oval_developer@lists.cisecurity.org

A list for people interested in developing the OVAL language.


Proposal: x-win-def:junction_test

David Solin
Wed, Mar 9, 2016 8:44 PM

Hi Everyone,

I’m working on a new test for Windows junctions (similar to Unix symlinks) that’s analogous to the unix-def:symlink_test.  Please see the attached schema and test content.

I’d also like to add a @recurse attribute to win-def:FileBehaviors, with the options “directories”, “junctions and directories”, “junctions” (default of “directories”).

Any questions, comments, or thoughts?

Thanks,
—David Solin

David A. Solin
Co-Founder, Research & Technology
solin@jovalcm.com
http://jovalcm.com/
https://www.facebook.com/jovalcm
https://www.linkedin.com/company/joval-continuous-monitoring

David Solin
Thu, Mar 10, 2016 2:49 PM

Along these lines, we should also deprecate the FILE_ATTRIBUTE_DIRECTORY entry in the Entity{State/Item}FileTypeType (the win-sc:file_item/type should instead have a “does not exist” flag for directories), and we should add a separate entity (minOccurs=0, maxOccurs=unlimited) to hold the file attributes, making this new entity an enumerated type that contains all the possible attribute values.

This may have a minimal impact on existing content.  Searching through the repository, I found no instances of FILE_ATTRIBUTE_DIRECTORY in any of the existing states.

I will create a hypothetical 5.11.1:1.2 version of the Windows schema to illustrate these changes…

David A. Solin
Co-Founder, Research & Technology
solin@jovalcm.com
http://jovalcm.com/
https://www.facebook.com/jovalcm
https://www.linkedin.com/company/joval-continuous-monitoring

On Mar 9, 2016, at 2:44 PM, David Solin <solin@jovalcm.com> wrote:

> Hi Everyone,
>
> I’m working on a new test for Windows junctions (similar to Unix symlinks) that’s analogous to the unix-def:symlink_test.  Please see the attached schema and test content.
>
> I’d also like to add a @recurse attribute to win-def:FileBehaviors, with the options “directories”, “junctions and directories”, “junctions” (default of “directories”).
>
> Any questions, comments, or thoughts?
>
> Thanks,
> —David Solin
>
> David A. Solin
> Co-Founder, Research & Technology
> solin@jovalcm.com
> http://jovalcm.com/
> https://www.facebook.com/jovalcm
> https://www.linkedin.com/company/joval-continuous-monitoring
> <x-windows-system-characteristics-schema.xsd>
> <win-def_junction_test.xml>
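
The two messages above propose a @recurse behavior and a multi-valued file-attribute entity; the following is an added example, not part of the original posts or the attached schema, that models both on a constructed in-memory tree. The meaning given to each @recurse value, the rule that the starting path is always expanded, and the names `collect`, `kind` and `attribute_names` are assumptions made for illustration.

```python
# Added illustration: not the proposed schema and not any OVAL interpreter's code.
ATTRS = {  # Windows API file attribute constants (subset)
    0x01: "FILE_ATTRIBUTE_READONLY", 0x02: "FILE_ATTRIBUTE_HIDDEN",
    0x10: "FILE_ATTRIBUTE_DIRECTORY", 0x20: "FILE_ATTRIBUTE_ARCHIVE",
    0x400: "FILE_ATTRIBUTE_REPARSE_POINT",
}
# Assumed meaning of the three proposed @recurse values.
FOLLOW = {
    "directories": {"directory"},
    "junctions": {"junction"},
    "junctions and directories": {"junction", "directory"},
}
# Constructed tree: real path -> (attribute bits, junction target, child names)
TREE = {
    r"C:\app": (0x10, None, ["bin", "logs"]),
    r"C:\app\bin": (0x10, None, ["tool.exe"]),
    r"C:\app\bin\tool.exe": (0x20, None, []),
    r"C:\app\logs": (0x410, r"D:\logs", []),
    r"D:\logs": (0x10, None, ["a.log", "back"]),
    r"D:\logs\a.log": (0x20, None, []),
    r"D:\logs\back": (0x410, r"C:\app", []),  # junction loop back to the root
}

def attribute_names(bits):
    """One value per set flag, as a multi-valued attribute entity would hold."""
    return [name for flag, name in sorted(ATTRS.items()) if bits & flag]

def kind(bits):
    # Simplification: a real collector also checks the reparse tag
    # (IO_REPARSE_TAG_MOUNT_POINT) to tell junctions from directory symlinks.
    if bits & 0x400 and bits & 0x10:
        return "junction"
    return "directory" if bits & 0x10 else "file"

def collect(root, recurse="directories"):
    """Return the logical paths visited from root under a @recurse setting."""
    follow, found, seen, stack = FOLLOW[recurse], [], set(), [(root, root)]
    while stack:
        logical, real = stack.pop()
        bits, target, children = TREE[real]
        found.append(logical)
        k = kind(bits)
        if k == "file" or (logical != root and k not in follow):
            continue
        if k == "junction":
            real, children = target, TREE[target][2]
        if real in seen:  # already expanded: stops junction loops
            continue
        seen.add(real)
        stack.extend((f"{logical}\\{c}", f"{real}\\{c}") for c in children)
    return sorted(found)
```

A junction carries both the directory and reparse-point bits, which is why a single-valued file type cannot describe it, and following junctions needs loop detection because a junction can point back at one of its own ancestors.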

Vanderpol, Jack R CIV USN SPAWARSYSCEN LANT SC (US)
Mon, Mar 14, 2016 12:51 PM

Thanks David, unfortunately the DOD prevents all .xml file attachments.  Do we have a place on github (or some other online resource) that we could use for sharing data and archiving for future reference?

Sincerely,
Jack Vander Pol

BLOCKED FILE ALERT

A file has been blocked due to the 'Level 1 File Types' rule.
Context: 'win-def_junction_test.xml'
Disallowed due to filename
Ticket Number: '0d24-56e0-8b80-0001'
See your system administrator for further information. Copyright 1999-2013 McAfee, Inc. All Rights Reserved. http://www.mcafee.com

-----Original Message-----
From: OVAL_Developer [mailto:oval_developer-bounces@lists.cisecurity.org] On Behalf Of David Solin
Sent: Wednesday, March 09, 2016 3:44 PM
To: oval_developer@lists.cisecurity.org
Subject: [Non-DoD Source] [OVAL DEVELOPER] Proposal: x-win-def:junction_test

All active links contained in this email were disabled. Please verify the identity of the sender, and confirm the authenticity of all links contained within the message prior to copying and pasting the address to a Web browser.


Hi Everyone,

I’m working on a new test for Windows junctions (similar to Unix symlinks) that’s analogous to the unix-def:symlink_test.  Please see the attached schema and test content.

I’d also like to add a @recurse attribute to win-def:FileBehaviors, with the options “directories”, “junctions and directories”, “junctions” (default of “directories”).

Any questions, comments, or thoughts?

Thanks,
—David Solin

David A. Solin
Co-Founder, Research & Technology
solin@jovalcm.com < Caution-mailto:solin@jovalcm.com >

[Joval Continuous Monitoring] < Caution-http://jovalcm.com >

[Facebook]  < Caution-https://www.facebook.com/jovalcm > [Linkedin]  < Caution-https://www.linkedin.com/company/joval-continuous-monitoring >
