|
|
30358
|
Remove default value from var_check attribute. |
Closed |
2011-05-03 |
Fixed |
|
Priority:
Medium
| Category:
Definition Schemas
| Date Closed:
2011-06-14 15:16:13
|
|
Details:
In the EntityAttributeGroup, the var_check attribute currently has a default value of "all". The intent is that if there is a var_ref attribute but var_check is not present, var_check should be considered to be "all". However, by specifying the default "all", then when using a schema aware or validating parser a var_check attribute is always created with the value "all" - even if it is not appropriate to have a var_check attribute. This causes Schematron validation errors which enforce that when there is a var_check there should also be a var_ref.
The solution is to remove the default value and add a description of the expected behavior when var_ref is present but var_check is not present to the documentation/specification.
|
|
Follow-ups:
Date Added: 2011-05-03 19:06:19
See the associated item 24683. It states that a var_check is not required, but a best practice. The Schematron message says "a var_check must also be provided". I changed the message to say "a var_check should also be provided".
Date Added: 2011-06-10 18:02:16
This change will be included in draft 2 of version 5.10.
|
|
|
30359
|
Add explicit default "datatype" attribute values for EntityXxxxxType complex types. |
Closed |
2011-05-03 |
Fixed |
|
Priority:
Medium
| Category:
Definition Schemas
| Date Closed:
2011-06-14 15:16:00
|
|
Details:
Many of the EntityXxxxxType complex types do not have an explicit default value for the "datatype" attribute. It was believed that the default value would be inherited from the EntitySimpleBaseType, but testing has revealed this not to be the case.
|
|
Follow-ups:
Date Added: 2011-05-13 12:49:45
All instances of the datatype attribute have been made required with a fixed or enumerated values, or optional with a default value of "string".
Date Added: 2011-06-10 18:01:58
This change will be included in draft 2 of version 5.10.
|
|
|
30360
|
Make datatype attribute required for EVRStringTypes |
Closed |
2011-05-03 |
Fixed |
|
Priority:
Medium
| Category:
Definition Schemas
| Date Closed:
2011-06-14 15:15:20
|
|
Details:
Currently in oval-definitions-schema.xsd Entity(State|Object)EVRStringType have the use of the datatype attribute set to "optional". It should be required. It is required in the System Characteristics schema.
|
|
Follow-ups:
Date Added: 2011-06-10 18:01:25
This change will be included in draft 2 of version 5.10.
|
|
|
30493
|
Create a single "test" to be used for all tests. |
Closed |
2011-05-11 |
Deferred |
|
Priority:
Medium
| Category:
Definition Schemas
| Date Closed:
2011-06-27 16:48:16
|
|
Details:
Currently, there are myriad xxx_test elements. All of these elements contain object and subject references. Since all of the tests are structurally the same, they could be replaced by a single, universal "test".
|
|
Follow-ups:
Date Added: 2011-05-11 17:03:10
An implementation of this was presented at the Spring 2011 SCAP Developer Days. The community was divided on the proposal and so it has been deferred - possibly for consideration in OVAL 6.0
|
|
|
30952
|
Schematron rules for objects in EntityAttributeGroup go to the wrong level. |
Closed |
2011-06-08 |
Fixed |
|
Priority:
Medium
| Category:
Definition Schemas
| Date Closed:
2011-07-25 14:32:40
|
|
Details:
The EntityAttributeGroup contains Schematron rules related to var_ref and var_check attributes. The rules search for the applicable context using */* XPath pattern. For objects, the path should always be objects/*/* as there are no deeper elements, but some of the rules have */*/*. These ought to be fixed.
However, there are changes to the language being planned that would create items at this third level down. So while the current rules are not correct, they are not causing any problems and may be put in force soon.
|
|
Follow-ups:
Date Added: 2011-07-19 11:30:48
Due to the fact that we ow have a EntityObjectRecordType we need to add */*/* to match the lower level field elements that are part of a record.
This change will be included in the version 5.10 release candidate.
|
|
|
25830
|
clarify the interpretation of filesystem searching behaviors |
Closed |
2010-04-23 |
Fixed |
|
Priority:
Medium High
| Category:
Definition Schemas
| Date Closed:
2011-08-26 17:05:55
|
|
Details:
There are different ways one might implement filesystem searching behaviors. As of this writing, the interpreter reference implementation implements a model where behaviors are applied in a second phase, after all items matching the relevant entities are found. E.g. for recurse_direction, those directories form the base from which upward and downward recursion is done.
That model is counterintuitive for recurse_file_system. For example, if you specify recurse_file_system=defined and an entity specifies some files/directories on C:\ with operation=pattern match, you probably intend for only files/directories on the C drive which match the entities to be collected. But if you implement the behavior in the two phases described above, first you will get everything on the C drive and all filesystems mounted on it, and that will constitute the "defined" filesystems for the behaviors, not just the C drive filesystem.
So we need to clarify what these behaviors really mean, especially in the face of entities which use operation=pattern match, which can cause their own filesystem traversals.
|
|
Follow-ups:
Date Added: 2010-04-24 17:26:10
Related discussion:
> >I just wanted to us to be clear about this. Perhaps we should specifically
> >say
> >that recurse_file_system=all or local applies to all paths, even before the
> >recurse_direction behavior is applied. recurse_file_system=defined only
> >applies
> >during application of the recurse_direction behavior, simply because it's
> >too
> >hard to figure out what filesystems are defined from a regex. Or we could
> >say
> >that recurse_file_system=defined only applies to all paths, even before
> >recursion behavior is applied, when the path entity uses one of the
> >equals/not
> >equals operations. If the pattern match operation is used,
> >recurse_file_system=defined may only reasonably be applied after the
> >filesystems
> >are first defined by finding all matches to the pattern. And be clear that
> >that
> >could include a lot more filesystems than may be intended.
> >
This sounds right. If a use specifies a regex I don't think the 'defined' value for the behavior makes sense.
(defined may not make sense at all with operation=pattern match?)
Date Added: 2010-04-24 17:29:18
schema documentation for recurse_file_system:
"'recurse_file_system' defines the file system limitation of any recursion, either 'local' limiting data collection to local file systems (as opposed to file systems mounted from an external system), or 'defined' to keep any recursion within the file system that the file_object (path+filename) has specified. The default value is 'all' meaning to use all available file systems for data collection."
... the recurse_file_system behavior does not say anything about how it does or does not relate to the recurse_direction behavior.
(should add that recurse_direction enables/disables recurse_file_system?)
Date Added: 2010-04-24 17:33:12
> >Another related point: it is documented that recursion behaviors are not
> >applicable when the filepath entity is used. Actually, if we decide that
> >behaviors apply when matching a pattern in the first phase, it would be
> >just as
> >applicable to filepath as when the path entity is used, when
> >operation=pattern
> >match. In fact, the FileFinder implementation for this actually calls
> >FindPaths
> >(see AbsFileFinder::GetFilePathsForPattern) to recursively search
> >directories,
> >and I had to pass in a recursion policy object that allowed everything,
> >since
> >that's how my modified API works. I could just as easily create a
> >different
> >filesystem recursion policy object, if we decided it was applicable to
> >filepath's.
> >
I still don't think the recurse_direction and max_depth make sense for file paths. However, I think that recurse_file_system=local and recurse_file_system=all apply with a filepath. I think this would be consistent with your suggestion above.
(document some behaviors to also be applicable to filepath?)
Date Added: 2011-08-12 00:24:18
The following clarifications were made for the second release candidate of version 5.10:
- clarified that the max_depth behavior has a default value of -1 meaning no limitation to recursion. This applies to all occurrences of the max-depth behavior.
- clarified the documentation on the recurse_file_system behavior to indicate that this behavior is always applicable. Added note that it is recommended to limit searching to the local file systems only. Added note that the defined value only applies when using an equality operation. Added Schematron rule to report errors when the 'defined' value is used and the operation is not 'equals'.
- clarified documentation on max_depth, recurse_direction, and recurse to state that they only apply with an equality operation. Registry related behaviors of the same name were also clarified.
|
|
|
28156
|
splist_object doesn't uniquely identify a list |
Closed |
2010-10-27 |
Deferred |
|
Priority:
Very Low
| Category:
Definition Schemas
| Date Closed:
2011-07-19 01:34:05
|
|
Details:
splist_item has fields which are easily obtainable from a Sharepoint SPList
object, but splist_object does not uniquely specify an SPList object to read.
splist_item doesn't have enough entities to be able to differentiate one item
from another.
splist_object has one entity, spsiteurl, which ostensibly identifies an SPSite.
SPSite objects contain SPWeb objects, and SPWeb objects contain SPList objects.
splist_item has the spsiteurl entity, and a few other non-identifying entities,
which come from an SPList object.
We need to clarify the meaning of this test, and probably add some more
identifying entities to the oval object and/or item.
|
|
Follow-ups:
Date Added: 2011-07-19 01:34:04
It looks like in the SPWeb object there is a GetList() method which allows you to specify the server-relative url of a SPList in SPWeb object. So at a minimum, we will at least need to specify the server-relative url of the list.
GetList() Method
http://msdn.microsoft.com/en-us/library/microsoft.sharepoint.spweb.getlist.aspx
We could simply search for the SPLists in any of the SPWeb objects in a SPSite or we could specify a single SPWeb object to search for the SPLists. We need to decide what was intended for this test.
As a result, this tracker item will be deferred for the OVAL 5.10 release until we can investigate it further.
|
|
|
28199
|
update documentation to reflect that the spsiteadministration test uses the SPQuota object |
Closed |
2010-10-29 |
Fixed |
|
Priority:
Very Low
| Category:
Definition Schemas
| Date Closed:
2011-07-25 14:32:45
|
|
Details:
spsiteadministration_object is documented to get values from the SPSiteAdministration SharePoint object. The one object entity is a site url. The item entities simply represent some storage quota limits. Those values are retrieved from an SPQuota object returned by the Quota property of an SPSite. You never actually need to use SPSiteAdministration at all. The reference implementation does not use the SPSiteAdministration object.
|
|
Follow-ups:
n/a
|
|
|
29511
|
Need a none-of-the-above value for lin-def:EntityStateFileSystemTypeType |
Closed |
2011-03-16 |
Fixed |
|
Priority:
Medium
| Category:
Definition Schemas
| Date Closed:
2011-06-14 15:16:33
|
|
Details:
We are bound to encounter filesystem types which don't have a corresponding value in the lin-def:EntityStateFileSystemTypeType enumeration. We need a special value to use for this.
|
|
Follow-ups:
Date Added: 2011-05-17 12:38:57
Added "UNKNOWN" to enumeration.
Date Added: 2011-06-10 18:01:35
This change will be included in draft 2 of version 5.10.
|
|
|
29512
|
Need a none-of-the-above value for linux-sc:EntityStateFileSystemTypeType |
Closed |
2011-03-16 |
Fixed |
|
Priority:
Medium
| Category:
System Characteristics Schemas
| Date Closed:
2011-06-14 15:15:09
|
|
Details:
We are bound to encounter filesystem types which don't have a corresponding
value in the linux-sc:EntityStateFileSystemTypeType enumeration. We need a
special value to use for this.
|
|
Follow-ups:
Date Added: 2011-05-12 18:28:11
Added value "UNKNOWN" to linux-definitions-schema.xsd and linux-system-characteristics-schema.xsd.
