Chrome 18.0.1025.168 CVEs


Chrome 18.0.1025.168 CVEs

Shane Shaffer
Attached are definitions for the 5 CVEs addressed by Chrome 18.0.1025.168 on Windows.

Shane Shaffer
Technical Director, Security Automation
G2, Inc.
To unsubscribe, send an email message to [hidden email] with SIGNOFF OVAL-DISCUSSION-LIST in the BODY of the message. If you have difficulties, write to [hidden email].

Attachment: ChromeCVEs_18_0_1025_168.xml (22K)

Re: Chrome 18.0.1025.168 CVEs

jasenj1
This submission has been processed and is now available in the OVAL Repository.

- Jasen.

From: Shane Shaffer <[hidden email]>
Reply-To: oval-discussion-list OVAL Discussion List/Closed Public Discussi <[hidden email]>
Date: Tuesday, May 1, 2012 8:37 AM
To: oval-discussion-list OVAL Discussion List/Closed Public Discussi <[hidden email]>
Subject: [OVAL-DISCUSSION-LIST] Chrome 18.0.1025.168 CVEs

Attached are definitions for the 5 CVEs addressed by Chrome 18.0.1025.168 on Windows.


Cisco IOS schema line_object cannot use local_variable reference for the subcommand element

Panos Kampanakis (pkampana)

Hello everyone,

Trying to write more advanced definitions for Cisco I found myself limited because of the Cisco IOS schema. I wanted to confirm that I am correct and there is no alternative way of accomplishing what I want to do.

I am using a local variable to parse the config file and get the ACLs applied. That local variable will have, let’s say, 3 values that will be three show commands:

- “sh access-list x”
- “sh access-list y”
- “sh access-list x”

I want to use these local variable values in a line_test to check if the ACLs are configured properly.

It seems there are 2 limitations here:

1) The line_object used in the line_test will not accept a reference to a local variable that practically will give the show_subcommand. The line_object can only take static show commands in its show_subcommand element.

2) Even if 1 was possible, if I wanted to have the line_test apply the test for all 3 show commands in my local variable, the line test would not perform it.

Am I correct?

Rgs,

Panos


Re: Cisco IOS schema line_object cannot use local_variable reference for the subcommand element

Hansbury, Matt

Hi Panos,

First, I’d like to say up front that I know very little about the component schema for Cisco IOS. That said, I think I should be able to help you here.

You didn’t include any test OVAL, so I’m making a few assumptions, but I think what you’re looking to do may be possible, at least from the OVAL side of things. (The IOS side, as I said earlier, I don’t know much about.) I think what you’re looking to do here is to apply the line_test against each value stored in a local_variable, correct? I think this is possible using a var_ref on the show_subcommand entity. Here is a small OVAL snippet that hopefully illustrates this (validated, but untested):

    <tests>
        <line_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#ios" id="oval:example:tst:1" version="0" check="all" check_existence="at_least_one_exists" comment="test 1">
            <object object_ref="oval:example:obj:1"/>
        </line_test>
    </tests>
    <objects>
        <line_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#ios" id="oval:example:obj:1" version="0">
            <show_subcommand var_check="all" var_ref="oval:example:var:1"/>
        </line_object>
    </objects>
    <states>
        <line_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#ios" id="oval:example:ste:1" version="0">
            <config_line operation="equals">some kind of value</config_line>
        </line_state>
    </states>
    <variables>
        <constant_variable id="oval:example:var:1" version="0" datatype="string" comment="var">
            <value>sh access-list x</value>
            <value>sh access-list y</value>
            <value>sh access-list x</value>
        </constant_variable>
    </variables>

 

Note that for simplicity, I used a constant_variable here, but it should operate the same as if you used a local_variable that evaluated to 3 values. I *believe* the above will collect 3 Items, one for each Variable value. The collected Item will depend a bit on the show_subcommand entity, but I’m assuming each of the 3 collected Items will contain a config_line value, which will be compared against the State. The test State here is quite simple; it just does a string compare, but you could certainly do more complex things.

So…does this work? Or am I missing something? If this helps, great. If I have missed something, it would be great if you could post the OVAL you have so far to help me understand the intent.

Thanks

Matt

From: Panos Kampanakis [mailto:[hidden email]]
Sent: Tuesday, May 01, 2012 1:53 PM
To: oval-discussion-list OVAL Discussion List/Closed Public Discussi
Subject: [OVAL-DISCUSSION-LIST] Cisco IOS schema line_object cannot use local_variable reference for the subcommand element

 


Re: Cisco IOS schema line_object cannot use local_variable reference for the subcommand element

joval
Matt's test should indeed work.  line_items will be collected corresponding to each of the commands.  There is one caveat, however.  The ios:line_object[show_subcommand] documentation is somewhat ambiguous: "The name of a SHOW sub-command."

I don't know which interpreter you're using, but jOVAL's implementation of the line_object currently will either prepend the word "show" to the subcommand value, or if the value already starts with "show" (as all of the existing public MITRE definitions do) it will run the command outright.  Thus, these commands will fail; "sh access-list x" will become "show sh access-list x" which will certainly be an invalid command.  We decided against simply attempting to execute the raw value because someone could then conceivably alter a setting using an OVAL test.

Perhaps we can come to a consensus on what exactly the show_subcommand should contain.  Should we require that values start with "sh", "sho", or "show"?

Regards,
--David

On 5/2/2012 9:55 AM, Hansbury, Matt wrote:



--

jOVAL.org: OVAL implemented in Java.
Scan any machine from any machine. For free!

Re: Cisco IOS schema line_object cannot use local_variable reference for the subcommand element

Luis Nunez
My vote is for "show".  It helps to be clear on the command intentions.

By the way, the three example commands will list out 3 sets of access control lists.

-ln

On May 2, 2012, at 1:25 PM, David Solin wrote:


Re: Cisco IOS schema line_object cannot use local_variable reference for the subcommand element

Panos Kampanakis (pkampana)
In reply to this post by Hansbury, Matt

Thank you Matt.

I didn’t realize that the show_subcommand was inheriting the var_ref attribute. I will try it out.

When we use the object that is practically the list of the outputs of the “show acl x, y and z” in the oval:example:tst:1, is it safe to assume that the test should return false if it fails in all 3 values of the object?

Rgs,

Panos
From: Hansbury, Matt [mailto:[hidden email]]
Sent: Wednesday, May 02, 2012 10:56 AM
To: [hidden email]
Subject: Re: [OVAL-DISCUSSION-LIST] Cisco IOS schema line_object cannot use local_variable reference for the subcommand element

 


Re: Cisco IOS schema line_object cannot use local_variable reference for the subcommand element

Panos Kampanakis (pkampana)
In reply to this post by joval

Thanks David.

I think that even though “show” can be assumed and thus not included in the text, it makes sense to keep it for clarity.

For example, let’s say I want to get the “show interface Fastethernet0/0”. I could do

<show_subcommand>show interface Fastethernet0/0</show_subcommand>

or

<show_subcommand>interface Fastethernet0/0</show_subcommand>

But if I am in config mode, “interface Fastethernet0/0” is a configuration command. So I can imagine a show subcommand looking like an actual config command, which can confuse the eye.

Panos
From: David Solin [mailto:[hidden email]]
Sent: Wednesday, May 02, 2012 1:26 PM
To: [hidden email]
Subject: Re: [OVAL-DISCUSSION-LIST] Cisco IOS schema line_object cannot use local_variable reference for the subcommand element

 


Re: Cisco IOS schema line_object cannot use local_variable reference for the subcommand element

joval
In reply to this post by Panos Kampanakis (pkampana)
Hi Panos,

The default existence test is "at least one exists"; however, since the command will always produce some output (even erroneous output), there will always be an item corresponding to each object (provided of course that the interpreter can support the test). Hence, Matt's test will always return true.

You should add a line_state to the test that searches for a string pattern you'd like to see to indicate success (or not see, and negate the check), and also set the "check" attribute of the test to "all".

Regards,
--David

On 5/3/2012 10:58 AM, Panos Kampanakis wrote:

Thank you Matt.

I didn’t realize that the show_subcommand was inheriting the var_ref attribute. I will try it out.

When we use the object that is practically the list of the outputs of the “show acl x, y and z” in the oval:example:tst:1, is it safe to assume that the test should return false if it fails in all 3 values of the object?

Rgs,

Panos

From: Hansbury, Matt [[hidden email]]
Sent: Wednesday, May 02, 2012 10:56 AM
To: [hidden email]
Subject: Re: [OVAL-DISCUSSION-LIST] Cisco IOS schema line_object cannot use local_variable reference for the subcommand element

Hi Panos,

First, I’d like to say up front that I know very little about the component schema for Cisco IOS. That said, I think I should be able to help you here.

You didn’t include any test OVAL, so I’m making a few assumptions, but I think what you’re looking to do may be possible, at least from the OVAL side of things. (The IOS side, as I said earlier, I don’t know much about.) I think what you’re looking to do here is to apply the line_test against each value stored in a local_variable, correct? I think this is possible using a var_ref on the show_subcommand entity. Here is a small OVAL snippet that hopefully illustrates this (validated, but untested):

    <tests>
        <line_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#ios" id="oval:example:tst:1" version="0" check="all" check_existence="at_least_one_exists" comment="test 1">
            <object object_ref="oval:example:obj:1"/>
        </line_test>
    </tests>
    <objects>
        <line_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#ios" id="oval:example:obj:1" version="0">
            <show_subcommand var_check="all" var_ref="oval:example:var:1"/>
        </line_object>
    </objects>
    <states>
        <line_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#ios" id="oval:example:ste:1" version="0">
            <config_line operation="equals">some kind of value</config_line>
        </line_state>
    </states>
    <variables>
        <constant_variable id="oval:example:var:1" version="0" datatype="string" comment="var">
            <value>sh access-list x</value>
            <value>sh access-list y</value>
            <value>sh access-list x</value>
        </constant_variable>
    </variables>

Note that for simplicity, I used a constant_variable here, but it should operate the same as if you used a local_variable that evaluated to 3 values. I *believe* the above will collect 3 Items, one for each Variable value. The collected Item will depend a bit on the show_subcommand entity, but I’m assuming each of the 3 collected Items will contain a config_line value, which will be compared against the State. The test State here is quite simple, just does a string compare, but you could certainly do more complex things.

So…does this work? Or am I missing something? If this helps, great. If I have missed something, it would be great if you could post the OVAL you have so far to help me understand the intent.

Thanks

Matt

From: Panos Kampanakis [[hidden email]]
Sent: Tuesday, May 01, 2012 1:53 PM
To: oval-discussion-list OVAL Discussion List/Closed Public Discussi
Subject: [OVAL-DISCUSSION-LIST] Cisco IOS schema line_object cannot use local_variable reference for the subcommand element

Hello everyone,

Trying to write more advanced definitions for Cisco I found myself limited because of the Cisco IOS schema. I wanted to confirm that I am correct and there is no alternative way of accomplishing what I want to do.

I am using a local variable to parse the config file and get the ACLs applied. That local variable will have let’s say 3 values that will be three show commands:

- “sh access-list x”
- “sh access-list y”
- “sh access-list x”

I want to use these local variable values in a line_test to check if the ACLs are configured properly.

It seems there are 2 limitations here:

1) The line_object used in the line_test will not accept a reference to a local variable that practically will give the show_subcommand. The line_object can only take static show commands in its show_subcommand element.

2) Even if 1 was possible, if I wanted to have the line_test apply the test for all 3 show commands in my local variable the line test would not perform it.

Am I correct?

Rgs,

Panos

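The shape David asks for, written out as an added example (this is editor-supplied illustration, not content from the thread, from MITRE, or from any interpreter's test suite): Matt's snippet with a line_state actually referenced from the test and check="all", so the test passes only when the output of every show command matches. The ids oval:example:*:2, the ACL names INSIDE_IN and OUTSIDE_IN and the expected deny-any-log entry are constructed placeholders. The variable values carry the full "show" keyword rather than "sh", which matches the point made later in the thread that an interpreter may prepend "show" to a bare subcommand value.

```xml
<!-- Added example, not part of the original thread. ACL names, the expected
     entry and all oval:example:*:2 ids are constructed placeholders. -->
<tests>
    <line_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#ios"
               id="oval:example:tst:2" version="1"
               check="all" check_existence="at_least_one_exists"
               comment="every referenced ACL must contain a logged deny-any entry">
        <object object_ref="oval:example:obj:2"/>
        <!-- the state reference is what Matt's snippet was missing; without it
             only existence is checked, and a show command always returns output -->
        <state state_ref="oval:example:ste:2"/>
    </line_test>
</tests>
<objects>
    <line_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#ios"
                 id="oval:example:obj:2" version="1">
        <!-- one line_item is collected per variable value -->
        <show_subcommand var_check="all" var_ref="oval:example:var:2"/>
    </line_object>
</objects>
<states>
    <line_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#ios"
                id="oval:example:ste:2" version="1">
        <!-- pattern match is a search over the collected command output, so a
             "% Invalid input" response or an ACL without the entry fails to match -->
        <config_line operation="pattern match">deny\s+ip\s+any\s+any\s+log</config_line>
    </line_state>
</states>
<variables>
    <constant_variable id="oval:example:var:2" version="1" datatype="string"
                       comment="full show commands, one per ACL (constructed values)">
        <value>show access-lists INSIDE_IN</value>
        <value>show access-lists OUTSIDE_IN</value>
    </constant_variable>
</variables>
```

With check="all" one ACL whose output lacks the entry makes the whole test false; the existence check is satisfied regardless of what the device returned, exactly as David notes, so the state does all the work. If the intended semantics are the ones Panos asks about, false only when all of the ACLs fail, check="at least one" is the attribute to use instead: the test is then true as soon as any single line_item matches the state.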

Re: Cisco IOS schema line_object cannot use local_variable reference for the subcommand element

Gunnar Engelbach
In reply to this post by Panos Kampanakis (pkampana)
Neither option is really great, actually, but the second is preferable.

If the text contents of the element are treated as a command to be
executed then you are, in effect, allowing the content to have the
interpreter run arbitrary commands, meaning that content can then
potentially be used as an attack vector.  This is particularly bad when
the target of the benchmark is network infrastructure and is further
exacerbated by the current movement to federate content sources and
automate content retrieval.

Also keep in mind that the preferred way to do an assessment of an
active network device is to parse an offline runtime configuration,
where you don't have the ability to run a command.

For these reasons I'd prefer to see updates made to the Cisco schema
that are more in line with the other platform schemas, where there are
test/object/states pertinent to each collection type.

That gives the interpreters enough information to collect the necessary
artifact(s) without the exposure of running commands out of the
benchmark content (well, with the exception of the WMI and WSH tests),
and it also (usually) simplifies the tests which reduces errors from
content authors.



--gun

ThreatGuard, Inc.
http://www.ThreatGuard.com


On 5/3/2012 11:58 AM, Panos Kampanakis (pkampana) wrote:

> Thanks David.
>
> I think that even though “show” can be assumed and thus not included in
> the text, it makes sense to keep it for clarity.
>
> For example, let's say I want to get the “show interface
> Fastethernet0/0”. I could do
>
> <show_subcommand> show interface Fastethernet0/0</show_subcommand>
>
> or
>
> <show_subcommand> interface Fastethernet0/0</show_subcommand>
>
> But if I am in config mode “interface Fastethernet0/0” is a
> configuration command. So, I can imagine show subcommand looking like
> actual config command which can confuse the eye.
>
> Panos
>
> *From:*David Solin [mailto:[hidden email]]
> *Sent:* Wednesday, May 02, 2012 1:26 PM
> *To:* [hidden email]
> *Subject:* Re: [OVAL-DISCUSSION-LIST] Cisco IOS schema line_object
> cannot use local_variable reference for the subcommand element
>
> Matt's test should indeed work. line_items will be collected
> corresponding to each of the commands. There is one caveat, however. The
> ios:line_object[show_subcommand] documentation is somewhat ambiguous:
> "The name of a SHOW sub-command."
>
> I don't know which interpreter you're using, but jOVAL's implementation
> of the line_object currently will either prepend the word "show" to the
> subcommand value, or if the value already starts with "show" (as all of
> the existing public MITRE definitions do) it will run the command
> outright. Thus, these commands will fail; "sh access-list x" will become
> "show sh access-list x" which will certainly be an invalid command. We
> decided against simply attempting to execute the raw value because
> someone could then conceivably alter a setting using an OVAL test.
>
> Perhaps we can come to a consensus on what exactly the show_subcommand
> should contain. Should we require that values start with "sh", "sho", or
> "show"?
>
> Regards,
> --David


Re: Cisco IOS schema line_object cannot use local_variable reference for the subcommand element

Panos Kampanakis (pkampana)

If the right AAA controls are configured on a box, then a scanner should not
be able to run config or other intrusive commands. I totally see the concern
on potential issues with scanning live devices, and that the preferred way
to do an assessment.

> "that is more in line with the other platform schemes where there are test/object/states pertinent to each collection type"

Can you elaborate with an example?

Rgs,
Panos

- -----Original Message-----
From: Gunnar Engelbach [mailto:[hidden email]]
Sent: Thursday, May 03, 2012 12:53 PM
To: [hidden email]
Subject: Re: [OVAL-DISCUSSION-LIST] Cisco IOS schema line_object cannot use
local_variable reference for the subcommand element



Re: Cisco IOS schema line_object cannot use local_variable reference for the subcommand element

Luis Nunez
In reply to this post by Gunnar Engelbach
Echoing the same concerns. The OFFLINE method is the preferred one. Thus far I've not seen a case where you need to connect to a live device to assess a device. At least for now there are two use cases of concern:

- Configuration hygiene check - best practice settings
- Vulnerability check based on security advisory

Both of which can be done offline.

Also leveraging protocols such as Netconf, RESTful and other management applications one could retrieve the necessary information.

I could see future use cases needing to do live interrogations for malware incident detection, but for now we need to get the fundamentals down.


-ln

On May 3, 2012, at 12:53 PM, Gunnar Engelbach wrote:


Re: Cisco IOS schema line_object cannot use local_variable reference for the subcommand element

Gunnar Engelbach
In reply to this post by Panos Kampanakis (pkampana)
I really had two separate points I was trying to bring out here.

The first is that the OVAL schemas are mutable.  You (or anyone) can
extend the IOS schema to implement tests that make sense for IOS so that
you're not stuck trying to make everything fit into a line_test regex.
We've done it enough times that I can say it's pretty straightforward
and well worth it in the end.


The second is that OVAL interpreters shouldn't become scripting engines
-- although that's more my personal view and not necessarily the
community consensus.

Yes, organizations can use AAA controls to restrict a user's
capabilities, and I hope that they not only do that, but that they *do*
at least periodically verify that the live running config is really what
they think it is.  The same can be said for any other platform.  But how
many of them do, and how well?  Should that be the line of defense that
we're all counting on?

As far as examples, my inclination would be to look at the output of
commands like "show run" and model based on how that is organized
(system information, authentication, interfaces, routing, etc.) and what
information is thus available.  That is likely to match where you
started at, namely the configuration information for a specific interface.

You started this thread with a need to test access lists, so that
suggests a good place to start.  Call it an accesslist_test.

What information is necessary to designate, unambiguously, which access
list you are interested in?  That helps define your accesslist_object.

What information should you expect to get back for each access list?
Out of that comes the accesslist_state schema element.


And so on.




On 5/3/2012 2:35 PM, Panos Kampanakis wrote:

>
> If the right AAA controls are configured on a box, then a scanner should not
> be able to run config or other intrusive commands. I totally see the concern
> on potential issues with scanning live devices, and that the preferred way
> to do an assessment.
>
>> "that is more in line with the other platform schemes where there are
>> test/object/states pertinent to each collection type"
>
> Can you elaborate with an example?
>
> Rgs,
> Panos
>
> -----Original Message-----
> From: Gunnar Engelbach [mailto:[hidden email]]
> Sent: Thursday, May 03, 2012 12:53 PM
> To: [hidden email]
> Subject: Re: [OVAL-DISCUSSION-LIST] Cisco IOS schema line_object cannot use
> local_variable reference for the subcommand element
>
> Neither option is really great, actually, but the second is the more
> preferable.
>
> If the text contents of the element are treated as a command to be executed
> then you are, in effect, allowing the content to have the interpreter run
> arbitrary commands, meaning that content can then potentially be used as an
> attack vector.  This is particularly bad when the target of the benchmark is
> network infrastructure and is further exacerbated by the current movement to
> federate content sources and automate content retrieval.
>
> Also keep in mind that the preferred way to do an assessment of an active
> network device is to parse an offline runtime configuration, where you don't
> have the ability to run a command.
>
> For these reasons I'd prefer to see updates made to the Cisco schema that is
> more in line with the other platform schemes where there are
> test/object/states pertinent to each collection type.
>
> That gives the interpreters enough information to collect the necessary
> artifact(s) without the exposure of running commands out of the benchmark
> content (well, with the exception of the WMI and WSH tests), and it also
> (usually) simplifies the tests which reduces errors from content authors.
>
>
>
> --gun
>
> ThreatGuard, Inc.
> http://www.ThreatGuard.com
>
>
> On 5/3/2012 11:58 AM, Panos Kampanakis (pkampana) wrote:
>> Thanks David.
>>
>> I think that even though "show" can be assumed and thus not included
>> in the text, it makes sense to keep it for clarity.
>>
>> For example, lets say I want to get the "show interface
>> Fastethernet0/0". I could do
>>
>> <show_subcommand>  show interface Fastethernet0/0</show_subcommand>
>>
>> or
>>
>> <show_subcommand>  interface Fastethernet0/0</show_subcommand>
>>
>> But if I am in config mode "interface Fastethernet0/0" is a
>> configuration command. So, I can imagine show subcommand looking like
>> actual config command which can confuse the eye.
>>
>> Panos
>>
>> *From:*David Solin [mailto:[hidden email]]
>> *Sent:* Wednesday, May 02, 2012 1:26 PM
>> *To:* [hidden email]
>> *Subject:* Re: [OVAL-DISCUSSION-LIST] Cisco IOS schema line_object
>> cannot use local_variable reference for the subcommand element
>>
>> Matt's test should indeed work. line_items will be collected
>> corresponding to each of the commands. There is one caveat, however.
>> The ios:line_object[show_subcommand] documentation is somewhat ambiguous:
>> "The name of a SHOW sub-command."
>>
>> I don't know which interpreter you're using, but jOVAL's
>> implementation of the line_object currently will either prepend the
>> word "show" to the subcommand value, or if the value already starts
>> with "show" (as all of the existing public MITRE definitions do) it
>> will run the command outright. Thus, these commands will fail; "sh
>> access-list x" will become "show sh access-list x" which will
>> certainly be an invalid command. We decided against simply attempting
>> to execute the raw value because someone could then conceivably alter a
>> setting using an OVAL test.
>>
>> Perhaps we can come to a consensus on what exactly the show_subcommand
>> should contain. Should we require that values start with "sh", "sho",
>> or "show"?
>>
>> Regards,
>> --David
>>
>> On 5/2/2012 9:55 AM, Hansbury, Matt wrote:
>>
>> Hi Panos,
>>
>> First, I'd like to say up front that I know very little about the
>> component schema for Cisco IOS. That said, I think I should be able to
>> help you here.
>>
>> You didn't include any test OVAL, so I'm making a few assumptions, but
>> I think what you're looking to do may be possible, at least from the
>> OVAL side of things. (The IOS side, as I said earlier, I don't know
>> much
>> about) I think what you're looking to do here is to apply the
>> line_test against each value stored in a local_variable, correct? I
>> think this is possible using a var_ref on the show_subcommand entity.
>> Here is a small OVAL snippet that hopefully illustrates this (validated,
>> but untested):
>>
>> <tests>
>>   <line_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#ios"
>>              id="oval:example:tst:1" version="0" check="all"
>>              check_existence="at_least_one_exists" comment="test 1">
>>     <object object_ref="oval:example:obj:1"/>
>>     <!-- state reference added: without it the test only checks that
>>          items exist and the config_line below is never compared -->
>>     <state state_ref="oval:example:ste:1"/>
>>   </line_test>
>> </tests>
>> <objects>
>>   <line_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#ios"
>>                id="oval:example:obj:1" version="0">
>>     <!-- one line_item is collected per value of the referenced variable -->
>>     <show_subcommand var_check="all" var_ref="oval:example:var:1"/>
>>   </line_object>
>> </objects>
>> <states>
>>   <line_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#ios"
>>               id="oval:example:ste:1" version="0">
>>     <config_line operation="equals">some kind of value</config_line>
>>   </line_state>
>> </states>
>> <variables>
>>   <constant_variable id="oval:example:var:1" version="0" datatype="string"
>>                      comment="var">
>>     <value>sh access-list x</value>
>>     <value>sh access-list y</value>
>>     <value>sh access-list x</value>
>>   </constant_variable>
>> </variables>
>>
>> Note that for simplicity, I used a constant_variable here, but it
>> should operate the same as if you used a local_variable that evaluated
>> to 3 values. I **believe** the above will collect 3 Items, one for
>> each Variable value. The collected Item will depend a bit on the
>> show_subcommand entity, but I'm assuming each of the 3 collected Items
>> will contain a config_line value, which will be compared against the
>> State. The test State here is quite simple, just does a string
>> compare, but you could certainly do more complex things.
>>
>> So… does this work? Or am I missing something? If this helps, great. If
>> I have missed something, it would be great if you could post the OVAL
>> you have so far to help me understand the intent.
>>
>> Thanks
>>
>> Matt
>>

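Added example (not jOVAL's code and not from the thread): a Python model of the two show_subcommand policies David Solin describes in the quoted message above, the prepend-unless-it-starts-with-"show" rule that turns "sh access-list x" into "show sh access-list x", beside a normaliser that accepts "sh", "sho" and "show", always emits a command beginning with "show", and refuses values that carry line breaks or other characters a show sub-command never needs, so benchmark content cannot make the interpreter run anything but a show command. All function names here are assumptions.

```python
"""Model of how an OVAL interpreter could treat ios:line_object/show_subcommand.

Added example, not jOVAL's implementation; function names are assumed.
"""
import re

# "show" and the abbreviations IOS accepts for it (Panos's values use "sh").
SHOW_FORMS = ("sh", "sho", "show")

# Characters a show sub-command legitimately needs: words, numbers, slashes in
# interface names, dots in addresses, ":" and "|" for IOS output filters.
# Anything else, in particular CR/LF (which would submit a second line to the
# device), is refused.  Checked with fullmatch, so no anchors are needed.
SAFE_VALUE = re.compile(r"[A-Za-z0-9 ._/:|\-]+")


class UnsafeSubcommand(ValueError):
    """A show_subcommand value that cannot be turned into a pure show command."""


def naive_command(subcommand):
    """The behaviour David describes: prepend "show" unless the value already
    starts with "show".  Abbreviated values break: "sh access-list x"
    becomes "show sh access-list x", which IOS rejects."""
    value = subcommand.strip()
    return value if value.startswith("show") else "show " + value


def canonical_show_command(subcommand):
    """Turn a show_subcommand value into the full command to send.

    Accepts "show ...", "sho ...", "sh ..." and a bare sub-command such as
    "access-list x"; all four forms map to the same "show ..." string.  The
    result always starts with "show", so content can never make the
    interpreter run a configuration command, whatever the value says.
    """
    if not SAFE_VALUE.fullmatch(subcommand):
        raise UnsafeSubcommand(
            "show_subcommand contains disallowed characters: %r" % subcommand)
    tokens = subcommand.split()
    if tokens[0].lower() in SHOW_FORMS:      # strip "sh"/"sho"/"show"
        tokens = tokens[1:]
    if not tokens:
        raise UnsafeSubcommand("no sub-command given after 'show'")
    return "show " + " ".join(tokens)


def is_safe_subcommand(subcommand):
    """True when canonical_show_command() would accept the value."""
    try:
        canonical_show_command(subcommand)
    except UnsafeSubcommand:
        return False
    return True


def commands_for_line_object(values):
    """Expand the values of a var_ref'd show_subcommand (Matt's
    constant_variable) into the commands a line_object would collect."""
    return [canonical_show_command(v) for v in values]


if __name__ == "__main__":
    for v in ("sh access-list x", "show interface Fastethernet0/0",
              "interface Fastethernet0/0"):
        print("%-32r naive=%-36r canonical=%r"
              % (v, naive_command(v), canonical_show_command(v)))
```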
Re: Cisco IOS schema line_object cannot use local_variable reference for the subcommand element

Gunnar Engelbach
In reply to this post by Luis Nunez
On 5/3/2012 4:51 PM, Luis Nunez wrote:
> Echoing the same concerns.  OFFLINE method is the preferred.  Thus far I've not seen a case where you need to connect to a live device to assess a device.  At least for now there are two use cases of concern:
> -Configuration Hygiene check - best practice settings
> -Vulnerability check based on security advisory
>
> Both of which can be done offline.
>
> Also leveraging protocols such as Netconf, RESTful and other management applications one could retrieve the necessary information.


Or, heck, SNMP.

The thing is, these all don't necessarily return the information in
exactly the same format.  So tests written as a regex against the output
of a "sho run" won't necessarily work and potentially remove these other
protocols as collection methods.  But if the tests are written assuming
the artifacts will be parsed into known XML structures then the
collection method doesn't matter.

And with that I think I've put in more than two cents.



>
> I could see future use cases needing to do live interrogations for malware incident detection, but for now we need to get the fundamentals down.
>
>
> -ln
>

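Added example (constructed, not from the thread and not part of any OVAL schema) of the approach Gunnar describes in his two messages above: parse the access-list portion of a saved running-config into a known structure, then evaluate an accesslist_object/accesslist_state-style check over that structure, so the same test works whatever collection method produced the artifact. The element names accesslist_item/entry/applied, the function names and the sample config are all assumptions.

```python
"""Offline access-list assessment over a parsed IOS running-config.

Added example; the sample config, structure names and functions are constructed.
"""
import re
import xml.etree.ElementTree as ET

# Constructed running-config excerpt (not from the thread).
SAMPLE_CONFIG = """\
!
hostname edge-router
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip access-group 101 in
!
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 101 permit tcp any host 192.0.2.10 eq 22
access-list 101 permit ip any any
!
ip access-list extended MGMT
 permit tcp 198.51.100.0 0.0.0.255 any eq 22
 deny   ip any any log
!
line vty 0 4
 access-class MGMT in
!
"""

NUMBERED = re.compile(r"access-list (\S+) (permit|deny|remark) ?(.*)")
NAMED = re.compile(r"ip access-list (standard|extended) (\S+)")
ENTRY = re.compile(r" (?:\d+ )?(permit|deny|remark) ?(.*)")   # optional seq no.
APPLIED = re.compile(r" (?:ip access-group|access-class) (\S+) (in|out)")


def _acl(acls, name):
    return acls.setdefault(name, {"entries": [], "applied": []})


def parse_access_lists(config):
    """Return {name: {"entries": [(action, rest)], "applied": [(scope, dir)]}}.

    Handles numbered "access-list N ..." lines and named "ip access-list"
    blocks, and records where each ACL is applied (interface or vty line).
    """
    acls = {}
    current_named = None   # name of the "ip access-list" block being read
    scope = None           # "interface X" / "line vty 0 4" block being read
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current_named = scope = None
            continue
        m = NUMBERED.match(line)
        if m:
            name, action, rest = m.groups()
            if action != "remark":
                _acl(acls, name)["entries"].append((action, " ".join(rest.split())))
            continue
        m = NAMED.match(line)
        if m:
            current_named = m.group(2)
            _acl(acls, current_named)
            scope = None
            continue
        if not line.startswith(" "):
            current_named, scope = None, line    # any other top-level statement
            continue
        m = ENTRY.match(line)
        if current_named and m:
            action, rest = m.groups()
            if action != "remark":
                acls[current_named]["entries"].append((action, " ".join(rest.split())))
            continue
        m = APPLIED.match(line)
        if scope and m:
            _acl(acls, m.group(1))["applied"].append((scope, m.group(2)))
    return acls


def ends_with_explicit_deny(acl):
    """accesslist_state-style check: the last entry is an explicit
    "deny ip any any" (optionally logged), not a trailing permit."""
    if not acl["entries"]:
        return False
    action, rest = acl["entries"][-1]
    return action == "deny" and rest.split()[:3] == ["ip", "any", "any"]


def evaluate(config):
    """One result per applied ACL, like one OVAL item result per collected item."""
    acls = parse_access_lists(config)
    return {n: ends_with_explicit_deny(a) for n, a in acls.items() if a["applied"]}


def to_xml(acls):
    """Serialise into a constructed accesslist_item structure: once the artifact
    is in this form, the collection method (file, SSH, Netconf, SNMP) no longer matters."""
    root = ET.Element("accesslist_items")
    for name in sorted(acls):
        item = ET.SubElement(root, "accesslist_item", name=name)
        for action, rest in acls[name]["entries"]:
            ET.SubElement(item, "entry", action=action).text = rest
        for scope, direction in acls[name]["applied"]:
            ET.SubElement(item, "applied", scope=scope, direction=direction)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(evaluate(SAMPLE_CONFIG))          # {'101': False, 'MGMT': True}
    print(to_xml(parse_access_lists(SAMPLE_CONFIG)))
```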
Re: Cisco IOS schema line_object cannot use local_variable reference for the subcommand element

Panos Kampanakis (pkampana)
In reply to this post by Gunnar Engelbach
Agreed. There are schema updates that need to be pushed through Sandbox...

For the AAA issue, I was trying to say that the scanner or systems
characteristics will inevitably need to contact a device to get the system
information. So the risk of a "show command" causing issues is unavoidable.
But indeed the scanner or the device would need to be smart to not allow
someone to do intrusive stuff while collecting info. Ideally the device
should be properly configured (AAA) to do that and/or the scanner should not
allow more than "show xyz". I think we are on the same page here too.

Rgs,
Panos



-----Original Message-----
From: Gunnar Engelbach [mailto:[hidden email]]
Sent: Thursday, May 03, 2012 5:04 PM
To: [hidden email]
Subject: Re: [OVAL-DISCUSSION-LIST] Cisco IOS schema line_object cannot use
local_variable reference for the subcommand element

I really had two separate points I was trying to bring out here.

The first is that the OVAL schemas are mutable.  You (or anyone) can extend
the IOS schema to implement tests that make sense for IOS so that you're not
stuck trying to make everything fit into a line_test regex.
We've done it enough times that I can say it's pretty straightforward and
well worth it in the end.


The second is that OVAL interpreters shouldn't become scripting engines
-- although that's more my personal view and not necessarily the community
consensus.

Yes, organizations can use AAA controls to restrict a user's capabilities,
and I hope that they not only do that, but that they *do* at least
periodically verify that the live running config is really what they think
it is.  The same can be said for any other platform.  But how many of them
do, and how well?  Should that be the line of defense that we're all
counting on?

As far as examples, my inclination would be to look at the output of
commands like "show run" and model based on how that is organized (system
information, authentication, interfaces, routing, etc.) and what information
is thus available.  That is likely to match where you started at, namely the
configuration information for a specific interface.

You started this thread with a need to test access lists, so that suggests a
good place to start.  Call it an accesslist_test.

What information is necessary to designate, unambiguously, which access list
you are interested in?  That helps define your accesslist_object.

What information should you expect to get back for each access list?
out of that comes accesslist_state schema element.


And so on.




On 5/3/2012 2:35 PM, Panos Kampanakis wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> If the right AAA controls are configured on a box, then a scanner
> should not be able to run config or other intrusive commands. I
> totally see the concern on potential issues with scanning live
> devices, and that the preferred way to do an assessment.
>
>> "that is more in line with the other platform schemes where there are
> test/object/states pertinent to each collection type"
>    Can you elaborate with an example?
>
> Rgs,
> Panos
>
>
>
>
>
>
>
> - -----Original Message-----
> From: Gunnar Engelbach [mailto:[hidden email]]
> Sent: Thursday, May 03, 2012 12:53 PM
> To: [hidden email]
> Subject: Re: [OVAL-DISCUSSION-LIST] Cisco IOS schema line_object
> cannot use local_variable reference for the subcommand element
>
> Neither option is really great, actually, but the second is the more
> preferable.
>
> If the text contents of the element are treated as a command to be
> executed then you are, in effect, allowing the content to have the
> interpreter run arbitrary commands, meaning that content can then
> potentially be used as an attack vector.  This is particularly bad
> when the target of the benchmark is network infrastructure and is
> further exacerbated by the current movement to federate content sources
and automate content retrieval.

>
> Also keep in mind that the preferred way to do an assessment of an
> active network device is to parse an offline runtime configuration,
> where you don't have the ability to run a command.
>
> For these reasons I'd prefer to see updates made to the Cisco schema
> that is more in line with the other platform schemes where there are
> test/object/states pertinent to each collection type.
>
> That gives the interpreters enough information to collect the
> necessary
> artifact(s) without the exposure of running commands out of the
> benchmark content (well, with the exception of the WMI and WSH tests),
> and it also
> (usually) simplifies the tests which reduces errors from content authors.
>
>
>
> - --gun
>
> ThreatGuard, Inc.
> http://www.ThreatGuard.com
>
>
> On 5/3/2012 11:58 AM, Panos Kampanakis (pkampana) wrote:
>> Thanks David.
>>
>> I think that even though "show" can be assumed and thus not included
>> in the text, it makes sense to keep it for clarity.
>>
>> For example, lets say I want to get the "show interface
>> Fastethernet0/0". I could do
>>
>> <show_subcommand>  show interface Fastethernet0/0</show_subcommand>
>>
>> or
>>
>> <show_subcommand>  interface Fastethernet0/0</show_subcommand>
>>
>> But if I am in config mode "interface Fastethernet0/0" is a
>> configuration command. So, I can imagine show subcommand looking like
>> actual config command which can confuse the eye.
>>
>> Panos
>>
>> *From:*David Solin [mailto:[hidden email]]
>> *Sent:* Wednesday, May 02, 2012 1:26 PM
>> *To:* [hidden email]
>> *Subject:* Re: [OVAL-DISCUSSION-LIST] Cisco IOS schema line_object
>> cannot use local_variable reference for the subcommand element
>>
>> Matt's test should indeed work. line_items will be collected
>> corresponding to each of the commands. There is one caveat, however.
>> The ios:line_object[show_subcommand] documentation is somewhat ambiguous:
>> "The name of a SHOW sub-command."
>>
>> I don't know which interpreter you're using, but jOVAL's
>> implementation of the line_object currently will either prepend the
>> word "show" to the subcommand value, or if the value already starts
>> with "show" (as all of the existing public MITRE definitions do) it
>> will run the command outright. Thus, these commands will fail; "sh
>> access-list x" will become "show sh access-list x" which will
>> certainly be an invalid command. We decided against simply attempting
>> to execute the raw value because someone could then conceivably alter
>> a
> setting using an OVAL test.
>>
>> Perhaps we can come to a consensus on what exactly the
>> show_subcommand should contain. Should we require that values start
>> with "sh", "sho", or "show"?
>>
>> Regards,
>> --David
>>
>> On 5/2/2012 9:55 AM, Hansbury, Matt wrote:
>>
>> Hi Panos,
>>
>> First, I'd like to say up front that I know very little about the
>> component schema for Cisco IOS. That said, I think I should be able
>> to help you here.
>>
>> You didn't include any test OVAL, so I'm making a few assumptions,
>> but I think what you're looking to do may be possible, at least from
>> the OVAL side of things. (The IOS side, as I said earlier, I don't
>> know much
>> about) I think what you're looking to do here is to apply the
>> line_test against each value stored in a local_variable, correct? I
>> think this is possible using a var_ref on the show_subcommand entity.
>> Here is a small OVAL snippet that hopefully illustrated this
>> (validated,
> but untested):
>>
>> <tests>
>> <line_test
>> xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#ios"
>> id="oval:example:tst:1" version="0" check="all"
>> check_existence="at_least_one_exists" comment="test 1">  <object
>> object_ref="oval:example:obj:1"/>  </line_test>  </tests>  <objects>
>> <line_object
>> xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#ios"
>> id="oval:example:obj:1" version="0">
>> <show_subcommand var_check="all" var_ref="oval:example:var:1"/>
>> </line_object>  </objects>  <states>  <line_state
>> xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#ios"
>> id="oval:example:ste:1" version="0">
>> <config_line operation="equals">some kind of value</config_line>
>> </line_state>  </states>  <variables>  <constant_variable
>> id="oval:example:var:1" version="0" datatype="string"
>> comment="var">
>> <value>sh access-list x</value>
>> <value>sh access-list y</value>
>> <value>sh access-list x</value>
>> </constant_variable>
>> </variables>
>>
>> Note that for simplicity, I used a constant_variable here, but it
>> should operate the same as if you used a local_variable that
>> evaluated to 3 values. I **believe** the above will collect 3 Items,
>> one for each Variable value. The collected Item will depend a bit on
>> the show_subcommand entity, but I'm assuming each of the 3 collected
>> Items will contain a config_line value, which will be compared
>> against the State. The test State here is quite simple, just does a
>> string compare, but you could certainly do more complex things.
>>
>> So, does this work? Or am I missing something? If this helps, great.
>> If I have missed something, it would be great if you could post the
>> OVAL you have so far to help me understand the intent.
>>
>> Thanks
>>
>> Matt
>>
>> *From:*Panos Kampanakis [mailto:[hidden email]]
>> *Sent:* Tuesday, May 01, 2012 1:53 PM
>> *To:* oval-discussion-list OVAL Discussion List/Closed Public
>> Discussi
>> *Subject:* [OVAL-DISCUSSION-LIST] Cisco IOS schema line_object cannot
>> use local_variable reference for the subcommand element
>>
>> Hello everyone,
>>
>> Trying to write more advanced definitions for Cisco I found myself
>> limited because of the Cisco IOS schema. I wanted to confirm that I
>> am correct and there is no alternative way of accomplishing what I
>> want to do.
>>
>> I am using a local variable to parse the config file and get the ACLs
>> applied. That local variable will have let's say 3 values that will
>> be three show commands:
>>
>> - "sh access-list x"
>>
>> - "sh access-list y"
>>
>> - "sh access-list x"
>>
>> I want to use these local variable values in a line_test to check if
>> the ACLs are configured properly.
>>
>> It seems there are 2 limitations here:
>>
>> 1) The line_object used in the line_test will not accept a reference
>> to a local variable that practically will give the show_subcommand.
>> The line_object can only take static show commands in its
>> show_subcommand element.
>>
>> 2) Even if 1 was possible, if I wanted to have the line_test apply
>> the test for all 3 show commands in my local variable the line test
>> would not perform it.
>>
>> Am I correct?
>>
>> Rgs,
>>
>> Panos
>>
>> To unsubscribe, send an email message to [hidden email]
>> <mailto:[hidden email]>  with SIGNOFF OVAL-DISCUSSION-LIST
>> in the BODY of the message. If you have difficulties, write to
>> [hidden email]
>> <mailto:[hidden email]>.
>>
>>
>> --
>>
>> jOVAL.org: OVAL implemented in Java.
>> /Scan any machine from any machine. For free!/ Learn More
>> <http://www.joval.org>  | Features<http://www.joval.org/features/>  |
>> Download<http://www.joval.org/download/>
>>
>
>

Re: Cisco IOS schema line_object cannot use local_variable reference for the subcommand element

Panos Kampanakis (pkampana)
In reply to this post by Luis Nunez

But still you need to connect to the machine at some point to retrieve its
state/system characteristics, right?
Just wanted to clarify what offline means.

Panos





-----Original Message-----
From: Luis Nunez [mailto:[hidden email]]
Sent: Thursday, May 03, 2012 4:51 PM
To: [hidden email]
Subject: Re: [OVAL-DISCUSSION-LIST] Cisco IOS schema line_object cannot use
local_variable reference for the subcommand element

Echoing the same concerns.  OFFLINE method is the preferred.  Thus far I've
not seen a case where you need to connect to a live device to assess a
device.  At least for now there are two use cases of concern:
- Configuration Hygiene check - best practice settings
- Vulnerability check based on security advisory

Both of which can be done offline.

Also leveraging protocols such as Netconf, RESTful and other management
applications one could retrieve the necessary information.

I could see future use cases needing to do live interrogations for malware
incident detection, but for now we need to get the fundamentals down.


-ln

On May 3, 2012, at 12:53 PM, Gunnar Engelbach wrote:

> Neither option is really great, actually, but the second is the more
> preferable.
>
> If the text contents of the element are treated as a command to be
> executed then you are, in effect, allowing the content to have the
> interpreter run arbitrary commands, meaning that content can then
> potentially be used as an attack vector.  This is particularly bad when the
> target of the benchmark is network infrastructure and is further exacerbated
> by the current movement to federate content sources and automate content
> retrieval.
>
> Also keep in mind that the preferred way to do an assessment of an active
> network device is to parse an offline runtime configuration, where you don't
> have the ability to run a command.
>
> For these reasons I'd prefer to see updates made to the Cisco schema that
> is more in line with the other platform schemes where there are
> test/object/states pertinent to each collection type.
>
> That gives the interpreters enough information to collect the necessary
> artifact(s) without the exposure of running commands out of the benchmark
> content (well, with the exception of the WMI and WSH tests), and it also
> (usually) simplifies the tests which reduces errors from content authors.
>
>
>
> --gun
>
> ThreatGuard, Inc.
> http://www.ThreatGuard.com
>
>
> On 5/3/2012 11:58 AM, Panos Kampanakis (pkampana) wrote:
>> Thanks David.
>>
>> I think that even though "show" can be assumed and thus not included
>> in the text, it makes sense to keep it for clarity.
>>
>> For example, let's say I want to get the "show interface
>> Fastethernet0/0". I could do
>>
>> <show_subcommand> show interface Fastethernet0/0</show_subcommand>
>>
>> or
>>
>> <show_subcommand> interface Fastethernet0/0</show_subcommand>
>>
>> But if I am in config mode "interface Fastethernet0/0" is a
>> configuration command. So, I can imagine show subcommand looking like
>> actual config command which can confuse the eye.
>>
>> Panos
>>
>> *From:*David Solin [mailto:[hidden email]]
>> *Sent:* Wednesday, May 02, 2012 1:26 PM
>> *To:* [hidden email]
>> *Subject:* Re: [OVAL-DISCUSSION-LIST] Cisco IOS schema line_object
>> cannot use local_variable reference for the subcommand element
>>
>> Matt's test should indeed work. line_items will be collected
>> corresponding to each of the commands. There is one caveat, however.
>> The ios:line_object[show_subcommand] documentation is somewhat ambiguous:
>> "The name of a SHOW sub-command."
>>
>> I don't know which interpreter you're using, but jOVAL's
>> implementation of the line_object currently will either prepend the
>> word "show" to the subcommand value, or if the value already starts
>> with "show" (as all of the existing public MITRE definitions do) it
>> will run the command outright. Thus, these commands will fail; "sh
>> access-list x" will become "show sh access-list x" which will
>> certainly be an invalid command. We decided against simply attempting
>> to execute the raw value because someone could then conceivably alter a
>> setting using an OVAL test.
>>
>> Perhaps we can come to a consensus on what exactly the
>> show_subcommand should contain. Should we require that values start
>> with "sh", "sho", or "show"?
>>
>> Regards,
>> --David
>>

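Matt's snippet and David's description of how jOVAL treats the show_subcommand value (prepend "show", or run the value outright when it already starts with "show") can be put together in a small evaluator. The following is an added example written for this page; it is not code from the thread, from jOVAL or from the OVAL reference implementation. It assumes a single namespace for the whole fragment, adds the state reference that Matt's snippet leaves out, treats an item's config_line as the whole output of the show command held in one string, and uses constructed captured output in place of any device connection. The canonicalizer accepts "sh", "sho" and "show" as the keyword, prepends "show" to anything else so a value can never become a different command, and rejects control characters; the evaluator then collects one item per variable value and applies the state with check="all", which is the behaviour Matt expected.

```python
import re
import xml.etree.ElementTree as ET

NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5#ios"

def q(tag):
    """Namespace-qualify a tag for ElementTree lookups (one namespace assumed)."""
    return f"{{{NS}}}{tag}"

# Constructed fragment modelled on Matt's snippet. A <state> reference and a
# pattern-match state are added so the test has something to compare against.
OVAL_XML = f"""<root xmlns="{NS}">
 <tests>
  <line_test id="oval:example:tst:1" version="0" check="all"
             check_existence="at_least_one_exists" comment="test 1">
   <object object_ref="oval:example:obj:1"/>
   <state state_ref="oval:example:ste:1"/>
  </line_test>
 </tests>
 <objects>
  <line_object id="oval:example:obj:1" version="0">
   <show_subcommand var_check="all" var_ref="oval:example:var:1"/>
  </line_object>
 </objects>
 <states>
  <line_state id="oval:example:ste:1" version="0">
   <config_line operation="pattern match">^Extended IP access list</config_line>
  </line_state>
 </states>
 <variables>
  <constant_variable id="oval:example:var:1" version="0" datatype="string">
   <value>sh access-list x</value>
   <value>sh access-list y</value>
   <value>sh access-list x</value>
  </constant_variable>
 </variables>
</root>"""

# Constructed stand-in for output an offline collector captured earlier;
# nothing in this script sends a command to a device.
CAPTURED = {
    "show access-list x": "Extended IP access list x\n 10 permit tcp any host 192.0.2.10 eq 22\n",
    "show access-list y": "Standard IP access list y\n 10 permit 192.0.2.0, wildcard bits 0.0.0.255\n",
}

SHOW_PREFIX = re.compile(r"^(sh|sho|show)\s+(.*)$", re.IGNORECASE)
# Control characters could be read by a terminal-emulating collector as a
# second command line; '?' triggers IOS context help instead of output.
DISALLOWED = re.compile(r"[\x00-\x1f\x7f?]")

def canonical_show_command(value):
    """Map a show_subcommand value to exactly one 'show ...' command."""
    # 'sh', 'sho' and 'show' are accepted as the keyword (David's question);
    # anything else is a bare sub-command and gets 'show ' prepended.
    value = value.strip()
    if not value or DISALLOWED.search(value):
        raise ValueError(f"unacceptable show_subcommand value: {value!r}")
    m = SHOW_PREFIX.match(value)
    rest = m.group(2) if m else value
    return "show " + " ".join(rest.split())

def resolve_commands(root, obj_id):
    """One canonical command per variable value (one item per value, so the
    repeated 'sh access-list x' yields two identical items)."""
    obj = next(o for o in root.iter(q("line_object")) if o.get("id") == obj_id)
    sub = obj.find(q("show_subcommand"))
    if sub.get("var_ref"):
        var = next(v for v in root.iter(q("constant_variable"))
                   if v.get("id") == sub.get("var_ref"))
        values = [v.text or "" for v in var.findall(q("value"))]
    else:
        values = [sub.text or ""]
    return [canonical_show_command(v) for v in values]

def evaluate_line_test(xml_text, test_id, captured):
    """Return (commands, per-item results, overall result) for a line_test."""
    root = ET.fromstring(xml_text)
    test = next(t for t in root.iter(q("line_test")) if t.get("id") == test_id)
    state_id = test.find(q("state")).get("state_ref")
    state = next(s for s in root.iter(q("line_state")) if s.get("id") == state_id)
    cfg = state.find(q("config_line"))
    op, expected = cfg.get("operation", "equals"), cfg.text or ""
    commands = resolve_commands(root, test.find(q("object")).get("object_ref"))
    per_item = []
    for cmd in commands:
        output = captured.get(cmd)
        if output is None:                          # item not collected
            per_item.append(False)
        elif op == "equals":
            per_item.append(output == expected)
        elif op == "pattern match":
            per_item.append(re.search(expected, output) is not None)
        else:
            raise ValueError(f"unsupported operation {op!r}")
    if test.get("check", "all") != "all":
        raise ValueError("only check='all' is modelled here")
    # check_existence="at_least_one_exists", then check="all" over the items
    return commands, per_item, len(commands) >= 1 and all(per_item)
```

Run against the fragment above, three items are collected for the three variable values, only the two "x" items match the Extended pattern, and check="all" makes the overall result false because of "y". The value "sh access-list x" is canonicalized to "show access-list x" instead of becoming "show sh access-list x".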

Re: Cisco IOS schema line_object cannot use local_variable reference for the subcommand element

Gunnar Engelbach
On 5/3/2012 7:07 PM, Panos Kampanakis wrote:
>
> But still you need to connect to the machine at some point to retrieve its
> state/system characteristics, right?

Not necessarily.  If the machine is configured via a TFTP boot then the
system configuration will already be stored offline on the TFTP server.
Or you can use the copy or write-memory command to push the running
configuration to a tftp server.

I'm pretty sure SNMP is implemented more directly so retrieving a MIB
doesn't result in executing commands like "show run" on the device.  I
don't know the implementation details for CATTOOLS, Netconf, RESTful to
say how they retrieve data, but very possibly it's by emulating a
terminal connection.

I expect that the majority of the time it's going to boil down to a
person or bit of software doing a terminal connection and running some
show commands.  But it doesn't have to be done that way.


--gun



> Just wanted to clarify what offline means.
>
> Panos

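Gunnar's point is that the artifact to assess is the saved configuration, not a live session. As an added example (not code from the thread or from any OVAL interpreter), the script below does offline what Panos wanted his local_variable and line_test to do: it parses a constructed IOS running-config, as it might sit on a TFTP server after a copy, derives the list of applied ACLs per interface (the same three show commands Panos listed, produced without running anything), and applies a hygiene rule over the ACL definitions. The config, interface names and the "every inbound ACL ends with a logged deny" rule are assumptions chosen for the illustration.

```python
import re

# Constructed running-config, as it might land on a TFTP server after
# 'copy running-config tftp:'; not taken from any real device.
RUNNING_CONFIG = """\
!
hostname lab-rtr-1
!
ip access-list extended x
 permit tcp any host 192.0.2.10 eq 22
 deny   ip any any log
!
ip access-list extended y
 permit ip any any
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip access-group x in
!
interface FastEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 ip access-group y in
!
interface FastEthernet1/0
 ip address 203.0.113.1 255.255.255.0
 ip access-group x in
!
end
"""

def parse_sections(config):
    """Split an IOS config into (header, [body lines]) blocks: a line at
    column 0 opens a block, indented lines belong to it, '!' separates."""
    sections = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and sections:
            sections[-1][1].append(" ".join(raw.split()))   # normalize spacing
        elif not raw.startswith(" "):
            sections.append((raw.strip(), []))
    return sections

def applied_acls(config):
    """interface -> [(acl, direction)] from 'ip access-group' lines."""
    out = {}
    for header, body in parse_sections(config):
        if not header.startswith("interface "):
            continue
        iface = header.split(None, 1)[1]
        for line in body:
            m = re.fullmatch(r"ip access-group (\S+) (in|out)", line)
            if m:
                out.setdefault(iface, []).append((m.group(1), m.group(2)))
    return out

def acl_entries(config):
    """named ACL -> its entries, in order, from 'ip access-list' blocks."""
    out = {}
    for header, body in parse_sections(config):
        m = re.fullmatch(r"ip access-list (standard|extended) (\S+)", header)
        if m:
            out[m.group(2)] = list(body)
    return out

def show_commands_for_applied_acls(config):
    """The list Panos built with a local_variable, derived from the saved
    config instead: one 'show access-list' per applied ACL, in interface
    order, duplicates kept."""
    return [f"show access-list {acl}"
            for groups in applied_acls(config).values() for acl, _ in groups]

def check_inbound_acls(config, required_last="deny ip any any log"):
    """interface -> True if every inbound ACL is defined and ends with an
    explicit logged deny; an applied-but-undefined ACL fails the check."""
    acls = acl_entries(config)
    verdicts = {}
    for iface, groups in applied_acls(config).items():
        inbound = [acl for acl, direction in groups if direction == "in"]
        verdicts[iface] = all(acl in acls and acls[acl][-1:] == [required_last]
                              for acl in inbound)
    return verdicts
```

Because the whole assessment runs over text that was already copied off the device, the definition content never has to carry a command for an interpreter to execute, which is the exposure Gunnar describes; the same parser can be pointed at a TFTP directory of saved configs.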

Re: Cisco IOS schema line_object cannot use local_variable reference for the subcommand element

Luis Nunez
In reply to this post by Panos Kampanakis (pkampana)
Correct.  You still need the config and system state information to analyze.  How it is collected is a problem.  Ideally it would be nice to have an OVAL tool interface with a network management application to retrieve the configuration information.  In the absence of a management system that can supply the config files, one would have to use the crude and rudimentary methods: SSH and screen scrape "show running-config" individually.  So if you have to connect to the device the suggestion is to run the "show tech-support" command to get a system diagnostics snapshot.  This should be enough to perform both use cases.

I think we will eventually see some combination of offline/online analysis as the capabilities and standards evolve.

-ln



On May 3, 2012, at 7:07 PM, Panos Kampanakis wrote:

>
> But still you need to connect to the machine at some point to retrieve its
> state/system characteristics, right?
> Just wanted to clarify what offline means.
>
> Panos
>
>
>
>
>
> - -----Original Message-----
> From: Luis Nunez [mailto:[hidden email]]
> Sent: Thursday, May 03, 2012 4:51 PM
> To: [hidden email]
> Subject: Re: [OVAL-DISCUSSION-LIST] Cisco IOS schema line_object cannot use
> local_variable reference for the subcommand element
>
> Echoing the same concerns.  OFFLINE method is the preferred.  Thus far I've
> not see a case where you need to connect to a live device to assess a
> device.  At least for now the there are two use cases of concern:
> - -Configuration Hygiene check - best practice settings -Vulnerability check
> based on security advisory
>
> Both of which can be done offline.
>
> Also leveraging protocols such as Netconf, RESTful and other management
> applications one could retrieve the necessary information.
>
> I could see future use cases needing to do live interrogations for malware
> incident detection, but for now we need to get the fundamentals down.
>
>
> - -ln
>
> On May 3, 2012, at 12:53 PM, Gunnar Engelbach wrote:
>
>> Neither option is really great, actually, but the second is the more
> preferable.
>>
>> If the text contents of the element are treated as a command to be
> executed then you are, in effect, allowing the content to have the
> interpreter run arbitrary commands, meaning that content can then
> potentially be used as an attack vector.  This is particularly bad when the
> target of the benchmark is network infrastructure and is further exacerbated
> by the current movement to federate content sources and automate content
> retrieval.
>>
>> Also keep in mind that the preferred way to do an assessment of an active
> network device is to parse an offline runtime configuration, where you don't
> have the ability to run a command.
>>
>> For these reasons I'd prefer to see updates made to the Cisco schema that
> is more in line with the other platform schemes where there are
> test/object/states pertinent to each collection type.
>>
>> That gives the interpreters enough information to collect the necessary
> artifact(s) without the exposure of running commands out of the benchmark
> content (well, with the exception of the WMI and WSH tests), and it also
> (usually) simplifies the tests which reduces errors from content authors.
>>
>>
>>
>> --gun
>>
>> ThreatGuard, Inc.
>> http://www.ThreatGuard.com
>>
>>
>> On 5/3/2012 11:58 AM, Panos Kampanakis (pkampana) wrote:
>>> Thanks David.
>>>
>>> I think that even though "show" can be assumed and thus not included
>>> in the text, it makes sense to keep it for clarity.
>>>
>>> For example, lets say I want to get the "show interface
>>> Fastethernet0/0". I could do
>>>
>>> <show_subcommand> show interface Fastethernet0/0</show_subcommand>
>>>
>>> or
>>>
>>> <show_subcommand> interface Fastethernet0/0</show_subcommand>
>>>
>>> But if I am in config mode "interface Fastethernet0/0" is a
>>> configuration command. So, I can imagine show subcommand looking like
>>> actual config command which can confuse the eye.
>>>
>>> Panos
>>>
>>> *From:*David Solin [mailto:[hidden email]]
>>> *Sent:* Wednesday, May 02, 2012 1:26 PM
>>> *To:* [hidden email]
>>> *Subject:* Re: [OVAL-DISCUSSION-LIST] Cisco IOS schema line_object
>>> cannot use local_variable reference for the subcommand element
>>>
>>> Matt's test should indeed work. line_items will be collected
>>> corresponding to each of the commands. There is one caveat, however.
>>> The ios:line_object[show_subcommand] documentation is somewhat ambiguous:
>>> "The name of a SHOW sub-command."
>>>
>>> I don't know which interpreter you're using, but jOVAL's
>>> implementation of the line_object currently will either prepend the
>>> word "show" to the subcommand value, or if the value already starts
>>> with "show" (as all of the existing public MITRE definitions do) it
>>> will run the command outright. Thus, these commands will fail: "sh
>>> access-list x" will become "show sh access-list x" which will
>>> certainly be an invalid command. We decided against simply attempting
>>> to execute the raw value because someone could then conceivably alter a
>>> setting using an OVAL test.
>>>
>>> Perhaps we can come to a consensus on what exactly the
>>> show_subcommand should contain. Should we require that values start
>>> with "sh", "sho", or "show"?
>>>
>>> Regards,
>>> --David
>>>
>>> On 5/2/2012 9:55 AM, Hansbury, Matt wrote:
>>>
>>> Hi Panos,
>>>
>>> First, I'd like to say up front that I know very little about the
>>> component schema for Cisco IOS. That said, I think I should be able
>>> to help you here.
>>>
>>> You didn't include any test OVAL, so I'm making a few assumptions,
>>> but I think what you're looking to do may be possible, at least from
>>> the OVAL side of things. (The IOS side, as I said earlier, I don't
>>> know much
>>> about) I think what you're looking to do here is to apply the
>>> line_test against each value stored in a local_variable, correct? I
>>> think this is possible using a var_ref on the show_subcommand entity.
>>> Here is a small OVAL snippet that hopefully illustrates this (validated,
>>> but untested):
>>>
>>> <tests>
>>>   <line_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#ios"
>>>              id="oval:example:tst:1" version="0" check="all"
>>>              check_existence="at_least_one_exists" comment="test 1">
>>>     <object object_ref="oval:example:obj:1"/>
>>>   </line_test>
>>> </tests>
>>> <objects>
>>>   <line_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#ios"
>>>                id="oval:example:obj:1" version="0">
>>>     <show_subcommand var_check="all" var_ref="oval:example:var:1"/>
>>>   </line_object>
>>> </objects>
>>> <states>
>>>   <line_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#ios"
>>>               id="oval:example:ste:1" version="0">
>>>     <config_line operation="equals">some kind of value</config_line>
>>>   </line_state>
>>> </states>
>>> <variables>
>>>   <constant_variable id="oval:example:var:1" version="0" datatype="string"
>>>                      comment="var">
>>>     <value>sh access-list x</value>
>>>     <value>sh access-list y</value>
>>>     <value>sh access-list x</value>
>>>   </constant_variable>
>>> </variables>
>>>
>>> Note that for simplicity, I used a constant_variable here, but it
>>> should operate the same as if you used a local_variable that
>>> evaluated to 3 values. I **believe** the above will collect 3 Items,
>>> one for each Variable value. The collected Item will depend a bit on
>>> the show_subcommand entity, but I'm assuming each of the 3 collected
>>> Items will contain a config_line value, which will be compared
>>> against the State. The test State here is quite simple, just does a
>>> string compare, but you could certainly do more complex things.
>>>
>>> So, does this work? Or am I missing something? If this helps, great.
>>> If I have missed something, it would be great if you could post the
>>> OVAL you have so far to help me understand the intent.
>>>
>>> Thanks
>>>
>>> Matt
>>>
>>> *From:*Panos Kampanakis [mailto:[hidden email]]
>>> *Sent:* Tuesday, May 01, 2012 1:53 PM
>>> *To:* oval-discussion-list OVAL Discussion List/Closed Public
>>> Discussi
>>> *Subject:* [OVAL-DISCUSSION-LIST] Cisco IOS schema line_object cannot
>>> use local_variable reference for the subcommand element
>>>
>>> Hello everyone,
>>>
>>> Trying to write more advanced definitions for Cisco I found myself
>>> limited because of the Cisco IOS schema. I wanted to confirm that I
>>> am correct and there is no alternative way of accomplishing what I want
>>> to do.
>>>
>>> I am using a local variable to parse the config file and get the ACLs
>>> applied. That local variable will have let's say 3 values that will
>>> be three show commands:
>>>
>>> - "sh access-list x"
>>>
>>> - "sh access-list y"
>>>
>>> - "sh access-list x"
>>>
>>> I want to use these local variable values in a line_test to check if
>>> the ACLs are configured properly.
>>>
>>> It seems there are 2 limitations here:
>>>
>>> 1) The line_object used in the line_test will not accept a reference
>>> to a local variable that practically will give the show_subcommand.
>>> The line_object can only take static show commands in its
>>> show_subcommand element.
>>>
>>> 2) Even if 1 was possible, if I wanted to have the line_test apply
>>> the test for all 3 show commands in my local variable the line test
>>> would not perform it.
>>>
>>> Am I correct?
>>>
>>> Rgs,
>>>
>>> Panos
>>>
>>> To unsubscribe, send an email message to [hidden email]
>>> <mailto:[hidden email]> with SIGNOFF OVAL-DISCUSSION-LIST
>>> in the BODY of the message. If you have difficulties, write to
>>> [hidden email]
>>> <mailto:[hidden email]>.
>>>
>>>
>>> --
>>>
>>> jOVAL.org: OVAL implemented in Java.
>>> /Scan any machine from any machine. For free!/ Learn More
>>> <http://www.joval.org> | Features <http://www.joval.org/features/> |
>>> Download <http://www.joval.org/download/>
>>
>
>
>
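The var_ref resolution that Matt's snippet relies on, and the "prepend show" behaviour David describes for jOVAL, as an added Python example (not code from the thread, from jOVAL or from MITRE): it parses Matt's snippet wrapped in a constructed root element, resolves the show_subcommand var_ref to its three values, and contrasts the prepend rule with the stricter sh/sho/show rule David floated, which refuses config-mode values such as "interface Fastethernet0/0". The function names and the prefix regex are assumptions.

```python
# Added example, not code from the thread, jOVAL or MITRE. Function names and
# the prefix regex are assumptions; the rules follow David's description.
import re
import xml.etree.ElementTree as ET

IOS_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5#ios"

# Matt's snippet from the thread, wrapped in a constructed <root> so that the
# tests/objects/variables sections parse as one document.
OVAL_SNIPPET = f"""<root>
<tests>
  <line_test xmlns="{IOS_NS}" id="oval:example:tst:1" version="0" check="all"
             check_existence="at_least_one_exists" comment="test 1">
    <object object_ref="oval:example:obj:1"/>
  </line_test>
</tests>
<objects>
  <line_object xmlns="{IOS_NS}" id="oval:example:obj:1" version="0">
    <show_subcommand var_check="all" var_ref="oval:example:var:1"/>
  </line_object>
</objects>
<variables>
  <constant_variable id="oval:example:var:1" version="0" datatype="string"
                     comment="var">
    <value>sh access-list x</value>
    <value>sh access-list y</value>
    <value>sh access-list x</value>
  </constant_variable>
</variables>
</root>"""


def resolve_show_subcommands(xml_text):
    """Map each ios:line_object id to its show_subcommand values, following
    var_ref into a constant_variable (one value per <value> element)."""
    root = ET.fromstring(xml_text)
    variables = {v.get("id"): [val.text for val in v.findall("value")]
                 for v in root.iter("constant_variable")}
    resolved = {}
    for obj in root.iter(f"{{{IOS_NS}}}line_object"):
        sub = obj.find(f"{{{IOS_NS}}}show_subcommand")
        ref = sub.get("var_ref")
        resolved[obj.get("id")] = variables[ref] if ref else [sub.text]
    return resolved


def prepend_show(value):
    """Command as David says jOVAL builds it: prepend "show" unless the value
    already starts with "show". An abbreviation becomes the invalid "show sh ..."."""
    v = value.strip()
    return v if v.startswith("show") else "show " + v


SHOW_PREFIX = re.compile(r"^(sh|sho|show)(?:\s+|$)")


def canonical_show(value):
    """Stricter rule David floated: only a first token of sh, sho or show is
    accepted, expanded to "show ...". A config-mode line ("interface ...") or
    a token that merely starts with sh ("shutdown") yields None, so content
    can never make the interpreter run a non-show command."""
    v = " ".join(value.split())
    m = SHOW_PREFIX.match(v)
    if not m:
        return None
    rest = v[m.end():]
    return "show " + rest if rest else "show"


def plan_commands(xml_text):
    """Commands to run per line_object under the canonical rule; rejected
    values are dropped, not executed."""
    return {obj_id: [c for c in map(canonical_show, values) if c is not None]
            for obj_id, values in resolve_show_subcommands(xml_text).items()}
```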

Re: Cisco IOS schema line_object cannot use local_variable reference for the subcommand element

Gunnar Engelbach
In reply to this post by Panos Kampanakis (pkampana)
On 5/3/2012 7:05 PM, Panos Kampanakis wrote:
> Agreed. There are schema updates that need to be pushed through Sandbox...
>
> For the AAA issue, I was trying to say that the scanner or systems
> characteristics will inevitably need to contact a device to get the system
> information. So the risk of a "show command" causing issues is unavoidable.
> But indeed the scanner or the device would need to be smart to not allow
> someone to do intrusive stuff while collecting info. Ideally the device
> should be properly configured (AAA) to do that and/or the scanner should not
> allow more than "show xyz". I think we are on the same page here too.

Absolutely.  And yet there's a bit of a catch-22 here.  How are you
going to verify that all your devices are set up properly for safely
doing assessments?  Do an assessment.

So there's a window of vulnerability starting with that first assessment
until all devices are corrected, and further windows every time a new
device is added, replaced, upgraded, restored from backup, config
changes made, etc.

But if the assessment software is not capable of issuing arbitrary
commands, that attack surface is reduced.


--gun



>
> Rgs,
> Panos
>
>
>
> -----Original Message-----
> From: Gunnar Engelbach [mailto:[hidden email]]
> Sent: Thursday, May 03, 2012 5:04 PM
> To: [hidden email]
> Subject: Re: [OVAL-DISCUSSION-LIST] Cisco IOS schema line_object cannot use
> local_variable reference for the subcommand element
>
> I really had two separate points I was trying to bring out here.
>
> The first is that the OVAL schemas are mutable.  You (or anyone) can extend
> the IOS schema to implement tests that make sense for IOS so that you're not
> stuck trying to make everything fit into a line_test regex.
> We've done it enough times that I can say it's pretty straightforward and
> well worth it in the end.
>
>
> The second is that OVAL interpreters shouldn't become scripting engines
> -- although that's more my personal view and not necessarily the community
> consensus.
>
> Yes, organizations can use AAA controls to restrict a user's capabilities,
> and I hope that they not only do that, but that they *do* at least
> periodically verify that the live running config is really what they think
> it is.  The same can be said for any other platform.  But how many of them
> do, and how well?  Should that be the line of defense that we're all
> counting on?
>
> As far as examples, my inclination would be to look at the output of
> commands like "show run" and model based on how that is organized (system
> information, authentication, interfaces, routing, etc.) and what information
> is thus available.  That is likely to match where you started at, namely the
> configuration information for a specific interface.
>
> You started this thread with a need to test access lists, so that suggests a
> good place to start.  Call it an accesslist_test.
>
> What information is necessary to designate, unambiguously, which access list
> you are interested in?  That helps define your accesslist_object.
>
> What information should you expect to get back for each access list?
> Out of that comes the accesslist_state schema element.
>
>
> And so on.
>
>
>
>
> On 5/3/2012 2:35 PM, Panos Kampanakis wrote:
>>
>> If the right AAA controls are configured on a box, then a scanner
>> should not be able to run config or other intrusive commands. I
>> totally see the concern on potential issues with scanning live
>> devices, and that the preferred way to do an assessment.
>>
>>> "that is more in line with the other platform schemes where there are
>>> test/object/states pertinent to each collection type"
>>
>> Can you elaborate with an example?
>>
>> Rgs,
>> Panos
>>
>>
>>
>>
>>
>>
>>
>> -----Original Message-----
>> From: Gunnar Engelbach [mailto:[hidden email]]
>> Sent: Thursday, May 03, 2012 12:53 PM
>> To: [hidden email]
>> Subject: Re: [OVAL-DISCUSSION-LIST] Cisco IOS schema line_object
>> cannot use local_variable reference for the subcommand element
>>
>> Neither option is really great, actually, but the second is the more
>> preferable.
>>
>> If the text contents of the element are treated as a command to be
>> executed then you are, in effect, allowing the content to have the
>> interpreter run arbitrary commands, meaning that content can then
>> potentially be used as an attack vector.  This is particularly bad
>> when the target of the benchmark is network infrastructure and is
>> further exacerbated by the current movement to federate content sources
>> and automate content retrieval.
>>
>> Also keep in mind that the preferred way to do an assessment of an
>> active network device is to parse an offline runtime configuration,
>> where you don't have the ability to run a command.
>>
>> For these reasons I'd prefer to see updates made to the Cisco schema
>> that is more in line with the other platform schemes where there are
>> test/object/states pertinent to each collection type.
>>
>> That gives the interpreters enough information to collect the necessary
>> artifact(s) without the exposure of running commands out of the benchmark
>> content (well, with the exception of the WMI and WSH tests), and it also
>> (usually) simplifies the tests which reduces errors from content authors.
>>
>>
>>
>> --gun
>>
>> ThreatGuard, Inc.
>> http://www.ThreatGuard.com
>>
>>
>>
>>