oval_developer@lists.cisecurity.org

A list for people interested in developing the OVAL language.

View all threads

help with manipulation of local variables

VP
Vojtech Polasek
Sun, Jan 17, 2021 6:38 PM

Hello,

I would appreciate some advice on manipulating local_variable components.

What I am trying to achieve is:

  1. as an input, take a variable containing some strings delimited with
    commas

  2. split the variable so that I get individual strings (commas go away)

  3. perform some modification of each string individually

  4. and now glue it back together so that the resulting variable is one
    string

I have problem with the step 4. I managed to perform the rest but I
can't find a way how to produce a variable (string) from a variable
which has multiple values.

Is this even possible?

Here is a snippet so that you have an idea what it is about. Basically I
am trying to create a regular expression based on input variable.

<local_variable id="var_sshd_approved_ciphers_splitted"
datatype="string" version="1" comment="approved ciphers values splitted
on comma">
    <split delimiter=",">
      <variable_component var_ref="sshd_approved_ciphers" />
    </split>
  </local_variable>

  <local_variable id="var_sshd_approved_ciphers_splitted_with_begining"
datatype="string" version="1" comment="bla">
    <begin character="(">
      <variable_component var_ref="var_sshd_approved_ciphers_splitted"/>
    </begin>
  </local_variable>

  <local_variable
id="var_sshd_approved_ciphers_splitted_with_begining_and_end"
datatype="string" version="1" comment="bla">
    <end character="(?=,\w+|$),?)?">
      <variable_component
var_ref="var_sshd_approved_ciphers_splitted_with_begining"/>
    </end>
  </local_variable>

  <local_variable id="var_sshd_approved_ciphers_splitted_and_joined"
datatype="string" version="1" comment="bla">
    <concat>
      <literal_component></literal_component>
      <variable_component
var_ref="var_sshd_approved_ciphers_splitted_with_begining_and_end"/>
    </concat>
  </local_variable>

  <local_variable id="var_sshd_use_approved_ciphers_final_regex"
datatype="string" version="1" comment="bla">
    <concat>
      <literal_component>^</literal_component>
      <variable_component
var_ref="var_sshd_approved_ciphers_splitted_and_joined"/>
      <literal_component>$</literal_component>
    </concat>
  </local_variable>

This is the result when I use this oval in Openscap:

I: oscap:     Variable
'oval:ssg-var_sshd_use_approved_ciphers_final_regex:var:1' has values
"^(aes128-ctr(?=,\w+|$),?)?$", "^(aes192-ctr(?=,\w+|$),?)?$",
"^(aes256-ctr(?=,\w+|$),?)?$", "^(aes128-cbc(?=,\w+|$),?)?$",
"^(3des-cbc(?=,\w+|$),?)?$", "^(aes192-cbc(?=,\w+|$),?)?$",
"^(aes256-cbc(?=,\w+|$),?)?$",
"^(rijndael-cbc@lysator.liu.se(?=,\w+|$),?)?$".
[oscap(9756):unknown(7feb8c425880):oval_variable.c:513:_dump_variable_values]

Any ideas please?

Thank you very much.

