oval_developer@lists.cisecurity.org

A list for people interested in developing the OVAL language.


Question about linux-sc:EntityItemRpmVerifyResultType

Greg Williams
Thu, Nov 3, 2016 2:55 PM

I'm working with OVAL probe code on Linux and have a question about the
meaning of the "not performed" value in
linux-sc:EntityItemRpmVerifyResultType.  The OVAL 5.11 spec for this type
says:

'not performed' indicates that a test could not be performed and is
equivalent to the '?' value reported by the rpm -V command.

However, there are several other reasons why a verification test might not
be performed:

  1. The object behaviors in the OVAL test might explicitly tell us not to
    perform a particular verification test.

  2. An rpm spec file will let you specify the verification behavior for a
    specific file via %verify.  For example, I ran into a case where a
    particular file was specified with '%verify(not md5 size mtime)' in the
    source rpm spec file, which means that rpm -V won't ever run those
    particular tests for that file.

In both those cases, the probe code I'm working with is returning 'not
performed' for the omitted tests, which makes logical sense.  However,
that doesn't actually match what the OVAL spec says.  In both cases, it is
not true that the test in question "couldn't be performed".  And also, rpm
-Vv does not return a '?' for the affected test in either of these cases.
Instead, you just get '.' which means the test "passed".

So I'm torn between returning a verify result that is actually correct
("not performed") vs. returning something that matches what rpm -Vv
returns ("pass").  Case #1 is a little more clear cut in my mind; "not
performed" seems correct in that case.  Case #2 is more ambiguous.  You
could argue that the spec file turns a verification test into a no-op in
that case, so "pass" is more appropriate.

Any advice on what the correct behavior would be for these cases?

Thanks in advance for any wisdom you can provide an OVAL novice like me.

- Greg

Greg Williams | Senior Software Engineer
TRIPWIRE | CONFIDENCE: SECURED
www.tripwire.com
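The mapping the post is asking about, written out as an added example (this is not code from the post, from Tripwire, or from any OVAL probe). It parses constructed rpm -V lines into per-test results using the three OVAL result strings, reads a %verify(...) spec directive to find the tests rpm will never run, and lets the caller choose between the two readings Greg describes for omitted tests: report them as "not performed" or as "pass". The nine-column flag order, the spec token names, and the behavior-name-to-test mapping are assumptions made here for the example.

```python
"""Parse rpm -V output into OVAL-style per-test verify results.

Added example, not from the mailing-list post or from any OVAL probe.
Assumptions (labelled): the nine-column flag layout of rpm -V, the three
OVAL result strings, and the %verify / behavior token names used below.
"""
import re

# Column order of the rpm -V flag string (assumed from rpm's documented
# layout: Size, Mode, md5/digest, Device, Link, User, Group, mTime, caPs).
# '.' = passed, '?' = could not be performed, any other char = failed.
RPM_V_COLUMNS = ("size", "mode", "md5", "device", "link",
                 "user", "group", "mtime", "caps")

# OVAL linux-sc:EntityItemRpmVerifyResultType values.
PASS, FAIL, NOT_PERFORMED = "pass", "fail", "not performed"

# One record: 9 flag chars, whitespace, optional attribute marker
# (c=config, d=doc, g=ghost, l=license, r=readme), whitespace, path.
_LINE_RE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.?]{9})\s+(?:(?P<attr>[cdglr])\s+)?(?P<path>/\S.*)$")
_MISSING_RE = re.compile(r"^missing\s+(?:(?P<attr>[cdglr])\s+)?(?P<path>/\S.*)$")


def parse_rpm_v_line(line):
    """Return (path, attr, {test: result}) for one rpm -V line.

    A 'missing' record yields results=None (no per-test data exists).
    Lines that are not rpm -V records (warnings etc.) return None.
    """
    line = line.strip()
    m = _MISSING_RE.match(line)
    if m:
        return m.group("path"), m.group("attr"), None
    m = _LINE_RE.match(line)
    if not m:
        return None
    results = {}
    for test, ch in zip(RPM_V_COLUMNS, m.group("flags")):
        if ch == ".":
            results[test] = PASS
        elif ch == "?":
            results[test] = NOT_PERFORMED   # the only case the 5.11 text names
        else:
            results[test] = FAIL
    return m.group("path"), m.group("attr"), results


# Spec-file %verify tokens -> column names (assumed mapping for this example;
# 'filedigest' is treated as a synonym for md5).
_SPEC_TOKEN_TO_TEST = {
    "owner": "user", "group": "group", "mode": "mode", "md5": "md5",
    "filedigest": "md5", "size": "size", "symlink": "link", "mtime": "mtime",
    "rdev": "device", "maj": "device", "min": "device", "caps": "caps",
}
_VERIFY_RE = re.compile(r"%verify\(\s*(not\s+)?([^)]*)\)")


def verify_directive_omissions(directive):
    """Return the set of tests a %verify(...) directive switches off.

    '%verify(not a b)' disables a and b; '%verify(a b)' enables only a and b,
    so every other test is disabled.
    """
    m = _VERIFY_RE.search(directive)
    if not m:
        raise ValueError("not a %verify(...) directive")
    named = set()
    for tok in m.group(2).split():
        if tok not in _SPEC_TOKEN_TO_TEST:
            raise ValueError(f"unknown %verify token {tok!r}")
        named.add(_SPEC_TOKEN_TO_TEST[tok])
    return named if m.group(1) else set(RPM_V_COLUMNS) - named


# OVAL rpmverifyfile object behaviors -> the test each one skips
# (behavior names assumed here for the example).
BEHAVIOR_TO_TEST = {"nosize": "size", "nomode": "mode", "nomd5": "md5",
                    "nordev": "device", "nolinkto": "link", "nouser": "user",
                    "nogroup": "group", "nomtime": "mtime", "nocaps": "caps"}


def apply_omissions(results, omitted_tests, omitted_result=NOT_PERFORMED):
    """Overlay tests that were never run (by behaviors or %verify).

    rpm -V prints '.' for such tests, which parse_rpm_v_line maps to PASS;
    the caller picks whether to report them as NOT_PERFORMED (what the
    post's probe code does) or PASS (what rpm -Vv shows).
    """
    out = dict(results)
    for test in omitted_tests:
        if test not in RPM_V_COLUMNS:
            raise ValueError(f"unknown verification test {test!r}")
        out[test] = omitted_result
    return out


if __name__ == "__main__":
    # Constructed sample: a modified config file whose spec carried
    # %verify(not md5 size mtime), so rpm shows '.' in those columns.
    path, attr, res = parse_rpm_v_line(".M.......  c /etc/example.conf")
    skipped = verify_directive_omissions("%verify(not md5 size mtime)")
    print(path, attr, apply_omissions(res, skipped))
    print(path, attr, apply_omissions(res, skipped, omitted_result=PASS))
```

With omitted_result left at its default the md5, size and mtime entries come back as "not performed"; passing omitted_result=PASS reproduces what rpm -Vv itself reports. Keeping that choice in one parameter means a probe can follow whichever reading the list settles on without touching the parser.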
