Definition of OVAL Items


Corvin86
Dear Community,

I'm new to the OVAL world. I have coded a few hundred lines in OVAL
but nothing complex. I still have questions like

"What is an OVAL Item?"

 ...couldn't find any tangible/exact definition for that in the newest
OVAL language specification but it's very important to know - I guess
- for things like filter, sets, check_existence ...

I would be glad if you could help me.

best regards,
Corvin

To unsubscribe, send an email message to [hidden email] with
SIGNOFF OVAL-DEVELOPER-LIST
in the BODY of the message.  If you have difficulties, write to [hidden email].

Re: Definition of OVAL Items

Hansbury, Matt
Hi Corvin,

As you have likely already seen, the OVAL Language Specification is pretty big, which makes it tricky sometimes to follow all of the important aspects when first starting with OVAL.  To answer your specific question, an OVAL Item is a single piece of collected system information.  As a somewhat simplified example, an OVAL Item could contain the value of a registry key or information about a specific file on the file system.  

It's worth mentioning that there is not necessarily a one to one relationship between an OVAL Object and an OVAL Item.  Multiple OVAL Items can be collected for a given OVAL Object, in the cases of things like regular expressions that could match more than one thing on the system under test.  

Hopefully that answers the specific question, but let us know if you have others.  

Thanks
Matt

-----Original Message-----
From: Corvin Meyer-Blankart [mailto:[hidden email]]
Sent: Tuesday, January 10, 2012 1:48 PM
To: oval-developer-list OVAL Developer List/Closed Public Discussion
Subject: [OVAL-DEVELOPER-LIST] Definition of OVAL Items


Re: Definition of OVAL Items

Corvin86
Hi Matt,

thanks for your answer - that answers my question.
I think I now understand the concept of OVAL items in general.

For clarification I have a new question:
If my object addresses just one specific file/reg_value/partition/policy (or whatever) the interpreter just collects one OVAL item?
As soon as I use values/operations (e.g. regex/pattern match) that address more than one possible file/reg_value/partition/policy it would be likely that the interpreter collects more than one OVAL item?

Can you say this in general? ... or is it possible that the interpreter collects more than one OVAL item even though my object addresses just one specific file/reg_value/partition/policy (or whatever)?

Thanks and best regards,
Corvin

Re: Definition of OVAL Items

Hansbury, Matt
Hi Corvin,

It's hard to make too many general claims of that nature. There are many cases where an OVAL Object should collect a single OVAL Item, but there are also a number of scenarios where multiple ones must be collected. (An OVAL Interpreter must collect all the Items that match the OVAL Object.) Beyond the regular expression case, multiple OVAL Items can also be collected as a result of using operations like 'not equal', 'greater than', etc., or while using OVAL Variables or behaviors.

In the specific case you mention, where you specify a particular registry value or file, it is reasonable to expect a single OVAL Item to be collected assuming you do not do any kind of recursive lookup on a file, or use operations other than 'equal'.  Still, it is best to be aware of the way OVAL Items are collected and the scenarios where multiple OVAL Items are likely to be found.

I would recommend reviewing the Processing Model of the OVAL Language Specification for more detail regarding how OVAL Objects are interpreted.

Thanks
Matt
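
The Object-to-Item relationship described in this reply, as an added example that is not part of the thread and not code from any OVAL interpreter: a simplified collector run over constructed registry records, showing how the same `check_existence` value evaluates differently once an operation other than 'equals' widens the match. The records, the object layout and the helper names `collect_items` and `check_existence` are hypothetical; the operation and existence names come from the OVAL language, and Python's `re` stands in for the interpreter's regular expression engine.

```python
import re

# Constructed system state standing in for collected registry data (not real).
SYSTEM = [
    {"key": r"SOFTWARE\Example\App", "name": "Version", "value": "5"},
    {"key": r"SOFTWARE\Example\App", "name": "Build", "value": "1200"},
    {"key": r"SOFTWARE\Example\App", "name": "InstallDir", "value": r"C:\App"},
    {"key": r"SOFTWARE\Example\Tool", "name": "Version", "value": "7"},
]

# Three operations from the OVAL language. Python's re module stands in for
# the regular expression dialect an OVAL interpreter uses (an assumption).
OPERATIONS = {
    "equals": lambda want, have: have == want,
    "not equal": lambda want, have: have != want,
    "pattern match": lambda want, have: re.search(want, have) is not None,
}

def collect_items(obj):
    """Return one item per system record that satisfies every object entity."""
    return [
        dict(record) for record in SYSTEM
        if all(OPERATIONS[op](want, record[entity])
               for entity, (op, want) in obj.items())
    ]

def check_existence(mode, items):
    """Evaluate a check_existence value against the number of collected items."""
    count = len(items)
    return {
        "at_least_one_exists": count >= 1,
        "only_one_exists": count == 1,
        "none_exist": count == 0,
    }[mode]

# Hypothetical objects: entity name -> (operation, value).
EXACT = {"key": ("equals", r"SOFTWARE\Example\App"), "name": ("equals", "Version")}
BY_PATTERN = {"key": ("pattern match", r"^SOFTWARE\\Example\\"),
              "name": ("equals", "Version")}
NOT_EQUAL = {"key": ("equals", r"SOFTWARE\Example\App"),
             "name": ("not equal", "Version")}

if __name__ == "__main__":
    for label, obj in [("equals", EXACT), ("pattern match", BY_PATTERN),
                       ("not equal", NOT_EQUAL)]:
        items = collect_items(obj)
        print(label, len(items), check_existence("only_one_exists", items))
```

A test written with `only_one_exists` holds for the 'equals' object but not for the other two, which is why the number of Items an Object can collect matters when choosing `check_existence`.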

-----Original Message-----
From: Corvin Meyer-Blankart [mailto:[hidden email]]
Sent: Wednesday, January 11, 2012 6:13 AM
To: oval-developer-list OVAL Developer List/Closed Public Discussion
Subject: Re: [OVAL-DEVELOPER-LIST] Definition of OVAL Items


Re: Definition of OVAL Items

Corvin Meyer-Blankart
Hi Matt,

thank you for your answer!

I think I now have a good idea of the granularity OVAL Items can have. Thanks for the hint about chapter 5 - I'll look it up.

Best regards,
Corvin


2012/1/12 Hansbury, Matt <[hidden email]>

Re: Definition of OVAL Items

Deepak Asawa

Hi,

I had a doubt about OVAL Schema 5.10.

The content we have works with schema 5.9 and there are no schema validation errors, but when I validate the same content on schema 5.10 I am getting the following error.

E [Xerces] cvc-identity-constraint.4.3: Key 'extendKeyRef' with value 'null' not found for identity constraint of element 'oval_definitions'.

Can anybody help me out on the above issue?

Thanks,
Deepak Asawa

 

From: Corvin Meyer-Blankart [mailto:[hidden email]]
Sent: Saturday, January 14, 2012 7:51 PM
To: [hidden email]
Subject: Re: [OVAL-DEVELOPER-LIST] Definition of OVAL Items

 


Re: Definition of OVAL Items

Jon Baker
Administrator

Deepak,

Can you send the OVAL definition that is not validating?

We would be happy to look into the issue.

Thanks,

Jon

============================================
Jonathan O. Baker
G022 - IA Industry Collaboration
The MITRE Corporation
Email: [hidden email]

 

From: Deepak Asawa [mailto:[hidden email]]
Sent: Monday, January 16, 2012 5:54 AM
To: oval-developer-list OVAL Developer List/Closed Public Discussion
Subject: Re: [OVAL-DEVELOPER-LIST] Definition of OVAL Items

 
