oval_developer@lists.cisecurity.org

A list for people interested in developing the OVAL language.


rpmverifyfile question

William Munyan
Wed, Sep 23, 2020 3:09 PM

Hello OVAL developers,

In looking at the implementation of the "rpmverifyfile" construct in the Linux schema, I am seeing that the output is consistent with the output of the "rpm -V" command and many of its options.  All that is fine.  However, when I utilize some of the behaviors such as "--nouser" or "--nofiledigest", my output results aren't changing.  Should I expect the corresponding placeholder to change from a "." to a "?" when using the "--no..." option?  Should, in the resulting "rpmverifyfile_item", the value for "..._differs" automatically show a "not performed" when the corresponding behavior is present, no matter the output of the command?

For example, should the presence of a behavior of "nomode='true'" yield an item element of "<mode_differs>not performed</mode_differs>", or should the "mode_differs" element not be present in the item (since it's a 0..1)?  Or is either one of those a valid result?

Thanks for any advice!
-Bill M.

Bill Munyan
Solutions/Software Architect; Security Best Practices
31 Tech Valley Drive
East Greenbush, NY 12061

william.munyan@cisecurity.org
(518) 516-6128 (w)
(518) 281-1233 (c)
https://www.cisecurity.org/

This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited. Please notify the sender immediately and permanently delete the message and any attachments.

David Solin
Wed, Sep 23, 2020 3:26 PM

I can’t say what OpenSCAP does, but we don’t pass these options directly into an RPM command-line.

Currently, we simply set the corresponding entity result to “not performed” (assuming a failure wasn’t reflected in the output, in which case I think we do flag the failure).  Probably, we should assign a value of “not performed” whether or not we noticed a corresponding failure.  But to my knowledge it’s never come up.  I don’t believe these options are exercised by any real-world content.

Best regards,
—David Solin

On Sep 23, 2020, at 10:09 AM, William Munyan via OVAL_Developer <oval_developer@lists.cisecurity.org> wrote:


Šimon Lukašík
Thu, Sep 24, 2020 6:39 AM

Hello all,

OpenSCAP does not use the rpm command-line tool. Instead, librpm is used directly, as it provides a more fine-grained interface for querying the data.

We have found that in many cases command-line tools cannot be used, either for performance reasons (the need to run the tool multiple times, getting more results than needed, and other overhead) or simply because the required information is missing. librpm is just one such case.

Note: here is the relevant code for rpmverifyfile: https://protect-us.mimecast.com/s/S-epCM8KROSq1mxWCwdKTf?domain=github.com

Kind regards,

Šimon Lukašík
Member of technical staff
Office of the Chief Technologist
Red Hat Public Sector

William Munyan via OVAL_Developer <oval_developer@lists.cisecurity.org> writes:


David Solin
Thu, Sep 24, 2020 2:41 PM

Setting aside any normative questions, let me pose Bill’s question in a completely different way:

Does the collection of OVAL linux-def:rpmverifyfile_object require that item entities corresponding to behavior flags end up with a value of “not performed”?

Our interpretation is that yes, it does.

On Sep 24, 2020, at 1:39 AM, Šimon Lukašík <slukasik@redhat.com> wrote:


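The interpretation David states in both of his replies (Sep 23: an entity governed by a behavior flag is set to “not performed” whether or not rpm reported a failure; Sep 24: collection of rpmverifyfile_object requires exactly that) can be pinned down in a small model. The code below is an added example written for this page; it is not the OVAL schema's reference behaviour, OpenSCAP's librpm-based collector, or David Solin's implementation. It assumes the nine-column order of the `rpm -V` attribute string from rpm(8) (S M 5 D L U G T P, with “.” for a passed test and “?” for a test rpm could not perform), the rpmverifyfile_item entity names and the pass/fail/“not performed” result values from the OVAL Linux system-characteristics schema, and the behavior names from rpmverifyfile_object. The `rpm -V` output is constructed, the function names are hypothetical, package name/version/arch entities are left out, and “missing” lines are skipped rather than modelled. As Šimon notes, OpenSCAP queries librpm directly, so parsing CLI output is only a way to show the semantics, not how either implementation collects.

```python
import re
from xml.sax.saxutils import escape

# Column order of the nine-character rpm -V attribute string (rpm(8), VERIFY OPTIONS),
# paired with the rpmverifyfile_item entity that records that test.
RPMV_COLUMNS = [
    ("S", "size_differs"), ("M", "mode_differs"), ("5", "filedigest_differs"),
    ("D", "device_differs"), ("L", "link_mismatch"), ("U", "ownership_differs"),
    ("G", "group_differs"), ("T", "mtime_differs"), ("P", "capabilities_differ"),
]

# rpmverifyfile_object behaviors that suppress one test, keyed to the entity they govern.
# noconfigfiles and noghostfiles exclude whole files and are applied in collect_items().
BEHAVIOR_TO_ENTITY = {
    "nosize": "size_differs", "nomode": "mode_differs",
    "nofiledigest": "filedigest_differs", "nomd5": "filedigest_differs",  # nomd5: older name
    "nolinkto": "link_mismatch", "nouser": "ownership_differs",
    "nogroup": "group_differs", "nomtime": "mtime_differs",
}

# File-attribute letter rpm prints between the flags and the path.
ATTR_TO_ENTITY = {"c": "configuration_file", "d": "documentation_file", "g": "ghost_file",
                  "l": "license_file", "r": "readme_file"}

# Nine flag characters, whitespace, an optional attribute letter, then an absolute path.
# "missing ..." lines do not match and are skipped; this example does not model them.
LINE_RE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.?]{9})\s+(?:(?P<attr>[cdglr])\s+)?(?P<path>/\S.*)$"
)


def verify_result(flag):
    """'.' is a passed test, '?' a test rpm could not perform, any letter a failure."""
    if flag == ".":
        return "pass"
    if flag == "?":
        return "not performed"
    return "fail"


def build_item(line, behaviors=None):
    """Turn one rpm -V line into an rpmverifyfile_item (as a dict), or None if not a flag line."""
    behaviors = behaviors or {}
    m = LINE_RE.match(line)
    if m is None:
        return None
    item = {"filepath": m.group("path")}
    for (letter, entity), flag in zip(RPMV_COLUMNS, m.group("flags")):
        if flag not in (".", "?", letter):
            raise ValueError(f"unexpected {flag!r} in column {letter} of {line!r}")
        item[entity] = verify_result(flag)
    # A behavior flag overrides whatever rpm reported, pass or fail: the test is
    # recorded as "not performed" rather than the element being omitted.
    for behavior, entity in BEHAVIOR_TO_ENTITY.items():
        if behaviors.get(behavior):
            item[entity] = "not performed"
    for letter, entity in ATTR_TO_ENTITY.items():
        item[entity] = "true" if m.group("attr") == letter else "false"
    return item


def collect_items(rpm_v_output, behaviors=None):
    """Build items for every flag line, dropping files excluded by noconfigfiles/noghostfiles."""
    behaviors = behaviors or {}
    items = []
    for line in rpm_v_output.splitlines():
        item = build_item(line, behaviors)
        if item is None:
            continue
        if behaviors.get("noconfigfiles") and item["configuration_file"] == "true":
            continue
        if behaviors.get("noghostfiles") and item["ghost_file"] == "true":
            continue
        items.append(item)
    return items


def item_to_xml(item, item_id=1):
    """Render an item as linux-sc XML; package name/version entities are omitted here."""
    ns = "http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#linux"
    out = [f'<rpmverifyfile_item id="{item_id}" xmlns="{ns}">']
    out.extend(f"  <{name}>{escape(value)}</{name}>" for name, value in item.items())
    out.append("</rpmverifyfile_item>")
    return "\n".join(out)


# Constructed sample of rpm -V output (not captured from a real system).
SAMPLE_RPM_V = """\
S.5....T.  c /etc/ssh/sshd_config
.M.......    /usr/bin/passwd
..?......    /usr/sbin/unreadable
missing     /usr/share/doc/pkg/README
"""

if __name__ == "__main__":
    for i, item in enumerate(collect_items(SAMPLE_RPM_V, {"nomode": True, "nouser": True}), 1):
        print(item_to_xml(item, i))
```

Run as-is, the second item shows the case Bill asked about: rpm reported an “M” for /usr/bin/passwd, but with nomode='true' the item carries `<mode_differs>not performed</mode_differs>` rather than `fail`, and the element is present rather than dropped. The “?” in the third line is the other route to “not performed”, coming from rpm itself rather than from a behavior, and the two are indistinguishable in the item.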