Rule dependencies

Vladimir Giszpenc

Rule dependencies


Hi all,

If we have a rule that says "The requirement for a password to boot into
single-user mode should be configured correctly", how can we have a
conditional rule based on the first rule that says something like "The
missing requirement for a password to boot into single-user mode should
be justified and documented with the IAO"?

Basically, the second rule should only be evaluated if the first rule
fails.  Is this possible?

I realize that one rule is using the OVAL checking system and the other
would need to use the interrogatory checking system but that should not
be an issue.

Thanks,

Vladimir Giszpenc
DSCI Contractor Supporting
US Army CERDEC S&TCD IAD Tactical Network Protection Branch
(732) 532-8959
[hidden email]
[hidden email]




---------------------------------------------------------------

To unsubscribe from this mailing list, please send an e-mail to
[hidden email] with the words "unsubscribe xccdf-dev" in the
body. You will need to send this from the email account that you
used to initially subscribe to xccdf-dev.

Charles Schmidt (MITRE)

RE: Rule dependencies


Howdy,

This is not currently supported by XCCDF. Doing something like this would require functionality along the lines of the "Conditional Checking" feature of the Automation Schema mentioned by Maria Casipe last October. (http://n2.nabble.com/Automation-Schema-td1389412.html)

The use cases driving this functionality will be one of the items I plan to have discussed during the XCCDF block of the upcoming Security Automation Developer Days. (I'll be sending out more on that shortly.)

Charles

>-----Original Message-----
>From: [hidden email] [mailto:[hidden email]] On Behalf Of
>Vladimir Giszpenc
>Sent: Wednesday, May 20, 2009 1:52 PM
>To: Multiple recipients of list
>Subject: Rule dependencies
>
>
>Hi all,
>
>If we have a rule that says "The requirement for a password to boot into
>single-user mode should be configured correctly", how can we have a
>conditional rule based on the first rule that says something like "The
>missing requirement for a password to boot into single-user mode should
>be justified and documented with the IAO"?
>
>Basically, the second rule should only be evaluated if the first rule
>fails.  Is this possible?
>
>I realize that one rule is using the OVAL checking system and the other
>would need to use the interrogatory checking system but that should not
>be an issue.
>
>Thanks,
>
>Vladimir Giszpenc
>DSCI Contractor Supporting
>US Army CERDEC S&TCD IAD Tactical Network Protection Branch
>(732) 532-8959
>[hidden email]
>[hidden email]

Robert Neuman

Re: Rule dependencies

In reply to this post by Vladimir Giszpenc
Would that be better expressed as a rule of:  "The requirement for a password to boot into
single-user mode should be configured correctly or justified and documented with the IAO."?
<edit>Yes, I agree the two questions should be using the two different interrogators.  Ideally if the OVAL check for the first part passes then the second check is not displayed.</edit>

Then if you use OCIL I think you can define additional test actions for failures as listed in the example below.  


<!-- Test action 1 asks question 1. A "yes" answer ends with PASS; a "no"
     answer does not fail outright but hands off to test action 2. -->
<boolean_question_test_action id="inter:mitre.org:testaction:1"
   question_ref="inter:mitre.org:question:1">
   <when_true>
      <result>PASS</result>
   </when_true>
   <when_false>
      <test_action_ref>inter:mitre.org:testaction:2</test_action_ref>
   </when_false>
   <when_not_applicable>
       <result>NOT_APPLICABLE</result>
   </when_not_applicable>
</boolean_question_test_action>


<boolean_question id="inter:mitre.org:question:1" model="MODEL_YES_NO">
   <question_text>
     Is the requirement for a password to boot into single-user mode configured correctly?
   </question_text>
</boolean_question>

<!-- Test action 2 is only reached through the when_false branch above, so the
     documentation question is asked only when the control is missing. -->
<boolean_question_test_action id="inter:mitre.org:testaction:2"
   question_ref="inter:mitre.org:question:2">
   <when_true>
      <result>PASS</result>
   </when_true>
   <when_false>
      <result>FAIL</result>
   </when_false>
   <when_not_applicable>
       <result>NOT_APPLICABLE</result>
   </when_not_applicable>
</boolean_question_test_action>
<boolean_question id="inter:mitre.org:question:2" model="MODEL_YES_NO">
   <question_text>
     Is the missing requirement for a password to boot into single-user mode justified and documented with the IAO?
   </question_text>
</boolean_question>
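To make the chaining in Robert's fragment concrete, the script below is an added example (not code from the post, from the OCIL schema, or from any SCAP tool). It parses the two test actions above, then walks the chain the way an interrogative engine would: it asks the question a test action refers to, picks the when_true / when_false / when_not_applicable branch for the answer, and either stops at a result or follows the test_action_ref to the next action. The point it demonstrates is the one Vladimir asked for: question 2 is only reached when question 1 is answered "no". Assumptions made here: the fragment is wrapped in a hypothetical <ocil_fragment> root so it parses as one document, the post's curly quotes are normalised to straight quotes, an unanswered question yields UNKNOWN, and a 16-step bound stops a cyclic test_action_ref chain.

```python
"""Walk an OCIL boolean test-action chain and record which questions are asked.

Added example: not code from the post, the OCIL schema, or any SCAP tool.
It follows when_true / when_false / when_not_applicable branches and
test_action_ref hand-offs exactly as the fragment in the post wires them.
"""
import xml.etree.ElementTree as ET

# The two test actions and questions from the post, quotes normalised to
# straight ASCII so the XML parses. The <ocil_fragment> wrapper root is an
# assumption made here only to give the snippet a single document element.
OCIL_FRAGMENT = """<ocil_fragment>
<boolean_question_test_action id="inter:mitre.org:testaction:1"
   question_ref="inter:mitre.org:question:1">
   <when_true><result>PASS</result></when_true>
   <when_false><test_action_ref>inter:mitre.org:testaction:2</test_action_ref></when_false>
   <when_not_applicable><result>NOT_APPLICABLE</result></when_not_applicable>
</boolean_question_test_action>
<boolean_question id="inter:mitre.org:question:1" model="MODEL_YES_NO">
   <question_text>Is the requirement for a password to boot into
     single-user mode configured correctly?</question_text>
</boolean_question>
<boolean_question_test_action id="inter:mitre.org:testaction:2"
   question_ref="inter:mitre.org:question:2">
   <when_true><result>PASS</result></when_true>
   <when_false><result>FAIL</result></when_false>
   <when_not_applicable><result>NOT_APPLICABLE</result></when_not_applicable>
</boolean_question_test_action>
<boolean_question id="inter:mitre.org:question:2" model="MODEL_YES_NO">
   <question_text>Is the missing requirement for a password to boot into
     single-user mode justified and documented with the IAO?</question_text>
</boolean_question>
</ocil_fragment>"""

# Which branch element a MODEL_YES_NO answer selects.
BRANCH_FOR_ANSWER = {
    "YES": "when_true",
    "NO": "when_false",
    "NOT_APPLICABLE": "when_not_applicable",
}


def load_fragment(xml_text):
    """Index test actions and questions by their id attribute."""
    root = ET.fromstring(xml_text)
    actions = {a.get("id"): a for a in root.iter("boolean_question_test_action")}
    questions = {q.get("id"): q for q in root.iter("boolean_question")}
    return actions, questions


def evaluate(start_action_id, answers, xml_text=OCIL_FRAGMENT, max_steps=16):
    """Run the chain starting at start_action_id.

    answers maps a question id to "YES", "NO" or "NOT_APPLICABLE"; a question
    with no answer is treated as UNKNOWN (a simplification assumed here).
    Returns (final_result, list of question ids actually asked). max_steps
    bounds the walk so a fragment whose test_action_ref links form a cycle
    terminates with ERROR instead of looping forever.
    """
    actions, _questions = load_fragment(xml_text)
    asked = []
    action_id = start_action_id
    for _ in range(max_steps):
        action = actions[action_id]
        question_id = action.get("question_ref")
        asked.append(question_id)
        branch_name = BRANCH_FOR_ANSWER.get(answers.get(question_id), "when_unknown")
        branch = action.find(branch_name)
        if branch is None:
            # No handler for this answer in the fragment (e.g. an unanswered question).
            return "UNKNOWN", asked
        result = branch.find("result")
        if result is not None:
            return result.text.strip(), asked
        # Otherwise the branch hands off to another test action.
        action_id = branch.find("test_action_ref").text.strip()
    return "ERROR", asked


if __name__ == "__main__":
    q1, q2 = "inter:mitre.org:question:1", "inter:mitre.org:question:2"
    start = "inter:mitre.org:testaction:1"
    for label, answers in [
        ("control configured", {q1: "YES"}),
        ("control missing, documented", {q1: "NO", q2: "YES"}),
        ("control missing, undocumented", {q1: "NO", q2: "NO"}),
    ]:
        result, asked = evaluate(start, answers)
        print(f"{label}: {result}, asked {len(asked)} question(s)")
```

Run it and the first case reports PASS after a single question, while the two "control missing" cases reach question 2 and end in PASS or FAIL depending on whether the IAO documentation exists. The cycle bound matters in practice because a test_action_ref that points back at an earlier action is still well-formed XML; a walker without a step limit would never finish.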