goo
|
|||||||||||||||
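An added example, not part of the thread or of Ken's tooling: two consistency checks a reviewer could run over the mapping file above before it is used to generate definitions, shown on seven entries copied from it. It reports filename values that differ from the executable named in path, and executables that are mapped to more than one CPE name; the function names are this example's own.

```python
import ntpath
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Entries copied from the mapping file above; quotes inside path are written
# as &quot; so that the XML parses.
MAPPING = r"""<inventorytracker identity="1330">
<item cpeid="cpe:/a:allume:stuffit_task_manager" path="C:\PROGRA~1\Allume\StuffIt\MXTask.exe -Service" name="StuffIt Task Manager" refid="904" filename="MXTask.ex" />
<item cpeid="cpe:/a:analog_devices:spkrmon" path="C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe" name="spkrmon" refid="217" filename="spkrmon.exe" />
<item cpeid="cpe:/a:app:oraclemtsrecoveryservice" path="F:\app\Ken.Lassesen\product\11.1.0\client_2\bin\omtsreco.exe &quot;OracleMTSRecoveryService&quot;" name="OracleMTSRecoveryService" refid="877" filename="omtsreco.exe OracleMTSRecoveryService" />
<item cpeid="cpe:/a:apple:ipod_service" path="&quot;C:\Program Files\iPod\bin\iPodService.exe&quot;" name="iPod Service" refid="340" filename="iPodService.exe" />
<item cpeid="cpe:/a:apple:ipodservice" path="C:\Program Files\iPod\bin\iPodService.exe" name="iPodService" refid="1081" filename="iPodService.exe" />
<item cpeid="cpe:/a:ati:ati_external_event_utility" path="C:\Windows\system32\Ati2evxx.exe" name="Ati External Event Utility" refid="1168" filename="Ati2evxx.exe" />
<item cpeid="cpe:/a:ati:ati_hotkey_poller" path="C:\WINDOWS\system32\Ati2evxx.exe" name="Ati HotKey Poller" refid="316" filename="Ati2evxx.exe" />
</inventorytracker>"""

# A service command line is either a quoted image path (arguments may follow)
# or an unquoted one, which is taken to end at the first ".exe".
IMAGE = re.compile(r'\s*(?:"([^"]+)"|(.+?\.exe)(?=\s|$))', re.IGNORECASE)

def image_name(command_line):
    """Return the executable's file name from a service command line, or None."""
    m = IMAGE.match(command_line)
    return ntpath.basename(m.group(1) or m.group(2)) if m else None

def audit(xml_text):
    """Return (filename mismatches, executables mapped to more than one CPE name)."""
    mismatches, by_image = [], defaultdict(set)
    for item in ET.fromstring(xml_text).iter("item"):
        exe = image_name(item.get("path", ""))
        if exe is None or exe.lower() != item.get("filename", "").lower():
            mismatches.append((item.get("refid"), item.get("filename"), exe))
        if exe:
            by_image[exe.lower()].add(item.get("cpeid"))
    shared = {exe: sorted(ids) for exe, ids in by_image.items() if len(ids) > 1}
    return mismatches, shared

if __name__ == "__main__":
    bad, shared = audit(MAPPING)
    for refid, declared, derived in bad:
        print(f"refid {refid}: filename={declared!r} but path runs {derived!r}")
    for exe, ids in shared.items():
        print(f"{exe}: {', '.join(ids)}")
```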