Date Added: 2011-06-10 18:01:11
This change will be included in draft 2 of version 5.10.
|
|
|
29906
|
rpmverify: allow the filepath entity to refer to directories |
Closed |
2011-04-05 |
Fixed |
|
Priority:
Medium
| Category:
Definition Schemas
| Date Closed:
2011-06-14 15:12:28
|
|
Details:
The 'rpm' tool can do some verifications on directories, but the schema documentation says the filepath entity cannot refer to directories. That means some possible verification failures cannot be represented, resulting in false negatives. We need to allow the filepath entity to refer to directories.
|
|
Follow-ups:
Date Added: 2011-06-09 17:25:37
Added path & filename elements as found in file_object & state.
Date Added: 2011-06-10 12:29:51
Reverted that change to allow a choice between path+filename and filepath. In this case the change will be to simply remove the documentation that said a directory cannot be expressed in the filepath entity.
The revised documentation now says, "The filepath element specifies the absolute path for a file or directory in the specified package."
This change will be available in draft 2 of version 5.10
|
|
|
29970
|
Split rpmverify test into two tests |
Closed |
2011-04-08 |
Fixed |
|
Priority:
Medium
| Category:
Definition Schemas
| Date Closed:
2011-08-26 17:08:14
|
|
Details:
The rpmverify test as it is currently defined is really a file-based test. The behaviors which affect package-global verifications really don't belong there. We need to split the package global parts into a different test. Those behaviors include nodeps, noscripts, nosignature, nodigest. The nofiles behavior would not make sense anymore.
Suggestions include moving those verifications into the rpminfo test, or creating a new test, e.g. rpmverifypackage or rpmverifyrpm.
|
|
Follow-ups:
Date Added: 2011-07-20 01:05:26
Due to discussion with the community, it has been decided that the rpmverify test should not be broken up into two tests. Please see the following oval-developer-list post for more information.
http://making-security-measurable.1364806.n2.nabble.com/linux-rpmverify-test-file-vs-package-global-verifications-tp6255327p6255327.html
As a result, the dependency_check_passed, digest_check_passed, verification_script_successful, and signature_check_passed entities were added to hold the results of these checks during rpm verification. Documentation was also added to the nofiles behavior to state that when nofiles behavior is used, the file-based verification checks shouldn't be collected.
These changes will be available in OVAL 5.10 release candidate 1.
Date Added: 2011-08-23 16:47:45
After further consideration, it makes more sense to split the rpmverify_test into two different tests (rpmverifyfile_test and rpmverifypackage_test). The rpmverifyfile_test will handle all verification checks for the files in an rpm whereas the rpmverifypackage_test will handle all verification checks for the rpm as a whole.
Date Added: 2011-08-24 18:08:24
This change will be available in OVAL 5.10 Release Candidate 2.
|
|
|
30044
|
Need to support empty value in filename entities when operation=pattern match |
Closed |
2011-04-13 |
Fixed |
|
Priority:
Medium
| Category:
Definition Schemas
| Date Closed:
2011-06-14 15:14:09
|
|
Details:
There is a schematron check for the filename entity in the file_test which causes an error if the filename entity has an empty value but there is no var_ref or xsi:nil attributes. This is incorrect because the empty string is a valid regular expression, so should be allowed if operation="pattern match", with no var_ref or xsi:nil attributes.
|
|
Follow-ups:
Date Added: 2011-05-13 12:40:02
For all filename Schematron rules that enforced the name could not be empty (all objects with filename elements) added a rule to check that the operation is not "pattern match" as an empty string is a valid pattern.
Date Added: 2011-05-16 15:29:33
Yes, I would like the schema to align with these two rules.
-Danny
>-----Original Message-----
>From: Baker, Jon
>Sent: Friday, May 13, 2011 8:15 PM
>To: Haynes, Dan; Jacobsen, Jasen
>Cc: Chisholm, Michael A.; oval-team-list
>Subject: RE: [ oval OVAL Schema Item #30044] Need to support empty value
>in filename entities when operation=pattern match (trackeritem-30044)
>
>I think we are agreeing that:
>
>1- any time the datatype is s string the value can be the empty string
>2- when nil or var_ref are used the value must be the empty string
>
>This is slightly different than what is currently committed to svn trunk. Are
>you guys confortable with updating the schema to align with the above
>statement?
>
>Jon
>
>============================================
>Jonathan O. Baker
>G022 - IA Industry Collaboration
>The MITRE Corporation
>Email: bakerj@mitre.org
>
>
>>-----Original Message-----
>>From: Haynes, Dan
>>Sent: Friday, May 13, 2011 11:54 AM
>>To: Baker, Jon; Jacobsen, Jasen
>>Cc: Chisholm, Michael A.
>>Subject: RE: [ oval OVAL Schema Item #30044] Need to support empty value
>in
>>filename entities when operation=pattern match (trackeritem-30044)
>>
>>Yeah, the schema for the various datatypes will do this. However, I am
>>thinking that we don't even want the Schematron rule that allows the empty
>>string only when pattern match is used with filename entities. I think we
>>always want to allow the empty string as a value and Schematron enforce it
>>when nil and var_ref are used.
>>
>>-Danny
>>
Date Added: 2011-06-10 18:00:42
An empty string is now allowed when a pattern match is used.
This change will be included in draft 2 of version 5.10.
|
|
|
30918
|
plist_object needs an instance entity |
Closed |
2011-06-03 |
Fixed |
|
Priority:
Medium
| Category:
Definition Schemas
| Date Closed:
2011-07-25 14:32:42
|
|
Details:
An "instance" entity was added to plist_item to disambiguate same-named keys. That entity needs to also be added to plist_object, so that those items can be uniquely identified.
|
|
Follow-ups:
Date Added: 2011-06-30 13:59:44
This change may require the creation of a plist510_test. The instance entity will be require in the plist_object with will invalidate any content written against the current version 5.9 and earlier definition of the plist_test.
Date Added: 2011-07-19 00:16:53
This change will be included in the first release candidate for version 5.10
|
|
|
11802
|
add a new test for windows rights inheritance settings |
Closed |
2007-05-16 |
Rejected |
|
Priority:
Very Low
| Category:
n/a
| Date Closed:
2011-08-29 12:22:44
|
|
Details:
requested by NIST on 5/9/07. Need a way to test the file permission inheritance settings.
|
|
Follow-ups:
Date Added: 2009-05-11 15:24:13
Is there more information on this tracker item? If it is s simple test addition should we be adding it to version 5.6?
Date Added: 2011-06-14 15:48:54
Rejecting this item due to lack of additional information.
|
|
|
12994
|
add win-def:sharedresourceeffectiverights_test and win-def:sharedresourceauditedpermissions_test |
Closed |
2007-09-13 |
Fixed |
|
Priority:
Medium High
| Category:
Definition Schemas
| Date Closed:
2011-07-25 14:32:50
|
|
Details:
Does OVAL have a way to itemize user-level share permissions for a directory? For example, some security templates state items such as "Everyone" should not be included in the Share permissions on any shared folder. It seems as though the Windows <fileeffectiverights53_test> and correlated objects and states check for Windows NTFS-style file permissions (Security tab) and that the <sharedresource_test> itemizes FAT file system style Share-level permissions. But I have not found how to check NT-style user-level share permissions (i.e., clicking the "Permissions" button on the Sharing tab).
The <sharedresource_object> does not seem to have a method for identifying a "trustee_sid" to check the share permissions of...
|
|
Follow-ups:
Date Added: 2010-08-05 11:57:10
This item was requested in the following email message:
http://making-security-measurable.1364806.n2.nabble.com/question-about-windows-share-permissions-tp23464p23464.html
Date Added: 2011-07-14 17:17:24
A shared resource test for both the SACL and the DACL is needed. This would be similar to the fileeffectiverights53_test and the fileauditedpermissions53_test.
Date Added: 2011-07-15 11:12:40
sharedresourceeffectiverights_test and sharedresourceauditedpermissions_test
Date Added: 2011-07-15 12:06:18
This request will be deferred from version 5.10 given that there is not current community support for the test.
If this tests is reconsidered, the GetNamedSecurityInfo can be used to get information about a SE_LMSHARE as defined in the SE_OBJECT_TYPE Enumeration. However, at this time there does not appear to be a well documented set of object specific right for this sort of object.
Date Added: 2011-07-19 14:33:10
The win-def:sharedresourceeffectiverights_test and the win-def:sharedresourceauditedpermissions_test have been added and will be available in the release candidate for OVAL 5.10.
|
|
|
17373
|
add a new test for active network connections on windows |
Closed |
2008-10-01 |
Rejected |
|
Priority:
Very Low
| Category:
n/a
| Date Closed:
2011-08-29 12:22:58
|
|
Details:
Submitted by Ken Lassesen on 8/10/2008 to the developer list
------------------------------------------------------------
I would like the data available to be all of the items obtainable from
Netstat -an
i.e -a -b -e -f -n -o -p -r -s -t
port_test
* add state, add foreign address (if you wish to test that there are
only connections to an internal set of addresses, we need this).
