Hi,

On Tue, Aug 13, 2019 at 4:53 AM Tim Burress <t...@variosecure.net> wrote:
>
> Hello,
>
> I'm trying to learn my way around SCAP just now, with the main focus
> right now on scans of Linux-based systems using oscap and the related
> tools. I'm hitting a bit of a wall when it comes to writing OVAL content
> and just wondered if someone could point me to resources that unpack
> things from the perspective of someone accustomed to writing software in
> "normal" programming languages?

I'm not aware of any comprehensive book about that.
The official website can be a good start:
- https://oval.mitre.org/

We have created a tutorial for Red Hat Summit about ComplianceAsCode, which also mentions OVAL:
- https://github.com/RedHatDemos/SecurityDemos/tree/master/2019Labs/CustomSecurityContent/documentation

>
> Some more-or-less specific questions:
>
> o In an object definition like this (condensed from OVAL found in SSG,
> where B is a local variable containing a set of file paths):
>
> <ind:textfilecontent54_object id="A" version="1">
>   <ind:filepath var_ref="B" var_check="at least one" />
>   <ind:pattern operation="pattern match">^0$</ind:pattern>
>   <ind:instance datatype="int">1</ind:instance>
> </ind:textfilecontent54_object>
>
> what is the function of var_check="at least one"? I assume that this is
> a condition being applied to the value of the variable B, saying that it
> must have at least one member, but what happens if the variable B is an
> empty set?

When var_check is set to "at least one", it means that for a file to be matched its file path must be equal to at least one of the members of variable B.
If the variable B is an empty set, the object will be evaluated as "does not exist".

var_check is described here:
https://oval.mitre.org/language/version5.11/ovaldefinition/documentation/oval-definitions-schema.html
- search for var_check in section EntityAttributeGroup.

>
> o Basic question: is the order in which entities appear in a file of
> OVAL content irrelevant? Given that they are all tagged with types and
> ID strings it seems like this would be the case, but OVAL is a new world
> where many things are not what they seem, so I thought I would check.

The order of objects, states, variables etc. is irrelevant. For example, it doesn't matter if object id=1 is defined before or after object id=2.
However, the order of different child elements matters.
For example, within the <ind:textfilecontent54_object> element the <ind:filepath> element must always be before the <ind:pattern> element.
OpenSCAP will tell you if you put elements in the wrong order, because it performs XML validation each time.

>
> o Is there a tool that allows you to debug OVAL at runtime? That is,
> much like any other debugger, to set breakpoints and examine the values
> of objects/variables/etc at runtime?

We don't have any tool. We usually run OpenSCAP with --verbose, or we generate the XML results and we analyse the results.

>
> o Is there a document/book/tutorial that guides a person through
> creating complex OVAL rules (preferably on Linux systems)? Most of the
> examples I've found on the web are of the very simple "Hello World"
> variety, so lead to more questions than they answer. Something that
> walks through even just how to *think* about solving problems in OVAL
> would be helpful at this point.

I also wish there was something like that. Try to get inspired by the existing rules in SSG.

If you have any further questions, feel free to ask here anytime.

Regards

>
> Thanks!
>
>
>
> _______________________________________________
> Open-scap-list mailing list
> Openemail@example.com
> https://www.redhat.com/mailman/listinfo/open-scap-list

--
Jan Černý
Security Technologies | Red Hat, Inc.