A list for people interested in developing the OVAL language.
View all threadsOVAL Folks,
I have added a pull request to the OVAL Language Sandbox for an extension schema for Docker. The pull request can be found here -- https://github.com/OVALProject/Sandbox/pull/149. Thanks for any considerations, questions, comments, feedback, etc.
Cheers,
-Bill M.
-Bill Munyan
Technical Product Executive :: CIS-CAT
Security Controls & Automation
Center for Internet Security
(518) 880-0690
www.cisecurity.orghttp://www.cisecurity.org/
Follow us @CISecurity
This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited. Please notify the sender immediately and permanently delete the message and any attachments.
. . .
...
Hi Bill,
FYI, your pull request also contains a shellcommand_test (and I swear there were some SUSE tests but they seem to have disappeared?).
Best,
—David Solin
David A. Solin
Co-Founder, Research & Technology
solin@jovalcm.com mailto:solin@jovalcm.com
http://jovalcm.com/
https://www.facebook.com/jovalcm https://www.linkedin.com/company/joval-continuous-monitoring
On Aug 11, 2016, at 1:14 PM, William Munyan william.munyan@cisecurity.org wrote:
OVAL Folks,
I have added a pull request to the OVAL Language Sandbox for an extension schema for Docker. The pull request can be found here -- https://github.com/OVALProject/Sandbox/pull/149 https://github.com/OVALProject/Sandbox/pull/149. Thanks for any considerations, questions, comments, feedback, etc.
Cheers,
-Bill M.
-Bill Munyan
Technical Product Executive :: CIS-CAT
Security Controls & Automation
Center for Internet Security
(518) 880-0690
www.cisecurity.org http://www.cisecurity.org/
Follow us @CISecurity
This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited. Please notify the sender immediately and permanently delete the message and any attachments.
. . .
...
OVAL_Developer mailing list
OVAL_Developer@lists.cisecurity.org mailto:OVAL_Developer@lists.cisecurity.org
http://lists.cisecurity.org/mailman/listinfo/oval_developer_lists.cisecurity.org http://lists.cisecurity.org/mailman/listinfo/oval_developer_lists.cisecurity.org
...
David,
The shell command stuff and SUSE should have been removed as part of the commits/pull requests etc…. I had a request to separate out the SUSE, Shell Command stuff so I removed them. It is very possible I did something wrong via Git, but the only files in the PR should pertain to Docker.
Cheers,
-Bill M.
From: David Solin [mailto:solin@jovalcm.com]
Sent: Thursday, August 11, 2016 2:25 PM
To: William Munyan
Cc: Oval; oval_developer@lists.cisecurity.org
Subject: Re: [OVAL DEVELOPER] Schema proposal for Docker
Hi Bill,
FYI, your pull request also contains a shellcommand_test (and I swear there were some SUSE tests but they seem to have disappeared?).
Best,
—David Solin
David A. Solin
Co-Founder, Research & Technology
solin@jovalcm.commailto:solin@jovalcm.com
[Joval Continuous Monitoring]http://jovalcm.com
[Facebook] https://www.facebook.com/jovalcm [Linkedin] https://www.linkedin.com/company/joval-continuous-monitoring
On Aug 11, 2016, at 1:14 PM, William Munyan <william.munyan@cisecurity.orgmailto:william.munyan@cisecurity.org> wrote:
OVAL Folks,
I have added a pull request to the OVAL Language Sandbox for an extension schema for Docker. The pull request can be found here -- https://github.com/OVALProject/Sandbox/pull/149. Thanks for any considerations, questions, comments, feedback, etc.
Cheers,
-Bill M.
-Bill Munyan
Technical Product Executive :: CIS-CAT
Security Controls & Automation
Center for Internet Security
(518) 880-0690
www.cisecurity.orghttp://www.cisecurity.org/
Follow us @CISecurity
This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited. Please notify the sender immediately and permanently delete the message and any attachments.
. . .
...
OVAL_Developer mailing list
OVAL_Developer@lists.cisecurity.orgmailto:OVAL_Developer@lists.cisecurity.org
http://lists.cisecurity.org/mailman/listinfo/oval_developer_lists.cisecurity.org
...
