oval_developer@lists.cisecurity.org
A list for people interested in developing the OVAL language.
View all threadsSolaris 11 Facet, Variant, and Image Test Implementation
Good afternoon,
I have been tasked with developing an implementation of the Solaris facet, variant, and image OVAL tests for Solaris 11. However, after researching the online Solaris definitions schema documentation (https://oval.mitre.org/language/version5.11/ovaldefinition/documentation/solaris-definitions-schema.html), Solaris schema proposal documentation (https://github.com/OVALProject/Sandbox/tree/master/resources/x-solaris-updates), and Oracle's Image Packaging System documentation, I am still not clear on what kind of interface these OVAL tests are designed to exploit. Solaris 11 provides a toolchain of shell commands for interrogating the IPS, none of which seem to map well to the facet, variant, and image OVAL test logic as I currently understand it. Also, I have so far not been able to isolate the location of any configuration files that could be mined for the relevant system characteristics. Any ideas about what I am missing? Any insight is appreciated.
Thanks,
Douglas M.
...
I have been tasked with developing an implementation of the Solaris
facet, variant, and image OVAL tests for Solaris 11. However, after
researching the online Solaris definitions schema documentation
(https://oval.mitre.org/language/version5.11/ovaldefinition/documentation/solaris-definitions-schema.html),
Solaris schema proposal documentation
(https://github.com/OVALProject/Sandbox/tree/master/resources/x-solaris-updates),
and Oracle's Image Packaging System documentation, I am still not clear
on what kind of interface these OVAL tests are designed to exploit.
Solaris 11 provides a toolchain of shell commands for interrogating the
IPS, none of which seem to map well to the facet, variant, and image
OVAL test logic as I currently understand it. Also, I have so far not
been able to isolate the location of any configuration files that could
be mined for the relevant system characteristics. Any ideas about what I
am missing? Any insight is appreciated.
There are no configuration/state files you can use; and even if you find
them (they do exist) you must not use them they are internal interfaces
that are subject to change at any time.
Currently the only interface to IPS is the pkg(1) command. The state of
facets and variants and the image tests should all be able to be
answered using the pkg(1) command with its parsable output.
There is an API to this in development that will providing bindings for
C, Java, Python and REST, this will be via the RAD[1] subsystem in
Solaris 11. However it hasn't shipped yet.
We in Solaris engineering are planning on delivering changes to OpenSCAP
to use this interface as the implementation of the IPS part of the
Solaris OVAL schema.
[1] http://docs.oracle.com/cd/E53394_01/html/E54825/index.html
--
Darren J Moffat
...
Thank you for your response, Darren. I was indeed looking closely at the pkg command for a solution, but was not sure how it would fit in with the logic of the facet, variant, and image OVAL tests. In light of your verification that leveraging the pkg command is the correct direction, I would like clarification of how that command would handle the path entity that is required by the facet, variant, and image objects. After closely examining the pkg man page, I'm still not sure how to use it for evaluating these system characteristics with respect to a given image path.
Thanks,
Douglas M.
From: Darren J Moffat [Darren.Moffat@Oracle.COM]
Sent: Friday, November 13, 2015 9:28 AM
To: McIlroy, Douglas M CIV SPAWARSYSCEN-ATLANTIC, 58600; oval_developer@lists.cisecurity.org
Subject: [Non-DoD Source] Re: [OVAL DEVELOPER] Solaris 11 Facet, Variant, and Image Test Implementation
I have been tasked with developing an implementation of the Solaris
facet, variant, and image OVAL tests for Solaris 11. However, after
researching the online Solaris definitions schema documentation
(https://oval.mitre.org/language/version5.11/ovaldefinition/documentation/solaris-definitions-schema.html),
Solaris schema proposal documentation
(https://github.com/OVALProject/Sandbox/tree/master/resources/x-solaris-updates),
and Oracle's Image Packaging System documentation, I am still not clear
on what kind of interface these OVAL tests are designed to exploit.
