Hi,
Thank you for contacting me.
See my replies inline below.

Jan Černý
Security Technologies | Red Hat, Inc.

----- Original Message -----
> From: "Dragos Prisaca" <dragos.pris...@g2-inc.com>
> To: open-scap-list@redhat.com
> Sent: Monday, March 6, 2017 10:00:40 PM
> Subject: [Open-scap] Issues with the recurse_direction="up"
> 
> Hello,
> 
> Here are few more issues related the file_test:
> 1. Incorrect item collected by OpenSCAP 1.2.10
> 
> Given the following object:
> <unix:file_object id="oval:nist.validation.macosFileTest:obj:185"
> xmlns:unix="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"
> comment="@recurse='symlinks and directories'" version="1">
>     <unix:behaviors max_depth="1" recurse_file_system="local"
> recurse_direction="down"/>
>     <unix:path operation="equals"
> datatype="string">/scapVal/File-Test-Level2</unix:path>
>     <unix:filename operation="pattern match">.+</unix:filename>
> </unix:file_object>
> and the following folder structure:
> 
>       /scapVal/File-Test-Level2
>               drwxr-xr-x. 2 root root  6 Feb 28 15:46 Level3-Folder020
>               drwxr-xr-x. 2 root root  6 Feb 28 15:46 Level3-Folder030
>               drwxr-xr-x. 2 root root  6 Feb 28 15:46 Level3-Folder050
>               drwxr-xr-x. 3 root root 54 Feb 28 15:46 Level3-Folder010
>                       drwxr-xr-x. 3 root root 29 Feb 28 15:46 Level4-Folder011
>                       -rw-r--r--. 1 root root 49 Feb 28 15:46 Level3-File010.txt
>               drwxr-xr-x. 2 root root 30 Feb 28 15:46 Level3-Folder040
> 
> OpenSCAP collects two items:
>     <unix-sys:file_item id="14726417" status="exists">
>         <unix-sys:filepath>/scapVal/File-Test-Level2/Level3-Folder010/Level3-File010.txt</unix-sys:filepath>
>         <unix-sys:path>/scapVal/File-Test-Level2/Level3-Folder010</unix-sys:path>
>         <unix-sys:filename>Level3-File010.txt</unix-sys:filename>
>         <unix-sys:type>regular</unix-sys:type> …
>     </unix-sys:file_item>
> 
>     <unix-sys:file_item id="14726416" status="exists">
>         <unix-sys:path>/scapVal/File-Test-Level2/Level3-Folder010/Level4-Folder011/Level5-Folder012</unix-sys:path>
>         <unix-sys:filename/>
>         <unix-sys:type>directory</unix-sys:type> ...
>     </unix-sys:file_item>
> I believe the item with id="14726416" was incorrectly collected because
> obj:185 is supposed to collect only files.

I am sorry, but I can't reproduce this issue, neither with openscap 1.2.10 nor
with the latest 1.2.13. I created a similar directory structure and OVAL,
but it always collected only files for me.
I think I'm missing something. I would need the whole OVAL to be able to help 
you.
Is there any symlink in your structure?

> 
> 
> 2. A similar issue, related to #1, happens when recurse_direction="up".
> Here is an example:
> <unix:file_object
> xmlns:unix="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"
> id="oval:nist.validation.macosFileTest:obj:181" comment="@recurse='symlinks
> and directories'" version="1">
>     <unix:behaviors max_depth="0" recurse_file_system="local"
> recurse="symlinks and directories" recurse_direction="up"/>
>     <unix:path>/scapVal/File-Test-Level2/Level3-Folder010</unix:path>
>     <unix:filename datatype="string" operation="pattern match">.+</unix:filename>
> </unix:file_object>
> 
> <object id="oval:nist.validation.macosFileTest:obj:181" version="1"
> flag="complete">
>     <reference item_ref="14726417"/>
>     <reference item_ref="14726426"/>
>     <reference item_ref="14726427"/>
> </object>
> <unix-sys:file_item id="14726417" status="exists">
>     <unix-sys:filepath>/scapVal/File-Test-Level2/Level3-Folder010/Level3-File010.txt</unix-sys:filepath>
>     <unix-sys:path>/scapVal/File-Test-Level2/Level3-Folder010</unix-sys:path>
>     <unix-sys:filename>Level3-File010.txt</unix-sys:filename>
>     <unix-sys:type>regular</unix-sys:type>
> </unix-sys:file_item>
> <unix-sys:file_item id="14726426" status="exists">
>     <unix-sys:filepath>/scapVal/File-Test-Level2/Level3-Folder010/Level4-Folder011</unix-sys:filepath>
>     <unix-sys:path>/scapVal/File-Test-Level2/Level3-Folder010</unix-sys:path>
>     <unix-sys:filename>Level4-Folder011</unix-sys:filename>
>     <unix-sys:type>directory</unix-sys:type>
> </unix-sys:file_item>
> <unix-sys:file_item id="14726427" status="exists">
>     <unix-sys:filepath>/scapVal/File-Test-Level2/Level3-Folder010</unix-sys:filepath>
>     <unix-sys:path>/scapVal/File-Test-Level2</unix-sys:path>
>     <unix-sys:filename>Level3-Folder010</unix-sys:filename>
>     <unix-sys:type>directory</unix-sys:type>
> </unix-sys:file_item>
> 
> Since recurse_direction="up" and the file Level3-File010.txt is a
> 'child', it should not be collected. Also, the other 2 items corresponding
> to folders should not be collected because they are directories. In fact,
> obj:181 should have flag="does not exist".

I have noticed that you have set max_depth="0". In the OVAL specification,
UNIX Definitions Schema, I have found the following:
... 'max_depth' defines the maximum depth of recursion to perform when a
recurse_direction is specified. A value of '0' is equivalent to no recursion ...
Therefore I think no recursion should be performed, neither up nor down.
I think only the files and directories located directly in
/scapVal/File-Test-Level2/Level3-Folder010 should be collected.
Therefore I think OpenSCAP works correctly in this case.
Yeah, OVAL is tricky :D


> 
> 3. According to unix-system-characteristics-schema.html, when <unix:filename
> xsi:nil="true" datatype="string"/>, the filename element of the file_item
> should be “<unix-sys:filename xsi:nil="true"/>”, but OpenSCAP creates:
> “<unix-sys:filename/>”.

I agree that this is a bug, and it seems to me an easy fix.


> 
> Please let me know if you have any questions.
> 
> Respectfully,
> _Dragos.
> 
> _______________________________________________
> Open-scap-list mailing list
> Open-scap-list@redhat.com
> https://www.redhat.com/mailman/listinfo/open-scap-list
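
As an added illustration of the max_depth / recurse_direction reading quoted from the schema above (example code written for this page, not OpenSCAP's own implementation): a small Python model of which directories a unix:file_object may visit, run over a constructed copy of the tree from the mail. It assumes the filename element selects regular files only (the directory-item question raised in the thread is left aside), that Level5-Folder012 is empty, and that there are no symlinks.

```python
import posixpath
import re

# Constructed model of the tree shown in the mail (assumptions: Level5-Folder012
# is empty, no symlinks). A trailing "/" marks a directory entry.
TREE = {
    "/": ["scapVal/"],
    "/scapVal": ["File-Test-Level2/"],
    "/scapVal/File-Test-Level2": ["Level3-Folder010/", "Level3-Folder020/", "Level3-Folder030/",
                                  "Level3-Folder040/", "Level3-Folder050/"],
    "/scapVal/File-Test-Level2/Level3-Folder010": ["Level4-Folder011/", "Level3-File010.txt"],
    "/scapVal/File-Test-Level2/Level3-Folder010/Level4-Folder011": ["Level5-Folder012/"],
    "/scapVal/File-Test-Level2/Level3-Folder010/Level4-Folder011/Level5-Folder012": [],
}

def subdirs(path):
    return [posixpath.join(path, e[:-1]) for e in TREE.get(path, []) if e.endswith("/")]

def regular_files(path):
    return [e for e in TREE.get(path, []) if not e.endswith("/")]

def directories_in_scope(start, recurse_direction="none", max_depth=-1):
    """Directories the behaviors allow visiting; <unix:path> itself is always first."""
    # max_depth as in the schema text: -1 = unlimited, 0 = no recursion, n = n levels.
    visited = [start]
    if recurse_direction == "none" or max_depth == 0:
        return visited
    if recurse_direction == "up":
        cur, depth = start, 0
        while cur != "/" and (max_depth < 0 or depth < max_depth):
            cur = posixpath.dirname(cur)      # one level towards the root
            visited.append(cur)
            depth += 1
        return visited
    frontier = [(start, 0)]                   # "down": breadth-first, depth-limited
    while frontier:
        d, depth = frontier.pop(0)
        if 0 <= max_depth <= depth:           # would exceed max_depth: do not descend
            continue
        for sub in subdirs(d):
            visited.append(sub)
            frontier.append((sub, depth + 1))
    return visited

def collect_file_items(start, filename_pattern, recurse_direction="none", max_depth=-1):
    """(path, filename) of every regular file in scope whose name matches the pattern."""
    rx = re.compile(filename_pattern)         # OVAL "pattern match" on the filename element
    return [(d, f) for d in directories_in_scope(start, recurse_direction, max_depth)
            for f in regular_files(d) if rx.search(f)]
```

With obj:181's settings (up, max_depth="0") the scope is only the starting directory, and with obj:185's settings (down, max_depth="1") Level4-Folder011 and Level5-Folder012 are never visited.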
