On Tuesday, November 13, 2012 09:37:07 AM Steve Grubb wrote:
For anything with name=value, we normally use the textfilecontent54, in which we
can define a regex to pick out the items of interest. However, with a
language, you have multiple ways of expressing the same idea. For example,
if (foo() > 500)
and
uid = foo();
if (uid > 500)
and
start = 500;
uid = foo();
if (uid > start)
do the same thing. Then throw in comments and indentation and you have
lots of possibilities. This is also not considering whether the code
actually meets the intent or allows unintended functionality (exploits).
The only thing I can think of, using what's currently available in SCAP is
to use filehash58 and call it a day. This has the drawback of notifying the
admin that the hash doesn't match instead of a useful, actionable, message.
They will be left wondering why the hash doesn't match and what they can do
to fix it.
And then if the JavaScript was found to have a vulnerability in it and it got
fixed or perhaps updated to allow smartcard functionality or something... now
the hash doesn't match. The old vulnerable hash will be forever encoded into
guidance with almost no way to get a standards body to change it.
With name = value, the vulnerability would likely be in the compiled code and
the compliance check would pass. In this case the settings are verifiably
correct because the config file is not changed and part of the compliance check
usually involves running the OVAL content the Red Hat security response team
generates, which checks the rpm version.
-Steve
This is not going to help security. This should be a lesson to anyone
wanting to adopt a language for system configuration and policy decision.
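The two check styles Steve contrasts, as an added example that is not part of the thread or of any SCAP content: a regex check in the spirit of textfilecontent54 and a byte-exact hash check in the spirit of filehash58, run over the three equivalent snippets from the mail plus two constructed variants (one re-indented with a comment, one where the test has been commented out). The pattern, the snippets and the sha256 comparison are assumptions made for the illustration.

```python
import hashlib
import re

# Constructed sample "config as code" files. The first three are the
# equivalent forms from the mail; the last two are added variants.
VARIANTS = {
    "literal":   "if (foo() > 500)\n",
    "variable":  "uid = foo();\nif (uid > 500)\n",
    "indirect":  "start = 500;\nuid = foo();\nif (uid > start)\n",
    # Same rule as "literal", re-indented and with a comment added.
    "commented": "    /* minimum non-system uid */\n    if (foo() > 500)\n",
    # The intended test survives only inside a comment; the live test differs.
    "disabled":  "// if (foo() > 500)\nif (foo() > 0)\n",
}

# What a textfilecontent54-style check can express: a pattern over the
# text of the file, not over what the program actually does.
UID_PATTERN = re.compile(r"if \(foo\(\) > 500\)")


def textfilecontent_check(content: str, pattern: re.Pattern) -> bool:
    """Pass if the regex matches anywhere in the file."""
    return pattern.search(content) is not None


def filehash_check(content: str, expected_sha256: str) -> bool:
    """Pass only if the file is byte-for-byte the approved version."""
    return hashlib.sha256(content.encode()).hexdigest() == expected_sha256


def evaluate(approved_key: str = "literal") -> dict:
    """Run both check styles over every variant; return pass/fail per variant.

    The regex rejects two compliant rewrites and accepts the disabled test;
    the hash rejects every change, compliant or not, with no hint why.
    """
    approved_hash = hashlib.sha256(VARIANTS[approved_key].encode()).hexdigest()
    return {
        name: {
            "regex": textfilecontent_check(content, UID_PATTERN),
            "hash": filehash_check(content, approved_hash),
        }
        for name, content in VARIANTS.items()
    }


if __name__ == "__main__":
    for name, res in evaluate().items():
        print(f"{name:10s} regex={'pass' if res['regex'] else 'FAIL':4s} "
              f"hash={'pass' if res['hash'] else 'FAIL'}")
```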