Security Automation and Continuous Monitoring                  M. Cokus
Internet-Draft                                                D. Haynes
Intended status: Informational                            D. Rothenberg
Expires: March 11, 2017                           The MITRE Corporation
                                                            J. Gonzalez
                                         Department of Homeland Security
                                                      September 7, 2016

                       OVAL(R) Definitions Model
              draft-haynes-sacm-oval-definitions-model-01

Abstract

   This document specifies Version 5.11.1 of the OVAL Definitions Model,
   which defines an extensible framework for making assertions about a
   system that are based upon a collection of logical statements.  Each
   logical statement defines a specific machine state by identifying the
   data set on the system to examine and describing the expected state
   of that system data.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current
   Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on March 11, 2017.

Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Requirements Language
   2.  oval_definitions
   3.  DefinitionsType
   4.  DefinitionType
   5.  MetadataType
   6.  AffectedType
   7.  ReferenceType
   8.  NotesType
   9.  CriteriaType
   10. CriterionType
   11. ExtendDefinitionType
   12. TestsType
   13. TestType
   14. ObjectRefType
   15. StateRefType
   16. ObjectsType
   17. ObjectType
   18. set
   19. filter
   20. StatesType
   21. StateType
   22. VariablesType
   23. VariableType
   24. external_variable
   25. PossibleValueType
   26. PossibleRestrictionType
   27. RestrictionType
   28. constant_variable
   29. ValueType
   30. local_variable
   31. ComponentGroup
   32. LiteralComponentType
   33. ObjectComponentType
   34. VariableComponentType
   35. FunctionGroup
   36. ArithmeticFunctionType
   37. BeginFunctionType
   38. ConcatFunctionType
   39. CountFunctionType
   40. EndFunctionType
   41. EscapeRegexFunctionType
   42. SplitFunctionType
   43. SubstringFunctionType
   44. TimeDifferenceFunctionType
   45. UniqueFunctionType
   46. RegexCaptureFunctionType
   47. ArithmeticEnumeration
   48. DateTimeFormatEnumeration
   49. FilterActionEnumeration
   50. SetOperatorEnumeration
   51. EntityAttributeGroup
   52. EntitySimpleBaseType
   53. EntityComplexBaseType
   54. EntityObjectIPAddressType
   55. EntityObjectIPAddressStringType
   56. EntityObjectAnySimpleType
   57. EntityObjectBinaryType
   58. EntityObjectBoolType
   59. EntityObjectFloatType
   60. EntityObjectIntType
   61. EntityObjectStringType
   62. EntityObjectVersionType
   63. EntityObjectRecordType
   64. EntityObjectFieldType
   65. EntityStateSimpleBaseType
   66. EntityStateComplexBaseType
   67. EntityStateIPAddressType
   68. EntityStateIPAddressStringType
   69. EntityStateAnySimpleType
   70. EntityStateBinaryType
   71. EntityStateBoolType
   72. EntityStateFloatType
   73. EntityStateIntType
   74. EntityStateEVRStringType
   75. EntityStateDebianEVRStringType
   76. EntityStateVersionType
   77. EntityStateFileSetRevisionType
   78. EntityStateIOSVersionType
   79. EntityStateStringType
   80. EntityStateRecordType
   81. EntityStateFieldType
   82. OVAL Definitions Model Schema
   83. Intellectual Property Considerations
   84. Acknowledgements
   85. IANA Considerations
   86. Security Considerations
   87. Change Log
     87.1. -00 to -01
   88. References
     88.1. Normative References
     88.2. Informative References
   Authors' Addresses

1.  Introduction

   The Open Vulnerability and Assessment Language (OVAL) [OVAL-WEBSITE]
   is an international, information security community effort to
   standardize how to assess and report upon the machine state of
   systems.  For over ten years, OVAL has been developed in
   collaboration with any and all interested parties to promote open and
   publicly available security content and to standardize the
   representation of this information across the entire spectrum of
   security tools and services.

   OVAL provides an established framework for making assertions about a
   system's state by standardizing the three main steps of the
   assessment process: representing the current machine state; analyzing
   the system for the presence of the specified machine state; and
   representing the results of the assessment, which facilitates
   collaboration and information sharing among the information security
   community and interoperability among tools.

