[OVAL DEVELOPER] [Non-DoD Source] Re: Solaris 11 Facet, Variant, and Image Test Implementation

McIlroy, Douglas M CIV SPAWARSYSCEN-ATLANTIC, 58600 douglas.mcilroy at navy.mil
Tue Nov 17 14:57:16 EST 2015

Thank you for your response, Darren. I was indeed looking closely at the pkg command for a solution, but was not sure how it would fit in with the logic of the facet, variant, and image OVAL tests. In light of your verification that leveraging the pkg command is the correct direction, I would like clarification of how that command would handle the path entity that is required by the facet, variant, and image objects. After closely examining the pkg man page, I'm still not sure how to use it for evaluating these system characteristics with respect to a given image path.

Douglas M.
From: Darren J Moffat [Darren.Moffat at Oracle.COM]
Sent: Friday, November 13, 2015 9:28 AM
To: McIlroy, Douglas M CIV SPAWARSYSCEN-ATLANTIC, 58600; oval_developer at lists.cisecurity.org
Subject: [Non-DoD Source] Re: [OVAL DEVELOPER] Solaris 11 Facet, Variant, and Image Test Implementation

> I have been tasked with developing an implementation of the Solaris
> facet, variant, and image OVAL tests for Solaris 11. However, after
> researching the online Solaris definitions schema documentation
> (https://oval.mitre.org/language/version5.11/ovaldefinition/documentation/solaris-definitions-schema.html),
> Solaris schema proposal documentation
> (https://github.com/OVALProject/Sandbox/tree/master/resources/x-solaris-updates),
> and Oracle's Image Packaging System documentation, I am still not clear
> on what kind of interface these OVAL tests are designed to exploit.
> Solaris 11 provides a toolchain of shell commands for interrogating the
> IPS, none of which seem to map well to the facet, variant, and image
> OVAL test logic as I currently understand it. Also, I have so far not
> been able to isolate the location of any configuration files that could
> be mined for the relevant system characteristics. Any ideas about what I
> am missing? Any insight is appreciated.

There are no configuration/state files you can use; and even if you find
them (they do exist) you must not use them; they are internal interfaces
that are subject to change at any time.

Currently the only interface to IPS is the pkg(1) command.  The state of
facets and variants and the image tests should all be able to be
answered using the pkg(1) command with its parsable output.

There is an API to this in development that will provide bindings for
C, Java, Python and REST; this will be via the RAD[1] subsystem in
Solaris 11.  However it hasn't shipped yet.

We in Solaris engineering are planning on delivering changes to OpenSCAP
to use this interface as the implementation of the IPS part of the
Solaris OVAL schema.

[1] http://docs.oracle.com/cd/E53394_01/html/E54825/index.html

Darren J Moffat
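
The approach described above (answering facet, variant, and image queries from pkg(1) output) could be sketched as follows; this is an added example, not part of the original thread and not Oracle or OpenSCAP code. It assumes the pkg(1) global option `-R` to select the image root for the OVAL path entity, `-H` to omit headers, and a whitespace-separated NAME VALUE column layout; the sample output is constructed, not captured from a real system.

```python
import subprocess

# pkg(1) subcommand that reports each kind of OVAL item.
SUBCOMMANDS = {"facet": "facet", "variant": "variant", "image": "property"}

def pkg_argv(kind, image_path):
    """Build the pkg(1) call: -R selects the image root, -H drops the header."""
    return ["pkg", "-R", image_path, SUBCOMMANDS[kind], "-H"]

def parse_items(kind, image_path, output):
    """Turn headerless pkg output into OVAL-style (path, name, value) items."""
    items = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue  # blank or malformed line
        name = fields[0]
        if kind == "image":
            # Property values may contain spaces (e.g. list-valued properties).
            value = line.split(None, 1)[1].strip()
        else:
            # Assumed layout: NAME VALUE [SRC]; only the first two are used.
            value = fields[1]
        if kind == "facet":
            value = value.lower() == "true"  # OVAL facet values are boolean
        items.append({"path": image_path, "name": name, "value": value})
    return items

def collect(kind, image_path):
    """Run pkg(1) against image_path; only works on a Solaris 11 host."""
    result = subprocess.run(pkg_argv(kind, image_path),
                            capture_output=True, text=True, check=True)
    return parse_items(kind, image_path, result.stdout)

# Constructed sample output (not captured from a real system).
SAMPLE_FACETS = "facet.devel False local\nfacet.locale.de True local\n"
SAMPLE_VARIANTS = "variant.arch i386\nvariant.opensolaris.zone global\n"
SAMPLE_PROPERTIES = "be-policy default\npublisher-search-order ['solaris', 'extra']\n"

if __name__ == "__main__":
    samples = (("facet", SAMPLE_FACETS), ("variant", SAMPLE_VARIANTS),
               ("image", SAMPLE_PROPERTIES))
    for kind, sample in samples:
        for item in parse_items(kind, "/", sample):
            print(kind, item)
```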

