Re: [Xccdf-dev] [OVAL-DEVELOPER-LIST] Platform Applicability and Unsupported Check Systems

Re: [Xccdf-dev] [OVAL-DEVELOPER-LIST] Platform Applicability and Unsupported Check Systems

joval
(Cross-Posting to the XCCDF-dev list)

We support OCIL, but not for platform checks.  The reason being, since some human intervention beyond the specification is required for targeting anyway, it seemed superfluous for the specification to use OCIL for target applicability.  Or put another way, there's nothing that can be accomplished using OCIL for a CPE check that can't be accomplished when selecting targets and an appropriate profile.

Also, the SCAP 1.2 specification seems to imply that only OVAL inventory-class definitions are allowed in CPE, but on the other hand it doesn't explicitly say that either.

I believe, if we want this kind of functionality in SCAP, then we need to think about some kind of targeting specification.

Regards,
--David Solin

On 10/16/2013 7:52 AM, William Munyan wrote:

All,

I know this is more of an XCCDF question than an OVAL question, specifically, but I am not 100% sure I am part of that list as of yet…So here goes:

 

Given the following Platform Specification:

<cpe-lang:platform-specification>
  <cpe-lang:platform id="platform_1">
    <cpe-lang:title xml:lang="en-US">Test Platform 1</cpe-lang:title>
    <cpe-lang:logical-test operator="AND" negate="false">
      <cpe-lang:check-fact-ref system="http://scap.nist.gov/schema/ocil/2" href="ocil.xml"
                               id-ref="ocil:validation_program_cpe:questionnaire:1"/>
    </cpe-lang:logical-test>
  </cpe-lang:platform>
</cpe-lang:platform-specification>

 

Next, assume I have a <Benchmark>, <Group>, or <Rule> which references this platform via a <platform idref="#platform_1"/>.  If my tool does not currently support OCIL as a check system, technically any checks associated with the <check-fact-ref> would resolve to "not checked".  How would a result of "not checked" be applied to the platform applicability?

 

I am thinking that, because the system cannot determine whether or not the platform is applicable, it should resolve to the platform being not applicable, but I wanted to toss it out to the group for opinions.

 

Thanks in advance!

-Bill M.

 

Bill Munyan

Center for Internet Security

[hidden email]

 

 

This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited. Please notify the sender immediately and permanently delete the message and any attachments.
. . .
To unsubscribe, send an email message to [hidden email] with SIGNOFF OVAL-DEVELOPER-LIST in the BODY of the message. If you have difficulties, write to [hidden email].


--

jOVAL.org: SCAP Simplified.
Learn More | Features | Download


_______________________________________________
XCCDF-dev mailing list
[hidden email]
To unsubscribe, send an email message to [hidden email].


Re: [Xccdf-dev] [OVAL-DEVELOPER-LIST] Platform Applicability and Unsupported Check Systems

Ronayne, James K.-2

I think some guidance to answer these questions comes from NISTIR-7698 (CPE 2.3 Applicability Language).

 

Here is the relevant section.

7.3.3 Evaluating a check-fact-ref Element

“A <cpe:check-fact-ref> element MAY use any check system that meets the basic requirements specified in Section 6.5. However, CPE Language implementations are not required to support all of these check systems. Implementations SHALL support the OVAL check system. Its use in content is indicated by the <cpe:check-fact-ref> element’s @check-system attribute being set to “http://oval.mitre.org/XMLSchema/oval-definitions-5”. Implementations MAY support additional check systems, such as OCIL.”

 

“For all check systems that an implementation supports, the implementation MUST be capable of referencing the check using the attributes specified for the <cpe:check-fact-ref> element and handling the result. The implementation SHALL accept results that clearly map to TRUE and FALSE. The implementation SHALL accept error condition results, such as “error” or “not applicable”, and SHALL treat them as ERROR results. Also, if an implementation does not support a check system that the <cpe:check-fact-ref> element uses, if the specified check content is not accessible, or if any other condition occurs that prevents evaluation of the check, the implementation SHALL treat it as an ERROR result. If a result from the <cpe:check-fact-ref> element is required to calculate a result for its parent <cpe:logical-test> element, then evaluation of the parent element MAY cease.”

 

Jim

 

 

From: [hidden email] [mailto:[hidden email]] On Behalf Of David Solin
Sent: Wednesday, October 16, 2013 10:19 AM
To: OVAL Developer List (Closed Public Discussion); [hidden email]
Subject: Re: [Xccdf-dev] [OVAL-DEVELOPER-LIST] Platform Applicability and Unsupported Check Systems

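The rule Jim quotes from NISTIR 7698 section 7.3.3, applied to Bill's platform-specification, as an added worked example (this is not code from the thread, from jOVAL or from CIS). It parses a <cpe-lang:platform-specification>, treats a <check-fact-ref> whose @system the tool does not implement as ERROR rather than "not checked", short-circuits a <logical-test> once an operand has fixed its result, and maps the outcome onto an XCCDF <platform idref="#..."/> reference. Assumptions: the AND/OR/negate combination table (a decisive operand wins, then ERROR, else the operator's default; negate leaves ERROR alone) is my reading of the same NISTIR's logical-test section and is not quoted in the thread; platform_2, platform_3, the file name cpe-oval.xml, the oval:example.cpe:def:* identifiers and their results are constructed; the xmlns declaration is added so the snippet parses; treating ERROR as "not applicable" on the XCCDF side is the policy Bill proposes, not something the quoted text settles.

```python
import xml.etree.ElementTree as ET
from enum import Enum
from typing import Callable, Dict, Tuple

CPE = "{http://cpe.mitre.org/language/2.0}"
OVAL_SYSTEM = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
OCIL_SYSTEM = "http://scap.nist.gov/schema/ocil/2"


class Result(Enum):
    TRUE = "true"
    FALSE = "false"
    ERROR = "error"


# A check-system provider answers (href, id-ref) with a Result; a real scanner
# would read it out of an OVAL or OCIL results document.
Provider = Callable[[str, str], Result]


def table_provider(table: Dict[Tuple[str, str], Result]) -> Provider:
    # Content the tool cannot reach counts as ERROR (NISTIR 7698 7.3.3).
    return lambda href, id_ref: table.get((href, id_ref), Result.ERROR)


def combine(operator: str, negate: bool, ops) -> Result:
    """AND/OR over TRUE/FALSE/ERROR; truth table assumed, see lead-in."""
    if operator not in ("AND", "OR"):
        raise ValueError(f"unknown operator {operator!r}")
    decisive, default = ((Result.FALSE, Result.TRUE) if operator == "AND"
                         else (Result.TRUE, Result.FALSE))
    r = decisive if decisive in ops else Result.ERROR if Result.ERROR in ops else default
    if negate and r is not Result.ERROR:  # negate flips TRUE/FALSE, ERROR stays ERROR
        r = Result.FALSE if r is Result.TRUE else Result.TRUE
    return r


def evaluate_test(test, providers: Dict[str, Provider]) -> Result:
    operator, negate = test.get("operator"), test.get("negate", "false") in ("true", "1")
    ops = []
    for child in test:
        if child.tag == CPE + "logical-test":
            r = evaluate_test(child, providers)
        elif child.tag == CPE + "check-fact-ref":
            provider = providers.get(child.get("system"))
            # Unsupported check system -> ERROR, not "not checked" (7.3.3).
            r = Result.ERROR if provider is None else provider(child.get("href"), child.get("id-ref"))
        else:
            r = Result.ERROR  # fact-ref (CPE name matching) is not implemented here
        ops.append(r)
        # Evaluation MAY cease once the parent's result is fixed, so an
        # unsupported OCIL check is never consulted if OVAL already decided.
        if r is (Result.FALSE if operator == "AND" else Result.TRUE):
            break
    return combine(operator, negate, ops)


def evaluate_platform_spec(xml_text: str, providers: Dict[str, Provider]) -> Dict[str, Result]:
    results = {}
    for platform in ET.fromstring(xml_text).iter(CPE + "platform"):
        test = platform.find(CPE + "logical-test")
        results[platform.get("id")] = Result.ERROR if test is None else evaluate_test(test, providers)
    return results


def xccdf_applicable(results: Dict[str, Result], idref: str) -> bool:
    """<platform idref="#platform_1"/> applies only on TRUE; FALSE and ERROR
    both leave the Benchmark/Group/Rule not applicable (Bill's proposal)."""
    return results.get(idref.lstrip("#")) is Result.TRUE


# Constructed input: Bill's platform_1, plus two hypothetical platforms that
# combine an OVAL inventory definition with the same OCIL questionnaire.
PLATFORM_SPEC = """<cpe-lang:platform-specification xmlns:cpe-lang="http://cpe.mitre.org/language/2.0">
  <cpe-lang:platform id="platform_1">
    <cpe-lang:logical-test operator="AND" negate="false">
      <cpe-lang:check-fact-ref system="http://scap.nist.gov/schema/ocil/2" href="ocil.xml" id-ref="ocil:validation_program_cpe:questionnaire:1"/>
    </cpe-lang:logical-test>
  </cpe-lang:platform>
  <cpe-lang:platform id="platform_2">
    <cpe-lang:logical-test operator="AND" negate="false">
      <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="cpe-oval.xml" id-ref="oval:example.cpe:def:1"/>
      <cpe-lang:check-fact-ref system="http://scap.nist.gov/schema/ocil/2" href="ocil.xml" id-ref="ocil:validation_program_cpe:questionnaire:1"/>
    </cpe-lang:logical-test>
  </cpe-lang:platform>
  <cpe-lang:platform id="platform_3">
    <cpe-lang:logical-test operator="OR" negate="false">
      <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="cpe-oval.xml" id-ref="oval:example.cpe:def:2"/>
      <cpe-lang:check-fact-ref system="http://scap.nist.gov/schema/ocil/2" href="ocil.xml" id-ref="ocil:validation_program_cpe:questionnaire:1"/>
    </cpe-lang:logical-test>
  </cpe-lang:platform>
</cpe-lang:platform-specification>"""

# Constructed OVAL results, as if read from an OVAL results file.
OVAL_RESULTS = {("cpe-oval.xml", "oval:example.cpe:def:1"): Result.FALSE,
                ("cpe-oval.xml", "oval:example.cpe:def:2"): Result.TRUE}


def providers_without_ocil() -> Dict[str, Provider]:
    """A tool implementing only the mandatory OVAL check system."""
    return {OVAL_SYSTEM: table_provider(OVAL_RESULTS)}


def providers_with_ocil(answer: Result) -> Dict[str, Provider]:
    """The same tool with an OCIL engine whose questionnaire result is `answer`."""
    return {**providers_without_ocil(), OCIL_SYSTEM: table_provider(
        {("ocil.xml", "ocil:validation_program_cpe:questionnaire:1"): answer})}


if __name__ == "__main__":
    res = evaluate_platform_spec(PLATFORM_SPEC, providers_without_ocil())
    print({k: v.value for k, v in res.items()}, xccdf_applicable(res, "#platform_1"))
```

With OVAL only, platform_1 evaluates to ERROR and is therefore not applicable, exactly the case Bill asks about; platform_2 still comes out FALSE and platform_3 TRUE because the OVAL operand decides before the unsupported OCIL reference is needed, which is the "evaluation MAY cease" clause in practice. Adding an OCIL provider that answers TRUE turns platform_1 into TRUE without changing the other two.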