This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited. Please notify the sender immediately and permanently delete the message and any attachments.
. . .
...
Hi Bill,
I’m very excited to see proposed support for Docker. Thanks for making this happen!
Have you been able to engage the Docker team or any other authoritative Docker domain experts in the creation of this schema? I’m not questioning your expertise in any way, but I know that in the past, schemas have benefited greatly when authoritative parties get involved.
Best,
David
On Aug 11, 2016, at 1:31 PM, William Munyan William.Munyan@cisecurity.org wrote:
David,
The shell command stuff and SUSE should have been removed as part of the commits/pull requests etc…. I had a request to separate out the SUSE, Shell Command stuff so I removed them. It is very possible I did something wrong via Git, but the only files in the PR should pertain to Docker.
Cheers,
-Bill M.
From: David Solin [mailto:solin@jovalcm.com mailto:solin@jovalcm.com]
Sent: Thursday, August 11, 2016 2:25 PM
To: William Munyan
Cc: Oval; oval_developer@lists.cisecurity.org mailto:oval_developer@lists.cisecurity.org
Subject: Re: [OVAL DEVELOPER] Schema proposal for Docker
Hi Bill,
FYI, your pull request also contains a shellcommand_test (and I swear there were some SUSE tests but they seem to have disappeared?).
Best,
—David Solin
David A. Solin
Co-Founder, Research & Technology
solin@jovalcm.com mailto:solin@jovalcm.com
http://jovalcm.com/
https://www.facebook.com/jovalcm https://www.linkedin.com/company/joval-continuous-monitoring
On Aug 11, 2016, at 1:14 PM, William Munyan <william.munyan@cisecurity.org mailto:william.munyan@cisecurity.org> wrote:
OVAL Folks,
I have added a pull request to the OVAL Language Sandbox for an extension schema for Docker. The pull request can be found here -- https://github.com/OVALProject/Sandbox/pull/149 https://github.com/OVALProject/Sandbox/pull/149. Thanks for any considerations, questions, comments, feedback, etc.
Cheers,
-Bill M.
-Bill Munyan
Technical Product Executive :: CIS-CAT
Security Controls & Automation
Center for Internet Security
(518) 880-0690
www.cisecurity.org http://www.cisecurity.org/
Follow us @CISecurity
This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited. Please notify the sender immediately and permanently delete the message and any attachments.
. . .
...
OVAL_Developer mailing list
OVAL_Developer@lists.cisecurity.org mailto:OVAL_Developer@lists.cisecurity.org
http://lists.cisecurity.org/mailman/listinfo/oval_developer_lists.cisecurity.org http://lists.cisecurity.org/mailman/listinfo/oval_developer_lists.cisecurity.org
...
This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited. Please notify the sender immediately and permanently delete the message and any attachments.
. . .
...
OVAL_Developer mailing list
OVAL_Developer@lists.cisecurity.org mailto:OVAL_Developer@lists.cisecurity.org
http://lists.cisecurity.org/mailman/listinfo/oval_developer_lists.cisecurity.org http://lists.cisecurity.org/mailman/listinfo/oval_developer_lists.cisecurity.org
David E. Ries
Co-Founder, Business Development
ries@jovalcm.com mailto:ries@jovalcm.com
http://jovalcm.com/
https://www.facebook.com/jovalcm https://www.linkedin.com/company/joval-continuous-monitoring
...
----- Original Message -----
From: "William Munyan" William.Munyan@cisecurity.org
To: "David Solin" solin@jovalcm.com
Cc: "oval developer" oval_developer@lists.cisecurity.org, "Oval" oval@cisecurity.org
Sent: Thursday, August 11, 2016 2:31:33 PM
Subject: Re: [OVAL DEVELOPER] Schema proposal for Docker
David,
The shell command stuff and SUSE should have been removed as part of the
commits/pull requests etc…. I had a request to separate out the SUSE, Shell
Command stuff so I removed them. It is very possible I did something wrong
via Git, but the only files in the PR should pertain to Docker.
Hi Bill,
thanks for your proposal, it looks very interesting. I am also working on a
container proposal and there is a lot of overlap. I suggest we work together
to fulfill all the use-cases.
