Hi,

I'm afraid you have discovered a bug in OpenSCAP.
The problem isn't with the filters; the problem is that OpenSCAP completely 
ignores directories.

I have reduced your OVAL to just collect everything under /usr/foo and removed 
the filters. See the attachment.

I ran the following commands:

sudo mkdir -p /usr/foo/bar
sudo oscap oval eval --verbose INFO --results results.xml directory_reproducer.xml

The results.xml does not contain any collected object, which shouldn't happen:
the "bar" directory should have been collected.

This needs to be fixed in OpenSCAP source code.

Regards

Jan Černý
Security Technologies | Red Hat, Inc.




----- Original Message -----
> From: ml+opens...@kcore.org
> To: open-scap-list@redhat.com
> Sent: Wednesday, April 11, 2018 4:10:14 PM
> Subject: [Open-scap] OVAL filtering on directories?
> 
> Hello list,
> 
> I'm fairly new to OVAL, and for a project I'm documenting several of our
> configuration rules into XCCDF, and adding OVAL rules to them to be able to
> have automated testing afterwards.
> 
> For most it's fairly straightforward, but for one I'm stumped and can't seem
> to get it right.
> 
> I want to scan /usr/foo and check that all directories in that directory have
> the correct permissions (0755).
> (Also same but check that all files have the right selinux context.)
> 
> For some reason, I can't seem to get it to filter the way I want. The oval
> collector always returns
> Collected: "oval:com.foobar:obj:24" : does not exist
> 
> 
> OVAL content:
>     <definition class="compliance" id="oval:com.foobar:def:20" version="1">
>       <metadata>
>         <title>/usr/foo permissions</title>
>         <description>/usr/foo directory (and subdirectories) should have
>         permissions 0755 (rwx r-x r-x)</description>
>         <reference ref_id="REF-000020" source="REF"/>
>         <affected family="unix">
>           <platform>Red Hat Enterprise Linux 7</platform>
>         </affected>
>       </metadata>
>       <criteria operator="AND">
>         <criterion comment="/usr/foo permissions"
>         test_ref="oval:com.foobar:tst:23"/>
>         <criterion comment="/usr/foo permissions"
>         test_ref="oval:com.foobar:tst:24"/>
>       </criteria>
>     </definition>
> 
>     <file_test check="all" check_existence="all_exist" comment="/usr/foo
>     permissions" id="oval:com.foobar:tst:23" version="1"
>     xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix">
>       <object object_ref="oval:com.foobar:obj:23"/>
>       <state state_ref="oval:com.foobar:ste:20"/>
>     </file_test>
> 
>     <file_test check="all" check_existence="all_exist" comment="/usr/foo
>     permissions" id="oval:com.foobar:tst:24" version="1"
>     xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix">
>       <object object_ref="oval:com.foobar:obj:24"/>
>       <state state_ref="oval:com.foobar:ste:22"/>
>     </file_test>
> 
>     <file_object id="oval:com.foobar:obj:23" version="1"
>     xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix">
>       <path>/usr/foo</path>
>       <filename xsi:nil="true"/>
>     </file_object>
>     <file_object id="oval:com.foobar:obj:24" version="1"
>     xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix">
>       <set set_operator="INTERSECTION"
>       xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5";>
>         <object_reference>oval:com.foobar:obj:25</object_reference>
>         <filter action="include">oval:com.foobar:ste:21</filter>
>       </set>
>     </file_object>
> 
>     <file_object id="oval:com.foobar:obj:25" version="1"
>     xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix">
>       <behaviors recurse="directories" recurse_direction="down"/>
>       <path>/usr/foo</path>
>       <filename operation="pattern match">^.*$</filename>
>     </file_object>
> 
>     <file_state id="oval:com.foobar:ste:20" version="1"
>     xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix">
>       <suid datatype="boolean">false</suid>
>       <sgid datatype="boolean">false</sgid>
>       <sticky datatype="boolean">false</sticky>
>       <uread datatype="boolean">true</uread>
>       <uwrite datatype="boolean">true</uwrite>
>       <uexec datatype="boolean">true</uexec>
>       <gread datatype="boolean">true</gread>
>       <gwrite datatype="boolean">false</gwrite>
>       <gexec datatype="boolean">true</gexec>
>       <oread datatype="boolean">true</oread>
>       <owrite datatype="boolean">false</owrite>
>       <oexec datatype="boolean">true</oexec>
>     </file_state>
> 
>     <file_state id="oval:com.foobar:ste:21" version="1"
>     xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix">
>       <type>directory</type>
>     </file_state>
> 
>     <file_state id="oval:com.foobar:ste:22" version="1"
>     xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix">
>       <suid datatype="boolean">false</suid>
>       <sgid datatype="boolean">false</sgid>
>       <sticky datatype="boolean">false</sticky>
>       <uread datatype="boolean">true</uread>
>       <uwrite datatype="boolean">true</uwrite>
>       <uexec datatype="boolean">true</uexec>
>       <gread datatype="boolean">true</gread>
>       <gwrite datatype="boolean">false</gwrite>
>       <gexec datatype="boolean">true</gexec>
>       <oread datatype="boolean">true</oread>
>       <owrite datatype="boolean">false</owrite>
>       <oexec datatype="boolean">true</oexec>
>     </file_state>
> 
> 
> It seems that the include action filter on ste:21 is the problem - if I
> remove this, I get a bunch of files returned. If I change this to e.g. an
> exclude filter on "regular", I'll just get all the other files. But an
> include on "directory" seems to not work?
> 
> I also tried using two exclude filters, but that also returned no results.
> 
> Any ideas?
> 
> Thanks in advance.
> 
> 
> _______________________________________________
> Open-scap-list mailing list
> Open-scap-list@redhat.com
> https://www.redhat.com/mailman/listinfo/open-scap-list
> 

Attachment: directory_reproducer.xml
Description: XML document
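Added example (not part of this thread, and not OpenSCAP code): when an object comes back as "does not exist" it helps to look at the collected_objects and system_data sections of results.xml directly rather than at the definition results, because that is where you can see whether a directory item was gathered at all. The script below parses an OVAL results document with the standard library and prints, per collected object, its flag and the file items it references, reconstructing the numeric mode from the boolean permission elements. The embedded results document is constructed (and truncated to the parts that matter) to mirror the symptom above: obj:23 collects the /usr/foo directory item, obj:24 collects nothing. The function names are my own.

```python
import xml.etree.ElementTree as ET

# OVAL namespaces used in the system-characteristics part of an oscap results file
SC = "http://oval.mitre.org/XMLSchema/oval-system-characteristics-5"
NS = {"sc": SC, "unix": SC + "#unix"}

# Boolean permission elements of a unix-sc:file_item and the mode bit each one stands for
PERM_BITS = [
    ("suid", 0o4000), ("sgid", 0o2000), ("sticky", 0o1000),
    ("uread", 0o400), ("uwrite", 0o200), ("uexec", 0o100),
    ("gread", 0o040), ("gwrite", 0o020), ("gexec", 0o010),
    ("oread", 0o004), ("owrite", 0o002), ("oexec", 0o001),
]

# Constructed sample (not real oscap output): obj:23 collected the /usr/foo
# directory item, obj:24 (the filtered set object) came back with no items.
SAMPLE_RESULTS = """<oval_results xmlns="http://oval.mitre.org/XMLSchema/oval-results-5"
    xmlns:sc="http://oval.mitre.org/XMLSchema/oval-system-characteristics-5"
    xmlns:unix-sc="http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#unix"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <results>
    <system>
      <sc:oval_system_characteristics>
        <sc:collected_objects>
          <sc:object id="oval:com.foobar:obj:23" version="1" flag="complete">
            <sc:reference item_ref="1"/>
          </sc:object>
          <sc:object id="oval:com.foobar:obj:24" version="1" flag="does not exist"/>
        </sc:collected_objects>
        <sc:system_data>
          <unix-sc:file_item id="1" status="exists">
            <unix-sc:path>/usr/foo</unix-sc:path>
            <unix-sc:filename xsi:nil="true"/>
            <unix-sc:type>directory</unix-sc:type>
            <unix-sc:suid datatype="boolean">false</unix-sc:suid>
            <unix-sc:sgid datatype="boolean">false</unix-sc:sgid>
            <unix-sc:sticky datatype="boolean">false</unix-sc:sticky>
            <unix-sc:uread datatype="boolean">true</unix-sc:uread>
            <unix-sc:uwrite datatype="boolean">true</unix-sc:uwrite>
            <unix-sc:uexec datatype="boolean">true</unix-sc:uexec>
            <unix-sc:gread datatype="boolean">true</unix-sc:gread>
            <unix-sc:gwrite datatype="boolean">false</unix-sc:gwrite>
            <unix-sc:gexec datatype="boolean">true</unix-sc:gexec>
            <unix-sc:oread datatype="boolean">true</unix-sc:oread>
            <unix-sc:owrite datatype="boolean">false</unix-sc:owrite>
            <unix-sc:oexec datatype="boolean">true</unix-sc:oexec>
          </unix-sc:file_item>
        </sc:system_data>
      </sc:oval_system_characteristics>
    </system>
  </results>
</oval_results>
"""


def item_mode(item):
    """Assemble the numeric mode from the boolean permission elements of a file_item."""
    mode = 0
    for name, bit in PERM_BITS:
        if item.findtext("unix:" + name, default="", namespaces=NS).strip().lower() == "true":
            mode |= bit
    return mode


def summarize_collected(xml_text):
    """Map each collected object id to its flag and the file items it references."""
    root = ET.fromstring(xml_text)
    items = {el.get("id"): el for el in root.iterfind(".//sc:system_data/*", NS)}
    summary = {}
    for obj in root.iterfind(".//sc:collected_objects/sc:object", NS):
        entries = []
        for ref in obj.findall("sc:reference", NS):
            item = items.get(ref.get("item_ref"))
            if item is None:
                continue  # dangling item_ref: nothing to describe
            entries.append({
                "path": item.findtext("unix:path", default="", namespaces=NS),
                "filename": item.findtext("unix:filename", default="", namespaces=NS),
                "type": item.findtext("unix:type", default="", namespaces=NS),
                "mode": item_mode(item),
            })
        summary[obj.get("id")] = {"flag": obj.get("flag"), "items": entries}
    return summary


def objects_without_items(summary):
    """Ids of collected objects that reference no item, i.e. where nothing was collected."""
    return sorted(oid for oid, info in summary.items() if not info["items"])


def report(summary):
    """Render the summary as lines in the style of oscap's --verbose INFO output."""
    lines = []
    for oid, info in sorted(summary.items()):
        lines.append(f'Collected: "{oid}" : {info["flag"]} ({len(info["items"])} item(s))')
        for it in info["items"]:
            name = it["filename"] or "(nil)"
            lines.append(f'    {it["path"]}  filename={name}  type={it["type"]}  mode={it["mode"]:04o}')
    return lines


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RESULTS
    print("\n".join(report(summarize_collected(text))))
```

Run it as "python3 check_collected.py results.xml" after an oscap oval eval; with no argument it runs over the embedded sample. An object listed with flag "complete" but zero items, or a recursing object whose items never include type=directory, is the quickest way to tell a filter problem in your own content apart from the collector ignoring directories.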