   This draft is part of the OVAL contribution to the IETF SACM WG that
   standardizes the representation used to analyze a system for the
   presence of a specific machine state.  It is intended to serve as a
   starting point for the endpoint posture assessment data modeling
   needs of SACM, specifically Collection Guidance and Evaluation
   Guidance.
1.1.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

2.  oval_definitions

   The oval_definitions type defines the base structure in the OVAL
   Definitions Model for representing a collection of OVAL Definitions.
   This container type adds metadata about the origin of the content and
   allows for a signature.

   +-------------+--------------------+-------+------------------------+
   | Property    | Type               | Count | Description            |
   +-------------+--------------------+-------+------------------------+
   | generator   | oval:GeneratorType | 1     | Provides information   |
   |             |                    |       | regarding the origin   |
   |             |                    |       | of the OVAL Content.   |
   |             |                    |       | The timestamp property |
   |             |                    |       | of the generator MUST  |
   |             |                    |       | represent the time at  |
   |             |                    |       | which the              |
   |             |                    |       | oval_definitions was   |
   |             |                    |       | created.               |
   |             |                    |       |                        |
   | definitions | DefinitionsType    | 0..1  | Container for OVAL     |
   |             |                    |       | Definitions.           |
   |             |                    |       |                        |
   | tests       | TestsType          | 0..1  | Container for OVAL     |
   |             |                    |       | Tests.                 |
   |             |                    |       |                        |
   | objects     | ObjectsType        | 0..1  | Container for OVAL     |
   |             |                    |       | Objects.               |
   |             |                    |       |                        |
   | states      | StatesType         | 0..1  | Container for OVAL     |
   |             |                    |       | States.                |
   |             |                    |       |                        |
   | variables   | VariablesType      | 0..1  | Container for OVAL     |
   |             |                    |       | Variables.             |
   |             |                    |       |                        |
   | signature   | ext:Signature      | 0..1  | Mechanism to ensure    |
   |             |                    |       | the integrity and      |
   |             |                    |       | authenticity of the    |
   |             |                    |       | content.               |
   +-------------+--------------------+-------+------------------------+

                     Table 1: oval_definitions Construct

3.  DefinitionsType

   The DefinitionsType provides a container for one or more OVAL
   Definitions.
   +------------+----------------+-------+-----------------------------+
   | Property   | Type           | Count | Description                 |
   +------------+----------------+-------+-----------------------------+
   | definition | DefinitionType | 1..*  | One or more OVAL            |
   |            |                |       | Definitions.                |
   +------------+----------------+-------+-----------------------------+

                     Table 2: DefinitionsType Construct

4.  DefinitionType

   The DefinitionType defines a single OVAL Definition.  An OVAL
   Definition is the key structure in the OVAL Definitions Model.  It is
   a collection of logical statements that combine to make an overall
   assertion about a system state, together with metadata about the
   assertion.

   +------------+--------------------------+-------+-------------------+
   | Property   | Type                     | Count | Description       |
   +------------+--------------------------+-------+-------------------+
   | id         | oval:DefinitionIDPattern | 1     | The globally      |
   |            |                          |       | unique identifier |
   |            |                          |       | of the OVAL       |
   |            |                          |       | Definition.       |
   |            |                          |       |                   |
   | version    | unsigned integer         | 1     | The version of    |
   |            |                          |       | the OVAL          |
   |            |                          |       | Definition.       |
   |            |                          |       |                   |
   | class      | oval:ClassEnumeration    | 1     | The class of the  |
   |            |                          |       | OVAL Definition.  |
   |            |                          |       |                   |
   | deprecated | boolean                  | 0..1  | Whether or not    |
   |            |                          |       | the OVAL          |
   |            |                          |       | Definition has    |
   |            |                          |       | been deprecated.  |
   |            |                          |       | Default Value:    |
   |            |                          |       | 'false'.          |
   |            |                          |       |                   |
   | metadata   | MetadataType             | 1     | Container for     |
   |            |                          |       | metadata          |
   |            |                          |       | associated with   |
   |            |                          |       | the OVAL          |
   |            |                          |       | Definition.       |
   |            |                          |       | Metadata is       |
   |            |                          |       | informational     |
   |            |                          |       | only and does not |
   |            |                          |       | impact the        |
   |            |                          |       | evaluation of the |
   |            |                          |       | OVAL Definition.  |
   |            |                          |       |                   |
   | notes      | NotesType                | 0..1  | A container for   |
   |            |                          |       | individual notes  |
   |            |                          |       | that describe     |
   |            |                          |       | some aspect of    |
   |            |                          |       | the OVAL          |
   |            |                          |       | Definition.       |
   |            |                          |       |                   |
   | criteria   | CriteriaType             | 0..1  | A container for   |
   |            |                          |       | the logical       |
   |            |                          |       | criteria that is  |
   |            |                          |       | defined by the    |
   |            |                          |       | OVAL Definition.  |
   |            |                          |       | All               |
   |            |                          |       | non-deprecated    |
   |            |                          |       | OVAL Definitions  |
   |            |                          |       | MUST contain at   |
   |            |                          |       | least one         |
   |            |                          |       | criteria to       |
   |            |                          |       | express the       |
   |            |                          |       | logical assertion |
   |            |                          |       | being made by the |
   |            |                          |       | OVAL Definition.  |
   |            |                          |       |                   |
   | signature  | ext:Signature            | 0..1  | Mechanism to      |
   |            |                          |       | ensure the        |
   |            |                          |       | integrity and     |
   |            |                          |       | authenticity of   |
   |            |                          |       | the content.      |
   +------------+--------------------------+-------+-------------------+

