Re: [Xccdf-dev] [OVAL DEVELOPER] SQLEXT OVAL Extension Proposal


David Solin-3
Hi Doug (and cross-posting to xccdf-dev),

I’m not really able to easily discern from the samples on Github… but, recalling the sql511 proposal, is the thrust of this proposal that the behaviors result in splitting out per-host, per-instance or per-database (depending on the behavior specified) into different result files?

Notwithstanding the answer to that question, I have a few initial thoughts:

This is not really a generic SQL test at all, but a Microsoft SQL Server test.  Only MSSQL has readily-discoverable instances.  Other RDBMS’s do not really have readily-discoverable instances, and also, they do not all support having multiple ‘databases’ within a single instance.  This was sort of the sole virtue of the connection_string — it identifies the target instance.  (This is also why both generic database-connectivity mechanisms I’ve personally used, ODBC and JDBC, support the concept of connection properties).

This appears to me to really, at heart, be a proposal to delegate instance/database discovery to the OVAL language.  It is certainly already possible using external_variables to target a piece of OVAL content to whatever combination of instances and databases one pleases — provided that those instances and databases are known to the tool that is doing the targeting (by setting the variable values).

If this is indeed the case, and if databases should indeed be treated as first-class targets, then it would make perfect sense to create entire SCAP benchmarks dedicated to evaluating databases, and measure compliance of each instance against that benchmark, rather than (as this proposal embodies) attempt to combine what should be multiple first-class target assessments into a single machine assessment result.

As an alternative to this approach, I would propose making a few changes to XCCDF and SCAP that would make it possible to do exactly what you guys want and leverage the existing sql57 test:
  1. Create selRefType and selComplexRefType types in XCCDF that make it possible to reference an exported value from a check system
  2. Add support for the XCCDF ComplexValueType in SCAP — defining it as a mechanism to evaluate multiple instances of a check evaluated via the multi-check attribute, or if via a complex-check, according to the complex-check’s operator attribute.

Was this an approach you guys have considered?  I’d be happy to collaborate with you to make these changes to XCCDF.  We could call it XCCDF 1.3.

Best regards,
—David Solin


David A. Solin
Co-Founder, Research & Technology
[hidden email]

Joval Continuous Monitoring




On Sep 30, 2015, at 11:41 AM, McIlroy, Douglas M CIV SPAWARSYSCEN-ATLANTIC, 58600 <[hidden email]> wrote:

Due to the need for automated compliance and vulnerability checks against SQL database management systems and a lack of support for the proposed sql511 test in OVAL 5.11, SPAWAR submits this new proposal for an OVAL extension which addresses the sql511 deficiencies. The current working designation for this proposal is “sqlext” (SQL Test for the OVAL Extension Schema). This is subject to change based upon discussion with the OVAL community regarding standard naming conventions for OVAL extensions. Please see the attached proposal document for further explanation as well as the SQLEXT OVAL Sandbox GitHub fork (https://github.com/mcilroyd/Sandbox/tree/master/resources/x-ind-sqlext) for sample content, results output, and XML schemas. We are looking forward to any feedback and recommendations that the community has to share for SQLEXT.

<SQLExt Proposal.pdf>
_______________________________________________
OVAL_Developer mailing list
[hidden email]
http://lists.cisecurity.org/mailman/listinfo/oval_developer_lists.cisecurity.org


_______________________________________________
XCCDF-dev mailing list
[hidden email]
To unsubscribe, send an email message to [hidden email].

Re: [Xccdf-dev] [OVAL DEVELOPER] SQLEXT OVAL Extension Proposal

mcilroydm
I failed to reply-all on my last response to David Solin, so I'm retransmitting the discussion thread for the rest of the mailing list in order to get the conversation back on track.

David,

Yes, this SQLEXT proposal supports behavior for addressing individual RDBMS instances (the term "instance" as used here refers to any query-able server process spawned by a given DBMS software installation) and named database schemas as top-level targets, and then outputting a dedicated result file for each target. Furthermore, SQLEXT is indeed a platform-agnostic SQL probe that can support DBMS products other than Microsoft SQL Server. The following Oracle, MySQL, and PostgreSQL documentation provides guidance for configuring multiple instances of a given DBMS on a host system:

https://docs.oracle.com/cd/E11882_01/server.112/e40540/startup.htm#CNCPT89033

https://dev.mysql.com/doc/refman/5.0/en/multiple-servers.html

https://opensourcedbms.com/dbms/running-multiple-postgresql-9-2-instances-on-one-server-in-centos-6rhel-6fedora/

Also, other DBMS's aside from MS SQL Server, such as MySQL, do support hosting multiple named DB schemas per instance. One common counter-example, though, would be Oracle Database, which allocates an instance for each database schema, leading to the concepts of an Oracle DB "instance" and "database" being effectively equivalent. Therefore, the "instance" and "database" context behaviors would be interchangeable when being implemented for an Oracle DB evaluation.

