oval_developer@lists.cisecurity.org
A list for people interested in developing the OVAL language.
View all threadsUpdate to OVAL 5.11.2 - Addition of appcmd_test and appcmdlistconfig_test for Microsoft Internet Information Server (IIS)
SPAWAR is presenting proposals for two new OVAL tests for the Windows Operating System. Specifically two new test to gather settings for Internet Information Servers (IIS) Web Server Application.
OVAL 5.11.2 lacks a robust, straight-forward, and efficient mechanism to query Microsoft Internet Information Server (versions 7.0 – 10) configuration settings. The existing OVAL cmdlet test is inadequate as it fails to provide adequate data resolution. For instance, if an Internet Information Server (IIS) installation hosts multiple websites, the cmdlet test results do not enable the user to determine from which website a reported setting was collected.
The Microsoft AppCmd.exe application is the primary method for querying and managing IIS servers. We propose two new OVAL tests, the appcmd and appcmdlistconfig tests to query IIS data using AppCmd.exe. This email includes proposals covering the appcmd test and appcmdlistconfig test.
Please review attached pdf files regarding additions to OVAL 5.11.2. Also included in this email are two change2zip files (update extension of file to .zip), one to accompany each PDF file.
V/R
Bryan Wilson
SPAWAR Systems Center Atlantic
Bryan.L.Wilson@navy.mil
...
Bryan,
Thanks for this proposal, I look forward to diving a little deeper into it soon. Have you taken a look at the proposed IIS schema extension that CIS put into the OVAL Language sandbox? The tests included in there might be something useful as well. I'm happy to go over any of the schema elements; perhaps we can integrate our two proposals?
https://github.com/OVALProject/Sandbox/blob/master/x-iis78-schema.xsd
https://github.com/OVALProject/Sandbox/blob/master/x-iis78-system-characteristics-schema.xsd
Cheers,
-Bill M (CIS)
-----Original Message-----
From: OVAL_Developer [mailto:oval_developer-bounces@lists.cisecurity.org] On Behalf Of Wilson, Bryan L CIV USN SPAWARSYSCEN LANT SC (US)
Sent: Friday, March 24, 2017 10:35 AM
To: OVAL Developer List oval_developer@lists.cisecurity.org
Subject: [OVAL DEVELOPER] Update to OVAL 5.11.2 - Addition of appcmd_test and appcmdlistconfig_test for Microsoft Internet Information Server (IIS)
SPAWAR is presenting proposals for two new OVAL tests for the Windows Operating System. Specifically two new test to gather settings for Internet Information Servers (IIS) Web Server Application.
OVAL 5.11.2 lacks a robust, straight-forward, and efficient mechanism to query Microsoft Internet Information Server (versions 7.0 – 10) configuration settings. The existing OVAL cmdlet test is inadequate as it fails to provide adequate data resolution. For instance, if an Internet Information Server (IIS) installation hosts multiple websites, the cmdlet test results do not enable the user to determine from which website a reported setting was collected.
The Microsoft AppCmd.exe application is the primary method for querying and managing IIS servers. We propose two new OVAL tests, the appcmd and appcmdlistconfig tests to query IIS data using AppCmd.exe. This email includes proposals covering the appcmd test and appcmdlistconfig test.
Please review attached pdf files regarding additions to OVAL 5.11.2. Also included in this email are two change2zip files (update extension of file to .zip), one to accompany each PDF file.
V/R
Bryan Wilson
SPAWAR Systems Center Atlantic
Bryan.L.Wilson@navy.mil
...
. . .
...
This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited. Please notify the sender immediately and permanently delete the message and any attachments.
. . .
...
Bill,
Very interesting. At first glance it looks like the method of how the settings are gathered is abstracted. There are many common areas the appcmd and appcmdlistconfig test would be utilized so there is some overlap here. For example it appears objects that are used to gather application pool settings are defined. Question, how the list of what settings included with the object was defined? One challenge I ran into with defining OVAL tests related to AppCmd.exe was that the list of available and configurable settings (that map to IIS Websites, Application pools, virtual directories and Webserver settings) seemed large and not well defined via Microsoft documentation.
I would like to request more information at this time regarding this proposed update. I also need more time to review the files discussed in this email. Are there any other supporting documentation related to the links below?
