Hello Pravin, thank you for checking with us (I have merged former Gautam's reply here too to have all the facts together).
----- Original Message ----- > From: "S, Gautam" <gaut...@hpe.com> > To: open-scap-list@redhat.com > Sent: Monday, April 4, 2016 11:00:10 AM > Subject: Re: [Open-scap] Template for file pattern match > > Hi Pravin, > FWIW regarding the question of OVAL template for regex match - we track it under: [1] https://github.com/OpenSCAP/scap-security-guide/issues/1083 > This was something I also wondered about. However, there are some subtle > aspects that might affect this which I learned once I gave it a shot. > > 1) Not all pattern matches are same. Some search whether a pattern exists in > a file, some check for the absence, some check for the first match only, > some for all matches, some checks will involve external variables passed in > as well. At the very least, you will need </path/to/file>,<regex to > find>,<check_existence>,<instance> for basic ones. > > 2) You will have to keep the title, description and comments extremely > generic or else update them individually and they are generated. I found > this to be a huge deterrent to making everything into a template. There's this count_oval_objects.py utility: https://github.com/OpenSCAP/scap-security-guide/blob/master/shared/utils/count_oval_objects.py from which output, when run, is clear the <textfilecontent54_object> is clearly the most used OVAL template e.g. for RHEL/6 content (I would assume the result will be the same for different products too). But like Gautam already clarified above, from the SSG experience there would be very small count of cases where the basic <ind:filepath> regex OVAL template would be sufficient. IOW if you would have a look at those existing OVAL checks already using <ind:textfilecontent54_object> often the final form of the OVAL ends up in the state where: * it's necessary to reference some external_variable, * it's necessary to have more rules (more objects), * it's necessary to have more states, * it's necessary to reference some OVAL rule dependency, * it's necessary for the regex to search the last occurrence of somestring in file etc etc. This is not to say the OVAL <ind:textfilecontent54_object> template wouldn't be useful for SSG. But there are these corner cases / additional requirements listed above, often leading to state when new <ind:textfilecontent54_object> OVAL check is written from scratch, rather than from template. The current state being in [1] we are discussing the possible form of such a template -- facing the need quickly to write dozen of simple OVAL checks checking some regex in some file, OVAL template might seem handy. But the expectation is to have the templated OVAL checks stable / unmodified across the SSG releases (so one day we could replace all those checks currently present in the repository with their dynamic [re]generation during the SSG package build). On the other hand, any corner case (external_variable, dependency on another OVAL etc) is diverging from common template (assuming very basic simple template). And therefore diverging from above approach (since in the moment the developer would end up writing such OVAL check from scratch just because the template is too simple and could not help them to speed up the OVAL checks development, I am not completely convinced it's worthy to investing the time into the design of such a template and MAINLY into investing the time into keeping such a template in working state). So I would say / IMHO the next step WRT to [1] would be to use the already included "count_oval_objects.py" utility and determine how many (in % compared to the whole count of <ind:textfilecontent54_object> OVAL checks already implemented for that product) of the <ind:textfilecontent54_object> OVAL checks have the simplest form, and how many (again in % compared to already having <ind:txtfilecontent54_object> OVAL checks for that product) is derived from the basic form due some reason (some corner case). Once we know this information, we can proceed further (if just to implement basic OVAL template, or have more templates for each of the subtle different cases [depending on another OVAL, using external variable etc.]). Hope this helps. Thank you && Regards, Jan -- Jan iankko Lieskovsky / Red Hat Security Technologies Team P.S.: There's SCAP Security Guide (SCAP content) dedicated mailing list too --> Cc'ed it too (so people can react to the topic). > > Thank you. > > Regards, > Gautam. > > > _______________________________________________ > Open-scap-list mailing list > Open-scap-list@redhat.com > https://www.redhat.com/mailman/listinfo/open-scap-list > --- > > Hi All, > > I tried searching the ssg project for a template that could find a pattern in > a given file. I feel this would be one of > the most used templates where we need to find if a file contains an > expression. This would be used for audit rules, sshd > configuration, password complexity configuration, password aging > configuration, login configuration and probably many > others. We could create a CSV as below: > > > </path/to/file>,<regex to find> > > > Is someone working on it or have it or any idea how to do it? > > > Thanks and regards, > > Pravin Goyal > > > _______________________________________________ > Open-scap-list mailing list > Open-scap-list@redhat.com > https://www.redhat.com/mailman/listinfo/open-scap-list > _______________________________________________ Open-scap-list mailing list Open-scap-list@redhat.com https://www.redhat.com/mailman/listinfo/open-scap-list