--

Vojtech Polasek

Software engineer, security compliance

Red Hat https://www.redhat.com

vpolasek@redhat.com mailto:vpolasek@redhat.com

https://www.redhat.com

Hello, I would appreciate some advice on manipulating local_variable components. What I am trying to achieve is: 1. as an input, take a variable containing some strings delimited with commas 2. split the variable so that I get individual strings (commas go away) 3. perform some modification of each string individually 4. and now glue it back together so that the resulting variable is one string I have problem with the step 4. I managed to perform the rest but I can't find a way how to produce a variable (string) from a variable which has multiple values. Is this even possible? Here is a snippet so that you have an idea what it is about. Basically I am trying to create a regular expression based on input variable. ### <local_variable id="var_sshd_approved_ciphers_splitted" datatype="string" version="1" comment="approved ciphers values splitted on comma">     <split delimiter=",">       <variable_component var_ref="sshd_approved_ciphers" />     </split>   </local_variable>   <local_variable id="var_sshd_approved_ciphers_splitted_with_begining" datatype="string" version="1" comment="bla">     <begin character="(">       <variable_component var_ref="var_sshd_approved_ciphers_splitted"/>     </begin>   </local_variable>   <local_variable id="var_sshd_approved_ciphers_splitted_with_begining_and_end" datatype="string" version="1" comment="bla">     <end character="(?=,\w+|$),?)?">       <variable_component var_ref="var_sshd_approved_ciphers_splitted_with_begining"/>     </end>   </local_variable>   <local_variable id="var_sshd_approved_ciphers_splitted_and_joined" datatype="string" version="1" comment="bla">     <concat>       <literal_component></literal_component>       <variable_component var_ref="var_sshd_approved_ciphers_splitted_with_begining_and_end"/>     </concat>   </local_variable>   <local_variable id="var_sshd_use_approved_ciphers_final_regex" datatype="string" version="1" comment="bla">     <concat>       <literal_component>^</literal_component>       <variable_component var_ref="var_sshd_approved_ciphers_splitted_and_joined"/>       <literal_component>$</literal_component>     </concat>   </local_variable> ### This is the result when I use this oval in Openscap: I: oscap:     Variable 'oval:ssg-var_sshd_use_approved_ciphers_final_regex:var:1' has values "^(aes128-ctr(?=,\w+|$),?)?$", "^(aes192-ctr(?=,\w+|$),?)?$", "^(aes256-ctr(?=,\w+|$),?)?$", "^(aes128-cbc(?=,\w+|$),?)?$", "^(3des-cbc(?=,\w+|$),?)?$", "^(aes192-cbc(?=,\w+|$),?)?$", "^(aes256-cbc(?=,\w+|$),?)?$", "^(rijndael-cbc@lysator.liu.se(?=,\w+|$),?)?$". [oscap(9756):unknown(7feb8c425880):oval_variable.c:513:_dump_variable_values] Any ideas please? Thank you very much. -- Vojtech Polasek Software engineer, security compliance Red Hat <https://www.redhat.com> vpolasek@redhat.com <mailto:vpolasek@redhat.com> <https://www.redhat.com>
DS
David Solin
Sun, Jan 17, 2021 7:31 PM

Step 4 is not possible in OVAL.  Everything multi-valued becomes a Cartesian product, and there is no way to re-combine multiple values into one again.

Is there an operation you can perform on the individual strings, such as: the cipher must match at least one of these patterns?  It is possible to do that.

On Jan 17, 2021, at 12:38 PM, Vojtech Polasek vpolasek@redhat.com wrote:

Hello,

I would appreciate some advice on manipulating local_variable components.

What I am trying to achieve is:

  1. as an input, take a variable containing some strings delimited with commas

  2. split the variable so that I get individual strings (commas go away)

  3. perform some modification of each string individually

  4. and now glue it back together so that the resulting variable is one string

I have problem with the step 4. I managed to perform the rest but I can't find a way how to produce a variable (string) from a variable which has multiple values.

Is this even possible?

Here is a snippet so that you have an idea what it is about. Basically I am trying to create a regular expression based on input variable.

<local_variable id="var_sshd_approved_ciphers_splitted" datatype="string" version="1" comment="approved ciphers values splitted on comma">
<split delimiter=",">
<variable_component var_ref="sshd_approved_ciphers" />
</split>
</local_variable>

<local_variable id="var_sshd_approved_ciphers_splitted_with_begining" datatype="string" version="1" comment="bla">
<begin character="(">
<variable_component var_ref="var_sshd_approved_ciphers_splitted"/>
</begin>
</local_variable>

<local_variable id="var_sshd_approved_ciphers_splitted_with_begining_and_end" datatype="string" version="1" comment="bla">
<end character="(?=,\w+|$),?)?">
<variable_component var_ref="var_sshd_approved_ciphers_splitted_with_begining"/>
</end>
</local_variable>

<local_variable id="var_sshd_approved_ciphers_splitted_and_joined" datatype="string" version="1" comment="bla">
<concat>
<literal_component></literal_component>
<variable_component var_ref="var_sshd_approved_ciphers_splitted_with_begining_and_end"/>
</concat>
</local_variable>

<local_variable id="var_sshd_use_approved_ciphers_final_regex" datatype="string" version="1" comment="bla">
<concat>
<literal_component>^</literal_component>
<variable_component var_ref="var_sshd_approved_ciphers_splitted_and_joined"/>
<literal_component>$</literal_component>
</concat>
</local_variable>

This is the result when I use this oval in Openscap:

I: oscap:    Variable 'oval:ssg-var_sshd_use_approved_ciphers_final_regex:var:1' has values "^(aes128-ctr(?=,\w+|$),?)?$", "^(aes192-ctr(?=,\w+|$),?)?$", "^(aes256-ctr(?=,\w+|$),?)?$", "^(aes128-cbc(?=,\w+|$),?)?$", "^(3des-cbc(?=,\w+|$),?)?$", "^(aes192-cbc(?=,\w+|$),?)?$", "^(aes256-cbc(?=,\w+|$),?)?$", "^(rijndael-cbc@lysator.liu.se(?=,\w+|$),?)?$" mailto:^(rijndael-cbc@lysator.liu.se(?=,\w+|$),?)?$. [oscap(9756):unknown(7feb8c425880):oval_variable.c:513:_dump_variable_values]

Any ideas please?

