OVALProject · wmunyan · Aug 11, 2016 · Aug 11, 2016 · Aug 11, 2016
diff --git a/resources/x-docker-schema/docker-oval-proposal-form.txt b/resources/x-docker-schema/docker-oval-proposal-form.txt
@@ -0,0 +1,199 @@
+--------------------------------------------------------------------------------
+OVAL Proposal Form
+--------------------------------------------------------------------------------
+The OVAL Proposal Form is used by members of the community to prepare proposals 
+for migration into an official release of OVAL. The form will be critical in 
+helping the members of the community understand, review, and vet proposals.
+
+Once an OVAL Proposal Form is submitted to the oval-developer-list, the OVAL 
+Moderator will review and verify the proposal for completeness at which point 
+it will be ready for community review and discussion. 
+
+When a new proposal is introduced to the community, the OVAL Moderator will 
+work with the OVAL Board to determine the impact of the proposal. If the 
+proposal is deemed a high impact change, it must be developed in the OVAL 
+Sandbox which will require the completion of this form as well as an OVAL 
+Board vote before it is migrated into an official release. More information 
+about the OVAL Board Voting Process can be found at [1]. If the proposal is 
+deemed a low impact change, the proposed change can be made directly to an 
+official OVAL release.
+
+Please direct any questions or concerns to MITRE at oval@mitre.org.
+
+--------------------------------------------------------------------------------
+Steps to Take
+--------------------------------------------------------------------------------
+1) Review the OVAL Language Sandbox page [2] and the Requesting Changes to the 
+OVAL Language page [3].
+
+2) Complete the form provided below.
+
+3) Email the completed form to the oval-developer-list at 
+oval-developer-list@lists.mitre.org with a subject of 
+"FOR REVIEW: <Proposal Name> Proposal Form".
+
+4) Revise the proposal, as needed, based on community discussion and feedback.
+
+--------------------------------------------------------------------------------
+Contact Information
+--------------------------------------------------------------------------------
+1) Name: William Munyan (Bill)
+2) Email Address: william.munyan@cisecurity.org
+3) Phone Number (optional):
+
+--------------------------------------------------------------------------------
+Introduction to Proposal
+--------------------------------------------------------------------------------
+1) What is the new capability?
+
+The OVAL schemas for Docker provide a standards-based capability to check configurations
+related to a Docker installation and/or containers and images installed in a Docker 
+infrastructure.
+
+2) Why is the new capability needed?
+
+The Docker OVAL schemas are needed to provide a standards-based capability 
+to check Docker installation configuration as well as configuration of installed 
+containers or images.  
+
+3) What is the version of the targeted official OVAL release?
+
+The targeted OVAL version for this proposal is OVAL 5.12.
+
+--------------------------------------------------------------------------------
+Benefits of Proposal
+--------------------------------------------------------------------------------
+1) How does the proposal relate to existing OVAL use cases [4]?
+The tests provide capabilities to express and assess Docker configuration for the 
+following OVAL use cases: 
+
+* Configuration Management
+
+2) What does this proposal enable that cannot currently be accomplished in the 
+OVAL Language?
+
+The OVAL Language does not currently include any Docker-specific schemas.  
+
+The proposed Docker schema provides the ability to check:
+* Installed version information
+* Currently executing process information for those processes executing within 
+  a Docker container/image (similar to the Unix schema's process58_test)
+* Information regarding a Docker installation, such as numbers of running containers, 
+  total number of containers, backing filesystems and backing architectures
+* Inspection information for any installed container or image
+* Container process information, such as time when a container was created, container 
+  up-time, status and size
+
+3) What alternative approaches for supporting these use cases were considered 
+and why is this one the best?
+
+We do not believe there are other alternative methods for interrogating or assessing 
+Docker.  Most output from Docker commands is rendered as JSON, for which no OVAL 
+constructs currently exist.