My PR with notes: https://github.com/OVALProject/Sandbox/pull/147
I also provided some notes in the PR you submitted:
https://github.com/OVALProject/Sandbox/pull/151
My main use-case is being able to generate container image CVE feeds similar
to what is done with RPM or DPKG CVE feeds today. For that I need to query
container labels and container signatures via OVAL.
I am on PTO, I will be back at the end of August to provide more feedback
and patches to your XSD :-)
--
Martin Preisler
Identity Management and Platform Security | Red Hat, Inc.
...
Bill,
So why was the shellcommand_test supposed to be removed?
Kent Landfield
+1.817.637.8026
From: OVAL_Developer oval_developer-bounces@lists.cisecurity.org on behalf of William Munyan William.Munyan@cisecurity.org
Date: Thursday, August 11, 2016 at 2:31 PM
To: David Solin solin@jovalcm.com
Cc: "oval_developer@lists.cisecurity.org" oval_developer@lists.cisecurity.org, Oval oval@cisecurity.org
Subject: Re: [OVAL DEVELOPER] Schema proposal for Docker
David,
The shell command stuff and SUSE should have been removed as part of the commits/pull requests etc…. I had a request to separate out the SUSE, Shell Command stuff so I removed them. It is very possible I did something wrong via Git, but the only files in the PR should pertain to Docker.
Cheers,
-Bill M.
From: David Solin [mailto:solin@jovalcm.com]
Sent: Thursday, August 11, 2016 2:25 PM
To: William Munyan
Cc: Oval; oval_developer@lists.cisecurity.org
Subject: Re: [OVAL DEVELOPER] Schema proposal for Docker
Hi Bill,
FYI, your pull request also contains a shellcommand_test (and I swear there were some SUSE tests but they seem to have disappeared?).
Best,
—David Solin
David A. Solin
Co-Founder, Research & Technology
solin@jovalcm.commailto:solin@jovalcm.com
[oval Continuous Monitoring]http://jovalcm.com
[acebook] https://www.facebook.com/jovalcm [inkedin] https://www.linkedin.com/company/joval-continuous-monitoring
On Aug 11, 2016, at 1:14 PM, William Munyan <william.munyan@cisecurity.orgmailto:william.munyan@cisecurity.org> wrote:
OVAL Folks,
I have added a pull request to the OVAL Language Sandbox for an extension schema for Docker. The pull request can be found here -- https://github.com/OVALProject/Sandbox/pull/149. Thanks for any considerations, questions, comments, feedback, etc.
Cheers,
-Bill M.
-Bill Munyan
Technical Product Executive :: CIS-CAT
Security Controls & Automation
Center for Internet Security
(518) 880-0690
www.cisecurity.orghttp://www.cisecurity.org/
Follow us @CISecurity
This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited. Please notify the sender immediately and permanently delete the message and any attachments.
. . .
...
OVAL_Developer mailing list
OVAL_Developer@lists.cisecurity.orgmailto:OVAL_Developer@lists.cisecurity.org
http://lists.cisecurity.org/mailman/listinfo/oval_developer_lists.cisecurity.org
...
This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited. Please notify the sender immediately and permanently delete the message and any attachments.
. . .
...
...
Kent,
Sorry for any confusion here. There was a comment on the initial PR, requesting that the different schema proposals be separated out into individual PRs. I was having Git-related issues yesterday and as such had to redo some of my PRs.
Also, I am not 100% positive that I wanted to re-propose my shell command extension, as I understand people’s opposition to it, based on an intent of OVAL to abstract away the commands, and not allowing arbitrary commands to be executed on a system. I can certainly re-add the shell command extension as a separate PR in order to engage discussion on the topic, though.
Cheers,
-Bill M.
From: Landfield, Kent B [mailto:kent.b.landfield@intel.com]
Sent: Friday, August 12, 2016 12:34 PM
To: William Munyan; David Solin
Cc: oval_developer@lists.cisecurity.org; Oval
Subject: Re: [OVAL DEVELOPER] Schema proposal for Docker
Bill,
So why was the shellcommand_test supposed to be removed?
