Filter by service_name in xinetd test in unix does not work

Help
2013-07-08
2013-07-15
  • Alejandro Galindo

    Hello everyone,

    I am writing to ask a question about a test that I am creating now. I am trying to check whether a system with SUSE 11 installed has the sshd service disabled using the TCP protocol. To do this, my test contains the following xinetd_object and xinetd_state:

    <unix-def:xinetd_object id="oval:suse:obj:5" version="1" comment="sshd service">
      <unix-def:protocol>tcp</unix-def:protocol>
      <unix-def:service_name>sshd</unix-def:service_name>
    </unix-def:xinetd_object>
    
    <unix-def:xinetd_state id="oval:suse:ste:5" version="1" comment="Disabled service">
      <unix-def:disabled datatype="boolean">true</unix-def:disabled>
    </unix-def:xinetd_state>
    

    When I evaluate the OVAL definition with ovaldi (OVAL interpreter), the result is always true, that is, the sshd service is disabled or not running. But I can verify with the command "netstat -tulpn" that the sshd service is running and listening on port 22 (TCP).

    Can someone throw some light on this issue? Is my OVAL definition written incorrectly?

    Thanks,

    Alejandro Galindo.

     
  • Danny Haynes

    Danny Haynes - 2013-07-08

    Hi Alejandro,

    Can you please attach your OVAL Results document?

    Thanks,

    Danny

     
  • Michael Chisholm

    I think you may not be judging ovaldi's correctness correctly. The xinetd test checks the configuration of xinetd, which is done via config files. You can start up any service you want, directly or in some way other than xinetd, and the 'netstat' tool will pick it up, but that has no bearing on its configuration in xinetd.

    To tell whether ovaldi is doing the right thing on your system, check the xinetd config files: /etc/xinetd.conf and /etc/xinetd.d/*. You can also run 'man xinetd.conf' to get more info about xinetd config files. If it's not doing the right thing, let us know.

    If you aren't interested in xinetd specifically, you might try the runlevel test, which tests service configuration at particular runlevels. There's also an inetlisteningservers test in the linux schema, which checks existing network connections/server sockets.

    You might think about what it means for a service to be "disabled" on your system, and use that to decide which test is most suited to the purpose. If none are, you're welcome to suggest new tests on the OVAL developer list [1].

    Andy

    1. http://oval.mitre.org/community/registration.html
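The reply above draws a distinction that the original question blurred: the xinetd test reads xinetd's configuration files, while netstat reports sockets that are actually open, and the two can disagree. The following POSIX shell script is an added example written for this thread; it is not code from ovaldi or from either poster. It builds a constructed xinetd config tree in a temporary directory, answers the question "is service X on protocol Y disabled in xinetd?" the way the xinetd_object (service_name plus protocol) frames it, and separately parses constructed "netstat -tulpn" style output to answer "is anything listening on this port?". The function names, the sample stanzas and the netstat lines are all assumptions made for the example.

```shell
#!/bin/sh
# Added example for the OVAL xinetd-vs-netstat discussion; not from the thread.
# Shows that "disabled in xinetd" and "listening socket present" are answered
# from different evidence. Sample config and netstat output are constructed.
set -eu

# Build a constructed xinetd config tree (xinetd.conf plus xinetd.d/) and
# print the directory that holds it.
make_sample_xinetd_config() {
    cfg=$(mktemp -d)
    cat > "$cfg/xinetd.conf" <<'EOF'
defaults
{
        log_type    = SYSLOG daemon info
}
EOF
    mkdir "$cfg/xinetd.d"
    cat > "$cfg/xinetd.d/telnet" <<'EOF'
service telnet
{
        socket_type  = stream
        protocol     = tcp
        wait         = no
        user         = root
        server       = /usr/sbin/in.telnetd
        disable      = yes
}
EOF
    cat > "$cfg/xinetd.d/echo-stream" <<'EOF'
service echo
{
        type         = INTERNAL
        id           = echo-stream
        socket_type  = stream
        protocol     = tcp
        wait         = no
        disable      = no
}
EOF
    printf '%s\n' "$cfg"
}

# $1 = config dir, $2 = service name, $3 = protocol (tcp|udp).
# Prints "disabled", "enabled" or "absent". Like the xinetd_object in the
# thread, a service is identified by service_name AND protocol. Only the
# per-service "disable" attribute is honoured (default "no" when absent).
xinetd_service_state() {
    awk -v svc="$2" -v proto="$3" '
        { gsub(/[[:space:]]*=[[:space:]]*/, " = ") }   # normalise "key=value" spacing
        $1 == "service" { in_svc = ($2 == svc); disable = "no"; p = ""; next }
        in_svc && $1 == "disable"  { disable = $3 }
        in_svc && $1 == "protocol" { p = $3 }
        in_svc && $1 == "}" {
            if (p == proto) {
                found = 1
                print ((disable == "yes") ? "disabled" : "enabled")
                exit
            }
            in_svc = 0
        }
        END { if (!found) print "absent" }
    ' "$1/xinetd.conf" "$1"/xinetd.d/*
}

# Constructed "netstat -tulpn" output: sshd is listening on tcp/22 even though
# no sshd stanza exists in the xinetd config above.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1234/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1300/master
udp        0      0 0.0.0.0:68              0.0.0.0:*                           900/dhclient'

# $1 = protocol (tcp|udp), $2 = port; reads netstat-style lines on stdin.
# Exit status 0 when a matching socket is present. UDP rows have no State
# column, so LISTEN is only required for TCP rows.
socket_listening() {
    awk -v proto="$1" -v port="$2" '
        $1 == proto {
            p = $4; sub(/.*:/, "", p)
            if (p == port && (proto == "udp" || $6 == "LISTEN")) found = 1
        }
        END { exit (found ? 0 : 1) }
    '
}

# Demonstration: the two views of the same host disagree about sshd.
demo_dir=$(make_sample_xinetd_config)
echo "xinetd view of telnet/tcp: $(xinetd_service_state "$demo_dir" telnet tcp)"
echo "xinetd view of sshd/tcp:   $(xinetd_service_state "$demo_dir" sshd tcp)"
if printf '%s\n' "$SAMPLE_NETSTAT" | socket_listening tcp 22; then
    echo "netstat view: a daemon (sshd) is listening on tcp/22, outside xinetd"
fi
rm -rf "$demo_dir"
```

The "absent" result for sshd is the same situation the original poster hit: an xinetd_object for a service that xinetd does not manage collects no items, so a state cannot contradict it, regardless of what netstat shows. Real xinetd also honours `disabled =` and `enabled =` lists in the `defaults` block and per-service `id` attributes; this example deliberately covers only the per-service `disable` attribute that the thread's xinetd_state tests.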
     
  • Alejandro Galindo

    Thank you very much for your help. Xinetd was not really what I needed to check if a service is enabled. Finally, I have used the inetlisteningservers test. The content of my OVAL definition file is the following:

    <?xml version="1.0" encoding="UTF-8"?>
    <oval_definitions
        xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5"
        xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5"
        xmlns:unix-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"
        xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd
                            http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd
                            http://oval.mitre.org/XMLSchema/oval-definitions-5#unix unix-definitions-schema.xsd">
    
      <generator>
        <oval:product_name>Enhanced SCAP Content Editor (eSCAPe)</oval:product_name>
        <oval:product_version>1.2.2</oval:product_version>
        <oval:schema_version>5.10</oval:schema_version>
        <oval:timestamp>2013-05-29T05:37:56</oval:timestamp>
      </generator>
    
      <definitions>
        <definition id="oval:suse:def:5" version="1" class="compliance">
          <metadata>
            <title>Telnet service should be disabled</title>
            <affected family="unix">
              <platform>openSUSE 10.2</platform>
              <platform>openSUSE Factory</platform>
              <platform>SUSE Linux 10.0</platform>
              <platform>SUSE Linux 10.1</platform>
              <platform>SUSE Linux Desktop 1.0</platform>
              <platform>SUSE Linux Enterprise Desktop 10</platform>
              <platform>SUSE Linux Enterprise Server 10</platform>
              <platform>SUSE Linux Enterprise Server 9</platform>
              <platform>SUSE Linux Professional 9.3</platform>
            </affected>
            <description>Check if telnet service is disabled</description>
          </metadata>
          <criteria operator="AND">
            <criterion test_ref="oval:suse:tst:5" comment="Check if telnet service is stopped" />
          </criteria>
        </definition>
      </definitions>
    
      <tests>
        <unix-def:runlevel_test id="oval:suse:tst:5" version="1" check_existence="none_exist" check="all" comment="Is telnet service stopped?">
          <unix-def:object object_ref="oval:suse:obj:5" />
        </unix-def:runlevel_test>
      </tests>
    
      <objects>
        <unix-def:runlevel_object id="oval:suse:obj:5" version="1" comment="Telnet service">
          <unix-def:service_name>telnet</unix-def:service_name>
          <!-- The value is a regular expression, so it needs operation="pattern match";
               the default operation is "equals", which would compare the runlevel
               literally against the string "^([0-6sS])$" and never match. -->
          <unix-def:runlevel operation="pattern match">^([0-6sS])$</unix-def:runlevel>
        </unix-def:runlevel_object>
      </objects>
    
    </oval_definitions>
    

    Regards,

    Alejandro.

     
