Passing variables to new and unexplored places...

Hi all,

Currently, the way to have an rpm_test test if a package exists and to allow either expected value (exists, does not exist) is to combine two different check_existence tests with corresponding variable checks.

            <ind-def:variable_test check_existence="all_exist"

id="some:tst:id1" version="1" check="all" comment="all_exist exist was specified">

                  <ind-def:object object_ref="some:obj:id1"/>

                  <ind-def:state state_ref="expected:ste:id1"/>

            </ind-def:variable_test>

            <lin-def:rpminfo_test check_existence="all_exist"

id="some:tst:id2" version="1" check="all" comment="The foo package should be installed or not as appropriate">

                  <lin-def:object object_ref="some:obj:id"/>

            </lin-def:rpminfo_test>

            <ind-def:variable_test check_existence="all_exist"

id="some:tst:id3" version="1" check="all" comment="none_exist exist was specified">

                  <ind-def:object object_ref="some:obj:id1"/>

                  <ind-def:state state_ref="some:ste:id2"/>

            </ind-def:variable_test>

            <lin-def:rpminfo_test check_existence="none_exist"

id="some:tst:id3" version="1" check="all" comment="The foo package should be installed or not as appropriate">

                  <lin-def:object object_ref="some:obj:id"/>

            </lin-def:rpminfo_test>

Could we somehow pass in the expected check_existence?

<lin-def:rpminfo_test check_existence="some:var:id" id="some:tst:id"

version="1" check="all" comment="Is the foo package installed?">

        <lin-def:object object_ref="some:obj:id"/> </lin-def:rpminfo_test>

This would reduce the weight of the OVAL significantly by removing tests and reducing the size of the criteria as well.  I realize that parameterized tests are a new thing and I am opening a bottle of worms, but it is worth getting on the table.  If we could make the data type of the variable somehow be restricted to valid check_existence values we would be set!

Regards,

Vladimir Giszpenc

DSCI Contractor Supporting

US Army CERDEC S&TCD IAD Tactical Network Protection Branch

(732) 532-8959

Vlad,

I am not sure I understand the issue you are using as an example here. If I wanted to test if an rpm existed I would use a test like:

<lin-def:rpminfo_test check_existence="at_least_one_exists" id="some:tst:id3" version="1" check="all" comment="…">

     <lin-def:object object_ref="some:obj:id"/>

</lin-def:rpminfo_test>

This test will evaluate to true if at least one exists rpm is found that matches the criteria specified by the object. Now if I already have this test I could simply negate the criterion the refers to the test to give myself a criterion that would evaluate to true if no rpms are found that match the criteria specified by the object.

Is this what you are looking for?

Can you help me understand the issue?

Hi all,

Currently, the way to have an rpm_test test if a package exists and to allow either expected value (exists, does not exist) is to combine two different check_existence tests with corresponding variable checks.

            <ind-def:variable_test check_existence="all_exist"

id="some:tst:id1" version="1" check="all" comment="all_exist exist was specified">

                  <ind-def:object object_ref="some:obj:id1"/>

                  <ind-def:state state_ref="expected:ste:id1"/>

            </ind-def:variable_test>

            <lin-def:rpminfo_test check_existence="all_exist"

id="some:tst:id2" version="1" check="all" comment="The foo package should be installed or not as appropriate">

                  <lin-def:object object_ref="some:obj:id"/>

            </lin-def:rpminfo_test>

            <ind-def:variable_test check_existence="all_exist"

id="some:tst:id3" version="1" check="all" comment="none_exist exist was specified">

                  <ind-def:object object_ref="some:obj:id1"/>

                  <ind-def:state state_ref="some:ste:id2"/>

            </ind-def:variable_test>

            <lin-def:rpminfo_test check_existence="none_exist"

id="some:tst:id3" version="1" check="all" comment="The foo package should be installed or not as appropriate">

                  <lin-def:object object_ref="some:obj:id"/>

            </lin-def:rpminfo_test>

Could we somehow pass in the expected check_existence?