Kent Landfield
+1.817.637.8026
From: OVAL_Developer <oval_developer-bounces@lists.cisecurity.orgmailto:oval_developer-bounces@lists.cisecurity.org> on behalf of William Munyan <William.Munyan@cisecurity.orgmailto:William.Munyan@cisecurity.org>
Date: Thursday, August 11, 2016 at 2:31 PM
To: David Solin <solin@jovalcm.commailto:solin@jovalcm.com>
Cc: "oval_developer@lists.cisecurity.orgmailto:oval_developer@lists.cisecurity.org" <oval_developer@lists.cisecurity.orgmailto:oval_developer@lists.cisecurity.org>, Oval <oval@cisecurity.orgmailto:oval@cisecurity.org>
Subject: Re: [OVAL DEVELOPER] Schema proposal for Docker
David,
The shell command stuff and SUSE should have been removed as part of the commits/pull requests etc…. I had a request to separate out the SUSE, Shell Command stuff so I removed them. It is very possible I did something wrong via Git, but the only files in the PR should pertain to Docker.
Cheers,
-Bill M.
From: David Solin [mailto:solin@jovalcm.com]
Sent: Thursday, August 11, 2016 2:25 PM
To: William Munyan
Cc: Oval; oval_developer@lists.cisecurity.orgmailto:oval_developer@lists.cisecurity.org
Subject: Re: [OVAL DEVELOPER] Schema proposal for Docker
Hi Bill,
FYI, your pull request also contains a shellcommand_test (and I swear there were some SUSE tests but they seem to have disappeared?).
Best,
—David Solin
David A. Solin
Co-Founder, Research & Technology
solin@jovalcm.commailto:solin@jovalcm.com
[oval Continuous Monitoring]http://jovalcm.com
[acebook] https://www.facebook.com/jovalcm [inkedin] https://www.linkedin.com/company/joval-continuous-monitoring
On Aug 11, 2016, at 1:14 PM, William Munyan <william.munyan@cisecurity.orgmailto:william.munyan@cisecurity.org> wrote:
OVAL Folks,
I have added a pull request to the OVAL Language Sandbox for an extension schema for Docker. The pull request can be found here -- https://github.com/OVALProject/Sandbox/pull/149. Thanks for any considerations, questions, comments, feedback, etc.
Cheers,
-Bill M.
-Bill Munyan
Technical Product Executive :: CIS-CAT
Security Controls & Automation
Center for Internet Security
(518) 880-0690
www.cisecurity.orghttp://www.cisecurity.org/
Follow us @CISecurity
This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited. Please notify the sender immediately and permanently delete the message and any attachments.
. . .
...
OVAL_Developer mailing list
OVAL_Developer@lists.cisecurity.orgmailto:OVAL_Developer@lists.cisecurity.org
http://lists.cisecurity.org/mailman/listinfo/oval_developer_lists.cisecurity.org
...
This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited. Please notify the sender immediately and permanently delete the message and any attachments.
. . .
...
...
This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited. Please notify the sender immediately and permanently delete the message and any attachments.
. . .
...
So why are we still thinking like this? There is history here with MITRE and positioning OVAL’s checking capabilities, but that never was the need of the language or the users. Customers have been asking for this flexibility for years and even when there was real movement in this direction, it was blocked by the Moderator. I am not faulting MITRE for doing things in their best interest but it really was counter to OVAL’s adoption.
If sites have something they are already running that is a capability OVAL does not have, why would you want to restrict them and not allow the flexibility this type of capability would provide? This has had the effect of inhibiting adoption since organizations have now spent a good deal of time and effort debugging something they cannot use with OVAL. Guess what happens… OVAL loses out.
As for the security concerns…. Let’s get real here. XCCDF has this kind of capability since the beginning and I have yet to hear of a site being compromised using this capability. That has been used as a red herring for just about as long…
Do others really want to not have a scripting capability?
Kent Landfield
+1.817.637.8026
From: William Munyan William.Munyan@cisecurity.org
Date: Friday, August 12, 2016 at 11:40 AM
To: Kent Landfield kent.b.landfield@intel.com, David Solin solin@jovalcm.com
Cc: "oval_developer@lists.cisecurity.org" oval_developer@lists.cisecurity.org, Oval oval@cisecurity.org
Subject: RE: [OVAL DEVELOPER] Schema proposal for Docker
Kent,
Sorry for any confusion here. There was a comment on the initial PR, requesting that the different schema proposals be separated out into individual PRs. I was having Git-related issues yesterday and as such had to redo some of my PRs.
