<HTML><body> Thanks Simon! That change does seem to provide the intended result. For some reason, I had interpreted var_check to mean checking all or at least one of the values within the variable array. In this case, I want to check all values obtained, so it seemed appropriate. Thank you for the clarification. Best regards, Trey Henefield, CISSP Senior IAVA Engineer Ultra Electronics Advanced Tactical Systems, Inc. 4101 Smith School Road Building IV, Suite 100 Austin, TX 78744 USA <a href="mailto:Trey.Henefield@ultra-ats.com">Trey.Henefield@ultra-ats.com</a> Tel: +1 512 327 6795 ext. 647 Fax: +1 512 327 8043 Mobile: +1 512 541 6450 <a href="http://www.ultra-ats.com" target="_blank">www.ultra-ats.com</a> -----Original Message----- From: Simon Lukasik [mailto:slukasik@redhat.com] Sent: Wednesday, May 14, 2014 11:15 AM To: Trey Henefield Cc: <a href="mailto:open-scap-list@redhat.com">open-scap-list@redhat.com</a> Subject: Re: [Open-scap] OpenSCAP 1.0.8 Issue ... On 05/13/2014 09:14 PM, Trey Henefield wrote: > > > All, > > I am testing the boundaries of SCAP content. I found numerous cases > where there is a need to perform a check on files referenced in a file. > > For example, checking the group owner for all files referenced in > /etc/shells. > > Here is the example code I have created for this purpose: > > ####################################### > > <def-group> > > <definition class="compliance" id="file_groupowner_shell_files" > version="1"> > > <metadata> > > <title>Test Rule</title> > > <affected family="unix"> > > <platform>Red Hat Enterprise Linux 6</platform> > > </affected> > > <description>Rule for testing.</description> > > </metadata> > > <criteria> > > <criterion test_ref="test_file_groupowner_shell_files" /> > > </criteria> > > </definition> > > <local_variable id="var_file_groupowner_shell_files_list" > comment="List of files referenced in /etc/shells" datatype="string" > version="1"> > > <object_component > item_field="subexpression" > object_ref="object_file_groupowner_shell_files_list" /> > > </local_variable> > > <ind:textfilecontent54_object > id="object_file_groupowner_shell_files_list" version="1"> > > <ind:filepath>/etc/shells</ind:filepath> > > <ind:pattern operation="pattern match">^(/.*)$</ind:pattern> > > <ind:instance operation="greater than or equal" > datatype="int">1</ind:instance> > > </ind:textfilecontent54_object> > > <unix:file_test check="all" check_existence="all_exist" > comment="Testing group owner" id="test_file_groupowner_shell_files" > version="1"> > > <unix:object object_ref="object_file_groupowner_shell_files" /> > > <unix:state state_ref="state_file_groupowner_shell_files" /> > > </unix:file_test> > > <unix:file_object comment="List of files referenced in /etc/shells" > id="object_file_groupowner_shell_files" version="1"> > > <unix:filepath var_ref="var_file_groupowner_shell_files_list" > var_check="all" /> > > </unix:file_object> > > <unix:file_state id="state_file_groupowner_shell_files" > version="1"> > > <unix:group_id datatype="int">0</unix:group_id> > > </unix:file_state> > > </def-group> > > ####################################### > > The above code works properly when used with SCC v3.1.2. > > However when using OpenSCAP v1.0.8, it fails on validating the > existence of the files referenced through the local_variable. > > I have tested both pass and fail cases with SCC. I have also tried > changing "all_exist" to "any_exist", but results in no files getting > checked in OpenSCAP because it does not detect them as existing. I > have enabled "--oval-results" and can see the local_variable getting > properly populated as the following: > > <object id="oval:ssg:obj:121" version="1" flag="does not > exist"> > > <variable_value > variable_id="oval:ssg:var:124">/bin/sh</variable_value> > > <variable_value > variable_id="oval:ssg:var:124">/bin/bash</variable_value> > > <variable_value > variable_id="oval:ssg:var:124">/sbin/nologin</variable_value> > > <variable_value > variable_id="oval:ssg:var:124">/bin/dash</variable_value> > > <variable_value > variable_id="oval:ssg:var:124">/bin/tcsh</variable_value> > > <variable_value > variable_id="oval:ssg:var:124">/bin/csh</variable_value> > > </object> > > Is this a bug in 1.0.8? > Hello Trey, Thank you for checking with us. After a while of head scratching I can confirm that this is *not* a bug in OpenSCAP. This content should always evaluate to false. So the result=false is expected and correct behavior. If any other scanner evaluates this content to true, please file a bug against that particular scanner. The problem is in your content. Instead of clause var_check="all" please make a use of var_check="at least one" and you will get expected behavior. For more information please consult documentation regarding 'var_check' at <a href="http://oval.mitre.org/language/version5.10.1/ovaldefinition/documentation/oval-definitions-schema.html" target="_blank">http://oval.mitre.org/language/version5.10.1/ovaldefinition/documentation/oval-definitions-schema.html</a> Best regards, -- Simon Lukasik Security Technologies, Red Hat, Inc. Disclaimer The information contained in this communication from trey.henefield@ultra-ats.com sent at 2014-05-14 13:51:04 is private and may be legally privileged or export controlled. It is intended solely for use by open-scap-list@redhat.com and others authorized to receive it. If you are not open-scap-list@redhat.com you are hereby notified that any disclosure, copying, distribution or taking action in reliance of the contents of this information is strictly prohibited and may be unlawful. </body></HTML>