Oval 5.4 draft, User Sid test

Hi,

In the user sid test (oval 5.4 draft),
user_sid_object is having
              - "user" as element name whereas it should be "user_sid"
user_sid_state is having
              - "user" as element name, it should be "user_sid"
              - "group" as element name, it should be "group_sid".

To make the draft uniform, i think the above name changes are minor
ones.

Please let me know in case there is any difference in my understanding.

Regards,
Thomas

To unsubscribe, send an email message to LISTSERV@... with
SIGNOFF OVAL-DEVELOPER-LIST
in the BODY of the message.  If you have difficulties, write to OVAL-DEVELOPER-LIST-request@....

Hi, Everyone,

I just came across this myself in the schema files. I strongly agree
with Thomas.

The user_sid_object should follow the pattern set by its brethren, e.g.,
the sid_sid_object and the group_sid_object.

I presume that this is just a cut-and-paste error. :)

Regards,
Eric

Eric Fredericksen, PhD
Solutions Architect
Risk and Compliance Business Unit
McAfee, Inc.

949.297.5600 Main
949.297.5574 Direct
949.466.5196 Mobile
949.297.5575 Fax
Eric_Fredericksen@...
www.mcafee.com

This email may contain confidential and privileged information for the
sole use of the intended recipient. Any review or distribution by others
is strictly prohibited. If you are not the intended recipient, please
contact the sender and delete all copies of this message. Thank you.

 

-----Original Message-----
From: Joy, Thomas
Sent: Tuesday, June 17, 2008 12:00 AM
To: OVAL-DEVELOPER-LIST@...
Subject: [OVAL-DEVELOPER-LIST] Oval 5.4 draft, User Sid test

Hi,

In the user sid test (oval 5.4 draft),
user_sid_object is having
              - "user" as element name whereas it should be "user_sid"
user_sid_state is having
              - "user" as element name, it should be "user_sid"
              - "group" as element name, it should be "group_sid".

To make the draft uniform, i think the above name changes are minor
ones.

Please let me know in case there is any difference in my understanding.

Regards,
Thomas

To unsubscribe, send an email message to LISTSERV@... with
SIGNOFF OVAL-DEVELOPER-LIST
in the BODY of the message.  If you have difficulties, write to
OVAL-DEVELOPER-LIST-request@....

To unsubscribe, send an email message to LISTSERV@... with
SIGNOFF OVAL-DEVELOPER-LIST
in the BODY of the message.  If you have difficulties, write to OVAL-DEVELOPER-LIST-request@....

Thomas_Joy@... wrote:

While I agree that the element's name is wrong, the change will
unfortunately have to wait for a subsequent OVAL version, as 5.4 is the
official (i.e., not draft) version as of 2008/04/10. Worse, probably a
major version, as minor versions strive to maintain backward eccentricity.

A pet peeve of mine is accesstoken_test security_principle, which has
enjoyed remarkable longevity.

To unsubscribe, send an email message to LISTSERV@... with
SIGNOFF OVAL-DEVELOPER-LIST
in the BODY of the message.  If you have difficulties, write to OVAL-DEVELOPER-LIST-request@....

Looking at the official schema bundles we see that this problem is more
serious than I first thought.

The windows system characteristics XSD requires that user_sid_item
entries contain children named

        user_sid
        enabled
        group_sid

However, the windows definitions XSD requires user_sid_state
entries to have children named

        user
        enabled
        group

This looks to me like a clear and serious problem in the either the
schema or the
specification or both.

If the names were the same there would be no problem. However,
my guess that this requirement could easily break content in any
OVAL consumer that expects that state objects and item objects have
correctly named, that is, equivalently named, element children.

So, am I to understand that there is no mechanism for fixing a broken
specification? If there is no existing content that follows this then
why not fix the schema, amend the documentation, and move forward?

At the very least this should be fixed in a 5.5 release and not wait for
6.0.

Regards,
Eric

P.S.

Re: security_principle - I agree wholeheartedly. :) entities
(principals)
can have rights and rules (principles) are for secure
behavior. I gound my teeth over that one for some time.

