oval_developer@lists.cisecurity.org

A list for people interested in developing the OVAL language.


Clarification about the domain name

Prisaca, Dragos (Assoc)
Wed, Sep 11, 2019 4:40 PM

Hello,

The OVAL user_object specifies the following: “…In a domain environment, users should be identified in the form: "domain\user name". …” What should be used for domain?
The section 2.62 – “Representation of Windows Principal Names” of the OVAL specification document (https://protect-us.mimecast.com/s/rzlHCXDXgmCXXQz9C6Tjyq?domain=github.com) references Windows SDK function LookupAccountName, which provides the NetBIOS domain name.
Should the NetBIOS domain name or DNS domain name be used for “domain”?

Respectfully,
Dragos Prisaca
NVLAP Technical Expert
NIST SCAP Validation Program | https://protect-us.mimecast.com/s/llAOCYEYjoSLL749fGqJSn?domain=scap.nist.gov

David Solin
Wed, Sep 11, 2019 5:22 PM

Hi Dragos,

In the specification document, the table on p.164 wherein the user entity of win-sc:user_item is described, said description specifically references the section you’ve noted (note however that the section number of the reference is wrong — 2.63 instead of 2.62 — but the title is the same, and if you right-click on the reference and select “update field” you’ll see that the section number updates to 2.62, so it does actually point to the correct section in the document).

This seems like conclusively strong evidence that the NetBIOS name of the domain is what’s intended to be collected.

Best regards,
—David Solin

Prisaca, Dragos (Assoc)
Fri, Sep 13, 2019 12:55 PM

Thank you David!

Any other thoughts from the community? Do we have an agreement here? Can we update the specification to clearly specify that the NetBIOS is expected?

Respectfully,
Dragos Prisaca
NVLAP Technical Expert
NIST SCAP Validation Program | https://protect-us.mimecast.com/s/YFo6CgJDA1HAAzqzHNy5T7?domain=scap.nist.gov


David Solin
Fri, Sep 13, 2019 1:09 PM

Hi Dragos,

We can certainly make it even more explicit, but… is it really even necessary?  The user_object has been part of the SCAP validation program at least since SCAP 1.2 (and probably 1.0), and as far as I know, there’s never been any question about whether the entity in question refers to anything other than the NetBIOS name of the domain.

I assume any update to the Windows specification document itself would align with the normal community process.  I’ve copied Jack (the OVAL area supervisor for Windows) in case he has any comment.

Best regards,
—David Solin

Vanderpol, Jack R CIV USN SPAWARSYSCEN LANT SC (USA)
Fri, Sep 13, 2019 1:30 PM

David,

I think clarification might be necessary for this as our team made the assumption that since Windows 2000, the DNS Domain Name IS the domain name, and that the NetBIOS domain name is there just for legacy support for Windows NT.  I’d have to go back and audit our tool over the years, but I’m guessing we’ve reported on the DNS domain for years, but since content rarely uses the domain name for anything it hasn’t been an issue.

Content could likely be written to support both DNS domain name or Netbios names as well, with either regular expressions or multiple state comparisons or’d together.

BTW, thanks for CC’ing me as I rarely, if ever, actually get emails from the OVAL developer list, and we haven’t figured out if it’s a https://protect-us.mimecast.com/s/bwkkCYEYjoSLLyjWs0D78P?domain=mail.mil issue or list serve issue; it’s been an issue ever since we transitioned from MITRE to CIS.  As an example, I didn’t get any of the thread below, just the current email that I’m explicitly on…  Adding Bryan Wilson to this, assuming he hasn’t seen any of the thread below either.

Jack Vander Pol
NIWC Atlantic
Jack.vanderpol@navy.mil

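Jack’s suggestion of content that accepts both spellings, as an added example that is not from the thread or from any OVAL tool: a regex for one account that matches either the NetBIOS or the DNS form of the domain (the kind of value an OVAL pattern match takes), plus a classifier that tells the two forms apart in collected values. The domain names, user name and sample items are constructed.

```python
import re

# Constructed sample values, in the shape a collector might report for the
# user entity of win-sc:user_item: the same domain account in the NetBIOS
# form that LookupAccountName returns and in the DNS (FQDN) form, plus
# values that must not match.
SAMPLE_USER_ITEMS = [
    r"CORP\alice",                  # NetBIOS domain form
    r"corp.example.com\alice",      # DNS domain (FQDN) form
    r"CORP\bob",                    # different user
    r"evilcorp.example.com\alice",  # different domain with a matching suffix
    r"alice",                       # local account, no domain part
]


def classify_domain(principal):
    """Split 'domain\\user' and label the domain part.

    A NetBIOS domain name contains no dots and is at most 15 characters;
    a name containing a dot is taken to be a DNS domain name.  Returns
    (domain, user, kind) where kind is 'netbios', 'dns', 'unknown' or
    'local' (no domain part at all).
    """
    if "\\" not in principal:
        return None, principal, "local"
    domain, user = principal.split("\\", 1)
    if "." in domain:
        kind = "dns"
    elif 0 < len(domain) <= 15:
        kind = "netbios"
    else:
        kind = "unknown"
    return domain, user, kind


def both_forms_pattern(netbios_domain, dns_domain, user):
    """Build one regex that accepts either spelling of the domain for a user.

    The result is a Perl-style pattern of the kind used for an OVAL
    'pattern match' operation, so a single user_state entity can cover a
    collector that reports the NetBIOS name and one that reports the FQDN.
    Matching is case-insensitive because Windows principal names are.
    """
    domains = "|".join(re.escape(d) for d in (netbios_domain, dns_domain))
    return r"(?i)^(?:%s)\\%s$" % (domains, re.escape(user))


def matching_items(pattern, items):
    """Return the collected values that the pattern accepts."""
    rx = re.compile(pattern)
    return [item for item in items if rx.match(item)]


if __name__ == "__main__":
    pattern = both_forms_pattern("CORP", "corp.example.com", "alice")
    print("pattern:", pattern)
    for item in SAMPLE_USER_ITEMS:
        print("%-28s %-8s %s" % (item, classify_domain(item)[2],
                                 "match" if re.match(pattern, item) else "-"))
```
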
Wilson, Bryan L CIV USN SPAWARSYSCEN LANT SC (USA)
Fri, Sep 13, 2019 2:06 PM

To clarify.  This in fact was an update that only impacts SCC 5.2.1.  This update was made to fix a reported bug.  What happens is that when SCC queries a domain controller for local account names, the Fully Qualified Domain Name (FQDN) or DNS name is returned.  However, it was reported that our tool was incorrectly stripping off the domain name on domain controllers.  This was replicated in our lab and the bug was fixed.  However, when this bug was fixed, the fix included using the DNS (FQDN) name instead of the stripped-down NetBIOS name.  This should only impact reviews of domain controllers for SCC; it will not impact how domain accounts are handled on member servers if they are part of a local group.

To summarize.
SCC 5.2 : On DC review, if the local system reports user names in FQDN (DNS name) form, the tool will incorrectly strip the entire domain name from the user account.  This bug was reported and replicated in our lab.
SCC 5.2.1 (latest release): On DC review, if the local system reports user names in FQDN (DNS name) form, the tool will now not strip that name entirely but will use the FQDN (DNS name) instead of the NetBIOS name. If the consensus or the OVAL standard says it should be the NetBIOS name, that will require a tool update.  This would be a trivial code update but will have to wait until the next release of SCC.

Also,

I too don’t seem to be getting emails from this mail group.  Something seems broken on my end.  Please reply all so my email is included for responses.

From: Vanderpol, Jack R CIV USN SPAWARSYSCEN LANT SC (USA) jack.r.vanderpol.civ@mail.mil
Sent: Friday, September 13, 2019 9:31 AM
To: David Solin solin@jovalcm.com; Prisaca, Dragos (Assoc) dragos.prisaca@nist.gov; Wilson, Bryan L CIV USN SPAWARSYSCEN LANT SC (USA) bryan.l.wilson.civ@mail.mil
Cc: oval_developer@lists.cisecurity.org
Subject: RE: [Non-DoD Source] Re: [OVAL DEVELOPER] Clarification about the domain name

David,

I think clarification might be necessary for this as our team made the assumption that since Windows 2000, the DNS Domain Name IS the domain name, and that the NetBIOS domain name is there just for legacy support for Windows NT.  I’d have to go back and audit our tool over the years, but I’m guessing we’ve reported on the DNS domain for years, but since content rarely uses the domain name for anything it hasn’t been an issue.

Content could likely be written to support both DNS domain name or Netbios names as well, with either regular expressions or multiple state comparisons or’d together.

BTW, thanks for CC’ing me as I rarely, if ever, actually get emails from the OVAL developer list, and we haven’t figured out if it’s a https://protect-us.mimecast.com/s/9ZHQCG6XLyH11zZNuKvRVd?domain=mail.mil issue or list serve issue, it’s been an issue ever since we transition from MITRE to CIS.  As an example, I didn’t get any of the thread below, just the current email that I’m explicitly on…  Adding Bryan Wilson to this, assuming he hasn’t seen any of the thread below either.

Jack Vander Pol
NIWC Atlantic
Jack.vanderpol@navy.mil

From: David Solin <solin@jovalcm.com>
Sent: Friday, September 13, 2019 9:09 AM
To: Prisaca, Dragos (Assoc) <dragos.prisaca@nist.gov>
Cc: oval_developer@lists.cisecurity.org; Vanderpol, Jack R CIV USN SPAWARSYSCEN LANT SC (USA) <jack.r.vanderpol.civ@mail.mil>
Subject: [Non-DoD Source] Re: [OVAL DEVELOPER] Clarification about the domain name


Hi Dragos,

We can certainly make it even more explicit, but… is it really even necessary?  The user_object has been part of the SCAP validation program at least since SCAP 1.2 (and probably 1.0), and as far as I know, there’s never been any question about whether the entity in question refers to anything other than the NetBIOS name of the domain.

I assume any update to the Windows specification document itself would align with the normal community process.  I’ve copied Jack (the OVAL area supervisor for Windows) in case he has any comment.

Best regards,
—David Solin

On Sep 13, 2019, at 7:55 AM, Prisaca, Dragos (Assoc) <dragos.prisaca@nist.gov> wrote:

Thank you David!

Any other thoughts from the community? Do we have an agreement here? Can we update the specification to clearly specify that the NetBIOS is expected?

Respectfully,
Dragos Prisaca
NVLAP Technical Expert
NIST SCAP Validation Program | https://protect-us.mimecast.com/s/qHOZCJ6KOGHqqjLWhGX-G8


From: David Solin <solin@jovalcm.com>
Sent: Wednesday, September 11, 2019 1:22 PM
To: Prisaca, Dragos (Assoc) <dragos.prisaca@nist.gov>
Cc: oval_developer@lists.cisecurity.org
Subject: Re: [OVAL DEVELOPER] Clarification about the domain name

Hi Dragos,

In the specification document, the table on p.164 wherein the user entity of win-sc:user_item is described, said description specifically references the section you’ve noted (note however that the section number of the reference is wrong — 2.63 instead of 2.62 — but the title is the same, and if you right-click on the reference and select “update field” you’ll see that the section number updates to 2.62, so it does actually point to the correct section in the document).

This seems like conclusively strong evidence that the NetBIOS name of the domain is what’s intended to be collected.

Best regards,
—David Solin

On Sep 11, 2019, at 11:40 AM, Prisaca, Dragos (Assoc) via OVAL_Developer <oval_developer@lists.cisecurity.org> wrote:

Hello,

The OVAL user_object specifies the following: “…In a domain environment, users should be identified in the form: "domain\user name". …” What should be used for domain?
The section 2.62 – “Representation of Windows Principal Names” of the OVAL specification document (https://protect-us.mimecast.com/s/9J_lCKr7PKf22RxyU38GIC) references the Windows SDK function LookupAccountName, which provides the NetBIOS domain name.
Should the NetBIOS domain name or DNS domain name be used for “domain”?

Respectfully,
Dragos Prisaca
NVLAP Technical Expert
NIST SCAP Validation Program | https://protect-us.mimecast.com/s/qHOZCJ6KOGHqqjLWhGX-G8


OVAL_Developer mailing list
OVAL_Developer@lists.cisecurity.org
https://protect-us.mimecast.com/s/L91LCNkKVQt00g5qT0ZEdf

VJ
Vanderpol, Jack R CIV USN SPAWARSYSCEN LANT SC (USA)
Fri, Sep 13, 2019 2:25 PM

Sounds like a clarification that the NetBIOS domain is the intended domain wouldn’t hurt the OVAL specification, but as David Solin mentioned, it’s likely what most tools are doing already, although it’s safer not to assume, and to define it clearly.

Also, I’m going to try to use a Gmail account to get updates from the OVAL forum. What’s really weird is that I sometimes get OVAL forum notifications on my work email, but it’s completely random, and they never go to my junk folder, etc…

Jack Vander Pol
NIWC Atlantic

From: Wilson, Bryan L CIV USN SPAWARSYSCEN LANT SC (USA) bryan.l.wilson.civ@mail.mil
Sent: Friday, September 13, 2019 10:07 AM
To: Vanderpol, Jack R CIV USN SPAWARSYSCEN LANT SC (USA) jack.r.vanderpol.civ@mail.mil; David Solin solin@jovalcm.com; Prisaca, Dragos (Assoc) dragos.prisaca@nist.gov
Cc: oval_developer@lists.cisecurity.org
Subject: RE: [Non-DoD Source] Re: [OVAL DEVELOPER] Clarification about the domain name

To clarify: this in fact was an update that only impacts SCC 5.2.1. This update was made to fix a reported bug. What happens is that when SCC queries a domain controller for local account names, they are reported with the Fully Qualified Domain Name (FQDN) or DNS name. However, it was reported that our tool was incorrectly stripping off the domain name on domain controllers. This was replicated in our lab and the bug was fixed. However, when this bug was fixed, the fix included using the DNS (FQDN) name instead of the stripped-down NetBIOS name. This should only impact reviews of domain controllers for SCC; it will not impact how domain accounts are handled on member servers if they are part of a local group.

To summarize:
SCC 5.2: On DC review, if the local system reports user names in FQDN (DNS name) form, the tool will incorrectly strip the entire domain name from the user account. This bug was reported and replicated in our lab.
SCC 5.2.1 (latest release): On DC review, if the local system reports user names in FQDN (DNS name) form, the tool will now not strip that name entirely but will use the FQDN (DNS name) instead of the NetBIOS name. If the consensus or the OVAL standard says it should be the NetBIOS name, that will require a tool update. This would be a trivial code update but will have to wait until the next release of SCC.

Also,

I too don’t seem to be getting emails from this mail group. Something seems broken on my end. Please reply-all so my email is included in responses.

From: Vanderpol, Jack R CIV USN SPAWARSYSCEN LANT SC (USA) <jack.r.vanderpol.civ@mail.mil>
Sent: Friday, September 13, 2019 9:31 AM
To: David Solin <solin@jovalcm.com>; Prisaca, Dragos (Assoc) <dragos.prisaca@nist.gov>; Wilson, Bryan L CIV USN SPAWARSYSCEN LANT SC (USA) <bryan.l.wilson.civ@mail.mil>
Cc: oval_developer@lists.cisecurity.org
Subject: RE: [Non-DoD Source] Re: [OVAL DEVELOPER] Clarification about the domain name

David,

I think clarification might be necessary for this as our team made the assumption that since Windows 2000, the DNS Domain Name IS the domain name, and that the NetBIOS domain name is there just for legacy support for Windows NT.  I’d have to go back and audit our tool over the years, but I’m guessing we’ve reported on the DNS domain for years, but since content rarely uses the domain name for anything it hasn’t been an issue.

Content could likely be written to support both the DNS domain name and the NetBIOS name as well, with either regular expressions or multiple state comparisons OR’d together.

BTW, thanks for CC’ing me, as I rarely, if ever, actually get emails from the OVAL developer list, and we haven’t figured out if it’s a mail.mil issue or a listserv issue; it’s been an issue ever since we transitioned from MITRE to CIS. As an example, I didn’t get any of the thread below, just the current email that I’m explicitly on… Adding Bryan Wilson to this, assuming he hasn’t seen any of the thread below either.

Jack Vander Pol
NIWC Atlantic
Jack.vanderpol@navy.mil

From: David Solin <solin@jovalcm.com>
Sent: Friday, September 13, 2019 9:09 AM
To: Prisaca, Dragos (Assoc) <dragos.prisaca@nist.gov>
Cc: oval_developer@lists.cisecurity.org; Vanderpol, Jack R CIV USN SPAWARSYSCEN LANT SC (USA) <jack.r.vanderpol.civ@mail.mil>
Subject: [Non-DoD Source] Re: [OVAL DEVELOPER] Clarification about the domain name


Hi Dragos,

We can certainly make it even more explicit, but… is it really even necessary?  The user_object has been part of the SCAP validation program at least since SCAP 1.2 (and probably 1.0), and as far as I know, there’s never been any question about whether the entity in question refers to anything other than the NetBIOS name of the domain.

I assume any update to the Windows specification document itself would align with the normal community process.  I’ve copied Jack (the OVAL area supervisor for Windows) in case he has any comment.

Best regards,
—David Solin

On Sep 13, 2019, at 7:55 AM, Prisaca, Dragos (Assoc) <dragos.prisaca@nist.gov> wrote:

Thank you David!

Any other thoughts from the community? Do we have an agreement here? Can we update the specification to clearly specify that the NetBIOS is expected?

Respectfully,
Dragos Prisaca
NVLAP Technical Expert
NIST SCAP Validation Program | https://protect-us.mimecast.com/s/g7s6CrkqPyt88BogCzf4OH


From: David Solin <solin@jovalcm.com>
Sent: Wednesday, September 11, 2019 1:22 PM
To: Prisaca, Dragos (Assoc) <dragos.prisaca@nist.gov>
Cc: oval_developer@lists.cisecurity.org
Subject: Re: [OVAL DEVELOPER] Clarification about the domain name

Hi Dragos,

In the specification document, the table on p.164 wherein the user entity of win-sc:user_item is described, said description specifically references the section you’ve noted (note however that the section number of the reference is wrong — 2.63 instead of 2.62 — but the title is the same, and if you right-click on the reference and select “update field” you’ll see that the section number updates to 2.62, so it does actually point to the correct section in the document).

This seems like conclusively strong evidence that the NetBIOS name of the domain is what’s intended to be collected.

Best regards,
—David Solin

On Sep 11, 2019, at 11:40 AM, Prisaca, Dragos (Assoc) via OVAL_Developer <oval_developer@lists.cisecurity.org> wrote:

Hello,

The OVAL user_object specifies the following: “…In a domain environment, users should be identified in the form: "domain\user name". …” What should be used for domain?
The section 2.62 – “Representation of Windows Principal Names” of the OVAL specification document (https://protect-us.mimecast.com/s/3j1iCv2xWKt77kKQtzMZhQ) references the Windows SDK function LookupAccountName, which provides the NetBIOS domain name.
Should the NetBIOS domain name or DNS domain name be used for “domain”?

Respectfully,
Dragos Prisaca
NVLAP Technical Expert
NIST SCAP Validation Program | https://protect-us.mimecast.com/s/g7s6CrkqPyt88BogCzf4OH



DS
David Solin
Fri, Sep 13, 2019 8:20 PM

Hi Bryan and Jack,

The Windows specification document is riddled with references to the Windows API LookupAccountName and LookupAccountSid functions for resolving back-and-forth between SIDs and trustee names.  I checked and these references go back at least as far as OVAL 5.10.1 (SCAP 1.2):
https://protect-us.mimecast.com/s/EzErCPNK0XtK4rgBSz79TJ?domain=oval.mitre.org

These functions go way, way back; both use the NetBIOS domain name.  This is the very first I’ve heard of anyone considering using a(n) FQDN in this context.

In fact, if you go back to the last such object added to the OVAL language — the ntuser_test proposal (which I believe originated from SPAWAR), you’ll see in the sample results that the username entity there was intended to use the NetBIOS domain names as well; see:
https://protect-us.mimecast.com/s/Sq0nCQWKYZuk6EVnfPoSFB?domain=github.com

So, I really do think that’s long been the understanding, even within SPAWAR.

Of course, we are almost 20 years into the 21st century now.  Microsoft has done lots with UPNs and adding layers of cruft to obscure the underlying fact that Windows Domains are these ancient things whose names can really be no longer than 15 characters.  BUT, I have always thought that exploring that particular brave new world was a job best left in OVAL to the even more mysterious and obscure ind-def:ldap_test and win-def:activedirectory_test.

I’ve also looped in Bill Munyan, in case he’s having email list problems as well.

Best regards,
—David Solin

On Sep 13, 2019, at 9:06 AM, Wilson, Bryan L CIV USN SPAWARSYSCEN LANT SC (USA) bryan.l.wilson.civ@mail.mil wrote:

To clarify: this in fact was an update that only impacts SCC 5.2.1. This update was made to fix a reported bug. What happens is that when SCC queries a domain controller for local account names, they are reported with the Fully Qualified Domain Name (FQDN) or DNS name. However, it was reported that our tool was incorrectly stripping off the domain name on domain controllers. This was replicated in our lab and the bug was fixed. However, when this bug was fixed, the fix included using the DNS (FQDN) name instead of the stripped-down NetBIOS name. This should only impact reviews of domain controllers for SCC; it will not impact how domain accounts are handled on member servers if they are part of a local group.

To summarize:
SCC 5.2: On DC review, if the local system reports user names in FQDN (DNS name) form, the tool will incorrectly strip the entire domain name from the user account.  This bug was reported and replicated in our lab.
SCC 5.2.1 (latest release): On DC review, if the local system reports user names in FQDN (DNS name) form, the tool will now not strip that name entirely but will use the FQDN (DNS name) instead of the NetBIOS name.  If the consensus or the OVAL standard says it should be the NetBIOS name, that will require a tool update.  This would be a trivial code update but will have to wait until the next release of SCC.

Also,

I too don’t seem to be getting emails from this mail group.  Something seems broken on my end.  Please reply all so my email is included in responses.

From: Vanderpol, Jack R CIV USN SPAWARSYSCEN LANT SC (USA) <jack.r.vanderpol.civ@mail.mil>
Sent: Friday, September 13, 2019 9:31 AM
To: David Solin <solin@jovalcm.com>; Prisaca, Dragos (Assoc) <dragos.prisaca@nist.gov>; Wilson, Bryan L CIV USN SPAWARSYSCEN LANT SC (USA) <bryan.l.wilson.civ@mail.mil>
Cc: oval_developer@lists.cisecurity.org
Subject: RE: [Non-DoD Source] Re: [OVAL DEVELOPER] Clarification about the domain name

David,

I think clarification might be necessary for this as our team made the assumption that since Windows 2000, the DNS Domain Name IS the domain name, and that the NetBIOS domain name is there just for legacy support for Windows NT.  I’d have to go back and audit our tool over the years, but I’m guessing we’ve reported on the DNS domain for years, but since content rarely uses the domain name for anything it hasn’t been an issue.

Content could likely be written to support both DNS domain names and NetBIOS names as well, with either regular expressions or multiple state comparisons OR’d together.

BTW, thanks for CC’ing me, as I rarely, if ever, actually get emails from the OVAL developer list, and we haven’t figured out if it’s a mail.mil issue or a listserv issue; it’s been an issue ever since we transitioned from MITRE to CIS.  As an example, I didn’t get any of the thread below, just the current email that I’m explicitly on…  Adding Bryan Wilson to this, assuming he hasn’t seen any of the thread below either.

Jack Vander Pol
NIWC Atlantic
Jack.vanderpol@navy.mil

From: David Solin <solin@jovalcm.com>
Sent: Friday, September 13, 2019 9:09 AM
To: Prisaca, Dragos (Assoc) <dragos.prisaca@nist.gov>
Cc: oval_developer@lists.cisecurity.org; Vanderpol, Jack R CIV USN SPAWARSYSCEN LANT SC (USA) <jack.r.vanderpol.civ@mail.mil>
Subject: [Non-DoD Source] Re: [OVAL DEVELOPER] Clarification about the domain name

Hi Dragos,

We can certainly make it even more explicit, but… is it really even necessary?  The user_object has been part of the SCAP validation program at least since SCAP 1.2 (and probably 1.0), and as far as I know, there’s never been any question about whether the entity in question refers to anything other than the NetBIOS name of the domain.

I assume any update to the Windows specification document itself would align with the normal community process.  I’ve copied Jack (the OVAL area supervisor for Windows) in case he has any comment.

Best regards,
—David Solin

On Sep 13, 2019, at 7:55 AM, Prisaca, Dragos (Assoc) <dragos.prisaca@nist.gov> wrote:

Thank you David!

Any other thoughts from the community? Do we have an agreement here? Can we update the specification to clearly specify that the NetBIOS is expected?

Respectfully,
Dragos Prisaca
NVLAP Technical Expert
NIST SCAP Validation Program | https://protect-us.mimecast.com/s/tLfvC2kqjztpkJrLFvrJOQ

From: David Solin <solin@jovalcm.com>
Sent: Wednesday, September 11, 2019 1:22 PM
To: Prisaca, Dragos (Assoc) <dragos.prisaca@nist.gov>
Cc: oval_developer@lists.cisecurity.org
Subject: Re: [OVAL DEVELOPER] Clarification about the domain name

Hi Dragos,

In the specification document, the table on p.164 wherein the user entity of win-sc:user_item is described, said description specifically references the section you’ve noted (note however that the section number of the reference is wrong — 2.63 instead of 2.62 — but the title is the same, and if you right-click on the reference and select “update field” you’ll see that the section number updates to 2.62, so it does actually point to the correct section in the document).

This seems like conclusively strong evidence that the NetBIOS name of the domain is what’s intended to be collected.

Best regards,
—David Solin

On Sep 11, 2019, at 11:40 AM, Prisaca, Dragos (Assoc) via OVAL_Developer <oval_developer@lists.cisecurity.org> wrote:

Hello,

The OVAL user_object specifies the following: “…In a domain environment, users should be identified in the form: "domain\user name". …” What should be used for domain?
The section 2.62 – “Representation of Windows Principal Names” of the OVAL specification document (https://protect-us.mimecast.com/s/vUPVC31rkBSpmJ3jFjxJuM) references Windows SDK function LookupAccountName, which provides the NetBIOS domain name.
Should the NetBIOS domain name or DNS domain name be used for “domain”?

Respectfully,
Dragos Prisaca
NVLAP Technical Expert
NIST SCAP Validation Program | https://protect-us.mimecast.com/s/tLfvC2kqjztpkJrLFvrJOQ


OVAL_Developer mailing list
OVAL_Developer@lists.cisecurity.org
https://protect-us.mimecast.com/s/oAUnC68xnLSroAkRhDM1zM
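The thread settles on the NetBIOS domain name for the domain part of a collected user entity, while Jack notes that content could tolerate either form with a regular expression. As an added example (not code from OVAL, SCC or anyone on the list), the checker below parses "domain\user" values, flags FQDN-form entries of the kind SCC 5.2.1 emitted on domain controllers, rewrites them with an assumed FQDN-to-NetBIOS map, and builds the either-form pattern; the sample values are constructed.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# NetBIOS domain names are flat: no dots and at most 15 characters
# (the limit David mentions in the thread). The character class is an
# assumption covering ordinary alphanumeric, hyphen and underscore names.
_NETBIOS_RE = re.compile(r"^[A-Za-z0-9_-]{1,15}$")
# A DNS domain name (FQDN) has at least one label separator.
_DNS_RE = re.compile(r"^(?=.{1,253}$)[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$")


@dataclass(frozen=True)
class Principal:
    domain: str  # domain part as written; "" for an account with no domain
    user: str
    form: str    # "netbios", "dns", "local" or "invalid"


def parse_principal(value: str) -> Principal:
    """Split a collected user entity ("domain\\user") and classify the domain part.

    A single-label DNS domain is indistinguishable from a NetBIOS name here,
    so it is reported as "netbios"; only a dotted name is classed as "dns".
    """
    if "\\" not in value:
        return Principal("", value, "local" if value else "invalid")
    domain, _, user = value.partition("\\")
    if not user or "\\" in user:
        return Principal(domain, user, "invalid")
    if _NETBIOS_RE.match(domain):
        return Principal(domain, user, "netbios")
    if _DNS_RE.match(domain):
        return Principal(domain, user, "dns")
    return Principal(domain, user, "invalid")


def to_netbios(value: str, dns_to_netbios: dict[str, str]) -> str:
    """Rewrite an FQDN-form principal to the NetBIOS form the spec expects.

    dns_to_netbios maps lower-cased FQDNs to NetBIOS names; it is assumed to
    come from the assessor's own domain inventory (on a live host,
    LookupAccountName returns the NetBIOS name directly). Values already in
    NetBIOS or local form are returned unchanged.
    """
    p = parse_principal(value)
    if p.form != "dns":
        return value
    try:
        return f"{dns_to_netbios[p.domain.lower()]}\\{p.user}"
    except KeyError:
        raise ValueError(f"no NetBIOS name known for DNS domain {p.domain!r}") from None


def either_form_regex(netbios: str, fqdn: str, user: str) -> re.Pattern[str]:
    """Regex for a 'pattern match' state that accepts the user under either the
    NetBIOS or the DNS domain name, the tolerant approach Jack suggests."""
    alternatives = "|".join(re.escape(d) for d in (netbios, fqdn))
    return re.compile(rf"(?i)^(?:{alternatives})\\{re.escape(user)}$")


def audit_items(values: list[str], dns_to_netbios: dict[str, str]) -> list[tuple[str, str]]:
    """Return (normalised value, finding) for each collected user entity,
    flagging anything that is not already in the NetBIOS form."""
    report = []
    for v in values:
        p = parse_principal(v)
        if p.form == "netbios":
            report.append((v, "ok"))
        elif p.form == "dns":
            report.append((to_netbios(v, dns_to_netbios), "rewritten from FQDN"))
        elif p.form == "local":
            report.append((v, "local account, no domain"))
        else:
            report.append((v, "invalid principal"))
    return report


# Constructed sample: what a collector might report on a domain controller,
# mixing the expected NetBIOS form with the FQDN form SCC 5.2.1 emitted.
SAMPLE_DOMAIN_MAP = {"corp.example.com": "CORP"}
SAMPLE_ITEMS = ["CORP\\alice", "corp.example.com\\bob", "Administrator", "\\carol"]

if __name__ == "__main__":
    for value, finding in audit_items(SAMPLE_ITEMS, SAMPLE_DOMAIN_MAP):
        print(f"{value:28} {finding}")
```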

VJ
Vanderpol, Jack R CIV USN SPAWARSYSCEN LANT SC (USA)
Mon, Sep 16, 2019 12:23 PM

David,

We are in full agreement.  Bryan stated we just introduced FQDN in a recent release, and it is a bug we need to fix, although that may not have been entirely clear in his email.  We will be using NetBIOS going forward.

Might not hurt to add a couple words to OVAL documentation to make it completely clear though.

Jack

From: David Solin <solin@jovalcm.com>
Sent: Friday, September 13, 2019 4:21 PM
To: Wilson, Bryan L CIV USN SPAWARSYSCEN LANT SC (USA) <bryan.l.wilson.civ@mail.mil>; Vanderpol, Jack R CIV USN SPAWARSYSCEN LANT SC (USA) <jack.r.vanderpol.civ@mail.mil>
Cc: Prisaca, Dragos (Assoc) <dragos.prisaca@nist.gov>; oval_developer@lists.cisecurity.org; William Munyan <William.Munyan@cisecurity.org>
Subject: Re: [Non-DoD Source] Re: [OVAL DEVELOPER] Clarification about the domain name

for Windows NT. I’d have to go back and audit our tool over the years, but I’m guessing we’ve reported on the DNS domain for years, but since content rarely uses the domain name for anything it hasn’t been an issue. Content could likely be written to support both DNS domain name or Netbios names as well, with either regular expressions or multiple state comparisons or’d together. BTW, thanks for CC’ing me as I rarely, if ever, actually get emails from the OVAL developer list, and we haven’t figured out if it’s a https://protect-us.mimecast.com/s/ZtagCv2xWKt7WW3XHz8HOW?domain=mail.mil issue or list serve issue, it’s been an issue ever since we transition from MITRE to CIS. As an example, I didn’t get any of the thread below, just the current email that I’m explicitly on… Adding Bryan Wilson to this, assuming he hasn’t seen any of the thread below either. Jack Vander Pol NIWC Atlantic Jack.vanderpol@navy.mil<mailto:Jack.vanderpol@navy.mil> < Caution-mailto:Jack.vanderpol@navy.mil > From: David Solin <solin@jovalcm.com < Caution-mailto:solin@jovalcm.com <mailto:solin@jovalcm.com %3c Caution-mailto:solin@jovalcm.com > > > Sent: Friday, September 13, 2019 9:09 AM To: Prisaca, Dragos (Assoc) <dragos.prisaca@nist.gov < Caution-mailto:dragos.prisaca@nist.gov <mailto:dragos.prisaca@nist.gov %3c Caution-mailto:dragos.prisaca@nist.gov > > > Cc: oval_developer@lists.cisecurity.org<mailto:oval_developer@lists.cisecurity.org> < Caution-mailto:oval_developer@lists.cisecurity.org > ; Vanderpol, Jack R CIV USN SPAWARSYSCEN LANT SC (USA) <jack.r.vanderpol.civ@mail.mil < Caution-mailto:jack.r.vanderpol.civ@mail.mil <mailto:jack.r.vanderpol.civ@mail.mil %3c Caution-mailto:jack.r.vanderpol.civ@mail.mil > > > Subject: [Non-DoD Source] Re: [OVAL DEVELOPER] Clarification about the domain name All active links contained in this email were disabled. 
Please verify the identity of the sender, and confirm the authenticity of all links contained within the message prior to copying and pasting the address to a Web browser. ________________________________ Hi Dragos, We can certainly make it even more explicit, but… is it really even necessary? The user_object has been part of the SCAP validation program at least since SCAP 1.2 (and probably 1.0), and as far as I know, there’s never been any question about whether the entity in question refers to anything other than the NetBIOS name of the domain. I assume any update to the Windows specification document itself would align with the normal community process. I’ve copied Jack (the OVAL area supervisor for Windows) in case he has any comment. Best regards, —David Solin On Sep 13, 2019, at 7:55 AM, Prisaca, Dragos (Assoc) <dragos.prisaca@nist.gov < Caution-Caution-mailto:dragos.prisaca@nist.gov < Caution-mailto:dragos.prisaca@nist.gov%C2%A0%3c%C2%A0Caution-Caution-mailto:dragos.prisaca@nist.gov%C2%A0 <mailto:dragos.prisaca@nist.gov %3c Caution-Caution-mailto:dragos.prisaca@nist.gov  %3c Caution-mailto:dragos.prisaca@nist.gov%C2%A0%3c%C2%A0Caution-Caution-mailto:dragos.prisaca@nist.gov%C2%A0 > > > > wrote: Thank you David! Any other thoughts from the community? Do we have an agreement here? Can we update the specification to clearly specify that the NetBIOS is expected? 
Respectfully, Dragos Prisaca NVLAP Technical Expert NIST SCAP Validation Program | https://protect-us.mimecast.com/s/27Z6CwpyXMSGLLWpUKRw5W < https://protect-us.mimecast.com/s/SSxNCxkzYOt1JJ3OURNTiH > < https://protect-us.mimecast.com/s/27Z6CwpyXMSGLLWpUKRw5W < https://protect-us.mimecast.com/s/SSxNCxkzYOt1JJ3OURNTiH > > ________________________________ From: David Solin <solin@jovalcm.com < Caution-Caution-mailto:solin@jovalcm.com < Caution-mailto:solin@jovalcm.com%C2%A0%3c%C2%A0Caution-Caution-mailto:solin@jovalcm.com%C2%A0 <mailto:solin@jovalcm.com %3c Caution-Caution-mailto:solin@jovalcm.com  %3c Caution-mailto:solin@jovalcm.com%C2%A0%3c%C2%A0Caution-Caution-mailto:solin@jovalcm.com%C2%A0 > > > > Sent: Wednesday, September 11, 2019 1:22 PM To: Prisaca, Dragos (Assoc) <dragos.prisaca@nist.gov < Caution-Caution-mailto:dragos.prisaca@nist.gov < Caution-mailto:dragos.prisaca@nist.gov%C2%A0%3c%C2%A0Caution-Caution-mailto:dragos.prisaca@nist.gov%C2%A0 <mailto:dragos.prisaca@nist.gov %3c Caution-Caution-mailto:dragos.prisaca@nist.gov  %3c Caution-mailto:dragos.prisaca@nist.gov%C2%A0%3c%C2%A0Caution-Caution-mailto:dragos.prisaca@nist.gov%C2%A0 > > > > Cc: oval_developer@lists.cisecurity.org<mailto:oval_developer@lists.cisecurity.org> < Caution-mailto:oval_developer@lists.cisecurity.org > < Caution-Caution-mailto:oval_developer@lists.cisecurity.org < Caution-mailto:oval_developer@lists.cisecurity.org > > <oval_developer@lists.cisecurity.org < Caution-Caution-mailto:oval_developer@lists.cisecurity.org < Caution-mailto:oval_developer@lists.cisecurity.org%C2%A0%3c%C2%A0Caution-Caution-mailto:oval_developer@lists.cisecurity.org%C2%A0 <mailto:oval_developer@lists.cisecurity.org %3c Caution-Caution-mailto:oval_developer@lists.cisecurity.org  %3c Caution-mailto:oval_developer@lists.cisecurity.org%C2%A0%3c%C2%A0Caution-Caution-mailto:oval_developer@lists.cisecurity.org%C2%A0 > > > > Subject: Re: [OVAL DEVELOPER] Clarification about the domain name Hi Dragos, In the 
specification document, the table on p.164 wherein the user entity of win-sc:user_item is described, said description specifically references the section you’ve noted (note however that the section number of the reference is wrong — 2.63 instead of 2.62 — but the title is the same, and if you right-click on the reference and select “update field” you’ll see that the section number updates to 2.62, so it does actually point to the correct section in the document). This seems like conclusively strong evidence that the NetBIOS name of the domain is what’s intended to be collected. Best regards, —David Solin On Sep 11, 2019, at 11:40 AM, Prisaca, Dragos (Assoc) via OVAL_Developer <oval_developer@lists.cisecurity.org < Caution-Caution-mailto:oval_developer@lists.cisecurity.org < Caution-mailto:oval_developer@lists.cisecurity.org%C2%A0%3c%C2%A0Caution-Caution-mailto:oval_developer@lists.cisecurity.org%C2%A0 <mailto:oval_developer@lists.cisecurity.org %3c Caution-Caution-mailto:oval_developer@lists.cisecurity.org  %3c Caution-mailto:oval_developer@lists.cisecurity.org%C2%A0%3c%C2%A0Caution-Caution-mailto:oval_developer@lists.cisecurity.org%C2%A0 > > > > wrote: Hello, The OVAL user_object specifies the following: “…In a domain environment, users should be identified in the form: "domain\user name". …” What should be used for domain? The section 2.62 – “Representation of Windows Principal Names” of the OVAL specification document (https://protect-us.mimecast.com/s/bMc2CyPAZQHrNNRncAGnwt < https://protect-us.mimecast.com/s/Y4nrCzp41VSMRRALiBaH_K > < https://protect-us.mimecast.com/s/YBY1CADXBjCN99zYsOoJmP < https://protect-us.mimecast.com/s/UUoZCBBXDlf7VVOoH73lct > > ) references Windows SDK function LookupAccountName, which provides the NetBIOS domain name. Should the NetBIOS domain name or DNS domain name be used for “domain”? 
Respectfully, Dragos Prisaca NVLAP Technical Expert NIST SCAP Validation Program | https://protect-us.mimecast.com/s/27Z6CwpyXMSGLLWpUKRw5W < https://protect-us.mimecast.com/s/SSxNCxkzYOt1JJ3OURNTiH > < https://protect-us.mimecast.com/s/pTFQCDkZGpt5BBkPHn6_LU < https://protect-us.mimecast.com/s/F8aZCERXJri3WWNPiK-uWV > > _______________________________________________ OVAL_Developer mailing list OVAL_Developer@lists.cisecurity.org<mailto:OVAL_Developer@lists.cisecurity.org> < Caution-mailto:OVAL_Developer@lists.cisecurity.org > < Caution-Caution-mailto:OVAL_Developer@lists.cisecurity.org < Caution-mailto:OVAL_Developer@lists.cisecurity.org > > https://protect-us.mimecast.com/s/TM3ECG6XLyH1JJQgUBHIpM < https://protect-us.mimecast.com/s/UI60CJ6KOGHq88DXt8uApj > < https://protect-us.mimecast.com/s/IoIJCKr7PKf2qqGJFXvCmf < https://protect-us.mimecast.com/s/8XVrCL91QMfRPPZvFxTEyk > >
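Jack's point above, that content can be written to tolerate either form of the domain name until collectors converge on NetBIOS, as an added example that is not part of the thread, the SCC tool or the OVAL project: a complete OVAL definition whose win-def:user_object matches the user entity with a pattern that accepts both the NetBIOS form (EXAMPLE\svc_backup, which is what LookupAccountName returns) and the DNS form (example.com\svc_backup, which SCC 5.2.1 reports on a domain controller). The OVAL ids, the domain names EXAMPLE and example.com, the account name svc_backup and the generator values are hypothetical.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the mailing-list thread or the OVAL project.
     Ids, domain names, account name and generator values are hypothetical. -->
<oval_definitions
    xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
    xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5"
    xmlns:win-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">

  <generator>
    <oval:product_name>hand-written example</oval:product_name>
    <oval:schema_version>5.11.2</oval:schema_version>
    <oval:timestamp>2019-09-13T00:00:00</oval:timestamp>
  </generator>

  <definitions>
    <definition id="oval:example.org:def:1" version="1" class="compliance">
      <metadata>
        <title>Domain service account svc_backup is disabled</title>
        <description>Passes whether the collector reports the account as
          EXAMPLE\svc_backup (NetBIOS domain) or example.com\svc_backup
          (DNS domain), so a collector that emits either form is handled.</description>
      </metadata>
      <criteria>
        <criterion test_ref="oval:example.org:tst:1"
                   comment="svc_backup exists in either domain form and is disabled"/>
      </criteria>
    </definition>
  </definitions>

  <tests>
    <!-- check_existence: the object must match at least one collected user,
         check="all": every matched user must satisfy the state. -->
    <win-def:user_test id="oval:example.org:tst:1" version="1"
                       check="all" check_existence="at_least_one_exists"
                       comment="svc_backup is disabled">
      <win-def:object object_ref="oval:example.org:obj:1"/>
      <win-def:state state_ref="oval:example.org:ste:1"/>
    </win-def:user_test>
  </tests>

  <objects>
    <win-def:user_object id="oval:example.org:obj:1" version="1"
                         comment="svc_backup by NetBIOS or DNS domain name">
      <!-- Pattern match instead of equals: the alternation covers both domain
           forms, (?i) makes it case-insensitive (Windows trustee names are),
           the dot in the DNS name is escaped, and the backslash separating
           domain and user is doubled because it is a regex metacharacter. -->
      <win-def:user operation="pattern match">^(?i)(EXAMPLE|example\.com)\\svc_backup$</win-def:user>
    </win-def:user_object>
  </objects>

  <states>
    <win-def:user_state id="oval:example.org:ste:1" version="1"
                        comment="account is disabled">
      <win-def:enabled datatype="boolean">false</win-def:enabled>
    </win-def:user_state>
  </states>

</oval_definitions>
```

With an equals operation on only one form, a collector reporting the other form yields no matching item, and the test evaluates to false on the existence check rather than on the account's state, which is the silent failure this thread is about. The inline (?i) flag depends on the interpreter's regex engine; where that is a concern, spell the alternatives out in both cases. The other option Jack mentions, two user_objects (one per domain form) referenced from two tests joined by a criteria element with operator="OR", behaves the same but keeps each object an exact match, at the cost of reporting "does not exist" for whichever form the collector did not emit.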