Questions about Ovaldi's implementation of the 'Check' and 'Check Existence' attributes for tests.

Tony W

A couple of questions regarding Ovaldi's handling of the Test 'Check' and 'Check Existence' attributes:

In the definition included below, is the check_existence attribute required? It looks like in the schema docs that the default is "at least one exists". Also, doesn't the check_existence attribute only apply to the objects on the system, not the state of those objects?

Again from the schema docs, "The required check attribute determines how many of the existing objects must satisfy the state requirements." I'm a bit confused about the 'check' attribute: I don't understand why Ovaldi doesn't always evaluate the state as long as the object (in this case the Backup Operators group) exists.

I would think the test below would report false if there is any user in the Backup Operators group and would report true otherwise. Shouldn't it still evaluate to true if the group exists, but there are no members in it?

[This is a snippet of a modified version of SCAP-Win2003-MS-OVAL-v61.xml ….. the original is below]

<group_test id="oval:gov.nist.2:tst:382" version="1" check_existence="any_exist" check="none satisfy" comment="No users are allowed to be members of the Backup Operators Group" xmlns="...">
  <object object_ref="oval:gov.nist.2:obj:228"/>
  <state state_ref="oval:gov.nist.2:ste:273"/>
</group_test>

<group_object id="oval:gov.nist.2:obj:228" version="1" xmlns="...">
  <group>Backup Operators</group>
</group_object>

<group_state id="oval:gov.nist.2:ste:273" version="1" xmlns="...">
  <user operation="pattern match">.+</user>
</group_state>

 

ORIGINAL

<group_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows" id="oval:gov.nist.2:tst:382" version="1" check="none exist" comment="No users are allowed to be members of the Backup Operators Group">
  <object object_ref="oval:gov.nist.2:obj:228"/>
  <state state_ref="oval:gov.nist.2:ste:273"/>
</group_test>

<group_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows" id="oval:gov.nist.2:obj:228" version="1">
  <group>Backup Operators</group>
</group_object>

<group_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows" id="oval:gov.nist.2:ste:273" version="1">
  <user operation="pattern match">.*</user>
</group_state>


Tony Worwood
Sr. Software Engineer

Lumension Security Inc.

To unsubscribe, send an email message to LISTSERV@... with SIGNOFF OVAL-DEVELOPER-LIST in the BODY of the message. If you have difficulties, write to OVAL-DEVELOPER-LIST-request@....




bakerj
Re: Questions about Ovaldi's implementation of the 'Check' and 'Check Existence' attributes for tests.
Tony,

>In the definition included below, is the check_existence attribute
>required? It looks like in the schema docs that the default is "at
>least one exists". Also, doesn't the check_existence attribute only apply to
>the objects on the system not the state of those objects?

The check_existence attribute is not required. It is optional with a
default value of "at least one exists".

The mapping of version 5.2 check attribute values to 5.3 and later
values was discussed here:
http://www.nabble.com/Mapping-Version-5.3-check_existence-and-check_state-to-previous-5.x-releases-tp11797243p11797263.html

In the thread above you will see that the conversion from 5.2 to 5.3
and later took the meaning of check='none exist' and mapped it to
check_existence="none_exist" and check="none_satisfy". The OVAL
Interpreter follows this mapping. So when it sees the check='none exist'
it treats it as check_existence="none_exist". In this case the 'Backup
Operators' group exists and this causes the test to fail.

>Again from the schema docs, " The required check attribute determines
>how many of the existing objects must satisfy the state requirements."
>I'm a bit confused about the 'check' attribute, I don't understand why
>Ovaldi doesn't always evaluate the state as long as the object (in
>this case the Backup Operators group) exists.

Since the test has already failed the interpreter has no reason to
continue evaluating the state of the items found on the system.

>I would think the test below would report false if there is any user
>in the Backup Operators group and would report true otherwise. Shouldn't
>it still evaluate to true if the group exists, but there are no members
>in it?

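To make the evaluation order bakerj describes concrete, here is an added example (not ovaldi's code and not from the OVAL schema) that models how an OVAL test first applies check_existence to the items collected for the object and only then applies check to the states, using the Backup Operators group from this thread. The dict-shaped group items, the LEGACY_5_2 mapping table (covering only the check='none exist' case the reply mentions) and the rule that an item with no user entities does not satisfy the state are my simplifying assumptions.

```python
import re

# check_existence is applied first, to the items collected for the object:
# (number of items that exist, total number of items) -> pass/fail
CHECK_EXISTENCE = {
    "all_exist":           lambda exist, total: total > 0 and exist == total,
    "any_exist":           lambda exist, total: True,
    "at_least_one_exists": lambda exist, total: exist >= 1,
    "none_exist":          lambda exist, total: exist == 0,
    "only_one_exists":     lambda exist, total: exist == 1,
}
# check is applied afterwards, and only to the items that exist:
# (items satisfying the state, number of existing items) -> pass/fail
CHECK = {
    "all":          lambda sat, n: sat == n,
    "at least one": lambda sat, n: sat >= 1,
    "only one":     lambda sat, n: sat == 1,
    "none satisfy": lambda sat, n: sat == 0,
}

def state_satisfied(item, pattern):
    """Does a group item satisfy <user operation="pattern match">pattern</user>?
    Simplifying assumption: every user must match (entity_check="all"), and an
    item with no user entities at all does not satisfy the state."""
    users = item["users"]
    return bool(users) and all(re.search(pattern, u) for u in users)

def evaluate_test(items, check_existence, check, pattern):
    """Result of one group_test. items: collected group items as dicts,
    with None standing for an item whose status is 'does not exist'."""
    existing = [i for i in items if i is not None]
    if not CHECK_EXISTENCE[check_existence](len(existing), len(items)):
        return False    # existence failed: the state is never evaluated
    if not existing:
        return True     # existence passed and there is nothing to compare
    satisfied = sum(state_satisfied(i, pattern) for i in existing)
    return CHECK[check](satisfied, len(existing))

# The 5.2 -> 5.3 mapping the reply describes for check="none exist" (assumed table)
LEGACY_5_2 = {"none exist": ("none_exist", "none satisfy")}

def evaluate_legacy(items, check_5_2, pattern):
    check_existence, check = LEGACY_5_2[check_5_2]
    return evaluate_test(items, check_existence, check, pattern)

# Constructed sample items for obj:228 ("Backup Operators")
WITH_MEMBERS = {"group": "Backup Operators", "users": ["Administrator", "backupsvc"]}
EMPTY = {"group": "Backup Operators", "users": []}
MISSING = None   # the group is not present on the system
```

evaluate_legacy([EMPTY], "none exist", ".*") returns False because the group item exists, which is the failure the reply describes; evaluate_test([EMPTY], "any_exist", "none satisfy", ".+") returns True and flips to False once WITH_MEMBERS is used, which is the behaviour the modified test was after.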