OVALDI Log states the 'none exist' CheckEnumeration value has been deprecated

To unsubscribe, send an email message to LISTSERV@... with SIGNOFF OVAL-DEVELOPER-LIST in the BODY of the message. If you have difficulties, write to OVAL-DEVELOPER-LIST-request@....
<?xml version="1.0" encoding="UTF-8"?>
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
      xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5"
      xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5"
      xmlns:win-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows"
      xmlns:ind-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows http://oval.mitre.org/language/download/schema/version5.4/ovaldefinition/complete/windows-definitions-schema.xsd
      http://oval.mitre.org/XMLSchema/oval-definitions-5#independent http://oval.mitre.org/language/download/schema/version5.4/ovaldefinition/complete/independent-definitions-schema.xsd
      http://oval.mitre.org/XMLSchema/oval-definitions-5 http://oval.mitre.org/language/download/schema/version5.4/ovaldefinition/complete/oval-definitions-schema.xsd
      http://oval.mitre.org/XMLSchema/oval-common-5 http://oval.mitre.org/language/download/schema/version5.4/ovaldefinition/complete/oval-common-schema.xsd">
      <generator>
            <oval:product_name>National Institute of Standards and Technology</oval:product_name>
            <oval:schema_version>5.4</oval:schema_version>
            <oval:timestamp>2008-06-03T07:58:22.000-05:00</oval:timestamp>
      </generator>
      <!-- ==================================================================================================== -->
      <!-- ==========================================  DEFINITIONS  =========================================== -->
      <!-- ==================================================================================================== -->
      <definitions>
            <definition id="oval:gov.nist.fdcc.xp:def:128" version="1" class="compliance">
                  <metadata>
                        <title>Administrators and System User Have Full Access to the SYSTEMROOT/system32/arp.exe File</title>
                        <affected family="windows">
                              <platform>Microsoft Windows XP</platform>
                        </affected>
                        <reference source="CCE" ref_id="CCE-600"/>
                        <description>The Administrators group and the System user should have full access to the SYSTEMROOT/system32/arp.exe file and all other users should have no file access privileges</description>
                  </metadata>
                  <criteria>
                        <extend_definition comment="Microsoft Windows XP is installed" definition_ref="oval:gov.nist.fdcc.xp:def:2"/>
                        <criteria operator="AND">
                              <criterion comment="The Administrators group is granted full access to the file arp.exe" test_ref="oval:gov.nist.fdcc.xp:tst:193"/>
                              <criterion comment="The System user is granted full access to the file arp.exe" test_ref="oval:gov.nist.fdcc.xp:tst:194"/>
                              <criterion comment="There are no access privileges to file arp.exe by users not part of the Administrators group or the System user" test_ref="oval:gov.nist.fdcc.xp:tst:195"/>
                        </criteria>
                  </criteria>
            </definition>
            <!--====================================================================================================-->
            <!--=====================================  EXTENDED DEFINITIONS  =========================================-->
            <!--====================================================================================================-->
            <definition id="oval:gov.nist.fdcc.xp:def:2" version="1" class="inventory">
                  <metadata>
                        <title>Microsoft Windows XP is installed</title>
                        <affected family="windows">
                              <platform>Microsoft Windows XP</platform>
                        </affected>
                        <description>Microsoft Windows XP is installed</description>
                  </metadata>
                  <criteria>
                        <criterion comment="the installed operating system is part of the Microsoft Windows family" test_ref="oval:gov.nist.fdcc.xp:tst:6"/>
                        <criterion comment="Microsoft Windows XP is installed" test_ref="oval:gov.nist.fdcc.xp:tst:7"/>
                  </criteria>
            </definition>
      </definitions>
      <!-- ==================================================================================================== -->
      <!-- ============================================  TESTS  =============================================== -->
      <!-- ==================================================================================================== -->
      <tests>
            <family_test id="oval:gov.nist.fdcc.xp:tst:6" version="1" comment="the installed operating system is part of the Microsoft Windows family" check_existence="at_least_one_exists" check="only one" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
