[OVAL DEVELOPER] [Non-DoD Source] Re: Solaris 11 Facet, Variant, and Image Test Implementation

McIlroy, Douglas M CIV SPAWARSYSCEN-ATLANTIC, 58600 douglas.mcilroy at navy.mil
Fri Nov 20 14:19:18 EST 2015


>> Currently, my solution consists of parsing the 'BASEDIR' field values
>> out of 'pkginfo -l' command output, but I'm not certain that I can trust
>> output from a utility that is part of the legacy package management system.
>That won't help you, pkginfo is an old SVR4 command and has no knowledge
>of IPS and never will. I'd also say it was highly unlikely that any IPS
>user image would also have SVR4 packages in it.

Thanks for that verification.

>Why do you think you need to find the possible user images?

The documentation for these new IPS tests doesn't seem to explicitly make any distinction between boot environment images vs. user images. However, your clarification makes it apparent that the image, variant, and facet tests weren't developed with user images in mind, which means that I can move forward with completing the implementation of these probes.

Thanks,
Douglas M.
________________________________________
From: Darren J Moffat [Darren.Moffat at Oracle.COM]
Sent: Friday, November 20, 2015 9:35 AM
To: McIlroy, Douglas M CIV SPAWARSYSCEN-ATLANTIC, 58600; oval_developer at lists.cisecurity.org
Subject: Re: [Non-DoD Source] Re: [OVAL DEVELOPER] Solaris 11 Facet, Variant, and Image Test Implementation

On 11/19/15 19:03, McIlroy, Douglas M CIV SPAWARSYSCEN-ATLANTIC, 58600
wrote:

> Thank you so much for your follow-up Darren. With that clarification,
> only one small matter still remains that I have been puzzling over.
> Listing boot environments (beadm list) is one way to enumerate some
> image root directories. However, I'm still not sure how to interrogate
> the system for a complete enumeration including user image directories.

There is no possible way to find all the user images; they could be
anywhere.

> Currently, my solution consists of parsing the 'BASEDIR' field values
> out of 'pkginfo -l' command output, but I'm not certain that I can trust
> output from a utility that is part of the legacy package management system.

That won't help you, pkginfo is an old SVR4 command and has no knowledge
of IPS and never will. I'd also say it was highly unlikely that any IPS
user image would also have SVR4 packages in it.

Why do you think you need to find the possible user images?

The way I expected OVAL to be used with IPS image path is via tailoring
values.  I would expect the path to be "/" by default and if someone
wished to run OVAL checks against an alternate boot environment then the
path value would be tailored to point to the root of the IPS image.

As far as we know there is very little to no use of IPS user images
outside of Solaris core development where we use them for testing.  All
the customers that I know of that make extensive use of IPS for their
own software do so by installing into the system image so they get the
benefit of boot environments.

--
Darren J Moffat

...



