[Open-scap] OVAL filtering on directories?

ml+openscap at kcore.org ml+openscap at kcore.org
Wed Apr 11 14:10:14 UTC 2018


Hello list,

I'm fairly new to OVAL, and for a project I'm documenting several of our configuration rules into XCCDF, and adding OVAL rules to them to be able to have automated testing afterwards.

For most it's fairly straightforward, but for one I'm stumped and can't seem to get it right.

I want to scan /usr/foo and check that all directories in that directory have the correct permissions (0755).
(Also same but check that all files have the right selinux context.)

For some reason, I can't seem to get it to filter the way I want. The OVAL collector always returns
Collected: "oval:com.foobar:obj:24" : does not exist


OVAL content:
    <definition class="compliance" id="oval:com.foobar:def:20" version="1">
      <metadata>
        <title>/usr/foo permissions</title>
        <description>/usr/foo directory (and subdirectories) should have permissions 0755 (rwx r-x r-x)</description>
        <reference ref_id="REF-000020" source="REF"/>
        <affected family="unix">
          <platform>Red Hat Enterprise Linux 7</platform>
        </affected>
      </metadata>
      <criteria operator="AND">
        <criterion comment="/usr/foo permissions" test_ref="oval:com.foobar:tst:23"/>
        <criterion comment="/usr/foo permissions" test_ref="oval:com.foobar:tst:24"/>
      </criteria>
    </definition>

    <file_test check="all" check_existence="all_exist" comment="/usr/foo permissions" id="oval:com.foobar:tst:23" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix">
      <object object_ref="oval:com.foobar:obj:23"/>
      <state state_ref="oval:com.foobar:ste:20"/>
    </file_test>

    <file_test check="all" check_existence="all_exist" comment="/usr/foo permissions" id="oval:com.foobar:tst:24" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix">
      <object object_ref="oval:com.foobar:obj:24"/>
      <state state_ref="oval:com.foobar:ste:22"/>
    </file_test>

    <file_object id="oval:com.foobar:obj:23" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix">
      <path>/usr/foo</path>
      <filename xsi:nil="true"/>
    </file_object>
    <file_object id="oval:com.foobar:obj:24" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix">
      <set set_operator="INTERSECTION" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
        <object_reference>oval:com.foobar:obj:25</object_reference>
        <filter action="include">oval:com.foobar:ste:21</filter>
      </set>
    </file_object>

    <file_object id="oval:com.foobar:obj:25" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix">
      <behaviors recurse="directories" recurse_direction="down"/>
      <path>/usr/foo</path>
      <filename operation="pattern match">^.*$</filename>
    </file_object>

    <file_state id="oval:com.foobar:ste:20" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix">
      <suid datatype="boolean">false</suid>
      <sgid datatype="boolean">false</sgid>
      <sticky datatype="boolean">false</sticky>
      <uread datatype="boolean">true</uread>
      <uwrite datatype="boolean">true</uwrite>
      <uexec datatype="boolean">true</uexec>
      <gread datatype="boolean">true</gread>
      <gwrite datatype="boolean">false</gwrite>
      <gexec datatype="boolean">true</gexec>
      <oread datatype="boolean">true</oread>
      <owrite datatype="boolean">false</owrite>
      <oexec datatype="boolean">true</oexec>
    </file_state>

    <file_state id="oval:com.foobar:ste:21" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix">
      <type>directory</type>
    </file_state>

    <file_state id="oval:com.foobar:ste:22" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix">
      <suid datatype="boolean">false</suid>
      <sgid datatype="boolean">false</sgid>
      <sticky datatype="boolean">false</sticky>
      <uread datatype="boolean">true</uread>
      <uwrite datatype="boolean">true</uwrite>
      <uexec datatype="boolean">true</uexec>
      <gread datatype="boolean">true</gread>
      <gwrite datatype="boolean">false</gwrite>
      <gexec datatype="boolean">true</gexec>
      <oread datatype="boolean">true</oread>
      <owrite datatype="boolean">false</owrite>
      <oexec datatype="boolean">true</oexec>
    </file_state>


It seems that the include action filter on ste:21 is the problem - if I remove this, I get a bunch of files returned. If I change this to e.g. an exclude filter on "regular", I'll just get all the other files. But an include on "directory" seems to not work?

I also tried using two exclude filters, but that also returned no results.

Any ideas?

Thanks in advance.
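As an added example that is not part of the original post or of OpenSCAP, the following Python does outside OVAL what tst:23 and tst:24 intend: walk a root directory and report every directory (and only directories, which is what the ste:21 type filter is meant to select) whose permission bits are not exactly 0755, the bits spelled out in ste:20/ste:22. The fixture tree it builds is constructed for demonstration; /usr/foo and its contents are not assumed to exist.

```python
import os
import stat
import sys
import tempfile

# Bits asserted by file_state ste:20 / ste:22 in the post:
# suid/sgid/sticky false, u=rwx, g=r-x, o=r-x  -> exactly 0755.
EXPECTED_DIR_MODE = 0o755


def directory_mode_violations(root):
    """Return {path: mode} for root and every directory below it whose
    permission bits (including suid/sgid/sticky) differ from 0755.

    os.walk yields only real directories as dirpath (symlinks are not
    followed), so this is the 'type == directory' selection the post
    wants; regular files are never examined.
    """
    violations = {}
    for dirpath, _dirnames, _filenames in os.walk(root):
        mode = stat.S_IMODE(os.lstat(dirpath).st_mode)  # low 12 bits
        if mode != EXPECTED_DIR_MODE:
            violations[dirpath] = mode
    return violations


def relative_violations(root):
    """Same result keyed by path relative to root ('.' is root itself)."""
    return {os.path.relpath(p, root): m
            for p, m in directory_mode_violations(root).items()}


def build_fixture():
    """Constructed sample tree (hypothetical, not /usr/foo): ok/ is
    compliant, private/ is 0700, sticky/ carries the sticky bit, and a
    0644 regular file shows that files are ignored."""
    root = tempfile.mkdtemp()
    os.chmod(root, 0o755)
    for name, mode in (("ok", 0o755), ("private", 0o700), ("sticky", 0o1755)):
        path = os.path.join(root, name)
        os.mkdir(path)
        os.chmod(path, mode)
    data = os.path.join(root, "ok", "data.txt")
    with open(data, "w") as fh:
        fh.write("constructed sample file\n")
    os.chmod(data, 0o644)
    return root


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_fixture()
    for path, mode in sorted(directory_mode_violations(target).items()):
        print("%s: %04o (expected %04o)" % (path, mode, EXPECTED_DIR_MODE))
```

Run it with a directory argument to check a real tree; without one it checks the constructed fixture.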