oval_developer@lists.cisecurity.org

A list for people interested in developing the OVAL language.


multi path check in OVAL

Dragos Prisaca
Wed, Aug 1, 2018 11:46 AM

Good Morning,

I’ve come across an interesting issue within the xml file content test. If there are any resolutions to this issue, I’d appreciate hearing your thoughts.

ISSUE: On a Linux target, I’m trying to verify at least one of each HOSTS file within multiple directory trees contains a specific xml element set to a certain value.

EXAMPLE: I’m looking for AT LEAST ONE config.xml file containing the element <foo>bar</foo> for each of the 2 HOST directories. The directory structure could look like the following:

/HOSTS/exampleHOST1/tmp/jack/config.xml
/HOSTS/exampleHOST1/tmp/ryan/config.xml
/HOSTS/exampleHOST1/tmp/lisa/config.xml
/HOSTS/exampleHOST2/tmp/sam/psl/config.xml
/HOSTS/exampleHOST2/tmp/bob/config.xml

To clarify, exampleHOST1 and exampleHOST2 both need AT LEAST ONE config.xml containing the element <foo>bar</foo>.
The exampleHOST names are not known.

THOUGHTS: I’m not sure if this can be implemented in OVAL.

Respectfully,
_Dragos.

David Solin
Wed, Aug 1, 2018 1:13 PM

Hi Dragos,

You can create a test for this condition for each subdirectory (i.e., exampleHOST1), but you cannot create a single test encompassing both subdirectories.  Is that the issue?

I believe in order to do so, it would have to be possible to force an OVAL variable to iterate across multiple values during an evaluation (having only one value at a time), instead of its having multiple values at the same time — if that makes sense.

Is that what you’re thinking?

Best regards,
—David Solin

Dragos Prisaca
Wed, Aug 1, 2018 7:04 PM

Thank you for the response David!
I’ve attached an example of my test. I can check all the files to see if they have the required setting. I can collect all the host names (i.e. exampleHost1, 2, 3 ...):
<variable_item id="1" status="exists" ...>
  <var_ref datatype="string">oval:com.test.app:var:11502</var_ref>
  <value datatype="string">exampleHost1</value>
  <value datatype="string">exampleHost2</value>
  <value datatype="string">exampleHost3</value>
</variable_item>

But I can’t iterate through the values of the item id="1" and see if every host->config.xml has <foo>bar</foo>. It would have been easy if there were multiple items instead of a variable_item with multiple entities.

What should the test look like, so the following configuration fails?

/opt/HOSTS/
├── exampleHost1
│  ├── tmp
│  │  └── config.xml
│  └── tmp2
│      └── config.xml
├── exampleHost2
│  └── tmp
│      └── No config xml file
└── exampleHost3
   └── tmp
       └── config.xml
...

Respectfully,
_Dragos.

David Solin
Wed, Aug 1, 2018 8:09 PM

Hi Dragos,

Your sample appears to check that:

  1. All instances of config.xml under a /HOSTS/[hostname] directory contain a <foo>bar</foo>
  2. There is at least one [hostname] subdirectory containing a config.xml

As you know it does not check that under each /HOSTS/[hostname] directory, there exists at least one config.xml containing <foo>bar</foo>.

What I think you could do to assert this would be:

  1. Create an xmlfilecontent_object with a filter, representing all the config.xml files found under /HOSTS containing a <foo>bar</foo>
  2. Create a variable_object representing all the unique directory names under /HOSTS
  3. Create a variable_object representing all the unique pathname captures from the xmlfilecontent_object with the filter described in #1

Then, write a variable_test asserting equivalence of the values of objects 2 and 3, using object 2 as the object, and in the state, a var_ref to object 3 with @var_check="only one".

That would assert that for each discrete value of an item for object 2, there is only one discrete value for an item of object 3 that matches it.

Alternatively, you could simply count the number of items for 2 and 3, and compare those values.

I believe that would do what you want, either way.

WDYT?

Best regards,
—David Solin
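
One way to write the approach described above as OVAL content, added here as an example; it is not part of the original message and not the attached oval-def-115.xml. The oval:com.example.hosts IDs, the regular expressions, the XPath and the generator values are assumptions, and the state references the step 3 variable directly through var_ref.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example: IDs, patterns and timestamp are hypothetical. -->
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
    xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5"
    xmlns:ind="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
    xmlns:unix="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <generator>
    <oval:schema_version>5.11</oval:schema_version>
    <oval:timestamp>2018-08-01T00:00:00</oval:timestamp>
  </generator>
  <definitions>
    <definition id="oval:com.example.hosts:def:1" version="1" class="compliance">
      <metadata>
        <title>Each /HOSTS/[hostname] has a config.xml with foo set to bar</title>
        <description>Fails when any host directory lacks a compliant config.xml.</description>
      </metadata>
      <criteria>
        <criterion test_ref="oval:com.example.hosts:tst:1"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <!-- Object = host directories (step 2); state = compliant host directories (step 3). -->
    <ind:variable_test id="oval:com.example.hosts:tst:1" version="1" check="all"
        check_existence="at_least_one_exists"
        comment="every host directory matches exactly one compliant host directory">
      <ind:object object_ref="oval:com.example.hosts:obj:3"/>
      <ind:state state_ref="oval:com.example.hosts:ste:2"/>
    </ind:variable_test>
  </tests>
  <objects>
    <!-- Step 1: config.xml files anywhere under /HOSTS, kept only if foo is bar. -->
    <ind:xmlfilecontent_object id="oval:com.example.hosts:obj:1" version="1">
      <ind:behaviors recurse_direction="down" max_depth="-1"/>
      <ind:path>/HOSTS</ind:path>
      <ind:filename>config.xml</ind:filename>
      <ind:xpath>//foo/text()</ind:xpath>
      <filter action="include">oval:com.example.hosts:ste:1</filter>
    </ind:xmlfilecontent_object>
    <!-- Directories directly under /HOSTS (nil filename selects the directory itself). -->
    <unix:file_object id="oval:com.example.hosts:obj:2" version="1">
      <unix:path operation="pattern match">^/HOSTS/[^/]+$</unix:path>
      <unix:filename xsi:nil="true"/>
    </unix:file_object>
    <!-- Step 2 as a variable_object: one variable_item carrying every host directory. -->
    <ind:variable_object id="oval:com.example.hosts:obj:3" version="1">
      <ind:var_ref>oval:com.example.hosts:var:1</ind:var_ref>
    </ind:variable_object>
  </objects>
  <states>
    <ind:xmlfilecontent_state id="oval:com.example.hosts:ste:1" version="1">
      <ind:value_of>bar</ind:value_of>
    </ind:xmlfilecontent_state>
    <!-- entity_check="all": every value in the item must pass.
         var_check="only one": each must equal exactly one value of var:2. -->
    <ind:variable_state id="oval:com.example.hosts:ste:2" version="1">
      <ind:value datatype="string" entity_check="all" var_check="only one"
          var_ref="oval:com.example.hosts:var:2"/>
    </ind:variable_state>
  </states>
  <variables>
    <!-- Step 2: unique host directory paths, e.g. /HOSTS/exampleHost1. -->
    <local_variable id="oval:com.example.hosts:var:1" version="1" datatype="string"
        comment="all host directories under /HOSTS">
      <unique>
        <object_component object_ref="oval:com.example.hosts:obj:2" item_field="path"/>
      </unique>
    </local_variable>
    <!-- Step 3: host directory captured from each compliant file's path, de-duplicated
         so a host with several compliant files still appears once. -->
    <local_variable id="oval:com.example.hosts:var:2" version="1" datatype="string"
        comment="host directories that contain a compliant config.xml">
      <unique>
        <regex_capture pattern="^(/HOSTS/[^/]+)/">
          <object_component object_ref="oval:com.example.hosts:obj:1" item_field="filepath"/>
        </regex_capture>
      </unique>
    </local_variable>
  </variables>
</oval_definitions>
```

Both variables hold full directory paths rather than bare host names so that the comparison is like for like. With the /opt/HOSTS tree from the earlier message (and the paths adjusted to match), exampleHost2 has no counterpart in the second variable and the test fails.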

Dragos Prisaca
Thu, Aug 2, 2018 7:40 PM

Thank you so much David! I believe your proposed solution works for me.
Also, it would be nice if the OVAL language could be updated to allow iteration through a variable’s values.

Respectfully,
_Dragos.

David Solin
Thu, Aug 2, 2018 8:07 PM

It’s funny, I’ve been trying on and off to propose something like an InstanceFunctionType to do that for several years … but we keep coming up with work-arounds like this!

Even just describing what exactly iteration would mean in the context of OVAL is a fairly complicated business, and as you know OVAL already has a steep (yet also long!) learning curve.  If you have any ideas I’d be happy to collaborate.

Best regards,
—David Solin

On Aug 2, 2018, at 2:40 PM, Dragos Prisaca dprisaca@gmail.com wrote:

Thank you so much David! I believe your proposed solution works for me.
Also, would be nice if OVAL language can be update it to allow iteration thought variable’s values.

Respectfully,
_Dragos.

On Aug 1, 2018, at 4:09 PM, David Solin <solin@jovalcm.com mailto:solin@jovalcm.com> wrote:

Hi Dragos,

Your sample appears to check that:

  1. All instances of config.xml under a /HOSTS/[hostname] directory contain a <foo>bar</foo>
  2. There is at least one [hostname] subdirectory containing a config.xml

As you know it does not check that under each /HOSTS/[hostname] directory, there exists at least one config.xml containing <foo>bar</foo>.

What I think you could do to assert this would be:

  1. Create an xmlfilecontent_object with a filter, representing all the config.xml files found under /HOSTS containing a <foo>bar</foo>
  2. Create a variable_object representing all the unique directory names under /HOSTS
  3. Create a variable_object representing all the unique pathname captures from the xmlfilecontent_object with the filter described in #1

Then, write a variable_test asserting equivalence of the values of objects 2 and 3, using object 2 as the object, and in the state, a var_ref to object 3 with @var_check=“only one”.

That would assert that for each discrete value of an item for object 2, there is only one discrete value for an item of object 3 that matches it.

Alternatively, you could simply count the number of items for 2 and 3, and compare those values.

I believe that would do what you want, either way.

WDYT?

Best regards,
—David Solin

On Aug 1, 2018, at 2:04 PM, Dragos Prisaca <dprisaca@gmail.com mailto:dprisaca@gmail.com> wrote:

Thank you for the response David!
I’ve attached an example of my test. I can check all the files to see if they have the required setting. I can collect all the host names (i.e. exampleHost1, 2, 3 ...):
<variable_item id=“1” status="exists" ...>
<var_ref datatype="string">oval:com.test.app:var:11502</var_ref>
<value datatype="string">exampleHost1</value>
<value datatype="string">exampleHost2</value>
<value datatype="string">exampleHost3</value>
</variable_item>

But I can’t iterate through the values of the item id=“1” and see if every host->config.xml has <foo>bar</>. It would have been easy if there are multiple items instead of a variable_item with multiple entities.

How should the test look like, so the following configuration fails?

/opt/HOSTS/
├── exampleHost1
│  ├── tmp
│  │  └── config.xml
│  └── tmp2
│      └── config.xml
├── exampleHost2
│  └── tmp
│      └── No config xml file
└── exampleHost3
    └── tmp
        └── config.xml
...

Respectfully,
_Dragos.

<oval-def-115.xml>

On Aug 1, 2018, at 9:13 AM, David Solin <solin@jovalcm.com> wrote:

Hi Dragos,

You can create a test for this condition for each subdirectory (i.e., exampleHOST1), but you cannot create a single test encompassing both subdirectories.  Is that the issue?

I believe in order to do so, it would have to be possible to force an OVAL variable to iterate across multiple values during an evaluation (having only one value at a time), instead of its having multiple values at the same time — if that makes sense.

Is that what you’re thinking?

Best regards,
—David Solin

On Aug 1, 2018, at 6:46 AM, Dragos Prisaca <dprisaca@gmail.com> wrote:

Good Morning,

I’ve come across an interesting issue within the xml file content test. If there are any resolutions to this issue I’d be appreciative in hearing your thoughts.

ISSUE: On a Linux target, I’m trying to verify at least one of each HOSTS file within multiple directory trees contains a specific xml element set to a certain value.

EXAMPLE: I’m looking for AT LEAST ONE config.xml file containing the element <foo>bar</foo> for each of the 2 HOST directories. The directory structure could look like the following:

/HOSTS/exampleHOST1/tmp/jack/config.xml
/HOSTS/exampleHOST1/tmp/ryan/config.xml
/HOSTS/exampleHOST1/tmp/lisa/config.xml
/HOSTS/exampleHOST2/tmp/sam/psl/config.xml
/HOSTS/exampleHOST2/tmp/bob/config.xml

To clarify, exampleHOST1 and exampleHOST2 both need AT LEAST ONE config.xml containing the element <foo>bar</foo>.
The exampleHOST names are not known.

THOUGHTS: I’m not sure if this can be implemented in OVAL.

Respectfully,
_Dragos.


OVAL_Developer mailing list
OVAL_Developer@lists.cisecurity.org
http://lists.cisecurity.org/mailman/listinfo/oval_developer_lists.cisecurity.org
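
The set comparison David Solin describes in the message quoted above (objects 2 and 3, then the variable_test or the count comparison), modelled in Python as an added example that is not part of the thread and is not OVAL content. The file contents, the function names, and the choice to treat an empty HOSTS directory as a failure are assumptions; the two layouts are the ones posted in the thread.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

GOOD = "<config><foo>bar</foo></config>"   # constructed file content
BAD = "<config><foo>baz</foo></config>"    # constructed file content

# Layout Dragos wants to FAIL: exampleHost2 has no config.xml at all.
TREE_FROM_THREAD = {
    "exampleHost1/tmp": GOOD, "exampleHost1/tmp2": GOOD,
    "exampleHost2/tmp": None, "exampleHost3/tmp": GOOD,
}
# Paths from the first message; which files are compliant is constructed.
PATHS_FROM_THREAD = {
    "exampleHOST1/tmp/jack": GOOD, "exampleHOST1/tmp/ryan": BAD,
    "exampleHOST1/tmp/lisa": BAD, "exampleHOST2/tmp/sam/psl": GOOD,
    "exampleHOST2/tmp/bob": BAD,
}

def has_foo_bar(path):
    """True when the file parses as XML and some <foo> element has text 'bar'."""
    try:
        root = ET.parse(path).getroot()
    except (ET.ParseError, OSError):
        return False  # unreadable or malformed files never count as compliant
    return any((el.text or "").strip() == "bar" for el in root.iter("foo"))

def collect(hosts_root):
    """Return (host directory names, [(host, compliant)] per config.xml found)."""
    with os.scandir(hosts_root) as entries:
        hosts = {e.name for e in entries if e.is_dir(follow_symlinks=False)}
    configs = []
    for dirpath, _dirs, files in os.walk(hosts_root):
        rel = os.path.relpath(dirpath, hosts_root)
        if rel == os.curdir or "config.xml" not in files:
            continue  # a config.xml directly under HOSTS belongs to no host
        host = rel.split(os.sep)[0]
        configs.append((host, has_foo_bar(os.path.join(dirpath, "config.xml"))))
    return hosts, configs

def sample_check(configs):
    """The attached sample as described: every config.xml found has
    <foo>bar</foo>, and at least one host directory contains a config.xml."""
    return bool(configs) and all(ok for _host, ok in configs)

def workaround_check(hosts, configs):
    """hosts plays the role of object 2; the hosts owning a compliant
    config.xml play the role of object 3 (built from the step 1 filter)."""
    compliant = {host for host, ok in configs if ok}
    missing = sorted(hosts - compliant)
    by_value = bool(hosts) and not missing                   # value comparison
    by_count = bool(hosts) and len(hosts) == len(compliant)  # count comparison
    return by_value, by_count, missing

def evaluate(layout):
    """Build the layout under a temporary HOSTS directory and run both checks."""
    with tempfile.TemporaryDirectory() as tmp:
        hosts_root = os.path.join(tmp, "HOSTS")
        os.makedirs(hosts_root)
        for rel_dir, content in layout.items():
            target = os.path.join(hosts_root, *rel_dir.split("/"))
            os.makedirs(target, exist_ok=True)
            if content is not None:
                cfg = os.path.join(target, "config.xml")
                with open(cfg, "w", encoding="utf-8") as fh:
                    fh.write(content)
        hosts, configs = collect(hosts_root)
        by_value, by_count, missing = workaround_check(hosts, configs)
        return {"sample": sample_check(configs), "by_value": by_value,
                "by_count": by_count, "missing": missing}

if __name__ == "__main__":
    for name, layout in (("tree", TREE_FROM_THREAD), ("paths", PATHS_FROM_THREAD)):
        print(name, evaluate(layout))
```

The two layouts fail in opposite directions under the sample check: the tree passes although exampleHost2 has no compliant file, and the path list fails although every host has one.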

WM
William Munyan
Thu, Aug 2, 2018 8:46 PM

Hey guys, I have been seeing this thread along the developer list, and I am happy to collaborate on something like this as well.  We’ve talked about trying something with an “Iterator” function here as well, so if there’s work to be done, we’re happy to help.

Cheers,
-Bill M.

From: OVAL_Developer oval_developer-bounces@lists.cisecurity.org On Behalf Of David Solin
Sent: Thursday, August 2, 2018 4:08 PM
To: Dragos Prisaca dprisaca@gmail.com
Cc: oval_developer@lists.cisecurity.org
Subject: Re: [OVAL DEVELOPER] multi path check in OVAL

It’s funny, I’ve been trying on and off to propose something like an InstanceFunctionType to do that for several years … but we keep coming up with work-arounds like this!

Even just describing what exactly iteration would mean in the context of OVAL is a fairly complicated business, and as you know OVAL already has a steep (yet also long!) learning curve.  If you have any ideas I’d be happy to collaborate.

Best regards,
—David Solin

On Aug 2, 2018, at 2:40 PM, Dragos Prisaca <dprisaca@gmail.com> wrote:

Thank you so much David! I believe your proposed solution works for me.
Also, would be nice if OVAL language can be updated to allow iteration through variable’s values.

Respectfully,
_Dragos.

On Aug 1, 2018, at 4:09 PM, David Solin <solin@jovalcm.com> wrote:

Hi Dragos,

Your sample appears to check that:

  1. All instances of config.xml under a /HOSTS/[hostname] directory contain a <foo>bar</foo>
  2. There is at least one [hostname] subdirectory containing a config.xml

As you know it does not check that under each /HOSTS/[hostname] directory, there exists at least one config.xml containing <foo>bar</foo>.

What I think you could do to assert this would be:

  1. Create an xmlfilecontent_object with a filter, representing all the config.xml files found under /HOSTS containing a <foo>bar</foo>
  2. Create a variable_object representing all the unique directory names under /HOSTS
  3. Create a variable_object representing all the unique pathname captures from the xmlfilecontent_object with the filter described in #1

Then, write a variable_test asserting equivalence of the values of objects 2 and 3, using object 2 as the object, and in the state, a var_ref to object 3 with @var_check=“only one”.

That would assert that for each discrete value of an item for object 2, there is only one discrete value for an item of object 3 that matches it.

Alternatively, you could simply count the number of items for 2 and 3, and compare those values.

I believe that would do what you want, either way.

WDYT?

Best regards,
—David Solin

On Aug 1, 2018, at 2:04 PM, Dragos Prisaca <dprisaca@gmail.com> wrote:

Thank you for the response David!
I’ve attached an example of my test. I can check all the files to see if they have the required setting. I can collect all the host names (i.e. exampleHost1, 2, 3 ...):
<variable_item id="1" status="exists" ...>
<var_ref datatype="string">oval:com.test.app:var:11502</var_ref>
<value datatype="string">exampleHost1</value>
<value datatype="string">exampleHost2</value>
<value datatype="string">exampleHost3</value>
</variable_item>
But I can’t iterate through the values of the item id=“1” and see if every host->config.xml has <foo>bar</>. It would have been easy if there are multiple items instead of a variable_item with multiple entities.

How should the test look like, so the following configuration fails?

/opt/HOSTS/
├── exampleHost1
│  ├── tmp
│  │  └── config.xml
│  └── tmp2
│      └── config.xml
├── exampleHost2
│  └── tmp
│      └── No config xml file
└── exampleHost3
    └── tmp
        └── config.xml
...
Respectfully,
_Dragos.

<oval-def-115.xml>

On Aug 1, 2018, at 9:13 AM, David Solin <solin@jovalcm.com> wrote:

Hi Dragos,

You can create a test for this condition for each subdirectory (i.e., exampleHOST1), but you cannot create a single test encompassing both subdirectories.  Is that the issue?

I believe in order to do so, it would have to be possible to force an OVAL variable to iterate across multiple values during an evaluation (having only one value at a time), instead of its having multiple values at the same time — if that makes sense.

Is that what you’re thinking?

Best regards,
—David Solin

On Aug 1, 2018, at 6:46 AM, Dragos Prisaca <dprisaca@gmail.com> wrote:

Good Morning,

I’ve come across an interesting issue within the xml file content test. If there are any resolutions to this issue I’d be appreciative in hearing your thoughts.

ISSUE: On a Linux target, I’m trying to verify at least one of each HOSTS file within multiple directory trees contains a specific xml element set to a certain value.

EXAMPLE: I’m looking for AT LEAST ONE config.xml file containing the element <foo>bar</foo> for each of the 2 HOST directories. The directory structure could look like the following:

/HOSTS/exampleHOST1/tmp/jack/config.xml
/HOSTS/exampleHOST1/tmp/ryan/config.xml
/HOSTS/exampleHOST1/tmp/lisa/config.xml
/HOSTS/exampleHOST2/tmp/sam/psl/config.xml
/HOSTS/exampleHOST2/tmp/bob/config.xml

To clarify, exampleHOST1 and exampleHOST2 both need AT LEAST ONE config.xml containing the element <foo>bar</foo>.
The exampleHOST names are not known.

THOUGHTS: I’m not sure if this can be implemented in OVAL.

Respectfully,
_Dragos.


This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited. Please notify the sender immediately and permanently delete the message and any attachments.

DP
Dragos Prisaca
Thu, Aug 2, 2018 9:33 PM

I am wondering if this issue can't be easily resolved with a function that
will convert variable's value entities to items.
For instance, the following item:

<variable_item status="exists" id="1"...>
<value>1</value>
<value>2</value>
</variable_item>

will be converted to 2 items (because there are 2 values):

<variable_item status="exists" id="10"...>
<value>1</value>
</variable_item>
<variable_item status="exists" id="11"...>
<value>2</value>
</variable_item>

I think this may allow authors to create a test with check="all" that will
iterate through all the items.

Thanks,

_Dragos

On Thu, Aug 2, 2018 at 4:46 PM William Munyan William.Munyan@cisecurity.org
wrote:

Hey guys, I have been seeing this thread along the developer list, and I
am happy to collaborate on something like this as well.  We’ve talked about
trying something with an “Iterator” function here as well, so if there’s
work to be done, we’re happy to help.

Cheers,

-Bill M.

From: OVAL_Developer oval_developer-bounces@lists.cisecurity.org On Behalf Of David Solin
Sent: Thursday, August 2, 2018 4:08 PM
To: Dragos Prisaca dprisaca@gmail.com
Cc: oval_developer@lists.cisecurity.org
Subject: Re: [OVAL DEVELOPER] multi path check in OVAL

It’s funny, I’ve been trying on and off to propose something like an
InstanceFunctionType to do that for several years … but we keep coming up
with work-arounds like this!

Even just describing what exactly iteration would mean in the context of
OVAL is a fairly complicated business, and as you know OVAL already has a
steep (yet also long!) learning curve.  If you have any ideas I’d be happy
to collaborate.

Best regards,

—David Solin

On Aug 2, 2018, at 2:40 PM, Dragos Prisaca dprisaca@gmail.com wrote:

Thank you so much David! I believe your proposed solution works for me.

Also, would be nice if OVAL language can be updated to allow iteration
through variable’s values.

Respectfully,

_Dragos.

On Aug 1, 2018, at 4:09 PM, David Solin solin@jovalcm.com wrote:

Hi Dragos,

Your sample appears to check that:

  1. All instances of config.xml under a /HOSTS/[hostname] directory contain
    a <foo>bar</foo>

  2. There is at least one [hostname] subdirectory containing a config.xml

As you know it does not check that under each /HOSTS/[hostname] directory,
there exists at least one config.xml containing <foo>bar</foo>.

What I think you could do to assert this would be:

  1. Create an xmlfilecontent_object with a filter, representing all the
    config.xml files found under /HOSTS containing a <foo>bar</foo>

  2. Create a variable_object representing all the unique directory names
    under /HOSTS

  3. Create a variable_object representing all the unique pathname
    captures from the xmlfilecontent_object with the filter described in #1

Then, write a variable_test asserting equivalence of the values of objects
2 and 3, using object 2 as the object, and in the state, a var_ref to
object 3 with @var_check=“only one”.

That would assert that for each discrete value of an item for object 2,
there is only one discrete value for an item of object 3 that matches it.

Alternatively, you could simply count the number of items for 2 and 3, and
compare those values.

I believe that would do what you want, either way.

WDYT?

Best regards,

—David Solin

On Aug 1, 2018, at 2:04 PM, Dragos Prisaca dprisaca@gmail.com wrote:

Thank you for the response David!

I’ve attached an example of my test. I can check all the files to see if
they have the required setting. I can collect all the host names (i.e.
exampleHost1, 2, 3 ...):

<variable_item id="1" status="exists" ...>
<var_ref datatype="string">oval:com.test.app:var:11502</var_ref>
<value datatype="string">exampleHost1</value>
<value datatype="string">exampleHost2</value>
<value datatype="string">exampleHost3</value>
</variable_item>

But I can’t iterate through the values of the item id=“1” and see if every
host->config.xml has <foo>bar</>. It would have been easy if there are
multiple items instead of a variable_item with multiple entities.

How should the test look like, so the following configuration fails?

/opt/HOSTS/
├── exampleHost1
│  ├── tmp
│  │  └── config.xml
│  └── tmp2
│      └── config.xml
├── exampleHost2
│  └── tmp
│      └── No config xml file
└── exampleHost3
    └── tmp
        └── config.xml
...

Respectfully,

_Dragos.

<oval-def-115.xml>

On Aug 1, 2018, at 9:13 AM, David Solin solin@jovalcm.com wrote:

Hi Dragos,

You can create a test for this condition for each subdirectory (i.e.,
exampleHOST1), but you cannot create a single test encompassing both
subdirectories.  Is that the issue?

I believe in order to do so, it would have to be possible to force an OVAL
variable to iterate across multiple values during an evaluation (having
only one value at a time), instead of its having multiple values at the
same time — if that makes sense.

Is that what you’re thinking?

Best regards,
—David Solin

On Aug 1, 2018, at 6:46 AM, Dragos Prisaca dprisaca@gmail.com wrote:

Good Morning,

I’ve come across an interesting issue within the xml file content test. If
there are any resolutions to this issue I’d be appreciative in hearing your
thoughts.

ISSUE: On a Linux target, I’m trying to verify at least one of each HOSTS
file within multiple directory trees contains a specific xml element set to
a certain value.

EXAMPLE: I’m looking for AT LEAST ONE config.xml file containing the
element <foo>bar</foo> for each of the 2 HOST directories. The directory
structure could look like the following:

/HOSTS/exampleHOST1/tmp/jack/config.xml
/HOSTS/exampleHOST1/tmp/ryan/config.xml
/HOSTS/exampleHOST1/tmp/lisa/config.xml
/HOSTS/exampleHOST2/tmp/sam/psl/config.xml
/HOSTS/exampleHOST2/tmp/bob/config.xml

To clarify, exampleHOST1 and exampleHOST2 both need AT LEAST ONE
config.xml containing the element <foo>bar</foo>.
The exampleHOST names are not known.

THOUGHTS: I’m not sure if this can be implemented in OVAL.

Respectfully,
_Dragos.



DS
David Solin
Thu, Aug 2, 2018 10:01 PM

I don’t think that solves any underlying problem.  Evaluation against a multi-valued item entity can already be controlled using the entity_check state attribute.  Or, maybe I just don’t understand what you mean.

What is not present in OVAL is a way for a multi-valued variable to take on only one value at a time when used in the context of an object var_ref...

On Aug 2, 2018, at 4:33 PM, Dragos Prisaca dprisaca@gmail.com wrote:

I am wondering if this issue can't be easily resolved with a function that will convert variable's value entities to items.
For instance, the following item:
<variable_item status="exists" id="1"...>
<value>1</value>
<value>2</value>
</variable_item>

will be converted to 2 items (because there are 2 values):
<variable_item status="exists" id="10"...>
<value>1</value>
</variable_item>
<variable_item status="exists" id="11"...>
<value>2</value>
</variable_item>

I think this may allow authors to create a test with check="all" that will iterate through all the items.

Thanks,
_Dragos

On Thu, Aug 2, 2018 at 4:46 PM William Munyan <William.Munyan@cisecurity.org> wrote:
Hey guys, I have been seeing this thread along the developer list, and I am happy to collaborate on something like this as well.  We’ve talked about trying something with an “Iterator” function here as well, so if there’s work to be done, we’re happy to help.

Cheers,

-Bill M.

From: OVAL_Developer <oval_developer-bounces@lists.cisecurity.org> On Behalf Of David Solin
Sent: Thursday, August 2, 2018 4:08 PM
To: Dragos Prisaca <dprisaca@gmail.com>
Cc: oval_developer@lists.cisecurity.org
Subject: Re: [OVAL DEVELOPER] multi path check in OVAL

It’s funny, I’ve been trying on and off to propose something like an InstanceFunctionType to do that for several years … but we keep coming up with work-arounds like this!

Even just describing what exactly iteration would mean in the context of OVAL is a fairly complicated business, and as you know OVAL already has a steep (yet also long!) learning curve.  If you have any ideas I’d be happy to collaborate.

Best regards,

—David Solin

On Aug 2, 2018, at 2:40 PM, Dragos Prisaca <dprisaca@gmail.com> wrote:

Thank you so much David! I believe your proposed solution works for me.

Also, would be nice if OVAL language can be updated to allow iteration through variable’s values.

Respectfully,

_Dragos.

On Aug 1, 2018, at 4:09 PM, David Solin <solin@jovalcm.com> wrote:

Hi Dragos,

Your sample appears to check that:

  1. All instances of config.xml under a /HOSTS/[hostname] directory contain a <foo>bar</foo>

  2. There is at least one [hostname] subdirectory containing a config.xml

As you know it does not check that under each /HOSTS/[hostname] directory, there exists at least one config.xml containing <foo>bar</foo>.

What I think you could do to assert this would be:

  1. Create an xmlfilecontent_object with a filter, representing all the config.xml files found under /HOSTS containing a <foo>bar</foo>

  2. Create a variable_object representing all the unique directory names under /HOSTS

  3. Create a variable_object representing all the unique pathname captures from the xmlfilecontent_object with the filter described in #1

Then, write a variable_test asserting equivalence of the values of objects 2 and 3, using object 2 as the object, and in the state, a var_ref to object 3 with @var_check=“only one”.

That would assert that for each discrete value of an item for object 2, there is only one discrete value for an item of object 3 that matches it.

Alternatively, you could simply count the number of items for 2 and 3, and compare those values.

I believe that would do what you want, either way.

WDYT?

Best regards,

—David Solin

On Aug 1, 2018, at 2:04 PM, Dragos Prisaca <dprisaca@gmail.com> wrote:

Thank you for the response David!

I’ve attached an example of my test. I can check all the files to see if they have the required setting. I can collect all the host names (i.e. exampleHost1, 2, 3 ...):

<variable_item id="1" status="exists" ...>
<var_ref datatype="string">oval:com.test.app:var:11502</var_ref>
<value datatype="string">exampleHost1</value>
<value datatype="string">exampleHost2</value>
<value datatype="string">exampleHost3</value>
</variable_item>

But I can’t iterate through the values of the item id=“1” and see if every host->config.xml has <foo>bar</>. It would have been easy if there are multiple items instead of a variable_item with multiple entities.

What should the test look like, so the following configuration fails?

/opt/HOSTS/
├── exampleHost1
│   ├── tmp
│   │   └── config.xml
│   └── tmp2
│       └── config.xml
├── exampleHost2
│   └── tmp
│       └── No config xml file
└── exampleHost3
    └── tmp
        └── config.xml
...

Respectfully,

_Dragos.

<oval-def-115.xml>

On Aug 1, 2018, at 9:13 AM, David Solin <solin@jovalcm.com> wrote:

Hi Dragos,

You can create a test for this condition for each subdirectory (i.e., exampleHOST1), but you cannot create a single test encompassing both subdirectories.  Is that the issue?

I believe in order to do so, it would have to be possible to force an OVAL variable to iterate across multiple values during an evaluation (having only one value at a time), instead of its having multiple values at the same time — if that makes sense.

Is that what you’re thinking?

Best regards,
—David Solin

On Aug 1, 2018, at 6:46 AM, Dragos Prisaca <dprisaca@gmail.com> wrote:

Good Morning,

I’ve come across an interesting issue within the xml file content test. If there are any resolutions to this issue I’d be appreciative in hearing your thoughts.

ISSUE: On a Linux target, I’m trying to verify at least one of each HOSTS file within multiple directory trees contains a specific xml element set to a certain value.

EXAMPLE: I’m looking for AT LEAST ONE config.xml file containing the element <foo>bar</foo> for each of the 2 HOST directories. The directory structure could look like the following:

/HOSTS/exampleHOST1/tmp/jack/config.xml
/HOSTS/exampleHOST1/tmp/ryan/config.xml
/HOSTS/exampleHOST1/tmp/lisa/config.xml
/HOSTS/exampleHOST2/tmp/sam/psl/config.xml
/HOSTS/exampleHOST2/tmp/bob/config.xml

To clarify, exampleHOST1 and exampleHOST2 both need AT LEAST ONE config.xml containing the element <foo>bar</foo>.
The exampleHOST names are not known.

THOUGHTS: I’m not sure if this can be implemented in OVAL.

Respectfully,
_Dragos.


OVAL_Developer mailing list
OVAL_Developer@lists.cisecurity.org
http://lists.cisecurity.org/mailman/listinfo/oval_developer_lists.cisecurity.org


DP
Dragos Prisaca
Thu, Aug 2, 2018 10:42 PM

Exactly, the convert function will take the multi-valued variable and
convert it to a multi-items variable that can be used in the context of an
object var_ref.

On Thu, Aug 2, 2018 at 6:01 PM David Solin solin@jovalcm.com wrote:

I don’t think that solves any underlying problem.  Evaluation against a
multi-valued item entity can already be controlled using the entity_check
state attribute.  Or, maybe I just don’t understand what you mean.

What is not present in OVAL is a way for a multi-valued variable to take
on only one value at a time when used in the context of an object var_ref...


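The two checks contrasted in this thread, as an added reference model in Python (not OVAL content and not code from any poster): it runs the "all files" check and the quoted set-equivalence workaround, plus its count variant, against the directory layout Dragos posted. File contents, the `<config>` wrapper element and all function names are constructed for illustration.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

GOOD = "<config><foo>bar</foo></config>"   # constructed sample content
BAD = "<config><foo>baz</foo></config>"    # constructed sample content
MALFORMED = "<config><foo>bar"             # constructed, not well-formed


def make_tree(root, files, empty_dirs=()):
    """Create constructed sample files ({relative path: XML text}) under root."""
    for rel in empty_dirs:
        os.makedirs(os.path.join(root, rel), exist_ok=True)
    for rel, text in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)


def has_foo_bar(path):
    """True if the file parses as XML and has a <foo> element whose text is 'bar'."""
    try:
        tree = ET.parse(path)
    except (ET.ParseError, OSError):
        return False  # unreadable or malformed files never count as compliant
    return any((el.text or "").strip() == "bar" for el in tree.iter("foo"))


def host_dirs(hosts_root):
    """Step 2 of the workaround: unique directory names directly under hosts_root."""
    return {e.name for e in os.scandir(hosts_root) if e.is_dir(follow_symlinks=False)}


def scan_configs(hosts_root, filename="config.xml"):
    """Return [(host, path, compliant)] for every config.xml below each host directory."""
    found = []
    for host in sorted(host_dirs(hosts_root)):
        for dirpath, _dirs, names in os.walk(os.path.join(hosts_root, host)):
            if filename in names:
                path = os.path.join(dirpath, filename)
                found.append((host, path, has_foo_bar(path)))
    return found


def all_files_check(hosts_root):
    """The original sample's assertion: a config.xml exists and every one is compliant."""
    found = scan_configs(hosts_root)
    return bool(found) and all(ok for _host, _path, ok in found)


def per_host_check(hosts_root):
    """Workaround: hosts captured from compliant files must equal the host directory set."""
    expected = host_dirs(hosts_root)
    compliant = {h for h, _path, ok in scan_configs(hosts_root) if ok}  # steps 1 and 3
    missing = sorted(expected - compliant)
    return (not missing and bool(expected)), missing


def per_host_check_by_count(hosts_root):
    """Count variant: valid because compliant hosts are always a subset of host dirs."""
    expected = host_dirs(hosts_root)
    compliant = {h for h, _path, ok in scan_configs(hosts_root) if ok}
    return len(expected) > 0 and len(compliant) == len(expected)


def run_checks(files, empty_dirs=()):
    """Build the layout in a temporary directory and return all three results."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "HOSTS")
        make_tree(root, files, empty_dirs)
        return all_files_check(root), per_host_check(root), per_host_check_by_count(root)


def demo_thread_layout():
    """Layout from the thread: exampleHost2 has a tmp directory but no config.xml."""
    return run_checks(
        {"exampleHost1/tmp/config.xml": GOOD,
         "exampleHost1/tmp2/config.xml": GOOD,
         "exampleHost3/tmp/config.xml": GOOD},
        empty_dirs=["exampleHost2/tmp"])


def demo_mixed_layout():
    """Every host has at least one compliant file, but not every file is compliant."""
    return run_checks(
        {"exampleHost1/tmp/jack/config.xml": GOOD,
         "exampleHost1/tmp/ryan/config.xml": BAD,
         "exampleHost2/tmp/bob/config.xml": GOOD,
         "exampleHost2/tmp/sam/psl/config.xml": MALFORMED})


if __name__ == "__main__":
    print("thread layout:", demo_thread_layout())
    print("mixed layout: ", demo_mixed_layout())
```

On the thread's layout the "all files" check passes even though exampleHost2 has no config.xml, while the per-host comparison names the missing host; on the mixed layout the results are reversed.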