Furthermore, in light of the lack of traction that the SQL57 spec has seen so far, we are not sure how productive attempting to augment it any further would be. Not much so far has come of attempting to incorporate SQL57 into the DISA STIGs due to the inflexibility and insecurity of the "connection_string" entity, so SQLEXT is being proposed as an alternative that addresses those complications.



Also, while extending XCCDF to support multiple top-level evaluation targets per host system is a great idea, we needed to pursue a solution that would be available in the near-term and that would support raw-OVAL evaluations that don't include an XCCDF benchmark. However, given that leveraging XCCDF to control the content processing model of a SCAP stream makes more sense than SQLEXT's raw-OVAL top-up approach, an update to the XCCDF spec would be welcome. Especially when considering other non-RDBMS applications such as IIS, Apache, and Tomcat that also support being instantiated multiple times with a dedicated configuration for each instance, there definitely needs to be a discussion about how to make SCAP overall more fit for enterprise-grade applications.

________________________________

Thanks for your insights, Douglas. Please see my own thoughts inline, below.


> On Oct 1, 2015, at 4:04 PM, McIlroy, Douglas M CIV SPAWARSYSCEN-ATLANTIC, 58600 <[hidden email]> wrote:
>
> David,
>
>
>
> Yes, this SQLEXT proposal supports behavior for addressing individual RDBMS instances (the term "instance" as used here refers to any query-able server process spawned by a given DBMS software installation) and named database schemas as top-level targets, and then outputting a dedicated result file for each target. Furthermore, SQLEXT is indeed a platform-agnostic SQL probe that can support DBMS products other than Microsoft SQL Server. The following Oracle, MySQL, and PostgreSQL documentation provides guidance for configuring multiple instances of a given DBMS on a host system:
>
>
>
> https://docs.oracle.com/cd/E11882_01/server.112/e40540/startup.htm#CNCPT89033
>
> https://dev.mysql.com/doc/refman/5.0/en/multiple-servers.html
>
> https://opensourcedbms.com/dbms/running-multiple-postgresql-9-2-instances-on-one-server-in-centos-6rhel-6fedora/
>

Of course most (if not all) databases support running multiple instances on the same machine. But apart from MS SQL Server, I don’t believe they are readily discoverable. To determine which instances are running, for Oracle or MySQL or Postgres, it would be necessary for a tool to discover running processes, read their environments and command-line parameters, and reverse-engineer their configurations, in order to determine how to connect to each. If the instances are not running at scan-time, then all bets are off.

This makes the implementation of <instance operation="pattern match">.*</instance> VERY problematic.


>
>
> Also, other DBMS's aside from MS SQL Server, such as MySQL, do support hosting multiple named DB schemas per instance. One common counter-example, though, would be Oracle Database, which allocates an instance for each database schema, leading to the concepts of an Oracle DB "instance" and "database" being effectively equivalent. Therefore, the "instance" and "database" context behaviors would be interchangeable when being implemented for an Oracle DB evaluation.
>

Indeed, some do. But to discover their names, you must first connect to a server instance in a management context. And connecting to an instance without all the connection information is problematic.

Perhaps you're actually proposing that the SCAP scanning utility should be pre-populated with lists of all the instances on each machine, and how to connect to them. That would eliminate the discovery problem, but I didn’t get that impression from the proposal.


> Furthermore, in light of the lack of traction that the SQL57 spec has seen so far, we are not sure how productive attempting to augment it any further would be. Not much so far has come of attempting to incorporate SQL57 into the DISA STIGs due to the inflexibility and insecurity of the "connection_string" entity, so SQLEXT is being proposed as an alternative that addresses those complications.
>

I have to say, since it has always been possible to provide a connection_string value via an external_variable, I’ve personally never really understood the complaints. Is it that the variable values would appear in the results? The mask attribute might address that.

In the case of Joval, it’s possible to supply a connection_string with no username/password at all, in which case we use the credential supplied for connecting to the target machine. In practice this can actually be useful when scanning MS SQL Servers that have been configured to leverage the Windows user account database. We have had some success running the CIS MS SQL Server content through our product using the existing features.


>
>
> Also, while extending XCCDF to support multiple top-level evaluation targets per host system is a great idea, we needed to pursue a solution that would be available in the near-term and that would support raw-OVAL evaluations that don't include an XCCDF benchmark. However, given that leveraging XCCDF to control the content processing model of a SCAP stream makes more sense than SQLEXT's raw-OVAL top-up approach, an update to the XCCDF spec would be welcome. Especially when considering other non-RDBMS applications such as IIS, Apache, and Tomcat that also support being instantiated multiple times with a dedicated configuration for each instance, there definitely needs to be a discussion about how to make SCAP overall more fit for enterprise-grade applications.
>

I agree. From a technical standpoint, a non-standard upgrade to XCCDF should at least be no “worse” than a non-standard addition to OVAL.



________________________________
From: David Solin [[hidden email]]
Sent: Wednesday, September 30, 2015 5:28 PM
To: McIlroy, Douglas M CIV SPAWARSYSCEN-ATLANTIC, 58600
Cc: [hidden email]; [hidden email]
Subject: Re: [OVAL DEVELOPER] SQLEXT OVAL Extension Proposal

