How to make result returned as "unknown"?

gauravphoenix
Now that I have a definition which uses an external file to provide values, I am wondering if there is a way I can make the definition return the result "Unknown" if none of the values satisfy.

For example, if php.ini has not been found in any of the specified directories like "/etc/php/apache2", "/someDir", etc., I want the definition to return the result "Unknown" as opposed to "False". I think it is achievable using a combination of ExistenceEnumeration and CheckEnumeration, but after playing with a couple of options, I am not able to get the desired output, perhaps because I am finding the enumeration matrix a bit complex to understand.

Thanks,
Gaurav
To unsubscribe, send an email message to [hidden email] with SIGNOFF OVAL-DEVELOPER-LIST in the BODY of the message. If you have difficulties, write to [hidden email].

Re: How to make result returned as "unknown"?

joval
Create a definition that OR's an unknown_test with your test result.  If your test returns true, the result will be true.  If your result returns false, the result (FALSE | unknown) is unknown.

On 12/21/2011 3:08 PM, Gaurav Kumar wrote:
Now that I've a definition which uses external file to provide values, I am wondering if there is a way I can make the definition return result as "Unknown" if none of the values satisfy. 

For example, if php.ini has not been found in any of the specified directories like  "/etc/php/apache2",  "/someDir" etc , I want the definition to return result as "Unknown" as opposed to "False". I think it is achievable using combination of ExistenceEnumeration and CheckEnumeration but after playing with couple of options, I am not able to get desired output- perhaps because I am finding enumeration matrix a bit complex to understand.  

Thanks,
Gaurav

--

jOVAL.org: OVAL implemented in Java.
Scan any machine from any machine. For free!
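
The OR combination described in this reply, as an added example that is not part of the original post or of any OVAL tool: it parses a constructed criteria fragment and applies the AND/OR result tables as this example understands them from the OVAL operator definitions. The test ids are placeholders, and the negate attribute and extend_definition are not handled.

```python
import xml.etree.ElementTree as ET

# Constructed criteria fragment (ids are placeholders): the php.ini test OR'd
# with an unknown_test, which always evaluates to "unknown".
CRITERIA_XML = """
<criteria operator="OR">
  <criterion test_ref="oval:example:tst:1" comment="php.ini has expected value"/>
  <criterion test_ref="oval:example:tst:2" comment="unknown_test"/>
</criteria>
"""

# Precedence used when no decisive value settles the result.
_FALLBACK = ("error", "unknown", "not evaluated")


def combine(operator, results):
    """Combine child results for operator AND or OR."""
    considered = [r for r in results if r != "not applicable"]
    if not considered:
        return "not applicable"          # only when every child is not applicable
    decisive, neutral = ("true", "false") if operator == "OR" else ("false", "true")
    if decisive in considered:
        return decisive
    for r in _FALLBACK:
        if r in considered:
            return r
    return neutral


def evaluate(node, test_results):
    """Evaluate a <criteria> or <criterion> element against per-test results."""
    if node.tag == "criterion":
        return test_results[node.get("test_ref")]
    children = [evaluate(child, test_results) for child in node]
    return combine(node.get("operator", "AND"), children)


def definition_result(file_test_result):
    """Result of the fragment for a given result of the php.ini test."""
    root = ET.fromstring(CRITERIA_XML)
    return evaluate(root, {"oval:example:tst:1": file_test_result,
                           "oval:example:tst:2": "unknown"})


if __name__ == "__main__":
    for r in ("true", "false", "error", "not applicable"):
        print(f"{r:>14} OR unknown -> {definition_result(r)}")
```

Running it shows that an error from the file test still surfaces as error, and that a not applicable child combined with the unknown_test yields unknown rather than not applicable.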

Re: How to make result returned as "unknown"?

gauravphoenix
Thanks David! unknown_test is quite helpful for the scenario I am working on. 

On Wed, Dec 21, 2011 at 6:35 PM, David Solin <[hidden email]> wrote:
Create a definition that OR's an unknown_test with your test result.  If your test returns true, the result will be true.  If your result returns false, the result (FALSE | unknown) is unknown.


--
Gaurav Kumar
Chief Security Consultant, Pivotal Security LLC | Email: [hidden email] | Phone:(425)686-9695 


Re: How to make result returned as "unknown"?

gauravphoenix
Similar to the "unknown" result, is there a "not applicable" option?

For example, if I find that PHP has not been loaded by Apache2, I want to return a "not applicable" result. I tried setting applicability_check to true, but it makes the definition evaluate to true or false only.


On Wed, Dec 21, 2011 at 9:20 PM, Gaurav Kumar <[hidden email]> wrote:
Thanks David! unknown_test is quite helpful for the scenario I am working on. 


Re: How to make result returned as "unknown"?

Jon Baker
Administrator

Gaurav,

We added the applicability check attribute to help with situations like you have described in your example. This attribute was added in OVAL 5.10 and discussed in the following thread in the nabble archives:

http://making-security-measurable.1364806.n2.nabble.com/Proposal-for-extending-Oval-criteria-criterion-and-extend-definition-to-specify-applicabilityChecks-tt6271556.html#a6461712

This attribute is described in section 4.3.9 of the specification.

Jon

============================================
Jonathan O. Baker
G022 - IA Industry Collaboration
The MITRE Corporation
Email: [hidden email]

From: Gaurav Kumar [mailto:[hidden email]]
Sent: Sunday, December 25, 2011 5:29 AM
To: oval-developer-list OVAL Developer List/Closed Public Discussion
Subject: Re: [OVAL-DEVELOPER-LIST] How to make result returned as "unknown"?

Similar to "unknown" result, is there a "not applicable" option?

For example, if I find that PHP has not been loaded by Apache2, I want to return "not applicable" result. I tried setting applicability_check to true but it makes the definition evaluate to true or false only.

 

 
