[Open-scap] Process58 - command_line

Trey Henefield trey.henefield at ultra-ats.com
Wed Mar 11 15:59:12 UTC 2015


Absolutely!

So here is the OVAL check I produced to test this:

<def-group>
  <definition class="compliance" id="test_rule" version="1">
    <metadata>
      <title>Test Rule</title>
      <affected family="unix">
      </affected>
      <description>Rule for testing.</description>
    </metadata>
    <criteria operator="OR">
      <criterion comment="Xwindows is not running" test_ref="test_xwindows_running" />
      <criteria operator="AND">
        <criterion comment="Xwindows has '-auth' option enabled" test_ref="test_xwindows_auth" />
        <criterion comment="Xwindows has '-audit 4' option enabled" test_ref="test_xwindows_audit" />
        <criterion comment="Xwindows has '-s 15' option enabled" test_ref="test_xwindows_screensaver" />
      </criteria>
    </criteria>
  </definition>

  <unix:process58_test check="all" check_existence="none_exist" comment="Testing xwindows process existence" id="test_xwindows_running" version="1">
    <unix:object object_ref="object_xwindows_running" />
  </unix:process58_test>
  <unix:process58_object comment="xwindows process" id="object_xwindows_running" version="1">
    <unix:command_line datatype="string" operation="pattern match">X</unix:command_line>
    <unix:pid datatype="int" operation="greater than">0</unix:pid>
  </unix:process58_object>

  <unix:process58_test check="all" check_existence="all_exist" comment="Xwindows has '-auth' option enabled" id="test_xwindows_auth" version="1">
    <unix:object object_ref="object_xwindows_auth" />
  </unix:process58_test>
  <unix:process58_object comment="xwindows '-auth' option" id="object_xwindows_auth" version="1">
    <unix:command_line datatype="string" operation="pattern match">^(?:/usr/bin/)*X(?:org)*[\s]*:0(?:.*)?[\s]+-auth(?:$|[\s]+(?:.*)?$)</unix:command_line>
    <unix:pid datatype="int" operation="greater than">0</unix:pid>
  </unix:process58_object>

  <unix:process58_test check="all" check_existence="all_exist" comment="Xwindows has '-audit 4' option enabled" id="test_xwindows_audit" version="1">
    <unix:object object_ref="object_xwindows_audit" />
  </unix:process58_test>
  <unix:process58_object comment="xwindows '-audit 4' option" id="object_xwindows_audit" version="1">
    <unix:command_line datatype="string" operation="pattern match">^(?:/usr/bin/)*X(?:org)*[\s]*:0(?:.*)?[\s]+(-audit[\s]+4)(?:$|[\s]+(?:.*)?$)</unix:command_line>
    <unix:pid datatype="int" operation="greater than">0</unix:pid>
  </unix:process58_object>

  <unix:process58_test check="all" check_existence="all_exist" comment="Xwindows has '-s 15' option enabled" id="test_xwindows_screensaver" version="1">
    <unix:object object_ref="object_xwindows_screensaver" />
  </unix:process58_test>
  <unix:process58_object comment="xwindows '-s 15' option" id="object_xwindows_screensaver" version="1">
    <unix:command_line datatype="string" operation="pattern match">^(?:/usr/bin/)*X(?:org)*[\s]*:0(?:.*)?[\s]+(-s[\s]+([0-9]|1[0-5]))(?:$|[\s]+(?:.*)?$)</unix:command_line>
    <unix:pid datatype="int" operation="greater than">0</unix:pid>
  </unix:process58_object>

  <external_variable comment="Test Variable"
  datatype="int" id="var_test"
  version="1" />

</def-group>

Best regards,

Trey Henefield, CISSP
Senior IAVA Engineer

Ultra Electronics
Advanced Tactical Systems, Inc.

From: open-scap-list-bounces at redhat.com [mailto:open-scap-list-bounces at redhat.com] On Behalf Of Shawn Wells
Sent: Wednesday, March 11, 2015 10:38 AM
To: open-scap-list at redhat.com
Subject: Re: [Open-scap] Process58 - command_line


On 3/10/15 11:40 AM, Trey Henefield wrote:
Greetings,

I am writing a SCAP check to capture the ps output for the X Server, in an effort to capture the actual parameters passed when starting the X Server. This is in reference to the RHEL5 STIG requirement GEN000000-LNX00360.

I am using openscap v1.0.8, which shows that it supports OVAL 5.10.1.

The problem I have is that the command_line test only returns the process command and not the full output of the parameters passed to the command.

However, according to the OVAL specification for 5.10.1, the full set of parameters should be returned.

https://oval.mitre.org/language/version5.10.1/ovaldefinition/documentation/unix-definitions-schema.html#process58_test

Here is what I get:

<unix-sys:command_line>X</unix-sys:command_line>

What I had expected was:

<unix-sys:command_line>/usr/bin/X :0 -auth /home/test/.serverauth.7854</unix-sys:command_line>

Is this a bug, or by design?

Can you share your code?
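
An added example, not part of the original message or of OpenSCAP: the four `command_line` patterns from the check above, run against constructed command lines to show how the definition evaluates when the scanner collects the full argument list versus only `X`. It assumes Python's `re` as a stand-in for the OVAL pattern-match engine and models each stateless existence test as "at least one collected item matched".

```python
import re

# Patterns copied verbatim from the process58_object elements in the post.
PATTERNS = {
    "test_xwindows_running": r"X",
    "test_xwindows_auth":
        r"^(?:/usr/bin/)*X(?:org)*[\s]*:0(?:.*)?[\s]+-auth(?:$|[\s]+(?:.*)?$)",
    "test_xwindows_audit":
        r"^(?:/usr/bin/)*X(?:org)*[\s]*:0(?:.*)?[\s]+(-audit[\s]+4)(?:$|[\s]+(?:.*)?$)",
    "test_xwindows_screensaver":
        r"^(?:/usr/bin/)*X(?:org)*[\s]*:0(?:.*)?[\s]+(-s[\s]+([0-9]|1[0-5]))(?:$|[\s]+(?:.*)?$)",
}
OPTION_TESTS = ("test_xwindows_auth", "test_xwindows_audit",
                "test_xwindows_screensaver")

def object_matches(test_id, command_lines):
    """True if any collected command_line item matches the object's pattern."""
    rx = re.compile(PATTERNS[test_id])
    return any(rx.search(line) for line in command_lines)

def evaluate(command_lines):
    """Return (per-test results, definition result) for the collected items."""
    tests = {tid: object_matches(tid, command_lines) for tid in PATTERNS}
    # check_existence="none_exist": this test passes only when nothing matched.
    tests["test_xwindows_running"] = not tests["test_xwindows_running"]
    # Definition criteria: not running OR (auth AND audit AND screensaver).
    options_ok = all(tests[tid] for tid in OPTION_TESTS)
    return tests, tests["test_xwindows_running"] or options_ok

# Constructed sample items; only the "auth_only" line appears in the post.
SAMPLES = {
    "all_options": ["/usr/bin/X :0 -auth /home/test/.serverauth.7854 -audit 4 -s 15"],
    "auth_only": ["/usr/bin/X :0 -auth /home/test/.serverauth.7854"],
    "truncated": ["X"],  # what the scanner returned in the report
    "timeout_20": ["/usr/bin/X :0 -auth /home/test/.serverauth.7854 -audit 4 -s 20"],
    "no_x_server": ["/usr/sbin/sshd -D"],
}

if __name__ == "__main__":
    for name, lines in SAMPLES.items():
        tests, compliant = evaluate(lines)
        print(f"{name:12} compliant={compliant} {tests}")
```

With only `X` collected, none of the option tests can match, so the definition evaluates false however the server was actually started.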