                      Table 3: DefinitionType Construct

5.  MetadataType

   The MetadataType is a container for additional metadata that
   describes an OVAL Definition.

   +-----------------+---------------+-------+-------------------------+
   | Property        | Type          | Count | Description             |
   +-----------------+---------------+-------+-------------------------+
   | title           | string        | 1     | A short text title for  |
   |                 |               |       | the OVAL Definition.    |
   |                 |               |       |                         |
   | affected        | AffectedType  | 0..*  | A container for the     |
   |                 |               |       | list of platforms       |
   |                 |               |       | affected by a given     |
   |                 |               |       | OVAL Definition.        |
   |                 |               |       |                         |
   | reference       | ReferenceType | 0..*  | References allow        |
   |                 |               |       | pointers to external    |
   |                 |               |       | information about an    |
   |                 |               |       | OVAL Definition.        |
   |                 |               |       |                         |
   | description     | string        | 1     | A detailed text         |
   |                 |               |       | description of the OVAL |
   |                 |               |       | Definition.             |
   |                 |               |       |                         |
   | extension_point | Any           | 0..*  | An extension point that |
   |                 |               |       | allows for the          |
   |                 |               |       | inclusion of any        |
   |                 |               |       | additional metadata     |
   |                 |               |       | associated with the     |
   |                 |               |       | OVAL Definition.        |
   +-----------------+---------------+-------+-------------------------+

                       Table 4: MetadataType Construct

   The extension_point property is not considered a part of the OVAL
   Language proper, but rather an extension point that allows
   organizations to expand the OVAL Language to better suit their needs.

6.  AffectedType

   The AffectedType is a container type for the list of affected
   platforms and products.  Note that the absence of a platform or
   product implies that the OVAL Definition applies to all platforms or
   products.

   +----------+------------------------+-------+-----------------------+
   | Property | Type                   | Count | Description           |
   +----------+------------------------+-------+-----------------------+
   | family   | oval:FamilyEnumeration | 1     | The high-level        |
   |          |                        |       | classification of the |
   |          |                        |       | system type.          |
   |          |                        |       |                       |
   | platform | string                 | 0..*  | The name identifying  |
   |          |                        |       | a specific software   |
   |          |                        |       | platform.  Convention |
   |          |                        |       | is not to spell out   |
   |          |                        |       | the names.            |
   |          |                        |       |                       |
   | product  | string                 | 0..*  | The name identifying  |
   |          |                        |       | a specific software   |
   |          |                        |       | product.  Convention  |
   |          |                        |       | is to spell out the   |
   |          |                        |       | names.                |
   +----------+------------------------+-------+-----------------------+

                       Table 5: AffectedType Construct

7.  ReferenceType

   The ReferenceType is a pointer to an external reference that supports
   or adds more information to an OVAL Definition.

