OVAL-Community
Replies: 7 comments 5 replies
-
|
You were given the opportunity to comment on the proposed deprecated list and it is now too late in the game for us to be making allowance. If a vote is needed I vote no. |
Beta Was this translation helpful? Give feedback.
-
|
I'll second what @snodgrassb said. My only thought, Is there any current publicly available content using these checks that we all missed and didn't know about? |
Beta Was this translation helpful? Give feedback.
-
|
If they are using those, I believe we need some examples how they are using it and get them more involved with the language updates, not that they need to be in the meetings or be part of the board, but at least following the discussions and progress here. I know they had the opportunity to interact before and avoid this situation, but maybe it wasn't clear that this is now the de-facto place for OVAL discussions. |
Beta Was this translation helpful? Give feedback.
-
|
That's a good point about not knowing this is the de-facto place. I only found it due to emailing @vanderpol and him pointing me in the direction of all of this. |
Beta Was this translation helpful? Give feedback.
-
|
FWIW, SECPOD has been on every email correspondence that I've sent out since taking over the board back in August, and in numerous meeting presentations, we have pointed everyone to this forum. They were also on the 09/23/2024 email which had a spreadsheet of tests that are used in publicly available content. I'd like to second @dodys to say we need to see some example content, proving 'current' usage, which is what I was illuding to specifically in my original post. Several tests are obsolete, and others like 'metabase' have never been used to my knowledge, which puts the entire list as suspect. At this point, the tests still function in 5.12, just deprecated. They have been removed from 6.0, and unless we hear very soon from SECPOD, they will remain removed, and can be added back in for OVAL 6.1 IMHO. I'm not opposed to adding tests back, but only those with proven, valid, current content, otherwise it's just like going back to 5.11 all over again. |
Beta Was this translation helpful? Give feedback.
-
|
I'm curious to know, if these are used in Secpod content, why they weren't included in the inventory of tests in use that was provided by @maxullman. |
Beta Was this translation helpful? Give feedback.
-
|
@solind when I generated our list I included the secpod content we run, so I'm guessing those are in bundles we don't use. |
Beta Was this translation helpful? Give feedback.
-
|
Thank you for looking into it, the 3 probes that you raised we reviewed them again and are ok with two of them being deprecated since they have been in use in older content (Windows 7 or older).
I do have some confusions around the 3rd test, you mentioned that they were already deprecated in 5.11 https://github.com/OVALProject/Language/blob/5.11.2/docs/solaris-definitions-schema.md I am not sure if we need to look elsewhere. W.r.t the other probes that we are using can you let me know what is the expectation from SecPod? |
Beta Was this translation helpful? Give feedback.
-
|
@Pooja-SecPod thanks for the response, and confirmation that the 2 windows tests are not needed. Our goal with OVAL 6 is to make it as streamlined as possible, with hope for more application developers joining the mix. With regards to the Solaris package tests, I'll blame the flu for my incorrect response :) I forgot that this was an exception to the norm, where a later version didn't deprecate the previous version. Also along those lines, as OVAL 6, likely won't get adopted until 2026 by most vendors, and Solaris 10 goes (finally) EOL in January 2027, I'll still be the question of, should OVAL6 support the solaris 'package' test? For the remaining tests, if you are able to share a small sample definition for each, along with the date that it was last modified, and what OS it's used on, that would be great. We want to have OVAL6 be as capable as possible, while as lightweight as possible as well. |
Beta Was this translation helpful? Give feedback.
-
|
Thank you for responding. Yes we would need support for package test since we do have customers who use Solaris 10 and may not migrate to later versions unless it has reached EOL. We would need to continue to flag vulnerability for them till they decide on moving to Solaris 11 or higher. W.r.t the other probes I am attaching a list of samples for the other probes that we requested for continued support. I haven't mentioned any dates separately since the OVAL itself has creation and modification dates. |
Beta Was this translation helpful? Give feedback.
-
|
Thanks for the confirmation, and sample content @Pooja-SecPod, I think we can bring back the 6 OVAL tests which align with your sample content for OVAL 6.0, and we'll have to discuss with the OVAL board if un-deprecating them in OVAL 5.13 or 5.12.1 is warranted. |
Beta Was this translation helpful? Give feedback.
-
|
FYI, the UNIX interface test was not deprecated, so the only tests to be added back are the AIX interim fix, os_level, and Solaris patch54, package and package511, you can see the pull request for this change at #226 |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
Uh oh!
There was an error while loading. Please reload this page.
-
Email from SECPOD:
Hi All,
I am attaching the list of probes that we are currently using and has been marked as deprecated in 5.12. Please let us know if there are alternatives, if not, can you please retain the same.
Regards
Pooja (SECPOD)
End email from SECPOD:
With regards to the specific tests in question, I do have a few questions to help clarify the need, please see below:
1 Windows: auditeventpolicy_test
Comment: Deprecated without replacement
Feedback: We haven't seen any content using this test since back in the SCAP 1.0 (OVAL 5.3 days), all content for the past decade that we have been using the auditeventsubcategories test. If you have a use case for the old auditeventpolicy test, I'm curious what it is. If you could share some test content that would be great. What Windows OS version(s) are using this content?
Response from SECPOD required.
2 Windows/UNIX interface_test
Comment: Is it deprecated for Unix ? Same probe for Windows is deprecated without any replacement. If we click on Unix link it redirects to Windows documentation. The test is used by us in our unix feed.
Feedback: Both the UNIX and Windows interface tests have been deprecated in 5.12 and removed in 6.0, the documentation cross wiring is a weird issue with readthedocs that I thought I had fixed for all relevant tests with same names from UNIX to Windows, I'll fix the documentation soon. Undeprecate in 5.13 and/or add back to 6.0 if content is still in use.
3 AIX: interim_fix_test
Comment: Deprecated without replacement
Feedback: Undeprecate in 5.13 and/or add back to 6.0 if content is still in use.
4. Windows: metabase_test
Comment: Deprecated without replacement
Feedback: I would like to see some sample content from this test, we created the Windows OVAL 5.12 appcmd and appcmdlistconfig tests in order to adequately test current versions of IIS on Windows. My vague recollection on the metabase test was that it was lacking some details years ago, and potentially linked to an old/obsolete version of IIS, but I might be mistaken. What OS/IIS version is your content checking against? What tool supports metabase?
Response from SECPOD required.
5 AIX: oslevel_test
Comment: Deprecated without replacement
Feedback: Undeprecate in 5.13 and/or add back to 6.0 if content is still in use.
6 Solaris: package511_test
Comment: Deprecated without replacement
Feedback: Undeprecate in 5.13 and/or add back to 6.0 if content is still in use.
7. Solaris: package_test
Comment: Deprecated without replacement
Feedback: Given that this was deprecated in OVAL 5.11, replaced by the package511 test, can old package content be upgraded to package511 test?
Response from SECPOD required.
8 Solaris: patch54_test
Comment: Deprecated without replacement
Feedback: Undeprecate in 5.13 and/or add back to 6.0 if content is still in use.
9. Windows: serviceeffectiverights_test
Comment: Deprecated without replacement
Feedback: Undeprecate in 5.13 and/or add back to 6.0 if content is still in use.
Beta Was this translation helpful? Give feedback.
All reactions