V/R
Bryan
-----Original Message-----
From: William Munyan [mailto:William.Munyan@cisecurity.org]
Sent: Friday, March 24, 2017 10:45 AM
To: Wilson, Bryan L CIV USN SPAWARSYSCEN LANT SC (US); OVAL Developer List
Subject: [Non-DoD Source] RE: [OVAL DEVELOPER] Update to OVAL 5.11.2 - Addition of appcmd_test and appcmdlistconfig_test for Microsoft Internet Information Server (IIS)
All active links contained in this email were disabled. Please verify the identity of the sender, and confirm the authenticity of all links contained within the message prior to copying and pasting the address to a Web browser.
Bryan,
Thanks for this proposal, I look forward to diving a little deeper into it soon. Have you taken a look at the proposed IIS schema extension that CIS put into the OVAL Language sandbox? The tests included in there might be something useful as well. I'm happy to go over any of the schema elements; perhaps we can integrate our two proposals?
Caution-https://github.com/OVALProject/Sandbox/blob/master/x-iis78-schema.xsd
Caution-https://github.com/OVALProject/Sandbox/blob/master/x-iis78-system-characteristics-schema.xsd
Cheers,
-Bill M (CIS)
-----Original Message-----
From: OVAL_Developer [Caution-mailto:oval_developer-bounces@lists.cisecurity.org] On Behalf Of Wilson, Bryan L CIV USN SPAWARSYSCEN LANT SC (US)
Sent: Friday, March 24, 2017 10:35 AM
To: OVAL Developer List oval_developer@lists.cisecurity.org
Subject: [OVAL DEVELOPER] Update to OVAL 5.11.2 - Addition of appcmd_test and appcmdlistconfig_test for Microsoft Internet Information Server (IIS)
SPAWAR is presenting proposals for two new OVAL tests for the Windows Operating System. Specifically two new test to gather settings for Internet Information Servers (IIS) Web Server Application.
OVAL 5.11.2 lacks a robust, straight-forward, and efficient mechanism to query Microsoft Internet Information Server (versions 7.0 – 10) configuration settings. The existing OVAL cmdlet test is inadequate as it fails to provide adequate data resolution. For instance, if an Internet Information Server (IIS) installation hosts multiple websites, the cmdlet test results do not enable the user to determine from which website a reported setting was collected.
The Microsoft AppCmd.exe application is the primary method for querying and managing IIS servers. We propose two new OVAL tests, the appcmd and appcmdlistconfig tests to query IIS data using AppCmd.exe. This email includes proposals covering the appcmd test and appcmdlistconfig test.
Please review attached pdf files regarding additions to OVAL 5.11.2. Also included in this email are two change2zip files (update extension of file to .zip), one to accompany each PDF file.
V/R
Bryan Wilson
SPAWAR Systems Center Atlantic
Bryan.L.Wilson@navy.mil
...
. . .
...
This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited. Please notify the sender immediately and permanently delete the message and any attachments.
. . .
...
Sorry... I updated my question and had a typo...
Question, how the list of what settings included with the object was defined?
Updated to
Question, how was the list of configurable settings included with the object defined?
Updated Email:
Bill,
Very interesting. At first glance it looks like the method of how the settings are gathered is abstracted. There are many common areas the appcmd and appcmdlistconfig test would be utilized so there is some overlap here. For example it appears objects that are used to gather application pool settings are defined. Question, how was the list of configurable settings included with the object defined? One challenge I ran into with defining OVAL tests related to AppCmd.exe was that the list of available and configurable settings (that map to IIS Websites, Application pools, virtual directories and Webserver settings) seemed large and not well defined via Microsoft documentation.
I would like to request more information at this time regarding this proposed update. I also need more time to review the files discussed in this email. Are there any other supporting documentation related to the links below?
V/R
Bryan
-----Original Message-----
From: William Munyan [mailto:William.Munyan@cisecurity.org]
Sent: Friday, March 24, 2017 10:45 AM
To: Wilson, Bryan L CIV USN SPAWARSYSCEN LANT SC (US); OVAL Developer List
Subject: [Non-DoD Source] RE: [OVAL DEVELOPER] Update to OVAL 5.11.2 - Addition of appcmd_test and appcmdlistconfig_test for Microsoft Internet Information Server (IIS)
All active links contained in this email were disabled. Please verify the identity of the sender, and confirm the authenticity of all links contained within the message prior to copying and pasting the address to a Web browser.
