oval_developer@lists.cisecurity.org

A list for people interested in developing the OVAL language.


OVAL State Elements with @var_ref

William Munyan
Tue, Dec 15, 2020 5:01 PM

OVAL Developers,

We are encountering a situation that doesn't seem to be well-defined in the specification.  We have an OVAL state element whose value is being populated through the use of a var_ref.  However, when resolving that var_ref, the variable does not resolve to any values.  Because the variable being resolved is a local_variable containing an object_component, the specification dictates that when the OVAL object doesn't return any OVAL items, the variable's flag value is resolved to be "error".

The question then becomes, what of the evaluation of the state element as compared to the collected items.  Does the resolved var_ref's flag of "error" determine a result?  Or does the state element's var_check then determine the result?

Example OVAL State:
<file_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" comment="logging.properties owner user_id" id="oval:org.cisecurity:ste:1292505" version="1">
  <user_id datatype="int" var_ref="oval:org.cisecurity:var:12925051"/>
</file_state>

Example OVAL Variable:
<local_variable comment="Collect a User ID" datatype="int" id="oval:org.cisecurity:var:12925051" version="1">
  <object_component item_field="user_id" object_ref="oval:org.cisecurity:obj:12925052"/>
</local_variable>

Example OVAL Object (referenced by object_component):
<password_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" id="oval:org.cisecurity:obj:12925052" version="1">
  <username datatype="string">nonexistent_user</username>
</password_object>

For the purposes of this discussion, assume the "nonexistent_user" isn't present on the target system.  The local_variable flag would be set to "error" and the state element user_id would have no values to be compared with.  What should the result of this state when compared with a collected file_item?

Thanks for any feedback!
-Bill M.

Bill Munyan
Solutions/Software Architect; Security Best Practices
31 Tech Valley Drive
East Greenbush, NY 12061

william.munyan@cisecurity.org
(518) 516-6128 (w)
(518) 281-1233 (c)
https://www.cisecurity.org/

This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited. Please notify the sender immediately and permanently delete the message and any attachments.

David Solin
Tue, Dec 15, 2020 5:13 PM

Hi Bill,

I think this is handled by the specification.  The object flag would transitively become “error”, meaning the test result would also be “error”.

Many OVAL definitions are written to avoid this, by adding an inventory-like criterion for the variable component’s target object, so that the definition can resolve to a meaningful result in this case.

Best regards,
—David Solin

On Dec 15, 2020, at 11:01 AM, William Munyan via OVAL_Developer <oval_developer@lists.cisecurity.org> wrote:

OVAL Developers,

We are encountering a situation that doesn’t seem to be well-defined in the specification.  We have an OVAL state element whose value is being populated through the use of a var_ref.  However, when resolving that var_ref, the variable does not resolve to any values.  Because the variable being resolved is a local_variable containing an object_component, the specification dictates that when the OVAL object doesn’t return any OVAL items, the variable’s flag value is resolved to be “error”.

The question then becomes, what of the evaluation of the state element as compared to the collected items.  Does the resolved var_ref’s flag of “error” determine a result?  Or does the state element’s var_check then determine the result?

Example OVAL State:
<file_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" comment="logging.properties owner user_id" id="oval:org.cisecurity:ste:1292505" version="1">
  <user_id datatype="int" var_ref="oval:org.cisecurity:var:12925051"/>
</file_state>

Example OVAL Variable:
<local_variable comment="Collect a User ID" datatype="int" id="oval:org.cisecurity:var:12925051" version="1">
  <object_component item_field="user_id" object_ref="oval:org.cisecurity:obj:12925052"/>
</local_variable>

Example OVAL Object (referenced by object_component):
<password_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" id="oval:org.cisecurity:obj:12925052" version="1">
  <username datatype="string">nonexistent_user</username>
</password_object>

For the purposes of this discussion, assume the “nonexistent_user” isn’t present on the target system.  The local_variable flag would be set to “error” and the state element user_id would have no values to be compared with.  What should the result of this state when compared with a collected file_item?

Thanks for any feedback!
-Bill M.

OVAL_Developer mailing list
OVAL_Developer@lists.cisecurity.org
http://lists.cisecurity.org/mailman/listinfo/oval_developer_lists.cisecurity.org

William Munyan
Tue, Dec 15, 2020 6:41 PM

David,
Thanks for the quick reply.  In this case I would think the password_object’s flag below would yield “does not exist”, which would cause the local_variable’s flag to be resolved to “error”.  If that local_variable were referenced by an object, I would agree that object’s flag would transitively become “error”.  Then no matter what the OVAL state, the test result would be “error”.

However, I am not seeing in the spec, how that transitive operation would affect an OVAL state.  The var_check could be a “none satisfy”, which should cause the test to fail if any owner had been assigned to the file (i.e. the collected file_item indicated a non-null user_id).

I don’t want to sound like I’m asking you to look something up for me in the spec, but where would the answer for this be in the spec?  I am looking at section 5.3.6.4 “Variable Check Evaluation”.

Cheers,
-Bill M.

From: David Solin <solin@jovalcm.com>
Sent: Tuesday, December 15, 2020 12:13 PM
To: William Munyan <William.Munyan@cisecurity.org>
Cc: oval_developer@lists.cisecurity.org; Michael Saubier <Michael.Saubier@cisecurity.org>
Subject: Re: [OVAL DEVELOPER] OVAL State Elements with @var_ref

Hi Bill,

I think this is handled by the specification.  The object flag would transitively become “error”, meaning the test result would also be “error”.

Many OVAL definitions are written to avoid this, by adding an inventory-like criterion for the variable component’s target object, so that the definition can resolve to a meaningful result in this case.

Best regards,
—David Solin

On Dec 15, 2020, at 11:01 AM, William Munyan via OVAL_Developer <oval_developer@lists.cisecurity.org> wrote:

OVAL Developers,

We are encountering a situation that doesn’t seem to be well-defined in the specification.  We have an OVAL state element whose value is being populated through the use of a var_ref.  However, when resolving that var_ref, the variable does not resolve to any values.  Because the variable being resolved is a local_variable containing an object_component, the specification dictates that when the OVAL object doesn’t return any OVAL items, the variable’s flag value is resolved to be “error”.

The question then becomes, what of the evaluation of the state element as compared to the collected items.  Does the resolved var_ref’s flag of “error” determine a result?  Or does the state element’s var_check then determine the result?

Example OVAL State:
<file_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" comment="logging.properties owner user_id" id="oval:org.cisecurity:ste:1292505" version="1">
  <user_id datatype="int" var_ref="oval:org.cisecurity:var:12925051"/>
</file_state>

Example OVAL Variable:
<local_variable comment="Collect a User ID" datatype="int" id="oval:org.cisecurity:var:12925051" version="1">
  <object_component item_field="user_id" object_ref="oval:org.cisecurity:obj:12925052"/>
</local_variable>

Example OVAL Object (referenced by object_component):
<password_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" id="oval:org.cisecurity:obj:12925052" version="1">
  <username datatype="string">nonexistent_user</username>
</password_object>

For the purposes of this discussion, assume the “nonexistent_user” isn’t present on the target system.  The local_variable flag would be set to “error” and the state element user_id would have no values to be compared with.  What should the result of this state when compared with a collected file_item?

Thanks for any feedback!
-Bill M.

David Solin
Tue, Dec 15, 2020 7:53 PM

Hi Bill,

This situation is covered in section 5.3.3.3.3 of the OVAL Language Specification, wherein the table shows variable_error_flag -> object_error_flag.

Best regards,
—David Solin

On Dec 15, 2020, at 12:41 PM, William Munyan <William.Munyan@cisecurity.org> wrote:

David,
Thanks for the quick reply.  In this case I would think the password_object’s flag below would yield “does not exist”, which would cause the local_variable’s flag to be resolved to “error”.  If that local_variable were referenced by an object, I would agree that object’s flag would transitively become “error”.  Then no matter what the OVAL state, the test result would be “error”.

However, I am not seeing in the spec, how that transitive operation would affect an OVAL state.  The var_check could be a “none satisfy”, which should cause the test to fail if any owner had been assigned to the file (i.e. the collected file_item indicated a non-null user_id).

I don’t want to sound like I’m asking you to look something up for me in the spec, but where would the answer for this be in the spec?  I am looking at section 5.3.6.4 “Variable Check Evaluation”.

Cheers,
-Bill M.

From: David Solin <solin@jovalcm.com>
Sent: Tuesday, December 15, 2020 12:13 PM
To: William Munyan <William.Munyan@cisecurity.org>
Cc: oval_developer@lists.cisecurity.org; Michael Saubier <Michael.Saubier@cisecurity.org>
Subject: Re: [OVAL DEVELOPER] OVAL State Elements with @var_ref

Hi Bill,

I think this is handled by the specification.  The object flag would transitively become “error”, meaning the test result would also be “error”.

Many OVAL definitions are written to avoid this, by adding an inventory-like criterion for the variable component’s target object, so that the definition can resolve to a meaningful result in this case.

Best regards,
—David Solin

On Dec 15, 2020, at 11:01 AM, William Munyan via OVAL_Developer <oval_developer@lists.cisecurity.org> wrote:

OVAL Developers,

We are encountering a situation that doesn’t seem to be well-defined in the specification.  We have an OVAL state element whose value is being populated through the use of a var_ref.  However, when resolving that var_ref, the variable does not resolve to any values.  Because the variable being resolved is a local_variable containing an object_component, the specification dictates that when the OVAL object doesn’t return any OVAL items, the variable’s flag value is resolved to be “error”.

The question then becomes, what of the evaluation of the state element as compared to the collected items.  Does the resolved var_ref’s flag of “error” determine a result?  Or does the state element’s var_check then determine the result?

Example OVAL State:
<file_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" comment="logging.properties owner user_id" id="oval:org.cisecurity:ste:1292505" version="1">
  <user_id datatype="int" var_ref="oval:org.cisecurity:var:12925051"/>
</file_state>

Example OVAL Variable:
<local_variable comment="Collect a User ID" datatype="int" id="oval:org.cisecurity:var:12925051" version="1">
  <object_component item_field="user_id" object_ref="oval:org.cisecurity:obj:12925052"/>
</local_variable>

Example OVAL Object (referenced by object_component):
<password_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" id="oval:org.cisecurity:obj:12925052" version="1">
  <username datatype="string">nonexistent_user</username>
</password_object>

For the purposes of this discussion, assume the “nonexistent_user” isn’t present on the target system.  The local_variable flag would be set to “error” and the state element user_id would have no values to be compared with.  What should the result of this state when compared with a collected file_item?

Thanks for any feedback!
-Bill M.

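A toy evaluator for the scenario discussed in this thread, added here as an example; it is not code from the original posts, from CIS, or from Joval. It parses the three fragments Bill posted, emulates collection against a small constructed passwd table, resolves the local_variable (no items gives flag "error", the rule Bill quotes), applies the var_check values from section 5.3.6.4, and combines the file test with the inventory-like password_test David suggests using the OVAL AND operator's result precedence. Assumptions, marked in the code: a variable flag of "error" on a state entity yields an "error" result for that entity (David's reading, carried over from the object table he cites; the spec text itself is not reproduced here), the PASSWD table and all function names are constructed for the example, and the state's "operation" is the default "equals".

```python
"""Toy model of an OVAL state entity whose value comes from a @var_ref, for the case
where the referenced local_variable resolves to no values. Constructed for this
thread; not the OVAL reference interpreter and not CIS or Joval code."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

UNIX_NS = "{http://oval.mitre.org/XMLSchema/oval-definitions-5#unix}"

# The three fragments from Bill's message (stray "." removed from the state id).
STATE_XML = """<file_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" comment="logging.properties owner user_id" id="oval:org.cisecurity:ste:1292505" version="1">
  <user_id datatype="int" var_ref="oval:org.cisecurity:var:12925051"/>
</file_state>"""
VARIABLE_XML = """<local_variable comment="Collect a User ID" datatype="int" id="oval:org.cisecurity:var:12925051" version="1">
  <object_component item_field="user_id" object_ref="oval:org.cisecurity:obj:12925052"/>
</local_variable>"""
OBJECT_XML = """<password_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" id="oval:org.cisecurity:obj:12925052" version="1">
  <username datatype="string">nonexistent_user</username>
</password_object>"""

# Constructed target system: the slice of /etc/passwd the example needs (assumption).
PASSWD: Dict[str, int] = {"root": 0, "tomcat": 1001}


def parse_refs() -> Dict[str, str]:
    """Follow the chain state entity -> local_variable -> object through the fragments."""
    state, var, obj = (ET.fromstring(x) for x in (STATE_XML, VARIABLE_XML, OBJECT_XML))
    comp = var.find("object_component")  # the variable fragment carries no namespace
    refs = {
        "var_ref": state.find(UNIX_NS + "user_id").get("var_ref"),
        "variable_id": var.get("id"),
        "object_ref": comp.get("object_ref"),
        "item_field": comp.get("item_field"),
        "object_id": obj.get("id"),
        "username": obj.find(UNIX_NS + "username").text,
    }
    assert refs["var_ref"] == refs["variable_id"] and refs["object_ref"] == refs["object_id"]
    return refs


def collect_password_object(username: str) -> Tuple[List[dict], str]:
    """Emulate collecting unix:password_object; returns (items, object flag)."""
    if username in PASSWD:
        return [{"username": username, "user_id": PASSWD[username]}], "complete"
    return [], "does not exist"


def resolve_object_component(items: List[dict], item_field: str) -> Tuple[List[int], str]:
    """local_variable with one object_component: no items -> variable flag 'error'
    (the rule Bill quotes from the specification)."""
    if not items:
        return [], "error"
    return [item[item_field] for item in items], "complete"


def var_check(results: List[bool], check: str) -> bool:
    """Section 5.3.6.4 var_check semantics over the per-value comparison results."""
    return {
        "all": all(results),
        "at least one": any(results),
        "none satisfy": not any(results),
        "only one": results.count(True) == 1,
    }[check]


def evaluate_state_entity(item_value: int, values: List[int], flag: str, check: str) -> str:
    """Compare one file_item user_id with the var_ref state entity (operation=equals).
    Assumption: a variable flag of 'error' makes the state entity result 'error', the
    same transition the spec's table applies to objects (David's reading)."""
    if flag == "error":
        return "error"
    return "true" if var_check([item_value == v for v in values], check) else "false"


def existence_test(items: List[dict]) -> str:
    """Inventory-like criterion: a password_test with check_existence=at_least_one_exists."""
    return "true" if items else "false"


def and_criteria(results: List[str]) -> str:
    """OVAL AND: false beats error, which beats unknown, not evaluated, not applicable."""
    for dominant in ("false", "error", "unknown", "not evaluated", "not applicable"):
        if dominant in results:
            return dominant
    return "true"


def evaluate_definition(file_user_id: int, check: str, with_inventory: bool,
                        username: str = None) -> str:
    """Definition result for the thread's scenario, with or without David's extra criterion.
    username defaults to the one in the posted password_object (nonexistent_user)."""
    refs = parse_refs()
    items, _object_flag = collect_password_object(username or refs["username"])
    values, var_flag = resolve_object_component(items, refs["item_field"])
    file_test = evaluate_state_entity(file_user_id, values, var_flag, check)
    if not with_inventory:
        return file_test
    return and_criteria([existence_test(items), file_test])
```

With the posted fragments and a file owned by uid 0, `evaluate_definition(0, "none satisfy", False)` returns "error" because the variable never produced a value for the var_check to act on; adding the existence criterion (`with_inventory=True`) turns that into "false", since false outranks error under AND. Substituting an existing user (`username="root"`) exercises the ordinary var_check path: "at least one" gives "true" and "none satisfy" gives "false".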