There are a few other teath grinders in the same place: there are
security principal
rights that are partially camel case, out of sync with the rest.

sedenyremoteInteractivelogonright
------------^
sedenybatchLogonright
-----------^


-----Original Message-----
From: Gary Gapinski [mailto:gapinski@...]
Sent: Wednesday, July 02, 2008 3:22 AM
To: OVAL-DEVELOPER-LIST@...
Subject: Re: [OVAL-DEVELOPER-LIST] Oval 5.4 draft, User Sid test

Thomas_Joy@... wrote: understanding.
>


While I agree that the element's name is wrong, the change will
unfortunately have to wait for a subsequent OVAL version, as 5.4 is the
official (i.e., not draft) version as of 2008/04/10. Worse, probably a
major version, as minor versions strive to maintain backward
eccentricity.

A pet peeve of mine is accesstoken_test security_principle, which has
enjoyed remarkable longevity.

To unsubscribe, send an email message to LISTSERV@... with
SIGNOFF OVAL-DEVELOPER-LIST
in the BODY of the message.  If you have difficulties, write to
OVAL-DEVELOPER-LIST-request@....

To unsubscribe, send an email message to LISTSERV@... with
SIGNOFF OVAL-DEVELOPER-LIST
in the BODY of the message.  If you have difficulties, write to OVAL-DEVELOPER-LIST-request@....

I fully agree with Eric. As the specification is broken it has to be
fixed. So it makes sense to fix the spec & schema as soon as possible.
If the changes are done late then it may break content.

Regards,
Thomas

-----Original Message-----
From: Fredericksen, Eric
Sent: Wednesday, July 02, 2008 11:50 PM
To: OVAL-DEVELOPER-LIST@...
Subject: Re: [OVAL-DEVELOPER-LIST] Oval 5.4 draft, User Sid test

Looking at the official schema bundles we see that this problem is more
serious than I first thought.

The windows system characteristics XSD requires that user_sid_item
entries contain children named

        user_sid
        enabled
        group_sid

However, the windows definitions XSD requires user_sid_state entries to
have children named

        user
        enabled
        group

This looks to me like a clear and serious problem in the either the
schema or the specification or both.

If the names were the same there would be no problem. However, my guess
that this requirement could easily break content in any OVAL consumer
that expects that state objects and item objects have correctly named,
that is, equivalently named, element children.

So, am I to understand that there is no mechanism for fixing a broken
specification? If there is no existing content that follows this then
why not fix the schema, amend the documentation, and move forward?

At the very least this should be fixed in a 5.5 release and not wait for
6.0.

Regards,
Eric

P.S.

Re: security_principle - I agree wholeheartedly. :) entities
(principals)
can have rights and rules (principles) are for secure behavior. I gound
my teeth over that one for some time.

There are a few other teath grinders in the same place: there are
security principal rights that are partially camel case, out of sync
with the rest.

sedenyremoteInteractivelogonright
------------^
sedenybatchLogonright
-----------^


-----Original Message-----
From: Gary Gapinski [mailto:gapinski@...]
Sent: Wednesday, July 02, 2008 3:22 AM
To: OVAL-DEVELOPER-LIST@...
Subject: Re: [OVAL-DEVELOPER-LIST] Oval 5.4 draft, User Sid test

Thomas_Joy@... wrote: understanding.
>


While I agree that the element's name is wrong, the change will
unfortunately have to wait for a subsequent OVAL version, as 5.4 is the
official (i.e., not draft) version as of 2008/04/10. Worse, probably a
major version, as minor versions strive to maintain backward
eccentricity.

A pet peeve of mine is accesstoken_test security_principle, which has
enjoyed remarkable longevity.

To unsubscribe, send an email message to LISTSERV@... with
SIGNOFF OVAL-DEVELOPER-LIST
in the BODY of the message.  If you have difficulties, write to
OVAL-DEVELOPER-LIST-request@....

To unsubscribe, send an email message to LISTSERV@... with
SIGNOFF OVAL-DEVELOPER-LIST
in the BODY of the message.  If you have difficulties, write to
OVAL-DEVELOPER-LIST-request@....

To unsubscribe, send an email message to LISTSERV@... with
SIGNOFF OVAL-DEVELOPER-LIST
in the BODY of the message.  If you have difficulties, write to OVAL-DEVELOPER-LIST-request@....

Thomas_Joy@... wrote:
>
> I fully agree with Eric. As the specification is broken it has to be
> fixed. So it makes sense to fix the spec & schema as soon as possible.
>

I agree wholeheartedly. However, current practice is to enshrine such
errors. I do not agree with this practice, but I am not in a position to
correct it.