Also, I am not 100% positive that I wanted to re-propose my shell command extension, as I understand people’s opposition to it, based on an intent of OVAL to abstract away the commands, and not allowing arbitrary commands to be executed on a system. I can certainly re-add the shell command extension as a separate PR in order to engage discussion on the topic, though.
Cheers,
-Bill M.
From: Landfield, Kent B [mailto:kent.b.landfield@intel.com]
Sent: Friday, August 12, 2016 12:34 PM
To: William Munyan; David Solin
Cc: oval_developer@lists.cisecurity.org; Oval
Subject: Re: [OVAL DEVELOPER] Schema proposal for Docker
Bill,
So why was the shellcommand_test supposed to be removed?
Kent Landfield
+1.817.637.8026
From: OVAL_Developer <oval_developer-bounces@lists.cisecurity.orgmailto:oval_developer-bounces@lists.cisecurity.org> on behalf of William Munyan <William.Munyan@cisecurity.orgmailto:William.Munyan@cisecurity.org>
Date: Thursday, August 11, 2016 at 2:31 PM
To: David Solin <solin@jovalcm.commailto:solin@jovalcm.com>
Cc: "oval_developer@lists.cisecurity.orgmailto:oval_developer@lists.cisecurity.org" <oval_developer@lists.cisecurity.orgmailto:oval_developer@lists.cisecurity.org>, Oval <oval@cisecurity.orgmailto:oval@cisecurity.org>
Subject: Re: [OVAL DEVELOPER] Schema proposal for Docker
David,
The shell command stuff and SUSE should have been removed as part of the commits/pull requests etc…. I had a request to separate out the SUSE, Shell Command stuff so I removed them. It is very possible I did something wrong via Git, but the only files in the PR should pertain to Docker.
Cheers,
-Bill M.
From: David Solin [mailto:solin@jovalcm.com]
Sent: Thursday, August 11, 2016 2:25 PM
To: William Munyan
Cc: Oval; oval_developer@lists.cisecurity.orgmailto:oval_developer@lists.cisecurity.org
Subject: Re: [OVAL DEVELOPER] Schema proposal for Docker
Hi Bill,
FYI, your pull request also contains a shellcommand_test (and I swear there were some SUSE tests but they seem to have disappeared?).
Best,
—David Solin
David A. Solin
Co-Founder, Research & Technology
solin@jovalcm.commailto:solin@jovalcm.com
[val Continuous Monitoring]http://jovalcm.com
[cebook] https://www.facebook.com/jovalcm [nkedin] https://www.linkedin.com/company/joval-continuous-monitoring
On Aug 11, 2016, at 1:14 PM, William Munyan <william.munyan@cisecurity.orgmailto:william.munyan@cisecurity.org> wrote:
OVAL Folks,
I have added a pull request to the OVAL Language Sandbox for an extension schema for Docker. The pull request can be found here -- https://github.com/OVALProject/Sandbox/pull/149. Thanks for any considerations, questions, comments, feedback, etc.
Cheers,
-Bill M.
-Bill Munyan
Technical Product Executive :: CIS-CAT
Security Controls & Automation
Center for Internet Security
(518) 880-0690
www.cisecurity.orghttp://www.cisecurity.org/
Follow us @CISecurity
This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited. Please notify the sender immediately and permanently delete the message and any attachments.
. . .
...
OVAL_Developer mailing list
OVAL_Developer@lists.cisecurity.orgmailto:OVAL_Developer@lists.cisecurity.org
http://lists.cisecurity.org/mailman/listinfo/oval_developer_lists.cisecurity.org
...
This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited. Please notify the sender immediately and permanently delete the message and any attachments.
. . .
...
...
This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited. Please notify the sender immediately and permanently delete the message and any attachments.
. . .
...
Hi Kent,
It seems that you are in favor of reopening this discussion. We agree (Bill originally created the test for a reason).
Bill indicated that he’d be happy to submit another PR containing that shellcommand_test. I say submit it, and let the discussion begin.
Do others have an opinion?
