Thanks a ton Bill. It was an oversight. Adding operator="OR" solved this. Thanks a lot.
From: William Munyan <[email protected]>
Sent: Wednesday, April 20, 2016 9:33 PM
To: Pravin Goyal; [email protected]
Subject: RE: filter not working for file_object

Hi Pravin,

When you eliminate the filter and receive a listing of files shown below:

    I can confirm that there are suid files in /bin.
    /bin/eject
    /bin/su
    /bin/umount
    /bin/mount
    /bin/ping
    /bin/ping6

You confirm that those are all suid files. Your filter is testing for files which are BOTH suid and sgid. Is that the intent? Or do you want files which are either suid OR sgid?

If you want files which are either suid or sgid, add an @operator="OR" to your <file_state>:

    <file_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" id="oval:suid-test.test.com:ste:30" version="1" comment="SRG-OS-000327-GPOS-00127-filter-include-suid-and sgid-files" operator="OR">
      <suid datatype="boolean" operation="equals">1</suid>
      <sgid datatype="boolean" operation="equals">1</sgid>
    </file_state>

You could also probably use <set>'s to accomplish that as well, if need be.

Hope that helps!

Cheers,
-Bill M

-Bill Munyan
Technical Product Executive :: CIS-CAT Security Controls & Automation
Center for Internet Security
(518) 880-0686
www.cisecurity.org
Follow us @CISecurity

From: [email protected] [mailto:[email protected]] On Behalf Of Pravin Goyal
Sent: Wednesday, April 20, 2016 2:01 AM
To: [email protected]
Subject: [Open-scap] filter not working for file_object

Hi All,

This is on SLES 11 SP3 with OpenSCAP 1.2.5. I am trying to do a check to find the suid and sgid files in /bin.

    <file_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" id="oval:suid-test.test.com:obj:151" version="1" comment="find-all-suid-and-sgid-files">
      <behaviors recurse="directories" recurse_direction="down" recurse_file_system="local" max_depth="1"/>
      <path datatype="string" operation="equals">/bin</path>
      <filename datatype="string" operation="pattern match">.*</filename>
      <filter xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" action="include">oval:suid-test.test.com:ste:30</filter>
    </file_object>

    <file_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" id="oval:suid-test.test.com:ste:30" version="1" comment="SRG-OS-000327-GPOS-00127-filter-include-suid-and sgid-files">
      <suid datatype="boolean" operation="equals">1</suid>
      <sgid datatype="boolean" operation="equals">1</sgid>
    </file_state>

But, as soon as I apply the filter, no object gets collected. Is this a known issue? I also tried with the filename regex [a-z]+, but that does not work either. Any pointers please?

I can confirm that there are suid files in /bin.
/bin/eject
/bin/su
/bin/umount
/bin/mount
/bin/ping
/bin/ping6

If I remove the filter, all files under /bin are collected perfectly. So, I am suspicious that the filter is breaking things.

Thanks and regards,
Pravin Goyal
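Added example, not code from the thread or from the OpenSCAP project. It makes Bill's point executable: a unix:file_state with two entities is evaluated with operator="AND" unless told otherwise, so suid=1 plus sgid=1 only keeps files that are BOTH set-uid and set-gid (usually none in /bin), while operator="OR" keeps either. The script wraps the thread's object and state in a complete OVAL definitions document that oscap can run, and applies the same predicate to st_mode bits so the live filesystem can be compared with what the filter collects. The definition/test ids (def:1, tst:1), the SAMPLE modes, and the title text are constructed for this example; the local scan only approximates the behaviors element (one level down, symlinks not followed).

```python
import os
import stat
import xml.etree.ElementTree as ET

# Complete OVAL document around the object/state from the thread.
# def:1 and tst:1 are made-up ids for this example.
OVAL_TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
  xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5"
  xmlns:unix-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix">
  <generator>
    <oval:schema_version>5.10.1</oval:schema_version>
    <oval:timestamp>2016-04-20T00:00:00</oval:timestamp>
  </generator>
  <definitions>
    <definition id="oval:suid-test.test.com:def:1" version="1" class="compliance">
      <metadata><title>No suid or sgid files under {path}</title>
        <description>Constructed for this example.</description></metadata>
      <criteria>
        <criterion test_ref="oval:suid-test.test.com:tst:1" comment="no suid/sgid files"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <unix-def:file_test id="oval:suid-test.test.com:tst:1" version="1"
        check="all" check_existence="none_exist" comment="no suid/sgid files">
      <unix-def:object object_ref="oval:suid-test.test.com:obj:151"/>
    </unix-def:file_test>
  </tests>
  <objects>
    <unix-def:file_object id="oval:suid-test.test.com:obj:151" version="1">
      <unix-def:behaviors recurse="directories" recurse_direction="down"
          recurse_file_system="local" max_depth="1"/>
      <unix-def:path datatype="string" operation="equals">{path}</unix-def:path>
      <unix-def:filename datatype="string" operation="pattern match">.*</unix-def:filename>
      <filter action="include">oval:suid-test.test.com:ste:30</filter>
    </unix-def:file_object>
  </objects>
  <states>
    <unix-def:file_state id="oval:suid-test.test.com:ste:30" version="1" operator="{operator}">
      <unix-def:suid datatype="boolean" operation="equals">1</unix-def:suid>
      <unix-def:sgid datatype="boolean" operation="equals">1</unix-def:sgid>
    </unix-def:file_state>
  </states>
</oval_definitions>
"""


def build_oval(path="/bin", operator="OR"):
    """Return a well-formed OVAL definitions document for `path`."""
    if operator not in ("AND", "OR"):
        raise ValueError("file_state operator must be AND or OR")
    doc = OVAL_TEMPLATE.format(path=path, operator=operator)
    ET.fromstring(doc.encode("utf-8"))  # fail fast on malformed XML
    return doc


def state_matches(mode, operator="AND"):
    """The thread's file_state (suid equals 1, sgid equals 1) applied to a raw
    st_mode, combining the two entities the way OVAL does (AND by default)."""
    hits = [bool(mode & stat.S_ISUID), bool(mode & stat.S_ISGID)]
    return all(hits) if operator == "AND" else any(hits)


def filter_entries(entries, operator="AND"):
    """entries: {path: st_mode}. Return the sorted paths the filter keeps."""
    return sorted(p for p, m in entries.items() if state_matches(m, operator))


def scan(path="/bin", max_depth=1):
    """{path: st_mode} of regular files, approximating the behaviors element:
    recurse down, at most max_depth levels, without following symlinks."""
    entries, base = {}, path.rstrip("/").count("/")
    for root, dirs, files in os.walk(path, followlinks=False):
        if root.rstrip("/").count("/") - base >= max_depth:
            dirs[:] = []  # stop descending past max_depth
        for name in files:
            full = os.path.join(root, name)
            st = os.lstat(full)
            if stat.S_ISREG(st.st_mode):
                entries[full] = st.st_mode
    return entries


# Constructed sample; modes are made up (su and mount are suid in the thread).
SAMPLE = {
    "/bin/su": 0o104755,     # suid only
    "/bin/mount": 0o104755,  # suid only
    "/bin/wall": 0o102755,   # sgid only
    "/bin/ls": 0o100755,     # neither
    "/bin/both": 0o106755,   # suid and sgid
}

if __name__ == "__main__":
    print("AND:", filter_entries(SAMPLE, "AND"))  # ['/bin/both']
    print("OR: ", filter_entries(SAMPLE, "OR"))
    print("live /bin (OR):", filter_entries(scan("/bin"), "OR"))
    with open("suid-test.xml", "w") as fh:
        fh.write(build_oval("/bin", "OR"))
```

Run it, then `oscap oval eval --results results.xml suid-test.xml`; the collected items listed under obj:151 in results.xml should line up with the "live /bin (OR)" list. Switching build_oval to "AND" reproduces the empty collection Pravin saw.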