Active Connections
Proto Local Address Foreign Address State
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:443 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1080 0.0.0.0:0 LISTENING
TCP 0.0.0.0:2869 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING
TCP 0.0.0.0:5357 0.0.0.0:0 LISTENING
TCP 0.0.0.0:11478 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49152 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49153 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49154 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49155 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49157 0.0.0.0:0 LISTENING
TCP 127.0.0.1:5354 0.0.0.0:0 LISTENING
TCP 127.0.0.1:27015 0.0.0.0:0 LISTENING
TCP 127.0.0.1:27015 127.0.0.1:49262 ESTABLISHED
TCP 127.0.0.1:49262 127.0.0.1:27015 ESTABLISHED
TCP 127.0.0.1:49307 0.0.0.0:0 LISTENING
TCP 127.0.0.1:62514 0.0.0.0:0 LISTENING
TCP 172.16.0.24:139 0.0.0.0:0 LISTENING
TCP 172.16.0.24:49394 207.46.106.16:1863 ESTABLISHED
TCP 172.16.0.24:49415 207.81.255.218:51740 ESTABLISHED
TCP 172.16.0.24:49867 84.244.181.105:80 CLOSE_WAIT
TCP 172.16.0.24:50296 209.85.173.147:80 CLOSE_WAIT
TCP 172.16.0.24:50309 204.2.136.107:80 CLOSE_WAIT
TCP 172.16.0.24:50310 204.2.136.107:80 CLOSE_WAIT
TCP 172.16.0.24:50359 172.16.0.100:445 ESTABLISHED
TCP 172.16.0.24:50404 66.210.59.247:80 ESTABLISHED
TCP 172.16.0.24:50406 12.47.174.75:135 SYN_SENT
TCP 192.168.0.3:139 0.0.0.0:0 LISTENING
TCP [::]:80 [::]:0 LISTENING
TCP [::]:135 [::]:0 LISTENING
TCP [::]:445 [::]:0 LISTENING
TCP [::]:1080 [::]:0 LISTENING
TCP [::]:2869 [::]:0 LISTENING
TCP [::]:3389 [::]:0 LISTENING
TCP [::]:5357 [::]:0 LISTENING
TCP [::]:49152 [::]:0 LISTENING
TCP [::]:49153 [::]:0 LISTENING
TCP [::]:49154 [::]:0 LISTENING
TCP [::]:49155 [::]:0 LISTENING
TCP [::]:49157 [::]:0 LISTENING
TCP [::1]:49308 [::]:0 LISTENING
??? PortIP4_object
IPv4 Statistics
Packets Received = 52035
Received Header Errors = 0
Received Address Errors = 7907
Datagrams Forwarded = 0 <== A potential security
concern
Unknown Protocols Received = 0 <== A potential security
concern
Received Packets Discarded = 20378
Received Packets Delivered = 58879
Output Requests = 38648
Routing Discards = 0 <== A potential security
concern
Discarded Output Packets = 1278
Output Packet No Route = 7 <== A potential security
concern
Reassembly Required = 0
Reassembly Successful = 0
Reassembly Failures = 0
Datagrams Successfully Fragmented = 0
Datagrams Failing Fragmentation = 0
Fragments Created = 0
??? PortIP6_object
IPv6 Statistics
Packets Received = 119
Received Header Errors = 0
Received Address Errors = 30
Datagrams Forwarded = 0
Unknown Protocols Received = 0
Received Packets Discarded = 89
Received Packets Delivered = 3114
Output Requests = 3295
Routing Discards = 0
Discarded Output Packets = 0
Output Packet No Route = 0
Reassembly Required = 0
Reassembly Successful = 0
Reassembly Failures = 0
Datagrams Successfully Fragmented = 0
Datagrams Failing Fragmentation = 0
Fragments Created = 0
??? PortICMP4_object
ICMPv4 Statistics
Received Sent
Messages 2195 485
Errors 0 0
Destination Unreachable 2195 485
Time Exceeded 0 0
Parameter Problems 0 0
Source Quenches 0 0
Redirects 0 0
Echo Replies 0 0
Echos 0 0
Timestamps 0 0
Timestamp Replies 0 0
Address Masks 0 0
Address Mask Replies 0 0
Router Solicitations 0 0
Router Advertisements 0 0
??? PortICMP6_object
ICMPv6 Statistics
Received Sent
Messages 3 19
Errors 0 0
Destination Unreachable 0 0
Packet Too Big 0 0
Time Exceeded 0 0
Parameter Problems 0 0
Echos 0 0
Echo Replies 0 0
MLD Queries 0 0
MLD Reports 0 0
MLD Dones 0 0
Router Solicitations 0 15
Router Advertisements 3 0
Neighbor Solicitations 0 4
Neighbor Advertisements 0 0
Redirects 0 0
Router Renumberings 0 0
TCP Statistics for IPv4
Active Opens = 1230
Passive Opens = 3
Failed Connection Attempts = 511
Reset Connections = 381
Current Connections = 11
Segments Received = 28402
Segments Sent = 20971
Segments Retransmitted = 2006
TCP Statistics
fo======================================================================
=====
Interface List
11 ...00 1a 73 d7 99 c7 ...... Broadcom 802.11b/g WLAN
10 ...00 1e 37 67 34 83 ...... Bluetooth Device (Personal Area Network)
8 ...00 1b 24 d0 d2 83 ...... NVIDIA nForce Networking Controller
1 ........................... Software Loopback Interface 1
13 ...00 00 00 00 00 00 00 e0
isatap.{0B946E98-5AB6-488A-A4FC-F66E6E99A5B6}
12 ...00 00 00 00 00 00 00 e0
isatap.{E738985D-C727-4B72-A64C-C5C2F499DC55}
15 ...02 00 54 55 4e 01 ...... Teredo Tunneling Pseudo-Interface
14 ...00 00 00 00 00 00 00 e0
isatap.{3C4C231C-BD71-4AC7-A165-5023550969D3}
22 ...00 00 00 00 00 00 00 e0
isatap.{0B946E98-5AB6-488A-A4FC-F66E6E99A5B6}
========================================================================
===
??? PortRoute4_object
IPv4 Route Table
========================================================================
===
Active Routes:
Network Destination Netmask Gateway Interface
Metric
0.0.0.0 0.0.0.0 172.16.0.1 172.16.0.24
20
0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.3
40
127.0.0.0 255.0.0.0 On-link 127.0.0.1
306
127.0.0.1 255.255.255.255 On-link 127.0.0.1
306
127.255.255.255 255.255.255.255 On-link 127.0.0.1
306
169.254.0.0 255.255.0.0 On-link 172.16.0.24
30
169.254.255.255 255.255.255.255 On-link 172.16.0.24
276
172.16.0.0 255.255.255.0 On-link 172.16.0.24
276
172.16.0.24 255.255.255.255 On-link 172.16.0.24
276
172.16.0.255 255.255.255.255 On-link 172.16.0.24
276
192.168.0.0 255.255.255.0 On-link 192.168.0.3
296
192.168.0.3 255.255.255.255 On-link 192.168.0.3
296
192.168.0.255 255.255.255.255 On-link 192.168.0.3
296
224.0.0.0 240.0.0.0 On-link 127.0.0.1
306
224.0.0.0 240.0.0.0 On-link 172.16.0.24
276
224.0.0.0 240.0.0.0 On-link 192.168.0.3
296
255.255.255.255 255.255.255.255 On-link 127.0.0.1
306
255.255.255.255 255.255.255.255 On-link 172.16.0.24
276
255.255.255.255 255.255.255.255 On-link 192.168.0.3
296
========================================================================
===
Persistent Routes:
None
??? PortRoute6_object
IPv6 Route Table
========================================================================
===
Active Routes:
If Metric Network Destination Gateway
15 18 ::/0 On-link
1 306 ::1/128 On-link
15 18 2001::/32 On-link
15 266 2001:0:4137:9e50:3c79:1e6a:b9f9:30e3/128
On-link
8 276 fe80::/64 On-link
11 296 fe80::/64 On-link
15 266 fe80::/64 On-link
15 266 fe80::3c79:1e6a:b9f9:30e3/128
On-link
8 276 fe80::854c:9974:5f90:e196/128
On-link
11 296 fe80::e47b:a5ea:6279:2950/128
On-link
1 306 ff00::/8 On-link
15 266 ff00::/8 On-link
8 276 ff00::/8 On-link
11 296 ff00::/8 On-link
========================================================================
===
Persistent Routes:
None
r IPv6
Active Opens = 2
Passive Opens = 1
Failed Connection Attempts = 1
Reset Connections = 2
Current Connections = 0
Segments Received = 17
Segments Sent = 15
Segments Retransmitted = 2
UDP Statistics for IPv4
Datagrams Received = 5771
No Ports = 1395
Receive Errors = 17223
Datagrams Sent = 15051
UDP Statistics for IPv6
Datagrams Received = 133
No Ports = 3
Receive Errors = 86
Datagrams Sent = 3008
This information is NOT available by any current windows WMI object that
I could find.
|
|
Follow-ups:
Date Added: 2009-05-11 15:47:58
Any thoughts on this test? Should we add it to a second draft of version 5.6?
Date Added: 2011-06-14 15:52:30
Rejecting this request since there has been no further community interest in this item.
|
|
|
17374
|
add additional protocols to the win-def:port_test |
Closed |
2008-10-01 |
Rejected |
|
Priority:
Very Low
| Category:
n/a
| Date Closed:
2011-08-29 12:23:16
|
|
Details:
The former CS instructor is me would be tempted to say yes because a
protocol is OS independent.
SCTP is specified as being used on the IANA port list, and, of course:
http://www.iana.org/assignments/sctp-parameters
http://www.iana.org/assignments/rtp-parameters
http://wiki.wireshark.org/RTP is interesting because it has pictures of
a scanner and we also see H.245 listed as a protocol (as well as H225,
H245, RTP and RTCP):
More important, the RFC describes it as a protocol:
RFC3550 RTP: A Transport Protocol for Real-Time Applications
http://www.cs.columbia.edu/~hgs/rtp/faq.html#transport actually
discusses the issue and lands on it being a transport protocol.
In theory, we should also add an "UNKNOWN" for proprietary transport
protocols.
-----Original Message-----
From: Buttner, Drew [mailto:abuttner@MITRE.ORG]
Sent: Monday, August 11, 2008 4:47 AM
To: OVAL-DEVELOPER-LIST@LISTS.MITRE.ORG
Subject: Re: [OVAL-DEVELOPER-LIST] Addendu, to port_state
Ken,
I don't personally have knowledge of these, but did 5 minutes of
research and found information on SCTP. I noticed that SCTP (Stream
Control Transmission Protocol) is available on windows via a 3rd party
add-in.
I couldn't find information on DDCP.
For RTP (Real-time Transport Protocol), the information I looked at
seemed to suggest that it is build on top of UDP. Is this really a
separate protocol in terms of the OVAL test?
I did find the following site that lists all the assigned internet
protocols. SCTP is in the list, but the other two are not.
http://www.iana.org/assignments/protocol-numbers
Are all of these valid for the Windows port_test - 'protocol' entity?
Thanks
Drew
>-----Original Message-----
>From: Ken Lassesen [mailto:ken.lassesen@LUMENSION.COM]
>Sent: Sunday, August 10, 2008 3:12 PM
>To: oval-developer-list OVAL Developer List/Closed Public Discussion
>Subject: [OVAL-DEVELOPER-LIST] Addendu, to port_state
>
>Currently UDP and TCP are the only allowed values:
>
>Checking http://www.iana.org/assignments/port-numbers,
>
>We should add:
>+ sctp
>+ ddcp
>+ RTP
>
>To unsubscribe, send an email message to LISTSERV@LISTS.MITRE.ORG with
>SIGNOFF OVAL-DEVELOPER-LIST
>in the BODY of the message. If you have difficulties, write to OVAL-
>DEVELOPER-LIST-request@LISTS.MITRE.ORG.
To unsubscribe, send an email message to LISTSERV@LISTS.MITRE.ORG with
SIGNOFF OVAL-DEVELOPER-LIST
in the BODY of the message. If you have difficulties, write to
OVAL-DEVELOPER-LIST-request@LISTS.MITRE.ORG.
To unsubscribe, send an email message to LISTSERV@LISTS.MITRE.ORG with
SIGNOFF OVAL-DEVELOPER-LIST
in the BODY of the message. If you have difficulties, write to OVAL-DEVELOPER-LIST-request@LISTS.MITRE.ORG.
|
|
Follow-ups:
Date Added: 2009-05-04 13:56:50
Danny. having just completed the port _test, can you verify that this makes sense to add?
Date Added: 2011-06-14 15:53:44
Rejecting this item due to lack of community support.
|
|
|
27121
|
hpux-def:getconf_object/pathname entity should be nillable |
Closed |
2010-07-29 |
Fixed |
|
Priority:
Medium High
| Category:
Definition Schemas
| Date Closed:
2011-06-14 15:15:39
|
|
Details:
Currently the documentation for this entity says "This is the pathname to check. Note that pathname is optional in the getconf call. An empty pathname in OVAL should be interpreted as if it was not supplied to the getconf call."
Normally in OVAL the condition described where the pathname is not supplied is supported by making the entity nillable.
|
|
Follow-ups:
Date Added: 2010-08-05 12:01:50
For the time being this item should be left as is since there are not currently any known issues with the item. However, with the next major revision this issue should be corrected.
Date Added: 2011-06-09 12:44:46
Made pathname nillable.
