Windows Inventory Definitions


Windows Inventory Definitions

Andrew Buttner
Administrator
I was recently pulling together some Windows inventory defs from the OVAL Repository.  For example def:105 (XP is installed).  There was a recent modification that changed the criteria of the definition from looking for a value of 5.1 in the CurrentVersion key to using the ProductName key and looking for a "windows xp" string match.  Similar changes were made for the other Windows platforms.

Did we really want this change?  This inventory definition now has a very different meaning.  Instead of testing a version of the operating system, it is now testing the name.  The XP definition will now return true (it used to return false) for "Windows XP 64-Bit Edition version 2003" and for "Windows XP Professional x64 Edition" even though both of these are based off of the 5.2 core OS (Windows 2003).  This goes back to the marketing name issue in CPE.

What is the OVAL def testing, that you have an OS installed with a marketing name of windows XP?  Or is it supposed to be testing that you have Windows version 5.1 installed?

In my experiences with patches and with configuration settings, it seems that we would want to align this definition with the OS version, not the name?  Maybe we need both types of inventory definitions to handle different needs.

Thoughts?

Thanks
Drew

---------

Andrew Buttner
The MITRE Corporation
[hidden email]
781-271-3515

To unsubscribe, send an email message to [hidden email] with
SIGNOFF OVAL-DISCUSSION-LIST
in the BODY of the message.  If you have difficulties, write to [hidden email].

Re: Windows Inventory Definitions

Thomas Jones
I agree---partially. To ensure that the inventory is correct with regard to the version that should be queried. But how much more valid is the version rather than the name? It's still just a string. Regardless of convention. Either can be altered accordingly. Statistically, it's a stalemate.

I suggest a logic AND of both.

However, let's analyze the situation at hand. The incorrect successful validation of a string. The issue at hand is that the pattern match is too forgiving. I understand that regex can be very complex and increasingly difficult to develop. However, we must all take into consideration how our code affects the community.

What good is submitting a sub-par definition if it does not represent the OVAL community in a positive light? We need to verify and ensure that our code and those of our peers are of the utmost integrity and value to the community.

My 2 cents.
Thomas

Sent from my iPhone

On Mar 17, 2010, at 7:59 PM, "Buttner, Drew" <[hidden email]> wrote:



Re: Windows Inventory Definitions

Harrison, Tim
In reply to this post by Andrew Buttner
Since I submitted some of these changes I will try and explain my reasoning behind them.  I can say this pattern match approach was based on newer definitions for other versions of Windows, such as Vista and Server 2008, so I presumed it was the preferred approach.  I put forward updates to the other definitions with the intent of making the pattern matches case insensitive as well as to better limit what text was permitted in the value, with the hope it would make the pattern matches 'safer'.
 
From a patch perspective you are correct in that XP x64 and XP x86 do not share the same code base and have a differing set of applicable patches.  The reason for this is that the pairings with regard to patching are:
 
Windows XP - 5.1
--------------------------------------
Windows XP x64 - 5.2
Windows 2003 Server - 5.2
Windows 2003 Server R2 - 5.2
--------------------------------------
Windows Vista - 6.0
Windows 2008 Server - 6.0
--------------------------------------
Windows 7 - 6.1
Windows 2008 Server R2 - 6.1
 
However, when it comes to security configuration I understand the pairings to be:
 
Windows XP - 5.1
Windows XP x64 - 5.2
--------------------------------------
Windows 2003 Server - 5.2
Windows 2003 Server R2 - 5.2
--------------------------------------
Windows Vista - 6.0
--------------------------------------
Windows 2008 Server - 6.0
--------------------------------------
Windows 7 - 6.1
--------------------------------------
Windows 2008 Server R2 - 6.1
 
Based on this, the product name vs. the OS version depends on what you are looking to accomplish.  My expectation would be that if you are intent upon limiting content to the 32-bit version of Windows XP you would use definition 'def:1353' and that 'def:105' would be reserved for instances where architecture is of no concern.
 
I do not believe we need both types of definitions as it is possible to target different products depending on how you implement the criteria.  For example, currently there is no definition for Windows XP x64 which does not specify a service pack level, but it is still possible with the current set of definitions to target said platform.  This could be done using this approach:
 
<criteria operator="AND">
     <extend_definition comment="Microsoft Windows XP is installed" definition_ref="oval:org.mitre.oval:def:105"/>
     <extend_definition negate="true" comment="Microsoft Windows XP (32-bit) is installed" definition_ref="oval:org.mitre.oval:def:1353"/>
</criteria>
 
Taking all of this into account I can't see a justifiable reason to change the definitions, but given the flexibility of OVAL I can't really argue against a change.
 
Respectfully,
Tim Harrison
SCAP Content Development
National Institute of Standards and Technology
(717)561-2923
[hidden email]

From: Buttner, Drew [[hidden email]]
Sent: Wednesday, March 17, 2010 8:59 PM
To: [hidden email]
Subject: [OVAL-DISCUSSION-LIST] Windows Inventory Definitions

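As an added example (not part of this thread or of the OVAL Repository), the following Python models the two ways of writing def:105 that Drew contrasts (ProductName pattern vs. CurrentVersion value) and Tim's AND/negate composition for XP x64, evaluated over constructed registry values. The test functions, host labels and registry values are assumptions chosen to illustrate the thread, not the repository's actual definitions.

```python
import re

# Constructed registry snapshots (not captured from real hosts) mirroring the
# ProductName and CurrentVersion values under
# HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion for platforms named in the thread.
HOSTS = {
    "xp_x86":   {"ProductName": "Microsoft Windows XP", "CurrentVersion": "5.1"},
    "xp_x64":   {"ProductName": "Microsoft Windows XP Professional x64 Edition", "CurrentVersion": "5.2"},
    "xp_64bit": {"ProductName": "Windows XP 64-Bit Edition version 2003", "CurrentVersion": "5.2"},
    "srv2003":  {"ProductName": "Microsoft Windows Server 2003", "CurrentVersion": "5.2"},
    "vista":    {"ProductName": "Windows Vista (TM) Ultimate", "CurrentVersion": "6.0"},
}

# Hypothetical stand-ins for the two ways of writing def:105 that the thread
# contrasts; the real definitions are OVAL XML, these only model their logic.
def name_test_xp(reg):
    """Post-change criterion: case-insensitive 'windows xp' pattern on ProductName."""
    return re.search(r"windows xp", reg["ProductName"], re.IGNORECASE) is not None

def version_test_51(reg):
    """Pre-change criterion (and the 32-bit-only def:1353 style): CurrentVersion == 5.1."""
    return reg["CurrentVersion"] == "5.1"

def eval_criteria(reg, operator, members):
    """Evaluate an OVAL-style <criteria>: members are (test_func, negate) pairs."""
    results = [func(reg) != negate for func, negate in members]
    return all(results) if operator == "AND" else any(results)

def is_xp_any_arch(reg):
    """def:105 as it now reads: marketing name only, architecture ignored."""
    return eval_criteria(reg, "AND", [(name_test_xp, False)])

def is_xp_x64(reg):
    """Tim's composition: extend def:105 AND a negated def:1353 (32-bit XP)."""
    return eval_criteria(reg, "AND", [(name_test_xp, False), (version_test_51, True)])

# Patch pairings from Tim's first table, keyed by the 5.x/6.x core version.
PATCH_FAMILY = {"5.1": "XP", "5.2": "XP x64 / 2003 / 2003 R2",
                "6.0": "Vista / 2008", "6.1": "7 / 2008 R2"}

def patch_family(reg):
    return PATCH_FAMILY.get(reg["CurrentVersion"], "unknown")

def compare(hosts):
    """Per host: name-based XP result, version-based result, XP-x64 composite, patch family."""
    return {h: (name_test_xp(r), version_test_51(r), is_xp_x64(r), patch_family(r))
            for h, r in hosts.items()}

if __name__ == "__main__":
    for host, row in compare(HOSTS).items():
        print(f"{host:9s} name={row[0]!s:5s} v5.1={row[1]!s:5s} xp_x64={row[2]!s:5s} patches={row[3]}")
```

Running it shows the disagreement Drew describes: the name-based test accepts both x64 hosts while the 5.1 version test rejects them, and those x64 hosts fall into the same patch family as Server 2003.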