+
+--------------------------------------------------------------------------------
+Impacts of Proposal
+--------------------------------------------------------------------------------
+1) Which existing OVAL schemas are affected by this proposal?  
+
+None.
+
+2) Does the proposal break backward compatibility with previous versions?  
+Please see OVAL Versioning Policy [5] for more information.
+
+This proposal does not break backward compatibility.  
+
+2) How will the proposed changes impact OVAL content authors?
+
+This will provide OVAL content authors with the ability to create new 
+content based on the new tests.  We have created proof-of-concept OVAL 
+definitions demonstrating the ability to automate useful compliance checks.  
+
+3) How will the proposed changes impact OVAL content consumers?
+
+No impact to current OVAL content consumers.  These changes will provide 
+an opportunity to use OVAL to create configuration management/assessment 
+content for Docker.
+
+4) How will the proposed changes impact existing OVAL content?
+
+No impact.
+
+5) How will the proposed changes impact existing OVAL implementations?
+
+The impact will depend on whether the existing OVAL implementations need to 
+implement Docker-specific schema features.  In many cases it will not be 
+necessary.
+
+6) Are there any concerns regarding this proposal (e.g., undocumented APIs, 
+etc.)? If so, are there any mitigating factors?  
+
+As Docker is a rapidly evolving technology, the only concerns are that when 
+updated versions of Docker are released, commands, command options, and/or 
+APIs may change.  These changes could have an impact on implementations of 
+the Docker schema.
+
+--------------------------------------------------------------------------------
+Technical Review
+--------------------------------------------------------------------------------
+1) Do the schema changes follow the accepted naming and design conventions?
+
+Yes.
+
+2) Do the schema changes satisfy the requirements specified in the Requesting 
+Changes to the OVAL Language page [3]?
+
+Yes.
+
+3) Do the schema changes align with the targeted official release (e.g., changes 
+that break backward compatibility should not target a minor release)? Please 
+see the OVAL Versioning Policy [5] for more information.
+
+Yes.
+
+4) Have the new capabilities been successfully implemented and tested with sample 
+content?
+
+Yes.
+
+--------------------------------------------------------------------------------
+Resource Information
+--------------------------------------------------------------------------------
+1) Provide URLs for relevant OVAL Sandbox Issues:
+
+N/A
+
+2) Provide URLs for OVAL Sandbox schemas that exemplify the proposed changes:
+
+https://raw.githubusercontent.com/OVALProject/Sandbox/master/x-docker-system-characteristics-schema.xsd
+
+https://raw.githubusercontent.com/OVALProject/Sandbox/master/x-docker-definitions-schema.xsd
+
+3) Provide URLs for the location of sample OVAL Definitions, 
+OVAL System Characteristics, and OVAL Results that exemplify the proposed 
+changes:
+
+Sample OVAL Definitions:
+https://github.com/OVALProject/Sandbox/blob/master/resources/x-docker-schema/sample-docker-oval-definitions.xml
+
+Sample OVAL Results including System Characteristics:
+https://github.com/OVALProject/Sandbox/blob/master/resources/x-docker-schema/sample-docker-oval-results.xml
+
+4) Provide URLs for products or tools that implement the proposed changes:
+
+N/A
+
+5) Provide URLs to any other resources that may be relevant to reviewing and 
+verifying the proposal:
+
+N/A
+
+--------------------------------------------------------------------------------
+References
+--------------------------------------------------------------------------------
+[1] http://oval.mitre.org/community/board/voting.html
+[2] http://oval.mitre.org/language/sandbox.html
+[3] http://oval.mitre.org/language/about/change_requests.html
+[4] http://oval.mitre.org/adoption/usecasesguide.html