Date Added: 2011-06-10 17:58:24
This change will be included in draft 2 of version 5.10.
|
|
|
27201
|
document the unix-def:xinetd_test, unix-def:xinetd_object, unix-def:xinetd_state, and unix-sc:xinetd_item |
Closed |
2010-08-05 |
Fixed |
|
Priority:
Very Low
| Category:
n/a
| Date Closed:
2011-05-13 11:09:30
|
|
Details:
The documentation is currently missing from most of these items.
|
|
Follow-ups:
Date Added: 2011-05-13 11:01:30
Fixed in version 5.10 Draft 1.
|
|
|
29139
|
create a gobal oval-def:definition element |
Closed |
2011-02-02 |
Fixed |
|
Priority:
Very Low
| Category:
Definition Schemas
| Date Closed:
2011-04-12 17:05:42
|
|
Details:
A request was made to create a global element for defintion in the oval-definitions-schema and change the DefinitionsType (and any other uses of DefinitionType) to reference the new element.
This will allow OVAL definitions to be standalone XML instances just like states, objects, tests, and variables. This would provide a namespace aware method for storing the definition as an XML fragment that is not as easy to do today.
This topic was discussed on the oval-developer-list here:
http://making-security-measurable.1364806.n2.nabble.com/REMINDER-Version-5-9-Release-Candidate-Planned-for-Tomorrow-tp5980952p5981434.html
|
|
Follow-ups:
Date Added: 2011-03-01 00:08:35
This issue has been fixed int he first draft of version 5.10
|
|
|
30052
|
improve documentation of unix-def:FileBehaviors |
Closed |
2011-04-14 |
Duplicate |
|
Priority:
Medium High
| Category:
Definition Schemas
| Date Closed:
2011-06-08 11:34:18
|
|
Details:
The file behaviors in the unix-definitions-schema need to be documented more explicitly. Add documentation to each value
|
|
Follow-ups:
Date Added: 2011-06-07 16:25:31
The behaviors appear to be documented. I'm unclear what needs to be added.
Date Added: 2011-06-07 17:40:25
Is this a duplicate of tracker #25830? I added that one awhile ago now, with a lot more information.
Date Added: 2011-06-08 11:34:17
Closing this item as a duplicate of #25830
|
|
|
30891
|
add <last_write_time> entity to the <win-def:registry_state> and <win-sc:registry_item> |
Closed |
2011-06-02 |
Fixed |
|
Priority:
Medium
| Category:
n/a
| Date Closed:
2011-06-14 15:17:16
|
|
Details:
This information is available via the RegQueryInfoKey API (lpftLastWriteTime parameter).
This timestamp is useful when combined with other information for the detection of malicious artifacts, and there may be other possible use cases.
See oval-developer-list archives:
http://making-security-measurable.1364806.n2.nabble.com/Registry-State-Last-Written-Time-Proposal-tp6429646p6429646.html
|
|
Follow-ups:
Date Added: 2011-06-02 11:12:24
This entity has been added to draft 2 of version 5.10
|
|
|
31054
|
add test to support using PowerShell cmdlets to collect system state information |
Closed |
2011-06-17 |
Fixed |
|
Priority:
High
| Category:
n/a
| Date Closed:
2011-08-17 12:40:48
|
|
Details:
A request for a new test that will leverage PowerShell cmdlets was submitted. cmdlet access is needed because configuration settings on Windows are increasingly only accessible via cmdlets.
The oval-developer-list discussion on this topic can be found here:
http://making-security-measurable.1364806.n2.nabble.com/Windows-PowerShell-Proposal-for-SCAP-tp6464505p6464505.html
|
|
Follow-ups:
Date Added: 2011-06-29 12:16:55
This test will be added to draft 3 of version 5.10.
|
|
|
31319
|
add support for the TPM (tpm-definitions-schema) |
Closed |
2011-07-14 |
Deferred |
|
Priority:
Medium
| Category:
n/a
| Date Closed:
2011-07-14 12:15:01
|
|
Details:
Recently, MITRE/SEDI developed a new draft component schema for OVAL to support interaction with the Trusted Platform Module (TPM). At a basic level, this is no different than most other component schemas: it simply expands OVAL's ability to collect system state information into a new component. However, because of some of the unique features of the TPM, this expansion of OVAL also supports a greater degree of trust in the results provided by an OVAL assessment. This document is intended to educate the OVAL community about TPMs in general and about the exciting possibilities made possible by OVAL interactions with the TPM.
The above document can be found here:
https://oval.mitre.org/language/about/docs/OVAL_and_TPM_White_Paper.pdf
This topic was discussed on the oval-developer-list here:
http://making-security-measurable.1364806.n2.nabble.com/OVAL-and-the-TPM-tp6204855p6204855.html
|
|
Follow-ups:
n/a
|
|
|
31351
|
add DEP status entity to the <win-def:file_state> and <win-sc:file_item> |
Closed |
2011-07-18 |
Rejected |
|
Priority:
Medium
| Category:
n/a
| Date Closed:
2011-08-29 12:22:16
|
|
Details:
Details of this request are outlined in the following developer list message:
http://making-security-measurable.1364806.n2.nabble.com/Developer-Days-Artifact-Hunting-Slides-tp6463048p6463048.html
See slide 4.
|
|
Follow-ups:
Date Added: 2011-07-19 15:08:14
This information is already available via a combination of WMI and the registry.
The system wide DEP policy can be found by using WMI (see: http://support.microsoft.com/kb/912923). From there, you will either have an absolute setting (AlwaysOn or AlwaysOff) or one of the opt in/out types (OptIn, OptOut). For the opt in/out ones, you can get the exceptions via the registry (see: http://www.winserverhelp.com/2011/02/add-dep-exception-program-application-windows-server-core).
|
|
|
31582
|
product_name in the GeneratorType SHOULD be a CPE Name |
Closed |
2011-08-04 |
Fixed |
|
Priority:
Medium
| Category:
n/a
| Date Closed:
2011-08-26 17:08:02
|
|
Details:
Change schema documentation to suggest using a CPE Name for the product_name field in the GeneratorType. Use CPE Names as defined in CPE 2.3
|
|
Follow-ups:
Date Added: 2011-08-04 15:03:19
This documentation change will be included in the second release candidate of version 5.10.
|
|
|
31729
|
change all uses of the xsd:any element from @processContents="skip" to @processContents="lax" |
Closed |
2011-08-17 |
Fixed |
|
Priority:
Medium
| Category:
n/a
| Date Closed:
2011-08-26 17:07:53
|
|
Details:
This change will allow tools to optionally validate the content of the xsd:any element. With @processContents="skip" we are instructing tools to always skip the content of the <xsd:any> element. Tools should be allowed to validate this content.
|
|
Follow-ups:
Date Added: 2011-08-17 15:52:31
This change will be added to the second release candidate of version 5.10.
|
|
|
31730
|
removed win-def_affected_platform schematron rule from windows-definitions-schema |
Closed |
2011-08-17 |
Fixed |
|
Priority:
Medium
| Category:
Definition Schemas
| Date Closed:
2011-08-26 17:07:25
|
|
Details:
This rule was intended to ensure that any OVAL Definition that had an affected family of "windows" only used a specific set of string for the platform element. When there are new versions of windows this rule must be updated to include the name of the new version of windows. Unfortunately, this means that there are times when a new version of windows will be reported as an error until the schema can be updated. We ran into this problem earlier this week when processing the recent Microsoft patch Tuesday content. One of the OVAL Definitions attempted to set the platform to "Microsoft Windows Server 2008 R2". Our tools reported this content as invalid.
|
|
Follow-ups:
Date Added: 2011-08-26 17:07:25
This change will be included in the second release candidate of version 5.10.
|
|
|
31348
|
add ASLR status entity to the <win-def:process58_state> and <win-sc:process58_item> |
Open |
2011-07-18 |
Rejected |
|
Priority:
Medium
| Category:
n/a
| Date Closed:
n/a
|
|
Details:
Details of this request are outlined in the following developer list message:
http://making-security-measurable.1364806.n2.nabble.com/Developer-Days-Artifact-Hunting-Slides-tp6463048p6463048.html
See slide 11.
|
|
Follow-ups:
Date Added: 2011-07-19 17:57:41
The ASLR information seems to only be available via the PE Header, which means it will be added to the pefile test, instead of the process58_test. (http://msdn.microsoft.com/en-us/magazine/ms809762.aspx)
|
|
|
31350
|
add ASLR status entity to the <win-def:file_state> and <win-sc:file_item> |
Open |
2011-07-18 |
Rejected |
|
Priority:
Medium
| Category:
n/a
| Date Closed:
n/a
|
|
Details:
Details of this request are outlined in the following developer list message:
http://making-security-measurable.1364806.n2.nabble.com/Developer-Days-Artifact-Hunting-Slides-tp6463048p6463048.html
See slide 4.
|
|
Follow-ups:
Date Added: 2011-07-19 17:58:02
The ASLR information seems to only be available via the PE Header, which means it will be added to the pefile test, instead of the file_test. (http://msdn.microsoft.com/en-us/magazine/ms809762.aspx)
|
|
|
26796
|
ensure that states referenced by filters match their parent objects |
Closed |
2010-07-09 |
Fixed |
|
Priority:
Low
| Category:
n/a
| Date Closed:
2011-08-26 17:06:36
|
|
Details:
In the current schema, nothing is done to ensure that the states referenced by filters correspond to the parent objects that contain them (i.e. a registry_object should only contain filters that reference registry_states). We should change the schema so that this is enforced.
|
|
Follow-ups:
Date Added: 2011-07-14 16:12:11
XSD Schema does not support the sort of interdependency checking that is proposed. A similar enforcement is done between object and state types in a test. This enforcement is done with a Schematron rule in every test definition. A similar technique could be used on every object definition that supports a filter.
Or, the appropriate Schematron rules could be generated dynamically by the code that extracts the Schematron rules from the XSD. I believe the element_mapping contains all of the necessary information to generate these rules. This technique was proposed to support the "one test" proposal. The downside to this approach is that the Schematron is no longer embedded in the XSD and a separate Schematron file MUST be generated and used for validation.
A final approach would be to generate all of the rules and then copy & paste them into the XSD by hand. This could be done, but is rather labor intensive.
We do not want to generate the rules INTO the XSDs because the XSD files have hand-crafted formatting that would be changed if the XSDs were to be processed by XSLT (but I suppose a pure text based approach could be used and not mess up the formatting).
Date Added: 2011-08-11 19:25:04
Created an XSLT stylesheet that processes the component definition schemas and generates the necessary Schematron patterns & rules from the element_mapping of each test.
Then copy & pasted all of the rules into the object definitions of each component schema.
Date Added: 2011-08-26 17:06:36
This change will be included in the second release candidate of version 5.10.
|
|
|
27587
|
add support for a count function |
Closed |
2010-09-02 |
Fixed |
|
Priority:
High
| Category:
Definition Schemas
| Date Closed:
2011-05-13 11:15:38
|
|
Details:
Request from Brady Alleman:
"I've been looking for a way to define a variable as the count of items in another variable, but have not found a solution. Is there a general way to accomplish this? If no method exists, I'd like to suggest a "count" function be added to provide this capability."
For more information regarding this proposal, please see the following link.
http://making-security-measurable.1364806.n2.nabble.com/Item-Counting-UNCLASSIFIED-tp5488303.html
|
|
Follow-ups:
Date Added: 2010-09-02 18:51:41
For clarification purposes, in the documentation for this function, we will want to say that the function can count the number of values (rather than items) in a variable as using the term items may be confusing.