Bryan,
Thanks for this proposal, I look forward to diving a little deeper into it soon. Have you taken a look at the proposed IIS schema extension that CIS put into the OVAL Language sandbox? The tests included in there might be something useful as well. I'm happy to go over any of the schema elements; perhaps we can integrate our two proposals?
Caution-https://github.com/OVALProject/Sandbox/blob/master/x-iis78-schema.xsd
Caution-https://github.com/OVALProject/Sandbox/blob/master/x-iis78-system-characteristics-schema.xsd
Cheers,
-Bill M (CIS)
-----Original Message-----
From: OVAL_Developer [Caution-mailto:oval_developer-bounces@lists.cisecurity.org] On Behalf Of Wilson, Bryan L CIV USN SPAWARSYSCEN LANT SC (US)
Sent: Friday, March 24, 2017 10:35 AM
To: OVAL Developer List oval_developer@lists.cisecurity.org
Subject: [OVAL DEVELOPER] Update to OVAL 5.11.2 - Addition of appcmd_test and appcmdlistconfig_test for Microsoft Internet Information Server (IIS)
SPAWAR is presenting proposals for two new OVAL tests for the Windows Operating System. Specifically two new test to gather settings for Internet Information Servers (IIS) Web Server Application.
OVAL 5.11.2 lacks a robust, straight-forward, and efficient mechanism to query Microsoft Internet Information Server (versions 7.0 – 10) configuration settings. The existing OVAL cmdlet test is inadequate as it fails to provide adequate data resolution. For instance, if an Internet Information Server (IIS) installation hosts multiple websites, the cmdlet test results do not enable the user to determine from which website a reported setting was collected.
The Microsoft AppCmd.exe application is the primary method for querying and managing IIS servers. We propose two new OVAL tests, the appcmd and appcmdlistconfig tests to query IIS data using AppCmd.exe. This email includes proposals covering the appcmd test and appcmdlistconfig test.
Please review attached pdf files regarding additions to OVAL 5.11.2. Also included in this email are two change2zip files (update extension of file to .zip), one to accompany each PDF file.
V/R
Bryan Wilson
SPAWAR Systems Center Atlantic
Bryan.L.Wilson@navy.mil
...
. . .
...
This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited. Please notify the sender immediately and permanently delete the message and any attachments.
. . .
...
FWIW, I like the idea of having a distinct IIS schema, as opposed to adding IIS-specific objects to the Windows schema. While we’re still ironing out the official language revision process, I personally think it would be easier to get a new official platform schema released than to get substantial updates to an existing schema officially approved.
Best regards,
—David Solin
On Mar 24, 2017, at 1:03 PM, Wilson, Bryan L CIV USN SPAWARSYSCEN LANT SC (US) bryan.l.wilson.civ@mail.mil wrote:
Sorry... I updated my question and had a typo...
Question, how the list of what settings included with the object was defined?
Updated to
Question, how was the list of configurable settings included with the object defined?
Updated Email:
Bill,
Very interesting. At first glance it looks like the method of how the settings are gathered is abstracted. There are many common areas the appcmd and appcmdlistconfig test would be utilized so there is some overlap here. For example it appears objects that are used to gather application pool settings are defined. Question, how was the list of configurable settings included with the object defined? One challenge I ran into with defining OVAL tests related to AppCmd.exe was that the list of available and configurable settings (that map to IIS Websites, Application pools, virtual directories and Webserver settings) seemed large and not well defined via Microsoft documentation.
I would like to request more information at this time regarding this proposed update. I also need more time to review the files discussed in this email. Are there any other supporting documentation related to the links below?
V/R
Bryan
-----Original Message-----
From: William Munyan [mailto:William.Munyan@cisecurity.org]
Sent: Friday, March 24, 2017 10:45 AM
To: Wilson, Bryan L CIV USN SPAWARSYSCEN LANT SC (US); OVAL Developer List
Subject: [Non-DoD Source] RE: [OVAL DEVELOPER] Update to OVAL 5.11.2 - Addition of appcmd_test and appcmdlistconfig_test for Microsoft Internet Information Server (IIS)
All active links contained in this email were disabled. Please verify the identity of the sender, and confirm the authenticity of all links contained within the message prior to copying and pasting the address to a Web browser.