+[5] http://oval.mitre.org/language/about/versioning.html
+
diff --git a/resources/x-docker-schema/sample-docker-oval-definitions.xml b/resources/x-docker-schema/sample-docker-oval-definitions.xml
@@ -0,0 +1,184 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<oval_definitions xsi:schemaLocation="
+    http://oval.mitre.org/XMLSchema/oval-definitions-5 http://oval.mitre.org/language/version5.11/ovaldefinition/complete/oval-definitions-schema.xsd     
+    http://oval.mitre.org/XMLSchema/oval-definitions-5#unix http://oval.mitre.org/language/version5.11/ovaldefinition/complete/unix-definitions-schema.xsd    
+    http://oval.mitre.org/XMLSchema/oval-definitions-5#independent http://oval.mitre.org/language/version5.11/ovaldefinition/complete/independent-definitions-schema.xsd
+    http://oval.mitre.org/XMLSchema/oval-definitions-5#x-docker x-docker-definitions-schema.xsd     
+    http://oval.mitre.org/XMLSchema/oval-definitions-5#cmd x-shellcommand-schema.xsd     " xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:ind="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" xmlns:docker="http://oval.mitre.org/XMLSchema/oval-definitions-5#x-docker" xmlns:cmd="http://oval.mitre.org/XMLSchema/oval-definitions-5#cmd">
+    <generator>
+        <oval:schema_version>5.11</oval:schema_version>
+        <oval:timestamp>2009-01-12T10:41:00-05:00</oval:timestamp>
+        <terms_of_use>Copyright (c) 2002-2012, The MITRE Corporation. All rights reserved. The contents of this file are subject to the license described in terms.txt.</terms_of_use>
+    </generator>
+
+    <definitions>
+        <definition id="oval:org.cisecurity.docker:def:1" version="1" class="compliance">
+            <metadata>
+                <title>Docker Version</title>
+                <description>Docker Version</description>
+            </metadata>
+            <criteria>
+                <criterion comment="Test if a docker version with a hive is supported." test_ref="oval:org.cisecurity.docker:tst:1"/>
+            </criteria>
+        </definition>
+        <definition id="oval:org.cisecurity.docker:def:2" version="1" class="compliance">
+            <metadata>
+                <title>Docker Inspect</title>
+                <description>Docker Inspect</description>
+            </metadata>
+            <criteria>
+                <criterion comment="Docker inspect test" test_ref="oval:org.cisecurity.docker:tst:2"/>
+            </criteria>
+        </definition>
+        <definition id="oval:org.cisecurity.docker:def:3" version="1" class="compliance">
+            <metadata>
+                <title>Docker Info</title>
+                <description>Docker Info</description>
+            </metadata>
+            <criteria>
+                <criterion comment="Docker Info test" test_ref="oval:org.cisecurity.docker:tst:3"/>
+            </criteria>
+        </definition>
+        <definition id="oval:org.cisecurity.docker:def:4" version="1" class="compliance">
+            <metadata>
+                <title>Docker Keyed Info</title>
+                <description>Docker Keyed Info</description>
+            </metadata>
+            <criteria>
+                <criterion comment="Docker Keyed Info test" test_ref="oval:org.cisecurity.docker:tst:4"/>
+            </criteria>
+        </definition>
+        <definition id="oval:org.cisecurity.docker:def:5" version="1" class="compliance">
+            <metadata>
+                <title>Docker Process</title>
+                <description>Docker Process</description>
+            </metadata>
+            <criteria>
+                <criterion comment="Docker Process test" test_ref="oval:org.cisecurity.docker:tst:5"/>
+            </criteria>
+        </definition>
+        <definition id="oval:org.cisecurity.docker:def:6" version="1" class="compliance">
+            <metadata>
+                <title>Docker Process</title>
+                <description>Docker Process</description>
