Hello Pravin,
thank you for checking with us (I have merged Gautam's earlier
reply here too to have all the facts together).
----- Original Message -----
From: "S, Gautam" <gautams(a)hpe.com>
To: open-scap-list(a)redhat.com
Sent: Monday, April 4, 2016 11:00:10 AM
Subject: Re: [Open-scap] Template for file pattern match
Hi Pravin,
FWIW regarding the question of OVAL template for regex match - we track
it under:
[1] https://github.com/OpenSCAP/scap-security-guide/issues/1083
This was something I also wondered about. However, there are some subtle
aspects that might affect this which I learned once I gave it a shot.
1) Not all pattern matches are the same. Some search whether a pattern exists in
a file, some check for the absence, some check for the first match only,
some for all matches, some checks will involve external variables passed in
as well. At the very least, you will need </path/to/file>,<regex to
find>,<check_existence>,<instance> for basic ones.
2) You will have to keep the title, description and comments extremely
generic or else update them individually after they are generated. I found
this to be a huge deterrent to making everything into a template.
There's this count_oval_objects.py utility:
https://github.com/OpenSCAP/scap-security-guide/blob/master/shared/utils/...
from whose output, when run, it is clear that <textfilecontent54_object> is the
most used OVAL template, e.g. for RHEL/6 content (I would assume the result will be the
same for different products too).
But like Gautam already clarified above, from the SSG experience there would
be a very small count of cases where the basic <ind:filepath> regex OVAL template
would be sufficient. IOW if you have a look at those existing OVAL checks already
using <ind:textfilecontent54_object>, often the final form of the OVAL ends up in
the state where:
* it's necessary to reference some external_variable,
* it's necessary to have more rules (more objects),
* it's necessary to have more states,
* it's necessary to reference some OVAL rule dependency,
* it's necessary for the regex to search the last occurrence of somestring in the file, etc.
This is not to say the OVAL <ind:textfilecontent54_object> template wouldn't be useful
for SSG. But there are these corner cases / additional requirements listed above,
often leading to the state when a new <ind:textfilecontent54_object> OVAL check is written
from scratch, rather than from the template.
The current state being in [1] we are discussing the possible form of such a template --
facing the need to quickly write dozens of simple OVAL checks checking some regex
in some file, an OVAL template might seem handy. But the expectation is to have the templated
OVAL checks stable / unmodified across the SSG releases (so one day we could replace
all those checks currently present in the repository with their dynamic [re]generation
during the SSG package build). On the other hand, any corner case (external_variable,
dependency on another OVAL etc) diverges from the common template (assuming a very basic
simple template), and therefore from the above approach (since at the moment
the developer would end up writing such an OVAL check from scratch just because the template
is too simple and could not help them to speed up the OVAL checks development, I am
not completely convinced it's worth investing the time into the design of such
a template and MAINLY investing the time into keeping such a template in working
state).
So I would say / IMHO the next step WRT [1] would be to use the already included
"count_oval_objects.py" utility and determine how many (in % compared to the
whole count of <ind:textfilecontent54_object> OVAL checks already implemented
for that product) of the <ind:textfilecontent54_object> OVAL checks have the simplest
form, and how many (again in % compared to the already existing
<ind:textfilecontent54_object> OVAL checks for that product) deviate from the basic form
for some reason (some corner case).
Once we know this information, we can proceed further (if just to implement basic OVAL
template, or have more templates for each of the subtle different cases [depending
on another OVAL, using external variable etc.]).
Hope this helps.
Thank you && Regards, Jan
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team
P.S.: There's SCAP Security Guide (SCAP content) dedicated mailing list too -->
Cc'ed it too (so people can react to the topic).
Thank you.
Regards,
Gautam.
_______________________________________________
Open-scap-list mailing list
Open-scap-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list
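As an added example for this thread (it is not code from the thread, nor SSG's own template machinery), the rendering step a basic template would perform on Gautam's four-field CSV row, path,regex,check_existence,instance. The column semantics are assumptions: check_existence holds an OVAL ExistenceEnumeration value such as at_least_one_exists or none_exist, instance is "first" (only the first match counts) or "all", and the id prefix, timestamp and sample rows are constructed. It emits one definition/test/object triple per row and parses the result back so the output can be checked rather than eyeballed.

```python
"""Added example, not code from the thread or from SSG: render the basic
OVAL textfilecontent54 check that Gautam's four-field CSV row describes,
path,regex,check_existence,instance. Assumed here: check_existence holds an
OVAL ExistenceEnumeration value, instance is "first" or "all", and the id
prefix and sample rows are constructed."""
import csv
import io
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape, quoteattr

OVAL_DEF = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
OVAL_IND = OVAL_DEF + "#independent"
OVAL_COMMON = "http://oval.mitre.org/XMLSchema/oval-common-5"
NS = {"d": OVAL_DEF, "ind": OVAL_IND}
EXISTENCE = {"all_exist", "any_exist", "at_least_one_exists",
             "none_exist", "only_one_exists"}

# Constructed sample rows; '#' lines are comments.
SAMPLE_CSV = r"""
# path,regex,check_existence,instance
/etc/ssh/sshd_config,^\s*PermitRootLogin\s+no\s*$,at_least_one_exists,first
/etc/ssh/sshd_config,^\s*Protocol\s+1\s*$,none_exist,all
/etc/login.defs,^\s*PASS_MAX_DAYS\s+\d+\s*$,at_least_one_exists,all
"""


def parse_rows(text):
    """Read and validate the CSV before any XML is produced."""
    rows = []
    for rec in csv.reader(io.StringIO(text.strip())):
        if not rec or rec[0].lstrip().startswith("#"):
            continue
        if len(rec) != 4:
            raise ValueError("expected 4 fields, got %r" % (rec,))
        path, regex, existence, instance = (f.strip() for f in rec)
        if existence not in EXISTENCE:
            raise ValueError("unknown check_existence %r" % existence)
        if instance not in ("first", "all"):
            raise ValueError("instance must be 'first' or 'all', got %r" % instance)
        rows.append((path, regex, existence, instance))
    return rows


def render_oval(rows, prefix="ssg-regex_check"):
    """Emit one definition/test/object triple per row as OVAL XML."""
    defs, tests, objs = [], [], []
    for n, (path, regex, existence, instance) in enumerate(rows, 1):
        stem = "oval:%s_%d" % (prefix, n)
        # instance 1 "equals" inspects only the first match; "greater than
        # or equal" 1 collects every match so check="all" evaluates them all.
        inst_op = "equals" if instance == "first" else "greater than or equal"
        comment = quoteattr("%s in %s" % (regex, path))  # quoted and XML-escaped
        defs.append(f'''    <definition class="compliance" id="{stem}:def:1" version="1">
      <metadata><title>Pattern check {n}</title>
        <description>Look for {escape(regex)} in {escape(path)}</description></metadata>
      <criteria><criterion comment={comment} test_ref="{stem}:tst:1"/></criteria>
    </definition>''')
        tests.append(f'''    <ind:textfilecontent54_test id="{stem}:tst:1" version="1" check="all"
        check_existence="{existence}" comment={comment}>
      <ind:object object_ref="{stem}:obj:1"/>
    </ind:textfilecontent54_test>''')
        objs.append(f'''    <ind:textfilecontent54_object id="{stem}:obj:1" version="1">
      <ind:filepath>{escape(path)}</ind:filepath>
      <ind:pattern operation="pattern match">{escape(regex)}</ind:pattern>
      <ind:instance datatype="int" operation="{inst_op}">1</ind:instance>
    </ind:textfilecontent54_object>''')
    return (f'<oval_definitions xmlns="{OVAL_DEF}" xmlns:ind="{OVAL_IND}" xmlns:oval="{OVAL_COMMON}">\n'
            '  <generator>\n'
            '    <oval:product_name>regex-check example</oval:product_name>\n'
            '    <oval:schema_version>5.11</oval:schema_version>\n'
            '    <oval:timestamp>2016-04-04T00:00:00</oval:timestamp>\n'  # constructed stamp
            '  </generator>\n'
            '  <definitions>\n' + "\n".join(defs) + '\n  </definitions>\n'
            '  <tests>\n' + "\n".join(tests) + '\n  </tests>\n'
            '  <objects>\n' + "\n".join(objs) + '\n  </objects>\n'
            '</oval_definitions>\n')


def summarize(xml_text):
    """Parse the rendered document back so the result can be checked."""
    root = ET.fromstring(xml_text)
    tests = root.findall("d:tests/ind:textfilecontent54_test", NS)
    objs = root.findall("d:objects/ind:textfilecontent54_object", NS)
    return {"definitions": len(root.findall("d:definitions/d:definition", NS)),
            "existence": [t.get("check_existence") for t in tests],
            "instance_ops": [o.find("ind:instance", NS).get("operation") for o in objs]}


if __name__ == "__main__":
    print(render_oval(parse_rows(SAMPLE_CSV)))
```

Run stand-alone it prints the generated OVAL for the three constructed rows. The validation in parse_rows is where a template of this kind earns its keep: a misspelled check_existence value would otherwise produce XML that fails schema validation only much later in the build, and the second point in Gautam's list (generic title/description/comment) is visible in how little the metadata can say per row.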
---
>
> Hi All,
>
> I tried searching the ssg project for a template that could find a pattern in a given
> file. I feel this would be one of the most used templates where we need to find if a
> file contains an expression. This would be used for audit rules, sshd configuration,
> password complexity configuration, password aging configuration, login configuration
> and probably many others. We could create a CSV as below:
>
> </path/to/file>,<regex to find>
>
> Is someone working on it or have it or any idea how to do it?
>
> Thanks and regards,
>
> Pravin Goyal
>
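Jan's proposed next step above, measuring what share of the existing <ind:textfilecontent54_object> checks have the simplest form and what share deviate (external variable, extra state, more than one test/object, dependency on another definition), as an added example written for this page rather than SSG's own count_oval_objects.py. The embedded OVAL document and every id in it are constructed; the classification criteria are the ones Gautam and Jan list in the thread.

```python
"""Added example written for this page, not SSG's count_oval_objects.py:
classify textfilecontent54 checks in an OVAL file as 'basic' (one test, one
object, no state, no variable, no extend_definition) or record why each one
deviates, then report percentages. SAMPLE_OVAL and every id in it are constructed."""
import xml.etree.ElementTree as ET
from collections import Counter

OVAL_DEF = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
OVAL_IND = OVAL_DEF + "#independent"
OVAL_UNIX = OVAL_DEF + "#unix"
NS = {"d": OVAL_DEF, "ind": OVAL_IND}
TFC_TEST = "{%s}textfilecontent54_test" % OVAL_IND

SAMPLE_OVAL = f"""<oval_definitions xmlns="{OVAL_DEF}" xmlns:ind="{OVAL_IND}" xmlns:unix="{OVAL_UNIX}">
  <definitions>
    <definition class="compliance" id="oval:ex:def:1" version="1">
      <criteria><criterion test_ref="oval:ex:tst:1"/></criteria></definition>
    <definition class="compliance" id="oval:ex:def:2" version="1">
      <criteria><criterion test_ref="oval:ex:tst:2"/></criteria></definition>
    <definition class="compliance" id="oval:ex:def:3" version="1">
      <criteria operator="AND"><extend_definition definition_ref="oval:ex:def:1"/>
        <criterion test_ref="oval:ex:tst:3"/></criteria></definition>
    <definition class="compliance" id="oval:ex:def:4" version="1">
      <criteria><criterion test_ref="oval:ex:tst:4"/></criteria></definition>
  </definitions>
  <tests>
    <ind:textfilecontent54_test id="oval:ex:tst:1" version="1" check="all" check_existence="at_least_one_exists">
      <ind:object object_ref="oval:ex:obj:1"/></ind:textfilecontent54_test>
    <ind:textfilecontent54_test id="oval:ex:tst:2" version="1" check="all" check_existence="at_least_one_exists">
      <ind:object object_ref="oval:ex:obj:2"/></ind:textfilecontent54_test>
    <ind:textfilecontent54_test id="oval:ex:tst:3" version="1" check="all" check_existence="at_least_one_exists">
      <ind:object object_ref="oval:ex:obj:3"/><ind:state state_ref="oval:ex:ste:1"/></ind:textfilecontent54_test>
    <unix:file_test id="oval:ex:tst:4" version="1" check="all">
      <unix:object object_ref="oval:ex:obj:4"/></unix:file_test>
  </tests>
  <objects>
    <ind:textfilecontent54_object id="oval:ex:obj:1" version="1">
      <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
      <ind:pattern operation="pattern match">^PermitRootLogin[ ]+no$</ind:pattern>
      <ind:instance datatype="int">1</ind:instance></ind:textfilecontent54_object>
    <ind:textfilecontent54_object id="oval:ex:obj:2" version="1">
      <ind:filepath>/etc/login.defs</ind:filepath>
      <ind:pattern operation="pattern match" var_ref="oval:ex:var:1" var_check="all"/>
      <ind:instance datatype="int">1</ind:instance></ind:textfilecontent54_object>
    <ind:textfilecontent54_object id="oval:ex:obj:3" version="1">
      <ind:filepath>/etc/login.defs</ind:filepath>
      <ind:pattern operation="pattern match">^PASS_MIN_LEN[ ]+([0-9]+)$</ind:pattern>
      <ind:instance datatype="int">1</ind:instance></ind:textfilecontent54_object>
    <unix:file_object id="oval:ex:obj:4" version="1">
      <unix:filepath>/etc/passwd</unix:filepath></unix:file_object>
  </objects>
  <states>
    <ind:textfilecontent54_state id="oval:ex:ste:1" version="1">
      <ind:subexpression datatype="int" operation="greater than or equal">8</ind:subexpression>
    </ind:textfilecontent54_state>
  </states>
  <variables>
    <external_variable id="oval:ex:var:1" version="1" datatype="string" comment="pattern set by the profile"/>
  </variables>
</oval_definitions>"""


def classify_checks(xml_text):
    """Map each textfilecontent54-based definition id to its sorted list of
    deviations from the basic form (an empty list means basic)."""
    root = ET.fromstring(xml_text)
    tests = {t.get("id"): t for t in root.find("d:tests", NS)}
    objects = {o.get("id"): o for o in root.find("d:objects", NS)}
    result = {}
    for d in root.findall("d:definitions/d:definition", NS):
        crit = d.find("d:criteria", NS)
        refs = [c.get("test_ref") for c in crit.iter("{%s}criterion" % OVAL_DEF)]
        tfc = [tests[r] for r in refs if tests[r].tag == TFC_TEST]
        if not tfc:
            continue  # other test families are outside the denominator
        why = set()
        if crit.find(".//d:extend_definition", NS) is not None:
            why.add("extend_definition")
        if len(refs) > 1:
            why.add("multiple_tests")
        for t in tfc:
            if t.find("ind:state", NS) is not None:
                why.add("state")
            obj = objects[t.find("ind:object", NS).get("object_ref")]
            if any(e.get("var_ref") for e in obj.iter()):
                why.add("var_ref")
        result[d.get("id")] = sorted(why)
    return result


def summarize(classified):
    """Jan's percentages plus a tally of why checks deviate from the template."""
    total = len(classified)
    basic = sum(1 for why in classified.values() if not why)
    pct = lambda n: round(100.0 * n / total, 1) if total else 0.0
    return {"checks": total, "basic_pct": pct(basic), "deviating_pct": pct(total - basic),
            "reasons": dict(Counter(r for why in classified.values() for r in why))}
```

Call summarize(classify_checks(open(path).read())) on a product's OVAL document to get the two percentages Jan asks for; the reasons tally then tells you whether one basic template or several variant templates (external variable, extra state, dependency) would cover the bulk of the checks.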