On 11/9/17 1:09 PM, Chuck Atkins wrote:
> I'm using the compiled datastream SCAP content for Red Hat security
> advisories
> (https://www.redhat.com/security/data/metrics/ds/com.redhat.rhsa-RHEL7.ds.xml).
>
> From what I can tell, most of the checks are testing if a package
> version indicates whether or not it's already patched. Most of these
> are via the OVAL rpminfo_test. What I don't understand is how it
> actually works; i.e.:
>
> <red-def:rpminfo_test check="at least one"
> comment="java-1.7.0-openjdk is earlier than 1:1.7.0.55-2.4.7.2.el7_0"
> id="oval:com.redhat.rhsa:tst:20140675005" version="601">
> <red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675005"/>
> <red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675003"/>
> </red-def:rpminfo_test>
>
> Somehow this test passes even if I don't have the java-1.7.0-openjdk
> package installed. Shouldn't it be false in that case since the "at
> least one" check wouldn't be satisfied? I understand why you would
> want it to be true; so that your tests would pass if not applicable
> and pass/fail based on version if it was, but it seems to me you would
> need to implement that via a more complicated condition involving both
> a test for existence and a test for version info. I just don't see
> how the single rpminfo_test achieves that and passes in this case.
Really good question and one that comes up often.

That test calls an object:

> <red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140675005"
> version="601">
> <red-def:name>java-1.7.0-openjdk</red-def:name>
> </red-def:rpminfo_object>

And refers to a state:

> <red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20140675003"
> version="601">
> <red-def:evr datatype="evr_string" operation="less than">1:1.7.0.55-2.4.7.2.el7_0</red-def:evr>
> </red-def:rpminfo_state>

At surface value, you'd think the "at least one" check would read something like:

    # Am I vulnerable?
    if [ oval:com.redhat.rhsa:obj:20140675005 ] || [ oval:com.redhat.rhsa:ste:20140675003 ]; then
        echo "VULNERABLE"
    else
        echo "NOT VULNERABLE"
    fi

.... in which case, if java-1.7.0-openjdk is even *installed*, the condition of "at least one" would be satisfied and the system marked vulnerable.

In reality the rpminfo_test definitions /extend/ the standard test types and require an object (oval:com.redhat.rhsa:obj:20140675005) and look for an optional state (oval:com.redhat.rhsa:ste:20140675003) to measure against. If state is given, the test logic is more like this:

    # Am I vulnerable?
    if [ oval:com.redhat.rhsa:obj:20140675005 ] && [ oval:com.redhat.rhsa:ste:20140675003 ]; then
        echo "VULNERABLE"
    else
        echo "NOT VULNERABLE"
    fi

Hope this helps.

..... and yes, this is an example of how OVAL can be crummy to author and peer review.
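Added example, not code from the thread or from OpenSCAP: a small Python model of the evaluation the reply describes, run over a constructed package inventory. The object collects installed packages by name, an empty collection makes the test false, and the "less than" state is only compared against collected items; the EVR comparison is a simplified rpmvercmp (tilde and caret handling of the real one is left out, an assumption for illustration).

```python
import re
# Constructed sample inventory (not from a real host): (name, "epoch:version-release"),
# i.e. what the rpminfo_object for that name would collect.
INSTALLED = [("java-1.7.0-openjdk", "1:1.7.0.51-2.4.5.5.el7"),
             ("bash", "0:4.2.46-28.el7")]

_SEGMENT = re.compile(r"[0-9]+|[a-zA-Z]+")

def rpmvercmp(a, b):
    # Simplified rpmvercmp: numeric segments compare as integers and outrank alpha ones.
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x != y:
            return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def parse_evr(evr):
    # "epoch:version-release"; a missing epoch counts as 0.
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    version, _, release = rest.partition("-")
    return int(epoch), version, release

def evrcmp(a, b):
    # -1, 0 or 1: epoch first, then version, then release.
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

_OPS = {"less than": lambda c: c < 0, "equals": lambda c: c == 0,
        "greater than or equal": lambda c: c >= 0}

def rpminfo_test(installed, name, evr=None, operation="less than", check="at least one"):
    # The object collects every installed package with this name; with the default
    # check_existence (at_least_one_exists) an empty collection makes the test false.
    items = [v for n, v in installed if n == name]
    if not items:
        return False                  # not installed: false, never "vulnerable"
    if evr is None:
        return True                   # object-only test: existence alone decides
    matches = [_OPS[operation](evrcmp(v, evr)) for v in items]
    return any(matches) if check == "at least one" else all(matches)
```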
_______________________________________________
Open-scap-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/open-scap-list