Date Added: 2011-05-13 11:15:38
Fixed in version 5.10 Draft 1.
|
|
|
27593
|
add support for a unique function |
Closed |
2010-09-02 |
Fixed |
|
Priority:
High
| Category:
n/a
| Date Closed:
2011-05-13 11:15:14
|
|
Details:
Request from Brady Alleman:
>>>Thinking about this further, could a "unique" function also be added?
>>>This would remove duplicate items, to allow counting only unique items.
>>So here what you want to do is if you used the split function with
>>delimiter = "-" and input string = "---", which would return four empty
>>string values, you would like to have a unique function that would return
>>only one empty string value.
>Yes.
>Another example: If the input string values are
>("A", "B", "C", "C", "D", "D", "D") the output string values will be
>("A", "B", "C", "D").
For more information regarding this proposal, please see the following link.
http://making-security-measurable.1364806.n2.nabble.com/Item-Counting-UNCLASSIFIED-tp5488303.html
|
|
Follow-ups:
Date Added: 2011-05-13 11:15:14
Added Unique and Count functions. Fixed in version 5.10 Draft 1.
|
|
|
28566
|
macos-def:inetlisteningservers_object does not uniquely identify an item |
Closed |
2010-11-30 |
Fixed |
|
Priority:
Medium
| Category:
n/a
| Date Closed:
2011-05-13 11:11:47
|
|
Details:
The macos-def:inetlisteningservers_object does not uniquely identify an item because multiple instances of a listening application can run on different addresses, ports, and protocols resulting in multiple items with the same program name. As a result, to uniquely identify an item, a new test will need to be created.
Also, this was previously an issue with the linux-def:inetlisteningservers_object and the original post can be seen at the following link.
http://making-security-measurable.1364806.n2.nabble.com/inetd-and-inetlisteningservers-test-td22762.html
|
|
Follow-ups:
Date Added: 2010-12-01 14:57:44
The documentation associated with this test should also be updated because 'netstat -tuwlnpe' with root privileges does not appear to retrieve all of the information, required for the test, on Mac OS such as program name, process id, and user id.
netstat man page
http://developer.apple.com/library/mac/#documentation/Darwin/Reference/ManPages/man1/netstat.1.html
Looking into this quickly 'lsof -i -P -n' provides this information.
lsof man page
http://developer.apple.com/library/mac/#documentation/Darwin/Reference/ManPages/man8/lsof.8.html
We need to further investigate this issue in order to determine what the best method for collecting this information is.
Date Added: 2011-05-13 11:11:47
Fixed in version 5.10 Draft 1.
|
|
|
28740
|
deprecate the unix-def:sccs_test |
Closed |
2010-12-20 |
Fixed |
|
Priority:
Medium
| Category:
n/a
| Date Closed:
2011-04-12 17:20:11
|
|
Details:
We should look into the possibility of deprecating the unix-def:sccs_test.
|
|
Follow-ups:
Date Added: 2011-04-12 17:20:11
This item was deprecated in draft 1 of version 5.10.
|
|
|
28917
|
determine if additional information should be collected in the macos-def:accountinfo_test |
Closed |
2011-01-12 |
Rejected |
|
Priority:
Medium
| Category:
n/a
| Date Closed:
2011-07-18 18:51:21
|
|
Details:
The current documentation for the macos-def:accountinfo_test states that:
"We may need/want to add in data elements for things like authentication_authority, generateduid, mcx_settings (restricted account settings)"
I am removing this from the documentation and adding a tracker so it can be determined if this information is necessary.
|
|
Follow-ups:
Date Added: 2011-07-18 18:51:21
The issue of whether or not we need to add the above entities to the accountinfo_test was raised over the oval-developer-list in the following oval-developer-list post.
http://making-security-measurable.1364806.n2.nabble.com/Is-There-a-Need-for-Additional-macos-def-accountinfo-test-Entities-td6153511.html
Due to a lack of community interest, in adding these entities, it appears that these entities are not needed in OVAL. As a result, we have decided not to include them in OVAL 5.10 release and we will close out this tracker item.
|
|
|
29010
|
consider the outstanding issues associated with the mask attribute |
Closed |
2011-01-24 |
Fixed |
|
Priority:
High
| Category:
n/a
| Date Closed:
2011-07-25 14:32:44
|
|
Details:
The primary issues with the mask attribute are:
- The OVAL System Characteristics Schema has a misplaced Schematron rule. This rule MUST be moved to the OVAL Results Schema.
- There is no documentation to explain how to handle conflicting mask attribute settings. Conflicting settings can occur across object and state definitions and when two objects identify the same item.
- The source OVAL Definitions document MUST be modified in order to properly implement support for the mask attribute. The current documentation for the mask attribute states that, "If the mask attribute is set to 'true', then the value of this field, along with the operation used, should not appear in the results file." On many entities both the operation and datatype are required. Removing them will result in invalid XML.
- The mask attribute defines capabilities that overlap with OVAL Results Directives. If the directives indicate that the source definitions should be excluded then there is no need to alter the source definitions as the mask attribute documentation dictates. excluding source definitions obviates this portion of the mask attribute capability. Secondly, if the directives specify a content level of "thin", system characteristics data is excluded as well as any details of the evaluation. "thin" content obviates the evaluation process and value hiding capabilities of the mask attribute.
Please see the following oval-developer-list post for additional information.
http://making-security-measurable.1364806.n2.nabble.com/mask-attribute-handling-tp5940155p5940155.html
The issues with the mask attribute were discussed at the March 2011 Developer Days event. Here is a link the slides and the minutes from that discussion:
SLIDES:
http://oval.mitre.org/community/docs/OVAL_Slides_Spring_2011_Dev_Days.zip
MINUTES:
http://oval.mitre.org/community/docs/OVAL_Spring_2011_Developer_Days_Minutes.pdf
|
|
Follow-ups:
Date Added: 2011-06-30 14:14:09
Added text to address the issue of conflicting mask attributes. The text now reads as follows:
"It is possible for masking conflicts to occur where one entity has mask set to true and another entity has mask set to false. A conflict will occur when the mask attribute is set differently on an OVAL Object and matching OVAL State or when two OVAL Objects identify the same OVAL Item(s). When such a conflict occurs the result is always to mask the entity."
Date Added: 2011-06-30 19:30:43
The misplaced Schematron rule referenced above has been moved to the results schema. This change and and the documentation clarification for proper handling of conflicts will be included in draft 3 of version 5.10.
Date Added: 2011-07-14 14:00:04
In order to address the fact that as currently defined, the mask attribute requires modification to the source OVAL Definitions document we should alter the schema documentation and remove the statement requiring modification of source OVAL Definitions. In fact, this may really be a simple wording issue. The wording can be clarified to state the following:
"...If the mask attribute is set to 'true', then the value of this field, along with the operation used, should not appear in the results section of an OVAL Results document. Note that this value would appear in the copy of the system characteristics contained in the results file. In this case, the results file should make use of the corresponding mask attribute in the system characteristics schema and should be set to true and the value should be omitted. In addition to the value being omitted from the copy of the system characteristics file...."
This rewording specifically removes "the copy of the definition file should also omit the value and operation used for testing".
With the above change the major deficiencies in the definition of the mask attribute will be resolved.
Date Added: 2011-07-14 14:47:23
The removal of documentation requiring the altering of the source OVAL Definitions will be included in version 5.10 release candidate 1.
|
|
|
29318
|
remove the documentation mentioning the service_name entity in the sol-def:smf_object |
Closed |
2011-02-25 |
Fixed |
|
Priority:
Medium
| Category:
n/a
| Date Closed:
2011-05-13 11:12:58
|
|
Details:
Please see the following oval-developer-list discussion for additional information.
http://making-security-measurable.1364806.n2.nabble.com/service-name-entity-in-smf-object-td6058033.html
|
|
Follow-ups:
Date Added: 2011-05-13 11:12:58
Fixed in version 5.10 Draft 1.
|
|
|
29338
|
further discuss and specify the variable_instance attribute |
Closed |
2011-03-03 |
Fixed |
|
Priority:
Medium
| Category:
n/a
| Date Closed:
2011-07-01 11:17:47
|
|
Details:
The variable_instance attribute is an underspecified feature in the OVAL Language. We should further discuss and specify this feature.
The following issues need to be considered:
- the documentation says a "set of variable values" What constitutes a set?
-
|
|
Follow-ups:
Date Added: 2011-06-29 19:31:13
Removed "set", "array" other mismatched terms. Harmonized the schema documentation.
Date Added: 2011-06-30 19:45:31
This change will be included in draft 3 of version 5.10.
|
|
|
29491
|
clarify unix-def:runlevel_test documentation |
Closed |
2011-03-16 |
Fixed |
|
Priority:
Medium
| Category:
n/a
| Date Closed:
2011-06-14 15:12:38
|
|
Details:
We need to clarify the unix-def:runlevel_test documentation.
|
|
Follow-ups:
Date Added: 2011-05-11 17:25:00
Please see the following oval-developer-list post for additional information.
http://making-security-measurable.1364806.n2.nabble.com/Clarifying-the-unix-def-runlevel-test-Documentation-td6261603.html
Date Added: 2011-06-10 18:03:56
This change will be included in draft 2 of version 5.10.
|
|
|
29708
|
add an enumeration value for MySQL to the various EngineType enumerations associated with the sql57_test |
Closed |
2011-03-28 |
Fixed |
|
Priority:
Medium
| Category:
n/a
| Date Closed:
2011-07-01 11:17:39
|
|
Details:
We need to add an enumeration value for MySQL to the various EngineType enumerations associated with the sql57_test.
|
|
Follow-ups:
Date Added: 2011-06-28 12:45:10
This change will be added to draft 3 of version 5.10.
|
|
|
29779
|
add new entities to the macos-def:pwpolicy59_state and macos-sc:pwpolicy59_item |
Closed |
2011-03-31 |
Fixed |
|
Priority:
High
| Category:
n/a
| Date Closed:
2011-06-14 15:16:51
|
|
Details:
We need to add support for the following entities in the the macos-def:pwpolicy59_state and macos-sc:pwpolicy59_item:
maxMinutesUntilChangePassword
minMinutesUntilChangePassword
requiresMixedCase
requiresSymbol
minutesUntilFailedLoginReset
|
|
Follow-ups:
Date Added: 2011-06-07 15:08:13
I can't find anything in Apple's documentation on pwpolicy referring to the
minMinutesUntilChangePassword
requiresMixedCase
requiresSymbol
minutesUntilFailedLoginReset
values. They may exist, but the man pages do not list them as known policies. And searching Apple's developer library returns no results.
Date Added: 2011-06-07 18:20:16
Running
pwpolicy -n /Local/Default -getglobalpolicy
on my local Mac running OS X 10.6.7 returns:
usingHistory=0
canModifyPasswordforSelf=1
usingExpirationDate=0
usingHardExpirationDate=0
requiresAlpha=0
requiresNumeric=0
expirationDateGMT=12/31/69
hardExpireDateGMT=12/31/69
maxMinutesUntilChangePassword=0
maxMinutesUntilDisabled=0
maxMinutesOfNonUse=0
maxFailedLoginAttempts=0
minChars=0
maxChars=0
passwordCannotBeName=0
requiresMixedCase=0
requiresSymbol=0
newPasswordRequired=0
minutesUntilFailedLoginReset=0
notGuessablePattern=0
Should all of these values be captured?
