Writing OVAL Content
Understanding the following conventions will make it easier to navigate the SCAP-Security-Guide repository and author SCAP content.
- OVAL definitions are written as source OVAL pseudo-XML files using a shorthand syntax. This shorthand syntax is unique to ComplianceAsCode.
- Each source OVAL file defines one vulnerability assessment definition. (A definition of one vulnerability can test multiple criteria.)
- OVAL files are located in the `oval` subdirectory of the rule's directory.
- Source OVAL files are transformed into OVAL XML files during the project's build process.
- Source OVAL files applicable to a single version of software are named accordingly, e.g. `fedora.xml`, `rhel7.xml`.
- Source OVAL files applicable to multiple versions of software have the `shared.xml` filename.
- Navigate to the rule directory for which the OVAL definition will be authored.
- Choose the most appropriate stub template; all OVALs have a definition and at least one test. You can find examples of OVALs in the `oval` subdirectories of rule directories.
- Decide the name/id of the definition following the suggested `id` convention in the template's `definition` tag.
- Copy the example you have chosen in the first step to the `oval` subdirectory and name it according to whether it is shared across different products or versions.
- Edit the source OVAL file, and make sure that you don't forget to replace the `definition` tag's `id` attribute.
Example (Linux)

```shell
# Navigate to the SSG source OVAL directory
cd RHEL/7/input/oval/
# Choose templates/template_package_removed as the most appropriate template
# Decide that the name of the OVAL definition will be "package_ntpdate_removed"
# Copy the stub template file to the source OVAL directory under that name
cp templates/template_package_removed ./package_ntpdate_removed.xml
# Edit the SSG source OVAL XML file so the definition tag's id attribute is "package_ntpdate_removed"
# (the id matches the file name without the .xml extension)
```
(NOTE: If you are authoring a test applicable to more than one software package or version thereof, navigate instead to `/shared/oval`.)
TBD
Most developers these days author code interactively. The Python script `testcheck.py` provides all the necessary transformations to test an OVAL definition in isolation during authorship. (`testcheck.py` is conveniently located in all `software_name/version/input/oval/` directories.)

`testcheck.py` will build the final OVAL XML definition file, place it somewhere under a `/tmp/$$` directory, and use OpenSCAP to evaluate the system against the definition.

If the OVAL definition requires an OVAL variable (e.g. if there is an `<external_variable ... />` element defined within that OVAL check), `testcheck.py` will print a message saying that the OVAL definition expects a variable. Define an appropriately named environment variable before running `testcheck.py`.
Example (Linux)

```shell
./testoval.py package_ntpdate_removed.xml
```

Example with OVAL variable (Linux)

```shell
export var_password_pam_dcredit=3
./testoval.py accounts_password_pam_dcredit.xml
```