   +----------+--------+-------+-----------------------------------+
   | Property | Type   | Count | Description                       |
   +----------+--------+-------+-----------------------------------+
   | source   | string | 1     | The source of the reference.      |
   |          |        |       |                                   |
   | ref_id   | string | 1     | The identifier for the reference. |
   |          |        |       |                                   |
   | ref_url  | URI    | 0..1  | The URL for the reference.        |
   +----------+--------+-------+-----------------------------------+

                      Table 6: ReferenceType Construct

8.  NotesType

   The NotesType is a container for one or more notes, providing
   additional information such as unresolved questions, reasons for a
   specific implementation, or other documentation.

   +----------+--------+-------+-------------------------+
   | Property | Type   | Count | Description             |
   +----------+--------+-------+-------------------------+
   | note     | string | 1..*  | One or more text notes. |
   +----------+--------+-------+-------------------------+

                        Table 7: NotesType Construct

9.  CriteriaType

   The CriteriaType defines the structure of a logical statement that
   combines other logical statements.  This construct is used to combine
   references to OVAL Tests, OVAL Definitions, and other CriteriaTypes
   into one logical statement.

   +---------------------+--------------------------+-------+--------------------+
   | Property            | Type                     | Count | Description        |
   +---------------------+--------------------------+-------+--------------------+
   | operator            | oval:OperatorEnumeration | 0..1  | The logical        |
   |                     |                          |       | operator that is   |
   |                     |                          |       | used to combine    |
   |                     |                          |       | the individual     |
   |                     |                          |       | results of the     |
   |                     |                          |       | logical statements |
   |                     |                          |       | defined by the     |
   |                     |                          |       | criteria,          |
   |                     |                          |       | criterion, and     |
   |                     |                          |       | extend_definition  |
   |                     |                          |       | properties.        |
   |                     |                          |       | Default Value:     |
   |                     |                          |       | 'AND'.             |
   |                     |                          |       |                    |
   | negate              | boolean                  | 0..1  | Specifies whether  |
   |                     |                          |       | or not the         |
   |                     |                          |       | evaluation result  |
   |                     |                          |       | of the             |
   |                     |                          |       | CriteriaType       |
   |                     |                          |       | should be negated. |
   |                     |                          |       | Default Value:     |
   |                     |                          |       | 'false'.           |
   |                     |                          |       |                    |
   | comment             | oval:NonEmptyStringType  | 0..1  | A short            |
   |                     |                          |       | description of     |
   |                     |                          |       | the criteria.      |
   |                     |                          |       |                    |
   | criteria            | CriteriaType             | 0..*  | A collection of    |
   |                     |                          |       | logical statements |
   |                     |                          |       | that will be       |
   |                     |                          |       | combined according |
   |                     |                          |       | to the operator    |
   |                     |                          |       | property.  At      |
   |                     |                          |       | least one          |
   |                     |                          |       | criteria,          |
   |                     |                          |       | criterion, or      |
   |                     |                          |       | extend_definition  |
   |                     |                          |       | MUST be present.   |
   |                     |                          |       |                    |
   | criterion           | CriterionType            | 0..*  | A logical          |
   |                     |                          |       | statement that     |
   |                     |                          |       | references an OVAL |
   |                     |                          |       | Test and will be   |
   |                     |                          |       | combined according |
   |                     |                          |       | to the operator    |
   |                     |                          |       | property.  At      |
   |                     |                          |       | least one          |
   |                     |                          |       | criteria,          |
   |                     |                          |       | criterion, or      |
   |                     |                          |       | extend_definition  |
   |                     |                          |       | MUST be present.   |
   |                     |                          |       |                    |
   | extend_definition   | ExtendDefinitionType     | 0..*  | A logical          |
   |                     |                          |       | statement that     |
   |                     |                          |       | references an OVAL |
   |                     |                          |       | Definition and     |
   |                     |                          |       | will be combined   |
   |                     |                          |       | according to the   |
   |                     |                          |       | operator property. |
   |                     |                          |       | At least one       |
   |                     |                          |       | criteria,          |
   |                     |                          |       | criterion, or      |
   |                     |                          |       | extend_definition  |
   |                     |                          |       | MUST be present.   |
   |                     |                          |       |                    |
   | applicability_check | boolean                  | 0..1  | A boolean flag     |
   |                     |                          |       | that when 'true'   |
   |                     |                          |       | indicates that the |
   |                     |                          |       | criteria is being  |
   |                     |                          |       | used to determine  |
   |                     |                          |       | whether the OVAL   |
   |                     |                          |       | Definition applies |
   |                     |                          |       | to a given system. |
   |                     |                          |       | No additional      |
   |                     |                          |       | meaning is assumed |
   |                     |                          |       | when 'false'.      |
   +---------------------+--------------------------+-------+--------------------+

