[Open-scap] Problem with set filtering

Marshall Miller mmiller at tresys.com
Tue Aug 24 20:46:27 UTC 2010


On Tue, 2010-08-24 at 15:35 +0200, Daniel Kopecek wrote:
> Hello,
> 
> On Fri, 20 Aug 2010 10:09:08 -0400
> Marshall Miller <mmiller at tresys.com> wrote:
> 
> > We have a test which gathers up all shadow objects and then filters
> > out the objects that have a non-empty password field.
> > 
> > It appears to work correctly when there exists an entry with an empty
> > password.  When every entry has a non-empty password we usually get a
> > result of unknown, but sometimes the process hangs.
> 
> thanks for the report. The problem is hidden in the usage of
> the local_variable in the attached content. Currently, we throw an
> error when a referenced variable doesn't have any value. The hang is
> caused by a bug in the probe system. In such a complex situation the
> error propagation doesn't work correctly but we'll fix that. However,
> the question is how to handle the local_variable that doesn't return
> any value (in the case there aren't users with an empty password).
> 
> The OVAL 5.5 documentation seems to be inconsistent. Here's what it
> says about the var_ref attribute in EntityBaseType:
> 
> 	If there is an error computing the value of the variable, then
> 	that error should be passed up to the entity referencing it. If
> 	the variable being referenced does not have a value (for example,
> 	if the variable pertains to the size of a file, but the file does
> 	not exist) then one of two results are possible. If the entity is
> 	part of an object declaration, then the object is considered to
> 	not exist. If the entity is part of a state declaration, then the
> 	state comparison should result in an error.
> 
> In your case, the entity referencing the problematic variable is part
> of an object declaration. So according to the documentation we should
> change the behavior of the library in this case. Or maybe not because
> in a different place the documentation says the following:
> 
> 	== EntityObjectBaseType ==
> 	...
> 	If the entity uses a var_ref and the associated variable defines
> 	more than one values, the optional var_check attribute defines how
> 	the data collection should proceed. For example, if an object entity
> 	'filename' with an operation of 'does not equal' references a variable
> 	that returns five different values, and the var_check attribute has a
> 	value of 'all', then an actual file on the system matches only if the
> 	actual filename does not equal any of the variable values. If a variable
> 	does not return any value, then an error should be thrown during OVAL
> 	analysis.

It does appear that the documentation is inconsistent.  I'm not sure exactly what the expected behavior is, but the description for EntityBaseType seems to make the most sense.  I searched through the OVAL archives but couldn't find any discussion on the topic.  Are you going to consult the OVAL list or would you rather I do it?

I am attaching updated content that should be able to handle either case.

-- 
Marshall Miller
Tresys Technology
443-539-0710
-------------- next part --------------
A non-text attachment was scrubbed...
Name: passwords-exist2.oval.xml
Type: application/xml
Size: 4856 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/open-scap-list/attachments/20100824/828d2be7/attachment.wsdl>
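The two spec readings quoted above (EntityBaseType: an object entity whose variable has no value means the object does not exist; EntityObjectBaseType: a variable with no value is an error) can be made concrete with a small model of the collection step. The following is an added example, not content from this thread, from the attached OVAL file, or from OpenSCAP itself. It parses constructed shadow-style lines, computes the local_variable (usernames with an empty password field), and then collects shadow objects whose `username` entity references that variable, with a `no_value_policy` switch selecting which reading applies when the variable is empty. The `var_check` value `all` and the `does not equal` example come from the quoted spec text; `at least one`, `none satisfy` and `only one` are taken from OVAL's CheckEnumeration and are not discussed in the thread. All function and parameter names are this example's own.

```python
"""Toy model of the OVAL var_ref / var_check semantics discussed in the thread.

Added example, not code from the Open-scap thread or from OpenSCAP. It mimics a
shadow_object whose 'username' entity references a local_variable holding the
names of accounts with an empty password field, and shows what a collector does
when that variable ends up with no values at all.
"""
from dataclasses import dataclass
from typing import Iterable, List, Sequence


class VariableHasNoValue(Exception):
    """Raised when a referenced variable yields no value (the 'error' reading)."""


@dataclass(frozen=True)
class ShadowEntry:
    username: str
    password: str  # raw field 2 of /etc/shadow: hash, '*', '!', or empty


def parse_shadow(text: str) -> List[ShadowEntry]:
    """Parse /etc/shadow-style lines into (username, password) records."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            raise ValueError(f"malformed shadow line: {line!r}")
        entries.append(ShadowEntry(fields[0], fields[1]))
    return entries


def empty_password_users(entries: Iterable[ShadowEntry]) -> List[str]:
    """The local_variable: usernames whose password field is empty.

    Only an empty field counts; '*' and '!' mark locked accounts, which
    are not password-less.
    """
    return [e.username for e in entries if e.password == ""]


# Subset of OVAL's OperationEnumeration needed here.
_OPERATIONS = {
    "equals": lambda actual, expected: actual == expected,
    "not equal": lambda actual, expected: actual != expected,
}


def entity_matches(actual: str, var_values: Sequence[str],
                   operation: str, var_check: str) -> bool:
    """Apply var_check across every value of the referenced variable."""
    if not var_values:
        raise VariableHasNoValue("referenced variable has no values")
    compare = _OPERATIONS[operation]
    results = [compare(actual, v) for v in var_values]
    if var_check == "all":
        return all(results)
    if var_check == "at least one":
        return any(results)
    if var_check == "none satisfy":
        return not any(results)
    if var_check == "only one":
        return results.count(True) == 1
    raise ValueError(f"unknown var_check: {var_check}")


def collect_objects(entries: Sequence[ShadowEntry], var_values: Sequence[str],
                    operation: str = "equals", var_check: str = "at least one",
                    no_value_policy: str = "object_does_not_exist") -> List[ShadowEntry]:
    """Collect shadow objects whose 'username' entity matches the variable.

    no_value_policy picks the spec reading used when the variable is empty:
      'object_does_not_exist' -- EntityBaseType: nothing is collected;
      'error'                 -- EntityObjectBaseType: raise an error.
    """
    if not var_values:
        if no_value_policy == "object_does_not_exist":
            return []
        if no_value_policy == "error":
            raise VariableHasNoValue("local_variable produced no value")
        raise ValueError(f"unknown no_value_policy: {no_value_policy}")
    return [e for e in entries
            if entity_matches(e.username, var_values, operation, var_check)]


# Constructed sample data, not real system files.
SHADOW_WITH_EMPTY = """\
root:$6$saltsalt$hashhashhash:15000:0:99999:7:::
guest::15000:0:99999:7:::
daemon:*:15000:0:99999:7:::
"""

SHADOW_ALL_SET = """\
root:$6$saltsalt$hashhashhash:15000:0:99999:7:::
daemon:*:15000:0:99999:7:::
"""


def run_check(shadow_text: str, no_value_policy: str) -> List[str]:
    """Full pipeline: parse, compute the local_variable, collect objects."""
    entries = parse_shadow(shadow_text)
    variable = empty_password_users(entries)
    return [e.username for e in
            collect_objects(entries, variable, no_value_policy=no_value_policy)]


if __name__ == "__main__":
    print(run_check(SHADOW_WITH_EMPTY, "object_does_not_exist"))  # ['guest']
    print(run_check(SHADOW_ALL_SET, "object_does_not_exist"))     # []
    try:
        run_check(SHADOW_ALL_SET, "error")
    except VariableHasNoValue as exc:
        print("error reading:", exc)
```

With an empty-password account present both readings agree and `guest` is collected. With every password set the variable is empty and the two readings diverge: the EntityBaseType reading yields an empty collection (no objects exist), while the EntityObjectBaseType reading raises, which is the branch the original report hit. Content that must behave the same under either reading has to avoid depending on a variable that can legitimately be empty, or check for that case explicitly.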