<lin-def:rpminfo_test check_existence="some:var:id" id="some:tst:id"

version="1" check="all" comment="Is the foo package installed?">

        <lin-def:object object_ref="some:obj:id"/> </lin-def:rpminfo_test>

This would reduce the weight of the OVAL significantly by removing tests and reducing the size of the criteria as well.  I realize that parameterized tests are a new thing and I am opening a bottle of worms, but it is worth getting on the table.  If we could make the data type of the variable somehow be restricted to valid check_existence values we would be set!

Regards,

Vladimir Giszpenc

DSCI Contractor Supporting

US Army CERDEC S&TCD IAD Tactical Network Protection Branch

(732) 532-8959

To unsubscribe, send an email message to [hidden email] with SIGNOFF OVAL-DEVELOPER-LIST in the BODY of the message. If you have difficulties, write to [hidden email].

Jon,

If you have two possible variable values in XCCDF with “enabled” and “disabled” translating to a variable check on the OVAL side comparing XCCDF external variable values to different expected states per test, you get a definition that checks for

If expected state is enabled and test for at least one exists

OR

If expected state is disabled and test for none exists.

I agree that this could be rewritten with expected state is disabled and test not at least one exists.  If one of the possible expected states is all exists though, it can get tricky.  So my question was about passing in the expected check_existence from XCCDF to reduce the OVAL needed to express tailorable content.

Thanks,

Vladimir Giszpenc
DSCI Contractor Supporting
US Army CERDEC S&TCD IAD Tactical Network Protection Branch
(732) 532-8959

Vlad,

I am not sure I understand the issue you are using as an example here. If I wanted to test if an rpm existed I would use a test like:

<lin-def:rpminfo_test check_existence="at_least_one_exists" id="some:tst:id3" version="1" check="all" comment="…">

     <lin-def:object object_ref="some:obj:id"/>

</lin-def:rpminfo_test>

This test will evaluate to true if at least one exists rpm is found that matches the criteria specified by the object. Now if I already have this test I could simply negate the criterion the refers to the test to give myself a criterion that would evaluate to true if no rpms are found that match the criteria specified by the object.

Is this what you are looking for?

Can you help me understand the issue?

Hi all,

Currently, the way to have an rpm_test test if a package exists and to allow either expected value (exists, does not exist) is to combine two different check_existence tests with corresponding variable checks.

            <ind-def:variable_test check_existence="all_exist"

id="some:tst:id1" version="1" check="all" comment="all_exist exist was specified">

                  <ind-def:object object_ref="some:obj:id1"/>

                  <ind-def:state state_ref="expected:ste:id1"/>

            </ind-def:variable_test>

            <lin-def:rpminfo_test check_existence="all_exist"

id="some:tst:id2" version="1" check="all" comment="The foo package should be installed or not as appropriate">

                  <lin-def:object object_ref="some:obj:id"/>

            </lin-def:rpminfo_test>

            <ind-def:variable_test check_existence="all_exist"

id="some:tst:id3" version="1" check="all" comment="none_exist exist was specified">

                  <ind-def:object object_ref="some:obj:id1"/>

                  <ind-def:state state_ref="some:ste:id2"/>

            </ind-def:variable_test>

            <lin-def:rpminfo_test check_existence="none_exist"

id="some:tst:id3" version="1" check="all" comment="The foo package should be installed or not as appropriate">

                  <lin-def:object object_ref="some:obj:id"/>

            </lin-def:rpminfo_test>

Could we somehow pass in the expected check_existence?

<lin-def:rpminfo_test check_existence="some:var:id" id="some:tst:id"

version="1" check="all" comment="Is the foo package installed?">

        <lin-def:object object_ref="some:obj:id"/> </lin-def:rpminfo_test>

This would reduce the weight of the OVAL significantly by removing tests and reducing the size of the criteria as well.  I realize that parameterized tests are a new thing and I am opening a bottle of worms, but it is worth getting on the table.  If we could make the data type of the variable somehow be restricted to valid check_existence values we would be set!

Regards,

Vladimir Giszpenc

DSCI Contractor Supporting

US Army CERDEC S&TCD IAD Tactical Network Protection Branch

(732) 532-8959

To unsubscribe, send an email message to [hidden email] with SIGNOFF OVAL-DEVELOPER-LIST in the BODY of the message. If you have difficulties, write to [hidden email].

