Hello list,

I'm fairly new to OVAL, and for a project I'm documenting several of our 
configuration rules into XCCDF, and adding OVAL rules to them to be able to 
have automated testing afterwards.

For most it's fairly straightforward, but for one I'm stumped and can't seem to 
get it right.

I want to scan /usr/foo and check that all directories in that directory have 
the correct permissions (0755).
(Also same but check that all files have the right selinux context.)

For some reason, I can't seem to get it to filter the way I want. The oval 
collector always returns 
Collected: "oval:com.foobar:obj:24" : does not exist


OVAL content:
    <definition class="compliance" id="oval:com.foobar:def:20" version="1">
      <metadata>
        <title>/usr/foo permissions</title>
        <description>/usr/foo directory (and subdirectories) should have 
permissions 0755 (rwx r-x r-x)</description>
        <reference ref_id="REF-000020" source="REF"/>
        <affected family="unix">
          <platform>Red Hat Enterprise Linux 7</platform>
        </affected>
      </metadata>
      <criteria operator="AND">
        <criterion comment="/usr/foo permissions" 
test_ref="oval:com.foobar:tst:23"/>
        <criterion comment="/usr/foo permissions" 
test_ref="oval:com.foobar:tst:24"/>
      </criteria>
    </definition>

    <file_test check="all" check_existence="all_exist" comment="/usr/foo 
permissions" id="oval:com.foobar:tst:23" version="1" 
xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix">
      <object object_ref="oval:com.foobar:obj:23"/>
      <state state_ref="oval:com.foobar:ste:20"/>
    </file_test>

    <file_test check="all" check_existence="all_exist" comment="/usr/foo 
permissions" id="oval:com.foobar:tst:24" version="1" 
xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix">
      <object object_ref="oval:com.foobar:obj:24"/>
      <state state_ref="oval:com.foobar:ste:22"/>
    </file_test>

    <file_object id="oval:com.foobar:obj:23" version="1" 
xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix">
      <path>/usr/foo</path>
      <filename xsi:nil="true"/>
    </file_object>
    <file_object id="oval:com.foobar:obj:24" version="1" 
xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix">
      <set set_operator="INTERSECTION" 
xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5";>
        <object_reference>oval:com.foobar:obj:25</object_reference>
        <filter action="include">oval:com.foobar:ste:21</filter>
      </set>
    </file_object>

    <file_object id="oval:com.foobar:obj:25" version="1" 
xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix">
      <behaviors recurse="directories" recurse_direction="down"/>
      <path>/usr/foo</path>
      <filename operation="pattern match">^.*$</filename>
    </file_object>

    <file_state id="oval:com.foobar:ste:20" version="1" 
xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix">
      <suid datatype="boolean">false</suid>
      <sgid datatype="boolean">false</sgid>
      <sticky datatype="boolean">false</sticky>
      <uread datatype="boolean">true</uread>
      <uwrite datatype="boolean">true</uwrite>
      <uexec datatype="boolean">true</uexec>
      <gread datatype="boolean">true</gread>
      <gwrite datatype="boolean">false</gwrite>
      <gexec datatype="boolean">true</gexec>
      <oread datatype="boolean">true</oread>
      <owrite datatype="boolean">false</owrite>
      <oexec datatype="boolean">true</oexec>
    </file_state>

    <file_state id="oval:com.foobar:ste:21" version="1" 
xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix">
      <type>directory</type>
    </file_state>

    <file_state id="oval:com.foobar:ste:22" version="1" 
xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix">
      <suid datatype="boolean">false</suid>
      <sgid datatype="boolean">false</sgid>
      <sticky datatype="boolean">false</sticky>
      <uread datatype="boolean">true</uread>
      <uwrite datatype="boolean">true</uwrite>
      <uexec datatype="boolean">true</uexec>
      <gread datatype="boolean">true</gread>
      <gwrite datatype="boolean">false</gwrite>
      <gexec datatype="boolean">true</gexec>
      <oread datatype="boolean">true</oread>
      <owrite datatype="boolean">false</owrite>
      <oexec datatype="boolean">true</oexec>
    </file_state>


It seems that the include action filter on ste:21 is the problem - if I remove 
this, I get a bunch of files returned. If I change this to e.g. an exclude 
filter on "regular", I'll just get all the other files. But an include on 
"directory" seems to not work?

I also tried using two exclude filters, but that also returned no results.

Any ideas?

Thanks in advance.


_______________________________________________
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list
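As an added reference check that is not part of the original post and not OpenSCAP code: a Python script that performs the test the definition above expresses (the /usr/foo root from tst:23 plus every directory below it from tst:24, filtered to type directory, each required to be exactly 0755 with suid, sgid and sticky clear) against a constructed temporary tree, so that the expected item count and the expected failures can be compared with what the collector returns. The sample tree, its paths and the `remediate` helper are assumptions made for illustration; the script does not explain why the include filter misbehaves in the collector.

```python
"""Reference check for: /usr/foo and every directory below it are mode 0755.

Added illustration, not part of the mailing-list post or of OpenSCAP.  The
sample tree lives under a temporary directory and is constructed here.
"""
import os
import stat
import tempfile

# The twelve booleans a unix file_state carries, as ste:20/ste:22 list them.
EXPECTED_0755 = {
    "suid": False, "sgid": False, "sticky": False,
    "uread": True, "uwrite": True, "uexec": True,
    "gread": True, "gwrite": False, "gexec": True,
    "oread": True, "owrite": False, "oexec": True,
}


def permission_bits(mode):
    """Decompose an st_mode (or a plain octal mode) into the file_state booleans."""
    return {
        "suid": bool(mode & stat.S_ISUID),
        "sgid": bool(mode & stat.S_ISGID),
        "sticky": bool(mode & stat.S_ISVTX),
        "uread": bool(mode & stat.S_IRUSR),
        "uwrite": bool(mode & stat.S_IWUSR),
        "uexec": bool(mode & stat.S_IXUSR),
        "gread": bool(mode & stat.S_IRGRP),
        "gwrite": bool(mode & stat.S_IWGRP),
        "gexec": bool(mode & stat.S_IXGRP),
        "oread": bool(mode & stat.S_IROTH),
        "owrite": bool(mode & stat.S_IWOTH),
        "oexec": bool(mode & stat.S_IXOTH),
    }


def collect_directories(root):
    """What obj:23 plus obj:25-filtered-to-directories should yield: the root
    itself ('.') and every directory below it, as root-relative paths.
    os.walk does not descend into symlinks; a symlink to a directory is
    checked with lstat and skipped, since it is not itself a directory."""
    found = ["."]
    for dirpath, dirnames, _files in os.walk(root):
        for name in dirnames:
            full = os.path.join(dirpath, name)
            if stat.S_ISDIR(os.lstat(full).st_mode):
                found.append(os.path.relpath(full, root))
    return sorted(found)


def check_tree(root, expected=EXPECTED_0755):
    """Return (compliant, offenders); offenders are (relative path, octal mode)."""
    offenders = []
    for rel in collect_directories(root):
        mode = os.lstat(os.path.join(root, rel)).st_mode
        if permission_bits(mode) != expected:
            offenders.append((rel, oct(stat.S_IMODE(mode))))
    return (not offenders, offenders)


def remediate(root):
    """Assumed remediation helper: chmod each offending directory to 0755
    and return how many were changed."""
    _ok, offenders = check_tree(root)
    for rel, _mode in offenders:
        os.chmod(os.path.join(root, rel), 0o755)
    return len(offenders)


def build_sample_tree():
    """Constructed sample (not a real /usr/foo): one good subdirectory, one
    0750 subdirectory two levels down, and a 0644 regular file that the
    directory filter must ignore.  Modes are set with chmod afterwards so
    the caller's umask does not matter."""
    root = tempfile.mkdtemp(prefix="usr_foo_")
    os.chmod(root, 0o755)
    for rel, mode in (("bin", 0o755), ("lib", 0o755), ("lib/private", 0o750)):
        path = os.path.join(root, rel)
        os.mkdir(path)
        os.chmod(path, mode)
    readme = os.path.join(root, "README")
    with open(readme, "w") as fh:
        fh.write("constructed sample\n")
    os.chmod(readme, 0o644)
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    print("directories:", collect_directories(sample))
    print("check:", check_tree(sample))
    print("remediated:", remediate(sample), "recheck:", check_tree(sample))
```

Point `check_tree` at the real /usr/foo to get the list of directories and offenders the OVAL definition should report; if the count differs from the items the collector shows for obj:25 with the filter removed, the difference is in what the collector considers a directory, not in the state.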