Thanks for your help. I can see that becoming "fluent" in this is going
to take some time, but it certainly looks worth doing.

Tim

On 8/15/19 8:58 PM, Jan Cerny wrote:
> Hi,
> 
> On Tue, Aug 13, 2019 at 4:53 AM Tim Burress <t...@variosecure.net> wrote:
>>
>> Hello,
>>
>> I'm trying to learn my way around SCAP just now, with the main focus
>> right now on scans of Linux-based systems using oscap and the related
>> tools. I'm hitting a bit of a wall when it comes to writing OVAL content
>> and just wondered if someone could point me to resources that unpack
>> things from the perspective of someone accustomed to writing software in
>> "normal" programming languages?
> 
> I'm not aware of any comprehensive book about that.
> 
> The official website can be a good start:
> - https://oval.mitre.org/
> 
> We have created a tutorial for Red Hat Summit about ComplianceAsCode,
> which also mentions OVAL:
> - https://github.com/RedHatDemos/SecurityDemos/tree/master/2019Labs/CustomSecurityContent/documentation
> 
>>
>> Some more-or-less specific questions:
>>
>> o In an object definition like this (condensed from OVAL found in SSG,
>> where B is a local variable containing a set of file paths):
>>
>> <ind:textfilecontent54_object id="A" version="1">
>>     <ind:filepath var_ref="B" var_check="at least one" />
>>     <ind:pattern operation="pattern match">^0$</ind:pattern>
>>     <ind:instance datatype="int">1</ind:instance>
>> </ind:textfilecontent54_object>
>>
>> what is the function of var_check="at least one"? I assume that this is
>> a condition being applied to the value of the variable B, saying that it
>> must have at least one member, but what happens if the variable B is an
>> empty set?
> 
> When var_check is set to "at least one" it means that for a file to be
> matched its file path must be equal to at least one of the members of
> variable B.
> 
> If the variable B is an empty set, the object will be evaluated as
> "does not exist".
> 
> var_check is described here:
> https://oval.mitre.org/language/version5.11/ovaldefinition/documentation/oval-definitions-schema.html
> - search for var_check in section
> EntityAttributeGroup.
> 
>>
>> o Basic question: is the order in which entities appear in a file of
>> OVAL content irrelevant? Given that they are all tagged with types and
>> ID strings it seems like this would be the case, but OVAL is a new world
>> where many things are not what they seem, so I thought I would check.
> 
> The order of objects, states, variables etc. is irrelevant. For
> example, it doesn't matter if object id=1 is defined before or after
> object id=2.
> 
> However, the order of the different child elements matters. For example,
> within the <ind:textfilecontent54_object> element the <ind:filepath>
> element must always come before the <ind:pattern> element. OpenSCAP will
> tell you if you put elements in the wrong order, because it performs XML
> validation each time.
> 
>>
>> o Is there a tool that allows you to debug OVAL at runtime? That is,
>> much like any other debugger, to set breakpoints and examine the values
>> of objects/variables/etc at runtime?
> 
> We don't have any tool. We usually run OpenSCAP with --verbose, or we
> generate the XML results and we analyse the results.
> 
>>
>> o Is there a document/book/tutorial that guides a person through
>> creating complex OVAL rules (preferably on Linux systems)? Most of the
>> examples I've found on the web are of the very simple "Hello World"
>> variety, so lead to more questions than they answer. Something that
>> walks through even just how to *think* about solving problems in OVAL
>> would be helpful at this point.
> 
> I also wish there was something like that. Try to get inspired by the
> existing rules in SSG. If you have any further questions, feel free to
> ask here anytime.
> 
> Regards
> 
> 
>>
>> Thanks!
>>
>>
>>
>> _______________________________________________
>> Open-scap-list mailing list
>> Open-scap-list@redhat.com
>> https://www.redhat.com/mailman/listinfo/open-scap-list
> 
> 
> 
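A small Python model of the var_check and empty-variable behaviour described in Jan's reply, added here as an illustration and not OpenSCAP's own collector: the file snapshot, the paths in it and the function names are constructed for the example, and the pattern/instance handling is a simplified reading of textfilecontent54_object.

```python
import re
from typing import Dict, List

# Constructed file-system snapshot (path -> contents) standing in for what
# the probe would read on a real host. Paths and values are illustrative.
FILES: Dict[str, str] = {
    "/proc/sys/net/ipv4/ip_forward": "0\n",
    "/proc/sys/net/ipv6/conf/all/forwarding": "0\n",
    "/proc/sys/kernel/randomize_va_space": "2\n",
}


def entity_matches(actual: str, values: List[str], var_check: str) -> bool:
    """Apply var_check to one entity value against every value of a variable.

    "at least one": the actual value equals some member of the variable;
    "all": it equals every member; "only one": exactly one member;
    "none satisfy": no member. (Model of the OVAL CheckEnumeration values.)
    """
    hits = [actual == v for v in values]
    if var_check == "at least one":
        return any(hits)
    if var_check == "all":
        return all(hits)
    if var_check == "only one":
        return sum(hits) == 1
    if var_check == "none satisfy":
        return not any(hits)
    raise ValueError(f"unknown var_check {var_check!r}")


def collect_textfilecontent54(var_b: List[str], pattern: str, instance: int,
                              var_check: str = "at least one",
                              files: Dict[str, str] = FILES) -> dict:
    """Model a textfilecontent54_object whose <filepath> references variable B.

    Returns the object flag and the collected items. An empty variable makes
    the object evaluate to "does not exist", as the reply describes; a
    non-empty variable whose paths match no file does the same.
    """
    if not var_b:
        return {"flag": "does not exist", "items": []}
    items = []
    for path, contents in sorted(files.items()):
        if not entity_matches(path, var_b, var_check):
            continue
        # "pattern match" is a regular expression over the file contents;
        # <instance> selects the n-th match (1-based).
        matches = [m.group(0) for m in re.finditer(pattern, contents, re.MULTILINE)]
        if len(matches) >= instance:
            items.append({"filepath": path, "text": matches[instance - 1]})
    return {"flag": "complete" if items else "does not exist", "items": items}
```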