+            </metadata>
+            <criteria>
+                <criterion comment="Docker Process test" test_ref="oval:org.cisecurity.docker:tst:6"/>
+            </criteria>
+        </definition>
+        <definition id="oval:org.cisecurity.docker:def:10" version="1" class="compliance">
+            <metadata>
+                <title>Docker Exec PS</title>
+                <description>Docker Exec PS</description>
+            </metadata>
+            <criteria>
+                <criterion comment="Docker Exec PS" test_ref="oval:org.cisecurity.docker:tst:10"/>
+            </criteria>
+        </definition>
+    </definitions>
+
+    <tests>
+        <docker:version_test id="oval:org.cisecurity.docker:tst:1" version="1" comment="Docker Version Test" check_existence="at_least_one_exists" check="all">
+            <docker:object object_ref="oval:org.cisecurity.docker:obj:1"/>
+            <docker:state state_ref="oval:org.cisecurity.docker:ste:1"/>
+        </docker:version_test>
+        <docker:inspect_test id="oval:org.cisecurity.docker:tst:2" version="1" comment="Docker Inspect Test" check_existence="at_least_one_exists" check="all">
+            <docker:object object_ref="oval:org.cisecurity.docker:obj:2"/>
+            <docker:state state_ref="oval:org.cisecurity.docker:ste:2"/>
+        </docker:inspect_test>
+        <docker:info_test id="oval:org.cisecurity.docker:tst:3" version="1" comment="Docker Info Test" check_existence="at_least_one_exists" check="all">
+            <docker:object object_ref="oval:org.cisecurity.docker:obj:3"/>
+            <docker:state state_ref="oval:org.cisecurity.docker:ste:3"/>
+        </docker:info_test>
+        <docker:keyedinfo_test id="oval:org.cisecurity.docker:tst:4" version="1" comment="Docker Keyed Info Test" check_existence="at_least_one_exists" check="all">
+            <docker:object object_ref="oval:org.cisecurity.docker:obj:4"/>
+            <docker:state state_ref="oval:org.cisecurity.docker:ste:4"/>
+        </docker:keyedinfo_test>
+        <docker:process_test id="oval:org.cisecurity.docker:tst:5" version="1" comment="Docker Process Test" check_existence="at_least_one_exists" check="at least one">
+            <docker:object object_ref="oval:org.cisecurity.docker:obj:5"/>
+            <docker:state state_ref="oval:org.cisecurity.docker:ste:5"/>
+        </docker:process_test>
+        <docker:process_test id="oval:org.cisecurity.docker:tst:6" version="1" comment="Docker Process Test" check_existence="none_exist" check="at least one">
+            <docker:object object_ref="oval:org.cisecurity.docker:obj:6"/>
+        </docker:process_test>
+        <docker:execps_test id="oval:org.cisecurity.docker:tst:10" version="1" comment="Docker Exec PS Test" check_existence="at_least_one_exists" check="at least one">
+            <docker:object object_ref="oval:org.cisecurity.docker:obj:10"/>
+            <docker:state state_ref="oval:org.cisecurity.docker:ste:10"/>
+        </docker:execps_test>
+    </tests>
+    <objects>
+        <docker:version_object id="oval:org.cisecurity.docker:obj:1" version="1" comment="..."/>
+        <docker:inspect_object id="oval:org.cisecurity.docker:obj:2" version="1" comment="...">
+            <docker:container_or_image var_ref="oval:org.cisecurity.docker:var:1"/>
+            <docker:inspect_property>MOUNTS</docker:inspect_property>
+        </docker:inspect_object>
+        <docker:info_object id="oval:org.cisecurity.docker:obj:3" version="1" comment="..."/>
+        <docker:keyedinfo_object id="oval:org.cisecurity.docker:obj:4" version="1" comment="...">
+            <docker:key>STORAGE_DRIVER</docker:key>
+        </docker:keyedinfo_object>
+        <docker:process_object id="oval:org.cisecurity.docker:obj:5" version="1" comment="...">
+            <docker:container_id operation="pattern match">.*</docker:container_id>
+        </docker:process_object>
+        <docker:process_object id="oval:org.cisecurity.docker:obj:6" version="1" comment="...">
