A list for people interested in developing the OVAL language.
I'm working with OVAL probe code on Linux and have a question about the meaning of the "not performed" value in linux-sc:EntityItemRpmVerifyResultType. The OVAL 5.11 spec for this type says:

'not performed' indicates that a test could not be performed and is equivalent to the '?' value reported by the rpm -V command.

However, there are several other reasons why a verification test might not be performed:

1. The object behaviors in the OVAL test might explicitly tell us not to perform a particular verification test.

2. An rpm spec file will let you specify the verification behavior for a specific file via %verify. For example, I ran into a case where a particular file was specified with '%verify(not md5 size mtime)' in the source rpm spec file, which means that rpm -V won't ever run those particular tests for that file.

In both those cases, the probe code I'm working with is returning 'not performed' for the omitted tests, which makes logical sense. However, that doesn't actually match what the OVAL spec says. In both cases, it is not true that the test in question "couldn't be performed". And also, rpm -Vv does not return a '?' for the affected test in either of these cases. Instead, you just get '.' which means the test "passed".

So I'm torn between returning a verify result that is actually correct ("not performed") vs. returning something that matches what rpm -Vv returns ("pass"). Case #1 is a little more clear cut in my mind; "not performed" seems correct in that case. Case #2 is more ambiguous. You could argue that the spec file turns a verification test into a no-op in that case, so "pass" is more appropriate.

Any advice on what the correct behavior would be for these cases?

Thanks in advance for any wisdom you can provide an OVAL novice like me.
Greg Williams | Senior Software Engineer
TRIPWIRE | CONFIDENCE: SECURED
www.tripwire.com
...