                       Table 8: CriteriaType Construct

10.  CriterionType

   The CriterionType is a logical statement that references an OVAL
   Test.
   +---------------------+--------------------------+-------+--------------------+
   | Property            | Type                     | Count | Description        |
   +---------------------+--------------------------+-------+--------------------+
   | test_ref            | oval:TestIDPattern       | 1     | The globally       |
   |                     |                          |       | unique identifier  |
   |                     |                          |       | of an OVAL Test    |
   |                     |                          |       | contained in the   |
   |                     |                          |       | OVAL Definitions.  |
   |                     |                          |       |                    |
   | negate              | boolean                  | 0..1  | Specifies whether  |
   |                     |                          |       | or not the         |
   |                     |                          |       | evaluation result  |
   |                     |                          |       | of the OVAL Test,  |
   |                     |                          |       | referenced by the  |
   |                     |                          |       | test_ref property, |
   |                     |                          |       | should be negated. |
   |                     |                          |       | Default Value:     |
   |                     |                          |       | 'false'.           |
   |                     |                          |       |                    |
   | comment             | oval:NonEmptyStringType  | 0..1  | A short            |
   |                     |                          |       | description of     |
   |                     |                          |       | the criterion.     |
   |                     |                          |       |                    |
   | applicability_check | boolean                  | 0..1  | A boolean flag     |
   |                     |                          |       | that when 'true'   |
   |                     |                          |       | indicates that the |
   |                     |                          |       | criterion is being |
   |                     |                          |       | used to determine  |
   |                     |                          |       | whether the OVAL   |
   |                     |                          |       | Definition applies |
   |                     |                          |       | to a given system. |
   |                     |                          |       | No additional      |
   |                     |                          |       | meaning is assumed |
   |                     |                          |       | when 'false'.      |
   +---------------------+--------------------------+-------+--------------------+

                      Table 9: CriterionType Construct

11.  ExtendDefinitionType

   The ExtendDefinitionType is a logical statement that references
   another OVAL Definition.
   +---------------------+--------------------------+-------+--------------------+
   | Property            | Type                     | Count | Description        |
   +---------------------+--------------------------+-------+--------------------+
   | definition_ref      | oval:DefinitionIDPattern | 1     | The globally       |
   |                     |                          |       | unique identifier  |
   |                     |                          |       | of an OVAL         |
   |                     |                          |       | Definition         |
   |                     |                          |       | contained in the   |
   |                     |                          |       | OVAL Definitions.  |
   |                     |                          |       |                    |
   | negate              | boolean                  | 0..1  | Specifies whether  |
   |                     |                          |       | or not the         |
   |                     |                          |       | evaluation result  |
   |                     |                          |       | of the OVAL        |
   |                     |                          |       | Definition,        |
   |                     |                          |       | referenced by the  |
   |                     |                          |       | definition_ref     |
   |                     |                          |       | property, should   |
   |                     |                          |       | be negated.        |
   |                     |                          |       | Default Value:     |
   |                     |                          |       | 'false'.           |
   |                     |                          |       |                    |
   | comment             | oval:NonEmptyStringType  | 0..1  | A short            |
   |                     |                          |       | description of     |
   |                     |                          |       | the extended OVAL  |
   |                     |                          |       | Definition.        |
   |                     |                          |       |                    |
   | applicability_check | boolean                  | 0..1  | A boolean flag     |
   |                     |                          |       | that when 'true'   |
   |                     |                          |       | indicates that the |
   |                     |                          |       | ExtendDefinition   |
   |                     |                          |       | is being used to   |
   |                     |                          |       | determine whether  |
   |                     |                          |       | the OVAL           |
   |                     |                          |       | Definition applies |
   |                     |                          |       | to a given system. |
   |                     |                          |       | No additional      |
   |                     |                          |       | meaning is assumed |
   |                     |                          |       | when 'false'.      |
   +---------------------+--------------------------+-------+--------------------+

                  Table 10: ExtendDefinitionType Construct

12.  TestsType

   The TestsType provides a container for one or more OVAL Tests.

