Hello Pravin,
thank you for checking with us (I have merged Gautam's former reply here too to have all the facts together).
----- Original Message -----
From: "S, Gautam" gautams@hpe.com
To: open-scap-list@redhat.com
Sent: Monday, April 4, 2016 11:00:10 AM
Subject: Re: [Open-scap] Template for file pattern match
Hi Pravin,
FWIW regarding the question of OVAL template for regex match - we track it under: [1] https://github.com/OpenSCAP/scap-security-guide/issues/1083
This was something I also wondered about. However, there are some subtle aspects that might affect this which I learned once I gave it a shot.
- Not all pattern matches are the same. Some search whether a pattern exists in a file, some check for the absence, some check for the first match only, some for all matches, some checks will involve external variables passed in as well. At the very least, you will need </path/to/file>,<regex to find>,<check_existence>,<instance> for basic ones.
- You will have to keep the title, description and comments extremely generic or else update them individually and they are generated. I found this to be a huge deterrent to making everything into a template.
There's this count_oval_objects.py utility: https://github.com/OpenSCAP/scap-security-guide/blob/master/shared/utils/cou...
from which output, when run, it is clear the <textfilecontent54_object> is clearly the most used OVAL template, e.g. for RHEL/6 content (I would assume the result will be the same for different products too).
But like Gautam already clarified above, from the SSG experience there would be a very small count of cases where the basic ind:filepath regex OVAL template would be sufficient. IOW if you would have a look at those existing OVAL checks already using ind:textfilecontent54_object, often the final form of the OVAL ends up in the state where:
* it's necessary to reference some external_variable,
* it's necessary to have more rules (more objects),
* it's necessary to have more states,
* it's necessary to reference some OVAL rule dependency,
* it's necessary for the regex to search the last occurrence of somestring in file etc etc.
This is not to say the OVAL ind:textfilecontent54_object template wouldn't be useful for SSG. But there are these corner cases / additional requirements listed above, often leading to a state where a new ind:textfilecontent54_object OVAL check is written from scratch, rather than from a template.
The current state being in [1] we are discussing the possible form of such a template -- facing the need to quickly write a dozen simple OVAL checks checking some regex in some file, an OVAL template might seem handy. But the expectation is to have the templated OVAL checks stable / unmodified across the SSG releases (so one day we could replace all those checks currently present in the repository with their dynamic [re]generation during the SSG package build). On the other hand, any corner case (external_variable, dependency on another OVAL etc) is diverging from the common template (assuming a very basic simple template). And therefore diverging from the above approach (since in the moment the developer would end up writing such an OVAL check from scratch just because the template is too simple and could not help them to speed up the OVAL checks development, I am not completely convinced it's worth investing the time into the design of such a template and MAINLY into investing the time into keeping such a template in a working state).
So I would say / IMHO the next step WRT [1] would be to use the already included "count_oval_objects.py" utility and determine how many (in % compared to the whole count of ind:textfilecontent54_object OVAL checks already implemented for that product) of the ind:textfilecontent54_object OVAL checks have the simplest form, and how many (again in % compared to already having ind:textfilecontent54_object OVAL checks for that product) are derived from the basic form due to some reason (some corner case).
Once we know this information, we can proceed further (if just to implement basic OVAL template, or have more templates for each of the subtle different cases [depending on another OVAL, using external variable etc.]).
Hope this helps.
Thank you && Regards,
Jan
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team
P.S.: There's SCAP Security Guide (SCAP content) dedicated mailing list too --> Cc'ed it too (so people can react to the topic).
Thank you.
Regards, Gautam.
Open-scap-list mailing list Open-scap-list@redhat.com https://www.redhat.com/mailman/listinfo/open-scap-list
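The measurement proposed in the reply above (what share of ind:textfilecontent54_object checks are in the basic form, and why the rest diverge) could be sketched as follows. This is an added example, not part of the thread and not the SSG count_oval_objects.py utility; the sample checks are constructed, and only four of the listed corner cases are detected (external variable, several objects, states, dependency on another definition).

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample checks, not taken from the SSG repository.
NS = ('xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:ind='
      '"http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"')
OBJ = ('<ind:textfilecontent54_object id="obj_%s" version="1">'
       '<ind:filepath>/etc/login.defs</ind:filepath>'
       r'<ind:pattern operation="pattern match">^PASS_MAX_DAYS\s+(\d+)$</ind:pattern>'
       '<ind:instance datatype="int">1</ind:instance>'
       '</ind:textfilecontent54_object>')
STATE = ('<ind:textfilecontent54_state id="ste_a" version="1">'
         '<ind:subexpression datatype="int" operation="less than or equal"'
         ' var_ref="var_a"/></ind:textfilecontent54_state>'
         '<external_variable id="var_a" datatype="int" version="1" comment="x"/>')
DEP = '<criteria><extend_definition definition_ref="constructed_dep"/></criteria>'
SAMPLES = {name: "<def-group %s>%s</def-group>" % (NS, body) for name, body in {
    "basic": OBJ % "a",
    "with_variable": OBJ % "a" + STATE,
    "with_dependency": DEP + OBJ % "a",
    "two_objects": OBJ % "a" + OBJ % "b",
}.items()}

def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the "{namespace}" prefix ElementTree adds

def divergences(oval_xml):
    """Reasons a check departs from the basic form; None if it has no
    textfilecontent54_object at all, [] if it is in the basic form."""
    root = ET.fromstring(oval_xml)
    names = Counter(local(e.tag) for e in root.iter())
    if not names["textfilecontent54_object"]:
        return None
    uses_var = any("var_ref" in e.attrib for e in root.iter())
    flags = {
        "external_variable": names["external_variable"] or uses_var,
        "multiple_objects": names["textfilecontent54_object"] > 1,
        "state": names["textfilecontent54_state"],
        "extend_definition": names["extend_definition"],
    }
    return [reason for reason, hit in flags.items() if hit]

def summarize(checks):
    """Return (% of textfilecontent54 checks in basic form, Counter of reasons)."""
    found = [r for r in map(divergences, checks.values()) if r is not None]
    basic = sum(1 for r in found if not r)
    percent = round(100.0 * basic / len(found), 1) if found else 0.0
    return percent, Counter(reason for r in found for reason in r)
```
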
---
Hi All,
I tried searching the ssg project for a template that could find a pattern in a given file. I feel this would be one of the most used templates where we need to find if a file contains an expression. This would be used for audit rules, sshd configuration, password complexity configuration, password aging configuration, login configuration and probably many others. We could create a CSV as below:
</path/to/file>,<regex to find>
Is someone working on it, or does anyone have it or any idea how to do it?
Thanks and regards,
Pravin Goyal
scap-security-guide@lists.fedorahosted.org
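A sketch of the CSV-driven template discussed in this thread, using the four fields named in the reply (file path, regex, check_existence, instance). This is an added example, not code from the thread or from the SSG project: the leading check_id column, the generic title and the sample rows are assumptions, and the fragment leaves the ind: prefix undeclared on the assumption that the build wraps it in a document that declares it.

```python
import csv, io, re
from xml.sax.saxutils import escape, quoteattr

# OVAL ExistenceEnumeration values accepted for check_existence.
EXISTENCE = {"all_exist", "any_exist", "at_least_one_exists",
             "none_exist", "only_one_exists"}

TEMPLATE = """<def-group>
  <definition class="compliance" id={did} version="1">
    <metadata><title>Pattern check in {path}</title></metadata>
    <criteria><criterion test_ref={tid} /></criteria>
  </definition>
  <ind:textfilecontent54_test check="all" check_existence={exist}
      comment="generated" id={tid} version="1">
    <ind:object object_ref={oid} />
  </ind:textfilecontent54_test>
  <ind:textfilecontent54_object id={oid} version="1">
    <ind:filepath>{path}</ind:filepath>
    <ind:pattern operation="pattern match">{regex}</ind:pattern>
    <ind:instance datatype="int">{instance}</ind:instance>
  </ind:textfilecontent54_object>
</def-group>
"""

# Constructed sample rows; the leading check_id column is an assumption.
SAMPLE_CSV = r"""
sshd_root_login,/etc/ssh/sshd_config,^\s*PermitRootLogin\s+no\s*$,all_exist,1
umask_bashrc,/etc/bashrc,"^\s*umask\s+0[0-7]{2,3}\s*$",all_exist,1
hosts_equiv_wildcard,/etc/hosts.equiv,^\s*[+<&],none_exist,1
"""

def render(row):
    """Validate one CSV row and return its OVAL fragment."""
    if len(row) != 5:
        raise ValueError("expected 5 fields, got %d: %r" % (len(row), row))
    check_id, path, regex, exist, instance = row
    if not re.fullmatch(r"[a-z0-9_]+", check_id):
        raise ValueError("bad check id %r" % check_id)
    if not path.startswith("/") or exist not in EXISTENCE:
        raise ValueError("bad path or check_existence in %r" % row)
    if not instance.isdigit() or int(instance) < 1:
        raise ValueError("instance must be a positive integer: %r" % instance)
    # Escape values so regex metacharacters such as < and & stay valid XML.
    return TEMPLATE.format(
        did=quoteattr(check_id), tid=quoteattr("test_" + check_id),
        oid=quoteattr("obj_" + check_id), exist=quoteattr(exist),
        path=escape(path), regex=escape(regex), instance=int(instance))

def generate(csv_text):
    """Return {check_id: OVAL fragment} for every non-empty CSV row."""
    rows = (r for r in csv.reader(io.StringIO(csv_text)) if r)
    return {r[0]: render(r) for r in rows}
```

A regex containing a comma has to be quoted in the CSV, as in the second sample row.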