> If the changes are done late then it may break content.
>

s/may/will/: see
http://nvd.nist.gov/fdcc/FDCC-Version-1.0-2008-06-20.zip, which is using
OVAL v5.4 and indeed uses the badly named elements.

I suspect there are only a couple of dozen people on the planet that
need to reach agreement that the errors can be corrected at the risk of
breaking content in a trivial way with a trivial fix. Hopefully, they
can take "principle" behind the barn and shoot it along while attending
to other corrections.

In any case, is this actually broken, or is it just in bad taste? System
characteristics and test objects and states need not have identical
element names (though of course they should).

To unsubscribe, send an email message to LISTSERV@... with
SIGNOFF OVAL-DEVELOPER-LIST
in the BODY of the message.  If you have difficulties, write to OVAL-DEVELOPER-LIST-request@....

I do agree that the schema is in error here.  The entities should have
been 'user_sid' and 'group_sid'.

Question for the rest of the community --- This puts into question our
stated goals of a minor release, namely that it won't invalidate
existing content.  Should we make exceptions to this rule to allow for
fixing schema errors?  Honestly, I think we have done this in the past.
With the coming version 6 we could formalize this type of practice.
The downside is that some users might have coded to the erroneous
version.

Thoughts?

Thanks
Drew

more to guess
>that this requirement could easily break content in any OVAL consumer
>that expects that state objects and item objects have correctly named,
>that is, equivalently named, element children.
>
>So, am I to understand that there is no mechanism for fixing a broken
>specification? If there is no existing content that follows this then
>why not fix the schema, amend the documentation, and move forward?
>
>At the very least this should be fixed in a 5.5 release and not wait
for gound "user_sid" the
To unsubscribe, send an email message to LISTSERV@... with
SIGNOFF OVAL-DEVELOPER-LIST
in the BODY of the message.  If you have difficulties, write to OVAL-DEVELOPER-LIST-request@....

>I do agree that the schema is in error here.  The entities should have
>been 'user_sid' and 'group_sid'.
>
>Question for the rest of the community --- This puts into question our
>stated goals of a minor release, namely that it won't invalidate
>existing content.  Should we make exceptions to this rule to allow for
>fixing schema errors?  Honestly, I think we have done this in the
past.
>With the coming version 6 we could formalize this type of practice.
>The downside is that some users might have coded to the erroneous
>version.

Please note that our current defined practice for handling this would
be to release a new minor version of the schema and create a new
<user_sid55_test> and to deprecate the current <user_sid_test>.

Thanks
Drew

To unsubscribe, send an email message to LISTSERV@... with
SIGNOFF OVAL-DEVELOPER-LIST
in the BODY of the message.  If you have difficulties, write to OVAL-DEVELOPER-LIST-request@....

Adding yet another test just muddies the water here.  With the problems
with this test and the problems with the TextFileContent54 test, I
recommend releasing OVAL 5.5 with these fixes and declaring it to be
backwards compatible with 5.3, basically severing ties with 5.4.


Paul

-----Original Message-----
From: Buttner, Drew [mailto:abuttner@...]
Sent: Thursday, July 03, 2008 11:07 AM
To: OVAL-DEVELOPER-LIST@...
Subject: Re: [OVAL-DEVELOPER-LIST] Oval 5.4 draft, User Sid test

>I do agree that the schema is in error here.  The entities should have
>been 'user_sid' and 'group_sid'.
>
>Question for the rest of the community --- This puts into question our
>stated goals of a minor release, namely that it won't invalidate
>existing content.  Should we make exceptions to this rule to allow for
>fixing schema errors?  Honestly, I think we have done this in the
past.
>With the coming version 6 we could formalize this type of practice.
>The downside is that some users might have coded to the erroneous
>version.

Please note that our current defined practice for handling this would
be to release a new minor version of the schema and create a new
<user_sid55_test> and to deprecate the current <user_sid_test>.

Thanks
Drew

To unsubscribe, send an email message to LISTSERV@... with
SIGNOFF OVAL-DEVELOPER-LIST
in the BODY of the message.  If you have difficulties, write to
OVAL-DEVELOPER-LIST-request@....

To unsubscribe, send an email message to LISTSERV@... with
SIGNOFF OVAL-DEVELOPER-LIST
in the BODY of the message.  If you have difficulties, write to OVAL-DEVELOPER-LIST-request@....