Date Added: 2011-06-08 13:48:43
Yes. Capture all of the above values.
Date Added: 2011-06-08 18:21:23
NOTE: The element entity names are in lower camelcase. This should be changed to all lowercase as per OVAL convention at some point.
Date Added: 2011-06-10 17:57:38
This change will be included in draft 2 of version 5.10.
|
|
|
29911
|
add FileBehaviors to the selinuxsecuritycontext_object |
Closed |
2011-04-05 |
Fixed |
|
Priority:
Medium
| Category:
n/a
| Date Closed:
2011-06-14 15:15:49
|
|
Details:
We need to add support for FileBehaviors in the selinuxsecuritycontext_object. We should do a quick check to make sure that we have not forgotten to include FileBehaviors on any other objects that require it.
|
|
Follow-ups:
Date Added: 2011-05-13 15:46:26
Is it acceptable to use the ind-def:FileBehaviors? This would require importing the ind-def schema. Something that the other component schemas do not do. Is there a design decision for the component schemas not to import other component schemas?
Date Added: 2011-05-16 13:27:24
As per Jon Baker: No. The component schemas are to be kept independent of each other. The "independent" schema is considered a component schema and therefore should not be imported by other component schemas. FileBehaviors may be revisited in the future to move it to the oval-definitions schema so that the component schemas can import it in accordance with our design rules.
FileBehaviors added to linux-def schema.
Date Added: 2011-06-10 18:01:49
This change will be included in draft 2 of version 5.10.
|
|
|
29912
|
fix the inconsistent documentation regarding the status of entities where xsi:nil="true" |
Closed |
2011-04-05 |
Fixed |
|
Priority:
Medium High
| Category:
n/a
| Date Closed:
2011-07-01 11:17:46
|
|
Details:
There are quite a few places in the various component definitions schemas where we say:
"If the xsi:nil attribute is set to true, the <entity_name> element should not be collected or used in analysis."
This contradicts the documentation associated with the "does not exist" StatusEnumeration value in the oval-system-characteristics-schema which states:
"A status of 'does not exist' says that the item or specific piece of information does not exist and therefore has not been collected. This status assumes that an attempt was made to collect the information, but the information just does't exist. This can happen when a certain entity is only pertinent to particular instances, or when xsi:nil is used to refer to a higher level object."
We should remove this contradictory documentation from the "does not exist" StatusEnumeration value and any other places where it is present.
|
|
Follow-ups:
Date Added: 2011-06-30 19:45:15
This change will be included in draft 3 of version 5.10.
|
|
|
30013
|
discuss and clarify the documentation changes made to oval-sc:ObjectType (tracker items 24219 and 24220) during the OVAL 5.7 release |
Closed |
2011-04-11 |
Fixed |
|
Priority:
Medium
| Category:
System Characteristics Schemas
| Date Closed:
2011-08-17 12:40:51
|
|
Details:
There have been ambiguity issues raised over the oval-developer-list regarding the documentation changes made to oval-sc:ObjectType (tracker items 24219 and 24220) during the OVAL 5.7 release. We should discuss these issues and determine the best way forward. For more information, please see the following oval-developer-list posts.
http://making-security-measurable.1364806.n2.nabble.com/ItemType-documentation-ambiguity-td6064514.html
http://making-security-measurable.1364806.n2.nabble.com/Re-ItemType-documentation-ambiguity-td6262760.html
|
|
Follow-ups:
Date Added: 2011-07-19 03:25:45
The ItemType documentation has been re-factored for improved readability and documentation has been added to explicitly state that the use of partial matches, when an OVAL Item does not exist, is completely optional.
This change will appear in the release candidate of OVAL 5.10.
|
|
|
30045
|
schematron rule prevents the use of an empty value in the user_id and group_id entities |
Closed |
2011-04-13 |
Fixed |
|
Priority:
Medium High
| Category:
n/a
| Date Closed:
2011-06-14 15:13:46
|
|
Details:
In the unix-def:file_state, we have the following documentation for the group_id and user_id entities.
"The group_id entity represents the group owner of a file, by group number. To test for a file with no group assigned to it, this entity would be used with an empty value."
"The numeric user id, or uid, is the third column of each user's entry in /etc/passwd. This element represents the owner of the file. To test for a file with no user assigned to it, this entity would be used with an empty value."
Specifically, the documentation states that if a content author wants to test for a file with no user/group assigned to it, they should use an empty value. Unfortunately, this is not allowed due to the following schematron rule in oval-def:EntityAttributeGroup.
<sch:pattern id="oval-def_definition_entity_type_check_rules">
<sch:rule context="oval-def:objects/*/*[not(@xsi:nil=true()) and
not(@var_ref) and @datatype='int']|
oval-def:states/*/*[not(@xsi:nil=true()) and
not(@var_ref) and @datatype='int']">
<sch:assert test="(not(contains(.,'.'))) and (number(.) = floor(.))">
<sch:value-of select="../@id"/> - The datatype for the
<sch:value-of select="name()"/> entity is 'int' but the value is
not an integer.
</sch:assert>
<!-- Must test for decimal point because number(x.0) = floor(x.0) is
true -->
</sch:rule>
</sch:pattern>
We need to either allow for the use of an empty value in these entities or remove the documentation that says content authors can use an empty value.
|
|
Follow-ups:
Date Added: 2011-06-01 15:29:58
I made the two elements nillable.
Date Added: 2011-06-10 12:01:53
The elements will not be nillable. The final change was to simply remove the confusing documentation that said, "To test for a file with no group assigned to it, this entity would be used with an empty value." A file will always have a group_id and user_id.
This change will be included in draft 2 of version 5.10
|
|
|
30046
|
we need to document the unix-def:password_object, unix-def:password_state, and unix-sc:password_item constructs |
Closed |
2011-04-13 |
Fixed |
|
Priority:
Medium
| Category:
n/a
| Date Closed:
2011-06-14 15:13:57
|
|
Details:
We need to document the unix-def:password_object, unix-def:password_state, and unix-sc:password_item constructs. Many of the entities are missing documentation.
|
|
Follow-ups:
Date Added: 2011-05-18 15:12:19
The current documentation says "A password object consists of a single username entity that identifies the user whose passwords are to be evaluated."
Notice the use of "passwords" plural. I don't see how a user can have multiple passwords, nor does the reference probe appear to support multiple passwords for a user.
There may be multiple users evaluated/queried, but each gets only one password - as far as I can tell.
Date Added: 2011-06-10 17:59:29
unix-def:password_object, unix-def:password_state, and
unix-sc:password_item have been documented.
This change will be included in draft 2 of version 5.10.
|
|
|
30138
|
the datatype of the user_id entity in the linux-def:iflisteners_test and the linux-sc:iflisteners_item should be an int |
Closed |
2011-04-21 |
Fixed |
|
Priority:
Medium
| Category:
n/a
| Date Closed:
2011-07-01 11:17:44
|
|
Details:
The datatype of the user_id entity in the linux-def:iflisteners_test and the linux-sc:iflisteners_item should be an int because the user_id is an integer value. Changing the datatype from string to int would break backwards compatibility. This should be considered under the Exceptions clause of the OVAL Language Versioning Methodology.
|
|
Follow-ups:
Date Added: 2011-06-16 21:39:26
This topic was raised on the developer list and the schema was changed.
This change was made for draft 3 of version 5.10.
|
|
|
30301
|
add support for a test that can collect the last login time of a user - similar to the lastlog command on unix |
Closed |
2011-04-28 |
Fixed |
|
Priority:
Medium High
| Category:
n/a
| Date Closed:
2011-07-25 14:32:43
|
|
Details:
There was a request for a test that can collect the last login time of a user on a system. On Linux, we can do this using lastlog. We need to consider whether or not a similar test is needed for other platforms.
Please see the following oval-developer-list post for more information.
http://making-security-measurable.1364806.n2.nabble.com/How-to-check-for-users-not-logged-in-for-x-amount-of-time-tp6245621p6245621.html
|
|
Follow-ups:
Date Added: 2011-07-19 20:14:52
added last_logon entity to win-def:user_state and win-sc:user_item
added last_logon entity to unix-def:password_state and unix-sc:password_item
This change will be included in version 5.10 release candidate 1.
|
|
|
30362
|
update the tables in the EntityStateRoutingTableFlagsType and the EntityItemRoutingTableFlagsType documentation |
Closed |
2011-05-04 |
Fixed |
|
Priority:
Medium
| Category:
n/a
| Date Closed:
2011-07-01 11:17:48
|
|
Details:
We should update the tables in the EntityStateRoutingTableFlagsType and
EntityItemRoutingTableFlagsType documentation according to the changes described in the oval-developer-list post.
http://making-security-measurable.1364806.n2.nabble.com/Routing-collector-flags-for-AIX-tp6328235p6328235.html
|
|
Follow-ups:
Date Added: 2011-06-30 19:53:08
Table modified as suggested.
See https://computing.llnl.gov/tutorials/performance_tools/man/netstat.txt for AIX routing table flag codes.
Date Added: 2011-06-30 19:59:29
This change will be included in draft 3 of version 5.10.
|
|
|
30364
|
change the unix-def:sysctl_item/value entity such that it has a maxOccurs='unbounded' |
Closed |
2011-05-04 |
Fixed |
|
Priority:
Medium
| Category:
System Characteristics Schemas
| Date Closed:
2011-06-14 15:14:51
|
|
Details:
We need to change the unix-def:sysctl_item/value entity such that it has a maxOccurs='unbounded' because it is possible for a kernel parameter to have more than one value. Please see the following oval-developer-list post for additional information.
http://making-security-measurable.1364806.n2.nabble.com/Sysctl-test-for-Linux-OSX-tp6327887p6327887.html
|
|
Follow-ups:
Date Added: 2011-06-10 18:00:58
This change will be included in draft 2 of version 5.10.
|
|
|
30410
|
allow for the filepath entity in the sol-def:packagecheck_object, sol-def:packagecheck_state, and sol-sc:packagecheck_item to refer to directories |
Closed |
2011-05-05 |
Fixed |
|
Priority:
Medium
| Category:
n/a
| Date Closed:
2011-06-14 15:13:28
|
|
Details:
The current documentation for the filepath entity in the sol-def:packagecheck_object, sol-def:packagecheck_state, and sol-sc:packagecheck_item only allows for the specification of absolute paths to files (i.e. non-directories). However, the pkgchk can also check directories. As a result, we should remove the filepath entity documentation that restricts it to only allow for the specification of absolute paths to files.
|
|
Follow-ups:
Date Added: 2011-06-09 17:36:32
Added path & filename elements.
Date Added: 2011-06-10 12:32:14
Reverted that change to allow a choice between path+filename and filepath. In this case the change will be to simply remove the documentation that said a directory cannot be expressed in the filepath entity.
The revised documentation now says, "The filepath element specifies the absolute path for a file or directory in the specified package."