                  <object object_ref="oval:gov.nist.fdcc.xp:obj:3"/>
                  <state state_ref="oval:gov.nist.fdcc.xp:ste:14"/>
            </family_test>
            <registry_test id="oval:gov.nist.fdcc.xp:tst:7" version="1" comment="Microsoft Windows XP is installed" check_existence="at_least_one_exists" check="at least one" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
                  <object object_ref="oval:gov.nist.fdcc.xp:obj:4"/>
                  <state state_ref="oval:gov.nist.fdcc.xp:ste:15"/>
            </registry_test>
            <fileeffectiverights53_test id="oval:gov.nist.fdcc.xp:tst:193" version="1" comment="The Administrators group is granted full access to the file arp.exe" check_existence="any_exist" check="all" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
                  <object object_ref="oval:gov.nist.fdcc.xp:obj:83"/>
                  <state state_ref="oval:gov.nist.fdcc.xp:ste:51"/>
            </fileeffectiverights53_test>
            <fileeffectiverights53_test id="oval:gov.nist.fdcc.xp:tst:194" version="1" comment="The System user is granted full access to the file arp.exe" check_existence="any_exist" check="all" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
                  <object object_ref="oval:gov.nist.fdcc.xp:obj:84"/>
                  <state state_ref="oval:gov.nist.fdcc.xp:ste:51"/>
            </fileeffectiverights53_test>
            <fileeffectiverights53_test id="oval:gov.nist.fdcc.xp:tst:195" version="1" comment="There are no access privileges to file arp.exe by users not part of the Administrators group or the System user" check_existence="any_exist" check="all" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
                  <object object_ref="oval:gov.nist.fdcc.xp:obj:85"/>
                  <state state_ref="oval:gov.nist.fdcc.xp:ste:52"/>
            </fileeffectiverights53_test>
      </tests>
      <!-- ==================================================================================================== -->
      <!-- ===========================================  OBJECTS  ============================================== -->
      <!-- ==================================================================================================== -->
      <objects>
            <family_object id="oval:gov.nist.fdcc.xp:obj:3" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"/>
            <registry_object id="oval:gov.nist.fdcc.xp:obj:4" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
                  <hive>HKEY_LOCAL_MACHINE</hive>
                  <key>SOFTWARE\Microsoft\Windows NT\CurrentVersion</key>
                  <name>CurrentVersion</name>
            </registry_object>
            <registry_object id="oval:gov.nist.fdcc.xp:obj:79" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
                  <hive>HKEY_LOCAL_MACHINE</hive>
                  <key>SOFTWARE\Microsoft\Windows NT\CurrentVersion</key>
                  <name>SystemRoot</name>
            </registry_object>
            <fileeffectiverights53_object id="oval:gov.nist.fdcc.xp:obj:83" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
                  <path var_ref="oval:gov.nist.fdcc.xp:var:1"/>
                  <filename>arp.exe</filename>
                  <trustee_sid>S-1-5-32-544</trustee_sid>
            </fileeffectiverights53_object>
            <fileeffectiverights53_object id="oval:gov.nist.fdcc.xp:obj:84" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
                  <path var_ref="oval:gov.nist.fdcc.xp:var:1"/>
                  <filename>arp.exe</filename>
                   <trustee_sid>S-1-5-18</trustee_sid>
            </fileeffectiverights53_object>
            <fileeffectiverights53_object id="oval:gov.nist.fdcc.xp:obj:85" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
                  <set set_operator="INTERSECTION" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                        <set set_operator="COMPLEMENT">
                              <object_reference>oval:gov.nist.fdcc.xp:obj:300</object_reference>
                              <object_reference>oval:gov.nist.fdcc.xp:obj:84</object_reference>
                        </set>
                        <set set_operator="COMPLEMENT">
                              <object_reference>oval:gov.nist.fdcc.xp:obj:300</object_reference>
                              <object_reference>oval:gov.nist.fdcc.xp:obj:86</object_reference>
                        </set>
                  </set>
            </fileeffectiverights53_object>
            <fileeffectiverights53_object id="oval:gov.nist.fdcc.xp:obj:86" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
                  <behaviors resolve_group="true"/>
                  <path var_ref="oval:gov.nist.fdcc.xp:var:1"/>
                  <filename>arp.exe</filename>
                  <trustee_sid>S-1-5-32-544</trustee_sid>
            </fileeffectiverights53_object>
            <fileeffectiverights53_object id="oval:gov.nist.fdcc.xp:obj:300" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
