Replies: 5 comments 22 replies
-
We've previously had discussions around making the applicability_check attribute of criteria/criterion/extend_definition consequential to the evaluation. For the use-case you're describing, however, I've thought the XCCDF platform checks should suffice, since they can be used to gate whether OVAL checks should be evaluated on a target machine. |
Beta Was this translation helpful? Give feedback.
-
Well, the state is definitely not ideal: OpenSCAP/openscap#273. I would prefer a better not applicable/not implemented/not available states bubbling up from OVAL into XCCDF and better handling of these instead of having the same logic duplicated in OVAL. |
Beta Was this translation helpful? Give feedback.
-
I know I'm not at CIS anymore and they've pretty much abandoned any new
implementation of SCAP/OVAL development, but wanted to offer my 2 cents of
historical context. Back in the day, CIS-CAT implemented and proposed an
OVAL extension for "shellcommand", but the proposal to add that to the
official OVAL language was denied. We moved forward with implementing SCE
to get around that, although probably left in the shellcommand stuff
because it was already there. Unfortunately that opened Pandora's box for
CIS to abandon OVAL, drop all the people that had any OVAL experience or
advocated for it, and implement benchmarks using more and more SCE-based
checks.
I am sure there's probably some mailing list archives *somewhere* where the
discussions around the shellcommand_test could be found.
As a side note, I'd like to try and stay involved in the community here,
but obviously don't have a tool I can test any of these new proposals on,
but am really happy to see all the activity and renewed interest in the
next iterations of SCAP/XCCDF/OVAL. Thanks for not purging me from the
mailing list :)
Cheers,
-Bill M.
…On Thu, Oct 3, 2024 at 8:38 PM Jack Vander Pol ***@***.***> wrote:
@solind <https://github.com/solind>, interesting to learn about SCE,
especially after being shared a CIS benchmark that had their own
commandshell OVAL test in it, which was also digitally signed. The fact
that we independently came up with essentially the same thing means
SCAP/OVAL definitely needs something like it, one way or another.
I was hoping to have more of an official proposal, with more sample
content, results and a demo build of SCC to share this week, but should
have something by next week. As FYI, the shellcommand test actually
supports more than just a single command, anything you could pass into the
shell interpreter, and we are expecting essentially shell scripts quite
frequently, along with single commands, depending on what is needed. We
bounced around several ideas on what the OVAL test name should be, and are
open to suggestions.
—
Reply to this email directly, view it on GitHub
<#170 (reply in thread)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AB7K53CD3C72RE237O4WFZ3ZZXPRXAVCNFSM6AAAAABPJT6UYGVHI2DSMVQWIX3LMV43URDJONRXK43TNFXW4Q3PNVWWK3TUHMYTAOBTHA3DAMY>
.
You are receiving this because you are subscribed to this thread.Message
ID: ***@***.***
com>
|
Beta Was this translation helpful? Give feedback.
-
So my takeaway so far from this discussion is that OVAL lacks the ability to have conditional tests, but the general consensus seems to be that they are not needed, and there are ways to cobble around this limitation. If there isn't enough interest in improving OVAL with this feature, we can call this discussion closed. If I have misinterpreted the general consensus, please correct me, or add a proposal on how to improve OVAL. |
Beta Was this translation helpful? Give feedback.
-
Closing this discussion for OVAL 6.0, we can revisit if/when OVAL 7.0 is created. |
Beta Was this translation helpful? Give feedback.
-
@OVAL-Community/oval-board-members
We've had on occasion the need to exclude performing a certain test, because it may error out on that system (or for various other reasons). Something like
If
Run some cmdlet test that we know is installed on domain controllers
else
Run some other test that we know works for non-domain controllers
We currently have this 'working' by other means with all criteria AND/OR, but we have had to change some error/warnings to just debug when we come across a cmdlet that isn't installed and returns error, as all tests are run on all systems regardless.
This could be implemented like the XCCDF platform specification, or a true IF/ELSEIF/ELSE scenario.
I'll admit I haven't put enough thought into this to make a full proposal and realize the consequences, but I suspect that I can't be the only person to dream of being able to do an IF in OVAL?
IF there was a time (pun intended), OVAL 6 is it. This is our one and only chance.
IF you agree, and would like to see it happen, share your thoughts, proposals, etc...
Beta Was this translation helpful? Give feedback.
All reactions