This change will be available in draft 2 of version 5.10
|
|
|
30485
|
add enumeration values to the linux-def:EntityStateFileSystemTypeType and linux-sc:EntityItemFileSystemTypeType enumerations |
Closed |
2011-05-10 |
Fixed |
|
Priority:
Medium
| Category:
n/a
| Date Closed:
2011-06-14 15:12:49
|
|
Details:
We should add the enumeration values, present in the Linux man page filesystem(5), to the linux-def:EntityStateFileSystemTypeType and linux-sc:EntityItemFileSystemTypeType enumerations.
|
|
Follow-ups:
Date Added: 2011-05-26 20:12:23
We should consider removing the enumeration restriction and allowing any string value for the filesystem type.
Please see the following oval-developer-list for additional information.
http://making-security-measurable.1364806.n2.nabble.com/Partition-test-more-questions-tp6348424p6355894.html
Date Added: 2011-05-31 18:29:02
Removed the enumeration thus making the Type a restriction of StringType with an empty restriction element.
Date Added: 2011-06-01 16:31:26
Removed the FileSystemType altogether and changed to StringType.
Date Added: 2011-06-10 18:03:17
This change will be included in draft 2 of version 5.10.
|
|
|
30857
|
clarify set operators' documentation |
Closed |
2011-05-26 |
Fixed |
|
Priority:
Medium
| Category:
Definition Schemas
| Date Closed:
2011-07-01 11:17:40
|
|
Details:
We should clarify the set operators' documentation so that it is clear that the result of applying all of the operators will be a unique set of OVAL Items (i.e. no duplicate OVAL Items).
Please see the following oval-developer-list post for additional information.
http://making-security-measurable.1364806.n2.nabble.com/Gconf-test-tp6407354p6407562.html
|
|
Follow-ups:
Date Added: 2011-06-24 18:05:29
Note: I did not add any documentation clarifying what "duplicate" or "unique" mean. There was some discussion in the thread of what these terms mean and how they are calculated.
Date Added: 2011-06-28 12:45:33
This change will be added to draft 3 of version 5.10.
|
|
|
30893
|
we need to document the result of evaluating a deprecated definition |
Closed |
2011-06-02 |
Fixed |
|
Priority:
Medium High
| Category:
n/a
| Date Closed:
2011-07-01 11:17:38
|
|
Details:
If a definition is deprecated, it is possible that it may not contain a criteria construct. Deprecated definitions should evaluate to a result of 'not evaluated'. We should add documentation to specify this.
|
|
Follow-ups:
Date Added: 2011-06-27 16:02:06
“When the deprecated attribute is set to true, the definition is considered to be deprecated. The criteria child element of a deprecated definition is optional. If a deprecated definition does not contain a criteria child element, the definition must evaluate to "not evaluated". If a deprecated definition contains a criteria child element, an interpreter should evaluate the definition as if it were not deprecated, but an interpreter may evaluate the definition to "not evaluated".”
Jon
============================================
Jonathan O. Baker
G022 - IA Industry Collaboration
The MITRE Corporation
Email: bakerj@mitre.org
Date Added: 2011-06-28 12:44:21
This change will be added to draft 3 of version 5.10.
|
|
|
30926
|
investigate the current state of implementing the operations for the fileset_revision datatype |
Closed |
2011-06-06 |
Fixed |
|
Priority:
Medium
| Category:
n/a
| Date Closed:
2011-07-25 14:32:41
|
|
Details:
The documentation for the fileset_revision datatype says:
"As far as implementing operations, right now there is a IP licensing issue being discussed on our ability to publicize the method to do this; however, the HP-UX team is willing to discuss how to implement this with anyone who would like to do it while we are waiting for the IP licensing issue to be resolved."
Is this still the case? We should investigate this further to see if any progress has been made in this area.
|
|
Follow-ups:
Date Added: 2011-07-15 16:18:13
http://bizsupport1.austin.hp.com/bc/docs/support/SupportManual/c02023876/c02023876.pdf
"Software Distributor Administration Guide"
Page 19-20 presents the following example:
"HPUX11i-TCOE B.11.23.0512
HP-UX Technical Computing Operating Environment Component
The above revision string represents the following:
B.11.23 = HP-UX 11i v2
0512 = December 2005 Update Release"
Page 48 provides the best guidance: "The <op> (relational operator) component performs individual comparisons on dot-separated fields and can be of the form:
=,==,>=,<=,<,>, or!= For example, r>=B.11.11 chooses all revisions greater than or equal to B.11.11.
The system compares each dot-separated field to find matches."
Pages 234 and 244 specify the size of a revision_string, but do not specify any semantics.
Assuming the guidance on page 48 is authoritative, it looks straightforward to implement the comparison operators in OVAL.
Date Added: 2011-07-19 12:55:03
Perhaps a better reference to the manual cited above:
http://h20000.www2.hp.com/bc/docs/support/SupportManual/c01919399/c01919399.pdf
In the version 5.10 release candidate this reference will be added to the definition of the fileset_revision datatype.
|
|
|
30937
|
allow the filepath entity in the macos-def:diskutil_test to contain a directory |
Closed |
2011-06-07 |
Fixed |
|
Priority:
Medium
| Category:
n/a
| Date Closed:
2011-07-01 11:17:36
|
|
Details:
We should allow for the filepath entity to contain a directory because it is possible that the permissions, for a directory, may differ. We just need to remove the documentation that prohibits the specification of a directory in the filepath entity documentation.
|
|
Follow-ups:
Date Added: 2011-06-14 15:23:53
This change will be included in draft 3 of version 5.10.
|
|
|
31008
|
update the linux-def:iflisteners_test such that only applications bound to ethernet interfaces are considered |
Closed |
2011-06-10 |
Fixed |
|
Priority:
Medium
| Category:
n/a
| Date Closed:
2011-06-14 15:13:19
|
|
Details:
The linux-def:iflisteners_test does not currently specify what types of interfaces should be supported. Given that ethernet interfaces should cover the majority of the cases, we should update the linux-def:iflisteners_test such that only applications bound to ethernet interfaces are considered.
|
|
Follow-ups:
Date Added: 2011-06-10 18:05:23
This change will be included in draft 2 of version 5.10.
|
|
|
31009
|
add creation_time, dep_enabled, and primary_window_text entities to the win-def:process58_test |
Closed |
2011-06-10 |
Fixed |
|
Priority:
Medium
| Category:
n/a
| Date Closed:
2011-06-14 15:17:17
|
|
Details:
We should add the ability to search based on the executable file and primary window text for processes. Since this information is not needed to uniquely identify a process, the primary window text entity should just be added to the win-def:process58_state and win-sc:process_item. The image_path entity is already present. From there, a search based on the image_path or primary_window_text entity can be accomplished by using an OVAL Filter. We should also add support for the collection of the process' creation time as well as whether or not data execution prevention is enabled for the process.
|
|
Follow-ups:
Date Added: 2011-06-10 18:04:39
This change will be included in draft 2 of version 5.10.
|
|
|
31014
|
add support for a win-def:peheader_test |
Closed |
2011-06-10 |
Fixed |
|
Priority:
Medium
| Category:
n/a
| Date Closed:
2011-08-17 12:40:50
|
|
Details:
In order to support the collection of information from a PE file header, we should add a win-def:peheader_test.
|
|
Follow-ups:
Date Added: 2011-06-28 12:42:08
This test was added to draft 2 of version 5.10
|
|
|
31246
|
schematron rules for reporting deprecated constructs should not report errors |
Closed |
2011-07-01 |
Rejected |
|
Priority:
High
| Category:
n/a
| Date Closed:
2011-07-14 15:10:23
|
|
Details:
The schematron rules that check for deprecated constructs are currently reporting errors. For example:
Engine name: ISO Schematron
Severity: error
Description: DEPRECATED TEST: fileauditedpermissions_test ID: oval:sample:tst:1
We should not be reporting errors when a deprecated construct is found because it is still valid to use deprecated constructs in content.
|
|
Follow-ups:
Date Added: 2011-07-14 15:10:23
All Schematron rules for reporting deprecation status use the sch:report construct. Tools may differentiate deprecation statements based upon the use of sch:report. This is documented in the deprecation policy (https://oval.mitre.org/language/about/deprecation.html).
|
|
|
31389
|
deprecate the include_group behavior wherever the resolve_group behavior is deprecated |
Closed |
2011-07-19 |
Fixed |
|
Priority:
Medium
| Category:
Definition Schemas
| Date Closed:
2011-07-25 14:32:38
|
|
Details:
We deprecated the resolve_group behavior, in many tests, because we wanted to leave the job of resolving the members of groups to tests (sid_object and sid_sid_object) that could do it more efficiently rather than every test that utilized trustee names and SIDs. However, in doing so, we did not deprecate the include_group behavior and it does not make sense without the resolve_group behavior. As a result, we should also deprecate the include_group behavior in these instances and recommend that it be used with the sid_object or sid_sid_object like the resolve_group behavior.
|
|
Follow-ups:
Date Added: 2011-07-20 01:16:21
This change will be included in version 5.10 release candidate 1.
|
|
|
31761
|
allow for the ability to map between the linux-def:rpminfo_test and the linux-def:rpmverifyfile_test and linux-def:rpmverifypackage_test |
Closed |
2011-08-23 |
Fixed |
|
Priority:
Medium
| Category:
n/a
| Date Closed:
2011-08-26 17:07:09
|
|
Details:
Allow for the ability to map between the linux-def:rpminfo_test and the linux-def:rpmverifyfile_test and linux-def:rpmverifypackage_test. For the RHEL 5 USGCB, there is a need to both verify the contents of an rpm as well as check its signature, however, the current version of the linux-def:rpminfo_test and the linux-def:rpmverify_test does not support the ability to map between the two tests. To support this use case, an extended_name entity (name-epoch:version-release.architecture) is needed in the OVAL States and OVAL Items for the linux-def:rpminfo_test, the linux-def:rpmverifyfile_test, and the linux-def:rpmverifypackage_test.
|
|
Follow-ups:
Date Added: 2011-08-24 18:09:11
This change will be available in OVAL 5.10 Release Candidate 2.
|
|
|
31762
|
the name entity in the rpm-based tests does not uniquely identify an rpm on the system |
Closed |
2011-08-23 |
Fixed |
|
Priority:
Medium
| Category:
n/a
| Date Closed:
2011-08-26 17:07:02
|
|
Details:
The name entity in the rpm-based tests does not uniquely identify an rpm on the system. The specification of the name, epoch, version, release, and architecture is needed, in the object, to uniquely identify an rpm on the system. This change should be made to the linux-def:rpmverifyfile_test and the linux-def:rpmverifypackage_test. This change will not be made to the linux-def:rpminfo_test in order to prevent deprecating a large amount of existing content and needing to update the tools that generate this content.
|
|
Follow-ups:
Date Added: 2011-08-24 18:09:54
This change will be available in OVAL 5.10 Release Candidate 2.
|
|
|
31783
|
add documentation specifying the order in which instance values should be assigned for the macos-def:plist510_test |
Closed |
2011-08-25 |
Fixed |
|
Priority:
Medium
| Category:
n/a
| Date Closed:
2011-08-26 17:06:53
|
|
Details:
We should add documentation specifying the order in which instance values should be assigned for the macos-def:plist510_test when multiple instances of a key are discovered. To make it consistent with a content author examining a plist file, the instance values must be assigned using a depth-first approach.
|
|
Follow-ups:
Date Added: 2011-08-26 14:03:57
This change will be available in the OVAL 5.10 Release Candidate 2.
