MS Bulletins - April 2015


MS Bulletins - April 2015

Kumarswamy S
Hi,
      Please find the attached bulletins for the month of April 2015.


Regards,
Kumarswamy S
Saner Personal
A free vulnerability mitigation
software. Build strong defence.
http://www.secpod.com/saner-personal.html

To unsubscribe, send an email message to [hidden email] with
SIGNOFF OVAL-DISCUSSION-LIST
in the BODY of the message.  If you have difficulties, write to [hidden email].

Attachments:
ms15-033-mitre.xml (68K)
ms15-033-mitre-mac.xml (7K)
ms15-034-mitre.xml (45K)
ms15-035-mitre.xml (67K)
ms15-038-mitre.xml (102K)
ms15-039-mitre.xml (67K)
ms15-040-mitre.xml (8K)
ms15-041-mitre.xml (133K)
ms15-042-mitre.xml (13K)

Re: MS Bulletins - April 2015

Evgeniy Pavlov
Hi!
What about this submission? It's a critical update.

-------
Evgeniy Pavlov,
SCAP-developer
Phone: +7(495)543-31-01 ext. 20
http://www.altex-soft.com/

----- Original message -----
From: "Kumarswamy S" <[hidden email]>
To: "MITRE submit_content" <[hidden email]>
Sent: Friday, 17 April 2015 16:46:11
Subject: [OVAL-DISCUSSION-LIST] MS Bulletins - April 2015


Re: MS Bulletins - April 2015

mcokus
In reply to this post by Kumarswamy S
Kumarswamy,

Thank you for your submission.  All the files, except ms-15-039-mitre.xml, have been processed and are in the repository.  The static download page will be updated shortly.

The ms-15-039 submission contained a version error: "oval:org.mitre.oval:def:415 had a version less than expected."  This def was updated shortly before you made your submission.  Please check the changes to make sure they cause no problems.  Then revise the ms-15-039-mitre.xml submission file accordingly, and resubmit it.

Thanks,

--mike

Mike Cokus
Systems Engineer
The MITRE Corporation
+1.757.896.8553
+1.757.826.8316 (fax)
[hidden email]

>-----Original Message-----
>From: Kumarswamy S [mailto:[hidden email]]
>Sent: Friday, April 17, 2015 9:46 AM
>To: oval-discussion-list OVAL Discussion List/Closed Public Discussi
>Subject: [OVAL-DISCUSSION-LIST] MS Bulletins - April 2015

Re: MS Bulletins - April 2015

Kumarswamy S
Mike,
     
     Please find the updated file ms-15-039-mitre.xml.

Regards,
Kumarswamy S
Saner Personal
A free vulnerability mitigation
software. Build strong defence.
http://www.secpod.com/saner-personal.html




Attachment: ms15-039-mitre.xml (68K)

Re: MS Bulletins - April 2015

Kumarswamy S
Mike,

       May I know the status of the submission (ms-15-039-mitre.xml)?

Regards,
Kumarswamy S
Saner Personal
A free vulnerability mitigation
software. Build strong defence.
http://www.secpod.com/saner-personal.html




Re: MS Bulletins - April 2015

mcokus
My apologies, Kumarswamy.  It looks like I missed this email.  I will process the submission today.

--mike

Mike Cokus
Systems Engineer
The MITRE Corporation
+1.757.896.8553
+1.757.826.8316 (fax)
[hidden email]

>-----Original Message-----
>From: Kumarswamy S [mailto:[hidden email]]
>Sent: Tuesday, May 12, 2015 5:30 AM
>To: oval-discussion-list OVAL Discussion List/Closed Public Discussi
>Subject: Re: [OVAL-DISCUSSION-LIST] MS Bulletins - April 2015

Looping

John Garrett
My question here revolves around looping and something I don't "think"
OVAL can do; but if it could, it would be useful.

For a given file the following exists:
/home/joe
/home/bob
/home/hello
/home/world

Is there a way to parse and capture the contents of each line to memory,
and from there do something with the capture?  I know I can do it with a
variable for a given line, but multiple lines elude me.

Perhaps we wanted to do a recursive check on the directories for the
presence or lack of a given file.

In bash it would be something like:

while read list; do
     ls -R "$list"
     something...
done < given_file

Any ideas?

--John G.


Re: Looping

David Solin-3
Hi John,

You can capture these values using a variable that references an ind:textfilecontent54_object’s value entity.  The resulting variable would be multi-valued.  You could then use the value in another object, and test all the files for some common attributes or characteristics, and use the var_check attribute to control exactly how you want that to work.

Regards,
—David A. Solin
Co-Founder, Research & Technology
[hidden email]

 

   



> On May 12, 2015, at 10:42 AM, John Garrett <[hidden email]> wrote:


Re: MS Bulletins - April 2015

mcokus
In reply to this post by mcokus
Hello Kumarswamy,

Thank you for your submission.  It has been processed and is in the OVAL repository.  (Sorry for the delay.)  The static download page should be updated shortly.  

--mike

Mike Cokus
Systems Engineer
The MITRE Corporation
+1.757.896.8553
+1.757.826.8316 (fax)
[hidden email]

>-----Original Message-----
>From: Cokus, Michael S. [mailto:[hidden email]]
>Sent: Tuesday, May 12, 2015 11:29 AM
>To: oval-discussion-list OVAL Discussion List/Closed Public Discussi
>Subject: Re: [OVAL-DISCUSSION-LIST] MS Bulletins - April 2015

Re: Looping

John Garrett
In reply to this post by David Solin-3
Hi David,

I hate asking to be spoonfed somewhat, but is there a good example out
there for this type of task?  At least the object and how to apply the
variable..

-- John G.

On 5/12/2015 2:26 PM, David Solin wrote:



Re: Looping

John Garrett
Hi David,

Ok, I believe I have found an example where looping and your idea of capturing and variables might come in handy.  I'm 90% close to having it complete, I just can't wrap my head around how to bridge the last piece together.  Here is the task:

Examine /etc/syslog.conf to confirm the location to which "authpriv" messages are being sent.
# grep authpriv.* /etc/syslog.conf

Once the file is determined, perform the following command:
# grep password <file> | more

Look for any lines that do not have sshd as the associated service.
If root has logged in over the network and sshd is not running, this is a finding.

I'm going to leave the test out of my questions here because all I'm really concerned with is the obj/ste/var stuff; how those three are formed will be the basis for a given test.

1) We need to find the location of the authpriv message logs:
    <ind:textfilecontent54_object xmlns:ind="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
      id="oval:mil.disa.fso.redhat.rhel5:obj:205101" comment="Logfile location -- V-1046" version="1">
      <ind:path>/etc</ind:path>
      <ind:filename>syslog.conf</ind:filename>
      <ind:pattern operation="pattern match">^(?!\s*#)authpriv\.\*\s+(.*)\s*$</ind:pattern>
      <ind:instance datatype="int" operation="equals">1</ind:instance>
    </ind:textfilecontent54_object>
        - The subexpression will hold the value of the logfile

2) We capture that subexpression from obj:205101, and store it to memory via the variable:
    <local_variable id="oval:mil.disa.fso.redhat.rhel5:var:205100" version="1" datatype="string" comment="Logfile location -- V-1046">
      <object_component object_ref="oval:mil.disa.fso.redhat.rhel5:obj:205101" item_field="subexpression"/>
    </local_variable>

3) Now that we have the location, we can parse the file for strings we should or should not see
    <ind:textfilecontent54_object xmlns:ind="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
      id="oval:mil.disa.fso.redhat.rhel5:obj:205100" comment="V-1046" version="1">
      <ind:filepath var_ref="oval:mil.disa.fso.redhat.rhel5:var:205100"/>
      <!-- the original pattern had an unmatched ")"; the group now captures the service name that precedes "[pid]:" -->
      <ind:pattern operation="pattern match">^.*?\s(\S+)\[\d+\]: Accepted password for root</ind:pattern>
      <ind:instance datatype="int" operation="equals">1</ind:instance>
    </ind:textfilecontent54_object>
        - Notice the subexpression, this will hold the "value" I either want to see or not see, again this all depends on how we make the test/def.

4) The following variable will hold the subexpression values from step #3 (obj:205100)
    <local_variable id="oval:mil.disa.fso.redhat.rhel5:var:205101" version="1" datatype="string" comment="Protocol Value -- V-1046">
      <object_component object_ref="oval:mil.disa.fso.redhat.rhel5:obj:205100" item_field="subexpression"/>
    </local_variable>

5) My next thought was to take the variable from step #4 (var:205101) and tell a state what to do with it
    <ind:textfilecontent54_state xmlns:ind="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="V-1046"
      id="oval:mil.disa.fso.redhat.rhel5:ste:205100" version="1">
      <!-- an entity that carries var_ref must be empty; to compare the captured service against the literal "sshd", the var_ref is dropped -->
      <ind:subexpression operation="not equal">sshd</ind:subexpression>
    </ind:textfilecontent54_state>


Running that produced an error.  Now, previously you mentioned I could take the variable from step #4 (var:205101) and use it in another object.  How exactly can I do this?  The reason I ask is because what I want to test against is now stored in memory; if I try and throw it at a textfilecontent54_object it is going to request a path/filename/filepath at a minimum.  If I could nil those and just use it as a pattern it would work I think, but alas I cannot...

Any help with the logic would be greatly appreciated!


V/r,
John W. Garrett




On 5/12/2015 2:26 PM, David Solin wrote:



Re: Looping

David Solin-3
Hi John,

If you just want to play with the raw value of a variable and compare it to something, you can use an ind:variable_object.

If you wanted to compare two different variable values with one another, you could use a variable_test, variable_object (with one var_ref) and variable_state (with the other var_ref).

I’m curious, what error are you seeing?  Everything you listed appears sound to me.

Best regards,
--David A. Solin
Co-Founder, Research & Technology
[hidden email]
> On Jun 12, 2015, at 12:24 PM, John Garrett <[hidden email]> wrote:

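John's five steps and David's variable_object/variable_test suggestion, put together into one complete OVAL document as an added example (constructed for this thread; it is not code from either poster or from the OVAL repository). It reuses John's object and variable ids; the definition, test, state and variable_object ids under oval:example.added are made up, and the two pattern changes (capturing the destination as a single token without syslog's leading "-", and instance >= 1 so every matching log line is collected) are assumptions about the intended check.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example: John's objects/variables plus David's variable_object/variable_test, wired into one definition. -->
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
    xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5"
    xmlns:ind="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
  <generator>
    <oval:product_name>constructed example for the oval-discussion-list thread</oval:product_name>
    <oval:schema_version>5.10</oval:schema_version>
    <oval:timestamp>2015-06-12T00:00:00</oval:timestamp>
  </generator>

  <definitions>
    <!-- True means compliant: authpriv logging is configured and every accepted root password
         login in that log was handled by sshd. The ids under oval:example.added are made up. -->
    <definition id="oval:example.added:def:1" version="1" class="compliance">
      <metadata>
        <title>V-1046: root password logins must come through sshd</title>
        <description>Reads the authpriv destination from /etc/syslog.conf, captures the service name
          from every "Accepted password for root" line in that log, and fails if any of them is not sshd.</description>
      </metadata>
      <criteria operator="AND">
        <criterion test_ref="oval:example.added:tst:2" comment="syslog.conf routes authpriv messages to a log file"/>
        <!-- negate: the definition passes only when NO captured service differs from sshd -->
        <criterion test_ref="oval:example.added:tst:1" negate="true" comment="a service other than sshd accepted a root password"/>
      </criteria>
    </definition>
  </definitions>

  <tests>
    <!-- Guards the edge case John's chain does not cover: no uncommented authpriv.* line at all. -->
    <ind:textfilecontent54_test id="oval:example.added:tst:2" version="1" check="all"
        check_existence="at_least_one_exists" comment="an uncommented authpriv.* line exists">
      <ind:object object_ref="oval:mil.disa.fso.redhat.rhel5:obj:205101"/>
    </ind:textfilecontent54_test>
    <!-- David's suggestion: a variable_test over the raw values of var:205101. If the log has no
         "Accepted password for root" lines, the variable is empty and this test cannot be true. -->
    <ind:variable_test id="oval:example.added:tst:1" version="1" check="at least one"
        check_existence="at_least_one_exists" comment="some captured service name is not sshd">
      <ind:object object_ref="oval:example.added:obj:1"/>
      <ind:state state_ref="oval:example.added:ste:1"/>
    </ind:variable_test>
  </tests>

  <objects>
    <!-- John's step 1. Assumed changes: the destination is captured as one token, and a leading "-"
         (syslog's asynchronous-write marker, e.g. "-/var/log/secure") is kept out of the capture. -->
    <ind:textfilecontent54_object id="oval:mil.disa.fso.redhat.rhel5:obj:205101" version="2" comment="Logfile location -- V-1046">
      <ind:path>/etc</ind:path>
      <ind:filename>syslog.conf</ind:filename>
      <ind:pattern operation="pattern match">^(?!\s*#)authpriv\.\*\s+-?(\S+)</ind:pattern>
      <ind:instance datatype="int" operation="equals">1</ind:instance>
    </ind:textfilecontent54_object>
    <!-- John's step 3. The group captures the service name in front of "[pid]:", e.g. "sshd" in the
         constructed line "Jun 12 10:00:00 host sshd[1234]: Accepted password for root from 10.0.0.5".
         instance >= 1 collects every matching line, which is what makes var:205101 multi-valued. -->
    <ind:textfilecontent54_object id="oval:mil.disa.fso.redhat.rhel5:obj:205100" version="2" comment="V-1046">
      <ind:filepath var_ref="oval:mil.disa.fso.redhat.rhel5:var:205100"/>
      <ind:pattern operation="pattern match">^.*?\s(\S+)\[\d+\]: Accepted password for root</ind:pattern>
      <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
    </ind:textfilecontent54_object>
    <!-- The object David describes: it exposes every value of var:205101 as one variable_item. -->
    <ind:variable_object id="oval:example.added:obj:1" version="1" comment="service names that accepted a root password">
      <ind:var_ref>oval:mil.disa.fso.redhat.rhel5:var:205101</ind:var_ref>
    </ind:variable_object>
  </objects>

  <states>
    <!-- The item carries all captured values; entity_check="at least one" means a single non-sshd
         value satisfies the state. Comparing against a literal needs no var_ref on the entity. -->
    <ind:variable_state id="oval:example.added:ste:1" version="1" comment="a service other than sshd">
      <ind:value entity_check="at least one" operation="not equal">sshd</ind:value>
    </ind:variable_state>
  </states>

  <variables>
    <!-- John's steps 2 and 4, unchanged. -->
    <local_variable id="oval:mil.disa.fso.redhat.rhel5:var:205100" version="1" datatype="string" comment="Logfile location -- V-1046">
      <object_component object_ref="oval:mil.disa.fso.redhat.rhel5:obj:205101" item_field="subexpression"/>
    </local_variable>
    <local_variable id="oval:mil.disa.fso.redhat.rhel5:var:205101" version="1" datatype="string" comment="Protocol Value -- V-1046">
      <object_component object_ref="oval:mil.disa.fso.redhat.rhel5:obj:205100" item_field="subexpression"/>
    </local_variable>
  </variables>
</oval_definitions>
```

The variable_object is what lets the captured service names be tested without a path or filename, which is the step John was missing; if the two values to compare both live in variables, a var_ref on the variable_state replaces the literal "sshd".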

Re: Looping

Hansbury, Matt
In reply to this post by John Garrett
Hi John,

While it sounds like David Solin has been able to help you out with your questions, I did want to confirm one of the things he mentioned in a previous email.  This list (oval-discussion-list) is intended for conversation on (and submission of) content for the OVAL Repository.  

For more general OVAL questions or issues like the ones you've been asking about, we strongly recommend using the oval-developer-list, as that is where you are more likely to get answers to your questions.  

Thanks
Matt

-----Original Message-----
From: John Garrett [mailto:[hidden email]]
Sent: Friday, June 12, 2015 1:25 PM
To: oval-discussion-list OVAL Discussion List/Closed Public Discussi
Subject: Re: [OVAL-DISCUSSION-LIST] Looping

Hi David,

Ok, I believe I have found an example where looping and your idea of capturing and variables might come in handy.  I'm 90% close to having it complete, I just can't wrap my head around how to bridge the last piece together.  Here is the task:

Examine /etc/syslog.conf to confirm the location to which "authpriv" messages are being sent.
# grep authpriv.* /etc/syslog.conf

Once the file is determined, perform the following command:
# grep password <file> | more

Look for any lines that do not have sshd as the associated service.
If root has logged in over the network and sshd is not running, this is a finding.

I'm going to leave the test out of my questions here because all I'm really concerned with is the obj/ste/var stuff; depending on how those 3 form will be the basis for a given test.

1) We need to find the location of the authpriv message logs:
    <ind:textfilecontent54_object xmlns:ind="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
      id="oval:mil.disa.fso.redhat.rhel5:obj:205101" comment="Logfile location -- V-1046" version="1">
      <ind:path>/etc</ind:path>
      <ind:filename>syslog.conf</ind:filename>
      <ind:pattern operation="pattern match">^(?!\s*#)authpriv\.\*\s+(\S+)\s*$</ind:pattern>
      <ind:instance datatype="int" operation="equals">1</ind:instance>
    </ind:textfilecontent54_object>
        - The subexpression will hold the value of the logfile

2) We capture that subexpression from obj:205101, and store it to memory via the variable:
    <local_variable id="oval:mil.disa.fso.redhat.rhel5:var:205100" version="1" datatype="string" comment="Logfile location -- V-1046">
      <object_component object_ref="oval:mil.disa.fso.redhat.rhel5:obj:205101" item_field="subexpression"/>
    </local_variable>

3) Now that we have the location, we can parse the file for strings we should or should not see
    <ind:textfilecontent54_object xmlns:ind="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
      id="oval:mil.disa.fso.redhat.rhel5:obj:205100" comment="V-1046" version="1">
      <ind:filepath var_ref="oval:mil.disa.fso.redhat.rhel5:var:205100"/>
      <ind:pattern operation="pattern match">^.*?\s(\S+)\[\d+\]: Accepted password for root</ind:pattern>
      <ind:instance datatype="int" operation="equals">1</ind:instance>
    </ind:textfilecontent54_object>
        - Notice the subexpression, this will hold the "value" I either want to see or not see, again this all depends on how we make the test/def.

4) The following variable will hold the subexpression values from step #3 (obj:205100)
    <local_variable id="oval:mil.disa.fso.redhat.rhel5:var:205101" version="1" datatype="string" comment="Protocol Value -- V-1046">
      <object_component object_ref="oval:mil.disa.fso.redhat.rhel5:obj:205100" item_field="subexpression"/>
    </local_variable>

5) My next thought was to take the variable from step #4 (var:205101) and tell a state what to do with it
    <ind:textfilecontent54_state xmlns:ind="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="V-1046"
      id="oval:mil.disa.fso.redhat.rhel5:ste:205100" version="1">
      <ind:subexpression var_ref="oval:mil.disa.fso.redhat.rhel5:var:205101" operation="not equal">sshd</ind:subexpression>
    </ind:textfilecontent54_state>


Running this produced an error.....  Now, previously you mentioned I could take the variable from step #4 (var:205101) and use it in another object.  How exactly can I do this?  The reason I ask is because what I want to test against is now stored in memory; if I try and throw it at a textfilecontent54_object it is going to request a path/filename/filepath at a minimum.  If I could nil those and just use it as a pattern it would work I think, but alas I cannot...

Any help with the logic would be greatly appreciated!


V/r,
John W. Garrett
On 5/12/2015 2:26 PM, David Solin wrote:

> Hi John,
>
> You can capture these values using a variable that references an ind:textfilecontent54_object’s value entity.  The resulting variable would be multi-valued.  You could then use the value in another object, and test all the files for some common attributes or characteristics, and use the var_check attribute to control exactly how you want that to work.
>
> Regards,
> —David A. Solin
> Co-Founder, Research & Technology
> [hidden email]
>
>> On May 12, 2015, at 10:42 AM, John Garrett <[hidden email]> wrote:
>>
>> My question here revolves around looping and something I don't "think" OVAL can do; but if it could, it would be useful.
>>
>> For a given file the following exists:
>> /home/joe
>> /home/bob
>> /home/hello
>> /home/world
>>
>> Is there a way to parse and capture the contents of each line to memory, and from there do something with the capture?  I know I can do it with a variable for a given line, but multiple lines elude me.
>>
>> Perhaps we wanted to do a recursive check on the directories for the presence or lack of a given file.
>>
>> In bash it would be something like:
>>
>> while read -r list; do
>>     ls -R "$list"
>>     # something...
>> done < given_file
>>
>> Any ideas?
>>
>> --John G.
>>
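As an added example, not code from the thread or from the OVAL project, the Python script below emulates what the chain of objects and variables in John's steps 1 to 5 would compute, together with the multi-valued variable and var_check behaviour David describes. Stage one captures the authpriv destination from a syslog.conf fragment (obj:205101 / var:205100), stage two collects one subexpression per matching log line (obj:205100 / var:205101), and a state comparison of "not equal" "sshd" is evaluated under var_check "at least one" and "all". The syslog.conf fragment and the log lines are constructed sample data, the function names are mine, and the script assumes the second object is collected with an unbounded instance; the posted obj:205100 with instance equal to 1 would only ever yield the first matching line, which is worth keeping in mind when the check has to look at "any lines".

```python
import re
from typing import List, Optional

# Constructed sample inputs (not real system files): a syslog.conf fragment
# and a few log lines of the kind V-1046 asks the reviewer to inspect.
SAMPLE_SYSLOG_CONF = """\
# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog
# authpriv messages (the line the first object captures)
authpriv.*                                              /var/log/secure
"""

SAMPLE_SECURE_LOG = [
    "Jun 12 13:20:01 host sshd[2041]: Accepted password for root from 10.0.0.5 port 51022 ssh2",
    "Jun 12 13:21:44 host sshd[2050]: Accepted password for alice from 10.0.0.7 port 51030 ssh2",
    "Jun 12 13:22:10 host in.telnetd[2077]: Accepted password for root from 10.0.0.9",
    "Jun 12 13:23:55 host sshd[2090]: Failed password for root from 10.0.0.5 port 51040 ssh2",
]

# Step 1 / obj:205101: the destination is captured as one non-blank token so
# trailing whitespace never ends up inside the path handed to the next object.
AUTHPRIV_DEST = re.compile(r"^(?!\s*#)authpriv\.\*\s+(\S+)\s*$", re.M)

# Step 3 / obj:205100: the service name in front of "[pid]:" on lines that
# record an accepted password login for root.
ROOT_LOGIN_SERVICE = re.compile(r"^.*?\s(\S+)\[\d+\]: Accepted password for root")


def authpriv_destination(conf_text: str) -> Optional[str]:
    """Emulate obj:205101 + var:205100: the subexpression of the first match
    (instance 1) of the authpriv line. None when no such line exists, which
    in OVAL leaves the dependent object without a collected item."""
    m = AUTHPRIV_DEST.search(conf_text)
    if m is None:
        return None
    # syslog allows a leading '-' (asynchronous write); strip it to get a path.
    return m.group(1).lstrip("-")


def root_login_services(log_lines: List[str]) -> List[str]:
    """Emulate obj:205100 + var:205101 with an unbounded instance: one
    subexpression value per matching line, i.e. a multi-valued variable."""
    services = []
    for line in log_lines:
        m = ROOT_LOGIN_SERVICE.match(line)
        if m:
            services.append(m.group(1))
    return services


def state_not_equal(values: List[str], expected: str, var_check: str = "at least one") -> bool:
    """Emulate a state entity <subexpression operation="not equal"> compared
    against a multi-valued variable under the two common var_check modes.
    An empty variable never satisfies the state."""
    results = [v != expected for v in values]
    if not results:
        return False
    if var_check == "all":
        return all(results)
    return any(results)


def v1046_finding(conf_text: str, log_lines: List[str]) -> dict:
    """Chain the two captures the way the posted var/obj pairs do and decide
    the finding: root logged in with a password through something other than sshd."""
    dest = authpriv_destination(conf_text)
    services = root_login_services(log_lines)
    return {
        "logfile": dest,
        "services": services,
        "finding": state_not_equal(services, "sshd"),
        "offending_services": sorted({s for s in services if s != "sshd"}),
    }


if __name__ == "__main__":
    print(v1046_finding(SAMPLE_SYSLOG_CONF, SAMPLE_SECURE_LOG))
```

With the constructed data the script reports /var/log/secure as the log file, collects the services sshd and in.telnetd, and raises the finding because at least one captured value is not sshd; under var_check "all" the same data would not satisfy the state, which is the distinction to settle before wiring the state into a test.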