File finding and Access Denied in ovaldi

Help
2012-08-10
2013-06-12
  • Bill Lutton
    2012-08-10

    Hi there,

    I'm curious about ovaldi's behavior collecting obj:1 and obj:5 in the example run below from my Win7/64 box.
    Is it correct that the Access Denied error should cause no items to be collected for those objects?

    Thanks in advance,
    Bill L.

    PS: I had to edit/remove a bunch of xmlns attributes in order to get this posted - sorry.

    Administrator console output

    D:\ovaldi-5.10.1.1-x64>ovaldi -p -m -s -o win_file_test-datastream-1.xml
    ----------------------------------------------------
    OVAL Definition Interpreter
    Version: 5.10.1 Build: 1
    Build date: Jan 27 2012 20:00:45
    Copyright (c) 2002-2012 - The MITRE Corporation
    ----------------------------------------------------
    Start Time: Fri Aug 10 09:25:11 2012
     ** parsing win_file_test-datastream-1.xml file.
        - validating xml schema.
     ** checking schema version
         - Schema version - 5.8
    2012-08-10T09:25:12 : DEBUG : The directives file does not exist! directives.xml
    2012-08-10T09:25:12 : DEBUG : Unable to load directives configuration file.  Using default directives.
     ** skipping Schematron validation
     ** creating a new OVAL System Characteristics file.
     ** gathering data for the OVAL definitions.
    2012-08-10T09:25:12 : DEBUG : Collecting object id: oval:nist.validation:obj:1
    2012-08-10T09:25:46 : DEBUG : Error while collecting data for object: oval:nist.validation:obj:1 (FileProbe) Unable to open a handle to the file 'C:\Windows\CSC\v2.0.6\namespace': Access is denied.
    2012-08-10T09:25:46 : DEBUG : Collecting object id: oval:nist.validation:obj:2
    2012-08-10T09:25:46 : DEBUG : Collecting object id: oval:nist.validation:obj:3
    2012-08-10T09:25:46 : DEBUG : Collecting object id: oval:nist.validation:obj:4
    2012-08-10T09:25:46 : DEBUG : Collecting object id: oval:nist.validation:obj:5
    2012-08-10T09:26:21 : DEBUG : Error while collecting data for object: oval:nist.validation:obj:5 (FileProbe) Unable to open a handle to the file 'C:\Windows\CSC\v2.0.6\namespace': Access is denied.
     ** saving data model to system-characteristics.xml.
     ** running the OVAL Definition analysis.
    2012-08-10T09:26:21 : DEBUG : Analyzing definition: oval:nist.validation:def:1
     ** applying directives to OVAL results.
     ** OVAL definition results.
        OVAL Id                                 Result
        -------------------------------------------------------
        oval:nist.validation:def:1              error
        -------------------------------------------------------
     ** finished evaluating OVAL definitions.
     ** saving OVAL results to results.xml.
     ** skipping OVAL Results xsl
    ----------------------------------------------------
    

    win_file_test-datastream-1.xml

    <?xml version="1.0" encoding="UTF-8"?>
    <oval_definitions  >
      <generator>
        <oval:product_name>NIST Validation Content Generation Script</oval:product_name>
        <oval:product_version>1.0</oval:product_version>
        <oval:schema_version>5.8</oval:schema_version>
        <oval:timestamp>2011-09-23T21:03:55-04:00</oval:timestamp>
      </generator>
      <definitions>
        <definition class='compliance' id='oval:nist.validation:def:1' version='1'>
          <metadata>
            <title>Test that the check_existence property is properly supported using the specified value</title>
            <description>Make sure that the value specified, for the check_existence property, is properly supported for the win-def:file_test.</description>
            <expected_results>
              <result configuration='1'>PASS</result>
            </expected_results>
          </metadata>
          <criteria>
            <criterion comment='Test to see that every file item exists for the specified object.' negate='false' test_ref='oval:nist.validation:tst:1'/>
          </criteria>
        </definition>
      </definitions>
      <tests>
        <file_test check='all' check_existence='all_exist' comment='Test to see that every file item exists for the specified object.' id='oval:nist.validation:tst:1' version='1' xmlns='oval-definitions-5#windows'>
          <object object_ref='oval:nist.validation:obj:1'/>
        </file_test>
      </tests>
      <objects>
        <file_object id='oval:nist.validation:obj:1' version='1' xmlns='oval-definitions-5#windows'>
          <filepath operation='pattern match'>^[Cc]:\\scap_validation_content\\e\\.*.txt</filepath>
        </file_object>
        <file_object id='oval:nist.validation:obj:2' version='1' xmlns='oval-definitions-5#windows'>
          <path operation='equals'>C:\scap_validation_content\ne</path>
          <filename operation='pattern match'>.*.txt</filename>
        </file_object>
        <file_object id='oval:nist.validation:obj:3' version='1' xmlns='oval-definitions-5#windows'>
          <filepath operation='equals'>C:\scap_validation_content\e\1.txt</filepath>
        </file_object>
        <file_object id='oval:nist.validation:obj:4' version='1' xmlns='oval-definitions-5#windows'>
            <filepath operation='equals'>C:\scap_validation_content\e\Skeleton.exe</filepath>
          <!--<path operation="case insensitive equals">c:\scap_validation_content\e</path>
          <filename operation="case insensitive equals">Skeleton.exe</filename>-->
        </file_object>
        <file_object id='oval:nist.validation:obj:5' version='1' xmlns='oval-definitions-5#windows'>
          <filepath operation='pattern match'>^[Cc]:\\scap_validation_content\\.*\\Skeleton\.exe$</filepath>
        </file_object>
      </objects>
      <states>
        <file_state id='oval:nist.validation:ste:1' version='1' xmlns='oval-definitions-5#windows'>
          <path datatype='string' operation='equals'>C:\scap_validation_content\e\</path>
        </file_state>
      </states>
    </oval_definitions>
    

    system-characteristics.xml

    <?xml version="1.0" encoding="UTF-8" standalone="no" ?>
    <oval_system_characteristics >
      <generator>
        <oval:product_name>cpe:/a:mitre:ovaldi:5.10.1.1</oval:product_name>
        <oval:product_version>5.10.1 Build: 1</oval:product_version>
        <oval:schema_version>5.10.1</oval:schema_version>
        <oval:timestamp>2012-08-10T09:25:12</oval:timestamp>
        <vendor>The MITRE Corporation</vendor>
      </generator>
      <system_info>
        <os_name>unknown Professional Service Pack 1</os_name>
        <os_version>6.1.7601</os_version>
        <architecture>AMD64</architecture>
        <primary_host_name>work2</primary_host_name>
        <interfaces>
          <interface>
            <interface_name>Marvell Yukon 88E8056 PCI-E Gigabit Ethernet Controller</interface_name>
            <ip_address>192.168.1.132</ip_address>
            <mac_address>20-CF-30-00-71-40</mac_address>
          </interface>
          <interface>
            <interface_name>Cisco AnyConnect VPN Virtual Miniport Adapter for Windows x64</interface_name>
            <ip_address>172.16.97.200</ip_address>
            <mac_address>00-05-9A-3C-7A-00</mac_address>
          </interface>
          <interface>
            <interface_name>VMware Virtual Ethernet Adapter for VMnet1</interface_name>
            <ip_address>169.254.70.11</ip_address>
            <mac_address>00-50-56-C0-00-01</mac_address>
          </interface>
          <interface>
            <interface_name>VMware Virtual Ethernet Adapter for VMnet8</interface_name>
            <ip_address>192.168.204.1</ip_address>
            <mac_address>00-50-56-C0-00-08</mac_address>
          </interface>
        </interfaces>
      </system_info>
      <collected_objects>
        <object flag="error" id="oval:nist.validation:obj:1" version="1">
          <oval-sc:message level="fatal">(FileProbe) Unable to open a handle to the file 'C:\Windows\CSC\v2.0.6\namespace': Access is denied.</oval-sc:message>
        </object>
        <object flag="does not exist" id="oval:nist.validation:obj:2" version="1">
          <reference item_ref="1"/>
        </object>
        <object flag="complete" id="oval:nist.validation:obj:3" version="1">
          <reference item_ref="2"/>
        </object>
        <object flag="complete" id="oval:nist.validation:obj:4" version="1">
          <reference item_ref="3"/>
        </object>
        <object flag="error" id="oval:nist.validation:obj:5" version="1">
          <oval-sc:message level="fatal">(FileProbe) Unable to open a handle to the file 'C:\Windows\CSC\v2.0.6\namespace': Access is denied.</oval-sc:message>
        </object>
      </collected_objects>
      <system_data>
        <file_item id="1" status="does not exist" xmlns="oval-system-characteristics-5#windows">
          <path status="does not exist">C:\scap_validation_content\ne</path>
        </file_item>
        <file_item id="2" xmlns="oval-system-characteristics-5#windows">
          <oval-sc:message>(FileProbe) Unable to get ms_checksum information for the file: 'C:\scap_validation_content\e\1.txt'</oval-sc:message>
          <oval-sc:message>(FileProbe) No version information available for the file: 'C:\scap_validation_content\e\1.txt'</oval-sc:message>
          <filepath>C:\scap_validation_content\e\1.txt</filepath>
          <path>C:\scap_validation_content\e</path>
          <filename>1.txt</filename>
          <owner>BUILTIN\Administrators</owner>
          <size datatype="int">0</size>
          <a_time datatype="int">129890858491771804</a_time>
          <c_time datatype="int">129890858491771804</c_time>
          <m_time datatype="int">129890858491771804</m_time>
          <ms_checksum status="error"></ms_checksum>
          <version datatype="version" status="does not exist"></version>
          <type>FILE_TYPE_DISK</type>
          <development_class status="does not exist"></development_class>
          <company status="does not exist"></company>
          <internal_name status="does not exist"></internal_name>
          <language status="does not exist"></language>
          <original_filename status="does not exist"></original_filename>
          <product_name status="does not exist"></product_name>
          <product_version datatype="version" status="does not exist"></product_version>
        </file_item>
        <file_item id="3" xmlns="oval-system-characteristics-5#windows">
          <filepath>C:\scap_validation_content\e\Skeleton.exe</filepath>
          <path>C:\scap_validation_content\e</path>
          <filename>Skeleton.exe</filename>
          <owner>BUILTIN\Administrators</owner>
          <size datatype="int">9728</size>
          <a_time datatype="int">129538475400000000</a_time>
          <c_time datatype="int">129890858491811806</c_time>
          <m_time datatype="int">129538475400000000</m_time>
          <ms_checksum>17712</ms_checksum>
          <version datatype="version">1.0.0.1</version>
          <type>FILE_TYPE_DISK</type>
          <development_class>srv03_gdr</development_class>
          <company>G2, Inc</company>
          <internal_name>Skeleton.exe</internal_name>
          <language status="not collected"></language>
          <original_filename>Skeleton.exe</original_filename>
          <product_name>SCAP Validation Test Files</product_name>
          <product_version datatype="version">1.0.0.0</product_version>
        </file_item>
      </system_data>
    </oval_system_characteristics>
    

    directory listing

     Directory of c:\scap_validation_content
    08/10/2012  09:24 AM    <DIR>          .
    08/10/2012  09:24 AM    <DIR>          ..
    08/10/2012  09:24 AM    <DIR>          e
                   0 File(s)              0 bytes
     Directory of c:\scap_validation_content\e
    08/10/2012  09:24 AM    <DIR>          .
    08/10/2012  09:24 AM    <DIR>          ..
    08/10/2012  09:24 AM                 0 1.txt
    08/10/2012  09:24 AM                 0 2.txt
    06/29/2011  12:59 PM             9,728 Skeleton.exe
                   3 File(s)          9,728 bytes
    
     
  • Danny Haynes
    2012-08-13

    Hi Bill,

    Sorry, but I am going to dive into the weeds a bit on this one.  I think the reason that you are getting "access denied" errors is a combination of how the OVAL Interpreter evaluates regular expressions and the permissions of the files mentioned in the error message.  When the OVAL Interpreter evaluates a regular expression for files and registry keys, it will first check to see if the regular expression is anchored (i.e. starts with "^" and ends with "$").  If it isn't anchored, it will need to examine all files on the system and evaluate the regular expression against each file.  If it is anchored, it will try to optimize the search by checking for a constant portion (i.e. a part of the path that doesn't contain regular expression metacharacters).  For example, "C:\Windows\System32" would be the constant portion of the regular expression "^C:\Windows\System32\somefile+$" and that is where the OVAL Interpreter would start its search.  Both of the objects that are giving you errors use the regular expression "^[Cc]:\\scap_validation_content\\…".  When the OVAL Interpreter attempts to find a constant portion, it does not find one because the brackets around "Cc" represent regular expression metacharacters.  As a result, the OVAL Interpreter needs to examine all of the files on the system and evaluate the regular expression against them.  In doing so, when it attempts to collect the files in "C:\Windows\CSC\v2.0.6", it is being denied access, due to the permissions on your system, causing the OVAL Interpreter to report the error message that you are seeing.  For what it's worth, I can't access that directory on my system either.  I am not sure really what it is for.

    In any case, to test this theory, if you change your regular expression to "^C:\\scap_validation_content\\…" it should work because it will find the constant portion "C:\scap_validation_content\e" or "C:\scap_validation_content" and will not need to examine all of the files on the system and as a result will not see the file for which you were getting access denied error messages.

    Thanks,

    Danny
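The anchored-regex and constant-portion rule Danny describes above, modelled in Python as an added example (this is my own simplified model, not ovaldi's C++ code, and the rule that a component is "constant" only if it contains no regex metacharacter at all is an assumption). The patterns are the ones from Bill's obj:1 and obj:5 plus the `C:` rewrite Danny suggests; the file list is constructed so the script runs offline, and it includes the CSC path from the error message to show which patterns would ever touch it.

```python
import re
from typing import List, Optional

# Regex metacharacters, plus the escape character: a path component that
# contains any of these is not a plain literal string (assumption: ovaldi's
# real check may differ in detail).
REGEX_METACHARS = frozenset(".^$*+?{}[]|()\\")

# Patterns taken from the file_objects posted above, plus Danny's rewrite.
OBJ1_PATTERN = r"^[Cc]:\\scap_validation_content\\.*.txt"
OBJ5_PATTERN = r"^[Cc]:\\scap_validation_content\\.*\\Skeleton\.exe$"
OBJ5_REWRITTEN = r"^C:\\scap_validation_content\\.*\\Skeleton\.exe$"

# Constructed stand-in for the filesystem; not a real directory listing.
CONSTRUCTED_FS = [
    r"C:\scap_validation_content\e\1.txt",
    r"C:\scap_validation_content\e\2.txt",
    r"C:\scap_validation_content\e\Skeleton.exe",
    r"C:\Windows\CSC\v2.0.6\namespace",      # the path ovaldi could not open
    r"C:\Windows\System32\kernel32.dll",
]


def is_anchored(pattern: str) -> bool:
    """True when the pattern starts with '^' and ends with an unescaped '$'."""
    return (pattern.startswith("^") and pattern.endswith("$")
            and not pattern.endswith("\\$"))


def constant_prefix(pattern: str) -> Optional[str]:
    """Literal directory an anchored Windows filepath regex can be searched
    from, or None when the whole filesystem has to be walked.

    The pattern is split on the escaped separator '\\\\' (regex for one
    backslash) and leading components are accepted until the first one
    containing a metacharacter. The last component is never taken: it names
    a file, not a directory to start the search in.
    """
    if not is_anchored(pattern):
        return None
    components = pattern[1:-1].split("\\\\")
    literal: List[str] = []
    for comp in components[:-1]:
        if any(ch in REGEX_METACHARS for ch in comp):
            break
        literal.append(comp)
    return "\\".join(literal) if literal else None


def paths_examined(pattern: str, filesystem: List[str]) -> List[str]:
    """Paths the interpreter would have to open for this pattern: everything
    when there is no constant prefix, otherwise only paths under the prefix."""
    prefix = constant_prefix(pattern)
    if prefix is None:
        return list(filesystem)
    root = prefix.lower() + "\\"
    return [p for p in filesystem if p.lower().startswith(root)]


def matching_files(pattern: str, filesystem: List[str]) -> List[str]:
    """Files that actually match, out of those the walk examined."""
    regex = re.compile(pattern)
    return [p for p in paths_examined(pattern, filesystem) if regex.search(p)]


if __name__ == "__main__":
    for name, pat in [("obj:1 as posted", OBJ1_PATTERN),
                      ("obj:5 as posted", OBJ5_PATTERN),
                      ("obj:5 rewritten", OBJ5_REWRITTEN)]:
        print(f"{name}: prefix={constant_prefix(pat)!r}, "
              f"examined={len(paths_examined(pat, CONSTRUCTED_FS))}, "
              f"matched={matching_files(pat, CONSTRUCTED_FS)}")
```

Both forms of the obj:5 pattern match the same single file, but only the rewritten one yields the prefix `C:\scap_validation_content`, so only it leaves the `C:\Windows\CSC` path unopened. Note that under the anchoring rule as stated, obj:1's pattern as posted has no trailing `$`, so this model sends it to a full walk regardless of the brackets.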

     
  • Bill Lutton
    2012-08-13

    Thanks for your reply, Danny.  It makes clear why we are hitting that directory (and how to change the file object if it were mine to change).  However, given the file_objects and filesystem state as is, my question is two-fold.  Is it correct behavior in general for an access_denied error to abort the items collection and in particular is it correct behavior to abort item collection when the access_denied occurs for an item that doesn't match the (anchored but non-constant path prefix) regex given?
    Thanks,
    Bill L.

     
  • Danny Haynes
    2012-08-14

    Hi Bill,

    To answer your specific questions, the OVAL Language Specification does not specify one way or another how you should proceed (e.g. abort vs. continue) with item collection after an error has been encountered.  This is left as an implementation decision for the tool developer.

    The two major requirements are that a tool reports:

    1) A flag="error" for the object, in the collected_objects section (if applicable), when an error occurs that prevents the collection of items for the object.

    2) A status="error" for the item or specific item entity when an error occurs preventing the collection of the item or any of its entities.

    Please see "Section 5.2 Producing OVAL System Characteristics" of the OVAL Language Specification for more information.  The specification can be found at the following link.

    http://oval.mitre.org/language/version5.10.1/OVAL_Language_Specification_01-20-2012.pdf

    In the OVAL Interpreter, we try to follow these guidelines with regards to error handling.

    http://sourceforge.net/apps/mediawiki/ovaldi/index.php?title=Probe_Development#Error_Handling

    Please note that not all probes will necessarily follow these guidelines because some probes existed before we wrote them and may not have been updated yet to align with them.

    With that said, you could argue that a more elegant approach would be to continue collecting items since the file encountered doesn't match the regular expression.  However, since we develop the OVAL Interpreter as a reference implementation for the community, we feel that capabilities like this are outside the scope of our work.  It also leaves vendors with the opportunity to innovate and distinguish their products from other products.

    I hope this helps and let me know if you have any other questions.

    Thanks,

    Danny
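The two reporting requirements Danny lists (flag="error" on the object, status="error" on the item or entity) are the things a consumer of system-characteristics output should look for before trusting a definition result. As an added example that is not part of this thread, here is a small Python triage script that parses a constructed sample modelled on Bill's system-characteristics.xml (namespaces and most entities left out so it parses stand-alone; it is not ovaldi output) and reports both kinds of error, plus which of a test's referenced objects would leave the definition at "error" as in the run above.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample modelled on the collected_objects and system_data
# sections posted earlier in the thread; namespaces omitted, not ovaldi output.
SAMPLE_SC = r"""<oval_system_characteristics>
  <collected_objects>
    <object flag="error" id="oval:nist.validation:obj:1" version="1">
      <message level="fatal">(FileProbe) Unable to open a handle to the file 'C:\Windows\CSC\v2.0.6\namespace': Access is denied.</message>
    </object>
    <object flag="does not exist" id="oval:nist.validation:obj:2" version="1">
      <reference item_ref="1"/>
    </object>
    <object flag="complete" id="oval:nist.validation:obj:3" version="1">
      <reference item_ref="2"/>
    </object>
    <object flag="error" id="oval:nist.validation:obj:5" version="1">
      <message level="fatal">(FileProbe) Unable to open a handle to the file 'C:\Windows\CSC\v2.0.6\namespace': Access is denied.</message>
    </object>
  </collected_objects>
  <system_data>
    <file_item id="1" status="does not exist">
      <path status="does not exist">C:\scap_validation_content\ne</path>
    </file_item>
    <file_item id="2">
      <message>(FileProbe) Unable to get ms_checksum information for the file: 'C:\scap_validation_content\e\1.txt'</message>
      <filepath>C:\scap_validation_content\e\1.txt</filepath>
      <ms_checksum status="error"></ms_checksum>
      <version datatype="version" status="does not exist"></version>
    </file_item>
  </system_data>
</oval_system_characteristics>
"""


def object_errors(root: ET.Element) -> Dict[str, List[str]]:
    """Requirement 1: objects reported with flag="error", with their messages."""
    return {
        obj.get("id"): [m.text or "" for m in obj.findall("message")]
        for obj in root.iter("object")
        if obj.get("flag") == "error"
    }


def entity_errors(root: ET.Element) -> Dict[str, List[str]]:
    """Requirement 2: items whose own status, or any entity's status, is
    "error". Maps item id to the entity tags in error ("*" = the item itself)."""
    out: Dict[str, List[str]] = {}
    for item in root.find("system_data"):
        bad = ["*"] if item.get("status") == "error" else []
        bad += [child.tag for child in item if child.get("status") == "error"]
        if bad:
            out[item.get("id")] = bad
    return out


def error_report(sc_xml: str) -> dict:
    """Both requirements over one system-characteristics document."""
    root = ET.fromstring(sc_xml)
    return {"objects": object_errors(root), "items": entity_errors(root)}


def objects_blocking_definition(sc_xml: str, object_refs: List[str]) -> List[str]:
    """Which of a test's referenced objects carry flag="error"; any such object
    leaves the test, and the definition built on it, at result 'error'."""
    errs = object_errors(ET.fromstring(sc_xml))
    return [ref for ref in object_refs if ref in errs]


if __name__ == "__main__":
    report = error_report(SAMPLE_SC)
    for obj_id, msgs in report["objects"].items():
        print(f"object {obj_id}: flag=error")
        for msg in msgs:
            print(f"    {msg}")
    for item_id, tags in report["items"].items():
        print(f"item {item_id}: entities in error: {', '.join(tags)}")
    # tst:1 in the posted content references obj:1 only
    print("blocking tst:1:",
          objects_blocking_definition(SAMPLE_SC, ["oval:nist.validation:obj:1"]))
```

Real ovaldi output carries the `oval-sc` namespace on the message elements, so against an unmodified file the `findall("message")` and tag comparisons would need the namespaced names; the sample here follows Bill's posted copy, from which the namespaces were removed.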