Adam
From: OVAL_Developer oval_developer-bounces@lists.cisecurity.org on behalf of "Landfield, Kent B" kent.b.landfield@intel.com
Date: Tuesday, August 23, 2016 at 2:16 PM
To: William Munyan William.Munyan@cisecurity.org, David Solin solin@jovalcm.com
Cc: "oval_developer@lists.cisecurity.org" oval_developer@lists.cisecurity.org, Adam Montville oval@cisecurity.org
Subject: Re: [OVAL DEVELOPER] Schema proposal for Docker
So why are we still thinking like this? There is history here with MITRE and positioning OVAL’s checking capabilities, but that never was the need of the language or the users. Customers have been asking for this flexibility for years and even when there was real movement in this direction, it was blocked by the Moderator. I am not faulting MITRE for doing things in their best interest but it really was counter to OVAL’s adoption.
If sites have something they are already running that is a capability OVAL does not have, why would you want to restrict them and not allow the flexibility this type of capability would provide? This has had the effect of inhibiting adoption since organizations have now spent a good deal of time and effort debugging something they cannot use with OVAL. Guess what happens… OVAL loses out.
As for the security concerns…. Let’s get real here. XCCDF has this kind of capability since the beginning and I have yet to hear of a site being compromised using this capability. That has been used as a red herring for just about as long…
Do others really want to not have a scripting capability?
Kent Landfield
+1.817.637.8026
From: William Munyan William.Munyan@cisecurity.org
Date: Friday, August 12, 2016 at 11:40 AM
To: Kent Landfield kent.b.landfield@intel.com, David Solin solin@jovalcm.com
Cc: "oval_developer@lists.cisecurity.org" oval_developer@lists.cisecurity.org, Oval oval@cisecurity.org
Subject: RE: [OVAL DEVELOPER] Schema proposal for Docker
Kent,
Sorry for any confusion here. There was a comment on the initial PR, requesting that the different schema proposals be separated out into individual PRs. I was having Git-related issues yesterday and as such had to redo some of my PRs.
Also, I am not 100% positive that I wanted to re-propose my shell command extension, as I understand people’s opposition to it, based on an intent of OVAL to abstract away the commands, and not allowing arbitrary commands to be executed on a system. I can certainly re-add the shell command extension as a separate PR in order to engage discussion on the topic, though.
Cheers,
-Bill M.
From: Landfield, Kent B [mailto:kent.b.landfield@intel.com]
Sent: Friday, August 12, 2016 12:34 PM
To: William Munyan; David Solin
Cc: oval_developer@lists.cisecurity.org; Oval
Subject: Re: [OVAL DEVELOPER] Schema proposal for Docker
Bill,
So why was the shellcommand_test supposed to be removed?
Kent Landfield
+1.817.637.8026
From: OVAL_Developer <oval_developer-bounces@lists.cisecurity.orgmailto:oval_developer-bounces@lists.cisecurity.org> on behalf of William Munyan <William.Munyan@cisecurity.orgmailto:William.Munyan@cisecurity.org>
Date: Thursday, August 11, 2016 at 2:31 PM
To: David Solin <solin@jovalcm.commailto:solin@jovalcm.com>
Cc: "oval_developer@lists.cisecurity.orgmailto:oval_developer@lists.cisecurity.org" <oval_developer@lists.cisecurity.orgmailto:oval_developer@lists.cisecurity.org>, Oval <oval@cisecurity.orgmailto:oval@cisecurity.org>
Subject: Re: [OVAL DEVELOPER] Schema proposal for Docker
David,
The shell command stuff and SUSE should have been removed as part of the commits/pull requests etc…. I had a request to separate out the SUSE, Shell Command stuff so I removed them. It is very possible I did something wrong via Git, but the only files in the PR should pertain to Docker.
Cheers,
-Bill M.
From: David Solin [mailto:solin@jovalcm.com]
Sent: Thursday, August 11, 2016 2:25 PM
To: William Munyan
Cc: Oval; oval_developer@lists.cisecurity.orgmailto:oval_developer@lists.cisecurity.org
Subject: Re: [OVAL DEVELOPER] Schema proposal for Docker
Hi Bill,
FYI, your pull request also contains a shellcommand_test (and I swear there were some SUSE tests but they seem to have disappeared?).
