Hi, thank you very much for reporting this bug. It is a really weird issue.
I confirm that this happens also with the latest OpenSCAP 1.2.9. In my opinion this behavior should not be allowed.

The issue in the content was not discovered by the standard validation which is performed by OpenSCAP before each scan. But OpenSCAP also offers extended validation using an XSLT-based schematron. I have tried to run it on your content:

$ oscap oval validate --schematron oval.xml
<?xml version="1.0"?>
oval:test-bug.test.com:tst:205 - the object child element of a sysctl_test must reference a sysctl_object

So it seems to me that we should check whether the test is of the same type as the object, and if not, display at least an error message. I will file an upstream ticket against OpenSCAP.

Best regards

Jan Černý
Security Technologies | Red Hat, Inc.

----- Original Message -----
> From: "Pravin Goyal" <[email protected]>
> To: [email protected]
> Sent: Thursday, April 21, 2016 10:42:59 AM
> Subject: [Open-scap] Found a nasty but cool bug in OpenSCAP 1.2.5
>
> Hi All,
>
> Found a nasty but cool bug. Tested on OpenSCAP 1.2.5 on SLES 11 SP3.
>
> Here it is.
>
> =======================
> =======================
>
> <?xml version="1.0" encoding="UTF-8"?>
> <oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
>   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>   xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5"
>   xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5"
>   xmlns:linux-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"
>   xmlns:unix-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"
>   xmlns:independent-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
>   xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd
>     http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd
>     http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd
>     http://oval.mitre.org/XMLSchema/oval-definitions-5#linux linux-definitions-schema.xsd
>     http://oval.mitre.org/XMLSchema/oval-definitions-5#unix unix-definitions-schema.xsd">
>   <generator>
>     <oval:product_name>None</oval:product_name>
>     <oval:product_version>None</oval:product_version>
>     <oval:schema_version>5.11</oval:schema_version>
>     <oval:timestamp>2016-04-04T01:31:55</oval:timestamp>
>   </generator>
>   <definitions>
>
>     <!-- SRG-OS-000458-GPOS-00203 -->
>     <definition id="oval:test-bug.test.com:def:125" version="1" class="compliance">
>       <metadata>
>         <title>SRG-OS-000458-GPOS-00203 - Audit sudoers file</title>
>         <affected family="unix">
>           <platform>cpe:/o:sles11:linux</platform>
>         </affected>
>         <description>This rule verifies that an audit entry exists in the /etc/audit/audit.rules file for the /etc/sudoers file.</description>
>       </metadata>
>       <criteria operator="AND" negate="false" comment="SRG-OS-000458-GPOS-00203">
>         <criterion comment="SRG-OS-000458-GPOS-00203" test_ref="oval:test-bug.test.com:tst:205" />
>       </criteria>
>     </definition>
>
>   </definitions>
>
>   <tests>
>
>     <!-- SRG-OS-000458-GPOS-00203 -->
>     <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
>         id="oval:test-bug.test.com:tst:205"
>         version="1"
>         check="all"
>         comment="SRG-OS-000458-GPOS-00203"
>         check_existence="at_least_one_exists">
>       <object object_ref="oval:test-bug.test.com:obj:165" />
>     </textfilecontent54_test>
>   </tests>
>
>   <objects>
>
>     <!-- SRG-OS-000458-GPOS-00203 -->
>     <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
>         id="oval:test-bug.test.com:obj:165"
>         version="1"
>         comment="SRG-OS-000458-GPOS-00203">
>       <filepath datatype="string" operation="equals">/etc/audit/audit.rules</filepath>
>       <pattern datatype="string" operation="pattern match">^\-w\s+/etc/sudoers\s+\-p\s+wa</pattern>
>       <instance datatype="int" operation="equals">1</instance>
>     </textfilecontent54_object>
>
>   </objects>
> </oval_definitions>
>
> =======================
> =======================
>
> Running the above works perfectly.
> Now, here is the bug. Change the textfilecontent54_test tag to sysctl_test
> without changing anything else (except the namespace of course, from independent
> to unix).
>
> So, the new test block should look like below:
>
> =============
> =============
> <sysctl_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"
>     id="oval:test-bug.test.com:tst:205"
>     version="1"
>     check="all"
>     comment="SRG-OS-000458-GPOS-00203"
>     check_existence="at_least_one_exists">
>   <object object_ref="oval:test-bug.test.com:obj:165" />
> </sysctl_test>
> =============
> =============
>
> This runs as well without any qualms and evaluates both the pass and fail
> conditions perfectly. So, the bug is that it does not enforce that the test and
> the object are the SAME OVAL probe. The test could be a sysctl test but the object it
> tests could be textfilecontent54. Does the OVAL schema allow this? Is this
> known?
>
> Nevertheless, I like this bug and am ok to live with it. It is COOL!
>
> Thanks and regards,
> Pravin Goyal
>
> _______________________________________________
> Open-scap-list mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/open-scap-list
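The test/object type check Jan proposes above, for the mismatch Pravin describes (a sysctl_test whose object child points at a textfilecontent54_object), as an added Python example that is not part of this thread and not OpenSCAP's own validation code. The embedded OVAL snippet and the function name find_test_object_mismatches are constructed for the example; it also flags object_refs that resolve to no object at all.

```python
import xml.etree.ElementTree as ET

OVAL_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
UNIX_NS, IND_NS = OVAL_NS + "#unix", OVAL_NS + "#independent"

# Constructed sample, not the reporter's file: tst:1 reproduces the report
# (sysctl_test -> textfilecontent54_object), tst:2 is paired correctly and
# tst:3 references an object id that does not exist.
SAMPLE_OVAL = """<oval_definitions xmlns="%s">
<tests>
 <sysctl_test xmlns="%s" id="oval:ex:tst:1" version="1" check="all">
  <object object_ref="oval:ex:obj:1"/></sysctl_test>
 <textfilecontent54_test xmlns="%s" id="oval:ex:tst:2" version="1" check="all">
  <object object_ref="oval:ex:obj:1"/></textfilecontent54_test>
 <sysctl_test xmlns="%s" id="oval:ex:tst:3" version="1" check="all">
  <object object_ref="oval:ex:obj:9"/></sysctl_test>
</tests>
<objects>
 <textfilecontent54_object xmlns="%s" id="oval:ex:obj:1" version="1">
  <filepath>/etc/audit/audit.rules</filepath>
  <pattern operation="pattern match">^-w\\s+/etc/sudoers\\s+-p\\s+wa</pattern>
  <instance datatype="int">1</instance></textfilecontent54_object>
</objects>
</oval_definitions>""" % (OVAL_NS, UNIX_NS, IND_NS, UNIX_NS, IND_NS)

def _split(tag):  # ElementTree tag '{namespace}local' -> (namespace, local)
    return tuple(tag[1:].split("}", 1)) if tag.startswith("{") else ("", tag)

def find_test_object_mismatches(xml_text):
    """Return (test_id, test_type, object_ref, object_type) for every <object>
    child whose target is not the <X_object> element (same component namespace)
    that its <X_test> requires; object_type is None for a dangling reference."""
    root = ET.fromstring(xml_text)
    objects = {o.get("id"): _split(o.tag)
               for o in root.iterfind("{%s}objects/*" % OVAL_NS)}
    mismatches = []
    for test in root.iterfind("{%s}tests/*" % OVAL_NS):
        test_ns, test_type = _split(test.tag)
        if not test_type.endswith("_test"):
            continue
        expected = (test_ns, test_type[:-len("_test")] + "_object")
        for child in test:
            ref = child.get("object_ref")
            if _split(child.tag)[1] != "object" or ref is None:
                continue
            actual = objects.get(ref)
            if actual != expected:
                mismatches.append((test.get("id"), test_type, ref,
                                   actual[1] if actual else None))
    return mismatches
```

Running it over the sample reports tst:1 and tst:3 and stays silent for tst:2, which is the check Pravin's content would have tripped before the scan instead of evaluating cleanly.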