Bryan,
Thanks for this proposal, I look forward to diving a little deeper into it soon. Have you taken a look at the proposed IIS schema extension that CIS put into the OVAL Language sandbox? The tests included in there might be something useful as well. I'm happy to go over any of the schema elements; perhaps we can integrate our two proposals?
Caution-https://github.com/OVALProject/Sandbox/blob/master/x-iis78-schema.xsd
Caution-https://github.com/OVALProject/Sandbox/blob/master/x-iis78-system-characteristics-schema.xsd
Cheers,
-Bill M (CIS)
-----Original Message-----
From: OVAL_Developer [Caution-mailto:oval_developer-bounces@lists.cisecurity.org] On Behalf Of Wilson, Bryan L CIV USN SPAWARSYSCEN LANT SC (US)
Sent: Friday, March 24, 2017 10:35 AM
To: OVAL Developer List oval_developer@lists.cisecurity.org
Subject: [OVAL DEVELOPER] Update to OVAL 5.11.2 - Addition of appcmd_test and appcmdlistconfig_test for Microsoft Internet Information Server (IIS)
SPAWAR is presenting proposals for two new OVAL tests for the Windows Operating System. Specifically two new test to gather settings for Internet Information Servers (IIS) Web Server Application.
OVAL 5.11.2 lacks a robust, straight-forward, and efficient mechanism to query Microsoft Internet Information Server (versions 7.0 – 10) configuration settings. The existing OVAL cmdlet test is inadequate as it fails to provide adequate data resolution. For instance, if an Internet Information Server (IIS) installation hosts multiple websites, the cmdlet test results do not enable the user to determine from which website a reported setting was collected.
The Microsoft AppCmd.exe application is the primary method for querying and managing IIS servers. We propose two new OVAL tests, the appcmd and appcmdlistconfig tests to query IIS data using AppCmd.exe. This email includes proposals covering the appcmd test and appcmdlistconfig test.
Please review attached pdf files regarding additions to OVAL 5.11.2. Also included in this email are two change2zip files (update extension of file to .zip), one to accompany each PDF file.
V/R
Bryan Wilson
SPAWAR Systems Center Atlantic
Bryan.L.Wilson@navy.mil
...
. . .
...
This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited. Please notify the sender immediately and permanently delete the message and any attachments.
. . .
...
OVAL_Developer mailing list
OVAL_Developer@lists.cisecurity.org
http://lists.cisecurity.org/mailman/listinfo/oval_developer_lists.cisecurity.org
...
Are the examples of the ci proposed oval update "in action". The benefit of the appcmd tests is it is open to allow a content author to make content that can attain in theory any IIS setting. The CI proposal seems like a good start but I am confused how a content author could use it to make content that could capture the large number of configurable settings for websites (as well as vdirs), application pools and webserver settings. Again it looked to me on first glance that it defined certain settings that could be configured. The AppCmd.exe tests I proposed would allow the content author to test or gather in theory all configurable IIS settings. From what I see with the other proposal... I am not sure if that is possible based on it's current design. I requested more information Friday because I want to make sure I am not missing anything.
-----Original Message-----
From: David Solin [mailto:solin@jovalcm.com]
Sent: Friday, March 24, 2017 6:09 PM
To: Wilson, Bryan L CIV USN SPAWARSYSCEN LANT SC (US)
Cc: William Munyan; OVAL Developer List
Subject: Re: [OVAL DEVELOPER] [Non-DoD Source] RE: Update to OVAL 5.11.2 - Addition of appcmd_test and appcmdlistconfig_test for Microsoft Internet Information Server (IIS)
All active links contained in this email were disabled. Please verify the identity of the sender, and confirm the authenticity of all links contained within the message prior to copying and pasting the address to a Web browser.
FWIW, I like the idea of having a distinct IIS schema, as opposed to adding IIS-specific objects to the Windows schema. While we’re still ironing out the official language revision process, I personally think it would be easier to get a new official platform schema released than to get substantial updates to an existing schema officially approved.
