Question about state entity comparison with item entity where status = "does not exist"


joval
When an object matches an item, with an entity whose status is “does not exist” — what should be the result of a comparison against a state entity?  I cannot seem to find any guidance in the specification, but I am thinking that “not applicable” makes the most sense.

Is it specified and I just failed to find it?  Or, are there other opinions?  If it’s not in the specification, we should add it.

Regards,
—David Solin
To unsubscribe, send an email message to [hidden email] with
SIGNOFF OVAL-DEVELOPER-LIST
in the BODY of the message.  If you have difficulties, write to [hidden email].


Re: Question about state entity comparison with item entity where status = "does not exist"

wmunyan
David,
I am not finding anything in specifications either, but I did come across a similar issue during SCAP 1.2 testing, and some discussions that we had around this question:

http://making-security-measurable.1364806.n2.nabble.com/Comparing-a-state-entity-with-a-nonexistent-item-entity-tc7582251.html
and
http://making-security-measurable.1364806.n2.nabble.com/Item-Collection-Evaluation-tc7582334.html

Looks like the main takeaway is that the result should be "unknown".

It seems that there isn’t anything currently in the specification which would allow a <state> to be constructed in order to actually have a non-existent item pass, i.e. have an expected value of "does not exist".  It would seem to me that there would need to be some kind of modifications to the <state>'s which would allow them to specify that the expected state is something non-existent.  If we had a way of authoring that, then it would handle how to evaluate the "does not exist" entities.

Cheers,
-Bill M.


Re: Question about state entity comparison with item entity where status = "does not exist"

joval
Hmm.  Interesting threads!  Two new questions, then…

1) Did we, in 5.11, decide to permit variables to have 0 values?

2) Isn’t “not applicable” superior as a state entity comparison result against a non-existent item entity, vs. “unknown”?  Unknown makes sense when there is no corresponding item entity (which is equivalent to actually having an entity with a status of “not collected”), but when there is one with a state of “does not exist”… well, how could we not know the answer?  That would only mean we have not decided what it should mean, not that it’s not possible to determine the result.  Let’s not be too lazy!

Of course, a state entity-level existence check would be the most complete solution to this problem.  Incidentally, if we decided that the result should be “error”, I submit that we’ll be re-creating the problem we all seem to have with non-existent variable values, per my first question.

Regards,
—David Solin




Re: Question about state entity comparison with item entity where status = "does not exist"

dpeddicord
In reply to this post by wmunyan
Bill and David,
If I am understanding the issue correctly, the question is what to do when, for the test, check_existence="does not exist" is true and there is a state... In the flow diagram in the OVAL Spec. 01-20-2012, page 100, if the check_existence is not met the test returns "false". This is logical to me in that a comparison to an object which should not exist is superfluous.
Or perhaps I am misunderstanding the issue (likely).
Cheers.
Don Peddicord




Re: Question about state entity comparison with item entity where status = "does not exist"

joval
Hi Don,

The existence check is a gate through which a test passes, depending on the total number of items that exist and correspond to an object.  I am talking about the next phase, after the existence check, comparing these items to one or more states.

What to do when the item entity (e.g., command_line on a win-sc:process_item) has a status of “does not exist”, and there is a corresponding entity in the test's process_state?  What contribution does this sub-check make to the overall evaluation of the item against the state?

To illustrate, how do you compare these?

<win-def:process58_state>
  <win-def:command_line operation="not equal">winlogon.exe</win-def:command_line>
</win-def:process58_state>

<win-sc:process_item id="9">
  <oval-sc:message level="error">Exception calling &quot;IsDepEnabled&quot; with &quot;1&quot; argument(s): &quot;The parameter is incorrect&quot;</oval-sc:message>
  <win-sc:command_line status="does not exist"></win-sc:command_line>
  <win-sc:pid datatype="int">0</win-sc:pid>
  <win-sc:ppid datatype="int">0</win-sc:ppid>
  <win-sc:priority>0</win-sc:priority>
  <win-sc:current_dir status="does not exist"></win-sc:current_dir>
  <win-sc:creation_time datatype="int" status="does not exist"></win-sc:creation_time>
  <win-sc:dep_enabled datatype="boolean" status="error"></win-sc:dep_enabled>
  <win-sc:primary_window_text status="does not exist"></win-sc:primary_window_text>
  <win-sc:name>Idle</win-sc:name>
</win-sc:process_item>

I am saying the result should be “not applicable”.  Others have suggested the result should be “error” or “unknown”.

Regards,
—David Solin




Re: Question about state entity comparison with item entity where status = "does not exist"

dpeddicord
David,
Thanks for the clarification.
I don't agree that error is the response.
But I am unsure about not applicable, as it is defined as "This value indicates that the specified OVAL Object is not applicable to the system under test."  I usually think of that as something like an rpm test on a Debian system, not that a particular object item entity (unsure of my terminology here, I want to say item entity field, I cannot seem to find the term in schema or spec.) does not exist when it could possibly exist.
Unknown seems logical to me by elimination: "This value indicates that it could not be determined if the conditions of the evaluation were satisfied."
It is almost like the check existence should apply... but that would not apply as the object does exist.
Good Question.

Cheers,
Don Peddicord



Re: Question about state entity comparison with item entity where status = "does not exist"

John Ulmer
I like 'unknown.'

Item was collected and 'exists.'
Item field 'does not exist,' but, is allowed to 'not exist,' -- min occurs = 0.

State field has nothing to check against.

If the collection of the item (and its fields) did not produce an error, the item field should not show error.  If the item field does not show 'error,' then the item does not and the state check should not result in error.   The item is a compliant item.

Ergo, like Don, I end up at 'unknown.'

------------------------------------
John R.  Ulmer
SPAWAR Systems Center Atlantic
(843)218-5953
[hidden email]



Re: Question about state entity comparison with item entity where status = "does not exist"

joval
Hi Don & John,

The reason I favor “not applicable” is twofold:

1) It has quite a different effect on the evaluation logic than “unknown” — “not applicable” is much more benign, whereas “unknown” will have a strong tendency to lead to “unknown” test results.  See the logic diagrams for OperatorEnumeration: http://oval.mitre.org/language/version5.11/ovaldefinition/documentation/oval-common-schema.html#OperatorEnumeration

2) “Unknown” doesn’t fit because (to me, at least) it implies that the result is not knowable based on the information obtained.  It is the result you get when you attempt to compare a state to something that has not been collected.  But in this case, we actually have attempted to collect these entities and determined that they are not relevant to the item at hand — they cannot be collected (in the example, the system idle process simply has no “command line”).  The schema documentation description for the “does not exist” status says: “This status assumes that an attempt was made to collect the information, but the information just does not exist. This can happen when a certain entity is only pertinent to particular instances or if the information for that entity is not set.”  This perfectly describes the situation at hand.

Any collective decision would provide some necessary relief.  But what we probably really need to do is add a check_existence attribute of type ExistenceEnumeration to both EntityStateSimpleBaseType and EntityStateComplexBaseType, with a default value of “at_least_one_exists”.

If we did that, by the way, the result of my example below would be “false”.

Now, along those lines, let’s say that we’re dealing with one of those cases where the item entity can be multi-valued!  How would we express incomplete collection of those values (i.e., some can be collected, but others cannot for some reason)?  I would propose a few options:
1) An empty item entity could be added with a status of “not collected”
2) An empty item entity could be added with a status of “error”

The latter would particularly make sense if an error of some kind prevented the collection of all the item entities.  And, one could always add an error message to the item, as I have done in my original example.

Thoughts?  Would this be too much of a change to introduce in OVAL 5.11.1?  I could add this to the schema pretty easily.

Best regards,
David Solin
[hidden email]
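
The effect of each position argued in this thread on the state result, as an added example (not code from the list, the OVAL project or jOVAL). It applies the AND/OR rows of the OperatorEnumeration tables to the process item posted earlier; the second state entity (`name`), the xmlns declaration, and the mapping of "not collected" to "unknown" and "error" to "error" are assumptions made here.

```python
import xml.etree.ElementTree as ET
from collections import Counter

TRUE, FALSE, ERROR, UNKNOWN, NOT_EVALUATED, NOT_APPLICABLE = (
    "true", "false", "error", "unknown", "not evaluated", "not applicable")

# Item from the thread, trimmed. The xmlns declaration is added so that the
# fragment parses stand-alone.
ITEM_XML = """
<win-sc:process_item id="9"
    xmlns:win-sc="http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#windows">
  <win-sc:command_line status="does not exist"></win-sc:command_line>
  <win-sc:pid datatype="int">0</win-sc:pid>
  <win-sc:dep_enabled datatype="boolean" status="error"></win-sc:dep_enabled>
  <win-sc:name>Idle</win-sc:name>
</win-sc:process_item>
"""

# State entities as (entity, operation, value). The first is the state from the
# thread (OVAL's OperationEnumeration spells the operation "not equal"); the
# second is constructed here to show a state with more than one entity.
THREAD_STATE = [("command_line", "not equal", "winlogon.exe")]
TWO_ENTITY_STATE = THREAD_STATE + [("name", "equals", "Idle")]


def parse_item(xml_text):
    """Map entity name -> (status, text); a missing status attribute means 'exists'."""
    root = ET.fromstring(xml_text)
    return {child.tag.split("}")[-1]: (child.get("status", "exists"), child.text or "")
            for child in root}


def combine(operator, results):
    """Combine individual results per the OperatorEnumeration AND/OR tables."""
    if operator not in ("AND", "OR"):
        raise ValueError("only AND and OR are modelled here")
    if not results:
        raise ValueError("nothing to combine")
    counts = Counter(results)
    decisive = FALSE if operator == "AND" else TRUE   # one of these settles it
    fallback = TRUE if operator == "AND" else FALSE   # needs all others absent
    for value in (decisive, ERROR, UNKNOWN, NOT_EVALUATED, fallback):
        if counts[value]:
            return value
    return NOT_APPLICABLE  # every individual result was "not applicable"


def compare_entity(state_entity, item, does_not_exist_result):
    """Result of one state entity against the matching item entity."""
    name, operation, expected = state_entity
    status, actual = item.get(name, ("not collected", ""))
    if status == "does not exist":
        return does_not_exist_result   # the open question in this thread
    if status == "not collected":
        return UNKNOWN                 # assumption: nothing was collected to compare
    if status == "error":
        return ERROR                   # assumption: a collection error propagates
    if operation == "equals":
        return TRUE if actual == expected else FALSE
    if operation == "not equal":
        return TRUE if actual != expected else FALSE
    raise ValueError("operation not modelled: " + operation)


def evaluate_state(state, item, does_not_exist_result, operator="AND"):
    """Combine all entity results; AND is the default state operator."""
    return combine(operator,
                   [compare_entity(e, item, does_not_exist_result) for e in state])


def survey(state, item, operator="AND"):
    """State result under each candidate: the three results argued for, plus
    FALSE for the proposed entity-level check_existence="at_least_one_exists"."""
    return {candidate: evaluate_state(state, item, candidate, operator)
            for candidate in (UNKNOWN, NOT_APPLICABLE, ERROR, FALSE)}


if __name__ == "__main__":
    item = parse_item(ITEM_XML)
    for label, state in (("thread state", THREAD_STATE),
                         ("two-entity state", TWO_ENTITY_STATE)):
        for candidate, result in survey(state, item).items():
            print(f"{label}: 'does not exist' -> {candidate!r} gives {result!r}")
```

With the single-entity state from the thread, "not applicable" leaves the state result at "not applicable"; once one other entity is satisfied it becomes "true", while "unknown" stays "unknown" in both cases.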



> On Mar 5, 2015, at 9:02 AM, Ulmer, John R. <[hidden email]> wrote:
>
> I like 'unknown.'
>
> Item was collected and 'exists.'
> Item field 'does not exist,' but, is allowed to 'not exist,' -- min occurs = 0.
>
> State field has nothing to check against.
>
> If the collection of the item (and its fields) did not produce an error, the item field should not show error.  If the item field does not show 'error,' then the item does not and the state check should not result in error.   The item is a compliant item.
>
> Ergo, like, Don, I end up at 'unknown .'
>
> ------------------------------------
> John R.  Ulmer
> SPAWAR Systems Center Atlantic
> (843)218-5953
> [hidden email]
>
>
> -----Original Message-----
> From: [hidden email] [mailto:[hidden email]] On Behalf Of Peddicord, Don
> Sent: Thursday, March 05, 2015 9:47 AM
> To: [hidden email]
> Subject: Re: [OVAL-DEVELOPER-LIST] Question about state entity comparison with item entity where status = "does not exist"
>
> David,
> Thanks for the clarification.
> I don't agree that error is the response.
> But I am unsure about not applicable as it is defined as "This value indicates that the specified OVAL Object is not applicable to the system under test."  I usually think of that as something like an rpm test on a debian system.  Not that a particular object item entity (unsure of my terminology here, I want to say item entity field, I cannot seem to find term in schema or spec.) does not exist, when it could possibly exist.
> Unknown seems logical to me by elimination "This value indicates that it could not be determined if the conditions of the evaluation were satisfied."
> It is almost like the check existence should apply...but that would not apply as the object does exist.
> Good Question.
>
> Cheers,
> Don Peddicord
>
>
> -----Original Message-----
> From: [hidden email] [mailto:[hidden email]] On Behalf Of David Solin
> Sent: Thursday, March 05, 2015 8:55 AM
> To: [hidden email]
> Subject: Re: [OVAL-DEVELOPER-LIST] Question about state entity comparison with item entity where status = "does not exist"
>
> Hi Don,
>
> The existence check is a gate through which a test passes, depending on the total number of items that exist and correspond to an object.  I am talking about the next phase, after the existence check, comparing these items to one or more states.
>
> What to do when the item entity (e.g., command_line on a win-sc:process_item) has a status of “does not exist”, and there is a corresponding entity in the test's process_state?  What contribution does this sub-check make to the overall evaluation of the item against the state?
>
> To illustrate, how do you compare these?
>
> <win-def:process58_state>
>  <win-def:command_line operation="not equals">winlogon.exe</win-def:command_line>
> </win-def:process58_state>
>
> <win-sc:process_item id="9">
>  <oval-sc:message level="error">Exception calling &quot;IsDepEnabled&quot; with &quot;1&quot; argument(s): &quot;The parameter is incorrect&quot;</oval-sc:message>
>  <win-sc:command_line status="does not exist"></win-sc:command_line>
>  <win-sc:pid datatype="int">0</win-sc:pid>
>  <win-sc:ppid datatype="int">0</win-sc:ppid>
>  <win-sc:priority>0</win-sc:priority>
>  <win-sc:current_dir status="does not exist"></win-sc:current_dir>
>  <win-sc:creation_time datatype="int" status="does not exist"></win-sc:creation_time>
>  <win-sc:dep_enabled datatype="boolean" status="error"></win-sc:dep_enabled>
>  <win-sc:primary_window_text status="does not exist"></win-sc:primary_window_text>
>  <win-sc:name>Idle</win-sc:name>
> </win-sc:process_item>
>
> I am saying the result should be “not applicable”.  Others have suggested the result should be “error” or “unknown”.
>
> Regards,
> —David Solin
>
>
>
>> On Mar 5, 2015, at 7:37 AM, Peddicord, Don <[hidden email]> wrote:
>>
>> Bill and David,
>> If I am understanding the issue correctly, the question is what to do when, for the test: check_existence="does not exist" is true and there is a state .... in the flow diagram in the OVAL Spec. 01-20-2012 page 100, if the check_existence is not met the test returns "false".  This is logical to me in that a comparison to an object which should not exist is superfluous.
>> Or perhaps I am misunderstanding the issue (likely.) Cheers.
>> Don Peddicord
>>
>>
>>
>> -----Original Message-----
>> From: [hidden email]
>> [mailto:[hidden email]] On Behalf Of
>> William Munyan
>> Sent: Wednesday, March 04, 2015 10:53 AM
>> To: [hidden email]
>> Subject: Re: [OVAL-DEVELOPER-LIST] Question about state entity comparison with item entity where status = "does not exist"
>>
>> David,
>> I am not finding anything in specifications either, but I did come across a similar issue during SCAP 1.2 testing, and some discussions that we had around this question:
>>
>> http://making-security-measurable.1364806.n2.nabble.com/Comparing-a-state-entity-with-a-nonexistent-item-entity-tc7582251.html
>> and
>> http://making-security-measurable.1364806.n2.nabble.com/Item-Collection-Evaluation-tc7582334.html
>>
>> Looks like the main takeaway is that the result should be "unknown".
>>
>> It seems that there isn’t anything currently in the specification which would allow a <state> to be constructed in order to actually have a non-existent item pass, i.e. have an expected value of "does not exist".  It would seem to me that there would need to be some kind of modifications to the <state>'s which would allow them to specify that the expected state is something non-existent.  If we had a way of authoring that, then it would handle how to evaluate the "does not exist" entities.
>>
>> Cheers,
>> -Bill M.
>>
>> -----Original Message-----
>> From: David Solin [mailto:[hidden email]]
>> Sent: Wednesday, March 04, 2015 9:23 AM
>> To: [hidden email]
>> Subject: [OVAL-DEVELOPER-LIST] Question about state entity comparison with item entity where status = "does not exist"
>>
>> When an object matches an item, with an entity whose status is “does not exist” — what should be the result of a comparison against a state entity?  I cannot seem to find any guidance in the specification, but I am thinking that “not applicable” makes the most sense.
>>
>> Is it specified and I just failed to find it?  Or, are there other opinions?  If it’s not in the specification, we should add it.
>>
>> Regards,
>> —David Solin

jOVAL.org: OVAL implemented in Java.
Scan any machine from any machine. For free!
Learn More | Features | Download
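
The candidate results debated in this thread behave differently once they are combined with the other entity checks of a state. The following Python code is an added example (not part of any message here and not jOVAL code): it applies the OperatorEnumeration AND logic to the process_item from the thread under each candidate result. The two-entity state, the tuple layout for state entities, the handling of `none_exist` and of an entity missing from the item, and all function names are assumptions of the example.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample: the process_item posted in the thread, trimmed, with the
# namespace declaration the e-mail omitted so that it parses stand-alone.
ITEM_XML = """
<win-sc:process_item id="9"
    xmlns:win-sc="http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#windows">
  <win-sc:command_line status="does not exist"></win-sc:command_line>
  <win-sc:pid datatype="int">0</win-sc:pid>
  <win-sc:dep_enabled datatype="boolean" status="error"></win-sc:dep_enabled>
  <win-sc:name>Idle</win-sc:name>
</win-sc:process_item>
"""

# State entities as (name, operation, value, check_existence).
# check_existence is the attribute proposed in the thread; it is not in OVAL 5.11.
THREAD_STATE = [("command_line", "not equals", "winlogon.exe", "at_least_one_exists")]
# Constructed: the same state plus one entity that the item does satisfy.
TWO_ENTITY_STATE = THREAD_STATE + [("name", "equals", "Idle", "at_least_one_exists")]

# Candidate treatments of a "does not exist" item entity raised in the thread.
POLICIES = ("not applicable", "unknown", "error", "check_existence")


def parse_item(xml_text):
    """Map each item entity's local name to (status, text); status defaults to 'exists'."""
    root = ET.fromstring(xml_text)
    return {
        child.tag.rsplit("}", 1)[-1]: (child.get("status", "exists"), child.text or "")
        for child in root
    }


def oval_and(results):
    """Combine results the way the OperatorEnumeration AND truth table does."""
    seen = Counter(results)
    for dominant in ("false", "error", "unknown", "not evaluated"):
        if seen[dominant]:
            return dominant
    # Only 'true' and 'not applicable' remain: NA is ignored unless it is all there is.
    return "true" if seen["true"] else "not applicable"


def compare_entity(item, entity, policy):
    """Result of one state entity against the matching item entity."""
    name, operation, expected, check_existence = entity
    # Assumption: an entity missing from the item is treated as "does not exist".
    status, value = item.get(name, ("does not exist", ""))
    if status == "error":
        return "error"
    if status == "not collected":
        return "unknown"  # documented: the entity of the item was not collected
    if status == "does not exist":
        if policy != "check_existence":
            return policy
        # "false" for the default is what the thread states; "true" for
        # none_exist is this example's assumption about the proposal.
        return "true" if check_existence == "none_exist" else "false"
    if policy == "check_existence" and check_existence == "none_exist":
        return "false"  # assumption: the state required absence, the entity is present
    if operation == "equals":
        return "true" if value == expected else "false"
    if operation == "not equals":
        return "true" if value != expected else "false"
    raise ValueError(f"operation not covered by this example: {operation}")


def evaluate_state(item, state, policy):
    """AND together the per-entity results (AND is the state's default operator)."""
    return oval_and(compare_entity(item, entity, policy) for entity in state)


def compare_policies(item, state):
    """State result for the same item under each candidate policy."""
    return {policy: evaluate_state(item, state, policy) for policy in POLICIES}


if __name__ == "__main__":
    item = parse_item(ITEM_XML)
    for label, state in (("thread state", THREAD_STATE),
                         ("two-entity state", TWO_ENTITY_STATE)):
        for policy, result in compare_policies(item, state).items():
            print(f"{label:17} {policy:16} -> {result}")
```

With the two-entity state, "not applicable" drops out of the AND and the state evaluates to "true", while "unknown" and "error" carry through to the state result.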


Re: Question about state entity comparison with item entity where status = "does not exist"

wmunyan
In reply to this post by John Ulmer
Don & John,

I'm not sure I agree with that.  "Unknown" results are documented "...because an assertion of whether or not the item matches the state could not be determined since the entity of the item was not collected".

So I would argue that if an item's entity (the <command_line> in this example) is set to "not collected" then "unknown" would be a feasible result, because the system did not attempt to collect a value, so an evaluation engine cannot determine if it matches the state.

Because this item was collected, I feel like there should be some determination of a result.  It doesn’t seem like any of the existing result enumeration values fit this use case 100%.

Having just read David's reply, I would agree with him that a check_existence attribute to the "EntityState" base types makes sense.

Cheers,
-Bill M.



Re: Question about state entity comparison with item entity where status = "does not exist"

John Ulmer
In reply to this post by joval
I'm not sure how and when an OVAL processing tool could determine what is and is not applicable.  The myriad complexities of how content authors can assemble content mean many objects and states are used to feed any number of others (objects and filters and such).  Some objects and states might be relatively straightforward.  Others can be so flexible in what they collect that determining when a 'dne' is because it is not 'applicable' would be quite difficult.  E.g. a textfilecontent subexpression.  If we find the file and match the pattern and fail to match a subexpression, then we end up with an item that exists and can have a subexpression field that is a 'dne.'  How does the processing tool determine if that attempt to gather that subexpression was a reasonable thing for the content author to do in a given context?

Thinking about your suggestion
        "...need to do is add a check_existence attribute of type
        ExistenceEnumeration to both EntityStateSimpleBaseType
        and EntityStateComplexBaseType, with a default value of
        “at_least_one_exists”."

That might work perfectly and then the noise of how to handle this situation disappears.

------------------------------------
John R.  Ulmer
SPAWAR Systems Center Atlantic
(843)218-5953
[hidden email]


-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of David Solin
Sent: Thursday, March 05, 2015 10:24 AM
To: [hidden email]
Subject: Re: [OVAL-DEVELOPER-LIST] Question about state entity comparison with item entity where status = "does not exist"

Hi Don & John,

The reason I favor “not applicable” is twofold:

1) It has quite a different effect on the evaluation logic than “unknown” — “not applicable” is much more benign, whereas “unknown” will have a strong tendency to lead to “unknown” test results.  See the logic diagrams for OperatorEnumeration: http://oval.mitre.org/language/version5.11/ovaldefinition/documentation/oval-common-schema.html#OperatorEnumeration

2) “Unknown” doesn’t fit because (to me, at least) it implies that the result is not knowable based on the information obtained.  It is the result you get when you attempt to compare a state to something that has not been collected.  But in this case, we actually have attempted to collect these entities and determined that they are not relevant to the item at hand — they cannot be collected (in the example, the system idle process simply has no “command line”).  The schema documentation description for the “does not exist” status says: “This status assumes that an attempt was made to collect the information, but the information just does not exist. This can happen when a certain entity is only pertinent to particular instances or if the information for that entity is not set.”  This perfectly describes the situation at hand.

Any collective decision would provide some necessary relief.  But what we probably really need to do is add a check_existence attribute of type ExistenceEnumeration to both EntityStateSimpleBaseType and EntityStateComplexBaseType, with a default value of “at_least_one_exists”.

If we did that, by the way, the result of my example below would be “false”.

Now, along those lines, let’s say that we’re dealing with one of those cases where the item entity can be multi-valued!  How would we express incomplete collection of those values (i.e., some can be collected, but others cannot for some reason)?  I would propose a few options:
1) An empty item entity could be added with a status of “not collected”
2) An empty item entity could be added with a status of “error”

The latter would particularly make sense if an error of some kind prevented the collection of all the item entities.  And, one could always add an error message to the item, as I have done in my original example.

Thoughts?  Would this be too much of a change to introduce in OVAL 5.11.1?  I could add this to the schema pretty easily.

Best regards,
David Solin
[hidden email]




Re: Question about state entity comparison with item entity where status = "does not exist"

joval
I’ve made the schema changes I described in a 5.11.X branch of our open-source data model project, including document annotations:

https://github.com/joval/jOVAL/blob/5.11.X/scap/schemas/oval-5.11/oval-definitions-schema.xsd

Let me know if you have any feedback.

Regards,
—David Solin

> On Mar 5, 2015, at 9:57 AM, Ulmer, John R. <[hidden email]> wrote:
>
> I'm not sure how and when an OVAL processing tool could determine what is and is not applicable.  The myriad complexities of how content authors can assemble content mean many objects and states are used to feed any number of others (objects and filters and such).  Some objects and states might be relatively straightforward.  Others can be so flexible in what they collect that determining when a 'dne' is because it is not 'applicable' would be quite difficult.  E.g. a textfilecontent subexpression.  If we find the file and match the pattern and fail to match a subexpression, then we end up with an item that exists and can have a subexpression field that is a 'dne.'  How does the processing tool determine if that attempt to gather that subexpression was a reasonable thing for the content author to do in a given context?
>
> Thinking about your suggestion
> "...need to do is add a check_existence attribute of type
> ExistenceEnumeration to both EntityStateSimpleBaseType
> and EntityStateComplexBaseType, with a default value of
> “at_least_one_exists”."
>
> That might work perfectly and then the noise of how to handle this situation disappears.
>
> ------------------------------------
> John R.  Ulmer
> SPAWAR Systems Center Atlantic
> (843)218-5953
> [hidden email]
>
>
> -----Original Message-----
> From: [hidden email] [mailto:[hidden email]] On Behalf Of David Solin
> Sent: Thursday, March 05, 2015 10:24 AM
> To: [hidden email]
> Subject: Re: [OVAL-DEVELOPER-LIST] Question about state entity comparison with item entity where status = "does not exist"
>
> Hi Don & John,
>
> The reason I favor “not applicable” is twofold:
>
> 1) It has quite a different effect on the evaluation logic than “unknown” — “not applicable” is much more benign, whereas “unknown” will have a strong tendency to lead to “unknown” test results.  See the logic diagrams for OperatorEnumeration: http://oval.mitre.org/language/version5.11/ovaldefinition/documentation/oval-common-schema.html#OperatorEnumeration
>
> 2) “Unknown” doesn’t fit because (to me, at least) it implies that the result is not knowable based on the information obtained.  It is the result you get when you attempt to compare a state to something that has not been collected.  But in this case, we actually have attempted to collect these entities and determined that they are not relevant to the item at hand — they cannot be collected (in the example, the system idle process simply has no “command line”).  The schema documentation description for the “does not exist” status says: “This status assumes that an attempt was made to collect the information, but the information just does not exist. This can happen when a certain entity is only pertinent to particular instances or if the information for that entity is not set.”  This perfectly describes the situation at hand.
>
> Any collective decision would provide some necessary relief.  But what we probably really need to do is add a check_existence attribute of type ExistenceEnumeration to both EntityStateSimpleBaseType and EntityStateComplexBaseType, with a default value of “at_least_one_exists”.
>
> If we did that, by the way, the result of my example below would be “false”.
>
> Now, along those lines, let’s say that we’re dealing with one of those cases where the item entity can be multi-valued!  How would we express incomplete collection of those values (i.e., some can be collected, but others cannot for some reason)?  I would propose a few options:
> 1) An empty item entity could be added with a status of “not collected”
> 2) An empty item entity could be added with a status of “error”
>
> The latter would particularly make sense if an error of some kind prevented the collection of all the item entities.  And, one could always add an error message to the item, as I have done in my original example.
>
> Thoughts?  Would this be too much of a change to introduce in OVAL 5.11.1?  I could add this to the schema pretty easily.
>
> Best regards,
> David Solin
> [hidden email]
>
>
>
>> On Mar 5, 2015, at 9:02 AM, Ulmer, John R. <[hidden email]> wrote:
>>
>> I like 'unknown.'
>>
>> Item was collected and 'exists.'
>> Item field 'does not exist,' but, is allowed to 'not exist,' -- min occurs = 0.
>>
>> State field has nothing to check against.
>>
>> If the collection of the item (and its fields) did not produce an error, the item field should not show error.  If the item field does not show 'error,' then the item does not and the state check should not result in error.   The item is a compliant item.
>>
>> Ergo, like, Don, I end up at 'unknown .'
>>
>> ------------------------------------
>> John R.  Ulmer
>> SPAWAR Systems Center Atlantic
>> (843)218-5953
>> [hidden email]
>>
>>
>> -----Original Message-----
>> From: [hidden email] [mailto:[hidden email]] On Behalf Of Peddicord, Don
>> Sent: Thursday, March 05, 2015 9:47 AM
>> To: [hidden email]
>> Subject: Re: [OVAL-DEVELOPER-LIST] Question about state entity comparison with item entity where status = "does not exist"
>>
>> David ,
>> Thanks for the clarification.
>> I don't agree that  error is the response.
>> But I am unsure about not applicable  as it is defined as "This value indicates that the specified OVAL Object is not applicable to the system under test."  I usually think of that as a something like an rpm test on a debian system.  Not that a particular  object item  entity (unsure of my terminology here, I want to say item entity field, I cannot seem to find term in schema or spec.) does not exist, When it could possibly exist.
>> Unknown seems logical to me by elimination "This value indicates that it could not be determined if the conditions of the evaluation were satisfied."
>> It is almost like the check existence  should apply...but that would not apply as the object does exist.
>> Good Question.
>>
>> Cheers,
>> Don Peddicord
>>
>>
>> -----Original Message-----
>> From: [hidden email] [mailto:[hidden email]] On Behalf Of David Solin
>> Sent: Thursday, March 05, 2015 8:55 AM
>> To: [hidden email]
>> Subject: Re: [OVAL-DEVELOPER-LIST] Question about state entity comparison with item entity where status = "does not exist"
>>
>> Hi Don,
>>
>> The existence check is a gate through which a test passes, depending on the total number of items exist that correspond to an object.  I am talking about the next phase, after the existence check, comparing these items to one or more states.
>>
>> What to do when the item entity (e.g., command_line on a win-sc:process_item) has a status of “does not exist”, and there is a corresponding entity in the test's process_state?  What contribution does this sub-check make to the overall evaluation of the item against the state?
>>
>> To illustrate, how do you compare these?
>>
>> <win-def:process58_state>
>> <win-def:command_line operation="not equals">winlogon.exe</win-def:command_line>
>> </win-def:process58_state>
>>
>> <win-sc:process_item id="9">
>> <oval-sc:message level="error">Exception calling &quot;IsDepEnabled&quot; with &quot;1&quot; argument(s): &quot;The parameter is incorrect&quot;</oval-sc:message>
>> <win-sc:command_line status="does not exist"></win-sc:command_line>
>> <win-sc:pid datatype="int">0</win-sc:pid>
>> <win-sc:ppid datatype="int">0</win-sc:ppid>
>> <win-sc:priority>0</win-sc:priority>
>> <win-sc:current_dir status="does not exist"></win-sc:current_dir>
>> <win-sc:creation_time datatype="int" status="does not exist"></win-sc:creation_time>
>> <win-sc:dep_enabled datatype="boolean" status="error"></win-sc:dep_enabled>
>> <win-sc:primary_window_text status="does not exist"></win-sc:primary_window_text>
>> <win-sc:name>Idle</win-sc:name>
>> </win-sc:process_item>
>>
>> I am saying the result should be “not applicable”.  Others have suggested the result should be “error” or “unknown”.
>>
>> Regards,
>> —David Solin
>>
>>
>>
>>> On Mar 5, 2015, at 7:37 AM, Peddicord, Don <[hidden email]> wrote:
>>>
>>> Bill and David,
>>> If I am understanding the issue correctly the question is what to do when, for the test:  check_existence="does not exist" is true and there is a state .... in the flow diagram in the OVAL Spec. 01-20-2012 page 100,  if the check_existence is not met the test returns "false"  This is logical to me in that  a comparison to an object which should not exist is superfluous.
>>> Or perhaps I am misunderstanding the issue (likely.) Cheers.
>>> Don Peddicord
>>>
>>>
>>>
>>> -----Original Message-----
>>> From: [hidden email]
>>> [mailto:[hidden email]] On Behalf Of
>>> William Munyan
>>> Sent: Wednesday, March 04, 2015 10:53 AM
>>> To: [hidden email]
>>> Subject: Re: [OVAL-DEVELOPER-LIST] Question about state entity comparison with item entity where status = "does not exist"
>>>
>>> David,
>>> I am not finding anything in specifications either, but I did come across a similar issue during SCAP 1.2 testing, and some discussions that we had around this question:
>>>
>>> http://making-security-measurable.1364806.n2.nabble.com/Comparing-a-state-entity-with-a-nonexistent-item-entity-tc7582251.html
>>> and
>>> http://making-security-measurable.1364806.n2.nabble.com/Item-Collection-Evaluation-tc7582334.html
>>>
>>> Looks like the main takeaway is that the result should be "unknown".
>>>
>>> It seems that there isn’t anything currently in the specification which would allow a <state> to be constructed in order to actually have a non-existent item pass, i.e. have an expected value of "does not exist".  It would seem to me that there would need to be some kind of modifications to the <state>'s which would allow them to specify that the expected state is something non-existent.  If we had a way of authoring that, then it would handle how to evaluate the "does not exist" entities.
>>>
>>> Cheers,
>>> -Bill M.
>>>
>>> -----Original Message-----
>>> From: David Solin [mailto:[hidden email]]
>>> Sent: Wednesday, March 04, 2015 9:23 AM
>>> To: [hidden email]
>>> Subject: [OVAL-DEVELOPER-LIST] Question about state entity comparison with item entity where status = "does not exist"
>>>
>>> When an object matches an item, with an entity whose status is “does not exist” — what should be the result of a comparison against a state entity?  I cannot seem to find any guidance in the specification, but I am thinking that “not applicable” makes the most sense.
>>>
>>> Is it specified and I just failed to find it?  Or, are there other opinions?  If it’s not in the specification, we should add it.
>>>
>>> Regards,
>>> —David Solin

Re: Question about state entity comparison with item entity where status = "does not exist"

joval
In reply to this post by John Ulmer
There is actually one last matter to settle here…

How do we handle the case where a state entity is compared against a nilled item entity?

For instance, if you created a file_state with <filename check_existence="does not exist"/>, should that be permitted to indicate you want the object to represent a directory?

Regards,
—David Solin



> On Mar 5, 2015, at 9:57 AM, Ulmer, John R. <[hidden email]> wrote:
>
> I'm not sure how and when an OVAL processing tool could determine what is and is not applicable.  The myriad complexities of how content authors can assemble content mean many objects and states are used to feed any number of others (objects and filters and such).  Some objects and states might be relatively straight forward.  Others can be so flexible in what they collect that determining when a 'dne' is because it is not 'applicable' would be quite difficult.  E.g. a textfilecontent subexpression.  If we find the file and match the pattern and fail to match a subexpression, then we end up with an item that exists and can have a subexpression field that is a 'dne.'  How does the processing tool determine if that attempt to gather that subexpression was a reasonable thing for the content author to do in a given context?
>
> Thinking about your suggestion
> " ...need to do is add a check_existence attribute of type
> ExistenceEnumeration to both EntityStateSimpleBaseType
> and EntityStateComplexBaseType, with a default value of
> at_least_one_exists”."
>
> That might work perfectly and then noise of how to handle this situation disappears.
>
> ------------------------------------
> John R.  Ulmer
> SPAWAR Systems Center Atlantic
> (843)218-5953
> [hidden email]
>
>
> -----Original Message-----
> From: [hidden email] [mailto:[hidden email]] On Behalf Of David Solin
> Sent: Thursday, March 05, 2015 10:24 AM
> To: [hidden email]
> Subject: Re: [OVAL-DEVELOPER-LIST] Question about state entity comparison with item entity where status = "does not exist"
>
> Hi Don & John,
>
> The reason I favor “not applicable” is twofold:
>
> 1) It has quite a different effect on the evaluation logic than “unknown” — “not applicable” is much more benign, whereas “unknown” will have a strong tendency to lead to “unknown” test results.  See the logic diagrams for OperatorEnumeration: http://oval.mitre.org/language/version5.11/ovaldefinition/documentation/oval-common-schema.html#OperatorEnumeration
>
> 2) “Unknown” doesn’t fit because (to me, at least) it implies that the result is not knowable based on the information obtained.  It is the result you get when you attempt to compare a state to something that has not been collected.  But in this case, we actually have attempted to collect these entities and determined that they are not relevant to the item at hand — they cannot be collected (in the example, the system idle process simply has no “command line”).  The schema documentation description for the “does not exist” status says: “This status assumes that an attempt was made to collect the information, but the information just does not exist. This can happen when a certain entity is only pertinent to particular instances or if the information for that entity is not set.”  This perfectly describes the situation at hand.
>
> Any collective decision would provide some necessary relief.  But what we probably really need to do is add a check_existence attribute of type ExistenceEnumeration to both EntityStateSimpleBaseType and EntityStateComplexBaseType, with a default value of “at_least_one_exists”.
>
> If we did that, by the way, the result of my example below would be “false”.
>
> Now, along those lines, let’s say that we’re dealing with one of those cases where the item entity can be multi-valued!  How would we express incomplete collection of those values (i.e., some can be collected, but others cannot for some reason)?  I would propose a few options:
> 1) An empty item entity could be added with a status of “not collected”
> 2) An empty item entity could be added with a status of “error”
>
> The latter would particularly make sense if an error of some kind prevented the collection of all the item entities.  And, one could always add an error message to the item, as I have done in my original example.
>
> Thoughts?  Would this be too much of a change to introduce in OVAL 5.11.1?  I could add this to the schema pretty easily.
>
> Best regards,
> David Solin
> [hidden email]
>
>
>
>> On Mar 5, 2015, at 9:02 AM, Ulmer, John R. <[hidden email]> wrote:
>>
>> I like 'unknown.'
>>
>> Item was collected and 'exists.'
>> Item field 'does not exist,' but, is allowed to 'not exist,' -- min occurs = 0.
>>
>> State field has nothing to check against.
>>
>> If the collection of the item (and its fields) did not produce an error, the item field should not show error.  If the item field does not show 'error,' then the item does not and the state check should not result in error.   The item is a compliant item.
>>
>> Ergo, like, Don, I end up at 'unknown .'
>>
>> ------------------------------------
>> John R.  Ulmer
>> SPAWAR Systems Center Atlantic
>> (843)218-5953
>> [hidden email]
>>
>>
>> -----Original Message-----
>> From: [hidden email] [mailto:[hidden email]] On Behalf Of Peddicord, Don
>> Sent: Thursday, March 05, 2015 9:47 AM
>> To: [hidden email]
>> Subject: Re: [OVAL-DEVELOPER-LIST] Question about state entity comparison with item entity where status = "does not exist"
>>
>> David ,
>> Thanks for the clarification.
>> I don't agree that  error is the response.
>> But I am unsure about not applicable  as it is defined as "This value indicates that the specified OVAL Object is not applicable to the system under test."  I usually think of that as a something like an rpm test on a debian system.  Not that a particular  object item  entity (unsure of my terminology here, I want to say item entity field, I cannot seem to find term in schema or spec.) does not exist, When it could possibly exist.
>> Unknown seems logical to me by elimination "This value indicates that it could not be determined if the conditions of the evaluation were satisfied."
>> It is almost like the check existence  should apply...but that would not apply as the object does exist.
>> Good Question.
>>
>> Cheers,
>> Don Peddicord
>>
>>
>> -----Original Message-----
>> From: [hidden email] [mailto:[hidden email]] On Behalf Of David Solin
>> Sent: Thursday, March 05, 2015 8:55 AM
>> To: [hidden email]
>> Subject: Re: [OVAL-DEVELOPER-LIST] Question about state entity comparison with item entity where status = "does not exist"
>>
>> Hi Don,
>>
>> The existence check is a gate through which a test passes, depending on the total number of items exist that correspond to an object.  I am talking about the next phase, after the existence check, comparing these items to one or more states.
>>
>> What to do when the item entity (e.g., command_line on a win-sc:process_item) has a status of “does not exist”, and there is a corresponding entity in the test's process_state?  What contribution does this sub-check make to the overall evaluation of the item against the state?
>>
>> To illustrate, how do you compare these?
>>
>> <win-def:process58_state>
>> <win-def:command_line operation="not equals">winlogon.exe</win-def:command_line>
>> </win-def:process58_state>
>>
>> <win-sc:process_item id="9">
>> <oval-sc:message level="error">Exception calling &quot;IsDepEnabled&quot; with &quot;1&quot; argument(s): &quot;The parameter is incorrect&quot;</oval-sc:message>
>> <win-sc:command_line status="does not exist"></win-sc:command_line>
>> <win-sc:pid datatype="int">0</win-sc:pid>
>> <win-sc:ppid datatype="int">0</win-sc:ppid>
>> <win-sc:priority>0</win-sc:priority>
>> <win-sc:current_dir status="does not exist"></win-sc:current_dir>
>> <win-sc:creation_time datatype="int" status="does not exist"></win-sc:creation_time>
>> <win-sc:dep_enabled datatype="boolean" status="error"></win-sc:dep_enabled>
>> <win-sc:primary_window_text status="does not exist"></win-sc:primary_window_text>
>> <win-sc:name>Idle</win-sc:name>
>> </win-sc:process_item>
>>
>> I am saying the result should be “not applicable”.  Others have suggested the result should be “error” or “unknown”.
>>
>> Regards,
>> —David Solin
>>
>>
>>
>>> On Mar 5, 2015, at 7:37 AM, Peddicord, Don <[hidden email]> wrote:
>>>
>>> Bill and David,
>>> If I am understanding the issue correctly the question is what to do when, for the test:  check_existence="does not exist" is true and there is a state .... in the flow diagram in the OVAL Spec. 01-20-2012 page 100,  if the check_existence is not met the test returns "false"  This is logical to me in that  a comparison to an object which should not exist is superfluous.
>>> Or perhaps I am misunderstanding the issue (likely.) Cheers.
>>> Don Peddicord
>>>
>>>
>>>
>>> -----Original Message-----
>>> From: [hidden email]
>>> [mailto:[hidden email]] On Behalf Of
>>> William Munyan
>>> Sent: Wednesday, March 04, 2015 10:53 AM
>>> To: [hidden email]
>>> Subject: Re: [OVAL-DEVELOPER-LIST] Question about state entity comparison with item entity where status = "does not exist"
>>>
>>> David,
>>> I am not finding anything in specifications either, but I did come across a similar issue during SCAP 1.2 testing, and some discussions that we had around this question:
>>>
>>> http://making-security-measurable.1364806.n2.nabble.com/Comparing-a-state-entity-with-a-nonexistent-item-entity-tc7582251.html
>>> and
>>> http://making-security-measurable.1364806.n2.nabble.com/Item-Collection-Evaluation-tc7582334.html
>>>
>>> Looks like the main takeaway is that the result should be "unknown".
>>>
>>> It seems that there isn’t anything currently in the specification which would allow a <state> to be constructed in order to actually have a non-existent item pass, i.e. have an expected value of "does not exist".  It would seem to me that there would need to be some kind of modifications to the <state>'s which would allow them to specify that the expected state is something non-existent.  If we had a way of authoring that, then it would handle how to evaluate the "does not exist" entities.
>>>
>>> Cheers,
>>> -Bill M.
>>>
>>> -----Original Message-----
>>> From: David Solin [mailto:[hidden email]]
>>> Sent: Wednesday, March 04, 2015 9:23 AM
>>> To: [hidden email]
>>> Subject: [OVAL-DEVELOPER-LIST] Question about state entity comparison with item entity where status = "does not exist"
>>>
>>> When an object matches an item, with an entity whose status is “does not exist” — what should be the result of a comparison against a state entity?  I cannot seem to find any guidance in the specification, but I am thinking that “not applicable” makes the most sense.
>>>
>>> Is it specified and I just failed to find it?  Or, are there other opinions?  If it’s not in the specification, we should add it.
>>>
>>> Regards,
>>> —David Solin

Re: Question about state entity comparison with item entity where status = "does not exist"

joval
I spoke too soon.  There is even one more question, which unfortunately resembles the original question:

Let’s say that check_existence=“any exist” … how should we then perform the comparison if the item entity doesn’t exist?

I believe that “any exist” doesn’t make sense in this context, so I think I will add a schema restriction to disallow it...

Thoughts?

—David Solin


> On Mar 5, 2015, at 1:33 PM, David Solin <[hidden email]> wrote:
>
> There is actually one last matter to settle here…
>
> How do we handle the case where a state entity is compared against a nilled item entity?
>
> For instance, if you created a file_state with <filename check_existence="does not exist"/>, should that be permitted to indicate you want the object to represent a directory?
>
> Regards,
> —David Solin
>
>
>
>> On Mar 5, 2015, at 9:57 AM, Ulmer, John R. <[hidden email]> wrote:
>>
>> I'm not sure how and when an OVAL processing tool could determine what is and is not applicable.  The myriad complexities of how content authors can assemble content mean many objects and states are used to feed any number of others (objects and filters and such).  Some objects and states might be relatively straight forward.  Others can be so flexible in what they collect that determining when a 'dne' is because it is not 'applicable' would be quite difficult.  E.g. a textfilecontent subexpression.  If we find the file and match the pattern and fail to match a subexpression, then we end up with an item that exists and can have a subexpression field that is a 'dne.'  How does the processing tool determine if that attempt to gather that subexpression was a reasonable thing for the content author to do in a given context?
>>
>> Thinking about your suggestion
>> " ...need to do is add a check_existence attribute of type
>> ExistenceEnumeration to both EntityStateSimpleBaseType
>> and EntityStateComplexBaseType, with a default value of
>> at_least_one_exists”."
>>
>> That might work perfectly and then noise of how to handle this situation disappears.
>>
>> ------------------------------------
>> John R.  Ulmer
>> SPAWAR Systems Center Atlantic
>> (843)218-5953
>> [hidden email]
>>
>>
>> -----Original Message-----
>> From: [hidden email] [mailto:[hidden email]] On Behalf Of David Solin
>> Sent: Thursday, March 05, 2015 10:24 AM
>> To: [hidden email]
>> Subject: Re: [OVAL-DEVELOPER-LIST] Question about state entity comparison with item entity where status = "does not exist"
>>
>> Hi Don & John,
>>
>> The reason I favor “not applicable” is twofold:
>>
>> 1) It has quite a different effect on the evaluation logic than “unknown” — “not applicable” is much more benign, whereas “unknown” will have a strong tendency to lead to “unknown” test results.  See the logic diagrams for OperatorEnumeration: http://oval.mitre.org/language/version5.11/ovaldefinition/documentation/oval-common-schema.html#OperatorEnumeration
>>
>> 2) “Unknown” doesn’t fit because (to me, at least) it implies that the result is not knowable based on the information obtained.  It is the result you get when you attempt to compare a state to something that has not been collected.  But in this case, we actually have attempted to collect these entities and determined that they are not relevant to the item at hand — they cannot be collected (in the example, the system idle process simply has no “command line”).  The schema documentation description for the “does not exist” status says: “This status assumes that an attempt was made to collect the information, but the information just does not exist. This can happen when a certain entity is only pertinent to particular instances or if the information for that entity is not set.”  This perfectly describes the situation at hand.
>>
>> Any collective decision would provide some necessary relief.  But what we probably really need to do is add a check_existence attribute of type ExistenceEnumeration to both EntityStateSimpleBaseType and EntityStateComplexBaseType, with a default value of “at_least_one_exists”.
>>
>> If we did that, by the way, the result of my example below would be “false”.
>>
>> Now, along those lines, let’s say that we’re dealing with one of those cases where the item entity can be multi-valued!  How would we express incomplete collection of those values (i.e., some can be collected, but others cannot for some reason)?  I would propose a few options:
>> 1) An empty item entity could be added with a status of “not collected”
>> 2) An empty item entity could be added with a status of “error”
>>
>> The latter would particularly make sense if an error of some kind prevented the collection of all the item entities.  And, one could always add an error message to the item, as I have done in my original example.
>>
>> Thoughts?  Would this be too much of a change to introduce in OVAL 5.11.1?  I could add this to the schema pretty easily.
>>
>> Best regards,
>> David Solin
>> [hidden email]
>>
>>
>>
>>> On Mar 5, 2015, at 9:02 AM, Ulmer, John R. <[hidden email]> wrote:
>>>
>>> I like 'unknown.'
>>>
>>> Item was collected and 'exists.'
>>> Item field 'does not exist,' but, is allowed to 'not exist,' -- min occurs = 0.
>>>
>>> State field has nothing to check against.
>>>
>>> If the collection of the item (and its fields) did not produce an error, the item field should not show error.  If the item field does not show 'error,' then the item does not and the state check should not result in error.   The item is a compliant item.
>>>
>>> Ergo, like, Don, I end up at 'unknown .'
>>>
>>> ------------------------------------
>>> John R.  Ulmer
>>> SPAWAR Systems Center Atlantic
>>> (843)218-5953
>>> [hidden email]
>>>
>>>
>>> -----Original Message-----
>>> From: [hidden email] [mailto:[hidden email]] On Behalf Of Peddicord, Don
>>> Sent: Thursday, March 05, 2015 9:47 AM
>>> To: [hidden email]
>>> Subject: Re: [OVAL-DEVELOPER-LIST] Question about state entity comparison with item entity where status = "does not exist"
>>>
>>> David ,
>>> Thanks for the clarification.
>>> I don't agree that  error is the response.
>>> But I am unsure about not applicable  as it is defined as "This value indicates that the specified OVAL Object is not applicable to the system under test."  I usually think of that as a something like an rpm test on a debian system.  Not that a particular  object item  entity (unsure of my terminology here, I want to say item entity field, I cannot seem to find term in schema or spec.) does not exist, When it could possibly exist.
>>> Unknown seems logical to me by elimination "This value indicates that it could not be determined if the conditions of the evaluation were satisfied."
>>> It is almost like the check existence  should apply...but that would not apply as the object does exist.
>>> Good Question.
>>>
>>> Cheers,
>>> Don Peddicord
>>>
>>>
>>> -----Original Message-----
>>> From: [hidden email] [mailto:[hidden email]] On Behalf Of David Solin
>>> Sent: Thursday, March 05, 2015 8:55 AM
>>> To: [hidden email]
>>> Subject: Re: [OVAL-DEVELOPER-LIST] Question about state entity comparison with item entity where status = "does not exist"
>>>
>>> Hi Don,
>>>
>>> The existence check is a gate through which a test passes, depending on the total number of items exist that correspond to an object.  I am talking about the next phase, after the existence check, comparing these items to one or more states.
>>>
>>> What to do when the item entity (e.g., command_line on a win-sc:process_item) has a status of “does not exist”, and there is a corresponding entity in the test's process_state?  What contribution does this sub-check make to the overall evaluation of the item against the state?
>>>
>>> To illustrate, how do you compare these?
>>>
>>> <win-def:process58_state>
>>> <win-def:command_line operation="not equals">winlogon.exe</win-def:command_line>
>>> </win-def:process58_state>
>>>
>>> <win-sc:process_item id="9">
>>> <oval-sc:message level="error">Exception calling &quot;IsDepEnabled&quot; with &quot;1&quot; argument(s): &quot;The parameter is incorrect&quot;</oval-sc:message>
>>> <win-sc:command_line status="does not exist"></win-sc:command_line>
>>> <win-sc:pid datatype="int">0</win-sc:pid>
>>> <win-sc:ppid datatype="int">0</win-sc:ppid>
>>> <win-sc:priority>0</win-sc:priority>
>>> <win-sc:current_dir status="does not exist"></win-sc:current_dir>
>>> <win-sc:creation_time datatype="int" status="does not exist"></win-sc:creation_time>
>>> <win-sc:dep_enabled datatype="boolean" status="error"></win-sc:dep_enabled>
>>> <win-sc:primary_window_text status="does not exist"></win-sc:primary_window_text>
>>> <win-sc:name>Idle</win-sc:name>
>>> </win-sc:process_item>
>>>
>>> I am saying the result should be “not applicable”.  Others have suggested the result should be “error” or “unknown”.
>>>
>>> Regards,
>>> —David Solin
>>>
>>>
>>>
>>>> On Mar 5, 2015, at 7:37 AM, Peddicord, Don <[hidden email]> wrote:
>>>>
>>>> Bill and David,
>>>> If I am understanding the issue correctly the question is what to do when, for the test:  check_existence="does not exist" is true and there is a state .... in the flow diagram in the OVAL Spec. 01-20-2012 page 100,  if the check_existence is not met the test returns "false"  This is logical to me in that  a comparison to an object which should not exist is superfluous.
>>>> Or perhaps I am misunderstanding the issue (likely.) Cheers.
>>>> Don Peddicord
>>>>
>>>>
>>>>
>>>> -----Original Message-----
>>>> From: [hidden email]
>>>> [mailto:[hidden email]] On Behalf Of
>>>> William Munyan
>>>> Sent: Wednesday, March 04, 2015 10:53 AM
>>>> To: [hidden email]
>>>> Subject: Re: [OVAL-DEVELOPER-LIST] Question about state entity comparison with item entity where status = "does not exist"
>>>>
>>>> David,
>>>> I am not finding anything in specifications either, but I did come across a similar issue during SCAP 1.2 testing, and some discussions that we had around this question:
>>>>
>>>> http://making-security-measurable.1364806.n2.nabble.com/Comparing-a-state-entity-with-a-nonexistent-item-entity-tc7582251.html
>>>> and
>>>> http://making-security-measurable.1364806.n2.nabble.com/Item-Collection-Evaluation-tc7582334.html
>>>>
>>>> Looks like the main takeaway is that the result should be "unknown".
>>>>
>>>> It seems that there isn’t anything currently in the specification which would allow a <state> to be constructed in order to actually have a non-existent item pass, i.e. have an expected value of "does not exist".  It would seem to me that there would need to be some kind of modifications to the <state>'s which would allow them to specify that the expected state is something non-existent.  If we had a way of authoring that, then it would handle how to evaluate the "does not exist" entities.
>>>>
>>>> Cheers,
>>>> -Bill M.
>>>>
>>>> -----Original Message-----
>>>> From: David Solin [mailto:[hidden email]]
>>>> Sent: Wednesday, March 04, 2015 9:23 AM
>>>> To: [hidden email]
>>>> Subject: [OVAL-DEVELOPER-LIST] Question about state entity comparison with item entity where status = "does not exist"
>>>>
>>>> When an object matches an item, with an entity whose status is “does not exist” — what should be the result of a comparison against a state entity?  I cannot seem to find any guidance in the specification, but I am thinking that “not applicable” makes the most sense.
>>>>
>>>> Is it specified and I just failed to find it?  Or, are there other opinions?  If it’s not in the specification, we should add it.
>>>>
>>>> Regards,
>>>> —David Solin

Re: Question about state entity comparison with item entity where status = "does not exist"

Mark R. Wagner
In reply to this post by joval
Please remove me from your developer list.  I have tried but had no luck and I still receive quite a few emails.  Thanks

MARK R. WAGNER, P.E.
Artemis, Inc.
14301 First National Bank Parkway, Suite 100
Omaha,  NE  68154
402-651-5190
[hidden email]

________________________________________
From: David Solin <[hidden email]>
Sent: Thursday, March 5, 2015 11:08 AM
To: [hidden email]
Subject: Re: [OVAL-DEVELOPER-LIST] Question about state entity comparison with item entity where status = "does not exist"

I’ve made the schema changes I described in a 5.11.X branch of our open-source data model project, including document annotations:

https://github.com/joval/jOVAL/blob/5.11.X/scap/schemas/oval-5.11/oval-definitions-schema.xsd

Let me know if you have any feedback.

Regards,
—David Solin

> On Mar 5, 2015, at 9:57 AM, Ulmer, John R. <[hidden email]> wrote:
>
> I'm not sure how and when an OVAL processing tool could determine what is and is not applicable.  The myriad complexities of how content authors can assemble content mean many objects and states are used to feed any number of others (objects and filters and such).  Some objects and states might be relatively straight forward.  Others can be so flexible in what they collect that determining when a 'dne' is because it is not 'applicable' would be quite difficult.  E.g. a textfilecontent subexpression.  If we find the file and match the pattern and fail to match a subexpression, then we end up with an item that exists and can have a subexpression field that is a 'dne.'  How does the processing tool determine if that attempt to gather that subexpression was a reasonable thing for the content author to do in a given context?
>
> Thinking about your suggestion
>       " ...need to do is add a check_existence attribute of type
>       ExistenceEnumeration to both EntityStateSimpleBaseType
>       and EntityStateComplexBaseType, with a default value of
>       at_least_one_exists”."
>
> That might work perfectly and then noise of how to handle this situation disappears.
>
> ------------------------------------
> John R.  Ulmer
> SPAWAR Systems Center Atlantic
> (843)218-5953
> [hidden email]
>
>
> -----Original Message-----
> From: [hidden email] [mailto:[hidden email]] On Behalf Of David Solin
> Sent: Thursday, March 05, 2015 10:24 AM
> To: [hidden email]
> Subject: Re: [OVAL-DEVELOPER-LIST] Question about state entity comparison with item entity where status = "does not exist"
>
> Hi Don & John,
>
> The reason I favor “not applicable” is twofold:
>
> 1) It has quite a different effect on the evaluation logic than “unknown” — “not applicable” is much more benign, whereas “unknown” will have a strong tendency to lead to “unknown” test results.  See the logic diagrams for OperatorEnumeration: http://oval.mitre.org/language/version5.11/ovaldefinition/documentation/oval-common-schema.html#OperatorEnumeration
>
> 2) “Unknown” doesn’t fit because (to me, at least) it implies that the result is not knowable based on the information obtained.  It is the result you get when you attempt to compare a state to something that has not been collected.  But in this case, we actually have attempted to collect these entities and determined that they are not relevant to the item at hand — they cannot be collected (in the example, the system idle process simply has no “command line”).  The schema documentation description for the “does not exist” status says: “This status assumes that an attempt was made to collect the information, but the information just does not exist. This can happen when a certain entity is only pertinent to particular instances or if the information for that entity is not set.”  This perfectly describes the situation at hand.
>
> Any collective decision would provide some necessary relief.  But what we probably really need to do is add a check_existence attribute of type ExistenceEnumeration to both EntityStateSimpleBaseType and EntityStateComplexBaseType, with a default value of “at_least_one_exists”.
>
> If we did that, by the way, the result of my example below would be “false”.
>
> Now, along those lines, let’s say that we’re dealing with one of those cases where the item entity can be multi-valued!  How would we express incomplete collection of those values (i.e., some can be collected, but others cannot for some reason)?  I would propose a few options:
> 1) An empty item entity could be added with a status of “not collected”
> 2) An empty item entity could be added with a status of “error”
>
> The latter would particularly make sense if an error of some kind prevented the collection of all the item entities.  And, one could always add an error message to the item, as I have done in my original example.
>
> Thoughts?  Would this be too much of a change to introduce in OVAL 5.11.1?  I could add this to the schema pretty easily.
>
> Best regards,
> David Solin
> [hidden email]
>
>
>
>> On Mar 5, 2015, at 9:02 AM, Ulmer, John R. <[hidden email]> wrote:
>>
>> I like 'unknown.'
>>
>> Item was collected and 'exists.'
>> Item field 'does not exist,' but, is allowed to 'not exist,' -- min occurs = 0.
>>
>> State field has nothing to check against.
>>
>> If the collection of the item (and its fields) did not produce an error, the item field should not show error.  If the item field does not show 'error,' then the item does not and the state check should not result in error.   The item is a compliant item.
>>
>> Ergo, like Don, I end up at 'unknown.'
>>
>> ------------------------------------
>> John R.  Ulmer
>> SPAWAR Systems Center Atlantic
>> (843)218-5953
>> [hidden email]
>>
>>
>> -----Original Message-----
>> From: [hidden email] [mailto:[hidden email]] On Behalf Of Peddicord, Don
>> Sent: Thursday, March 05, 2015 9:47 AM
>> To: [hidden email]
>> Subject: Re: [OVAL-DEVELOPER-LIST] Question about state entity comparison with item entity where status = "does not exist"
>>
>> David,
>> Thanks for the clarification.
>> I don't agree that error is the response.
>> But I am unsure about not applicable, as it is defined as "This value indicates that the specified OVAL Object is not applicable to the system under test."  I usually think of that as something like an rpm test on a Debian system, not that a particular object item entity (unsure of my terminology here, I want to say item entity field, I cannot seem to find the term in schema or spec.) does not exist when it could possibly exist.
>> Unknown seems logical to me by elimination: "This value indicates that it could not be determined if the conditions of the evaluation were satisfied."
>> It is almost like the check existence should apply...but that would not apply as the object does exist.
>> Good Question.
>>
>> Cheers,
>> Don Peddicord
>>
>>
>> -----Original Message-----
>> From: [hidden email] [mailto:[hidden email]] On Behalf Of David Solin
>> Sent: Thursday, March 05, 2015 8:55 AM
>> To: [hidden email]
>> Subject: Re: [OVAL-DEVELOPER-LIST] Question about state entity comparison with item entity where status = "does not exist"
>>
>> Hi Don,
>>
>> The existence check is a gate through which a test passes, depending on the total number of items exist that correspond to an object.  I am talking about the next phase, after the existence check, comparing these items to one or more states.
>>
>> What to do when the item entity (e.g., command_line on a win-sc:process_item) has a status of “does not exist”, and there is a corresponding entity in the test's process_state?  What contribution does this sub-check make to the overall evaluation of the item against the state?
>>
>> To illustrate, how do you compare these?
>>
>> <win-def:process58_state>
>> <win-def:command_line operation="not equals">winlogon.exe</win-def:command_line>
>> </win-def:process58_state>
>>
>> <win-sc:process_item id="9">
>> <oval-sc:message level="error">Exception calling &quot;IsDepEnabled&quot; with &quot;1&quot; argument(s): &quot;The parameter is incorrect&quot;</oval-sc:message>
>> <win-sc:command_line status="does not exist"></win-sc:command_line>
>> <win-sc:pid datatype="int">0</win-sc:pid>
>> <win-sc:ppid datatype="int">0</win-sc:ppid>
>> <win-sc:priority>0</win-sc:priority>
>> <win-sc:current_dir status="does not exist"></win-sc:current_dir>
>> <win-sc:creation_time datatype="int" status="does not exist"></win-sc:creation_time>
>> <win-sc:dep_enabled datatype="boolean" status="error"></win-sc:dep_enabled>
>> <win-sc:primary_window_text status="does not exist"></win-sc:primary_window_text>
>> <win-sc:name>Idle</win-sc:name>
>> </win-sc:process_item>
>>
>> I am saying the result should be “not applicable”.  Others have suggested the result should be “error” or “unknown”.
>>
>> Regards,
>> —David Solin
>>
>>
>>
>>> On Mar 5, 2015, at 7:37 AM, Peddicord, Don <[hidden email]> wrote:
>>>
>>> Bill and David,
>>> If I am understanding the issue correctly the question is what to do when, for the test:  check_existence="does not exist" is true and there is a state .... in the flow diagram in the OVAL Spec. 01-20-2012 page 100,  if the check_existence is not met the test returns "false"  This is logical to me in that  a comparison to an object which should not exist is superfluous.
>>> Or perhaps I am misunderstanding the issue (likely.) Cheers.
>>> Don Peddicord
>>>
>>>
>>>
>>> -----Original Message-----
>>> From: [hidden email]
>>> [mailto:[hidden email]] On Behalf Of
>>> William Munyan
>>> Sent: Wednesday, March 04, 2015 10:53 AM
>>> To: [hidden email]
>>> Subject: Re: [OVAL-DEVELOPER-LIST] Question about state entity comparison with item entity where status = "does not exist"
>>>
>>> David,
>>> I am not finding anything in specifications either, but I did come across a similar issue during SCAP 1.2 testing, and some discussions that we had around this question:
>>>
>>> http://making-security-measurable.1364806.n2.nabble.com/Comparing-a-state-entity-with-a-nonexistent-item-entity-tc7582251.html
>>> and
>>> http://making-security-measurable.1364806.n2.nabble.com/Item-Collection-Evaluation-tc7582334.html
>>>
>>> Looks like the main takeaway is that the result should be "unknown".
>>>
>>> It seems that there isn’t anything currently in the specification which would allow a <state> to be constructed in order to actually have a non-existent item pass, i.e. have an expected value of "does not exist".  It would seem to me that there would need to be some kind of modifications to the <state>'s which would allow them to specify that the expected state is something non-existent.  If we had a way of authoring that, then it would handle how to evaluate the "does not exist" entities.
>>>
>>> Cheers,
>>> -Bill M.
>>>
>>> -----Original Message-----
>>> From: David Solin [mailto:[hidden email]]
>>> Sent: Wednesday, March 04, 2015 9:23 AM
>>> To: [hidden email]
>>> Subject: [OVAL-DEVELOPER-LIST] Question about state entity comparison with item entity where status = "does not exist"
>>>
>>> When an object matches an item, with an entity whose status is “does not exist” — what should be the result of a comparison against a state entity?  I cannot seem to find any guidance in the specification, but I am thinking that “not applicable” makes the most sense.
>>>
>>> Is it specified and I just failed to find it?  Or, are there other opinions?  If it’s not in the specification, we should add it.
>>>
>>> Regards,
>>> —David Solin

Re: Question about state entity comparison with item entity where status = "does not exist"

dpeddicord
In reply to this post by joval
David,
There lies the rub with a state item entity existence attribute.
It seems that the state exists (check existence) should be handled as it is for the object item, as that is what it actually applies to.
Therefore, any_exist would return true ... which would create a type II error.
I think that the problem is that the existence test needs to be done for the object item, which of course is impossible unless all the Object item entities are part of the schema as elements (again, I am unsure of my terminology, so please correct).
I am looking at the unix-def:process58_object. I wonder why the state elements are not available for the object, as that would resolve this problem immediately. It does not seem that it would greatly increase the workload on the evaluation tool, as those entities are collected anyway.  I realize this would be a major change to the schema.

Don Peddicord CTR


-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of David Solin
Sent: Thursday, March 05, 2015 4:24 PM
To: [hidden email]
Subject: Re: [OVAL-DEVELOPER-LIST] Question about state entity comparison with item entity where status = "does not exist"

I spoke too soon.  There is even one more question, which unfortunately resembles the original question:

Let’s say that check_existence=“any exist” … how should we then perform the comparison if the item entity doesn’t exist?

I believe that “any exist” doesn’t make sense in this context, so I think I will add a schema restriction to disallow it...

Thoughts?

—David Solin


> On Mar 5, 2015, at 1:33 PM, David Solin <[hidden email]> wrote:
>
> There is actually one last matter to settle here…
>
> How do we handle the case where a state entity is compared against a nilled item entity?
>
> For instance, if you created a file_state with <filename check_existence=“does not exist”/>, should that be permitted to indicate you want the object to represent a directory?
>
> Regards,
> —David Solin
>
>
>
>> On Mar 5, 2015, at 9:57 AM, Ulmer, John R. <[hidden email]> wrote:
>>
>> I'm not sure how and when an OVAL processing tool could determine what is and is not applicable.  The myriad complexities of how content authors can assemble content mean many objects and states are used to feed any number of others (objects and filters and such).  Some objects and states might be relatively straight forward.  Others can be so flexible in what they collect that determining when a 'dne' is because it is not 'applicable' would be quite difficult.  E.g. a textfilecontent subexpression.  If we find the file and match the pattern and fail to match a subexpression, then we end up with an item that exists and can have a subexpression field that is a 'dne.'  How does the processing tool determine if that attempt to gather that subexpression was a reasonable thing for the content author to do in a given context?
>>
>> Thinking about your suggestion
>> " ...need to do is add a check_existence attribute of type
>> ExistenceEnumeration to both EntityStateSimpleBaseType
>> and EntityStateComplexBaseType, with a default value of
>> at_least_one_exists”."
>>
>> That might work perfectly and then noise of how to handle this situation disappears.
>>
>> ------------------------------------
>> John R.  Ulmer
>> SPAWAR Systems Center Atlantic
>> (843)218-5953
>> [hidden email]
>>
>>
>> -----Original Message-----
>> From: [hidden email]
>> [mailto:[hidden email]] On Behalf Of David
>> Solin
>> Sent: Thursday, March 05, 2015 10:24 AM
>> To: [hidden email]
>> Subject: Re: [OVAL-DEVELOPER-LIST] Question about state entity comparison with item entity where status = "does not exist"
>>
>> Hi Don & John,
>>
>> The reason I favor “not applicable” is twofold:
>>
>> 1) It has quite a different effect on the evaluation logic than “unknown” — “not applicable” is much more benign, whereas “unknown” will have a strong tendency to lead to “unknown” test results.  See the logic diagrams for OperatorEnumeration: http://oval.mitre.org/language/version5.11/ovaldefinition/documentation/oval-common-schema.html#OperatorEnumeration
>>
>> 2) “Unknown” doesn’t fit because (to me, at least) it implies that the result is not knowable based on the information obtained.  It is the result you get when you attempt to compare a state to something that has not been collected.  But in this case, we actually have attempted to collect these entities and determined that they are not relevant to the item at hand — they cannot be collected (in the example, the system idle process simply has no “command line”).  The schema documentation description for the “does not exist” status says: “This status assumes that an attempt was made to collect the information, but the information just does not exist. This can happen when a certain entity is only pertinent to particular instances or if the information for that entity is not set.”  This perfectly describes the situation at hand.
>>
>> Any collective decision would provide some necessary relief.  But what we probably really need to do is add a check_existence attribute of type ExistenceEnumeration to both EntityStateSimpleBaseType and EntityStateComplexBaseType, with a default value of “at_least_one_exists”.
>>
>> If we did that, by the way, the result of my example below would be “false”.
>>
>> Now, along those lines, let’s say that we’re dealing with one of those cases where the item entity can be multi-valued!  How would we express incomplete collection of those values (i.e., some can be collected, but others cannot for some reason)?  I would propose a few options:
>> 1) An empty item entity could be added with a status of “not collected”
>> 2) An empty item entity could be added with a status of “error”
>>
>> The latter would particularly make sense if an error of some kind prevented the collection of all the item entities.  And, one could always add an error message to the item, as I have done in my original example.
>>
>> Thoughts?  Would this be too much of a change to introduce in OVAL 5.11.1?  I could add this to the schema pretty easily.
>>
>> Best regards,
>> David Solin
>> [hidden email]
>>
>>
>>
>>> On Mar 5, 2015, at 9:02 AM, Ulmer, John R. <[hidden email]> wrote:
>>>
>>> I like 'unknown.'
>>>
>>> Item was collected and 'exists.'
>>> Item field 'does not exist,' but, is allowed to 'not exist,' -- min occurs = 0.
>>>
>>> State field has nothing to check against.
>>>
>>> If the collection of the item (and its fields) did not produce an error, the item field should not show error.  If the item field does not show 'error,' then the item does not and the state check should not result in error.   The item is a compliant item.
>>>
>>> Ergo, like Don, I end up at 'unknown.'
>>>
>>> ------------------------------------
>>> John R.  Ulmer
>>> SPAWAR Systems Center Atlantic
>>> (843)218-5953
>>> [hidden email]
>>>
>>>
>>> -----Original Message-----
>>> From: [hidden email]
>>> [mailto:[hidden email]] On Behalf Of
>>> Peddicord, Don
>>> Sent: Thursday, March 05, 2015 9:47 AM
>>> To: [hidden email]
>>> Subject: Re: [OVAL-DEVELOPER-LIST] Question about state entity comparison with item entity where status = "does not exist"
>>>
>>> David,
>>> Thanks for the clarification.
>>> I don't agree that error is the response.
>>> But I am unsure about not applicable, as it is defined as "This value indicates that the specified OVAL Object is not applicable to the system under test."  I usually think of that as something like an rpm test on a Debian system, not that a particular object item entity (unsure of my terminology here, I want to say item entity field, I cannot seem to find the term in schema or spec.) does not exist when it could possibly exist.
>>> Unknown seems logical to me by elimination: "This value indicates that it could not be determined if the conditions of the evaluation were satisfied."
>>> It is almost like the check existence should apply...but that would not apply as the object does exist.
>>> Good Question.
>>>
>>> Cheers,
>>> Don Peddicord
>>>
>>>
>>> -----Original Message-----
>>> From: [hidden email]
>>> [mailto:[hidden email]] On Behalf Of
>>> David Solin
>>> Sent: Thursday, March 05, 2015 8:55 AM
>>> To: [hidden email]
>>> Subject: Re: [OVAL-DEVELOPER-LIST] Question about state entity comparison with item entity where status = "does not exist"
>>>
>>> Hi Don,
>>>
>>> The existence check is a gate through which a test passes, depending on the total number of items exist that correspond to an object.  I am talking about the next phase, after the existence check, comparing these items to one or more states.
>>>
>>> What to do when the item entity (e.g., command_line on a win-sc:process_item) has a status of “does not exist”, and there is a corresponding entity in the test's process_state?  What contribution does this sub-check make to the overall evaluation of the item against the state?
>>>
>>> To illustrate, how do you compare these?
>>>
>>> <win-def:process58_state>
>>> <win-def:command_line operation="not equals">winlogon.exe</win-def:command_line>
>>> </win-def:process58_state>
>>>
>>> <win-sc:process_item id="9">
>>> <oval-sc:message level="error">Exception calling &quot;IsDepEnabled&quot; with &quot;1&quot; argument(s): &quot;The parameter is incorrect&quot;</oval-sc:message>
>>> <win-sc:command_line status="does not exist"></win-sc:command_line>
>>> <win-sc:pid datatype="int">0</win-sc:pid>
>>> <win-sc:ppid datatype="int">0</win-sc:ppid>
>>> <win-sc:priority>0</win-sc:priority>
>>> <win-sc:current_dir status="does not exist"></win-sc:current_dir>
>>> <win-sc:creation_time datatype="int" status="does not exist"></win-sc:creation_time>
>>> <win-sc:dep_enabled datatype="boolean" status="error"></win-sc:dep_enabled>
>>> <win-sc:primary_window_text status="does not exist"></win-sc:primary_window_text>
>>> <win-sc:name>Idle</win-sc:name>
>>> </win-sc:process_item>
>>>
>>> I am saying the result should be “not applicable”.  Others have suggested the result should be “error” or “unknown”.
>>>
>>> Regards,
>>> —David Solin
>>>
>>>
>>>
>>>> On Mar 5, 2015, at 7:37 AM, Peddicord, Don <[hidden email]> wrote:
>>>>
>>>> Bill and David,
>>>> If I am understanding the issue correctly the question is what to do when, for the test:  check_existence="does not exist" is true and there is a state .... in the flow diagram in the OVAL Spec. 01-20-2012 page 100,  if the check_existence is not met the test returns "false"  This is logical to me in that  a comparison to an object which should not exist is superfluous.
>>>> Or perhaps I am misunderstanding the issue (likely.) Cheers.
>>>> Don Peddicord
>>>>
>>>>
>>>>
>>>> -----Original Message-----
>>>> From: [hidden email]
>>>> [mailto:[hidden email]] On Behalf Of
>>>> William Munyan
>>>> Sent: Wednesday, March 04, 2015 10:53 AM
>>>> To: [hidden email]
>>>> Subject: Re: [OVAL-DEVELOPER-LIST] Question about state entity comparison with item entity where status = "does not exist"
>>>>
>>>> David,
>>>> I am not finding anything in specifications either, but I did come across a similar issue during SCAP 1.2 testing, and some discussions that we had around this question:
>>>>
>>>> http://making-security-measurable.1364806.n2.nabble.com/Comparing-a-state-entity-with-a-nonexistent-item-entity-tc7582251.html
>>>> and
>>>> http://making-security-measurable.1364806.n2.nabble.com/Item-Collection-Evaluation-tc7582334.html
>>>>
>>>> Looks like the main takeaway is that the result should be "unknown".
>>>>
>>>> It seems that there isn’t anything currently in the specification which would allow a <state> to be constructed in order to actually have a non-existent item pass, i.e. have an expected value of "does not exist".  It would seem to me that there would need to be some kind of modifications to the <state>'s which would allow them to specify that the expected state is something non-existent.  If we had a way of authoring that, then it would handle how to evaluate the "does not exist" entities.
>>>>
>>>> Cheers,
>>>> -Bill M.
>>>>
>>>> -----Original Message-----
>>>> From: David Solin [mailto:[hidden email]]
>>>> Sent: Wednesday, March 04, 2015 9:23 AM
>>>> To: [hidden email]
>>>> Subject: [OVAL-DEVELOPER-LIST] Question about state entity comparison with item entity where status = "does not exist"
>>>>
>>>> When an object matches an item, with an entity whose status is “does not exist” — what should be the result of a comparison against a state entity?  I cannot seem to find any guidance in the specification, but I am thinking that “not applicable” makes the most sense.
>>>>
>>>> Is it specified and I just failed to find it?  Or, are there other opinions?  If it’s not in the specification, we should add it.
>>>>
>>>> Regards,
>>>> —David Solin
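
Added example, not part of any message in this thread and not jOVAL's or any other tool's code: a small evaluator that runs the three positions argued above ("unknown", "not applicable", and the "false" that the proposed check_existence default would give) through the AND / check="all" truth table of the linked OVAL 5.11 common schema documentation. The Idle item mirrors the process_item quoted in the thread; the other two items, the dictionary layout and all function names are constructed for illustration.

```python
from collections import Counter

TRUE, FALSE, ERROR, UNKNOWN = "true", "false", "error", "unknown"
NOT_EVALUATED, NOT_APPLICABLE = "not evaluated", "not applicable"

# Operations needed by the state below; "not equals" is spelled as in the thread's example.
OPERATIONS = {
    "equals": lambda item_value, state_value: item_value == state_value,
    "not equals": lambda item_value, state_value: item_value != state_value,
}


def combine_all(results):
    """Combine results per the AND operator / check="all" truth table."""
    counts = Counter(results)
    if not counts:
        # The thread notes the tables say nothing when every counter is 0.
        raise ValueError("no results to combine: the truth tables do not define this case")
    # Precedence in the table: false, then error, then unknown, then not evaluated.
    for dominant in (FALSE, ERROR, UNKNOWN, NOT_EVALUATED):
        if counts[dominant]:
            return dominant
    # Only "true" and "not applicable" remain; "not applicable" is ignored
    # unless it is the only kind of result present.
    return TRUE if counts[TRUE] else NOT_APPLICABLE


def compare_entity(state_entity, item_entity, dne_result):
    """Compare one state entity with one item entity.

    dne_result is the open question of the thread: the result to use when
    the item entity has status "does not exist".
    """
    status = item_entity.get("status", "exists")
    if status == "does not exist":
        return dne_result
    if status != "exists":
        raise ValueError(f"status {status!r} is outside this sketch")
    matched = OPERATIONS[state_entity["operation"]](item_entity["value"], state_entity["value"])
    return TRUE if matched else FALSE


def evaluate_item(state, item, dne_result):
    """Item-versus-state result; only entities named in the state are compared."""
    return combine_all(
        compare_entity(state_entity, item[name], dne_result)
        for name, state_entity in state.items()
    )


def evaluate_test(state, items, dne_result):
    """Test result with check="all" across the collected items."""
    return combine_all(evaluate_item(state, item, dne_result) for item in items)


# The state from the thread: command_line "not equals" winlogon.exe.
STATE = {"command_line": {"operation": "not equals", "value": "winlogon.exe"}}

# The Idle item from the thread, reduced to the entities that matter here.
# dep_enabled has status "error" but is not in the state, so it is never compared.
IDLE = {
    "name": {"value": "Idle"},
    "command_line": {"status": "does not exist"},
    "dep_enabled": {"status": "error"},
}

# Two further items, constructed for this example.
ITEMS = [
    IDLE,
    {"name": {"value": "svchost.exe"},
     "command_line": {"value": r"C:\Windows\System32\svchost.exe -k netsvcs"}},
    {"name": {"value": "explorer.exe"},
     "command_line": {"value": r"C:\Windows\explorer.exe"}},
]

if __name__ == "__main__":
    for label, dne_result in [
        ("dne compares as 'unknown'", UNKNOWN),
        ("dne compares as 'not applicable'", NOT_APPLICABLE),
        ("proposed check_existence default (dne gives 'false')", FALSE),
    ]:
        print(f"{label}: Idle item = {evaluate_item(STATE, IDLE, dne_result)}, "
              f"test = {evaluate_test(STATE, ITEMS, dne_result)}")
```

With the two ordinary processes passing, the single Idle item decides the test: "unknown" turns the whole test unknown, "not applicable" lets it evaluate to true, and the proposed check_existence default makes it false.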

Re: Question about state entity comparison with item entity where status = "does not exist"

joval
Hi Don,

(Terminology-wise, I call a sub-tag an entity.  They all have types, e.g., EntityStateSimpleBaseType, EntityStateAnySimpleType, EntityStateStringType, etc. — hence the name. This holds for objects, states and items, and makes it simple to differentiate them from XML attributes).

Right now, state entities can check only the value of corresponding item entities (and there is the entity_check attribute to tell you what to do if the item entity is multi-valued).  Adding a check_existence attribute makes it possible for them to also assess their existence, and as a side-effect, it settles the questions I have raised about the impact of item entity existence on item-state comparison.

Thinking about it a little more, any_exist is a bit problematic even for the test check_existence attribute.  If there’s no state, then the existence check is just a raw existence check, and any_exists would indicate you’re indifferent about whether any items exist or not.  Not terribly useful!

But, what if there are no results and there is a state, and check_existence = any_exist?  The truth tables for the CheckEnumeration do not tell us, for any check, what the result should be if all the counters are set to 0.  We should remedy that, and if we did, then any_exist could also be used in the context of a state entity check_existence attribute.

How about the following proposal…

For t=0, f=0, e=0, u=0, ne=0, na=0, (check) -> (result):
all -> not applicable
at least one -> false
only one -> false
none satisfy -> true

Right now, for these cases, I believe we’re returning “unknown”.  I’m not sure whether that’s based on an existing consensus.  But this proposal seems better.

Best regards,
David Solin
[hidden email]


PS: You can merge states and objects, conceptually anyway, using filters.  But regardless of how such a merge might be accomplished, the problem is still not solved.  What if you actually wanted to gather all the processes that had no command-line?  You’d still need this kind of entity existence check.


> On Mar 6, 2015, at 7:21 AM, Peddicord, Don <[hidden email]> wrote:
>
> David,
> There lies the rub with a state item entity existence attribute.
> It seems that the state exists (check existence) should be handled as it is for the object item, as that is what it actually applies to.
> Therefore, any_exist would return true ... which would create a type II error.
> I think that the problem is that the existence test needs to be done for the object item, which of course is impossible unless all the Object item entities are part of the schema as elements (again, I am unsure of my terminology, so please correct).
> I am looking at the unix-def:process58_object. I wonder why the state elements are not available for the object, as that would resolve this problem immediately. It does not seem that it would greatly increase the workload on the evaluation tool, as those entities are collected anyway.  I realize this would be a major change to the schema.
>
> Don Peddicord CTR
>
>
> -----Original Message-----
> From: [hidden email] [mailto:[hidden email]] On Behalf Of David Solin
> Sent: Thursday, March 05, 2015 4:24 PM
> To: [hidden email]
> Subject: Re: [OVAL-DEVELOPER-LIST] Question about state entity comparison with item entity where status = "does not exist"
>
> I spoke too soon.  There is even one more question, which unfortunately resembles the original question:
>
> Let’s say that check_existence=“any exist” … how should we then perform the comparison if the item entity doesn’t exist?
>
> I believe that “any exist” doesn’t make sense in this context, so I think I will add a schema restriction to disallow it...
>
> Thoughts?
>
> —David Solin
>
>
>> On Mar 5, 2015, at 1:33 PM, David Solin <[hidden email]> wrote:
>>
>> There is actually one last matter to settle here…
>>
>> How do we handle the case where a state entity is compared against a nilled item entity?
>>
>> For instance, if you created a file_state with <filename check_existence="does not exist"/>, should that be permitted to indicate you want the object to represent a directory?
>>
>> Regards,
>> —David Solin
>>
>>
>>
>>> On Mar 5, 2015, at 9:57 AM, Ulmer, John R. <[hidden email]> wrote:
>>>
>>> I'm not sure how and when an OVAL processing tool could determine what is and is not applicable.  The myriad complexities of how content authors can assemble content mean many objects and states are used to feed any number of others (objects and filters and such).  Some objects and states might be relatively straightforward.  Others can be so flexible in what they collect that determining when a 'dne' is because it is not 'applicable' would be quite difficult.  E.g. a textfilecontent subexpression.  If we find the file and match the pattern and fail to match a subexpression, then we end up with an item that exists and can have a subexpression field that is a 'dne.'  How does the processing tool determine if that attempt to gather that subexpression was a reasonable thing for the content author to do in a given context?
>>>
>>> Thinking about your suggestion
>>> " ...need to do is add a check_existence attribute of type
>>> ExistenceEnumeration to both EntityStateSimpleBaseType
>>> and EntityStateComplexBaseType, with a default value of
>>> at_least_one_exists”."
>>>
>>> That might work perfectly, and then the noise of how to handle this situation disappears.
>>>
>>> ------------------------------------
>>> John R.  Ulmer
>>> SPAWAR Systems Center Atlantic
>>> (843)218-5953
>>> [hidden email]
>>>
>>>
>>> -----Original Message-----
>>> From: [hidden email]
>>> [mailto:[hidden email]] On Behalf Of David
>>> Solin
>>> Sent: Thursday, March 05, 2015 10:24 AM
>>> To: [hidden email]
>>> Subject: Re: [OVAL-DEVELOPER-LIST] Question about state entity comparison with item entity where status = "does not exist"
>>>
>>> Hi Don & John,
>>>
>>> The reason I favor “not applicable” is twofold:
>>>
>>> 1) It has quite a different effect on the evaluation logic than “unknown” — “not applicable” is much more benign, whereas “unknown” will have a strong tendency to lead to “unknown” test results.  See the logic diagrams for OperatorEnumeration:
>>> http://oval.mitre.org/language/version5.11/ovaldefinition/documentation/oval-common-schema.html#OperatorEnumeration
>>>
>>> 2) “Unknown” doesn’t fit because (to me, at least) it implies that the result is not knowable based on the information obtained.  It is the result you get when you attempt to compare a state to something that has not been collected.  But in this case, we actually have attempted to collect these entities and determined that they are not relevant to the item at hand — they cannot be collected (in the example, the system idle process simply has no “command line”).  The schema documentation description for the “does not exist” status says: “This status assumes that an attempt was made to collect the information, but the information just does not exist. This can happen when a certain entity is only pertinent to particular instances or if the information for that entity is not set.”  This perfectly describes the situation at hand.
>>>
>>> Any collective decision would provide some necessary relief.  But what we probably really need to do is add a check_existence attribute of type ExistenceEnumeration to both EntityStateSimpleBaseType and EntityStateComplexBaseType, with a default value of “at_least_one_exists”.
>>>
>>> If we did that, by the way, the result of my example below would be “false”.
>>>
>>> Now, along those lines, let’s say that we’re dealing with one of those cases where the item entity can be multi-valued!  How would we express incomplete collection of those values (i.e., some can be collected, but others cannot for some reason)?  I would propose a few options:
>>> 1) An empty item entity could be added with a status of “not collected”
>>> 2) An empty item entity could be added with a status of “error”
>>>
>>> The latter would particularly make sense if an error of some kind prevented the collection of all the item entities.  And, one could always add an error message to the item, as I have done in my original example.
>>>
>>> Thoughts?  Would this be too much of a change to introduce in OVAL 5.11.1?  I could add this to the schema pretty easily.
>>>
>>> Best regards,
>>> David Solin
>>> [hidden email]
>>>
>>>
>>>
>>>> On Mar 5, 2015, at 9:02 AM, Ulmer, John R. <[hidden email]> wrote:
>>>>
>>>> I like 'unknown.'
>>>>
>>>> Item was collected and 'exists.'
>>>> Item field 'does not exist,' but, is allowed to 'not exist,' -- min occurs = 0.
>>>>
>>>> State field has nothing to check against.
>>>>
>>>> If the collection of the item (and its fields) did not produce an error, the item field should not show error.  If the item field does not show 'error,' then the item does not and the state check should not result in error.   The item is a compliant item.
>>>>
>>>> Ergo, like Don, I end up at 'unknown.'
>>>>
>>>> ------------------------------------
>>>> John R.  Ulmer
>>>> SPAWAR Systems Center Atlantic
>>>> (843)218-5953
>>>> [hidden email]
>>>>
>>>>
>>>> -----Original Message-----
>>>> From: [hidden email]
>>>> [mailto:[hidden email]] On Behalf Of
>>>> Peddicord, Don
>>>> Sent: Thursday, March 05, 2015 9:47 AM
>>>> To: [hidden email]
>>>> Subject: Re: [OVAL-DEVELOPER-LIST] Question about state entity comparison with item entity where status = "does not exist"
>>>>
>>>> David,
>>>> Thanks for the clarification.
>>>> I don't agree that error is the response.
>>>> But I am unsure about not applicable, as it is defined as "This value indicates that the specified OVAL Object is not applicable to the system under test."  I usually think of that as something like an rpm test on a Debian system.  Not that a particular object item entity (unsure of my terminology here, I want to say item entity field, I cannot seem to find the term in schema or spec.) does not exist, when it could possibly exist.
>>>> Unknown seems logical to me by elimination: "This value indicates that it could not be determined if the conditions of the evaluation were satisfied."
>>>> It is almost like the check existence should apply...but that would not apply as the object does exist.
>>>> Good Question.
>>>>
>>>> Cheers,
>>>> Don Peddicord
>>>>
>>>>
>>>> -----Original Message-----
>>>> From: [hidden email]
>>>> [mailto:[hidden email]] On Behalf Of
>>>> David Solin
>>>> Sent: Thursday, March 05, 2015 8:55 AM
>>>> To: [hidden email]
>>>> Subject: Re: [OVAL-DEVELOPER-LIST] Question about state entity comparison with item entity where status = "does not exist"
>>>>
>>>> Hi Don,
>>>>
>>>> The existence check is a gate through which a test passes, depending on the total number of items that exist that correspond to an object.  I am talking about the next phase, after the existence check, comparing these items to one or more states.
>>>>
>>>> What to do when the item entity (e.g., command_line on a win-sc:process_item) has a status of “does not exist”, and there is a corresponding entity in the test's process_state?  What contribution does this sub-check make to the overall evaluation of the item against the state?
>>>>
>>>> To illustrate, how do you compare these?
>>>>
>>>> <win-def:process58_state>
>>>>   <win-def:command_line operation="not equal">winlogon.exe</win-def:command_line>
>>>> </win-def:process58_state>
>>>>
>>>> <win-sc:process_item id="9">
>>>>   <oval-sc:message level="error">Exception calling &quot;IsDepEnabled&quot; with &quot;1&quot; argument(s): &quot;The parameter is incorrect&quot;</oval-sc:message>
>>>>   <win-sc:command_line status="does not exist"></win-sc:command_line>
>>>>   <win-sc:pid datatype="int">0</win-sc:pid>
>>>>   <win-sc:ppid datatype="int">0</win-sc:ppid>
>>>>   <win-sc:priority>0</win-sc:priority>
>>>>   <win-sc:current_dir status="does not exist"></win-sc:current_dir>
>>>>   <win-sc:creation_time datatype="int" status="does not exist"></win-sc:creation_time>
>>>>   <win-sc:dep_enabled datatype="boolean" status="error"></win-sc:dep_enabled>
>>>>   <win-sc:primary_window_text status="does not exist"></win-sc:primary_window_text>
>>>>   <win-sc:name>Idle</win-sc:name>
>>>> </win-sc:process_item>
>>>>
>>>> I am saying the result should be “not applicable”.  Others have suggested the result should be “error” or “unknown”.
>>>>
>>>> Regards,
>>>> —David Solin
>>>>
>>>>
>>>>
>>>>> On Mar 5, 2015, at 7:37 AM, Peddicord, Don <[hidden email]> wrote:
>>>>>
>>>>> Bill and David,
>>>>> If I am understanding the issue correctly the question is what to do when, for the test:  check_existence="does not exist" is true and there is a state .... in the flow diagram in the OVAL Spec. 01-20-2012 page 100,  if the check_existence is not met the test returns "false".  This is logical to me in that a comparison to an object which should not exist is superfluous.
>>>>> Or perhaps I am misunderstanding the issue (likely.) Cheers.
>>>>> Don Peddicord
>>>>>
>>>>>
>>>>>
>>>>> -----Original Message-----
>>>>> From: [hidden email]
>>>>> [mailto:[hidden email]] On Behalf Of
>>>>> William Munyan
>>>>> Sent: Wednesday, March 04, 2015 10:53 AM
>>>>> To: [hidden email]
>>>>> Subject: Re: [OVAL-DEVELOPER-LIST] Question about state entity comparison with item entity where status = "does not exist"
>>>>>
>>>>> David,
>>>>> I am not finding anything in specifications either, but I did come across a similar issue during SCAP 1.2 testing, and some discussions that we had around this question:
>>>>>
>>>>> http://making-security-measurable.1364806.n2.nabble.com/Comparing-a-state-entity-with-a-nonexistent-item-entity-tc7582251.html
>>>>> and
>>>>> http://making-security-measurable.1364806.n2.nabble.com/Item-Collection-Evaluation-tc7582334.html
>>>>>
>>>>> Looks like the main takeaway is that the result should be "unknown".
>>>>>
>>>>> It seems that there isn’t anything currently in the specification which would allow a <state> to be constructed in order to actually have a non-existent item pass, i.e. have an expected value of "does not exist".  It would seem to me that there would need to be some kind of modifications to the <state>'s which would allow them to specify that the expected state is something non-existent.  If we had a way of authoring that, then it would handle how to evaluate the "does not exist" entities.
>>>>>
>>>>> Cheers,
>>>>> -Bill M.
>>>>>
>>>>> -----Original Message-----
>>>>> From: David Solin [mailto:[hidden email]]
>>>>> Sent: Wednesday, March 04, 2015 9:23 AM
>>>>> To: [hidden email]
>>>>> Subject: [OVAL-DEVELOPER-LIST] Question about state entity comparison with item entity where status = "does not exist"
>>>>>
>>>>> When an object matches an item, with an entity whose status is “does not exist” — what should be the result of a comparison against a state entity?  I cannot seem to find any guidance in the specification, but I am thinking that “not applicable” makes the most sense.
>>>>>
>>>>> Is it specified and I just failed to find it?  Or, are there other opinions?  If it’s not in the specification, we should add it.
>>>>>
>>>>> Regards,
>>>>> —David Solin

Re: Question about state entity comparison with item entity where status = "does not exist"

joval
Or, a somewhat simpler rule could be…

If an item entity doesn’t exist, and the state entity’s check_existence is set to “any_exist”, then the comparison result should be “not applicable”.  That would allow us to keep the current truth tables fully intact, which seems less risky.

I know, it’s a tough thing to weigh in on unless you happen to be experimenting with solutions in your own OVAL engine code…  still, any feedback is welcome.

Best,
—David Solin
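
The candidate answers discussed in this thread, applied to the Idle process item, as an added example (not code from any poster or from an OVAL interpreter). It compares a state against an item whose command_line has status "does not exist" and rolls the entity results up with the AND row of the OperatorEnumeration table, which shows why "unknown" and "not applicable" lead to different item results. Namespaces are dropped, only string equals / not equal comparisons are handled, and the extra name state entity and the dne_policy parameter are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample: the Idle process item quoted in the thread, trimmed and
# with namespace prefixes dropped.
ITEM_IDLE = """
<process_item id="9">
  <command_line status="does not exist"></command_line>
  <pid datatype="int">0</pid>
  <name>Idle</name>
</process_item>
"""

# The thread's state entity plus a hypothetical <name> entity, so the roll-up
# has more than one entity result to combine.
STATE_DEFAULT = """
<process58_state>
  <command_line operation="not equal">winlogon.exe</command_line>
  <name operation="equals">Idle</name>
</process58_state>
"""

# Same state with the check_existence attribute proposed in the thread
# (a proposal only; OVAL 5.11 state entities have no such attribute).
STATE_ANY_EXIST = STATE_DEFAULT.replace(
    'operation="not equal"',
    'operation="not equal" check_existence="any_exist"')


def compare_values(operation, state_value, item_value):
    """String comparison for the two operations this example supports."""
    if operation == "equals":
        return "true" if item_value == state_value else "false"
    if operation == "not equal":
        return "true" if item_value != state_value else "false"
    raise ValueError("operation not handled in this example: " + operation)


def compare_entity(state_el, item_el, dne_policy):
    """Result of one state entity checked against one item entity.

    dne_policy (hypothetical parameter) picks the answer for status
    "does not exist": "unknown", "not applicable", or "check_existence"
    (apply the proposed attribute, default at_least_one_exists).
    """
    # Assumption: an entity absent from the item is treated like one that is
    # present with status "does not exist".
    status = "does not exist" if item_el is None else item_el.get("status", "exists")
    if status == "exists":
        return compare_values(state_el.get("operation", "equals"),
                              state_el.text or "", item_el.text or "")
    if status == "error":
        return "error"
    if status == "not collected":
        return "unknown"
    if dne_policy in ("unknown", "not applicable"):
        return dne_policy
    if dne_policy == "check_existence":
        existence = state_el.get("check_existence", "at_least_one_exists")
        if existence == "at_least_one_exists":
            return "false"            # fails the existence gate
        if existence == "any_exist":
            return "not applicable"   # the "simpler rule" from the thread
        raise ValueError("not settled in the thread: " + existence)
    raise ValueError("unknown policy: " + dne_policy)


def and_results(results):
    """AND row of the OperatorEnumeration truth table."""
    counts = Counter(results)
    if not counts:
        raise ValueError("no entity results to combine")
    for value in ("false", "error", "unknown", "not evaluated"):
        if counts[value]:
            return value
    # Only "true" and "not applicable" remain: NA is ignored unless alone.
    return "true" if counts["true"] else "not applicable"


def evaluate(item_xml, state_xml, dne_policy):
    """Return (item-vs-state result, per-entity results)."""
    item = ET.fromstring(item_xml)
    state = ET.fromstring(state_xml)
    per_entity = {
        state_el.tag: compare_entity(state_el, item.find(state_el.tag), dne_policy)
        for state_el in state
    }
    return and_results(per_entity.values()), per_entity


if __name__ == "__main__":
    for label, state, policy in [
        ("unknown", STATE_DEFAULT, "unknown"),
        ("not applicable", STATE_DEFAULT, "not applicable"),
        ("at_least_one_exists (default)", STATE_DEFAULT, "check_existence"),
        ("any_exist", STATE_ANY_EXIST, "check_existence"),
    ]:
        print(label, "->", evaluate(ITEM_IDLE, state, policy))
```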





Re: Question about state entity comparison with item entity where status = "does not exist"

joval
I’ve been sending a lot of emails to the list with some pretty heady questions, and I’m attempting to drive them to a resolution in the 5.11.1 time-frame (which means, very quickly).  So, I thought I should create some examples so people can see exactly what I’m talking about and proposing.  For these examples, I’m going to use the windows process58_test/object/state/item.

Say we have this object:

<win-def:process58_object>
  <win-def:command_line operation="not equals">winlogon.exe</win-def:command_line>
  <win-def:pid operation="greater than or equals" datatype="int">0</win-def:pid>
</win-def:process58_object>

And this state:

<win-def:process58_state>
  <win-def:command_line operation="not equals">winlogon.exe</win-def:command_line>
</win-def:process58_state>

(And some test that compares them.)

Here is one (of many) items we get for our object on a typical Windows machine:

<win-sc:process_item id="9">
  <oval-sc:message level="error">Exception calling &quot;IsDepEnabled&quot; with &quot;1&quot; argument(s): &quot;The parameter is incorrect&quot;</oval-sc:message>
  <win-sc:command_line status="does not exist"></win-sc:command_line>
  <win-sc:pid datatype="int">0</win-sc:pid>
  <win-sc:ppid datatype="int">0</win-sc:ppid>
  <win-sc:priority>0</win-sc:priority>
  <win-sc:current_dir status="does not exist"></win-sc:current_dir>
  <win-sc:creation_time datatype="int" status="does not exist"></win-sc:creation_time>
  <win-sc:dep_enabled datatype="boolean" status="error"></win-sc:dep_enabled>
  <win-sc:primary_window_text status="does not exist"></win-sc:primary_window_text>
  <win-sc:name>Idle</win-sc:name>
</win-sc:process_item>

In OVAL 5.11, we have no idea what the tested_item result should be for this item.

Now, let’s say that we add the new attribute I’ve been pushing.  Our state now looks like this (the check_existence is implied even when omitted):

<win-def:process58_state>
  <win-def:command_line operation="not equals" check_existence="at_least_one_exists">winlogon.exe</win-def:command_line>
</win-def:process58_state>

Now when we compare our item to this state, it fails the existence check, so the result is false.

Now, let’s try a slightly different state and see what happens:

<win-def:process58_state>
  <win-def:command_line operation="not equals" check_existence="any_exist">winlogon.exe</win-def:command_line>
</win-def:process58_state>

How to evaluate this?  In the similar case with objects that don’t exist, and test/check_existence=“any exist”, we (Joval) are currently returning the existence check’s result as the test’s result.  I think that makes sense, as there’s nothing to check, and the author has indicated that the “does not exist” case is okay from an existence perspective.

If we take the same approach with our EntityStateItemBaseType check_existence attribute, then the result of the comparison of the above state to the above item will likewise be “true”, again, because it has passed the existence check.

This is how I would now propose to handle the “any exist” case for the newly proposed check_existence attribute.

Does anyone have any questions, issues or objections to this proposal?

Best regards,
—David Solin
[hidden email]

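The evaluation order proposed in the message above (existence check first, then the value comparison only if something exists to compare), as an added Python example that is not part of the original post and not jOVAL's code. The function name evaluate_state_entity, the namespace-free sample item, and the handling of "error" / "not collected" statuses are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the process_item from the post, reduced to three
# entities and stripped of namespace prefixes so it parses stand-alone.
ITEM_XML = """
<process_item id="9">
  <command_line status="does not exist"></command_line>
  <pid datatype="int">0</pid>
  <name>Idle</name>
</process_item>
"""

OPERATIONS = {
    "equals": lambda item, state: item == state,
    "not equals": lambda item, state: item != state,
}

def evaluate_state_entity(item_xml, name, operation, value,
                          check_existence="at_least_one_exists"):
    """Result of one state entity against one item, per the proposal."""
    entities = ET.fromstring(item_xml).findall(name)
    statuses = [e.get("status", "exists") for e in entities]
    # Assumption: "error" / "not collected" are outside the proposal,
    # so this example reports them as "unknown".
    if any(s not in ("exists", "does not exist") for s in statuses):
        return "unknown"
    existing = [e for e in entities if e.get("status", "exists") == "exists"]

    # Step 1: the proposed per-entity existence check.
    if check_existence == "at_least_one_exists":
        existence_ok = len(existing) >= 1
    elif check_existence == "any_exist":
        existence_ok = True
    else:
        raise ValueError(f"not covered by this example: {check_existence}")
    if not existence_ok:
        return "false"
    # Step 2: nothing to compare, so the existence result is the result.
    if not existing:
        return "true"
    # Step 3: ordinary comparison; all existing entities must satisfy it.
    compare = OPERATIONS[operation]
    ok = all(compare(e.text or "", value) for e in existing)
    return "true" if ok else "false"
```

With the default check_existence the nonexistent command_line yields "false"; with any_exist it yields "true" without the "not equals" comparison ever running, which is the behaviour the message proposes.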