-------------------------------------------------------------------------------------
OVAL Proposal Form
-------------------------------------------------------------------------------------

The OVAL Proposal Form is used by members of the community to prepare proposals for migration into an official release of OVAL. The form will be critical in helping the members of the community understand, review, and vet proposals. Once an OVAL Proposal Form is submitted to the oval-developer-list, the OVAL Moderator will review and verify the proposal for completeness, at which point it will be ready for community review and discussion.

When a new proposal is introduced to the community, the OVAL Moderator will work with the OVAL Board to determine the impact of the proposal. If the proposal is deemed a high impact change, it must be developed in the OVAL Sandbox, which will require the completion of this form as well as an OVAL Board vote before it is migrated into an official release. More information about the OVAL Board Voting Process can be found at [1]. If the proposal is deemed a low impact change, the proposed change can be made directly to an official OVAL release.

Please direct any questions or concerns to MITRE at oval@mitre.org.

-------------------------------------------------------------------------------------
Steps to Take
-------------------------------------------------------------------------------------

1) Review the OVAL Language Sandbox page [2] and the Requesting Changes to the OVAL Language page [3].
2) Complete the form provided below.
3) Email the completed form to the oval-developer-list at oval-developer-list@lists.mitre.org with a subject of "FOR REVIEW: Proposal Form".
4) Revise the proposal, as needed, based on community discussion and feedback.
-------------------------------------------------------------------------------------
Contact Information
-------------------------------------------------------------------------------------

1) Name: David Solin
2) Email Address: solin@jovalcm.com
3) Phone Number (optional):

-------------------------------------------------------------------------------------
Introduction to Proposal
-------------------------------------------------------------------------------------

1) What is the new capability?

A new test/object/state making it possible to retrieve information about Windows reparse points (AKA filesystem junctions).

2) Why is the new capability needed?

This is a completeness issue for the OVAL language. Prior to the modifications made for OVAL 5.11.2, the Windows file_item/state type entity was overloaded with the Windows file type and the directory attribute. In 5.11.2, this overloading is corrected: the FILE_ATTRIBUTE_DIRECTORY attribute enum value for the type entity is deprecated, and an attribute entity (potentially multi-valued) is added for storing all the file attribute information.

One possible value for the new attribute entity is FILE_ATTRIBUTE_REPARSE_POINT. This indicates that the file is a symbolic link. However, there is no way in OVAL to get information about the linked file, as the file_item with this attribute describes the link file itself, not the target. The identical problem was addressed for Unix operating systems with the addition of the unix-def:symlink_test/object/state/unix-sc:item in OVAL 5.11. The win-def:junction_test/object/state/win-sc:item corresponds exactly to the Unix equivalent.

Correspondingly, the "symlinks" recurse behaviors for independent file-based objects (e.g., textfilecontent_object and xmlfilecontent_object) will become meaningful, and a new recurse behavior for "junctions" must be added to Windows file-based objects (e.g., file_object).

3) What is the version of the targeted official OVAL release?
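The following is an added illustration, not part of the proposal or of any OVAL implementation. It models the two things the proposal asks an implementation to do: decode a Win32 dwFileAttributes bitmask into the multi-valued attribute list of the 5.11.2 file_item (so that FILE_ATTRIBUTE_DIRECTORY and FILE_ATTRIBUTE_REPARSE_POINT are reported as attributes rather than as a "type"), and, when an entry is a reparse point, resolve the canonical path of the target, which is what a junction_item would have to carry. The attribute constants come from the MSDN page cited under Resource Information; the dictionary key names ("path", "attributes", "canonical_path") and the demo link are constructed for this example. On non-Windows platforms the two relevant bits are derived from the POSIX mode so the code runs anywhere.

```python
"""Added example (not from the OVAL proposal): decode Win32 file attributes and
dereference a reparse point the way a junction_item would need to."""
import os
import stat
import tempfile

# Win32 FILE_ATTRIBUTE_* values, as documented on the MSDN file-attribute
# constants page cited by the proposal (subset; others follow the same pattern).
FILE_ATTRIBUTES = {
    0x0001: "FILE_ATTRIBUTE_READONLY",
    0x0002: "FILE_ATTRIBUTE_HIDDEN",
    0x0004: "FILE_ATTRIBUTE_SYSTEM",
    0x0010: "FILE_ATTRIBUTE_DIRECTORY",
    0x0020: "FILE_ATTRIBUTE_ARCHIVE",
    0x0080: "FILE_ATTRIBUTE_NORMAL",
    0x0100: "FILE_ATTRIBUTE_TEMPORARY",
    0x0400: "FILE_ATTRIBUTE_REPARSE_POINT",
    0x0800: "FILE_ATTRIBUTE_COMPRESSED",
    0x2000: "FILE_ATTRIBUTE_NOT_CONTENT_INDEXED",
    0x4000: "FILE_ATTRIBUTE_ENCRYPTED",
}
FILE_ATTRIBUTE_DIRECTORY = 0x0010
FILE_ATTRIBUTE_REPARSE_POINT = 0x0400


def decode_attributes(mask):
    """Names of the bits set in a dwFileAttributes mask, in ascending bit order.
    This is the multi-valued 'attribute' entity of the 5.11.2 file_item."""
    return [name for bit, name in sorted(FILE_ATTRIBUTES.items()) if mask & bit]


def is_reparse_point(mask):
    """True when the entry is a junction/symbolic link (the link itself, not its target)."""
    return bool(mask & FILE_ATTRIBUTE_REPARSE_POINT)


def link_attributes(path):
    """Attribute mask of the entry itself (lstat, no dereference).
    Windows exposes the real dwFileAttributes as st_file_attributes; on POSIX
    only the directory and link bits are mapped, which is enough for this demo."""
    st = os.lstat(path)
    mask = getattr(st, "st_file_attributes", None)
    if mask is None:
        mask = 0
        if stat.S_ISDIR(st.st_mode):
            mask |= FILE_ATTRIBUTE_DIRECTORY
        if stat.S_ISLNK(st.st_mode):
            mask |= FILE_ATTRIBUTE_REPARSE_POINT
    return mask


def describe_junction(path):
    """Constructed model of a junction_item: the link's own path plus, when the
    entry is a reparse point, the canonical path of the target. os.path.realpath
    follows NTFS junctions and symbolic links on Windows (GetFinalPathNameByHandle,
    Python 3.8+) and symbolic links on POSIX."""
    mask = link_attributes(path)
    item = {"path": path, "attributes": decode_attributes(mask), "canonical_path": None}
    if is_reparse_point(mask):
        item["canonical_path"] = os.path.realpath(path)
    return item


def demo():
    """Create a constructed link in a temporary directory and compare the item
    produced for the link with the item produced for its target."""
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "target.txt")
        with open(target, "w") as f:
            f.write("constructed policy file contents\n")
        link = os.path.join(tmp, "shortcut.txt")
        os.symlink(target, link)  # constructed link; an NTFS junction is handled the same way
        link_item = describe_junction(link)
        target_item = describe_junction(target)
        # The link's canonical_path resolves to the target; the target has none.
        return (link_item["canonical_path"] == os.path.realpath(target),
                target_item["canonical_path"])


if __name__ == "__main__":
    print(decode_attributes(FILE_ATTRIBUTE_DIRECTORY | FILE_ATTRIBUTE_REPARSE_POINT))
    print(demo())
```

The point the demo makes is the one the proposal raises: evaluating a file_item for the link gives you the link's own attributes, while a check that cares about the file actually reached through the link has to carry the resolved canonical_path as a separate entity.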
5.11.2

-------------------------------------------------------------------------------------
Benefits of Proposal
-------------------------------------------------------------------------------------

1) How does the proposal relate to existing OVAL use cases [4]?

Any existing OVAL content referencing a reparse point has an ambiguous meaning in the absence of this new capability, so simply having the new capability clarifies the meaning of existing Windows content. It also simplifies inventory collection/license usage monitoring use-cases by making it possible to dereference symbolic links on user Desktops.

2) What does this proposal enable that cannot currently be accomplished in the OVAL Language?

Currently the OVAL language does not explicitly support filesystem reparse points.

3) What alternative approaches for supporting these use cases were considered and why is this one the best?

No alternatives were considered. This solution was introduced on the OVAL-Developer mailing list in March 2016, and no alternatives were proposed.

-------------------------------------------------------------------------------------
Impacts of Proposal
-------------------------------------------------------------------------------------

1) Which existing OVAL schemas are affected by this proposal? If a new platform schema is being proposed, is it expected to inherit tests from another schema (e.g. UNIX-based platform schemas typically inherit tests from the UNIX schema)?

The win-def and win-sc schemas are impacted. The ind-def and ind-sc schemas are also affected, in that they require updated documentation concerning the applicability of the "symlinks" recurse behavior.

2) Does the proposal break backward compatibility with previous versions? Please see OVAL Versioning Policy [5] for more information.
It does not break backwards compatibility; however, it is possible that existing implementations differ in how they handle the ambiguity of Windows reparse points with respect to the OVAL specification.

3) How will the proposed changes impact OVAL content authors?

Content authors will now be able to create tests involving Windows reparse points.

4) How will the proposed changes impact OVAL content consumers?

There should not be any impact, except the usual ones surrounding new feature adoption (e.g., their vendor may not yet support the new feature, which may be used in public content).

5) How will the proposed changes impact existing OVAL content?

There should be no impact to existing content.

6) How will the proposed changes impact existing OVAL implementations?

OVAL implementations will have to implement the new tests, and support newly-relevant recurse behaviors on Windows.

7) Are there any concerns regarding this proposal (e.g., undocumented APIs, etc.)? If so, are there any mitigating factors?

No.

-------------------------------------------------------------------------------------
Technical Review
-------------------------------------------------------------------------------------

1) Do the schema changes follow the accepted naming and design conventions?

They do.

2) Do the schema changes satisfy the requirements specified in the Requesting Changes to the OVAL Language page [3]?

Yes.

3) Do the schema changes align with the targeted official release (e.g., changes that break backward compatibility should not target a minor release)? Please see the OVAL Versioning Policy [5] for more information.

Yes.

4) Have the new capabilities been successfully implemented and tested with sample content?

Yes.
-------------------------------------------------------------------------------------
Resource Information
-------------------------------------------------------------------------------------

1) Provide URLs for relevant OVAL Sandbox Issues:

N/A

2) Provide URLs for OVAL Sandbox schemas that exemplify the proposed changes:

https://github.com/OVALProject/Language/blob/5.11.2/schemas/windows-definitions-schema.xsd
https://github.com/OVALProject/Language/blob/5.11.2/schemas/windows-system-characteristics-schema.xsd

3) Provide URLs for the location of sample OVAL Definitions, OVAL System Characteristics, and OVAL Results that exemplify the proposed changes:

See http://lists.cisecurity.org/pipermail/oval_developer_lists.cisecurity.org/Week-of-Mon-20160307/000083.html

4) Provide URLs for products or tools that implement the proposed changes:

http://jovalcm.com

5) Provide URLs to any other resources that may be relevant to reviewing and verifying the proposal:

For information about Windows file attributes, see:
https://msdn.microsoft.com/en-us/library/windows/desktop/aa364944(v=vs.85).aspx

For information about retrieving the target path for a reparse point file handle:
https://msdn.microsoft.com/en-us/library/windows/desktop/aa364962(v=vs.85).aspx

-------------------------------------------------------------------------------------
References
-------------------------------------------------------------------------------------

[1] http://oval.mitre.org/community/board/voting.html
[2] http://oval.mitre.org/language/sandbox.html
[3] http://oval.mitre.org/language/about/change_requests.html
[4] http://oval.mitre.org/adoption/usecasesguide.html
[5] http://oval.mitre.org/language/about/versioning.html