oval_developer@lists.cisecurity.org

A list for people interested in developing the OVAL language.


Clarification about priority entity

Prisaca, Dragos (Assoc)
Tue, Apr 12, 2016 10:39 PM

Hello,

According to the OVAL Unix System Characteristics schema (https://github.com/OVALProject/Language/blob/master/schemas/unix-system-characteristics-schema.xsd), the priority entity of a process58_item is defined as: "This is the scheduling priority with which the process runs. This can be adjusted with the nice command or nice() system call."
On RHEL systems, I believe the priority can be found in the "/proc/{pid}/stat" - item 18 (priority) which is defined as "For processes running a real-time scheduling policy (policy below; see sched_setscheduler(2)), this is the negated scheduling priority, minus one; that is, a number in the range -2 to -100, corresponding to real-time priorities 1 to 99.  For processes running under a non-real-time scheduling policy, this is the raw nice value (setpriority(2)) as represented in the kernel.  The kernel stores nice values as numbers in the range 0 (high) to 39 (low), corresponding to the user-visible nice range of -20 to 19."
If my understanding is correct, I would suggest to provide additional clarification in the OVAL specification to avoid any confusion.

A related issue on RHEL is regarding the ps command and Standard Format Specifiers. The same value stored in the stat file can be retrieved by running the command "ps -o priority {pid}", but 'ps -o pri {pid}' returns a different value. For instance, on RHEL6, the 'man ps' does not mention any of these standard format specifiers. Any thoughts?

Since the priority property is spread across all *nix systems, are other systems affected by this issue?

Any feedback is much appreciated!

Respectfully,
Dragos Prisaca
NVLAP Technical Expert
NIST SCAP Validation Program | http://scap.nist.gov/validation

...

David Solin
Thu, Apr 14, 2016 3:57 PM

Hi Dragos,

Thanks for bringing up this issue.

I can say that there appears to be no equivalent on AIX, HP-UX, Solaris, BSD or MacOSX to the ‘priority’ Standard Format Specifier.  The ps command on all versions of Unix (including Linux) does, however, have specifiers for both ‘pri’ (for priority) and ‘nice’.  The ‘nice’ identifier gives you a value that can be fed into the nice command.

On Linux it seems you can generally compute the ‘pri’, ‘nice’, and ‘priority’ values from one another (note, however, that many possible pri and priority values are out-of-range for ‘nice’, and also note that these conversions DO NOT HOLD for other Unix variants, or if it does, the rules seem to depend on the scheduling class):
nice = priority - 20
pri = 39 - priority

As you said, the OVAL specification isn’t very precise about what we are supposed to collect for the priority entity, it merely says:
“This is the scheduling priority with which the process runs. This can be adjusted with the nice command or nice() system call.”

To me, this suggests we should collect the ‘nice’ value.  That means sometimes it will be impossible to collect a value, as with certain system processes on Solaris (pids 0, 2 and 3), or processes with out-of-bounds values for nice.

OTOH, perhaps the ‘pri’ value would be more useful.  In the man page for ps on HP-UX, the specifier is described: “The priority of the process.  The meaning of the value depends on the process scheduling class…”  So, since the process_item also collects the scheduling class, perhaps it makes the most sense to collect the ‘pri’ specifier.  (Then again, there is apparently no such thing as a process scheduling class on MacOSX or BSD.)

Finally, we could come up with complicated rules about what value we should collect on which Unix variant, even potentially for what scheduling class, but that would be a horrible mess.

Does anyone else have any thoughts?

Best regards,
—David Solin

David A. Solin
Co-Founder, Research & Technology
solin@jovalcm.com
http://jovalcm.com/

> On Apr 12, 2016, at 5:39 PM, Prisaca, Dragos (Assoc) dragos.prisaca@nist.gov wrote:
>
> Hello,
>
> According to the OVAL Unix System Characteristics schema (https://github.com/OVALProject/Language/blob/master/schemas/unix-system-characteristics-schema.xsd), the priority entity of a process58_item is defined as: “This is the scheduling priority with which the process runs. This can be adjusted with the nice command or nice() system call.”
> On RHEL systems, I believe the priority can be found in the “/proc/{pid}/stat” - item 18 (priority) which is defined as “For processes running a real-time scheduling policy (policy below; see sched_setscheduler(2)), this is the negated scheduling priority, minus one; that is, a number in the range -2 to -100, corresponding to real-time priorities 1 to 99.  For processes running under a non-real-time scheduling policy, this is the raw nice value (setpriority(2)) as represented in the kernel.  The kernel stores nice values as numbers in the range 0 (high) to 39 (low), corresponding to the user-visible nice range of -20 to 19.”
> If my understanding is correct, I would suggest to provide additional clarification in the OVAL specification to avoid any confusion.
>
> A related issue on RHEL is regarding the ps command and Standard Format Specifiers. The same value stored in the stat file can be retrieved by running the command “ps -o priority {pid}”, but ‘ps -o pri {pid}’ returns a different value. For instance, on RHEL6, the ‘man ps’ does not mention any of these standard format specifiers. Any thoughts?
>
> Since the priority property is spread across all *nix systems, are other systems affected by this issue?
>
> Any feedback is much appreciated!
>
> Respectfully,
> Dragos Prisaca
> NVLAP Technical Expert
> NIST SCAP Validation Program | http://scap.nist.gov/validation
>
> ...
>
> OVAL_Developer mailing list
> OVAL_Developer@lists.cisecurity.org
> http://lists.cisecurity.org/mailman/listinfo/oval_developer_lists.cisecurity.org

...
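The Linux relationships discussed in the two messages above, as an added example that is not part of the thread and not code from any OVAL interpreter: it reads item 18 (priority) of a `/proc/{pid}/stat` line, applies the `nice = priority - 20` and `pri = 39 - priority` rules, and compares the derived nice with item 19 of the same line (the kernel-reported nice value, per proc(5)). The sample stat lines and all function and class names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# User-visible nice range, as quoted from proc(5) in the thread.
NICE_MIN, NICE_MAX = -20, 19


@dataclass
class LinuxPriority:
    pid: int
    comm: str
    priority: int         # stat item 18; the value the thread says `ps -o priority` shows
    pri: int              # thread's rule: pri = 39 - priority
    nice: Optional[int]   # thread's rule: nice = priority - 20; None when out of range
    kernel_nice: int      # stat item 19, the nice value reported by the kernel


def parse_stat_priority(stat_line: str) -> LinuxPriority:
    """Extract the priority-related items from one /proc/{pid}/stat line."""
    # Item 2 (comm) is wrapped in parentheses and may itself contain spaces
    # or ')', so find it by the first '(' and the LAST ')' rather than by
    # splitting the whole line on whitespace.
    lpar = stat_line.index("(")
    rpar = stat_line.rindex(")")
    pid = int(stat_line[:lpar])
    comm = stat_line[lpar + 1:rpar]
    rest = stat_line[rpar + 1:].split()  # rest[0] is item 3 (state)
    if len(rest) < 17:
        raise ValueError("stat line too short to contain items 18 and 19")
    priority = int(rest[18 - 3])
    kernel_nice = int(rest[19 - 3])

    # Real-time policies store a negative number in item 18, so the derived
    # nice lands outside -20..19: the "out-of-range" case raised in the thread.
    derived = priority - 20
    nice = derived if NICE_MIN <= derived <= NICE_MAX else None
    return LinuxPriority(pid, comm, priority, 39 - priority, nice, kernel_nice)


def formula_holds(p: LinuxPriority) -> bool:
    """True when the derived nice equals the nice value in stat item 19."""
    return p.nice is not None and p.nice == p.kernel_nice


# Constructed sample lines (truncated after item 22), not captured from a host.
SAMPLE_DEFAULT = "1234 (bash) S 1 1234 1234 34816 1234 4194304 100 0 0 0 5 3 0 0 20 0 1 0 12345"
SAMPLE_ODD_COMM = "4321 (my (odd) proc) S 1 4321 4321 0 -1 4194304 10 0 0 0 1 1 0 0 30 10 1 0 222"
SAMPLE_REALTIME = "7 (migration/0) S 2 0 0 0 -1 69238848 0 0 0 0 0 0 0 0 -100 0 1 0 5"

if __name__ == "__main__":
    for line in (SAMPLE_DEFAULT, SAMPLE_ODD_COMM, SAMPLE_REALTIME):
        p = parse_stat_priority(line)
        print(p, "formula holds" if formula_holds(p) else "nice not derivable")
```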

Darren J Moffat
Thu, Apr 14, 2016 4:14 PM

On 04/14/16 16:57, David Solin wrote:

> I can say that there appears to be no equivalent on AIX, HP-UX, Solaris,
> BSD or MacOSX to the ‘priority’ Standard Format Specifier.  The ps
> command on all versions of Unix (including Linux) does, however, have
> specifiers for both ‘pri’ (for priority) and ‘nice’.  The ‘nice’
> identifier gives you a value that can be fed into the nice command.
>
> On Linux it seems you can generally compute the ‘pri’, ‘nice’, and
> ‘priority’ values from one another (note, however, that many possible
> pri and priority values are out-of-range for ‘nice’, and also note that
> these conversions DO NOT HOLD for other Unix variants, or if it does,
> the rules seem to depend on the scheduling class):
> nice = priority - 20
> pri = 39 - priority

Solaris has distinct priority and nice values. It also has many
different scheduling classes.

Below is some trimmed output from my Solaris desktop system.  Note that
there are different priorities, and nice values as well as multiple
different scheduling classes in use.

$ps -o class,pri,nice,comm -efa
CLS PRI NI COMMAND
SYS  96 SY sched
SDC  99 SD zpool-rpool
SDC  99 SD kmem_task
TS  59 20 /usr/sbin/init
SYS  98 SY pageout
TS  59 20 /usr/sbin/console-kit-daemon
TS  59 20 /lib/svc/bin/svc.startd
TS  59 20 /lib/svc/bin/svc.configd
TS  59 20 /usr/lib/pfexecd
FX  60  0 /lib/crypto/kcfd
TS  59 20 /usr/sbin/sysobjd
TS  59 20 /usr/sbin/ibmgmtd
IA  59 20 /usr/lib/gvfsd
IA  59 20 /opt/onbld/bin/i386/cscope-fast
IA  59 20 /bin/zsh
IA  59 20 ssh
IA  48 20 vi

--
Darren J Moffat

...

David Solin
Thu, Apr 14, 2016 4:22 PM

Indeed, Darren — what do you think an OVAL interpreter should collect for the unix-sc:process_item/priority?

> On Apr 14, 2016, at 11:14 AM, Darren J Moffat Darren.Moffat@ORACLE.COM wrote:
>
> On 04/14/16 16:57, David Solin wrote:
>> I can say that there appears to be no equivalent on AIX, HP-UX, Solaris,
>> BSD or MacOSX to the ‘priority’ Standard Format Specifier.  The ps
>> command on all versions of Unix (including Linux) does, however, have
>> specifiers for both ‘pri’ (for priority) and ‘nice’.  The ‘nice’
>> identifier gives you a value that can be fed into the nice command.
>>
>> On Linux it seems you can generally compute the ‘pri’, ‘nice’, and
>> ‘priority’ values from one another (note, however, that many possible
>> pri and priority values are out-of-range for ‘nice’, and also note that
>> these conversions DO NOT HOLD for other Unix variants, or if it does,
>> the rules seem to depend on the scheduling class):
>> nice = priority - 20
>> pri = 39 - priority
>
> Solaris has distinct priority and nice values. It also has many different scheduling classes.
>
> Below is some trimmed output from my Solaris desktop system.  Note that there are different priorities, and nice values as well as multiple different scheduling classes in use.
>
> $ps -o class,pri,nice,comm -efa
> CLS PRI NI COMMAND
> SYS  96 SY sched
> SDC  99 SD zpool-rpool
> SDC  99 SD kmem_task
> TS  59 20 /usr/sbin/init
> SYS  98 SY pageout
> TS  59 20 /usr/sbin/console-kit-daemon
> TS  59 20 /lib/svc/bin/svc.startd
> TS  59 20 /lib/svc/bin/svc.configd
> TS  59 20 /usr/lib/pfexecd
> FX  60  0 /lib/crypto/kcfd
> TS  59 20 /usr/sbin/sysobjd
> TS  59 20 /usr/sbin/ibmgmtd
> IA  59 20 /usr/lib/gvfsd
> IA  59 20 /opt/onbld/bin/i386/cscope-fast
> IA  59 20 /bin/zsh
> IA  59 20 ssh
> IA  48 20 vi
>
> --
> Darren J Moffat

Darren J Moffat
Thu, Apr 14, 2016 4:39 PM

On 04/14/16 17:22, David Solin wrote:

> Indeed, Darren — what do you think an OVAL interpreter should collect for the unix-sc:process_item/priority?

For Solaris it should collect the priority field from ps(1):

 PRI(l)

   The priority of the process. Without the -c option, higher numbers
   mean lower priority. With the -c option, higher numbers mean
   higher priority.

If the interpreter is actually using the proc file system rather than
running the ps command then it should look at the pr_pri field of the
lwps_info_t structure for the process.

--
Darren J Moffat

...

David Solin
Sat, Apr 23, 2016 2:15 AM

Hi Darren,

So, it seems from what you and Dragos are saying, using the ps command, the ‘priority’ field on Linux, and the ‘pri’ field on all other Unix flavors should be the right value to collect.  (For some unknown reason, there being a difference between ‘pri’ and ‘priority’, which is available on Linux alone).

Does that seem like the consensus?  I’d love for an AIX and HP-UX authority (i.e., from IBM and HP, respectively) to weigh in.

Thanks,
—David A. Solin
Co-Founder, Research & Technology
solin@jovalcm.com

> On Apr 14, 2016, at 11:39 AM, Darren J Moffat Darren.Moffat@ORACLE.COM wrote:
>
> On 04/14/16 17:22, David Solin wrote:
>> Indeed, Darren — what do you think an OVAL interpreter should collect for the unix-sc:process_item/priority?
>
> For Solaris it should collect the priority field from ps(1):
>
> PRI(l)
>
>   The priority of the process. Without the -c option, higher numbers
>   mean lower priority. With the -c option, higher numbers mean
>   higher priority.
>
> If the interpreter is actually using the proc file system rather than running the ps command then it should look at the pr_pri field of the lwps_info_t structure for the process.
>
> --
> Darren J Moffat

...

Gunnar Engelbach
Sat, Apr 23, 2016 3:31 AM

The second answer, from Anton, gives a decent explanation of the difference
between priority and nice, which is a good place to start:

http://superuser.com/questions/203657/difference-between-nice-value-and-priority-in-the-top-output

On Tue, Apr 12, 2016 at 3:39 PM, Prisaca, Dragos (Assoc) <dragos.prisaca@nist.gov> wrote:

> Hello,
>
> According to the OVAL Unix System Characteristics schema (
> https://github.com/OVALProject/Language/blob/master/schemas/unix-system-characteristics-schema.xsd),
> the priority entity of a process58_item is defined as: “This is the
> scheduling priority with which the process runs. This can be adjusted with
> the nice command or nice() system call.”
> On RHEL systems, I believe the priority can be found in the
> “/proc/{pid}/stat” - item 18 (priority) which is defined as “For processes
> running a real-time scheduling policy (policy below; see
> sched_setscheduler(2)), this is the negated scheduling priority, minus one;
> that is, a number in the range -2 to -100, corresponding to real-time
> priorities 1 to 99.  For processes running under a non-real-time scheduling
> policy, this is the raw nice value (setpriority(2)) as represented in the
> kernel.  The kernel stores nice values as numbers in the range 0 (high) to
> 39 (low), corresponding to the user-visible nice range of -20 to 19.”
> If my understanding is correct, I would suggest to provide additional
> clarification in the OVAL specification to avoid any confusion.
>
> A related issue on RHEL is regarding the ps command and Standard Format
> Specifiers. The same value stored in the stat file can be retrieved by running
> the command “ps -o priority {pid}”, but ‘ps -o pri {pid}’ returns a
> different value. For instance, on RHEL6, the ‘man ps’ does not mention any
> of these standard format specifiers. Any thoughts?
>
> Since the priority property is spread across all *nix systems, are other
> systems affected by this issue?
>
> Any feedback is much appreciated!
>
> Respectfully,
>
> Dragos Prisaca
>
> NVLAP Technical Expert
>
> NIST SCAP Validation Program | http://scap.nist.gov/validation