I am not all that worried about having deprecated tests laying around
in the schema. If people are worried about muddying up the schema,
perhaps it makes sense to more clearly separate out deprecated items in
the schema. We could certainly make it more clear that items in the
schema are deprecated. If it helped, we could probably even add a
stylesheet to look for deprecated items and warn you about them.


Jon

============================================
Jonathan O. Baker
The MITRE Corporation
Email: bakerj@...



>-----Original Message-----
>From: Paul_Whitehurst@... [mailto:Paul_Whitehurst@...]
>Sent: Thursday, July 03, 2008 1:14 PM
>To: oval-developer-list OVAL Developer List/Closed Public Discussion
>Subject: Re: [OVAL-DEVELOPER-LIST] Oval 5.4 draft, User Sid test
>
>Adding yet another test just muddies the water here.  With the
problems have
>>been 'user_sid' and 'group_sid'.
>>
>>Question for the rest of the community --- This puts into question
our
>>stated goals of a minor release, namely that it won't invalidate
>>existing content.  Should we make exceptions to this rule to allow
for
To unsubscribe, send an email message to LISTSERV@... with
SIGNOFF OVAL-DEVELOPER-LIST
in the BODY of the message.  If you have difficulties, write to OVAL-DEVELOPER-LIST-request@....

Have there been any new developments with regard to correcting the
user_sid_object/user_sid_state schema?  Does anyone know if there is
going to be a 5.5 Oval release that includes a correction or will that
only be included in 6.0? (side question: If there isn't a 5.5 with this
correction is there going to be an Oval 5.5 at all?  Is so, what's the
anticipated date?)

Bob Riley

-----Original Message-----
From: Baker, Jon [mailto:bakerj@...]
Sent: Monday, July 07, 2008 5:31 PM
To: OVAL-DEVELOPER-LIST@...
Subject: Re: [OVAL-DEVELOPER-LIST] Oval 5.4 draft, User Sid test

I am not all that worried about having deprecated tests laying around
in the schema. If people are worried about muddying up the schema,
perhaps it makes sense to more clearly separate out deprecated items in
the schema. We could certainly make it more clear that items in the
schema are deprecated. If it helped, we could probably even add a
stylesheet to look for deprecated items and warn you about them.


Jon

============================================
Jonathan O. Baker
The MITRE Corporation
Email: bakerj@...



>-----Original Message-----
>From: Paul_Whitehurst@... [mailto:Paul_Whitehurst@...]
>Sent: Thursday, July 03, 2008 1:14 PM
>To: oval-developer-list OVAL Developer List/Closed Public Discussion
>Subject: Re: [OVAL-DEVELOPER-LIST] Oval 5.4 draft, User Sid test
>
>Adding yet another test just muddies the water here.  With the
problems have
>>been 'user_sid' and 'group_sid'.
>>
>>Question for the rest of the community --- This puts into question
our
>>stated goals of a minor release, namely that it won't invalidate
>>existing content.  Should we make exceptions to this rule to allow
for
To unsubscribe, send an email message to LISTSERV@... with
SIGNOFF OVAL-DEVELOPER-LIST
in the BODY of the message.  If you have difficulties, write to
OVAL-DEVELOPER-LIST-request@....

To unsubscribe, send an email message to LISTSERV@... with
SIGNOFF OVAL-DEVELOPER-LIST
in the BODY of the message.  If you have difficulties, write to OVAL-DEVELOPER-LIST-request@....

Version 5.5 will happen and most likely will be in draft form by the
end of Aug.  Work (other than planning) on it has not started but my
guess is that it will be mostly bug fixes.  I am currently working on a
way to expose our internal issue tracker to the website so that the
community can get a real-time view into what has been included and what
is still being planned for a new version.

All info on version 5.5 will be available here:

http://oval.mitre.org/language/download/schema/version5.5/index.html

Regarding the specific user_sid issue, I think we will follow the
defined procedure for this version.  (create a new test and deprecate
the existing test)  If this not desirable for the community, we should
work to improve the process under the Version 6 framework.

Thanks
Drew

this in with
>>SIGNOFF OVAL-DEVELOPER-LIST
>>in the BODY of the message.  If you have difficulties, write to
>>OVAL-DEVELOPER-LIST-request@....
>>
>>To unsubscribe, send an email message to LISTSERV@...
with
To unsubscribe, send an email message to LISTSERV@... with
SIGNOFF OVAL-DEVELOPER-LIST
in the BODY of the message.  If you have difficulties, write to OVAL-DEVELOPER-LIST-request@....