[Open-scap] Questions about OVAL

Jan Cerny jcerny at redhat.com
Thu Aug 15 11:58:32 UTC 2019


Hi,

On Tue, Aug 13, 2019 at 4:53 AM Tim Burress <tim at variosecure.net> wrote:
>
> Hello,
>
> I'm trying to learn my way around SCAP just now, with the main focus
> right now on scans of Linux-based systems using oscap and the related
> tools. I'm hitting a bit of a wall when it comes to writing OVAL content
> and just wondered if someone could point me to resources that unpack
> things from the perspective of someone accustomed to writing software in
> "normal" programming languages?

I'm not aware of any comprehensive book about that.

The official website can be a good start:
- https://oval.mitre.org/

We have created a tutorial for Red Hat Summit about ComplianceAsCode,
which also mentions OVAL:
- https://github.com/RedHatDemos/SecurityDemos/tree/master/2019Labs/CustomSecurityContent/documentation

>
> Some more-or-less specific questions:
>
> o In an object definition like this (condensed from OVAL found in SSG,
> where B is a local variable containing a set of file paths):
>
> <ind:textfilecontent54_object id="A" version="1">
>     <ind:filepath var_ref="B" var_check="at least one" />
>     <ind:pattern operation="pattern match">^0$</ind:pattern>
>     <ind:instance datatype="int">1</ind:instance>
> </ind:textfilecontent54_object>
>
> what is the function of var_check="at least one"? I assume that this is
> a condition being applied to the value of the variable B, saying that it
> must have at least one member, but what happens if the variable B is an
> empty set?

When var_check is set to "at least one" it means that for a file to be
matched its file path must be equal to at least one of the members of
variable B.

If the variable B is an empty set, the object will be evaluated as
"does not exist".

var_check is described here:
https://oval.mitre.org/language/version5.11/ovaldefinition/documentation/oval-definitions-schema.html
- search for var_check in section EntityAttributeGroup.

>
> o Basic question: is the order in which entities appear in a file of
> OVAL content irrelevant? Given that they are all tagged with types and
> ID strings it seems like this would be the case, but OVAL is a new world
> where many things are not what they seem, so I thought I would check.

The order of objects, states, variables etc. is irrelevant. For
example, it doesn't matter if object id=1 is defined before or after
object id=2.

However, the order of different child elements matters. For example,
within the <ind:textfilecontent54_object> element the <ind:filepath>
element must always come before the <ind:pattern> element. OpenSCAP will
tell you if you put elements in the wrong order, because it performs XML
validation each time.

>
> o Is there a tool that allows you to debug OVAL at runtime? That is,
> much like any other debugger, to set breakpoints and examine the values
> of objects/variables/etc at runtime?

We don't have any tool. We usually run OpenSCAP with --verbose, or we
generate the XML results and we analyse the results.

>
> o Is there a document/book/tutorial that guides a person through
> creating complex OVAL rules (preferably on Linux systems)? Most of the
> examples I've found on the web are of the very simple "Hello World"
> variety, so lead to more questions than they answer. Something that
> walks through even just how to *think* about solving problems in OVAL
> would be helpful at this point.

I also wish there was something like that. Try to get inspired by the
existing rules in SSG. If you have any further questions, feel free to
ask here anytime.

Regards


>
> Thanks!



-- 
Jan Černý
Security Technologies | Red Hat, Inc.
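As an added illustration (not code from this thread or from the OpenSCAP project), a small Python model of the var_check="at least one" semantics described in the reply above, including the empty-set case where the object evaluates as "does not exist"; evaluate_textfilecontent54 and demo are hypothetical helper names, the matching is a simplification of the real probe, and the sample files are constructed.

```python
import os
import re
import tempfile
from dataclasses import dataclass


@dataclass
class Item:
    """One collected item: the file, the matched line and its instance number."""
    filepath: str
    text: str
    instance: int


def evaluate_textfilecontent54(var_b, pattern, instance=1):
    """Simplified model (hypothetical, not OpenSCAP's probe) of the object
    quoted in the thread: filepath var_ref="B" var_check="at least one",
    a pattern and an instance.  var_b is the value set of local variable B.
    A file is considered only when its path equals at least one member of B.
    Returns (flag, items): "complete" when something was collected,
    "does not exist" otherwise, which covers B being an empty set."""
    if not var_b:
        return "does not exist", []          # empty B: no path can match
    regex = re.compile(pattern)
    items = []
    for path in sorted(set(var_b)):
        if not os.path.isfile(path):
            continue                          # member of B absent on disk
        with open(path, encoding="utf-8", errors="replace") as fh:
            hits = [ln.rstrip("\n") for ln in fh if regex.search(ln.rstrip("\n"))]
        if len(hits) >= instance:             # keep only the requested instance
            items.append(Item(path, hits[instance - 1], instance))
    return ("complete" if items else "does not exist"), items


def demo():
    """Constructed sample: two sysctl-style files, only one holding the value 0."""
    with tempfile.TemporaryDirectory() as d:
        forward = os.path.join(d, "ip_forward")
        redirects = os.path.join(d, "accept_redirects")
        with open(forward, "w") as fh:
            fh.write("1\n")
        with open(redirects, "w") as fh:
            fh.write("0\n")
        full_flag, full_items = evaluate_textfilecontent54([forward, redirects], r"^0$")
        empty_flag, _ = evaluate_textfilecontent54([], r"^0$")
        return {"with_paths": (full_flag, [os.path.basename(i.filepath) for i in full_items]),
                "empty_set": empty_flag}
```

Running demo() returns "complete" with accept_redirects collected for the populated set, and "does not exist" for the empty set.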