                  <behaviors resolve_group="true"/>
                  <path var_ref="oval:gov.nist.fdcc.xp:var:1"/>
                  <filename>arp.exe</filename>
                  <trustee_sid operation="pattern match">.*</trustee_sid>
            </fileeffectiverights53_object>
      </objects>
      <!-- ==================================================================================================== -->
      <!-- ============================================  STATES  ============================================== -->
      <!-- ==================================================================================================== -->
      <states>
            <family_state id="oval:gov.nist.fdcc.xp:ste:14" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
                  <family>windows</family>
            </family_state>
            <registry_state id="oval:gov.nist.fdcc.xp:ste:15" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
                  <value>5.1</value>
            </registry_state>
            <fileeffectiverights53_state id="oval:gov.nist.fdcc.xp:ste:51" version="1" comment="specified account is granted full control" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
                  <standard_delete datatype="boolean">1</standard_delete>
                  <standard_read_control datatype="boolean">1</standard_read_control>
                  <standard_write_dac datatype="boolean">1</standard_write_dac>
                  <standard_write_owner datatype="boolean">1</standard_write_owner>
                  <standard_synchronize datatype="boolean">1</standard_synchronize>
                  <file_read_data datatype="boolean">1</file_read_data>
                  <file_write_data datatype="boolean">1</file_write_data>
                  <file_append_data datatype="boolean">1</file_append_data>
                  <file_read_ea datatype="boolean">1</file_read_ea>
                  <file_write_ea datatype="boolean">1</file_write_ea>
                  <file_execute datatype="boolean">1</file_execute>
                  <file_delete_child datatype="boolean">1</file_delete_child>
                  <file_read_attributes datatype="boolean">1</file_read_attributes>
                  <file_write_attributes datatype="boolean">1</file_write_attributes>
            </fileeffectiverights53_state>
            <fileeffectiverights53_state id="oval:gov.nist.fdcc.xp:ste:52" version="1" comment="specified account has no access privileges" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
                  <standard_delete datatype="boolean">0</standard_delete>
                  <standard_read_control datatype="boolean">0</standard_read_control>
                  <standard_write_dac datatype="boolean">0</standard_write_dac>
                  <standard_write_owner datatype="boolean">0</standard_write_owner>
                  <standard_synchronize datatype="boolean">0</standard_synchronize>
                  <access_system_security datatype="boolean">0</access_system_security>
                  <generic_read datatype="boolean">0</generic_read>
                  <generic_write datatype="boolean">0</generic_write>
                  <generic_execute datatype="boolean">0</generic_execute>
                  <generic_all datatype="boolean">0</generic_all>
                  <file_read_data datatype="boolean">0</file_read_data>
                  <file_write_data datatype="boolean">0</file_write_data>
                  <file_append_data datatype="boolean">0</file_append_data>
                  <file_read_ea datatype="boolean">0</file_read_ea>
                  <file_write_ea datatype="boolean">0</file_write_ea>
                  <file_execute datatype="boolean">0</file_execute>
                  <file_delete_child datatype="boolean">0</file_delete_child>
                  <file_read_attributes datatype="boolean">0</file_read_attributes>
                  <file_write_attributes datatype="boolean">0</file_write_attributes>
            </fileeffectiverights53_state>
      </states>
      <!-- ==================================================================================================== -->
      <!-- ===========================================  VARIABLES  ============================================ -->
      <!-- ==================================================================================================== -->
      <variables>
            <local_variable id="oval:gov.nist.fdcc.xp:var:1" version="1" comment="Windows system32 directory" datatype="string">
                  <concat>
                        <object_component object_ref="oval:gov.nist.fdcc.xp:obj:79" item_field="value"/>
                        <literal_component>\system32</literal_component>
                  </concat>
            </local_variable>
      </variables>
      <!-- ==================================================================================================== -->
      <!-- ==================================================================================================== -->
      <!-- ==================================================================================================== -->
</oval_definitions>

