[Xccdf-dev] Desired default behavior of the @selected attribute of xccdf:selectableItemType

joval
Greetings everyone,

I am wondering how other tool vendors are processing XCCDF groups and rules, when there is no @selected attribute present.  The XCCDF schema says that the default value is "true" -- meaning everything is selected unless otherwise indicated.

However, when I look at STIG content (e.g., U_Solaris_10_X86-V1R1_STIG_Benchmark), it appears to have been authored under the opposite assumption.  All the profiles defined in this benchmark have positive selectors (i.e., //Profile/select[@selected] = true), and none of the Group or Rule entities in the document have a "selected" attribute at all.

This means, regardless of the profile selected in the document, EVERY rule is going to be checked.  But is that right?  Is that what the author intended?  I don't think it is.

I also looked at the SCAP specification document to see if it indicates that the XCCDF selectableItemType@selected default value should be false, but I didn't notice anything suggesting that.

Regards,
--David Solin

--

jOVAL.org: SCAP Simplified.
Learn More | Features | Download


_______________________________________________
XCCDF-dev mailing list
[hidden email]
To unsubscribe, send an email message to [hidden email].

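The selection behaviour described in the post above (schema default of @selected = true, Profile/select overriding it per idref, and therefore every rule being evaluated when no item is ever deselected), as an added example that is not code from the thread, jOVAL, OpenSCAP or DISA: a small Python routine that computes the effective rule set of an XCCDF 1.2 benchmark for a given profile, plus a lint check that flags profiles which cannot change anything. Both benchmarks, all ids and the profile names are constructed for the example; Profile @extends and cluster-id matching are assumed absent from the input.

```python
"""Effective XCCDF rule selection under the documented @selected default.

Added example; not code from jOVAL, OpenSCAP or DISA. The two benchmarks
below are constructed, skeletal XCCDF 1.2 documents (no titles, versions
or checks) with made-up ids, used only to exercise the selection logic.
"""
import xml.etree.ElementTree as ET

NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}

# Constructed: mirrors the STIG pattern from the thread. No Group/Rule carries
# @selected (so each defaults to true) and every Profile only switches rules on.
STIG_STYLE = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2"
           id="xccdf_org.example_benchmark_stig-style">
  <Profile id="xccdf_org.example_profile_MAC-1">
    <select idref="xccdf_org.example_rule_1" selected="true"/>
    <select idref="xccdf_org.example_rule_2" selected="true"/>
  </Profile>
  <Profile id="xccdf_org.example_profile_MAC-3">
    <select idref="xccdf_org.example_rule_1" selected="true"/>
  </Profile>
  <Group id="xccdf_org.example_group_1">
    <Rule id="xccdf_org.example_rule_1"/>
    <Rule id="xccdf_org.example_rule_2"/>
  </Group>
  <Rule id="xccdf_org.example_rule_3"/>
</Benchmark>"""

# Constructed: the same benchmark authored the way the schema expects. Rules
# are off by default and Profiles opt them in; MAC-2 also deselects a Group,
# which hides every Rule beneath it even when the Rule itself is selected.
INTENDED_STYLE = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2"
           id="xccdf_org.example_benchmark_intended">
  <Profile id="xccdf_org.example_profile_MAC-1">
    <select idref="xccdf_org.example_rule_1" selected="true"/>
    <select idref="xccdf_org.example_rule_2" selected="true"/>
  </Profile>
  <Profile id="xccdf_org.example_profile_MAC-2">
    <select idref="xccdf_org.example_group_1" selected="false"/>
    <select idref="xccdf_org.example_rule_1" selected="true"/>
    <select idref="xccdf_org.example_rule_3" selected="true"/>
  </Profile>
  <Profile id="xccdf_org.example_profile_MAC-3">
    <select idref="xccdf_org.example_rule_1" selected="true"/>
  </Profile>
  <Group id="xccdf_org.example_group_1">
    <Rule id="xccdf_org.example_rule_1" selected="false"/>
    <Rule id="xccdf_org.example_rule_2" selected="false"/>
  </Group>
  <Rule id="xccdf_org.example_rule_3" selected="false"/>
</Benchmark>"""


def _xs_boolean(value, default):
    """Parse an xs:boolean attribute, falling back to the schema default."""
    if value is None:
        return default
    return value.strip() in ("true", "1")


def effective_rules(benchmark_xml, profile_id=None):
    """Return the ids of the Rules a scanner should evaluate.

    Simplified XCCDF 1.2 (NISTIR 7275) selection: every Group/Rule starts
    with its own @selected (default true); the chosen Profile's <select>
    elements override that per idref; a Rule is evaluated only if it and
    all of its ancestor Groups are selected.
    """
    root = ET.fromstring(benchmark_xml)
    overrides = {}
    if profile_id is not None:
        profile = root.find(f"x:Profile[@id='{profile_id}']", NS)
        if profile is None:
            raise KeyError(f"no Profile with id {profile_id!r}")
        for sel in profile.findall("x:select", NS):
            # The schema requires @selected on <select>; treat a missing one as true.
            overrides[sel.get("idref")] = _xs_boolean(sel.get("selected"), True)

    chosen = set()

    def walk(parent, ancestors_selected):
        for item in parent:
            kind = item.tag.rsplit("}", 1)[-1]
            if kind not in ("Group", "Rule"):
                continue
            own = overrides.get(item.get("id"),
                                _xs_boolean(item.get("selected"), True))
            selected = ancestors_selected and own
            if kind == "Rule":
                if selected:
                    chosen.add(item.get("id"))
            else:
                walk(item, selected)  # an unselected Group hides its subtree

    walk(root, True)
    return chosen


def profiles_that_change_nothing(benchmark_xml):
    """Lint for the authoring trap: Profiles whose <select> elements leave the
    effective rule set identical to the Benchmark's own defaults."""
    root = ET.fromstring(benchmark_xml)
    baseline = effective_rules(benchmark_xml)
    return [p.get("id") for p in root.findall("x:Profile", NS)
            if effective_rules(benchmark_xml, p.get("id")) == baseline]
```

On STIG_STYLE, effective_rules returns all three rules for either profile and for no profile at all, which is exactly the behaviour the post describes, and profiles_that_change_nothing lists both profiles. On INTENDED_STYLE, no profile yields nothing, MAC-1 and MAC-3 yield only the rules they opt in, and MAC-2 yields only rule_3, because the deselected Group hides rule_1 even though the profile selects it.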


Re: [Xccdf-dev] Desired default behavior of the @selected attribute of xccdf:selectableItemType

Simon Lukasik
On 06/11/2013 06:36 PM, David Solin wrote:
Hello David,

I believe that your findings are correct. I call this phenomenon:

    the XCCDF trap into which authors often fell

and I have written a blog post about it in December [1]. Nevertheless, it would
be great if someone could amend the STIG guidance.

The problem here is that there are certified scanners in the field which
process STIG guidance as the STIG authors meant, while not following
NISTIR-7275.

Best regards,

--
Simon Lukasik
Security Technologies

[1]: http://isimluk.livejournal.com/#post-isimluk-2848

Re: [Xccdf-dev] Desired default behavior of the @selected attribute of xccdf:selectableItemType

Alleman, Brady G CTR DISA FSO (US)
David,

We agree that current STIG content is not using XCCDF rule selection correctly.  This is an artifact of our content management system, which is being addressed.

Respectfully,

--
Brady Alleman
[hidden email]
Phone: +1-717-267-9978 (o)
tapestry technologies
DISA FSO, IA Standards (CTR)



Re: [Xccdf-dev] [scap-dev] Desired default behavior of the @selected attribute of xccdf:selectableItemType

joval
Thanks everyone, that's good to know.

On 6/12/2013 10:27 AM, Alleman, Brady G CTR DISA FSO (US) wrote:

--

jOVAL.org: SCAP Simplified.
Learn More | Features | Download