+            <docker:container_id>NO CONTAINER</docker:container_id>
+        </docker:process_object>
+        <docker:execps_object id="oval:org.cisecurity.docker:obj:10" version="1" comment="...">
+            <docker:container_or_image>4cd4e0cccf3a</docker:container_or_image>
+            <docker:command_line operation="pattern match">^nginx.*$</docker:command_line>
+            <docker:pid datatype="int" operation="greater than">0</docker:pid>
+        </docker:execps_object>
+        <docker:process_object id="oval:org.cisecurity.docker:obj:999" version="1" comment="...">
+            <docker:container_id operation="pattern match">.*</docker:container_id>
+            <filter action="include">oval:org.cisecurity.docker:ste:999</filter>
+        </docker:process_object>
+        <ind:textfilecontent54_object id="oval:org.cisecurity.docker:obj:998" version="1" comment="...">
+            <ind:filepath>/etc/audit/auditd.conf</ind:filepath>
+            <ind:pattern operation="pattern match">^log_file\s*=\s*([/a-zA-Z\s]+\.log)</ind:pattern>
+            <ind:instance datatype="int">1</ind:instance>
+        </ind:textfilecontent54_object>
+    </objects>
+    <states>
+        <docker:version_state id="oval:org.cisecurity.docker:ste:1" version="1" comment="...">
+            <docker:client_version datatype="version">1.11.0</docker:client_version>
+            <docker:server_version datatype="version">1.11.0</docker:server_version>
+        </docker:version_state>
+        <docker:inspect_state id="oval:org.cisecurity.docker:ste:2" version="1" comment="...">
+            <docker:inspect_property_values datatype="record">
+                <field entity_check="at least one" name="source">/some/content</field>
+            </docker:inspect_property_values>
+        </docker:inspect_state>
+        <docker:info_state id="oval:org.cisecurity.docker:ste:3" version="1" comment="...">
+            <docker:container_count datatype="int">2</docker:container_count>
+            <docker:storage_driver>aufs</docker:storage_driver>
+            <docker:operating_system>Ubuntu 15.10</docker:operating_system>
+            <docker:docker_root_dir>/var/lib/docker</docker:docker_root_dir>
+        </docker:info_state>
+        <docker:keyedinfo_state id="oval:org.cisecurity.docker:ste:4" version="1" comment="...">
+            <docker:key>STORAGE_DRIVER</docker:key>
+            <docker:value datatype="string">aufs</docker:value>
+            <docker:subvalues datatype="record">
+                <field name="backing filesystem">extfs</field>
+            </docker:subvalues>
+        </docker:keyedinfo_state>
+        <docker:process_state id="oval:org.cisecurity.docker:ste:5" version="1" comment="...">
+            <docker:container_id>4cd4e0cccf3a</docker:container_id>
+            <docker:port entity_check="at least one">80/tcp</docker:port>
+        </docker:process_state>
+        <docker:execps_state id="oval:org.cisecurity.docker:ste:10" version="1" comment="...">
+            <docker:container_or_image>4cd4e0cccf3a</docker:container_or_image>
+            <docker:ppid datatype="int">1</docker:ppid>
+        </docker:execps_state>
+        <docker:process_state id="oval:org.cisecurity.docker:ste:999" version="1" comment="...">
+            <docker:status>running</docker:status>
+        </docker:process_state>
+    </states>
+
+    <variables>
+        <local_variable id="oval:org.cisecurity.docker:var:1" version="1" datatype="string" comment="Currently running containers">
+            <object_component object_ref="oval:org.cisecurity.docker:obj:999" item_field="container_id"/>
+        </local_variable>
+        <local_variable id="oval:org.cisecurity.docker:var:3" version="1" datatype="string" comment="Path to auditd logs">
+            <object_component object_ref="oval:org.cisecurity.docker:obj:998" item_field="subexpression"/>
+        </local_variable>
+    </variables>
+</oval_definitions>