Hi Tim,

I apologize for taking a while to respond to your email.
Unfortunately, at this time, I don't have an answer for why those
particular tests are returning a result of "unknown", but I do know why
that logging message is appearing.  That message actually doesn't have
anything to do with your XML document, rather it just has to do with
the way that the OVALDI is checking to see what kind of check attribute
you've set.  When the OVALDI checks to see if the check attribute is
"none exist" a logging message gets written out every time.  If you
look at the code you can see that the problem exists inside of
OvalEnum.cpp and Test.cpp:

Test::Parse(...) gets called which then calls
"this->SetCheck(OvalEnum::ToCheck(...))".  OvalEnum::ToCheck(...)
basically compares the check attribute value against each member of the
"Check" enumeration (defined in OvalEnum.h).  When OVALDI compares the
attribute against "none exist" through use of the
OvalEnum::CheckToString(...) method, that logger message gets fired
off.  Because of the execution path, every time you have a check
attribute with a value of "only one" or "none exist" that logging
message should be displayed: that's a problem.

I will see what I can do about that logging message (move the logging
call or just remove the call) and hopefully it'll be fixed in the next
release.

Thanks for the heads-up,
Bryan Worrell

__
Bryan Worrell    
The MITRE Corporation
bworrell@...




To unsubscribe, send an email message to LISTSERV@... with
SIGNOFF OVAL-DEVELOPER-LIST
in the BODY of the message.  If you have difficulties, write to OVAL-DEVELOPER-LIST-request@....

Tim,

fileeffectiverights53_object is not currently supported in the OVAL
Interpreter. When an object is not supported the test that references
it will evaluate to unknown.

Jon

============================================
Jonathan O. Baker
The MITRE Corporation
Email: bakerj@...


why
>that logging message is appearing.  That message actually doesn't have
>anything to do with your XML document, rather it just has to do with
>the way that the OVALDI is checking to see what kind of check
attribute
>you've set.  When the OVALDI checks to see if the check attribute is
>"none exist" a logging message gets written out every time.  If you
>look at the code you can see that the problem exists inside of
>OvalEnum.cpp and Test.cpp:
>
>Test::Parse(...) gets called which then calls
>"this->SetCheck(OvalEnum::ToCheck(...))".  OvalEnum::ToCheck(...)
>basically compares the check attribute value against each member of
the the
>>only issue listed in the log file states, "the 'none exist'
>>CheckEnumeration value has been deprecated..."  I have check set to
>>'all' so I'm thinking the log file is incorrect, but that doesn't
help
>>me find my error.  I have attached the test file, any ideas what the
>>problem might be?
>>
>>Thanks,
>>Tim Harrison
>>To unsubscribe, send an email message to LISTSERV@...
with
>>SIGNOFF OVAL-DEVELOPER-LIST in the BODY of the message. If you have
>>difficulties, write to OVAL-DEVELOPER-LIST-request@....
>
>To unsubscribe, send an email message to LISTSERV@... with
>SIGNOFF OVAL-DEVELOPER-LIST
>in the BODY of the message.  If you have difficulties, write to OVAL-
>DEVELOPER-LIST-request@....

To unsubscribe, send an email message to LISTSERV@... with
SIGNOFF OVAL-DEVELOPER-LIST
in the BODY of the message.  If you have difficulties, write to OVAL-DEVELOPER-LIST-request@....

I have updated the current source to fix the erroneous log messages. I
have added in messages to report that an object is not supported. These
changes will be included in the next build of the interpreter.

Regards,

Jon

============================================
Jonathan O. Baker
The MITRE Corporation
Email: bakerj@...


have the
>>attribute against "none exist" through use of the
>>OvalEnum::CheckToString(...) method, that logger message gets fired
>>off.  Because of the execution path, every time you have a check
>>attribute with a value of "only one" or "none exist" that logging
>>message should be displayed: that's a problem.
>>
>>I will see what I can do about that logging message (move the logging
>>call or just remove the call) and hopefully it'll be fixed in the
next elements. with
>>SIGNOFF OVAL-DEVELOPER-LIST
>>in the BODY of the message.  If you have difficulties, write to OVAL-
>>DEVELOPER-LIST-request@....
>
>To unsubscribe, send an email message to LISTSERV@... with
>SIGNOFF OVAL-DEVELOPER-LIST
>in the BODY of the message.  If you have difficulties, write to OVAL-
>DEVELOPER-LIST-request@....

To unsubscribe, send an email message to LISTSERV@... with
SIGNOFF OVAL-DEVELOPER-LIST
in the BODY of the message.  If you have difficulties, write to OVAL-DEVELOPER-LIST-request@....

Thanks Jon!

Would it be recommended to hold off on moving the FDCC content from
using fileeffectiverights_* to using fileeffectiverights53_*? Or only in
the case of fileeffectiverights53_object?