Solaris 11 provides a toolchain of shell commands for interrogating the
IPS, none of which seem to map well to the facet, variant, and image
OVAL test logic as I currently understand it. Also, I have so far not
been able to isolate the location of any configuration files that could
be mined for the relevant system characteristics. Any ideas about what I
am missing? Any insight is appreciated.
There are no configuration/state files you can use; and even if you find
them (they do exist) you must not use them they are internal interfaces
that are subject to change at any time.
Currently the only interface to IPS is the pkg(1) command. The state of
facets and variants and the image tests should all be able to be
answered using the pkg(1) command with its parsable output.
There is an API to this in development that will providing bindings for
C, Java, Python and REST, this will be via the RAD[1] subsystem in
Solaris 11. However it hasn't shipped yet.
We in Solaris engineering are planning on delivering changes to OpenSCAP
to use this interface as the implementation of the IPS part of the
Solaris OVAL schema.
[1] http://docs.oracle.com/cd/E53394_01/html/E54825/index.html
--
Darren J Moffat
...
On 11/17/15 19:57, McIlroy, Douglas M CIV SPAWARSYSCEN-ATLANTIC, 58600
wrote:
Thank you for your response, Darren. I was indeed looking closely at the
pkg command for a solution, but was not sure how it would fit in with
the logic of the facet, variant, and image OVAL tests. In light of your
verification that leveraging the pkg command is the correct direction, I
would like clarification of how that command would handle the path
entity that is required by the facet, variant, and image objects. After
closely examining the pkg man page, I'm still not sure how to use it for
evaluating these system characteristics with respect to a given image path.
The path in those objects is the path to the image. If you are looking
at a live system then that path is almost always going to be "/" because
that is where the root of the installed image is.
If you run pkg(1) against another image like this 'pkg -R /mnt facet'
then the path in the object would be "/mnt".
Currently the most interesting case for a path that isn't "/" is for
looking at an alternate boot environment image, ie a Solaris OS install
that is not currently running.
There is also the concept of a "user image", ie one which isn't a normal
Solaris OS installation but just some other IPS packages. The intention
of this is for application installations that aren't tightly tied to the
OS package versions but are still delivered in IPS.
--
Darren J Moffat
...
Thank you so much for your follow-up Darren. With that clarification, only one small matter still remains that I have been puzzling over. Listing boot environments (beadm list) is one way to enumerate some image root directories. However, I'm still not sure how to interrogate the system for a complete enumeration including user image directories. Currently, my solution consists of parsing the 'BASEDIR' field values out of 'pkginfo -l' command output, but I'm not certain that I can trust output from a utility that is part of the legacy package management system.
Thanks,
Douglas M.
From: Darren J Moffat [Darren.Moffat@Oracle.COM]
Sent: Wednesday, November 18, 2015 4:29 AM
To: McIlroy, Douglas M CIV SPAWARSYSCEN-ATLANTIC, 58600; oval_developer@lists.cisecurity.org
Subject: Re: [Non-DoD Source] Re: [OVAL DEVELOPER] Solaris 11 Facet, Variant, and Image Test Implementation
On 11/17/15 19:57, McIlroy, Douglas M CIV SPAWARSYSCEN-ATLANTIC, 58600
wrote:
Thank you for your response, Darren. I was indeed looking closely at the
pkg command for a solution, but was not sure how it would fit in with
the logic of the facet, variant, and image OVAL tests. In light of your
verification that leveraging the pkg command is the correct direction, I
would like clarification of how that command would handle the path
entity that is required by the facet, variant, and image objects. After
closely examining the pkg man page, I'm still not sure how to use it for
evaluating these system characteristics with respect to a given image path.
The path in those objects is the path to the image. If you are looking
at a live system then that path is almost always going to be "/" because
that is where the root of the installed image is.
If you run pkg(1) against another image like this 'pkg -R /mnt facet'
then the path in the object would be "/mnt".
Currently the most interesting case for a path that isn't "/" is for
looking at an alternate boot environment image, ie a Solaris OS install
that is not currently running.
