Re: Looping


Re: Looping

John Garrett
Attempting to move the discussion.  More to follow if successful on this move attempt.


V/r,
John W. Garrett

-----Original Message-----
From: David Solin [mailto:[hidden email]]
Sent: Friday, June 12, 2015 1:36 PM
To: [hidden email]
Subject: Re: [OVAL-DISCUSSION-LIST] Looping

Hi John,

If you just want to play with the raw value of a variable and compare it to something, you can use an ind:variable_object.

If you wanted to compare two different variable values with one another, you could use a variable_test, variable_object (with one var_ref) and variable_state (with the other var_ref).

I’m curious, what error are you seeing?  Everything you listed appears sound to me.

Best regards,
--David A. Solin
Co-Founder, Research & Technology
[hidden email]
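
David's first suggestion wired to the variable from step 4 of John's quoted message, as an added example that is not part of the original thread. The three ids under `oval:example.added` are constructed placeholders, and `check="all"` with `operation="equals"` is an assumption about the intended pass condition.

```xml
<!-- Added example, not code from the thread.
     oval:example.added:* ids are constructed placeholders.
     var:205101 is the local_variable from step 4 of the quoted message. -->

<!-- Test: every value held by the variable must satisfy the state.
     check_existence="at_least_one_exists" is the schema default; whether a
     log with no matching line should pass is a policy choice left open here. -->
<ind:variable_test xmlns:ind="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
  id="oval:example.added:tst:1" version="1"
  check="all" check_existence="at_least_one_exists"
  comment="Service behind each root password login is sshd">
  <ind:object object_ref="oval:example.added:obj:1"/>
  <ind:state state_ref="oval:example.added:ste:1"/>
</ind:variable_test>

<!-- Object: exposes the variable's value(s) as items. It needs no
     path/filename/filepath, which is what blocked reuse of a
     textfilecontent54_object for this step.
     Note: obj:205100 as posted has instance "equals 1", so var:205101
     holds at most one value until that entity is widened. -->
<ind:variable_object xmlns:ind="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
  id="oval:example.added:obj:1" version="1"
  comment="Captured service name(s) from the authpriv log">
  <ind:var_ref>oval:mil.disa.fso.redhat.rhel5:var:205101</ind:var_ref>
</ind:variable_object>

<!-- State: compares each item's value with a literal.
     For the variable-to-variable comparison David describes, drop the
     literal and put var_ref (plus var_check when the referenced variable
     is multi-valued) on ind:value instead. -->
<ind:variable_state xmlns:ind="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
  id="oval:example.added:ste:1" version="1"
  comment="Service name is sshd">
  <ind:value operation="equals">sshd</ind:value>
</ind:variable_state>
```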

 

   



> On Jun 12, 2015, at 12:24 PM, John Garrett <[hidden email]> wrote:
>
> Hi David,
>
> Ok, I believe I have found an example where looping and your idea of capturing and variables might come in handy.  I'm 90% close to having it complete, I just can't wrap my head around how to bridge the last piece together.  Here is the task:
>
> Examine /etc/syslog.conf to confirm the location to which "authpriv" messages are being sent.
> # grep authpriv.* /etc/syslog.conf
>
> Once the file is determined, perform the following command:
> # grep password <file> | more
>
> Look for any lines that do not have sshd as the associated service.
> If root has logged in over the network and sshd is not running, this is a finding.
>
> I'm going to leave the test out of my questions here because all I'm really concerned with is the obj/ste/var stuff; depending on how those 3 form will be the basis for a given test.
>
> 1) We need to find the location of the authpriv message logs:
>    <ind:textfilecontent54_object xmlns:ind="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
>      id="oval:mil.disa.fso.redhat.rhel5:obj:205101" comment="Logfile location -- V-1046" version="1">
>      <ind:path>/etc</ind:path>
>      <ind:filename>syslog.conf</ind:filename>
>      <ind:pattern operation="pattern match">^(?!\s*#)authpriv\.\*\s+(.*)\s*$</ind:pattern>
>      <ind:instance datatype="int" operation="equals">1</ind:instance>
>    </ind:textfilecontent54_object>
> - The subexpression will hold the value of the logfile
>
> 2) We capture that subexpression from obj:205101, and store it to memory via the variable:
>    <local_variable id="oval:mil.disa.fso.redhat.rhel5:var:205100" version="1" datatype="string" comment="Logfile location -- V-1046">
>      <object_component object_ref="oval:mil.disa.fso.redhat.rhel5:obj:205101" item_field="subexpression"/>
>    </local_variable>
>
> 3) Now that we have the location, we can parse the file for strings we should or should not see
>    <ind:textfilecontent54_object xmlns:ind="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
>      id="oval:mil.disa.fso.redhat.rhel5:obj:205100" comment="V-1046" version="1">
>      <ind:filepath var_ref="oval:mil.disa.fso.redhat.rhel5:var:205100"/>
>      <ind:pattern operation="pattern match">.*?\(.*)?\[\d+\]: Accepted password for root</ind:pattern>
>      <ind:instance datatype="int" operation="equals">1</ind:instance>
>    </ind:textfilecontent54_object>
> - Notice the subexpression, this will hold the "value" I either want to see or not see, again this all depends on how we make the test/def.
>
> 4) The following variable will hold the subexpression values from step #3 (obj:205100)
>    <local_variable id="oval:mil.disa.fso.redhat.rhel5:var:205101" version="1" datatype="string" comment="Protocol Value -- V-1046">
>      <object_component object_ref="oval:mil.disa.fso.redhat.rhel5:obj:205100" item_field="subexpression"/>
>    </local_variable>
>
> 5) My next thought was to take the variable from step #4 (var:205101) and tell a state what to do with it
>    <ind:textfilecontent54_state xmlns:ind="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="V-1046"
>      id="oval:mil.disa.fso.redhat.rhel5:ste:205100" version="1">
>      <ind:subexpression var_ref="oval:mil.disa.fso.redhat.rhel5:var:205101" operation="not equal">sshd</ind:subexpression>
>    </ind:textfilecontent54_state>
>
>
> Running the produced an error.....  Now, previously you mentioned I could take the variable from step #4 (var:205101) and use it in another object.  How exactly can I do this?  The reason I ask is because what I want to test against is now stored in memory; if I try and throw it at a textfilecontent54_object it is going to request a path/filename/filepath at a minimum.  If I could nil those and just use it as a pattern it would work I think, but alas I cannot...
>
> Any help with the logic would be greatly appreciated!
>
>
> V/r,
> John W. Garrett
>
>
>
>
> On 5/12/2015 2:26 PM, David Solin wrote:
>> Hi John,
>>
>> You can capture these values using a variable that references an ind:textfilecontent54_object’s value entity.  The resulting variable would be multi-valued.  You could then use the value in another object, and test all the files for some common attributes or characteristics, and use the var_check attribute to control exactly how you want that to work.
>>
>> Regards,
>> —David A. Solin
>> Co-Founder, Research & Technology
>> [hidden email]
>>
>>
>>
>>
>>
>>
>>
>>> On May 12, 2015, at 10:42 AM, John Garrett <[hidden email]> wrote:
>>>
>>> My question here revolves around looping and something I don't "think" OVAL can do; but if it could, it would be useful.
>>>
>>> For a given file the following exists:
>>> /home/joe
>>> /home/bob
>>> /home/hello
>>> /home/world
>>>
>>> Is there a way to parse and capture the contents of each line to memory, and from there do something with the capture?  I know I can do it with a variable for a given line, but multiple lines elude me.
>>>
>>> Perhaps we wanted to do a recursive check on the directories for the presence or lack of a given file.
>>>
>>> In bash it would be something like:
>>>
>>> while read -r list; do
>>>    ls -R "$list"
>>>    # something...
>>> done < given_file
>>>
>>> Any ideas?
>>>
>>> --John G.
>>>
>>> To unsubscribe, send an email message to [hidden email]
>>> with SIGNOFF OVAL-DISCUSSION-LIST in the BODY of the message.  If
>>> you have difficulties, write to [hidden email].

Re: Looping

John Garrett
Can I get a test response to see if this was confirmed as true for the move?


V/r,
John W. Garrett

-----Original Message-----
From: John Garrett [mailto:[hidden email]]
Sent: Friday, June 12, 2015 1:56 PM
To: [hidden email]
Subject: Re: [OVAL-DEVELOPER-LIST] Looping

Attempting to move the discussion.  More to follow if successful on this move attempt.


V/r,
John W. Garrett


Re: Looping

Hansbury, Matt
John,

All set, received this message on the developer list.  

Thanks
matt

-----Original Message-----
From: John Garrett [mailto:[hidden email]]
Sent: Friday, June 12, 2015 1:58 PM
To: oval-developer-list OVAL Developer List/Closed Public Discussion
Subject: Re: [OVAL-DEVELOPER-LIST] Looping

Can I get a test response to see if this was confirmed as true for the move?


V/r,
John W. Garrett


Re: Looping

John Garrett
David,

I'll do you one better on the errors.  This semi crosses into another thread so I'll mention it here as it will help to answer this question and many others I've posed on other topics.

Examples...  They're great, there are a ton in the Repos.

What we really need are test examples, benchmarks as it were.  You say the code looks good, perhaps it works with Joval but not with ovaldi.  Perhaps ovaldi and SCC but not joval?

So......  I started working on some.  I hope to have the first set published today; the idea being that I will post my example code and oval results file.  In theory EVERYONE should get the exact same results I do with a given set of instructions for a given set of code; if not there is the ambiguity previously mentioned on another one of my threads...  Hopefully this will help set the matter straight!




On this topic, I like it, a variable object!  So I'm coding that up now, gunna see what I come up with; if it works I'll post the solution.

Be in touch soon...


V/r,
John W. Garrett


-----Original Message-----
From: Hansbury, Matt [mailto:[hidden email]]
Sent: Friday, June 12, 2015 2:03 PM
To: [hidden email]
Subject: Re: [OVAL-DEVELOPER-LIST] Looping

John,

All set, received this message on the developer list.  

Thanks
matt


Re: Looping

John Garrett
David,

Attached is my code and the resulting OVAL Results file.  I can't figure this out for the life of me.


V/r,
John W. Garrett

-----Original Message-----
From: John Garrett [mailto:[hidden email]]
Sent: Friday, June 12, 2015 2:09 PM
To: [hidden email]
Subject: Re: [OVAL-DEVELOPER-LIST] Looping

David,

I'll do you one better on the errors.  This semi crosses into another thread so I'll mention it here as it will help to answer this question and many others I've posed on other topics.

Examples...  They're great, there are a ton in the Repos.

What we really need are test examples, benchmarks as it were.  You say the code looks good, perhaps it works with Joval but not with ovaldi.  Perhaps ovaldi and SCC but not joval?

So......  I started working on some.  I hope to have the first set published today; the idea being that I will post my example code and oval results file.  In theory EVERYONE should get the exact same results I do with a given set of instructions for a given set of code; if not there is the ambiguity previously mentioned on another one of my threads...  Hopefully this will help set the matter straight!




On this topic, I like it, a variable object!  So I'm coding that up now, gunna see what I come up with; if it works I'll post the solution.

Be in touch soon...


V/r,
John W. Garrett


-----Original Message-----
From: Hansbury, Matt [mailto:[hidden email]]
Sent: Friday, June 12, 2015 2:03 PM
To: [hidden email]
Subject: Re: [OVAL-DEVELOPER-LIST] Looping

John,

All set, received this message on the developer list.  

Thanks
matt

-----Original Message-----
From: John Garrett [mailto:[hidden email]]
Sent: Friday, June 12, 2015 1:58 PM
To: oval-developer-list OVAL Developer List/Closed Public Discussion
Subject: Re: [OVAL-DEVELOPER-LIST] Looping

Can I get a test response to see if this was confirmed as true for the move?


V/r,
John W. Garrett

-----Original Message-----
From: John Garrett [mailto:[hidden email]]
Sent: Friday, June 12, 2015 1:56 PM
To: [hidden email]
Subject: Re: [OVAL-DEVELOPER-LIST] Looping

Attempting to move the discussion.  More to follow if successful on this move attempt.


V/r,
John W. Garrett

-----Original Message-----
From: David Solin [mailto:[hidden email]]
Sent: Friday, June 12, 2015 1:36 PM
To: [hidden email]
Subject: Re: [OVAL-DISCUSSION-LIST] Looping

Hi John,

If you just want to play with the raw value of a variable and compare it to something, you can use an ind:variable_object.

If you wanted to compare two different variable values with one-another, you could use a variable_test, variable_object (with one var_ref) and variable_state (with the other var_ref).

I’m curious, what error are you seeing?  Everything you listed appears sound to me.

Best regards,
--David A. Solin
Co-Founder, Research & Technology
[hidden email]

> On Jun 12, 2015, at 12:24 PM, John Garrett <[hidden email]> wrote:
>
> Hi David,
>
> Ok, I believe I have found an example where looping and your idea of capturing and variables might come in handy.  I'm 90% close to having it complete, I just can't wrap my head around how to bridge the last piece together.  Here is the task:
>
> Examine /etc/syslog.conf to confirm the location to which "authpriv" messages are being sent.
> # grep authpriv.* /etc/syslog.conf
>
> Once the file is determined, perform the following command:
> # grep password <file> | more
>
> Look for any lines that do not have sshd as the associated service.
> If root has logged in over the network and sshd is not running, this is a finding.
>
> I'm going to leave the test out of my questions here because all I'm really concerned with is the obj/ste/var stuff; depending on how those 3 form will be the basis for a given test.
>
> 1) We need to find the location of the authpriv message logs:
>    <ind:textfilecontent54_object xmlns:ind="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
>      id="oval:mil.disa.fso.redhat.rhel5:obj:205101" comment="Logfile location -- V-1046" version="1">
>      <ind:path>/etc</ind:path>
>      <ind:filename>syslog.conf</ind:filename>
>      <ind:pattern operation="pattern match">^(?!\s*#)authpriv\.\*\s+(.*)\s*$</ind:pattern>
>      <ind:instance datatype="int" operation="equals">1</ind:instance>
>    </ind:textfilecontent54_object>
> - The subexpression will hold the value of the logfile
>
> 2) We capture that subexpression from obj:205101, and store it to memory via the variable:
>    <local_variable id="oval:mil.disa.fso.redhat.rhel5:var:205100" version="1" datatype="string" comment="Logfile location -- V-1046">
>      <object_component object_ref="oval:mil.disa.fso.redhat.rhel5:obj:205101" item_field="subexpression"/>
>    </local_variable>
>
> 3) Now that we have the location, we can parse the file for strings we should or should not see
>    <ind:textfilecontent54_object xmlns:ind="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
>      id="oval:mil.disa.fso.redhat.rhel5:obj:205100" comment="V-1046" version="1">
>      <ind:filepath var_ref="oval:mil.disa.fso.redhat.rhel5:var:205100"/>
>      <ind:pattern operation="pattern match">.*?\(.*)?\[\d+\]: Accepted password for root</ind:pattern>
>      <ind:instance datatype="int" operation="equals">1</ind:instance>
>    </ind:textfilecontent54_object>
> - Notice the subexpression, this will hold the "value" I either want to see or not see, again this all depends on how we make the test/def.
>
> 4) The following variable will hold the subexpression values from step #3 (obj:205100)
>    <local_variable id="oval:mil.disa.fso.redhat.rhel5:var:205101" version="1" datatype="string" comment="Protocol Value -- V-1046">
>      <object_component object_ref="oval:mil.disa.fso.redhat.rhel5:obj:205100" item_field="subexpression"/>
>    </local_variable>
>
> 5) My next thought was to take the variable from step #4 (var:205101) and tell a state what to do with it
>    <ind:textfilecontent54_state xmlns:ind="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="V-1046"
>      id="oval:mil.disa.fso.redhat.rhel5:ste:205100" version="1">
>      <ind:subexpression var_ref="oval:mil.disa.fso.redhat.rhel5:var:205101" operation="not equal">sshd</ind:subexpression>
>    </ind:textfilecontent54_state>
>
>
> Running the produced an error.....  Now, previously you mentioned I could take the variable from step #4 (var:205101) and use it in another object.  How exactly can I do this?  The reason I ask is because what I want to test against is now stored in memory; if I try and throw it at a textfilecontent54_object it is going to request a path/filename/filepath at a minimum.  If I could nil those and just use it as a pattern it would work I think, but alas I cannot...
>
> Any help with the logic would be greatly appreciated!
>
>
> V/r,
> John W. Garrett
>
>
>
>
> On 5/12/2015 2:26 PM, David Solin wrote:
>> Hi John,
>>
>> You can capture these values using a variable that references an ind:textfilecontent54_object’s value entity.  The resulting variable would be multi-valued.  You could then use the value in another object, and test all the files for some common attributes or characteristics, and use the var_check attribute to control exactly how you want that to work.
>>
>> Regards,
>> —David A. Solin
>> Co-Founder, Research & Technology
>> [hidden email]
>>
>>
>>
>>
>>
>>
>>
>>> On May 12, 2015, at 10:42 AM, John Garrett <[hidden email]> wrote:
>>>
>>> My question here revolves around looping and something I don't "think" OVAL can do; but if it could, it would be useful.
>>>
>>> For a given file the following exists:
>>> /home/joe
>>> /home/bob
>>> /home/hello
>>> /home/world
>>>
>>> Is there a way to parse and capture the contents of each line to memory, and from there do something with the capture?  I know I can do it with a variable for a given line, but multiple lines elude me.
>>>
>>> Perhaps we wanted to do a recursive check on the directories for the presence or lack of a given file.
>>>
>>> In bash it would be something like:
>>>
>>> while read list; do
>>>    ls -R $list
>>>    something...
>>> done << given_file
>>>
>>> Any ideas?
>>>
>>> --John G.
>>>

loop-cpe-dictionary.xml (744 bytes) Download Attachment
loop-cpe-oval.xml (5K) Download Attachment
loop-oval.xml (6K) Download Attachment
loop-xccdf.xml (8K) Download Attachment
LOCALHOST_OVAL-Results_loop.xml (17K) Download Attachment

Re: Looping

David Solin-3
Hi John,

Several issues.

1) you’ve got a bad pattern:

Error scanning oval:mil.disa.fso.redhat.rhel5:obj:205102: Pattern error: Unmatched closing ')' near index 6
.*?\(.*)?\[\d+\]: Accepted password for root
      ^

I changed the pattern to ".*?(.*)?\[\d+\]: Accepted password for root" (not sure if that’s what you really meant, though).

2) Your XCCDF check refers to a document you didn’t supply (U_RedHat_5_WIP-oval.xml) — I changed it to reference loop-oval.xml

3) A textfilecontent54_test must reference a textfilecontent54_object and textfilecontent54_state.  I assume what you really wanted was a variable_test.

4) You used a deprecated check attribute value (none exist); I changed it to “at least one”.

I’ve attached the fixed XCCDF bundle (loop.zip).

I had to log into my CentOS 5 VM as “root” via SSH to generate a syslog entry to match your variable, but when I did, I got the attached ARF (which is the result format for an XCCDF check).

Is that what you were hoping for?

Regards,
— David A. Solin
Co-Founder, Research & Technology
[hidden email]

To unsubscribe, send an email message to [hidden email] with
SIGNOFF OVAL-DEVELOPER-LIST
in the BODY of the message.  If you have difficulties, write to [hidden email].


   




loop.zip (7K) Download Attachment
xpert-arf.xml (81K) Download Attachment
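The pattern problem from item 1 of the reply above, worked through as an added example (not code from the thread or from any OVAL interpreter). It assumes Python's re module as a stand-in for the interpreter's regex engine; the syslog.conf and log contents are constructed, and SERVICE_ONLY_PATTERN is a hypothetical tighter pattern that does not appear in the thread.

```python
import re

# Patterns copied from the thread.
SYSLOG_CONF_PATTERN = r"^(?!\s*#)authpriv\.\*\s+(.*)\s*$"
ORIGINAL_LOG_PATTERN = r".*?\(.*)?\[\d+\]: Accepted password for root"
FIXED_LOG_PATTERN = r".*?(.*)?\[\d+\]: Accepted password for root"

# Hypothetical alternative (assumption, not from the thread): capture only the
# token that sits directly in front of "[pid]:".
SERVICE_ONLY_PATTERN = r"^.*?\s(\S+)\[\d+\]: Accepted password for root"

# Constructed sample data; not taken from a real host.
SAMPLE_SYSLOG_CONF = """\
# The authpriv file has restricted access.
#authpriv.*                                             /var/log/old-secure
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
"""

SAMPLE_SECURE_LOG = """\
Jun 12 16:40:01 host1 sshd[2211]: Accepted password for root from 192.0.2.10 port 50022 ssh2
Jun 12 16:41:15 host1 login[2300]: Accepted password for root from 192.0.2.20
Jun 12 16:42:00 host1 sshd[2312]: Accepted password for alice from 192.0.2.11 port 50100 ssh2
"""

# Stand-in for the file system so the example runs offline.
SAMPLE_FILES = {"/var/log/secure": SAMPLE_SECURE_LOG}


def compiles(pattern):
    """Return True if the regex engine accepts the pattern."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


def subexpressions(pattern, text):
    """First capture group of every matching line, i.e. what an
    object_component with item_field="subexpression" would collect.
    The objects in the thread keep only instance 1; this returns all
    instances so the effect on every log line is visible."""
    return [m.group(1) for m in re.finditer(pattern, text, re.MULTILINE)]


def logfile_from_conf(conf_text):
    """Steps 1 and 2 of the thread: the authpriv destination, instance 1.
    The greedy (.*) also keeps trailing whitespace on the line, because the
    following \\s* is satisfied by matching nothing."""
    values = subexpressions(SYSLOG_CONF_PATTERN, conf_text)
    return values[0] if values else None


def findings(conf_text, files, log_pattern):
    """Steps 3 to 5: collect the captured value for each root login and keep
    those that are 'not equal' to sshd."""
    path = logfile_from_conf(conf_text)
    log_text = files.get(path, "")
    return [s for s in subexpressions(log_pattern, log_text) if s != "sshd"]


if __name__ == "__main__":
    print("original compiles:", compiles(ORIGINAL_LOG_PATTERN))
    print("fixed compiles:   ", compiles(FIXED_LOG_PATTERN))
    print("logfile:          ", logfile_from_conf(SAMPLE_SYSLOG_CONF))
    print("fixed pattern:    ", findings(SAMPLE_SYSLOG_CONF, SAMPLE_FILES, FIXED_LOG_PATTERN))
    print("service only:     ", findings(SAMPLE_SYSLOG_CONF, SAMPLE_FILES, SERVICE_ONLY_PATTERN))
```

On the constructed log, the pattern from the reply compiles but its subexpression holds the whole line prefix (timestamp, host and service), so a "not equal" comparison against sshd keeps both root logins; the tighter pattern keeps only the login entry.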

Re: Looping

John Garrett

David,

Thanks for the response.  I’ve temp’ paused my work on the loop so I can push out my Benchmark idea to the community; look for it here soon.

As soon as I get that pushed out, I’ve got one other matter to tend to and then I am going to respond to this.  Sadly, I left errors it seems.  I renamed a lot of the content filenames and such, but I guess I missed a few.  Look very forward to seeing your work, and thanks!


V/r,
John W. Garrett

 

From: David Solin [mailto:[hidden email]]
Sent: Friday, June 12, 2015 4:45 PM
To: [hidden email]
Subject: Re: [OVAL-DEVELOPER-LIST] Looping

 

Hi John,

Several issues.

1) you’ve got a bad pattern:

Error scanning oval:mil.disa.fso.redhat.rhel5:obj:205102: Pattern error: Unmatched closing ')' near index 6
.*?\(.*)?\[\d+\]: Accepted password for root
      ^

I changed the pattern to ".*?(.*)?\[\d+\]: Accepted password for root" (not sure if that’s what you really meant, though).

2) Your XCCDF check refers to a document you didn’t supply (U_RedHat_5_WIP-oval.xml) — I changed it to reference loop-oval.xml

3) A textfilecontent54_test must reference a textfilecontent54_object and textfilecontent54_state.  I assume what you really wanted was a variable_test.

4) You used a deprecated check attribute value (none exist); I changed it to “at least one”.

I’ve attached the fixed XCCDF bundle (loop.zip).

I had to log into my CentOS 5 VM as “root” via SSH to generate a syslog entry to match your variable, but when I did, I got the attached ARF (which is the result format for an XCCDF check).

Is that what you were hoping for?

Regards,
— David A. Solin
Co-Founder, Research & Technology
[hidden email]

Re: Looping

John Garrett
In reply to this post by David Solin-3

Hi David,

Just re-went through this response; everything you said makes sense.  Nice catch on my errors!


V/r,
John W. Garrett

 

>
> If you wanted to compare two different variable values with one another, you could use a variable_test, variable_object (with one var_ref) and variable_state (with the other var_ref).
>
> I’m curious, what error are you seeing?  Everything you listed appears sound to me.
>
> Best regards,
> --David A. Solin
> Co-Founder, Research & Technology
> [hidden email]
>
>
>
>
>
>
>
>> On Jun 12, 2015, at 12:24 PM, John Garrett <[hidden email]> wrote:
>>
>> Hi David,
>>
>> Ok, I believe I have found an example where looping and your idea of capturing and variables might come in handy.  I'm 90% close to having it complete, I just can't wrap my head around how to bridge the last piece together.  Here is the task:
>>
>> Examine /etc/syslog.conf to confirm the location to which "authpriv" messages are being sent.
>> # grep authpriv.* /etc/syslog.conf
>>
>> Once the file is determined, perform the following command:
>> # grep password <file> | more
>>
>> Look for any lines that do not have sshd as the associated service.
>> If root has logged in over the network and sshd is not running, this is a finding.
>>
>> I'm going to leave the test out of my questions here because all I'm really concerned with is the obj/ste/var stuff; depending on how those 3 form will be the basis for a given test.
>>
>> 1) We need to find the location of the authpriv message logs:
>>   <ind:textfilecontent54_object xmlns:ind="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
>>     id="oval:mil.disa.fso.redhat.rhel5:obj:205101" comment="Logfile location -- V-1046" version="1">
>>     <ind:path>/etc</ind:path>
>>     <ind:filename>syslog.conf</ind:filename>
>>     <ind:pattern operation="pattern match">^(?!\s*#)authpriv\.\*\s+(.*)\s*$</ind:pattern>
>>     <ind:instance datatype="int" operation="equals">1</ind:instance>
>>   </ind:textfilecontent54_object>
>>       - The subexpression will hold the value of the logfile
>>
>> 2) We capture that subexpression from obj:205101, and store it to memory via the variable:
>>   <local_variable id="oval:mil.disa.fso.redhat.rhel5:var:205100" version="1" datatype="string" comment="Logfile location -- V-1046">
>>     <object_component object_ref="oval:mil.disa.fso.redhat.rhel5:obj:205101" item_field="subexpression"/>
>>   </local_variable>
>>
>> 3) Now that we have the location, we can parse the file for strings we should or should not see
>>   <ind:textfilecontent54_object xmlns:ind="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
>>     id="oval:mil.disa.fso.redhat.rhel5:obj:205100" comment="V-1046" version="1">
>>     <ind:filepath var_ref="oval:mil.disa.fso.redhat.rhel5:var:205100"/>
>>     <ind:pattern operation="pattern match">.*?\(.*)?\[\d+\]: Accepted password for root</ind:pattern>
>>     <ind:instance datatype="int" operation="equals">1</ind:instance>
>>   </ind:textfilecontent54_object>
>>       - Notice the subexpression, this will hold the "value" I either want to see or not see, again this all depends on how we make the test/def.
>>
>> 4) The following variable will hold the subexpression values from step #3 (obj:205100)
>>   <local_variable id="oval:mil.disa.fso.redhat.rhel5:var:205101" version="1" datatype="string" comment="Protocol Value -- V-1046">
>>     <object_component object_ref="oval:mil.disa.fso.redhat.rhel5:obj:205100" item_field="subexpression"/>
>>   </local_variable>
>>
>> 5) My next thought was to take the variable from step #4 (var:205101) and tell a state what to do with it
>>   <ind:textfilecontent54_state xmlns:ind="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" comment="V-1046"
>>     id="oval:mil.disa.fso.redhat.rhel5:ste:205100" version="1">
>>     <ind:subexpression var_ref="oval:mil.disa.fso.redhat.rhel5:var:205101" operation="not equal">sshd</ind:subexpression>
>>   </ind:textfilecontent54_state>
>>
>>
>> Running the produced an error.....  Now, previously you mentioned I could take the variable from step #4 (var:205101) and use it in another object.  How exactly can I do this?  The reason I ask is because what I want to test against is now stored in memory; if I try and throw it at a textfilecontent54_object it is going to request a path/filename/filepath at a minimum.  If I could nil those and just use it as a pattern it would work I think, but alas I cannot...
>>
>> Any help with the logic would be greatly appreciated!
>>
>>
>> V/r,
>> John W. Garrett
>>
>>
>>
>>
>> On 5/12/2015 2:26 PM, David Solin wrote:
>>> Hi John,
>>>
>>> You can capture these values using a variable that references an ind:textfilecontent54_object’s value entity.  The resulting variable would be multi-valued.  You could then use the value in another object, and test all the files for some common attributes or characteristics, and use the var_check attribute to control exactly how you want that to work.
>>>
>>> Regards,
>>> —David A. Solin
>>> Co-Founder, Research & Technology
>>> [hidden email]
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>> On May 12, 2015, at 10:42 AM, John Garrett <[hidden email]> wrote:
>>>>
>>>> My question here revolves around looping and something I don't "think" OVAL can do; but if it could, it would be useful.
>>>>
>>>> For a given file the following exists:
>>>> /home/joe
>>>> /home/bob
>>>> /home/hello
>>>> /home/world
>>>>
>>>> Is there a way to parse and capture the contents of each line to memory, and from there do something with the capture?  I know I can do it with a variable for a given line, but multiple lines elude me.
>>>>
>>>> Perhaps we wanted to do a recursive check on the directories for the presence or lack of a given file.
>>>>
>>>> In bash it would be something like:
>>>>
>>>> while read -r list; do
>>>>   ls -R "$list"
>>>>   # something...
>>>> done < given_file
>>>>
>>>> Any ideas?
>>>>
>>>> --John G.
>>>>
>>
>
> <loop-cpe-dictionary.xml><loop-cpe-oval.xml><loop-oval.xml><loop-xccdf.xml><LOCALHOST_OVAL-Results_loop.xml>
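
Three of the four problems listed in the reply at the top of this message (the pattern that does not compile, the test whose type does not match its object, and the deprecated `none exist` check value) can be caught with a small lint pass before the content is handed to a scanner. This is an added example, not code from the thread or from any OVAL tool; the sample document and its `oval:example:*` IDs are constructed, and Python's `re` stands in for the scanner's regex engine.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample; the IDs are placeholders, not those in the attached bundle.
SAMPLE = r"""<oval_definitions
    xmlns:ind="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
  <ind:textfilecontent54_test id="oval:example:tst:1" check="none exist">
    <ind:object object_ref="oval:example:obj:2"/>
    <ind:state state_ref="oval:example:ste:1"/>
  </ind:textfilecontent54_test>
  <ind:textfilecontent54_object id="oval:example:obj:1">
    <ind:filepath var_ref="oval:example:var:0"/>
    <ind:pattern operation="pattern match">.*?\(.*)?\[\d+\]: Accepted password for root</ind:pattern>
  </ind:textfilecontent54_object>
  <ind:variable_object id="oval:example:obj:2">
    <ind:var_ref>oval:example:var:1</ind:var_ref>
  </ind:variable_object>
  <ind:textfilecontent54_state id="oval:example:ste:1">
    <ind:subexpression operation="not equal">sshd</ind:subexpression>
  </ind:textfilecontent54_state>
</oval_definitions>"""

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def lint(xml_text):
    """Return (element id, problem, detail) tuples for an OVAL definitions file."""
    root = ET.fromstring(xml_text)
    kinds = {e.get("id"): local(e.tag) for e in root.iter() if e.get("id")}
    findings = []
    for el in root.iter():
        name, eid = local(el.tag), el.get("id")
        for child in el:
            role = local(child.tag)
            if role == "pattern":  # assumption: re approximates the scanner's engine
                try:
                    re.compile(child.text or "")
                except re.error as exc:
                    findings.append((eid, "bad-pattern", str(exc)))
            elif name.endswith("_test") and role in ("object", "state"):
                want = name[: -len("test")] + role  # e.g. textfilecontent54_object
                got = kinds.get(child.get(role + "_ref"))
                if got != want:
                    findings.append((eid, "type-mismatch", f"{role} is {got}, need {want}"))
        if name.endswith("_test") and el.get("check") == "none exist":
            findings.append((eid, "deprecated-check", "none exist"))
    return findings
```

A reference that does not resolve to any element in the file is also reported as a type mismatch, with `None` as the type found.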