Thank you very much.

--
Vojtech Polasek
Software engineer, security compliance
Red Hat  https://www.redhat.com/
vpolasek@redhat.com mailto:vpolasek@redhat.com
https://www.redhat.com/_______________________________________________
OVAL_Developer mailing list
OVAL_Developer@lists.cisecurity.org mailto:OVAL_Developer@lists.cisecurity.org
http://lists.cisecurity.org/mailman/listinfo/oval_developer_lists.cisecurity.org http://lists.cisecurity.org/mailman/listinfo/oval_developer_lists.cisecurity.org

Step 4 is not possible in OVAL. Everything multi-valued becomes a Cartesian product, and there is no way to re-combine multiple values into one again. Is there an operation you can perform on the individual strings, such as: the cipher must match at least one of these patterns? It is possible to do that. > On Jan 17, 2021, at 12:38 PM, Vojtech Polasek <vpolasek@redhat.com> wrote: > > Hello, > > I would appreciate some advice on manipulating local_variable components. > > What I am trying to achieve is: > > 1. as an input, take a variable containing some strings delimited with commas > > 2. split the variable so that I get individual strings (commas go away) > > 3. perform some modification of each string individually > > 4. and now glue it back together so that the resulting variable is one string > > I have problem with the step 4. I managed to perform the rest but I can't find a way how to produce a variable (string) from a variable which has multiple values. > > Is this even possible? > > Here is a snippet so that you have an idea what it is about. Basically I am trying to create a regular expression based on input variable. > > > > ### > > <local_variable id="var_sshd_approved_ciphers_splitted" datatype="string" version="1" comment="approved ciphers values splitted on comma"> > <split delimiter=","> > <variable_component var_ref="sshd_approved_ciphers" /> > </split> > </local_variable> > > <local_variable id="var_sshd_approved_ciphers_splitted_with_begining" datatype="string" version="1" comment="bla"> > <begin character="("> > <variable_component var_ref="var_sshd_approved_ciphers_splitted"/> > </begin> > </local_variable> > > <local_variable id="var_sshd_approved_ciphers_splitted_with_begining_and_end" datatype="string" version="1" comment="bla"> > <end character="(?=,\w+|$),?)?"> > <variable_component var_ref="var_sshd_approved_ciphers_splitted_with_begining"/> > </end> > </local_variable> > > <local_variable id="var_sshd_approved_ciphers_splitted_and_joined" datatype="string" version="1" comment="bla"> > <concat> > <literal_component></literal_component> > <variable_component var_ref="var_sshd_approved_ciphers_splitted_with_begining_and_end"/> > </concat> > </local_variable> > > <local_variable id="var_sshd_use_approved_ciphers_final_regex" datatype="string" version="1" comment="bla"> > <concat> > <literal_component>^</literal_component> > <variable_component var_ref="var_sshd_approved_ciphers_splitted_and_joined"/> > <literal_component>$</literal_component> > </concat> > </local_variable> > ### > > > > This is the result when I use this oval in Openscap: > > I: oscap: Variable 'oval:ssg-var_sshd_use_approved_ciphers_final_regex:var:1' has values "^(aes128-ctr(?=,\w+|$),?)?$", "^(aes192-ctr(?=,\w+|$),?)?$", "^(aes256-ctr(?=,\w+|$),?)?$", "^(aes128-cbc(?=,\w+|$),?)?$", "^(3des-cbc(?=,\w+|$),?)?$", "^(aes192-cbc(?=,\w+|$),?)?$", "^(aes256-cbc(?=,\w+|$),?)?$", "^(rijndael-cbc@lysator.liu.se(?=,\w+|$),?)?$" <mailto:^(rijndael-cbc@lysator.liu.se(?=,\w+|$),?)?$>. [oscap(9756):unknown(7feb8c425880):oval_variable.c:513:_dump_variable_values] > > > > Any ideas please? > > Thank you very much. > > > > -- > Vojtech Polasek > Software engineer, security compliance > Red Hat  <https://www.redhat.com/> > vpolasek@redhat.com <mailto:vpolasek@redhat.com> > <https://www.redhat.com/>_______________________________________________ > OVAL_Developer mailing list > OVAL_Developer@lists.cisecurity.org <mailto:OVAL_Developer@lists.cisecurity.org> > http://lists.cisecurity.org/mailman/listinfo/oval_developer_lists.cisecurity.org <http://lists.cisecurity.org/mailman/listinfo/oval_developer_lists.cisecurity.org>