Best,
—David Solin
David A. Solin
Co-Founder, Research & Technology
solin@jovalcm.commailto:solin@jovalcm.com
[al Continuous Monitoring]http://jovalcm.com
[ebook] https://www.facebook.com/jovalcm [kedin] https://www.linkedin.com/company/joval-continuous-monitoring
On Aug 11, 2016, at 1:14 PM, William Munyan <william.munyan@cisecurity.orgmailto:william.munyan@cisecurity.org> wrote:
OVAL Folks,
I have added a pull request to the OVAL Language Sandbox for an extension schema for Docker. The pull request can be found here -- https://github.com/OVALProject/Sandbox/pull/149. Thanks for any considerations, questions, comments, feedback, etc.
Cheers,
-Bill M.
-Bill Munyan
Technical Product Executive :: CIS-CAT
Security Controls & Automation
Center for Internet Security
(518) 880-0690
www.cisecurity.orghttp://www.cisecurity.org/
Follow us @CISecurity
This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited. Please notify the sender immediately and permanently delete the message and any attachments.
. . .
...
OVAL_Developer mailing list
OVAL_Developer@lists.cisecurity.orgmailto:OVAL_Developer@lists.cisecurity.org
http://lists.cisecurity.org/mailman/listinfo/oval_developer_lists.cisecurity.org
...
This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited. Please notify the sender immediately and permanently delete the message and any attachments.
. . .
...
...
This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited. Please notify the sender immediately and permanently delete the message and any attachments.
. . .
...
. . .
...
This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited. Please notify the sender immediately and permanently delete the message and any attachments.
. . .
...
Yes, I am in favor of reopening the discussion. ;-)
Kent Landfield
+1.817.637.8026
From: Adam Montville Adam.Montville@cisecurity.org
Date: Tuesday, August 23, 2016 at 2:40 PM
To: Kent Landfield kent.b.landfield@intel.com, William Munyan William.Munyan@cisecurity.org, David Solin solin@jovalcm.com
Cc: "oval_developer@lists.cisecurity.org" oval_developer@lists.cisecurity.org, Oval oval@cisecurity.org
Subject: Re: [OVAL DEVELOPER] Schema proposal for Docker
Hi Kent,
It seems that you are in favor of reopening this discussion. We agree (Bill originally created the test for a reason).
Bill indicated that he’d be happy to submit another PR containing that shellcommand_test. I say submit it, and let the discussion begin.
Do others have an opinion?
Adam
From: OVAL_Developer oval_developer-bounces@lists.cisecurity.org on behalf of "Landfield, Kent B" kent.b.landfield@intel.com
Date: Tuesday, August 23, 2016 at 2:16 PM
To: William Munyan William.Munyan@cisecurity.org, David Solin solin@jovalcm.com
Cc: "oval_developer@lists.cisecurity.org" oval_developer@lists.cisecurity.org, Adam Montville oval@cisecurity.org
Subject: Re: [OVAL DEVELOPER] Schema proposal for Docker
So why are we still thinking like this? There is history here with MITRE and positioning OVAL’s checking capabilities, but that never was the need of the language or the users. Customers have been asking for this flexibility for years and even when there was real movement in this direction, it was blocked by the Moderator. I am not faulting MITRE for doing things in their best interest but it really was counter to OVAL’s adoption.
If sites have something they are already running that is a capability OVAL does not have, why would you want to restrict them and not allow the flexibility this type of capability would provide? This has had the effect of inhibiting adoption since organizations have now spent a good deal of time and effort debugging something they cannot use with OVAL. Guess what happens… OVAL loses out.
As for the security concerns…. Let’s get real here. XCCDF has this kind of capability since the beginning and I have yet to hear of a site being compromised using this capability. That has been used as a red herring for just about as long…
Do others really want to not have a scripting capability?