|
|
|
31790
|
discuss and address registry and file system redirection on 64-bit windows |
Closed |
2011-08-26 |
Fixed |
|
Priority:
Medium
| Category:
n/a
| Date Closed:
2011-08-26 21:57:42
|
|
Details:
Please see the following oval-developer-list posts for additional information.
http://making-security-measurable.1364806.n2.nabble.com/OVAL-Community-Call-Discuss-32-64-Bit-Issues-on-64-bit-Windows-tp6652547p6652547.html
http://making-security-measurable.1364806.n2.nabble.com/Re-OVAL-DISCUSSION-LIST-OVAL-Community-Call-Discuss-32-64-Bit-Issues-on-64-bit-Windows-tp6672063p6672063.html
http://making-security-measurable.1364806.n2.nabble.com/Community-Call-8-10-2011-tp6676791p6676791.html
http://making-security-measurable.1364806.n2.nabble.com/32-64-bit-updated-proposal-tp6716130p6716130.html
http://making-security-measurable.1364806.n2.nabble.com/Fwd-Re-OVAL-DEVELOPER-LIST-32-64-bit-updated-proposal-tp6721038p6721038.html
|
|
Follow-ups:
Date Added: 2011-08-27 00:10:12
This change will be included in version 5.10 RC 2.
|
|
|
31870
|
file behavior documentation clarifications |
Closed |
2011-09-05 |
Fixed |
|
Priority:
High
| Category:
Definition Schemas
| Date Closed:
2011-09-15 01:40:36
|
|
Details:
We need to make the following clarifications to the FileBehaviors documentation:
We need to change all occurrences of "Note that a max-depth other than -1 has to be specified for recursion to take place and for this attribute to mean anything" to "Note that a max-depth other than 0 has to be specified for recursion to take place and for this attribute to mean anything". This is wrong because "-1" means limitless recursion.
We also need to specify which entities we are referring to (e.g. path and filepath) when we say that "Note that this behavior only applies with an equality operation.".
|
|
Follow-ups:
Date Added: 2011-09-08 20:10:48
Please see the following oval-developer-list post for additional information.
http://making-security-measurable.1364806.n2.nabble.com/Version-5-10-Release-Candidate-2-Available-tt6730602.html
Date Added: 2011-09-08 20:30:42
These changes will be available in the final release of OVAL 5.10.
|
|
|
32092
|
document the status to use when the information for an entity is not set |
Closed |
2011-09-12 |
Fixed |
|
Priority:
Medium
| Category:
System Characteristics Schemas
| Date Closed:
2011-09-12 19:43:09
|
|
Details:
When the information for an entity is not set, the status for that entity should be 'does not exist'.
Please see the following oval-developer-list posts for additional information.
http://making-security-measurable.1364806.n2.nabble.com/Shadow-object-collection-tp6073989p6073989.html
http://making-security-measurable.1364806.n2.nabble.com/Re-Shadow-object-collection-td6243589.html
|
|
Follow-ups:
n/a
|
|
|
32105
|
clarify the documentation around the PSLanguageMode enumeration |
Closed |
2011-09-13 |
Fixed |
|
Priority:
Medium
| Category:
n/a
| Date Closed:
2011-09-15 01:42:00
|
|
Details:
We should specify that people should look at Microsoft's documentation for more information on the PSLanguageMode enumeration. Otherwise, people may think to look in the schemas.
|
|
Follow-ups:
n/a
|
|
|
27913
|
spjobdefinition_object underspecifies the item |
Closed |
2010-10-06 |
Fixed |
|
Priority:
Very Low
| Category:
Definition Schemas
| Date Closed:
2011-07-25 14:32:49
|
|
Details:
spjobdefinition_object underspecifies the SPJobDefinition object it is supposed to capture. Currently, the spjobdefinition_object has a single entity, webappuri. This entity specifies the SPWebApplication, which may contain several SPJobDefinition objects. I recommend adding an additional entity to the spjobdefinition_object to specify some unique attribute of a SPJobDefinition, such as Title.
Sharepoint SDK information:
SPWebApplication.JobDefinitions -> returns SPJobDefinitionCollection
SPWebApplication has a URL, and contains many SPJobDefinition objects
http://msdn.microsoft.com/en-us/library/microsoft.sharepoint.administration.spwebapplication.jobdefinitions.aspx
|
|
Follow-ups:
Date Added: 2011-07-14 18:59:29
In version 5.10 the sp-def:spjobdefinition_object will be deprecated and replaced with a sp-def:spjobdefinition510_object. the new object will include the displayname entity to distinguish individual jobs. Note that the test, state, and item associated with spjobdefinitions have also been replaced.
|
|
|
27919
|
spwebapplication_state entity naming inconsistency |
Closed |
2010-10-06 |
Fixed |
|
Priority:
Very Low
| Category:
n/a
| Date Closed:
2011-07-25 14:32:48
|
|
Details:
The outboundmailserverinstance entity of the spwebapplication_state is inconsistent with the Sharepoint SDK. The proper entity name is "outboundmailserviceinstance". This error also exists in the spwebapplication_item.
http://msdn.microsoft.com/en-us/library/microsoft.sharepoint.administration.spwebapplication.outboundmailserviceinstance.aspx
|
|
Follow-ups:
Date Added: 2011-05-26 16:15:58
The correction is: server -> service
Date Added: 2011-07-14 18:15:58
For version 5.10 we will add schema documentation noting this naming inconsistency. Renaming the entity would result in the creation of a new version of this test which does not seem to be warranted here.
|
|
|
27922
|
spsite_state has duplicate url entity |
Closed |
2010-10-07 |
Fixed |
|
Priority:
Very Low
| Category:
n/a
| Date Closed:
2011-07-25 14:32:47
|
|
Details:
On the spsite_state, the entities <sitecollectionurl> and <url> seem to be redundant. The SPSite object, which refers to a site collection, has a URL that uniquely identifies it. This should not be confused with a SPSiteCollection, which is a collection of all the SPSite objects in the Web application. I recommend removing one of these url entities (also in the item).
|
|
Follow-ups:
Date Added: 2011-07-14 18:33:36
For version 5.10 we will deprecate the url entity.
|
|
|
28043
|
spantivirussettings_state timeout entity is underspecified |
Closed |
2010-10-15 |
Fixed |
|
Priority:
Very Low
| Category:
n/a
| Date Closed:
2011-07-01 11:17:42
|
|
Details:
spantivirussettings_state (and item) <timeout> entity specifies a timeout value, but does not give the units of this value. This should be changed to specify seconds or minutes. Currently the probe returns seconds, but minutes are also accessible from the API.
|
|
Follow-ups:
Date Added: 2011-06-16 21:30:33
This documentation has been updated to indicate that seconds must be reported. This change will be included in draft 3 of version 5.10.
|
|
|
28044
|
spwebapplication_state timeout entity is underspecified |
Closed |
2010-10-15 |
Fixed |
|
Priority:
Very Low
| Category:
n/a
| Date Closed:
2011-07-01 11:17:41
|
|
Details:
spwebapplication_state (and item) <timeout> entity specifies a timeout value, but does not give the units of this value. This should be changed to specify seconds or minutes. Currently the probe returns seconds, but minutes are also accessible from the API.
|
|
Follow-ups:
Date Added: 2011-06-16 19:50:27
The documentation has been changed to reflect that seconds must be used. This change will be included in draft 3 of version 5.10
|
|
|
28625
|
spwebapplication_object outboundmailserverinstance entity should be renamed |
Closed |
2010-12-03 |
Fixed |
|
Priority:
Very Low
| Category:
n/a
| Date Closed:
2011-07-01 11:17:43
|
|
Details:
The outboundmailserverinstance object entity should be renamed to something like outboundmailserverinstancename, to signify that the element represents a string, as opposed to checking existence or something else.
|
|
Follow-ups:
Date Added: 2011-06-16 19:46:51
Clarified documentation to reflect that this entity is the name of the instance. This change will be included in draft 3 of version 5.10.
|
|
|
29420
|
Add Schematron rule to check datatype for count function |
Closed |
2011-03-11 |
Rejected |
|
Priority:
Medium High
| Category:
Definition Schemas
| Date Closed:
2011-06-09 12:41:22
|
|
Details:
We have added the 'count' function to the 5.10 draft, but probably should add a Schematron rule to capture the following:
* Any local_variable that uses the 'count' function should have its datatype be a int
See the rule for the 'arithmetic' function as an example.
|
|
Follow-ups:
Date Added: 2011-06-01 17:32:12
As far as I can tell, none of the other function elements ensure that their result is placed in the proper type of variable.
I see rules to ensure the items being operated upon are the correct type for the operation, but nothing about the result container.
Should rules be added for ALL of the function types? Or is there a reason the result type is not enforced? Or perhaps I'm missing something?
Date Added: 2011-06-09 12:11:45
After further discussion via email, it has been decided that this rule is not necessary.
|
|
|
30102
|
document usage of Asset Identificaiton (AI) in OVAL |
Closed |
2011-04-19 |
Fixed |
|
Priority:
High
| Category:
System Characteristics Schemas
| Date Closed:
2011-07-01 11:17:45
|
|
Details:
We have identified two locations where an integration with the Asset Identification (AI) spec might make sense:
1. Within the system characteristics file, in the system_info element to identify the asset being analyzed.
2. Within the 'generator' element in oval-definitions, oval-system-characteristics, and oval-results.
As part of March 2011 Developer Days, discussions on this topic were held, and it was decided that the best way to achieve this integration was to add documentation in the form of a comment to the schema/spec that would suggest and show how to do this via the existing 'any' elements.
|
|
Follow-ups:
Date Added: 2011-06-30 16:27:11
Added documentation pointing to the AI spec, noting why AI is useful, and providing guidance on the AI element to use for each case.
Date Added: 2011-06-30 17:36:10
This update will be included in draft 3 of version 5.10.
|
|
|
30418
|
Add 'applicability_check' attribute to Criteria, Criterion, & Extend_Definition. |
Closed |
2011-05-06 |
Fixed |
|
Priority:
Medium
| Category:
Definition Schemas
| Date Closed:
2011-06-14 15:13:03
|
|
Details:
There is an outstanding request from the community to add an attribute to the Criteria, Criterion, & Extend_Definition constructs that allows explicitly marking a Test as an applicability Test. The following email from Michael Sainsbury explains the detailed request:
http://making-security-measurable.1364806.n2.nabble.com/Proposal-for-extending-Oval-criteria-criterion-and-extend-definition-to-specify-applicabilityChecks-tp6271556p6271556.html
Note that we are only planning on implementing proposal #1 from Michael's email at this point.
|
|
Follow-ups:
Date Added: 2011-06-10 10:30:50
This capability has been added to version 5.10 draft 2.
|
|
|
32445
|
spelling error in linux-def:rpmverify_object and linux-def:rpmverifypackage_object |
Open |
2011-10-28 |
n/a |
|
Priority:
Low
| Category:
Definition Schemas
| Date Closed:
n/a
|
|
Details:
In the linux-definitions-schema.xsd file, linux-def:rpmverify_object and linux-def:rpmverifypackage_object both contain the documentation annotation:
"...element is used by a rpmverity_test...
rpmverity should read as rpmverify, and rpmverifypackage respectively.
|
|
Follow-ups:
n/a
|
