Hi All, Found a nasty but cool bug. Tested on OpenSCAP 1.2.5 on SLES 11 SP3.
Here it is.

=======================
=======================
<?xml version="1.0" encoding="UTF-8"?>
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5"
    xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5"
    xmlns:linux-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"
    xmlns:unix-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"
    xmlns:independent-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
    xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#linux linux-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#unix unix-definitions-schema.xsd">
  <generator>
    <oval:product_name>None</oval:product_name>
    <oval:product_version>None</oval:product_version>
    <oval:schema_version>5.11</oval:schema_version>
    <oval:timestamp>2016-04-04T01:31:55</oval:timestamp>
  </generator>
  <definitions>
    <!-- SRG-OS-000458-GPOS-00203 -->
    <definition id="oval:test-bug.test.com:def:125" version="1" class="compliance">
      <metadata>
        <title>SRG-OS-000458-GPOS-00203 - Audit sudoers file</title>
        <affected family="unix">
          <platform>cpe:/o:sles11:linux</platform>
        </affected>
        <description>This rule verifies that an audit entry exists in the /etc/audit/audit.rules file for the /etc/sudoers file.</description>
      </metadata>
      <criteria operator="AND" negate="false" comment="SRG-OS-000458-GPOS-00203">
        <criterion comment="SRG-OS-000458-GPOS-00203" test_ref="oval:test-bug.test.com:tst:205" />
      </criteria>
    </definition>
  </definitions>
  <tests>
    <!-- SRG-OS-000458-GPOS-00203 -->
    <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:test-bug.test.com:tst:205" version="1" check="all" comment="SRG-OS-000458-GPOS-00203" check_existence="at_least_one_exists">
      <object object_ref="oval:test-bug.test.com:obj:165" />
    </textfilecontent54_test>
  </tests>
  <objects>
    <!-- SRG-OS-000458-GPOS-00203 -->
    <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:test-bug.test.com:obj:165" version="1" comment="SRG-OS-000458-GPOS-00203">
      <filepath datatype="string" operation="equals">/etc/audit/audit.rules</filepath>
      <pattern datatype="string" operation="pattern match">^\-w\s+/etc/sudoers\s+\-p\s+wa</pattern>
      <instance datatype="int" operation="equals">1</instance>
    </textfilecontent54_object>
  </objects>
</oval_definitions>
=======================
=======================

Running the above works perfectly. Now, here is the bug. Replace the textfilecontent54_test tag with sysctl_test without changing anything else (except the namespace, of course, from independent to unix). So, the new test block should look like below:

=============
=============
<sysctl_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" id="oval:test-bug.test.com:tst:205" version="1" check="all" comment="SRG-OS-000458-GPOS-00203" check_existence="at_least_one_exists">
  <object object_ref="oval:test-bug.test.com:obj:165" />
</sysctl_test>
=============
=============

This runs as well without any qualms and evaluates both pass and fail conditions perfectly. So, the bug is that it does not enforce that the test and object are the SAME OVAL probes. The test could be a sysctl test, but the object it tests could be textfilecontent54. Does the OVAL schema allow this? Is this known?

Nevertheless, I like this bug and am OK to live with it. It is COOL!

Thanks and regards,
Pravin Goyal
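As an added example (my own script, not code from the post above or from the OpenSCAP project), here is a small consistency check in Python that walks an OVAL definitions document and flags every test whose object_ref points at a missing object or at an object of a different probe family or namespace, which is exactly the sysctl_test / textfilecontent54_object mismatch described in the post. The OVAL document embedded in it is a constructed, trimmed-down copy of that mismatched case.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from the post): a unix sysctl_test whose object_ref
# points at an independent textfilecontent54_object, the mismatch described above.
SAMPLE = """<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <tests>
    <sysctl_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"
        id="oval:test-bug.test.com:tst:205" version="1" check="all"
        check_existence="at_least_one_exists">
      <object object_ref="oval:test-bug.test.com:obj:165"/>
    </sysctl_test>
  </tests>
  <objects>
    <textfilecontent54_object
        xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
        id="oval:test-bug.test.com:obj:165" version="1">
      <filepath datatype="string" operation="equals">/etc/audit/audit.rules</filepath>
    </textfilecontent54_object>
  </objects>
</oval_definitions>"""

DEF_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"


def _split(tag):
    # ElementTree spells a namespaced tag as "{namespace}localname"
    ns, _, local = tag[1:].partition("}")
    return ns, local


def find_mismatched_tests(xml_text):
    """Return (test_id, test_tag, object_ref, object_tag) for every test whose
    object_ref is missing or points at another probe family/namespace."""
    root = ET.fromstring(xml_text)
    objects = {o.get("id"): o for o in root.find(f"{{{DEF_NS}}}objects")}
    problems = []
    for test in root.find(f"{{{DEF_NS}}}tests"):
        t_ns, t_local = _split(test.tag)
        # the <object> child lives in the test's own namespace (unix, independent, ...)
        for ref in test.findall(f"{{{t_ns}}}object"):
            obj = objects.get(ref.get("object_ref"))
            if obj is None:
                problems.append((test.get("id"), t_local, ref.get("object_ref"), None))
                continue
            o_ns, o_local = _split(obj.tag)
            # a foo_test must reference a foo_object from the same namespace
            if o_ns != t_ns or o_local != t_local.replace("_test", "_object"):
                problems.append((test.get("id"), t_local, obj.get("id"), o_local))
    return problems
```

Run it over an OVAL file with `find_mismatched_tests(open(path).read())`; an empty list means every test is paired with an object of its own probe family.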
_______________________________________________
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list