oval_developer@lists.cisecurity.org

A list for people interested in developing the OVAL language.

possible discrepancy between Scapval test and OVAL specification

Vojtech Polasek
Wed, Feb 24, 2021 10:59 AM

Greetings,

my name is Vojtěch Polášek and I am working in the security compliance
subsystem at Red Hat.

Besides other things, we are participating in the development of the
Openscap scanner [1].

During our review of SCAP 1.3 certification we encountered an
interesting case. I would like to ask someone from OVAL as well as NIST
for clarification. The issue is also described in [2], upstream.

Let me describe the issue. The error is encountered while validating an
OVAL results file. Imagine a situation where OVAL checks for one object
(e.g. a file), but the object can't be found: it does not exist.

So the object is reported within the
/oval_results/results/system/oval_system_characteristics/collected_objects
node. It is assigned only an ID, and its status is set to "does not exist".

As the object does not exist, it does not make sense to place it into the
/oval_results/results/system/oval_system_characteristics/system_data
node, because it does not reference any item.

If this object is the only one, we do not create the "system_data" node
at all. And now:

Validation of such a results file fails Scapval validation with the
following:

RES-181-1

    Error if oval-res directives definitions have @content='full' or
    @content is not provided and oval-res:oval_system_characteristics does
    not have both oval-res:collected_objects and oval-res:system_data.

If we add just an empty <system_data /> element, the requirement stops
failing, but the OVAL schematron validation starts failing. The
<system_data> node is expected to contain something; it can't be empty.

Additionally, the OVAL specification says this in [3], section 4.6.14:

    This value indicates that a full detailed result of information is
    represented in the OVAL Results. Specifically:
    • The definition_id property of DefinitionType will be included.
    • The result property of DefinitionType will be included.
    • The criteria property of DefinitionType will be included.
    • The collected_objects and system_data properties, of the
      system_characteristics property in SystemType, will be included.
    The value ‘full’ is equivalent to ‘thin’ with the collected_objects and
    system_data properties, of the system_characteristics property in
    SystemType, included.

I see a problem in this specification, because if the object "does not
exist", we don't have anything to put into "system_data" node.

So my question is:

How to handle this case, when the only object results in status "does
not exist"?

I feel that both the OVAL specification and the Scapval tool need to
clarify this.

Thank you and best regards,

Vojtěch Polášek

[1]: https://github.com/OpenSCAP/openscap
[2]: https://github.com/OpenSCAP/openscap/issues/1640
[3]: https://github.com/OVAL-Community/OVAL/blob/master/oval-specifications/oval-language-specification.docx

--
Vojtech Polasek
Software engineer, security compliance
Red Hat, https://www.redhat.com
vpolasek@redhat.com
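To make the conflict concrete, here is an added example (not OpenSCAP, Scapval or OVAL project code) that builds the minimal results document the post describes, one collected object flagged "does not exist" and no system_data, and runs two checks written from the rule text quoted above: the RES-181-1 condition, and the "system_data cannot be empty" constraint the post hits after adding an empty element. The definition and object ids, the omission of the generator and system_info elements a real results file carries, and the check logic itself are this example's own assumptions; the element and attribute names follow the OVAL 5.11 results and system-characteristics schemas, but the functions are a hand-written approximation, not the official schematron.

```python
"""Reproduce the RES-181-1 conflict from the thread on a minimal OVAL results file.

Added example, not OpenSCAP, Scapval or OVAL project code. The two checks are
hand-written from the rule text quoted in the post, not the official
schematron, and the sample document omits the generator and system_info
elements a real results file carries.
"""
import xml.etree.ElementTree as ET

RES = "http://oval.mitre.org/XMLSchema/oval-results-5"
SC = "http://oval.mitre.org/XMLSchema/oval-system-characteristics-5"
NS = {"oval-res": RES, "oval-sc": SC}

# Constructed sample: one definition, one object that was not found. The ids
# are placeholders. No directive carries @content, so the schema default
# ('full') applies and RES-181-1 is in force. The post calls the attribute
# "status"; on oval-sc:object inside collected_objects the schema names it "flag".
MINIMAL_RESULTS = f"""\
<oval_results xmlns="{RES}" xmlns:oval-sc="{SC}">
  <directives include_source_definitions="false">
    <definition_true reported="true"/>
    <definition_false reported="true"/>
    <definition_unknown reported="true"/>
    <definition_error reported="true"/>
    <definition_not_evaluated reported="true"/>
    <definition_not_applicable reported="true"/>
  </directives>
  <results>
    <system>
      <definitions>
        <definition definition_id="oval:example:def:1" version="1" result="false"/>
      </definitions>
      <oval-sc:oval_system_characteristics>
        <oval-sc:collected_objects>
          <oval-sc:object id="oval:example:obj:1" version="1" flag="does not exist"/>
        </oval-sc:collected_objects>
      </oval-sc:oval_system_characteristics>
    </system>
  </results>
</oval_results>
"""


def content_is_full(root):
    """RES-181-1 precondition: some directive has @content='full' or no @content
    at all (the schema default is 'full')."""
    directives = root.find("oval-res:directives", NS)
    if directives is None:
        return True
    return any(d.get("content", "full") == "full" for d in directives)


def res_181_1(root):
    """RES-181-1 as quoted in the post: with full content, every
    oval_system_characteristics needs both collected_objects and system_data.
    Returns a list of violation messages, empty when the rule passes."""
    problems = []
    if not content_is_full(root):
        return problems
    for sc in root.iterfind(".//oval-sc:oval_system_characteristics", NS):
        has_co = sc.find("oval-sc:collected_objects", NS) is not None
        has_sd = sc.find("oval-sc:system_data", NS) is not None
        if not (has_co and has_sd):
            problems.append("RES-181-1: content is 'full' but oval_system_characteristics "
                            f"has collected_objects={has_co}, system_data={has_sd}")
    return problems


def system_data_nonempty(root):
    """The constraint the post hits next: system_data must hold at least one item."""
    return ["system_data must contain at least one item"
            for sd in root.iterfind(".//oval-sc:system_data", NS) if len(sd) == 0]


def add_empty_system_data(root):
    """The workaround the post tried: add an empty <system_data/> element."""
    for sc in list(root.iterfind(".//oval-sc:oval_system_characteristics", NS)):
        if sc.find("oval-sc:system_data", NS) is None:
            ET.SubElement(sc, f"{{{SC}}}system_data")
    return root


def check(xml_text, empty_system_data=False):
    """Run both checks; an empty list means the document passes."""
    root = ET.fromstring(xml_text)
    if empty_system_data:
        add_empty_system_data(root)
    return res_181_1(root) + system_data_nonempty(root)


if __name__ == "__main__":
    for label, kwargs in (("no system_data", {}),
                          ("empty system_data", {"empty_system_data": True})):
        print(f"{label}: {check(MINIMAL_RESULTS, **kwargs) or ['ok']}")
```

Run as-is, the first variant fails RES-181-1 and the second fails the non-empty constraint, which is exactly the dead end the post describes; setting content="thin" on every directive switches RES-181-1 off, but per the quoted section 4.6.14 that also means the collected_objects information is no longer supposed to be there.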
David Ries
Thu, Feb 25, 2021 3:03 PM

Hi Vojtech,

I agree. This appears to be an issue with the OVAL Specification itself. And both Scapval and the SCAP Validation program test against the specification.

As you said, the OVAL schema’s embedded schematron rule RES-181-1 requires that OVAL results must either have both system_data and collected_objects, or neither.

The problem arises when no items are collected because none of the objects exist. In this scenario, in order to accurately capture the scan results, we need collected_objects node(s) with their status set to "does not exist", but it does not make sense to have system_data nodes: there is no collected system data to put there.

I suggest that the OVAL Specification should be updated via the OVAL Community Proposal Process (https://oval-community-guidelines.readthedocs.io/en/latest/proposal-process/index.html), specifically RES-181-1 in the XSD and OVAL Specification section 4.6.14.

Once the specification update is adopted by the community and NIST, I would expect Scapval and the validation program to be updated as well.

-David
David E. Ries
Co-Founder, Business Development
ries@jovalcm.com
https://jovalcm.com/
https://www.facebook.com/jovalcm
https://www.linkedin.com/company/joval-continuous-monitoring
