Changes in the 1-2.0.3.0-Errata [since version 1-2.0.3.0 Final Release]
Release date: 12/07/2015

1. Corrected the expected result for the XCCDF rules xccdf_gov.nist_rule_user_test-34 and xccdf_gov.nist_rule_user_test-36 on Windows XP, Vista, and 7 only on Configuration 2.

    Expected results list:
    XCCDF rule ID                    | Expected result Config 1 | Expected result Config 2
    xccdf_gov.nist_rule_user_test-34 | Pass                     | Pass
    xccdf_gov.nist_rule_user_test-36 | Pass                     | Pass

    Updated files:
    - win_user_test\catalog.xml for Windows discrete data stream
    - win_user_test\docs\Validation Content - User Test.xls
    - catalog.xml for Windows consolidated data stream

###############################################################################
###############################################################################
###############################################################################

Changes in the 1-2.0.3.0 Final Release [since version 1-2.0.3.0 rc1]
Release date: 03/09/2015

1. [Issue #280] Possible conflict between check_existence = 'at_least_one_exists' and check='none exist'
    Fix: the following values check_existence = 'at_least_one_exists' and check='none exist' were changed to check_existence = 'none_exist' and check='none exist' to match the constructs used in Tier III repository.

2. Updated the timestamp and data streams version to 1-2.0.3.0

Changes in the 1-2.0.3.0 Release Candidate 1 [since version 1-2.0.2.0]
Release date: 02/03/2015

1. [Issue #260] Incorrect comments for multiple registry_registry, win_regkey_effective_rights_test, and win_regkey_effective_rights_53_test tests
    Fix:
    - updated metadata associated with windows registry test.
    - updated metadata associated with windows regkeyeffectiverights test.
    - updated metadata associated with windows regkeyeffectiverights53 test.

2. [Issue #261] Clarification about expected results when assessing the benchmark with id="xccdf_gov.nist_benchmark_r1200-2"
    Fix:
    - updated the rules for benchmark with id="xccdf_gov.nist_benchmark_r1200-2" and
    - added clarification about the expected results when scanning this benchmark.

3. [Issue #264] Discrepancy between the "Validation Content - User Test.xls" and OVAL tst:10 for the user_test
    Description: According to the "Validation Content - User Test.xls", the test "oval:nist.validation.winUser:tst:10" is supposed to verify whether the tested product properly supports the check_existence property with value = only_one_exist. However, tst:10 has check_existence="at_least_one_exists".
    Fix:
    - updated the check_existence property for tst:10 and changed the referenced object to obj:1.

4. [Issue #263] The OVAL win_user tests don't have comments and expected results (metadata element)
    Fix:
    - added comments and expected results for all the user_test tests.
    - changed the expected result for the following rules 38-43 to "notselected".

5. [Issue #255] Improvements to process58_test\oval:nist.validation.unixProcess58:tst:103
    Description: the test oval:nist.validation.unixProcess58:tst:103 works as expected, but the pattern match used by its state (oval:nist.validation.unixProcess58:ste:83) was improved by removing the capturing group. The capturing group is not necessary to perform the test.
    Fix:
    - removed the capturing group for the OVAL state oval:nist.validation.unixProcess58:ste:83.

6. [Issue #159] Some win_sid_sid_test and win_sid_test tests have incorrect metadata (title, description, comments)
    Fix: updated the metadata for the affected entities.

7. [Issue #265] The rules xccdf_gov.nist_rule_xccdf_gov.nist.validation.winSidSid_rule_10 and 16 are selected in the discrete data stream (win_sid_sid_test-datastream.xml), but they are not selected in the combined data stream for Windows.
    Fix:
    - enabled the rules rule_10 and 16 in the profile 1 of the consolidated data stream
    - updated the referenced OVAL definitions (oval:nist.validation.winSidSid:def:10 and oval:nist.validation.winSidSid:def:16) to match the settings specified in the Validation Content - SID SID Test.xls.

8. [Issue #262] Possible mismatched results for oval:nist.validation.winSid:tst:5 and oval:nist.validation.winSid:tst:11
    Enhancements:
    - updated the tests oval:nist.validation.winSid:tst:5 and oval:nist.validation.winSid:tst:11 to return the expected results for standalone or domain machines.

9. [Issue #266] The oval:nist.validation.r1900:def:2 returns "true" if IE 11 is installed.
    Fix:
    - replaced version "11.0.0.0" with "110.0.0.0" for oval:nist.validation.r1900:tst:2.

10. Some of the expected results for USGCB-Major-Version-2.0.0.0\IE7 content were not correct.
    Fix:
    - updated the expected results for multiple rules (USGCB-expected-results\USGCB-Major-Version-2.0.0.0\IE7\catalog-ie7.xml)

11. [Issue #274] The oval:nist.validation.unixUname:ste:66 was inadvertently removed from oval:nist.validation.unixUname:tst:52 of the consolidated DS.
    Fix:
    - added oval:nist.validation.unixUname:ste:66 to the test oval:nist.validation.unixUname:tst:52 and bumped the version to 3.
    - updated the version of oval:nist.validation.unixUname:tst:3 to 3 to match the version from the discrete data stream.

12. [Issue #275] The value of the state oval:nist.validation.unixUname:ste:53 does not match the Excel spreadsheet:
    The value specified in Validation_Content - Uname test.xls is "X86_64", but the state's value is "x86_64".
    Fix:
    - replaced "x86_64" with "X86_64" for oval:nist.validation.unixUname:ste:53

13. [Issue #271] According to the OVAL Windows definition schema, the user_state\group property should be identified as follows:
    "In a domain environment, groups should be identified in the form: 'domain\group name'. For local groups use: 'computer name\group name'."
    The following tests\states don't have the local group in the format "computer name\group name":
    - oval:nist.validation.winUser:tst:33\oval:nist.validation.winUser:ste:33
    - oval:nist.validation.winUser:tst:35\oval:nist.validation.winUser:ste:35
    Affected rules for configuration 1: xccdf_gov.nist_rule_user_test-33 and xccdf_gov.nist_rule_user_test-35
    Fix:
    - added the computer name to the group property for the states 33 and 35.
    Note: ovaldi 5.10.1 Build: 7 does not include the computer name result for the collected items (https://sourceforge.net/p/ovaldi/bugs/262/)

14. [Issue #261] Clarification about expected results when assessing the benchmark with id="xccdf_gov.nist_benchmark_r1800-2"
    Fix: updated the rules for benchmark with id="xccdf_gov.nist_benchmark_r1800-2" and added clarification about the expected results when scanning this benchmark.

15. [Issue #260] Missing catalogs with expected results for R1200 and R1800 data streams
    Fix: Added catalog.xml files with expected results for r1200-datastream.xml and r1800-ocil-datastream.xml data streams.

16. [Issue #247] The expected results included in the metadata element of the OVAL textFileContent test might be incorrect for configuration 3.
    The textFileContent definitions include expected results for configuration 3, which does not exist for this test.
    Fix: removed configuration 3 from the expected results included in the OVAL definitions and made sure they match the Excel spreadsheet.

17. [Issue #246] Possible issue with the following filehash tests: 41, 42, 51, and 52.
    These four tests use a case-sensitive comparison in the content (all the letters in the expected md5 are in lower case), but the specification allows upper-case characters for the MD5 property.
    Fix:
    - updated the following tests to correct a possible issue with case sensitivity for hash value:
      oval:nist.validation.filehash:tst:41
      oval:nist.validation.filehash:tst:42
      oval:nist.validation.filehash:tst:45
      oval:nist.validation.filehash:tst:51
      oval:nist.validation.filehash:tst:52
      oval:nist.validation.filehash:tst:55
      oval:nist.validation.linux_filehash:tst:41
      oval:nist.validation.linux_filehash:tst:42
      oval:nist.validation.linux_filehash:tst:45
      oval:nist.validation.linux_filehash:tst:51
      oval:nist.validation.linux_filehash:tst:52
      oval:nist.validation.linux_filehash:tst:55

18. [Issue #266] Enhanced the following filehash tests to use upper and lower case values.
      oval:nist.validation.filehash:tst:43
      oval:nist.validation.filehash:tst:44
      oval:nist.validation.filehash:tst:53
      oval:nist.validation.filehash:tst:54
      oval:nist.validation.linux_filehash:tst:43
      oval:nist.validation.linux_filehash:tst:44
      oval:nist.validation.linux_filehash:tst:53
      oval:nist.validation.linux_filehash:tst:54

19. [Issue #54] Updated the readme.txt file for the independent tests to specify the applicability platform.

20. [Issue #92] Incorrect title and description for environmentvariable_test and environmentvariable58_test: tst:11 to tst:20.
    Fix:
    - updated the title and descriptions for the affected rules and tests.

21. [Issue #269] Missing configuration script for Process58 test on RHEL
    Fix:
    - updated the 'Configuration' workbook of the “Validation Content - Unix Process58 Test.xls” with the required configuration.
    - created a configuration script to set the priority for the process with PID 1 to 15.

22. [Issue #244] Multiple DSes point to the draft schema (scap-source-data-stream_1.2-draft.xsd) for the xsi:schemaLocation
    Fix:
    - updated the following files to use scap-source-data-stream_1.2.xsd schema:
      - unix_runlevel_test-datastream.xml
      - unix_inetd_test-datastream.xml
      - linux_ind_file_hash_test-datastream.xml
      - unix_shadow_test-datastream.xml
      - linux_ind_text_file_content_test-datastream.xml

23. [Issue #245] The values for the expected_results\result element of the oval:nist.validation.filehash:def:8 do not match the values from the catalog.xml.
    Affected data stream: Windows-datastream.xml
    Fix:
    - updated the expected results for the OVAL definition with id="oval:nist.validation.filehash:def:8" to match the values from the catalog.xml.
    Note: This was just a documentation update and it does not modify the effective results.

23. [Issue #275] Possible issue with xccdf_gov.nist_rule_xccdf_gov.nist.validation.variable_rule_10
    The oval:nist.validation.variable:def:10 may be evaluated to false if the boolean value of "true" is changed to "1" when the data set is created.
    Fix:
    - updated the oval:nist.validation.variable:obj:1 to prevent this possible issue.

24. [Issue #276] The @style attribute is set to "SCAP_1.1" instead of "SCAP_1.0" (affected file: r1100-xccdf.xml)
    Fix:
    - changed the value of @style attribute to "SCAP_1.0".

25. [Issue #278] The following tests were changed to "notselected":
      fileauditedpermissions_test
      fileeffectiverights_test
      regkeyeffectiverights_test
    Note: these tests were deprecated in OVAL 5.3 and are not used in tier III or IV content.

###############################################################################
###############################################################################
###############################################################################

Changes in the 1-2.0.2.0 Final Release [since version 1-2.0.2.0-rc1 - 02/10/2013]
Release date: 03/11/2014

1. [Issue #232] The Linux partition test does not support /dev/vda devices
    Fix: updated oval:nist.validation.linuxPartition:tst:35 to support /dev/vda devices.

2. [Issue #238] The spreadsheet expects results for the following commented rules xccdf_gov.nist_rule_user_test-38 to 43.
    Fix: Changed the expected result in spreadsheet to N/A.

3. [Issue #245] Incorrect value for oval:nist.validation.winProcess58:ste:58 and ste:64
    The property current_dir is defined as “The current_dir entity represents the current path to the executable file for the process.”. The path to smss.exe is c:\Windows\System32.
    Fix for oval:nist.validation.winProcess58:ste:58:
      replaced: "c:\wInDoWs\"
      with: "c:\wInDoWs"
    Fix for oval:nist.validation.winProcess58:ste:64:
      replaced: "c:\wInDoWs\"
      with: "c:\wInDoWs\SyStEm32"

4. [Issue #246] The xccdf_gov.nist_rule_serelabelprivilege-with-equals-operation-111 is missing the xccdf:platform element
    The following rule needs the "#platform_not_winxp" platform check added since this user right doesn't exist on Windows XP:
      xccdf_gov.nist_rule_serelabelprivilege-with-equals-operation-111
    The platform was available in the discrete data stream (win_access_token_test-datastream.xml), but not in the consolidated DS for Windows.
    Fix: added "#platform_not_winxp" to the affected rule in the consolidated DS for Windows.

5. [Issue #247] Configuration guidance for xccdf_gov.nist_rule_xccdf_gov.nist.validation.winUserSid_rule_15
    If more than one user account is disabled, then this rule will fail (and not match the expected result). It passes if only one user account is disabled.
    Fix: Updated configuration section from “Validation Content - User SID Test.xls” to specify that only one account must be disabled.

6. [Issue #248] Possible side effects when "Bypass Traverse Checking" does not include "Everyone"
    This might have bad implications on XP (causes WMI and DCOM issues, "Network Connections" becomes blank, etc.).
    Fix: added the "Everyone" group to the user right SeChangeNotifyPrivilege for: user_rightspolicy_config_1.inf, user_rightspolicy_config_2.inf, and user_rightspolicy_config_3.inf

7. [Issue #167] HKCU\System is not available as default on Windows XP.
    According to Microsoft article http://support.microsoft.com/kb/310595, the HKCU\System is not available as default on Windows XP systems.
    Affected tests: win_regkey_effective_rights_53_test and win_regkey_effective_rights_test (oval:nist.validation.winRegistryEffectiveRights53:tst:21 and oval:nist.validation.winRegistryEffectiveRights:tst:21)
    Fix: updated the OVAL objects oval:nist.validation.winRegistryEffectiveRights53:obj:4 and oval:nist.validation.winRegistryEffectiveRights:obj:4 to use "HKEY_CURRENT_USER\Software" instead of "HKEY_CURRENT_USER\System"

8. [Issue #243] Case sensitivity issues with win_file_auditedpermissons test
    The collection for this content is done using a path with a lower-case path component, but state comparisons expect the path to be treated as a case-sensitive string and match with an upper-case path component.
    Fix: updated objects oval:nist.validation.winFileAuditPermission:obj:1 through 5 to use an upper-case letter "C" for the path.

9. [Issue #243] Case sensitivity issues with win_file_test
    The documentation (Validation Content - File Test.xls) for this test specifies a lower-case letter "c" for the paths, but the content uses an upper-case letter "C".
    Fix: updated the documentation to match the content.

10. Improved installation instructions for the cmdlet test (win_cmdlet_test\docs\README.txt).

11. [Issue #251] Inconsistent result for winCmdlet_test def:120
    Fix: updated the oval:nist.validation.winCmdlet:obj:6 to select the 'length' object.

12. [Issue #217] The space_left entity should record the free blocks in fs (f_bfree) instead of the free blocks avail to non-superuser (f_bavail)
    Fix: updated the following OVAL tests to support both values (f_bfree and f_bavail):
    - oval:nist.validation.linuxPartition:tst:95
    - oval:nist.validation.linuxPartition:tst:99
    - oval:nist.validation.linuxPartition:tst:102

13. Updated "Validation Content - Ind Environment Variable 58 Test.xls" and catalog.xml (discrete version) to include the expected results for a remote scanner.

14. [Issue #252] The expected result included in metadata section of oval:nist.validation.winFile:def:7 is incorrect.
    Fix: corrected the expected result for oval:nist.validation.winFile:def:7 (OVAL metadata section only).
    Note: the expected result from the catalog.xml and spreadsheet was correct.

15. [Issue #252] Some of the expected results from metadata section of the OVAL definitions for access_token_test don't match the spreadsheet.
    Fix: updated the results from OVAL definitions to match the spreadsheet.

16. [Issue #183] Duplicate IDs used in multiple data streams: r500-datastream.xml, r700-datastream.xml, and r800-datastream.xml - runlevel_object
    Fix: updated the R500 and R700 data streams to use unique IDs.

17. [Issue #233] The expected results for R1100 SCAP 1.0 data stream don't match the actual results.
    Fix:
    - updated the XCCDF and OVAL content to match the expected results from the spreadsheet and catalog.xml.
    - created a new catalog.xml file
    - updated the spreadsheet

###############################################################################
###############################################################################
###############################################################################

Changes in the 1-2.0.2.0-rc1 release [since version 1-2.0.1.0 - 08/07/2013]
Release date: 02/10/2014

1. [Issue #118] Incorrect pattern match in OVAL state oval:nist.validation.xmlFileContent:ste:23
    The oval:nist.validation.xmlFileContent:ste:23 uses “\i” (XML shorthand character classes) which is not supported by Perl regular expressions.
    Fix: corrected the pattern match for oval:nist.validation.xmlFileContent:ste:23
      replaced "C:\scap_validation_content\ind_xml\\e"
      with "C:\scap_validation_content\\ind_xml\\e"

2. [Issue #119] Incorrect pattern match in OVAL state oval:nist.validation.linux_xmlFileContent:ste:23
    The oval:nist.validation.linux_xmlFileContent:ste:23 uses “\i” (XML shorthand character classes) which is not supported by Perl regular expressions.
    Fix: corrected the pattern match for oval:nist.validation.xmlFileContent:ste:23:
      replaced "/\scap_validation_content/\ind_xml/e"
      with "/\scap_validation_content/\\ind_xml/e"

3. [Issue #120] Incorrect pattern match in OVAL state oval:nist.validation.xmlFileContent:ste:14
    The oval:nist.validation.xmlFileContent:ste:14 uses “\i” (XML shorthand character classes) which is not supported by Perl regular expressions.
    Fix: corrected oval:nist.validation.xmlFileContent:ste:14 regex:
      replaced "C:\scap_validation_content\ind_xml\\e\\\d\.xml"
      with "C:\scap_validation_content\\ind_xml\\e\\\d\.xml"

4. [Issue #121] Incorrect pattern match in OVAL state oval:nist.validation.linux_xmlFileContent:ste:14
    The oval:nist.validation.linux_xmlFileContent:ste:14 uses “\i” (XML shorthand character classes) which is not supported by Perl regular expressions.
    Fix: corrected oval:nist.validation.xmlFileContent:ste:23 regex:
      replaced "/\scap_validation_content/\ind_xml/e/\d\.xml"
      with "/\scap_validation_content/\\ind_xml/e/\d\.xml"

5. [Issue #122] Unknown result for xccdf_gov.nist.validation.winCmdlet_rule_13 and xccdf_gov.nist.validation.winCmdlet_rule_18
    Fix: unselected the following rules: xccdf_gov.nist.validation.winCmdlet_rule_13 and xccdf_gov.nist.validation.winCmdlet_rule_18
    The OVAL specification does not clearly specify how to process the entity_check="none exist".
    Please see: http://making-security-measurable.1364806.n2.nabble.com/OVAL-state-evaluation-with-entity-check-quot-none-exist-quot-tc7580011.html

6. [Issue #123] The xccdf_gov.nist.validation.winWmi_rule_4 is not selected
    The xccdf_gov.nist.validation.winWmi_rule_4 tests the check_existance="NONE_EXIST" and it should be selected.
    Known issues: ovaldi 5.10.1.5 does not support the tst:4
    Please see:
      http://sourceforge.net/p/ovaldi/bugs/237/
      http://making-security-measurable.1364806.n2.nabble.com/Possible-ovaldi-bug-in-check-check-existence-evaluation-tc7579424.html
    Fix: selected the rule xccdf_gov.nist.validation.winWmi_rule_4

7. [Issue #124] Unknown result for xccdf_gov.nist.validation.winWmi_rule_18
    Fix: unselected the following rule: xccdf_gov.nist.validation.winWmi_rule_18
    The OVAL specification does not clearly specify how to process the entity_check="none exist".
    Please see: http://making-security-measurable.1364806.n2.nabble.com/OVAL-state-evaluation-with-entity-check-quot-none-exist-quot-tc7580011.html

8. [Issue #125] Incorrect state value for rule_15 listed in "Validation Content - WMI 57Test.xls"
    The "Validation Content - WMI 57Test.xls" has the following state value for tst:15: "Workstation, Client"
    This is just a text issue; it does not affect the result of the test since the state has the correct value of "Workstation, Workstation".
    Fix: corrected the state value in the worksheet to "Workstation, Workstation".

9. [Issue #126] The xccdf_gov.nist.validation.winWmi_rule_13\tst:13 does not return the expected result
    The xccdf_gov.nist.validation.winWmi_rule_13\tst:13 is being evaluated to FALSE instead of PASS because check_existance="AT_LEAST_ONE_EXIST" and check="all".
    Fix: changed the check="all" to check="none exist"

10. [Issue #127] Possible issue with oval:nist.validation.winProcess58:obj:6 (operation="equals")
    The obj:6 uses SYSTEMROOT, which might be a problem if the environment variable SystemRoot is not all upper case.
    Fix: changed operation to "pattern match" for oval:nist.validation.winProcess58:obj:6 because the OVAL 5.3 environmentvariable_object does not support the 'case insensitive equals' operation for the 'name' property.
11. [Issue #128] Incorrect expected result for rule_61 listed in "Validation Content -Unix_Xinetd Test.xls"
    The tst:61 lists an expected value of "PASS" instead of "FAIL". The expected value in the catalog.xml is correct.
    Fix: changed the expected value for rule_61 to FAIL in the "Validation Content -Unix_Xinetd Test.xls"

12. [Issue #129] Incorrect file name ..\consolidated\RHEL\documents\Validation Content - Linux_File_Hash_Test.xls
    The correct name is "Validation Content - Linux Ind File Hash Test.xls"
    Fix: renamed "Validation Content - Linux_File_Hash_Test.xls" to "Validation Content - Linux Ind File Hash Test.xls"

13. [Issue #130] The file paths from "Validation Content - Linux Ind File Hash Test.xls" don't match the actual test.
    The spreadsheet lists the path "/scap_validation_content/e/" instead of "/scap_validation_content/ind_file_hash/..".
    Fix:
    - replaced /scap_validation_content/e with /scap_validation_content/ind_file_hash/e
    - replaced /scap_validation_content/1e with /scap_validation_content/ind_file_hash/1e

14. [Issue #131] Incorrect configuration settings for "Validation Content -Ind XML Test.xls" and "Validation Content - Linux Ind XML Test.xls"
    The configuration settings for "Validation Content -Ind XML Test.xls" and "Validation Content - Linux Ind XML Test.xls" do not match the tests.
    This is an informational issue only affecting the configuration worksheet from the spreadsheet. The configuration scripts should automatically create the required files, and the test results are not affected.
    Fix: updated configuration worksheet to match the tests.

15. [Issue #132] Incorrect "signature_keyid" for the rpm package "readahead" listed in "Validation Content - Rpminfo_Test.xls"
    The "signature_keyid" for the rpm package "readahead" is incorrect in the spreadsheet and it will be corrected in the next version.
    This is an informational issue only affecting the configuration worksheet from the spreadsheet.
    Fix: changed "signature_keyid" to "5326810137017186"

16. [Issue #133] Incorrect group_id and user_id for Skeleton2 and Skeleton3 listed in "Validation Content -Unix_File Test.xls"
    The Skeleton2.sh & Skeleton3.sh had a user ID & group ID of 0 instead of the 5000 and 500 specified in the config spreadsheet.
    This is an informational issue only affecting the configuration worksheet from the spreadsheet.
    Fix: changed the group_id and user_id to n/a

17. [Issue #133] Incorrect value for oval:nist.validation.winProcess58:ste:58 and oval:nist.validation.winProcess58:ste:64
    - The value for oval:nist.validation.winProcess58:ste:58 is incorrect because:
      - ste value is resolved to "C:\Windows\SyStEm32"
      - and the current_dir entity to "C:\Windows\"
    - Related to the issue above:
      The actual result pass does not match the expected result of fail for item:xccdf_gov.nist_rule_xccdf_gov.nist.validation.winProcess58_rule_83
    Fix: changed the value for ste:58 and ste:64 to c:\wInDoWs

18. [Issue #28] r2200-datastream.xml fails schema validation with Oxygen (Schematron errors for ocil_test)
    Fix: changed the OVAL schema from 5.3 to 5.10.

19. [Issue #135] Incorrect object used by oval:nist.validation.winWmi57:tst:62
    The oval:nist.validation.winWmi57:tst:62 is supposed to test the pattern match operation for the wql entity, but it uses an object that does not exist.
    Fix: changed the object to oval:nist.validation.winWmi57:obj:3 and the state to oval:nist.validation.winWmi57:ste:73.

20. [Issue #136] Incorrect object used by oval:nist.validation.winWmi:tst:62
    The oval:nist.validation.winWmi:tst:62 is supposed to test the pattern match operation for the wql entity, but it uses an object that does not exist.
    Fix: changed the object to oval:nist.validation.winWmi:obj:3 and the state to oval:nist.validation.winWmi:ste:55.
21. Improved the following tests & states to align with the tested operation:
    - oval:nist.validation.winWmi57:tst:55 - case insensitive equals
    - oval:nist.validation.winWmi57:tst:58 - equals
    - oval:nist.validation.winWmi57:tst:61 - case insensitive not equal

22. Improved the following tests & states to align with the tested operation:
    - oval:nist.validation.winWmi:tst:55 - case insensitive equals
    - oval:nist.validation.winWmi:tst:58 - equals
    - oval:nist.validation.winWmi:tst:61 - case insensitive not equal

23. [Issue #137] Some winfile tests might fail if the system's time zone is not set to EST or EDT
    Fix: updated the configuration instructions.

24. [Issue #138] Incorrect results for the winfile tst:53 to 57 on Windows XP
    The results for the following rules don't match the expected results because the owner of the Skeleton.exe is not 'BUILTIN\Administrators':
      The actual result fail does not match the expected result of pass for item:xccdf_gov.nist.validation.winFile_rule_53
      The actual result pass does not match the expected result of fail for item:xccdf_gov.nist.validation.winFile_rule_56
      The actual result fail does not match the expected result of pass for item:xccdf_gov.nist.validation.winFile_rule_57
      The actual result pass does not match the expected result of fail for item:xccdf_gov.nist.validation.winFile_rule_54
      The actual result fail does not match the expected result of pass for item:xccdf_gov.nist.validation.winFile_rule_55
    Fix: updated tests 53 to 57.

25. Deleted win_file_config2.py because win_file_test requires only one configuration.

26. Removed references to Python 2.7 from the readme_lab.txt and readme_public.txt files.
27.Changed the ID od the consolidated DS from:"xccdf_gov.nist_benchmark_xccdf_gov.nist.validation.environmentvariable58_benchmark_environmentvariable58" to "xccdf_gov.nist_benchmark_SCAP-Validation-Consolidated-Benchmark" 28.[Issue #139] The following tests run only on Windows Vista or later: - xccdf_gov.nist_rule_secreatesymboliclinkprivilege-with-equals-operation-8 - xccdf_gov.nist_rule_seincreaseworkingsetprivilege-with-equals-operation-15 - xccdf_gov.nist_rule_serelabelprivilege-with-equals-operation-21 - xccdf_gov.nist_rule_setimezoneprivilege-with-equals-operation-32 - xccdf_gov.nist_rule_setrustedcredmanaccessnameright-with-equals-operation-45 The following privileges are not defined on XP (see http://msdn.microsoft.com/en-us/library/windows/desktop/ee695867%28v=vs.85%29.aspx): - SeCreateSymbolicLinkPrivilege - SeIncreaseWorkingSetPrivilege - SereLabelPrivilege - SeTimezonePrivilege - SeTrustedCredManAccessPrivilege (setrustedcredmanaccessnameright in OVAL) Fix: Added cpe-lang:platform-specification for the affected rules: - xccdf_gov.nist_rule_secreatesymboliclinkprivilege-with-equals-operation-8 - xccdf_gov.nist_rule_seincreaseworkingsetprivilege-with-equals-operation-15 - xccdf_gov.nist_rule_serelabelprivilege-with-equals-operation-21 - xccdf_gov.nist_rule_setimezoneprivilege-with-equals-operation-32 - xccdf_gov.nist_rule_setrustedcredmanaccessnameright-with-equals-operation-45 - xccdfgov.nist_rule_secreatesymboliclinkprivilege-with-equals-operation-143 - xccdfgov.nist_rule_secreatesymboliclinkprivilege-with-equals-operation-98 - xccdfgov.nist_rule_secreatesymboliclinkprivilege-with-equals-operation-53 - xccdfgov.nist_rule_seincreaseworkingsetprivilege-with-equals-operation-150 - xccdfgov.nist_rule_seincreaseworkingsetprivilege-with-equals-operation-60 - xccdfgov.nist_rule_seincreaseworkingsetprivilege-with-equals-operation-105 - xccdfgov.nist_rule_serelabelprivilege-with-equals-operation-156 - 
xccdfgov.nist_rule_serelabelprivilege-with-equals-operation-66 - xccdfgov.nist_rule_serelabelprivilege-with-equals-operation-111 - xccdfgov.nist_rule_setimezoneprivilege-with-equals-operation-122 - xccdfgov.nist_rule_setimezoneprivilege-with-equals-operation-77 - xccdfgov.nist_rule_setimezoneprivilege-with-equals-operation-167 - xccdfgov.nist_rule_setrustedcredmanaccessnameright-with-equals-operation-180 - xccdfgov.nist_rule_setrustedcredmanaccessnameright-with-equals-operation-135 - xccdfgov.nist_rule_setrustedcredmanaccessnameright-with-equals-operation-90 On Windows XP these rules will return: notapplicable. Also, updated the catalog.xml files and added a separate configuration section for Windows XP. 29.win_file_effective_rights_test: corrected the expected result for oval:nist.validation.winFileEffectiveRights:def:92 from UNKNOWN to FAIL on all 3 configurations. The incorrect result was listed only in the Validation Content - File Effective Rights.xls. The catalog.xml had the correct result. 30.win_file_audit_permissions_53_test\Validation Content - File Audited Permissions 53.xls Corrected the OVAL IDs (the IDs numbers restart at 184.) 31.win_file_audit_permissions_test\Validation Content - File Audited Permissions.xls Corrected the OVAL IDs (the IDs numbers restart at 184.) 32.Added configuration information for the win_user_test in readme.txt and "Validation Content - User Test.xls" computer name = TESTMACHINE 33.[Issue #161]: Corrected the expected result for (win_file_test) def:7 in the spreadsheet. 33.[Issue #162]: Incorrect result for oval:nist.validation.filehash:def:2 and oval:nist.validation.linux_filehash:def:2 - Corrected the expected results in the spreadsheet for configuration 2 and in the OVAL definition. 34. Corrected the expected results for xccdf_gov.nist.validation.winRegistryEffectiveRights_rule_21 and xccdf_gov.nist.validation.winRegistryEffectiveRights53_rule_21 on Windows XP. 35. 
[Issue #186]: Updated the pattern match for oval:nist.validation.winAccessToken:obj:4 and oval:nist.validation.winAccessToken:ste:94 to comply with OVAL specification. (http://making-security-measurable.1364806.n2.nabble.com/Windows-local-vs-built-in-accounts-tt7579309.html#a7579310) - oval:nist.validation.winAccessToken:obj:4: replaced "\\Guest$" with "[Gg][Uu][Ee][Ss][Tt]$" - oval:nist.validation.winAccessToken:ste:94: replaced: "\\Guest" with "[Gg][Uu][Ee][Ss][Tt]$" 36. [Issue #187]: Incorrect operation for the datatype string used by SCAP.2000.5 XCCDF component SCAP.T.2000.5. The content has a string with a “greater than or equal” to attached to it. This content is invalid. Fix: Corrected the operation for the affected XCCDF values. 37. [Issue #192]: enhancements for unixProcess58 test related to selinux_domain_label entity Fix: - changed the value for oval:nist.validation.unixProcess58:ste:128 from "unconfined.*t" to "^iNiT_t$" - changed the value for oval:nist.validation.unixProcess58:ste:124 from "unconfined_t" to "iNiT_t" - added @entity_check='all' for the states which test the selinux_domain_label value 38. [Issue #210]: Incorrect expected result for def:38 listed in "Validation Content - Audit Event Policy.xls" for configuration 3 The tst:38 lists an expected value of "PASS" instead "FAIL". The expected value in the catalog.xml is correct. Fix: changed the expected value for def:38 to FAIL in the "Validation Content - Audit Event Policy.xls" 39. [Issue #214\#190]: The check_existance value from spreadsheet don't match the XML content for winRegistryEffectiveRights53:tst:7 Fix: - changed the value for check_existance for tst:7 from "only_one_exists" to "any_exist". - updated the expected result value from catalog.xml (from FAIL to PASS). 40. 
[Issue #213]: The audit subcategory "Detailed File Share" is not available on Windows Vista Fix: Added cpe-lang:platform-specification for the affected rules: - xccdf_gov.nist_rule_detailed-file-share-with-equals-operation-101 - xccdf_gov.nist_rule_detailed-file-share-with-equals-operation-102 - xccdf_gov.nist_rule_detailed-file-share-with-equals-operation-103 - xccdf_gov.nist_rule_detailed-file-share-with-equals-operation-104 41. [Issue #169]: Incorrect comment for oval:nist.validation.winRegistry:tst:20 Fix: Corrected the comment. 42. [Issue #215] Improve configuration scripts to eliminate manual steps. There are commands specific for each Windows platform that needs to be executed. For instance: lockout_policy_set.exe does not work on all the platforms. Fix: improved config[1-8].bat to minimize manual configuration steps. 43. [Issue #170] win_wua_update_searcher_test does not cover Windows XP and Vista Fix: updated the content to support Windows XP and Vista 32-bit platforms The following tests were updated: - oval:nist.validation.winWuaUpdateSearcher:tst:12 - oval:nist.validation.winWuaUpdateSearcher:tst:15 - oval:nist.validation.winWuaUpdateSearcher:tst:19 - oval:nist.validation.winWuaUpdateSearcher:tst:31 - oval:nist.validation.winWuaUpdateSearcher:tst:32 - oval:nist.validation.winWuaUpdateSearcher:tst:33 - oval:nist.validation.winWuaUpdateSearcher:tst:34 - oval:nist.validation.winWuaUpdateSearcher:tst:37 - oval:nist.validation.winWuaUpdateSearcher:tst:39 44. [Issue #150] The inetd_test is not applicable to RHEL 5 De-selected rules in the profile for the inetd_test and and inetd_test-datastream. 45. [Issue #149] Updated the OVAL schema version to 5.10 for linux_partition_test-datastream.xml and RHEL-datastream.xml 46. 
[Issue #150] Updated the uname_test to work with any release of RHEL 5
The following tests were updated:
- oval:nist.validation.unixUname:tst:31
- oval:nist.validation.unixUname:tst:32
- oval:nist.validation.unixUname:tst:33
- oval:nist.validation.unixUname:tst:34
- oval:nist.validation.unixUname:tst:41
- oval:nist.validation.unixUname:tst:42
- oval:nist.validation.unixUname:tst:43
- oval:nist.validation.unixUname:tst:44

47. Documentation update for Unix file test: correct path for Skeleton.sh in Validation Content -Unix_File Test.xls

48. Removed duplicate *.xls files for RHEL consolidated data stream. These files are still available in the "docs" folder for discrete data streams.

49. [Issue #220] Corrected possible false negative due to mount_options entity for oval:nist.validation.linuxPartition:def:61 and def:63

50. Multiple content enhancements for linuxPartition:def:61 through def:70 related to case-sensitive and case-insensitive operations.

51. [Issue #188] compare.py updates to support missing "notselected" results from ARF reports.

52. Corrected the expected result for oval:nist.validation.linuxPartition:def:13 in "Validation Content - Partition Test.xls"
The expected result for def:13 is "PASS".

53. [Issue #217] The space_left entity should record the free blocks in the file system (f_bfree) instead of the free blocks available to non-superuser (f_bavail)
Updated the following OVAL tests:
- oval:nist.validation.linuxPartition:tst:95
- oval:nist.validation.linuxPartition:tst:99
- oval:nist.validation.linuxPartition:tst:98
- oval:nist.validation.linuxPartition:tst:100
- oval:nist.validation.linuxPartition:tst:102

54. [Issue #221] Windows configuration scripts for win_user and win_group tests: unable to create user
Some of the configuration commands fail because the password does not meet the complexity requirements.
Fix: Improved the Python scripts for the win_group and win_user tests to generate complex passwords.

55.
[Issue #140] The Validation Test Content must be tested on a machine named "TESTMACHINE".
This is not suitable for testing multiple products at the same time or for having multiple configurations that run simultaneously.
Fix: Improved win_user and win_group tests to support the following computer names: TESTMACHINE, TESTMACHINE01 to TESTMACHINE99.

56. [Issue #225] Incorrect result for oval:nist.validation.winWuaUpdateSearcher:tst:40 on XP
Fix: updated the pattern match for oval:nist.validation.winWuaUpdateSearcher:ste:40 to "^[^0]+\.$"

57. [Issue #226] linux-ind_environment_variable_test-config1.sh does not work for non-login shell
The linux-ind_environment_variable_58_test-config1.sh is affected as well.
Fix: Updated the scripts to support non-login shell.

58. [Issue #227] The oval:nist.validation.winSidSid:def:4 from the consolidated DS has the deprecated attribute set to true
Fix: removed the deprecated attribute for def:4

59. [Issue #151] unix_inetd XCCDF rules should not be selected
Fix: unselected the unix_inetd rules from the discrete data stream.

60. [Issue #228] The linux partition test 35 does not support IDE drives
Fix: updated the pattern match for oval:nist.validation.linuxPartition:ste:16 from "/dev/sd[\w]+" to "/dev/[hs]d[\w]+"

61. [Issue #229] The tests oval:nist.validation.winSidSid:tst:4 and 13 return ERROR instead of PASS.
Fix: updated oval:nist.validation.winSidSid:obj:11 to use a fake trustee_sid which ends in -498 instead:

62. [Issue #231] win_sid_test\obj:5 does not exist because the equals operation for string datatype is case-sensitive
Fix: changed operation "equals" to "pattern match" for the oval:nist.validation.winSid:obj:5
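
The pattern changes recorded for Issue #186 (winAccessToken:obj:4) and Issue #228 (linuxPartition:ste:16) can be compared against sample values before and after the fix. This is an added example, not part of the validation content or its scripts; the sample values are constructed, and it assumes OVAL "pattern match" behaves as an unanchored regular-expression search, approximated here with Python's re.search.

```python
import re

# Old and new patterns copied from the changelog entries for Issue #186 and #228.
CHANGES = {
    "winAccessToken:obj:4": (r"\\Guest$", r"[Gg][Uu][Ee][Ss][Tt]$"),
    "linuxPartition:ste:16": (r"/dev/sd[\w]+", r"/dev/[hs]d[\w]+"),
}

# Constructed sample values (not taken from the validation content).
SAMPLES = {
    "winAccessToken:obj:4": [
        r"TESTMACHINE\Guest",
        r"TESTMACHINE\guest",
        "Guest",
        r"TESTMACHINE\HelpdeskGuest",
        r"TESTMACHINE\Administrator",
    ],
    "linuxPartition:ste:16": [
        "/dev/sda1", "/dev/hda1", "/dev/nvme0n1p1", "/dev/mapper/vg-root",
    ],
}


def matches(pattern, value):
    """Assumed OVAL 'pattern match' semantics: unanchored regex search."""
    return re.search(pattern, value) is not None


def compare(entity):
    """Return {value: (old_result, new_result)} for every sample of an entity."""
    old, new = CHANGES[entity]
    return {v: (matches(old, v), matches(new, v)) for v in SAMPLES[entity]}


def changed(entity):
    """Samples whose result differs between the old and new pattern."""
    return sorted(v for v, (o, n) in compare(entity).items() if o != n)


if __name__ == "__main__":
    for entity in CHANGES:
        print(entity)
        for value, (old, new) in compare(entity).items():
            flag = "  <- changed" if old != new else ""
            print(f"  {value!r:32} old={old!s:5} new={new!s:5}{flag}")
```

The new Issue #186 pattern no longer requires the backslash separator, so any account name ending in "guest" (in any letter case) now matches. The Issue #228 pattern adds /dev/hd* devices, while NVMe and device-mapper paths match neither the old nor the new pattern.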