   +----------+----------+-------+-------------------------+
   | Property | Type     | Count | Description             |
   +----------+----------+-------+-------------------------+
   | test     | TestType | 1..*  | One or more OVAL Tests. |
   +----------+----------+-------+-------------------------+

                        Table 11: TestsType Construct

13.  TestType

   The TestType is an abstract OVAL Test that defines the common
   properties associated with all OVAL Tests.  The TestType provides an
   extension point for concrete OVAL Tests, which define platform-
   specific capabilities in the OVAL Component Models.  An OVAL Test
   defines the relationship between an OVAL Object and zero or more OVAL
   States, specifying exactly how many OVAL Items must exist on the
   system and how many of those OVAL Items must satisfy the set of
   referenced OVAL States.

   +-----------------+---------------------------+-------+------------------------+
   | Property        | Type                      | Count | Description            |
   +-----------------+---------------------------+-------+------------------------+
   | id              | oval:TestIDPattern        | 1     | The globally unique    |
   |                 |                           |       | identifier of an OVAL  |
   |                 |                           |       | Test.                  |
   |                 |                           |       |                        |
   | version         | unsigned int              | 1     | The version of the     |
   |                 |                           |       | unique OVAL Test.      |
   |                 |                           |       |                        |
   | check_existence | oval:ExistenceEnumeration | 0..1  | Specifies how many     |
   |                 |                           |       | OVAL Items must exist, |
   |                 |                           |       | on the system, in      |
   |                 |                           |       | order for the OVAL     |
   |                 |                           |       | Test to evaluate to    |
   |                 |                           |       | 'true'.  Default       |
   |                 |                           |       | Value:                 |
   |                 |                           |       | 'at_least_one_exists'. |
   |                 |                           |       |                        |
   | check           | oval:CheckEnumeration     | 1     | Specifies how many of  |
   |                 |                           |       | the collected OVAL     |
   |                 |                           |       | Items must satisfy the |
   |                 |                           |       | requirements specified |
   |                 |                           |       | by the OVAL State(s)   |
   |                 |                           |       | in order for the OVAL  |
   |                 |                           |       | Test to evaluate to    |
   |                 |                           |       | 'true'.                |
   |                 |                           |       |                        |
   | state_operator  | oval:OperatorEnumeration  | 0..1  | Specifies how to       |
   |                 |                           |       | logically combine the  |
   |                 |                           |       | OVAL States referenced |
   |                 |                           |       | in the OVAL Test.      |
   |                 |                           |       | Default Value: 'AND'.  |
   |                 |                           |       |                        |
   | comment         | oval:NonEmptyStringType   | 1     | A short description of |
   |                 |                           |       | the OVAL Test.  This   |
   |                 |                           |       | value SHOULD describe  |
   |                 |                           |       | the intent of the OVAL |
   |                 |                           |       | Test including the     |
   |                 |                           |       | system information     |
   |                 |                           |       | that is examined and   |
   |                 |                           |       | the expected state of  |
   |                 |                           |       | that information.      |
   |                 |                           |       |                        |
   | deprecated      | boolean                   | 0..1  | Whether or not the     |
   |                 |                           |       | OVAL Test has been     |
   |                 |                           |       | deprecated.  A         |
   |                 |                           |       | deprecated OVAL Test   |
   |                 |                           |       | is one that should no  |
   |                 |                           |       | longer be referenced   |
   |                 |                           |       | by new OVAL Content.   |
   |                 |                           |       | Default Value:         |
   |                 |                           |       | 'false'.               |
   |                 |                           |       |                        |
   | notes           | NotesType                 | 0..1  | A container for        |
   |                 |                           |       | individual notes that  |
   |                 |                           |       | describe some aspect   |
   |                 |                           |       | of the OVAL Test.      |
   |                 |                           |       |                        |
   | signature       | ext:Signature             | 0..1  | Mechanism to ensure    |
   |                 |                           |       | the integrity and      |
   |                 |                           |       | authenticity of the    |
   |                 |                           |       | content.               |
   +-----------------+---------------------------+-------+------------------------+

                        Table 12: TestType Construct

14.  ObjectRefType

   The ObjectRefType provides a reference to an existing OVAL Object.

