
Each user must have unique UID definition


Each user must have unique UID definition

gauravphoenix
Requesting community feedback. 

Since I couldn't find any similar compliance definition in the OVAL repository, I've written the attached definition, which evaluates to true if all users have unique UIDs. This is often required by compliance requirements such as PCI. 

I am using the count and unique functions made available in v5.10. Logic: evaluate to true if (count of all UIDs == count of unique UIDs) 

Curious to know if there is alternative/better way. 

Cheers,
Gaurav 
To unsubscribe, send an email message to [hidden email] with SIGNOFF OVAL-DISCUSSION-LIST in the BODY of the message. If you have difficulties, write to [hidden email].

pci.xml (6K) Download Attachment
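The logic described in the post (true when the count of all UIDs equals the count of distinct UIDs), written out as a complete OVAL 5.10 definitions file. This is an added illustration and not the pci.xml attached to the thread: the oval:org.example IDs, the comments, the regex and the generator block are assumptions made for the example, and the CCE reference is the one cited later in the thread. It uses the count and unique local_variable functions the post mentions, and keeps the instance element that the independent schema requires on a textfilecontent54_object.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not the thread's pci.xml. All oval:org.example IDs are assumed. -->
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
    xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5"
    xmlns:ind="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
  <generator>
    <oval:product_name>hand-written example</oval:product_name>
    <oval:schema_version>5.10</oval:schema_version>
    <oval:timestamp>2012-01-01T00:00:00</oval:timestamp>
  </generator>

  <definitions>
    <definition id="oval:org.example:def:1" version="1" class="compliance">
      <metadata>
        <title>Each user must have a unique UID</title>
        <affected family="unix"/>
        <!-- CCE cited by Gaurav later in this thread -->
        <reference source="CCE" ref_id="CCE-6224-0"/>
        <description>True when the number of UID fields in /etc/passwd equals the number of distinct UID values.</description>
      </metadata>
      <criteria>
        <criterion test_ref="oval:org.example:tst:1" comment="count(all UIDs) == count(unique UIDs)"/>
      </criteria>
    </definition>
  </definitions>

  <tests>
    <!-- Compare the total-count variable (via obj:2) against the distinct-count variable (via ste:1). -->
    <ind:variable_test id="oval:org.example:tst:1" version="1" check="all"
        comment="total UID count equals distinct UID count">
      <ind:object object_ref="oval:org.example:obj:2"/>
      <ind:state state_ref="oval:org.example:ste:1"/>
    </ind:variable_test>
  </tests>

  <objects>
    <!-- One item per /etc/passwd line; subexpression 1 is the UID (third colon-separated field). -->
    <ind:textfilecontent54_object id="oval:org.example:obj:1" version="1"
        comment="UID field of every line in /etc/passwd">
      <ind:filepath>/etc/passwd</ind:filepath>
      <ind:pattern operation="pattern match">^[^:]+:[^:]*:([0-9]+):</ind:pattern>
      <!-- instance is mandatory in the schema; >= 1 means "every match", which is what we want here -->
      <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
    </ind:textfilecontent54_object>

    <!-- Wrap the total count in an object so a variable_test can evaluate it. -->
    <ind:variable_object id="oval:org.example:obj:2" version="1" comment="total number of UID fields">
      <ind:var_ref>oval:org.example:var:1</ind:var_ref>
    </ind:variable_object>
  </objects>

  <states>
    <!-- datatype on the value must match the int datatype of the referenced variable. -->
    <ind:variable_state id="oval:org.example:ste:1" version="1" comment="equals the distinct UID count">
      <ind:value datatype="int" operation="equals" var_ref="oval:org.example:var:2"/>
    </ind:variable_state>
  </states>

  <variables>
    <!-- var:1 = count of every UID captured; var:2 = count after unique() removes duplicates. -->
    <local_variable id="oval:org.example:var:1" version="1" datatype="int" comment="number of UID fields found">
      <count>
        <object_component object_ref="oval:org.example:obj:1" item_field="subexpression"/>
      </count>
    </local_variable>
    <local_variable id="oval:org.example:var:2" version="1" datatype="int" comment="number of distinct UID values">
      <count>
        <unique>
          <object_component object_ref="oval:org.example:obj:1" item_field="subexpression"/>
        </unique>
      </count>
    </local_variable>
  </variables>
</oval_definitions>
```

Two things to check before relying on a pass from a definition shaped like this. The regex is the whole check: a passwd line whose third field is not purely numeric is not matched at all, so it silently drops out of both counts instead of failing the test; confirm in the results file that the item count for obj:1 equals the number of lines in /etc/passwd. And the definition only says whether a collision exists, not which UID or which accounts share it; the collected subexpression values for obj:1 in the system-characteristics output are where to look for that.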

Re: Each user must have unique UID definition

joval
I don't think you need to specify this:

<instance datatype="int" operation="greater than">0</instance>

in oval:com.pivotalsecurity.oval:obj:1, do you?  The instance is always >= 1.

On 12/28/2011 11:11 PM, Gaurav Kumar wrote:

--

jOVAL.org: OVAL implemented in Java.
Scan any machine from any machine. For free!
Learn More | Features | Download



Re: Each user must have unique UID definition

gauravphoenix
I think it's required/suggested by the schema. If I remove that, I get this warning: 

The element 'textfilecontent54_object' in namespace 'http://oval.mitre.org/XMLSchema/oval-definitions-5#independent' has incomplete content. List of possible elements expected: 'instance' in namespace 'http://oval.mitre.org/XMLSchema/oval-definitions-5#independent'.

On Thu, Dec 29, 2011 at 10:02 AM, David Solin <[hidden email]> wrote:
<instance datatype="int" operation="greater than">0</instance>



--
Gaurav Kumar
Chief Security Consultant, Pivotal Security LLC | Email: [hidden email] | Phone:(425)686-9695 


Re: Each user must have unique UID definition

Hansbury, Matt
In reply to this post by gauravphoenix
Hi Gaurav,

I took a look at this Definition and had some feedback:

1. This Definition has a few validation issues.  Specifically:
        a. The <contributor> element inside the <oval_repository> element is incorrect.  It needs to be wrapped like:

                <dates>
                        <submitted date="2010-09-23T15:01:11">
                                <contributor organization="Org">Name</contributor>
                        </submitted>
                </dates>

        b. There is a var_check="all" attribute on the <filepath> element for the textfilecontent54_object, but it doesn't have a var_ref attribute.  This is required so it knows what variable to use for the Object.  I *believe* you can just remove this, as I don't think it is required for your Definition.

        c. There is a mis-matched datatype between the var_ref in oval:com.pivotalsecurity.oval:ste:1 & oval:com.pivotalsecurity.oval:var:1.  The variable is an int, but the var_ref expects a string.   I think you can just do:

      <value var_ref="oval:com.pivotalsecurity.oval:var:1" datatype="int"></value>

to fix this, but you'll need to confirm that that is the correct intent of the check.  

        d. Compliance based OVAL Definitions should have an associated CCE with them as a reference.  This isn't a showstopper, but it would be nice to have one specified, especially if such a CCE exists already.  

        e. There were also a couple of RegEx warnings about anchors, but those aren't a big deal (and in some cases are kind of wrong anyway)

Note that the first error was from the Repository metadata schema, the second two from the Language Schematron, and the last two from the Authoring Style guide Schematron.  All of these errors/warnings come up when you run the full validation set on the content, as described here (under "Submission Validation"):

http://oval.mitre.org/repository/about/submission.html

Aside from the validation issues, the content seems reasonable, as far as I can tell, with regard to your approach.  I did notice that not all of the Objects are used (obj:2 for instance), so you may want to clean it up a bit.  Otherwise, I would think the combination of count and unique is reasonable.

I would recommend you go through and fix the issues from above and then re-submit.  I could fix them, but in a couple of cases I'd be making a guess as to your intent.  

Thanks
Matt

-----Original Message-----
From: Gaurav Kumar [mailto:[hidden email]]
Sent: Thursday, December 29, 2011 12:11 AM
To: oval-discussion-list OVAL Discussion List/Closed Public Discussi
Subject: [OVAL-DISCUSSION-LIST] Each user must have unique UID definition

Re: Each user must have unique UID definition

gauravphoenix
I realized that I've not sent the updated file. Attached is the updated file with the fixes. Note that I'm using CCE-6224-0, which is available in RHEL-4 (and surprisingly not available under RHEL-5 configuration). Also, the regex warning was wrong, so I've not updated that. 

Thanks,
Gaurav

On Wed, Feb 22, 2012 at 3:19 PM, Hansbury, Matt <[hidden email]> wrote:

--
Gaurav Kumar
Chief Security Consultant, Pivotal Security LLC | Email: [hidden email] | Phone:(425)686-9695 


pci.xml (6K) Download Attachment

Re: Each user must have unique UID definition

jasenj1

This submission has been processed and is now available in the OVAL repository. Our static downloads will be updated to include this submission later today.


- Jasen.

From: Gaurav Kumar <[hidden email]>
Reply-To: "OVAL Discussion List (Closed Public Discussion)" <[hidden email]>
Date: Sat, 31 Mar 2012 12:31:17 -0700
To: <[hidden email]>
Subject: Re: [OVAL-DISCUSSION-LIST] Each user must have unique UID definition