To unsubscribe, send an email message to [hidden email] with SIGNOFF OVAL-DEVELOPER-LIST in the BODY of the message. If you have difficulties, write to [hidden email].

Ok, I think I understand the idea here. I can see the benefit in terms of simplifying the oval content. However, this change would likely make evaluating oval content a bit more complicated and may reduce the readability of oval content. This is a tradeoff we should be aware of. This is something that we could investigate for a future release.

Jon,

If you have two possible variable values in XCCDF with “enabled” and “disabled” translating to a variable check on the OVAL side comparing XCCDF external variable values to different expected states per test, you get a definition that checks for

If expected state is enabled and test for at least one exists

OR

If expected state is disabled and test for none exists.

I agree that this could be rewritten with expected state is disabled and test not at least one exists.  If one of the possible expected states is all exists though, it can get tricky.  So my question was about passing in the expected check_existence from XCCDF to reduce the OVAL needed to express tailorable content.

Thanks,

Vladimir Giszpenc
DSCI Contractor Supporting
US Army CERDEC S&TCD IAD Tactical Network Protection Branch
(732) 532-8959

Vlad,

I am not sure I understand the issue you are using as an example here. If I wanted to test if an rpm existed I would use a test like:

<lin-def:rpminfo_test check_existence="at_least_one_exists" id="some:tst:id3" version="1" check="all" comment="…">

     <lin-def:object object_ref="some:obj:id"/>

</lin-def:rpminfo_test>

This test will evaluate to true if at least one exists rpm is found that matches the criteria specified by the object. Now if I already have this test I could simply negate the criterion the refers to the test to give myself a criterion that would evaluate to true if no rpms are found that match the criteria specified by the object.

Is this what you are looking for?

Can you help me understand the issue?

Hi all,

Currently, the way to have an rpm_test test if a package exists and to allow either expected value (exists, does not exist) is to combine two different check_existence tests with corresponding variable checks.

            <ind-def:variable_test check_existence="all_exist"

id="some:tst:id1" version="1" check="all" comment="all_exist exist was specified">

                  <ind-def:object object_ref="some:obj:id1"/>

                  <ind-def:state state_ref="expected:ste:id1"/>

            </ind-def:variable_test>

            <lin-def:rpminfo_test check_existence="all_exist"

id="some:tst:id2" version="1" check="all" comment="The foo package should be installed or not as appropriate">

                  <lin-def:object object_ref="some:obj:id"/>

            </lin-def:rpminfo_test>

            <ind-def:variable_test check_existence="all_exist"

id="some:tst:id3" version="1" check="all" comment="none_exist exist was specified">

                  <ind-def:object object_ref="some:obj:id1"/>

                  <ind-def:state state_ref="some:ste:id2"/>

            </ind-def:variable_test>

            <lin-def:rpminfo_test check_existence="none_exist"

id="some:tst:id3" version="1" check="all" comment="The foo package should be installed or not as appropriate">

                  <lin-def:object object_ref="some:obj:id"/>

            </lin-def:rpminfo_test>

Could we somehow pass in the expected check_existence?

<lin-def:rpminfo_test check_existence="some:var:id" id="some:tst:id"

version="1" check="all" comment="Is the foo package installed?">

        <lin-def:object object_ref="some:obj:id"/> </lin-def:rpminfo_test>

This would reduce the weight of the OVAL significantly by removing tests and reducing the size of the criteria as well.  I realize that parameterized tests are a new thing and I am opening a bottle of worms, but it is worth getting on the table.  If we could make the data type of the variable somehow be restricted to valid check_existence values we would be set!

Regards,

Vladimir Giszpenc

DSCI Contractor Supporting

US Army CERDEC S&TCD IAD Tactical Network Protection Branch

(732) 532-8959

To unsubscribe, send an email message to [hidden email] with SIGNOFF OVAL-DEVELOPER-LIST in the BODY of the message. If you have difficulties, write to [hidden email].

To unsubscribe, send an email message to [hidden email] with SIGNOFF OVAL-DEVELOPER-LIST in the BODY of the message. If you have difficulties, write to [hidden email].

To unsubscribe, send an email message to [hidden email] with SIGNOFF OVAL-DEVELOPER-LIST in the BODY of the message. If you have difficulties, write to [hidden email].