From scapafterhours at gmail.com Thu Aug 20 11:33:46 2015
From: Jeffrey Blank
To: scap-security-guide at lists.fedorahosted.org
Subject: Re: help with OVAL transforms
Date: Sun, 21 Apr 2013 22:39:12 -0400
Message-ID:
In-Reply-To: 5171BE08.9020402@redhat.com

Rule selection specified by a Profile overrides selection specified in the Rule itself.
Any Rules which are not explicitly marked as "selected=false" will be evaluated.

Thus, our convention is to mark all Rules as "selected=false" in the actual Rule attribute, because we wish to have Profile-driven evaluation. (And all of our Profiles only ever feature "selected=true".)

Please see page 20 of http://csrc.nist.gov/publications/nistir/ir7275-rev4/NISTIR-7275r4.pdf

Note there that the default is "true" for selection in a Rule. So, if we weren't intentionally de-selecting each Rule using its attribute (selected=false), even in a Profile-driven evaluation (which did not include the Rule!) it would default to true and be evaluated. Yes, this would be quite unexpected. This is explained by the fact that the earlier versions of XCCDF had no Profiles. The thought (at that time, from what I can infer) is that end-users would receive a body of XCCDF and then select/de-select (using tooling) what they wanted (and save the resulting XCCDF content as their own).

But that is not the way it turned out. The way it turned out was that widespread authoring/modification of XCCDF never really occurred, and instead XCCDF really only took hold as a means of expressing a small number of government security baselines (all of which were expressed as Profiles, rarely modified, due to the inadequacy or lack of adoption of any tooling for authoring).

So I hardly blame you for being confused.
The decision tree for XCCDF evaluation is vastly more complicated than needed for any use case I've ever seen (or could practically imagine).

On Fri, Apr 19, 2013 at 5:58 PM, Shawn Wells wrote:
> I've been going through the OVAL code and have stumped myself. The
> partition_for_* rules are enabled in the XCCDF profiles, yet somehow is
> marked as selected=false in the final output:
>
> $ grep -rin partition_for_tmp input/profiles/
> input/profiles/usgcb-rhel6-server.xml:5:<select idref="partition_for_tmp" selected="true" />
> input/profiles/common.xml:4:<select idref="partition_for_tmp" selected="true"/>
>
> $ grep -rin partition_for_tmp output/ssg-rhel6-xccdf.xml
> 43:    <select idref="partition_for_tmp" selected="true"/>
> 259:    <select idref="partition_for_tmp" selected="true"/>
> 500:    <select idref="partition_for_tmp" selected="true"/>
> 720:    <select idref="partition_for_tmp" selected="true"/>
> 946:    <select idref="partition_for_tmp" selected="true"/>
> 1400:       <Rule id="partition_for_tmp" selected="false" severity="low">
>
> In the ssg-rhel6-xccdf.xml file, the OVAL points to oval:ssg:2741:
> <check-content-ref name="oval:ssg:def:2741" href="ssg-rhel6-oval.xml"/>
>
> And when I check for that in ssg-rhel6-oval.xml, it doesn't exist:
> $ grep -in oval:ssg:2741 output/ssg-rhel6-oval.xml
> (no return)
>
> When I load up ssg-rhel6-oval.xml and look for the rule, it's actually
> oval:ssg:def:841:
>     <definition class="compliance" id="oval:ssg:def:841" version="1">
>      <metadata>
>       <title>Ensure /tmp Located On Separate Partition</title>
>
> I started to play with relabelids.py and only made things worse.
> Jeff/Dave, any chance you could take a look at this?
>
> _______________________________________________
> scap-security-guide mailing list
> scap-security-guide(a)lists.fedorahosted.org
> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
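As an added example (not code from the thread or from the SSG project), the following Python script checks the two things discussed above on constructed sample content: which Rules a scanner would actually evaluate under a Profile, given that a Rule's `selected` attribute defaults to true and a Profile's `<select>` overrides it, and which `check-content-ref` names point at OVAL definitions that do not exist. It assumes namespace-agnostic parsing (`{*}`, Python 3.8+) and ignores Group-level selection.

```python
# Added example (not code from the thread): which XCCDF Rules does a scanner
# evaluate under a Profile? A Rule's selected attribute defaults to "true"
# (NISTIR 7275) and a Profile's <select> overrides it. Group selection ignored.
import xml.etree.ElementTree as ET

# Constructed sample modelled on the thread: partition_for_tmp follows the SSG
# convention (selected="false" on the Rule itself); partition_for_var does not.
SAMPLE_XCCDF = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1">
  <Profile id="usgcb-rhel6-server">
    <select idref="partition_for_tmp" selected="true"/>
  </Profile>
  <Group id="partitions">
    <Rule id="partition_for_tmp" selected="false" severity="low">
      <check-content-ref name="oval:ssg:def:2741" href="ssg-rhel6-oval.xml"/>
    </Rule>
    <Rule id="partition_for_var" severity="low">
      <check-content-ref name="oval:ssg:def:841" href="ssg-rhel6-oval.xml"/>
    </Rule>
  </Group>
</Benchmark>"""

# Constructed OVAL fragment: only def:841 exists, so the def:2741 ref dangles.
SAMPLE_OVAL = """<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <definitions><definition class="compliance" id="oval:ssg:def:841" version="1"/></definitions>
</oval_definitions>"""

def _xccdf_bool(value, default=True):
    """An absent XCCDF boolean attribute takes its schema default."""
    return default if value is None else value.strip().lower() in ("true", "1")

def effective_selection(xccdf_text, profile_id=None):
    """Return {rule_id: bool}; True means the scanner will evaluate that Rule."""
    root = ET.fromstring(xccdf_text)
    # Step 1: the Rule's own attribute, which defaults to true when absent.
    selection = {r.get("id"): _xccdf_bool(r.get("selected"))
                 for r in root.iterfind(".//{*}Rule")}
    # Step 2: the chosen Profile's <select> elements override step 1.
    for prof in root.iterfind(".//{*}Profile"):
        if prof.get("id") == profile_id:
            for sel in prof.iterfind("{*}select"):
                if sel.get("idref") in selection:
                    selection[sel.get("idref")] = _xccdf_bool(sel.get("selected"))
    return selection

def dangling_oval_refs(xccdf_text, oval_text):
    """Rules whose check-content-ref names no definition in the OVAL file."""
    defined = {d.get("id") for d in ET.fromstring(oval_text).iterfind(".//{*}definition")}
    return {rule.get("id"): ref.get("name")
            for rule in ET.fromstring(xccdf_text).iterfind(".//{*}Rule")
            for ref in rule.iterfind(".//{*}check-content-ref")
            if ref.get("name") not in defined}
```

Run against the sample, `partition_for_var` comes back selected under `usgcb-rhel6-server` even though the Profile never mentions it, which is exactly the surprise the reply describes.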