Best regards,
—David Solin
On Mar 24, 2017, at 1:03 PM, Wilson, Bryan L CIV USN SPAWARSYSCEN LANT SC (US) bryan.l.wilson.civ@mail.mil wrote:
Sorry... I updated my question and had a typo...
Question, how the list of what settings included with the object was defined?
Updated to
Question, how was the list of configurable settings included with the object defined?
Updated Email:
Bill,
Very interesting. At first glance it looks like the method of how the settings are gathered is abstracted. There are many common areas the appcmd and appcmdlistconfig test would be utilized so there is some overlap here. For example it appears objects that are used to gather application pool settings are defined. Question, how was the list of configurable settings included with the object defined? One challenge I ran into with defining OVAL tests related to AppCmd.exe was that the list of available and configurable settings (that map to IIS Websites, Application pools, virtual directories and Webserver settings) seemed large and not well defined via Microsoft documentation.
I would like to request more information at this time regarding this proposed update. I also need more time to review the files discussed in this email. Are there any other supporting documentation related to the links below?
V/R
Bryan
-----Original Message-----
From: William Munyan [Caution-mailto:William.Munyan@cisecurity.org]
Sent: Friday, March 24, 2017 10:45 AM
To: Wilson, Bryan L CIV USN SPAWARSYSCEN LANT SC (US); OVAL Developer
List
Subject: [Non-DoD Source] RE: [OVAL DEVELOPER] Update to OVAL 5.11.2 -
Addition of appcmd_test and appcmdlistconfig_test for Microsoft
Internet Information Server (IIS)
All active links contained in this email were disabled. Please verify the identity of the sender, and confirm the authenticity of all links contained within the message prior to copying and pasting the address to a Web browser.
Bryan,
Thanks for this proposal, I look forward to diving a little deeper into it soon. Have you taken a look at the proposed IIS schema extension that CIS put into the OVAL Language sandbox? The tests included in there might be something useful as well. I'm happy to go over any of the schema elements; perhaps we can integrate our two proposals?
Caution-Caution-https://github.com/OVALProject/Sandbox/blob/master/x-i
is78-schema.xsd
Caution-Caution-https://github.com/OVALProject/Sandbox/blob/master/x-i
is78-system-characteristics-schema.xsd
Cheers,
-Bill M (CIS)
-----Original Message-----
From: OVAL_Developer
[Caution-Caution-mailto:oval_developer-bounces@lists.cisecurity.org]
On Behalf Of Wilson, Bryan L CIV USN SPAWARSYSCEN LANT SC (US)
Sent: Friday, March 24, 2017 10:35 AM
To: OVAL Developer List oval_developer@lists.cisecurity.org
Subject: [OVAL DEVELOPER] Update to OVAL 5.11.2 - Addition of
appcmd_test and appcmdlistconfig_test for Microsoft Internet
Information Server (IIS)
SPAWAR is presenting proposals for two new OVAL tests for the Windows Operating System. Specifically two new test to gather settings for Internet Information Servers (IIS) Web Server Application.
OVAL 5.11.2 lacks a robust, straight-forward, and efficient mechanism to query Microsoft Internet Information Server (versions 7.0 – 10) configuration settings. The existing OVAL cmdlet test is inadequate as it fails to provide adequate data resolution. For instance, if an Internet Information Server (IIS) installation hosts multiple websites, the cmdlet test results do not enable the user to determine from which website a reported setting was collected.
The Microsoft AppCmd.exe application is the primary method for querying and managing IIS servers. We propose two new OVAL tests, the appcmd and appcmdlistconfig tests to query IIS data using AppCmd.exe. This email includes proposals covering the appcmd test and appcmdlistconfig test.
Please review attached pdf files regarding additions to OVAL 5.11.2. Also included in this email are two change2zip files (update extension of file to .zip), one to accompany each PDF file.
V/R
Bryan Wilson
SPAWAR Systems Center Atlantic
Bryan.L.Wilson@navy.mil
...
. . .
...
This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited. Please notify the sender immediately and permanently delete the message and any attachments.
. . .
...
OVAL_Developer mailing list
OVAL_Developer@lists.cisecurity.org
Caution-http://lists.cisecurity.org/mailman/listinfo/oval_developer_li
sts.cisecurity.org
...