Hi all,
I have noticed the new rpm_verify.xml check with the following commit message:
" the "rpm_verify.xml" check now works but a word of caution:
- it creates an approximately 250M results file
- it takes a long time to execute on a reasonably powerful system"
It's true that OVAL rpmverify is not used effectively here. You collect all rpmverify items from all packages on a system. This is not a very happy solution. ;)
I suggest changing the logic of the test. Filter out the items you don't need. :)
Example (thanks to mitr@redhat.com):
<tests>
  <lin-def:rpmverify_test check_existence="none_exist" id="oval:org.open-scap:tst:1001" version="1" check="all" comment="Files with changed permissions">
    <lin-def:object object_ref="oval:org.open-scap:obj:1001"/>
  </lin-def:rpmverify_test>
</tests>
<objects>
  <lin-def:rpmverify_object id="oval:org.open-scap:obj:1001" version="1" comment="(RPM)Verify all files">
    <lin-def:behaviors nodeps="true" nofiles="false" nodigest="true" noscripts="true" nosignature="true" nomd5="true"/>
    <lin-def:name operation="pattern match">.*</lin-def:name>
    <lin-def:filepath operation="pattern match">.*</lin-def:filepath>
    <filter action="include">oval:org.open-scap:ste:1001</filter>
  </lin-def:rpmverify_object>
</objects>
<states>
  <lin-def:rpmverify_state id="oval:org.open-scap:ste:1001" version="1">
    <lin-def:mode_differs>fail</lin-def:mode_differs>
  </lin-def:rpmverify_state>
</states>
Regards,
Peter.
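As an added illustration (not part of Peter's mail or of the scap-security-guide project), the following Python models what the state filter above does: it parses constructed rpm -Va output into rpmverify-style items, keeps only the ones whose mode_differs is "fail", and evaluates the test with check_existence="none_exist", so only files with changed permissions end up in the result instead of every file of every package. The rpm -Va line layout and all entity names other than mode_differs are assumptions.

```python
import re
# Entity names for rpm -Va's nine flag columns (S M 5 D L U G T P), in order.
# mode_differs is the one the mail filters on; the other names are assumed
# to follow the OVAL rpmverify_state schema.
FLAG_ENTITIES = ("size_differs", "mode_differs", "md5_differs", "device_differs",
                 "link_mismatch", "ownership_differs", "group_differs",
                 "mtime_differs", "capabilities_differ")
# Assumed rpm -Va line layout: 9 flag chars, optional file-type marker, path.
_LINE = re.compile(r"^(?P<flags>[SM5DLUGTP.?]{9})\s+(?:(?P<attr>[cdglr])\s+)?(?P<path>/.*)$")
# The state from the mail: keep only items whose mode check failed.
MODE_DIFFERS_STATE = {"mode_differs": "fail"}
# Constructed sample output; "missing" lines are not rpmverify items here.
SAMPLE_RPM_VA = """\
S.5....T.  c /etc/ssh/sshd_config
.M.......    /usr/bin/passwd
.M....G..  c /etc/sudoers
missing     /usr/share/doc/foo/README
.......T.    /usr/lib64/libz.so.1
"""

def parse_rpm_verify(output):
    """One rpmverify-style item per file; each entity is "pass", "fail" or
    "not performed" (rpm prints '?' when a check could not be run)."""
    items = []
    for line in output.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue
        item = {"filepath": m.group("path"),
                "configuration_file": "true" if m.group("attr") == "c" else "false"}
        for entity, flag in zip(FLAG_ENTITIES, m.group("flags")):
            item[entity] = ("pass" if flag == "." else
                            "not performed" if flag == "?" else "fail")
        items.append(item)
    return items

def apply_state_filter(items, state):
    """<filter action="include">: keep only items matching every state entity,
    so the result file holds the few interesting files instead of all of them."""
    return [it for it in items if all(it.get(k) == v for k, v in state.items())]

def evaluate_test(filtered_items):
    """check_existence="none_exist": pass only if nothing survived the filter."""
    return "pass" if not filtered_items else "fail"

def changed_mode_files(output):
    """Paths the filtered object collects from the given rpm -Va output."""
    filtered = apply_state_filter(parse_rpm_verify(output), MODE_DIFFERS_STATE)
    return [it["filepath"] for it in filtered]
```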
Ah, indeed. Mirek's original suggestion (sent via OVAL list) also had the filter, but somehow it did not make it into our commit.
I'll check with Michael to see what happened, and then make an update.
Thanks very much for the sharp eye!
On 12/13/2011 08:55 AM, Peter Vrabec wrote:
Hi all,
I have noticed the new rpm_verify.xml check with the following commit message:
" the "rpm_verify.xml" check now works but a word of caution:
- it creates an approximately 250M results file
- it takes a long time to execute on a reasonably powerful system"
It's true that OVAL rpmverify is not used effectively here. You collect all rpmverify items from all packages on a system. This is not a very happy solution. ;)
I suggest changing the logic of the test. Filter out the items you don't need. :)
Example (thanks to mitr@redhat.com):
<tests>
  <lin-def:rpmverify_test check_existence="none_exist" id="oval:org.open-scap:tst:1001" version="1" check="all" comment="Files with changed permissions">
    <lin-def:object object_ref="oval:org.open-scap:obj:1001"/>
  </lin-def:rpmverify_test>
</tests>
<objects>
  <lin-def:rpmverify_object id="oval:org.open-scap:obj:1001" version="1" comment="(RPM)Verify all files">
    <lin-def:behaviors nodeps="true" nofiles="false" nodigest="true" noscripts="true" nosignature="true" nomd5="true"/>
    <lin-def:name operation="pattern match">.*</lin-def:name>
    <lin-def:filepath operation="pattern match">.*</lin-def:filepath>
    <filter action="include">oval:org.open-scap:ste:1001</filter>
  </lin-def:rpmverify_object>
</objects>
<states>
  <lin-def:rpmverify_state id="oval:org.open-scap:ste:1001" version="1">
    <lin-def:mode_differs>fail</lin-def:mode_differs>
  </lin-def:rpmverify_state>
</states>
Regards,
Peter.
_______________________________________________
scap-security-guide mailing list
scap-security-guide@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/scap-security-guide