Kent Landfield
+1.817.637.8026
From: William Munyan William.Munyan@cisecurity.org
Date: Friday, August 12, 2016 at 11:40 AM
To: Kent Landfield kent.b.landfield@intel.com, David Solin solin@jovalcm.com
Cc: "oval_developer@lists.cisecurity.org" oval_developer@lists.cisecurity.org, Oval oval@cisecurity.org
Subject: RE: [OVAL DEVELOPER] Schema proposal for Docker
Kent,
Sorry for any confusion here. There was a comment on the initial PR, requesting that the different schema proposals be separated out into individual PRs. I was having Git-related issues yesterday and as such had to redo some of my PRs.
Also, I am not 100% positive that I wanted to re-propose my shell command extension, as I understand people’s opposition to it, based on an intent of OVAL to abstract away the commands, and not allowing arbitrary commands to be executed on a system. I can certainly re-add the shell command extension as a separate PR in order to engage discussion on the topic, though.
Cheers,
-Bill M.
From: Landfield, Kent B [mailto:kent.b.landfield@intel.com]
Sent: Friday, August 12, 2016 12:34 PM
To: William Munyan; David Solin
Cc: oval_developer@lists.cisecurity.org; Oval
Subject: Re: [OVAL DEVELOPER] Schema proposal for Docker
Bill,
So why was the shellcommand_test supposed to be removed?
Kent Landfield
+1.817.637.8026
From: OVAL_Developer <oval_developer-bounces@lists.cisecurity.orgmailto:oval_developer-bounces@lists.cisecurity.org> on behalf of William Munyan <William.Munyan@cisecurity.orgmailto:William.Munyan@cisecurity.org>
Date: Thursday, August 11, 2016 at 2:31 PM
To: David Solin <solin@jovalcm.commailto:solin@jovalcm.com>
Cc: "oval_developer@lists.cisecurity.orgmailto:oval_developer@lists.cisecurity.org" <oval_developer@lists.cisecurity.orgmailto:oval_developer@lists.cisecurity.org>, Oval <oval@cisecurity.orgmailto:oval@cisecurity.org>
Subject: Re: [OVAL DEVELOPER] Schema proposal for Docker
David,
The shell command stuff and SUSE should have been removed as part of the commits/pull requests etc…. I had a request to separate out the SUSE, Shell Command stuff so I removed them. It is very possible I did something wrong via Git, but the only files in the PR should pertain to Docker.
Cheers,
-Bill M.
From: David Solin [mailto:solin@jovalcm.com]
Sent: Thursday, August 11, 2016 2:25 PM
To: William Munyan
Cc: Oval; oval_developer@lists.cisecurity.orgmailto:oval_developer@lists.cisecurity.org
Subject: Re: [OVAL DEVELOPER] Schema proposal for Docker
Hi Bill,
FYI, your pull request also contains a shellcommand_test (and I swear there were some SUSE tests but they seem to have disappeared?).
Best,
—David Solin
David A. Solin
Co-Founder, Research & Technology
solin@jovalcm.commailto:solin@jovalcm.com
[l Continuous Monitoring]http://jovalcm.com
[book] https://www.facebook.com/jovalcm [edin] https://www.linkedin.com/company/joval-continuous-monitoring
On Aug 11, 2016, at 1:14 PM, William Munyan <william.munyan@cisecurity.orgmailto:william.munyan@cisecurity.org> wrote:
OVAL Folks,
I have added a pull request to the OVAL Language Sandbox for an extension schema for Docker. The pull request can be found here -- https://github.com/OVALProject/Sandbox/pull/149. Thanks for any considerations, questions, comments, feedback, etc.
Cheers,
-Bill M.
-Bill Munyan
Technical Product Executive :: CIS-CAT
Security Controls & Automation
Center for Internet Security
(518) 880-0690
www.cisecurity.orghttp://www.cisecurity.org/
Follow us @CISecurity
This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited. Please notify the sender immediately and permanently delete the message and any attachments.
. . .
...
OVAL_Developer mailing list
OVAL_Developer@lists.cisecurity.orgmailto:OVAL_Developer@lists.cisecurity.org
http://lists.cisecurity.org/mailman/listinfo/oval_developer_lists.cisecurity.org
...
This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited. Please notify the sender immediately and permanently delete the message and any attachments.
. . .
...
...
This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited. Please notify the sender immediately and permanently delete the message and any attachments.
. . .
...
. . .
...
This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited. Please notify the sender immediately and permanently delete the message and any attachments.
. . .
...