Issues with Cisco IOS schema in 5.11

Issues with Cisco IOS schema in 5.11

joval
I’ve uncovered a few problems with the changes made to the Cisco IOS schemas in OVAL 5.11:

1) For the new ios-sc:acl_item, the config_line entity should have maxOccurs=“unlimited” (not 1).

2) For the updated ios-sc:interface_item, several of the entity types have been changed from EntityItemStringType to EntityItemAnySimpleType, when I believe the intention was to change them to EntityItemBooleanType:

ip_directed_broadcast_command
proxy_arp_command
shutdown_command

Shall I make the schema changes for 5.11.1?

Best regards,
—David Solin
[hidden email]

To unsubscribe, send an email message to [hidden email] with
SIGNOFF OVAL-DEVELOPER-LIST
in the BODY of the message.  If you have difficulties, write to [hidden email].

jOVAL.org: OVAL implemented in Java.
Scan any machine from any machine. For free!

Re: Issues with Cisco IOS schema in 5.11

Panos Kampanakis (pkampana)
Thank you David.

Agreed on 1 and 2. I think they were a couple of things that initially were correct, but we missed them after the revisions in the Sandbox.

For 1, I also suggest changing config_line to config_lines and acl_config_lines to acl_config_line. It will make them more intuitive.

Rgs,
Panos


-----Original Message-----
From: David Solin [mailto:[hidden email]]
Sent: Wednesday, March 11, 2015 6:34 PM
To: [hidden email]
Subject: [OVAL-DEVELOPER-LIST] Issues with Cisco IOS schema in 5.11

I’ve uncovered a few problems with the changes made to the Cisco IOS schemas in OVAL 5.11:

1) For the new ios-sc:acl_item, the config_line entity should have maxOccurs=“unlimited” (not 1).

2) For the updated ios-sc:interface_item, several of the entity types have been changed from EntityItemStringType to EntityItemAnySimpleType, when I believe the intention was to change them to EntityItemBooleanType:

ip_directed_broadcast_command
proxy_arp_command
shutdown_command

Shall I make the schema changes for 5.11.1?

Best regards,
—David Solin
[hidden email]


Re: Issues with Cisco IOS schema in 5.11

joval
Hi Panos,

I think it would be fine to keep the names unchanged; that would keep it consistent with the section_item, which has section_config_lines and config_line entities.

I’ve updated our open-source schema to reflect these changes, if anyone is interested:
https://github.com/joval/jOVAL/blob/5.11.X/scap/schemas/oval-5.11/ios-system-characteristics-schema.xsd

Best,
—David Solin
[hidden email]


> On Mar 11, 2015, at 9:05 PM, Panos Kampanakis (pkampana) <[hidden email]> wrote:
>
> Thank you David.
>
> Agreed on 1 and 2. I think they were a couple of things that initially were correct, but we missed them after the revisions in the Sandbox.
>
> For 1, I also suggest changing config_line to config_lines and acl_config_lines to acl_config_line. It will make them more intuitive.
>
> Rgs,
> Panos

Re: Issues with Cisco IOS schema in 5.11

Panos Kampanakis (pkampana)
When looking at this again, we found one more nit in the interface item. There can only be one IPv4 address on an interface. Thus we need to make ipv4_address occur 0 or 1 times, not unbounded.
Panos



Re: Issues with Cisco IOS schema in 5.11

joval
Hi Panos,

Does this apply only to the ios-sc:interface_item, or does it also apply to the iosxe-sc:interface_item and asa-sc:interface_item items as well?

Speaking of iosxe and asa, they also have acl_items, which also appear to have the incorrect maxOccurs=“1” schema setting for acl_item/config_line.  I assume those also need to be corrected!

Best,
David Solin
[hidden email]



> On Mar 12, 2015, at 11:54 AM, Panos Kampanakis (pkampana) <[hidden email]> wrote:
>
> When looking at this again, we found one more nit in the interface item. There can only be one IPv4 address on an interface. Thus we need to make ipv4_address occur 0 or 1 times, not unbounded.
> Panos

Re: Issues with Cisco IOS schema in 5.11

joval
I’m sorry, I misspoke — the ASA acl_item appears correct.  (The IOS-XE acl_item config_line entity does not).

David Solin



> On Mar 12, 2015, at 12:13 PM, David Solin <[hidden email]> wrote:
>
> Speaking of iosxe and asa, they also have acl_items, which also appear to have the incorrect maxOccurs=“1” schema setting for acl_item/config_line.  I assume those also need to be corrected!

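An added example, not part of the thread and not OVAL or jOVAL code: a small Python check that audits an XSD for the cardinality and type points agreed in the messages above, so the same review can be repeated on the IOS-XE and ASA schemas. The embedded fragment is constructed to reproduce the reported defects, its `urn:example:oval-sc` namespace is a placeholder, type names are spelled as in the thread, and `unbounded` is the XSD keyword for an unlimited `maxOccurs`.

```python
import xml.etree.ElementTree as ET

XS = "{http://www.w3.org/2001/XMLSchema}"

# Constructed fragment (not the real OVAL schema) reproducing the defects
# reported in the thread; the urn:example namespace is a placeholder.
SAMPLE_XSD = """<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
           xmlns:oval-sc="urn:example:oval-sc">
  <xs:element name="acl_item"><xs:complexType><xs:sequence>
    <xs:element name="config_line" type="oval-sc:EntityItemStringType"
                minOccurs="0" maxOccurs="1"/>
  </xs:sequence></xs:complexType></xs:element>
  <xs:element name="interface_item"><xs:complexType><xs:sequence>
    <xs:element name="ipv4_address" type="oval-sc:EntityItemStringType"
                minOccurs="0" maxOccurs="unbounded"/>
    <xs:element name="ip_directed_broadcast_command"
                type="oval-sc:EntityItemAnySimpleType" minOccurs="0"/>
    <xs:element name="proxy_arp_command"
                type="oval-sc:EntityItemAnySimpleType" minOccurs="0"/>
    <xs:element name="shutdown_command"
                type="oval-sc:EntityItemAnySimpleType" minOccurs="0"/>
  </xs:sequence></xs:complexType></xs:element>
</xs:schema>"""

# What the thread agreed on; type names are spelled as in the messages.
EXPECTED = {
    ("acl_item", "config_line"): {"max": "unbounded"},
    ("interface_item", "ipv4_address"): {"min": "0", "max": "1"},
    ("interface_item", "ip_directed_broadcast_command"): {"type": "EntityItemBooleanType"},
    ("interface_item", "proxy_arp_command"): {"type": "EntityItemBooleanType"},
    ("interface_item", "shutdown_command"): {"type": "EntityItemBooleanType"},
}

def audit(xsd_text, expected=EXPECTED):
    """Return (item, entity, attribute, found, wanted) for every mismatch."""
    root = ET.fromstring(xsd_text)
    findings = []
    for (item, entity), want in expected.items():
        top = root.find(f"{XS}element[@name='{item}']")
        node = None if top is None else top.find(f".//{XS}element[@name='{entity}']")
        if node is None:
            findings.append((item, entity, "present", None, True))
            continue
        have = {"min": node.get("minOccurs", "1"),   # XSD defaults are 1
                "max": node.get("maxOccurs", "1"),
                "type": node.get("type", "").split(":")[-1]}
        findings += [(item, entity, k, have[k], v)
                     for k, v in want.items() if have[k] != v]
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_XSD):
        print("%s/%s: %s is %r, expected %r" % finding)
```

Run against the constructed fragment, the audit reports five mismatches: one for `acl_item/config_line`, one for `ipv4_address`, and one for each of the three `*_command` entities.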