[Open-scap] OpenSCAP 1.0.8 Issue ...

Simon Lukasik slukasik at redhat.com
Wed May 14 16:15:12 UTC 2014


On 05/13/2014 09:14 PM, Trey Henefield wrote:
>
>
> All,
>
> I am testing the boundaries of SCAP content. I found numerous cases
> where there is a need to perform a check on files referenced in a file.
>
> For example, checking the group owner for all files referenced in
> /etc/shells.
>
> Here is the example code I have created for this purpose:
>
> #######################################
>
> <def-group>
>   <definition class="compliance" id="file_groupowner_shell_files" version="1">
>     <metadata>
>       <title>Test Rule</title>
>       <affected family="unix">
>         <platform>Red Hat Enterprise Linux 6</platform>
>       </affected>
>       <description>Rule for testing.</description>
>     </metadata>
>     <criteria>
>       <criterion test_ref="test_file_groupowner_shell_files" />
>     </criteria>
>   </definition>
>
>   <local_variable id="var_file_groupowner_shell_files_list"
>                   comment="List of files referenced in /etc/shells"
>                   datatype="string" version="1">
>     <object_component item_field="subexpression"
>                       object_ref="object_file_groupowner_shell_files_list" />
>   </local_variable>
>
>   <ind:textfilecontent54_object id="object_file_groupowner_shell_files_list"
>                                 version="1">
>     <ind:filepath>/etc/shells</ind:filepath>
>     <ind:pattern operation="pattern match">^(/.*)$</ind:pattern>
>     <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
>   </ind:textfilecontent54_object>
>
>   <unix:file_test check="all" check_existence="all_exist"
>                   comment="Testing group owner"
>                   id="test_file_groupowner_shell_files" version="1">
>     <unix:object object_ref="object_file_groupowner_shell_files" />
>     <unix:state state_ref="state_file_groupowner_shell_files" />
>   </unix:file_test>
>
>   <unix:file_object comment="List of files referenced in /etc/shells"
>                     id="object_file_groupowner_shell_files" version="1">
>     <unix:filepath var_ref="var_file_groupowner_shell_files_list"
>                    var_check="all" />
>   </unix:file_object>
>
>   <unix:file_state id="state_file_groupowner_shell_files" version="1">
>     <unix:group_id datatype="int">0</unix:group_id>
>   </unix:file_state>
> </def-group>
>
> #######################################
>
> The above code works properly when used with SCC v3.1.2.
>
> However, when using OpenSCAP v1.0.8, it fails on validating the existence
> of the files referenced through the local_variable.
>
> I have tested both pass and fail cases with SCC. I have also tried
> changing “all_exist” to “any_exist”, but this results in no files getting
> checked in OpenSCAP because it does not detect them as existing. I have
> enabled “--oval-results” and can see the local_variable getting properly
> populated as the following:
>
>   <object id="oval:ssg:obj:121" version="1" flag="does not exist">
>     <variable_value variable_id="oval:ssg:var:124">/bin/sh</variable_value>
>     <variable_value variable_id="oval:ssg:var:124">/bin/bash</variable_value>
>     <variable_value variable_id="oval:ssg:var:124">/sbin/nologin</variable_value>
>     <variable_value variable_id="oval:ssg:var:124">/bin/dash</variable_value>
>     <variable_value variable_id="oval:ssg:var:124">/bin/tcsh</variable_value>
>     <variable_value variable_id="oval:ssg:var:124">/bin/csh</variable_value>
>   </object>
>
> Is this a bug in 1.0.8?
>

Hello Trey,

Thank you for checking with us. After a while of head-scratching I can 
confirm that this is *not* a bug in OpenSCAP. This content should always 
evaluate to false, so result=false is the expected and correct behavior.

If any other scanner evaluates this content to true, please file a bug 
against that particular scanner.

The problem is in your content. Instead of clause

     var_check="all"

please make use of

     var_check="at least one"

and you will get the expected behavior. For more information please consult 
the documentation regarding 'var_check' at

http://oval.mitre.org/language/version5.10.1/ovaldefinition/documentation/oval-definitions-schema.html

Best regards,

-- 
Simon Lukasik
Security Technologies, Red Hat, Inc.
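To make the var_check point concrete, here is a small Python simulation of the OVAL semantics involved. It is an added example written for this page, not OpenSCAP or SCC code. The /etc/shells contents and the path-to-group-id table are constructed, and the function names (textfilecontent54_subexpression, var_check, collect_file_items, evaluate_file_test) are assumptions made for the illustration.

```python
from __future__ import annotations

import re
from typing import Callable, Iterable

# Constructed stand-in for /etc/shells; nothing here is read from the host.
ETC_SHELLS = """\
# /etc/shells: valid login shells
/bin/sh
/bin/bash
/sbin/nologin
/bin/dash
/bin/tcsh
/bin/csh
"""

# Constructed stand-in for what the scanner would stat on the filesystem:
# path -> numeric group id (hypothetical values, one deliberately wrong).
FILESYSTEM_GID = {
    "/bin/sh": 0,
    "/bin/bash": 0,
    "/sbin/nologin": 0,
    "/bin/dash": 0,
    "/bin/tcsh": 0,
    "/bin/csh": 100,
}


def textfilecontent54_subexpression(text: str, pattern: str) -> list[str]:
    """Mimic item_field="subexpression": each line matching the pattern
    contributes its first capture group as one value of the variable."""
    rx = re.compile(pattern)
    return [m.group(1) for line in text.splitlines() if (m := rx.match(line))]


def var_check(check: str, entity_value: str, var_values: Iterable[str],
              cmp: Callable[[str, str], bool] = lambda a, b: a == b) -> bool:
    """OVAL var_check: compare one entity value against every value of the
    variable and combine the comparisons according to the chosen rule."""
    results = [cmp(entity_value, v) for v in var_values]
    if not results:
        return False  # simplification: a variable with no values matches nothing
    if check == "all":
        return all(results)
    if check == "at least one":
        return any(results)
    if check == "none satisfy":
        return not any(results)
    if check == "only one":
        return results.count(True) == 1
    raise ValueError(f"unknown var_check {check!r}")


def collect_file_items(check: str, var_values: list[str],
                       gid_map: dict[str, int]) -> list[str]:
    """Mimic the file_object: a path on the filesystem becomes a collected
    item only if its filepath entity passes var_check against the variable's
    values. With check="all" and more than one distinct value, no single
    path can equal every value, so nothing is collected."""
    return [p for p in sorted(gid_map) if var_check(check, p, var_values)]


def evaluate_file_test(check: str, gid_map: dict[str, int],
                       want_gid: int = 0) -> tuple[str, bool]:
    """Return (object flag, test result) for the posted file_test, i.e.
    check="all" check_existence="all_exist" with group_id == want_gid."""
    values = textfilecontent54_subexpression(ETC_SHELLS, r"^(/.*)$")
    items = collect_file_items(check, values, gid_map)
    if not items:
        return "does not exist", False  # nothing collected: all_exist fails
    # A referenced shell that is absent from the filesystem also breaks
    # all_exist, even though the present ones were collected.
    missing = [v for v in values if v not in gid_map and var_check(check, v, values)]
    if missing:
        return "complete", False
    return "complete", all(gid_map[p] == want_gid for p in items)


if __name__ == "__main__":
    for check in ("all", "at least one"):
        print(f'var_check="{check}":', evaluate_file_test(check, FILESYSTEM_GID))
```

Running it shows the two outcomes side by side: with "all" the object collects no items and the flag is "does not exist", exactly what the --oval-results output above reports; with "at least one" every listed shell is collected and the group-owner state is actually evaluated. Note that var_check="all" does succeed when the variable holds exactly one value, so content written against a single-path variable can look correct until the variable grows.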
