
The case of the empty REG_MULTI_SZ value


The case of the empty REG_MULTI_SZ value

joval
The OVAL language specification says, on the subject of the Windows:Registry_Item:

"If the specified registry key is of type REG_MULTI_SZ, then multiple value entities should exist to describe the array of strings, with each value element holds a single string. In the end, there should be the same number of value entities as there are strings in the reg_multi_sz array." (emphasis added)

Well, what should an interpreter do if there are NO strings in the array?  I have observed this is the case for the object oval:mil.disa.fso.windows:obj:370700.  The matching state, oval:mil.disa.fso.windows:ste:370700, appears simply to be checking for any value whatsoever.  I want to validate that the correct thing to do is to return a single registry_item with no value (or status="does not exist") when the registry value exists but it's empty.

Regards,
--David Solin

--

jOVAL.org: OVAL implemented in Java.
Scan any machine from any machine. For free!
Learn More | Features | Download

To unsubscribe, send an email message to [hidden email] with SIGNOFF OVAL-DEVELOPER-LIST in the BODY of the message. If you have difficulties, write to [hidden email].


Re: The case of the empty REG_MULTI_SZ value

Danny Haynes
Administrator

Hi David,

Good question, we don’t really say anything in the documentation.

Just to make sure I am looking at the same thing.  My version of ste:370700 checks for a value matching the regular expression "^$" which just matches the empty string.  Is that the same as your version?

Looking at Microsoft’s documentation on reg_multi_sz (http://msdn.microsoft.com/en-us/library/windows/desktop/ms724884(v=vs.85).aspx) in the "String Values" section, they say it is not possible to have a zero-length string in the sequence (e.g. empty string).  As a result, an empty array should be handled as you mentioned and the value entity should have a status="does not exist" and no value.  This also aligns with OVAL’s documentation for the registry_item, but, we should probably make that clear.  I will add a tracker to document how to handle reg_multi_sz values with no values.

Thanks,

Danny

 

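The handling agreed in the reply above, as an added example that is not part of the thread and not code from jOVAL or the OVAL project: it splits raw REG_MULTI_SZ bytes into strings and emits one value entity per string, or a single value entity with status="does not exist" when the array is empty. The registry_item is simplified (no namespaces or item id), and the hive, key, value name and sample bytes are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample data: raw REG_MULTI_SZ bytes as the registry stores them
# (UTF-16LE strings, each NUL-terminated, plus one final terminating NUL).
EMPTY = "\x00".encode("utf-16-le")                  # no strings at all
TWO = "alpha\x00beta\x00\x00".encode("utf-16-le")   # two strings


def parse_multi_sz(raw: bytes) -> list:
    """Return the strings in raw REG_MULTI_SZ data.

    The first zero-length string ends the sequence, so an empty string is
    never an element; data holding only terminators yields an empty list.
    """
    if len(raw) % 2:
        raise ValueError("REG_MULTI_SZ data must have an even byte length")
    strings = []
    for s in raw.decode("utf-16-le").split("\x00"):
        if not s:
            break
        strings.append(s)
    return strings


def registry_item(hive: str, key: str, name: str, raw: bytes) -> ET.Element:
    """Build a simplified registry_item (namespaces and item id omitted)."""
    item = ET.Element("registry_item")
    for tag, text in (("hive", hive), ("key", key), ("name", name),
                      ("type", "reg_multi_sz")):
        ET.SubElement(item, tag).text = text
    strings = parse_multi_sz(raw)
    if not strings:
        # Registry value exists but holds no strings: one value entity,
        # no content, status="does not exist" (the outcome agreed above).
        ET.SubElement(item, "value", status="does not exist")
    for s in strings:
        # One value entity per string in the array.
        ET.SubElement(item, "value", datatype="string").text = s
    return item


if __name__ == "__main__":
    for raw in (EMPTY, TWO):
        # Hive, key and name are placeholders, not the ones behind obj:370700.
        item = registry_item("HKEY_LOCAL_MACHINE", r"SOFTWARE\Example",
                             "ConstructedValue", raw)
        print(ET.tostring(item, encoding="unicode"))
```
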

Re: The case of the empty REG_MULTI_SZ value

joval
On 2/22/2012 9:58 AM, Haynes, Dan wrote:

> Hi David,
>
> Good question, we don’t really say anything in the documentation.
>
> Just to make sure I am looking at the same thing.  My version of ste:370700 checks for a value matching the regular expression "^$" which just matches the empty string.  Is that the same as your version?

Yes, that's it.

> Looking at Microsoft’s documentation on reg_multi_sz (http://msdn.microsoft.com/en-us/library/windows/desktop/ms724884(v=vs.85).aspx) in the "String Values" section, they say it is not possible to have a zero-length string in the sequence (e.g. empty string).  As a result, an empty array should be handled as you mentioned and the value entity should have a status="does not exist" and no value.  This also aligns with OVAL’s documentation for the registry_item, but, we should probably make that clear.  I will add a tracker to document how to handle reg_multi_sz values with no values.

Great!  Good catch on the MS documentation.

 