Thanks,
Tim Harrison

-----Original Message-----
From: Baker, Jon [mailto:bakerj@...]
Sent: Monday, June 09, 2008 9:21 PM
To: OVAL-DEVELOPER-LIST@...
Subject: Re: [OVAL-DEVELOPER-LIST] OVALDI Log states the 'none exist'
CheckEnumeration value has been deprecated

I have updated the current source to fix the erroneous log messages. I
have added in messages to report that an object is not supported. These
changes will be included in the next build of the interpreter.

Regards,

Jon

============================================
Jonathan O. Baker
The MITRE Corporation
Email: bakerj@...


have the
>>attribute against "none exist" through use of the
>>OvalEnum::CheckToString(...) method, that logger message gets fired
>>off.  Because of the execution path, every time you have a check
>>attribute with a value of "only one" or "none exist" that logging
>>message should be displayed: that's a problem.
>>
>>I will see what I can do about that logging message (move the logging
>>call or just remove the call) and hopefully it'll be fixed in the
next elements. with
>>SIGNOFF OVAL-DEVELOPER-LIST
>>in the BODY of the message.  If you have difficulties, write to OVAL-
>>DEVELOPER-LIST-request@....
>
>To unsubscribe, send an email message to LISTSERV@... with
>SIGNOFF OVAL-DEVELOPER-LIST in the BODY of the message.  If you have
>difficulties, write to OVAL- DEVELOPER-LIST-request@....

To unsubscribe, send an email message to LISTSERV@... with
SIGNOFF OVAL-DEVELOPER-LIST in the BODY of the message.  If you have
difficulties, write to OVAL-DEVELOPER-LIST-request@....

To unsubscribe, send an email message to LISTSERV@... with
SIGNOFF OVAL-DEVELOPER-LIST
in the BODY of the message.  If you have difficulties, write to OVAL-DEVELOPER-LIST-request@....

Well, I think the 53 version fixes some issues in the FDCC content. If
I recall the 53 tests were added specifically at the request of NIST to
support the FDCC content. I am currently working on the 53 version of
the file effective rights test and expect to include support for it in
the next build of the interpreter. I would like to release the next
build in two weeks. So, I would not let what the interpreter currently
supports guide your decision to switch to the 53 tests.

Are there other test you are looking to change? We would like the
interpreter to support all of the FDCC content.

Jon

============================================
Jonathan O. Baker
The MITRE Corporation
Email: bakerj@...


in These exist' logging Discussion the OVAL-
>>>DEVELOPER-LIST-request@....
>>
>>To unsubscribe, send an email message to LISTSERV@...
with
To unsubscribe, send an email message to LISTSERV@... with
SIGNOFF OVAL-DEVELOPER-LIST
in the BODY of the message.  If you have difficulties, write to OVAL-DEVELOPER-LIST-request@....

I plan on using the user sid tests as well as the wmi tests.  Also, it
looks like I will need to do a pattern match in order to use an sid
instead of the acount name for SUPPORT_388945a0.  Let me know if either
of these present any issues.

Tim

-----Original Message-----
From: Baker, Jon [mailto:bakerj@...]
Sent: Tuesday, June 10, 2008 8:37 AM
To: OVAL-DEVELOPER-LIST@...
Subject: Re: [OVAL-DEVELOPER-LIST] OVALDI Log states the 'none exist'
CheckEnumeration value has been deprecated

Well, I think the 53 version fixes some issues in the FDCC content. If I
recall the 53 tests were added specifically at the request of NIST to
support the FDCC content. I am currently working on the 53 version of
the file effective rights test and expect to include support for it in
the next build of the interpreter. I would like to release the next
build in two weeks. So, I would not let what the interpreter currently
supports guide your decision to switch to the 53 tests.

Are there other test you are looking to change? We would like the
interpreter to support all of the FDCC content.

Jon

============================================
Jonathan O. Baker
The MITRE Corporation
Email: bakerj@...


in These exist' logging Discussion the OVAL-
>>>DEVELOPER-LIST-request@....
>>
>>To unsubscribe, send an email message to LISTSERV@...
with
To unsubscribe, send an email message to LISTSERV@... with
SIGNOFF OVAL-DEVELOPER-LIST in the BODY of the message.  If you have
difficulties, write to OVAL-DEVELOPER-LIST-request@....

To unsubscribe, send an email message to LISTSERV@... with
SIGNOFF OVAL-DEVELOPER-LIST
in the BODY of the message.  If you have difficulties, write to OVAL-DEVELOPER-LIST-request@....