There is also the concept of a "user image", ie one which isn't a normal
Solaris OS installation but just some other IPS packages. The intention
of this is for application installations that aren't tightly tied to the
OS package versions but are still delivered in IPS.
--
Darren J Moffat
...
On 11/19/15 19:03, McIlroy, Douglas M CIV SPAWARSYSCEN-ATLANTIC, 58600
wrote:
Thank you so much for your follow-up Darren. With that clarification,
only one small matter still remains that I have been puzzling over.
Listing boot environments (beadm list) is one way to enumerate some
image root directories. However, I'm still not sure how to interrogate
the system for a complete enumeration including user image directories.
There is no possible way to find all the user images, they could be
anywhere.
Currently, my solution consists of parsing the 'BASEDIR' field values
out of 'pkginfo -l' command output, but I'm not certain that I can trust
output from a utility that is part of the legacy package management system.
That won't help you, pkginfo is an old SVR4 command and has no knowledge
of IPS and never will. I'd also say it was highly unlikely that any IPS
user image would also have SVR4 packages in it.
Why do you think you need to find the possible user images ?
The way I expected OVAL to be used with IPS image path is via tailoring
values. I would expect the path to be "/" by default and if someone
wished to run OVAL checks against an alternate boot environment then the
path value would be tailored to point to the root of the IPS image.
As far as we know there is very little to no use of IPS user images
outside of Solaris core development where we use them for testing. All
the customers that I know of that make extensive use of IPS for their
own software do so by installing into the system image so they get the
benefit of boot environments.
--
Darren J Moffat
...
Currently, my solution consists of parsing the 'BASEDIR' field values
out of 'pkginfo -l' command output, but I'm not certain that I can trust
output from a utility that is part of the legacy package management system.
That won't help you, pkginfo is an old SVR4 command and has no knowledge
of IPS and never will. I'd also say it was highly unlikely that any IPS
user image would also have SVR4 packages in it.
Thanks for that verification.
Why do you think you need to find the possible user images?
The documentation for these new IPS tests doesn't seem to explicitly make any distinction between boot environment images vs. user images. However, your clarification makes it apparent that the image, variant, and facet tests weren't developed with user images in mind, which means that I can move forward with completing the implementation of these probes.
Thanks,
Douglas M.
From: Darren J Moffat [Darren.Moffat@Oracle.COM]
Sent: Friday, November 20, 2015 9:35 AM
To: McIlroy, Douglas M CIV SPAWARSYSCEN-ATLANTIC, 58600; oval_developer@lists.cisecurity.org
Subject: Re: [Non-DoD Source] Re: [OVAL DEVELOPER] Solaris 11 Facet, Variant, and Image Test Implementation
On 11/19/15 19:03, McIlroy, Douglas M CIV SPAWARSYSCEN-ATLANTIC, 58600
wrote:
Thank you so much for your follow-up Darren. With that clarification,
only one small matter still remains that I have been puzzling over.
Listing boot environments (beadm list) is one way to enumerate some
image root directories. However, I'm still not sure how to interrogate
the system for a complete enumeration including user image directories.
There is no possible way to find all the user images, they could be
anywhere.
Currently, my solution consists of parsing the 'BASEDIR' field values
out of 'pkginfo -l' command output, but I'm not certain that I can trust
output from a utility that is part of the legacy package management system.
That won't help you, pkginfo is an old SVR4 command and has no knowledge
of IPS and never will. I'd also say it was highly unlikely that any IPS
user image would also have SVR4 packages in it.
Why do you think you need to find the possible user images ?
The way I expected OVAL to be used with IPS image path is via tailoring
values. I would expect the path to be "/" by default and if someone
wished to run OVAL checks against an alternate boot environment then the
path value would be tailored to point to the root of the IPS image.
As far as we know there is very little to no use of IPS user images
outside of Solaris core development where we use them for testing. All
the customers that I know of that make extensive use of IPS for their
own software do so by installing into the system image so they get the
benefit of boot environments.
--
Darren J Moffat
...