   +------------+----------------------+-------+-----------------------+
   | Property   | Type                 | Count | Description           |
   +------------+----------------------+-------+-----------------------+
   | object_ref | oval:ObjectIDPattern | 1     | A reference to an     |
   |            |                      |       | existing OVAL Object. |
   +------------+----------------------+-------+-----------------------+

                      Table 13: ObjectRefType Construct

15.  StateRefType

   The StateRefType provides a reference to an existing OVAL State.
   +-----------+---------------------+-------+-------------------------+
   | Property  | Type                | Count | Description             |
   +-----------+---------------------+-------+-------------------------+
   | state_ref | oval:StateIDPattern | 1     | A reference to an       |
   |           |                     |       | existing OVAL State.    |
   +-----------+---------------------+-------+-------------------------+

                      Table 14: StateRefType Construct

16.  ObjectsType

   The ObjectsType provides a container for one or more OVAL Objects.

   +----------+------------+-------+-------------------------------+
   | Property | Type       | Count | Description                   |
   +----------+------------+-------+-------------------------------+
   | object   | ObjectType | 1..*  | A collection of OVAL Objects. |
   +----------+------------+-------+-------------------------------+

                       Table 15: ObjectsType Construct

17.  ObjectType

   The ObjectType is an abstract OVAL Object that defines the common
   properties associated with all OVAL Objects.  The ObjectType provides
   an extension point for normal or "concrete" OVAL Objects, which
   define platform-specific capabilities, in the OVAL Component Models.
   A concrete OVAL Object MUST define sufficient entities to allow a
   user to identify a unique item to be collected.

   A concrete OVAL Object may define a set of zero or more OVAL
   Behaviors.  OVAL Behaviors define an action that can further specify
   the set of OVAL Items that match an OVAL Object.  OVAL Behaviors may
   depend on other OVAL Behaviors or may be independent of them.  In
   addition, OVAL Behaviors are specific to OVAL Objects and are defined
   in the OVAL Component Models.
   +------------+-------------------------+-------+--------------------+
   | Property   | Type                    | Count | Description        |
   +------------+-------------------------+-------+--------------------+
   | id         | oval:ObjectIDPattern    | 1     | The globally       |
   |            |                         |       | unique identifier  |
   |            |                         |       | of an OVAL Object  |
   |            |                         |       | contained in the   |
   |            |                         |       | OVAL Definitions.  |
   |            |                         |       |                    |
   | version    | unsigned int            | 1     | The version of the |
   |            |                         |       | globally unique    |
   |            |                         |       | OVAL Object        |
   |            |                         |       | referenced by the  |
   |            |                         |       | id property.       |
   |            |                         |       |                    |
   | comment    | oval:NonEmptyStringType | 1     | A short            |
   |            |                         |       | description of the |
   |            |                         |       | OVAL Object.       |
   |            |                         |       |                    |
   | deprecated | boolean                 | 0..1  | Whether or not the |
   |            |                         |       | OVAL Object has    |
   |            |                         |       | been deprecated.   |
   |            |                         |       | Default Value:     |
   |            |                         |       | 'false'.           |
   |            |                         |       |                    |
   | notes      | NotesType               | 0..1  | A container for    |
   |            |                         |       | individual notes   |
   |            |                         |       | that describe some |
   |            |                         |       | aspect of the OVAL |
   |            |                         |       | Object.            |
   |            |                         |       |                    |
   | signature  | ext:Signature           | 0..1  | Mechanism to       |
   |            |                         |       | ensure the         |
   |            |                         |       | integrity and      |
   |            |                         |       | authenticity of    |
   |            |                         |       | the content.       |
   +------------+-------------------------+-------+--------------------+

                      Table 16: ObjectType Construct

18.  set

   The set construct enables the expression of complex OVAL Objects that
   are the result of logically combining and filtering the OVAL Items
   that are identified by one or more other OVAL Objects.  A set can
   consist of either one or two nested sets or one or two references to
   other OVAL Objects and a collection of OVAL Filters.
   +------------------+------------------------+-------+------------------+
   | Property         | Type                   | Count | Description      |
   +------------------+------------------------+-------+------------------+
   | set_operator     | SetOperatorEnumeration | 0..1  | Specifies the    |
   |                  |                        |       | set operation to |
   |                  |                        |       | use when         |
   |                  |                        |       | combining        |
   |                  |                        |       | subsets. Default |
   |                  |                        |       | Value: 'UNION'.  |
   |                  |                        |       |                  |
   | set              | set                    | 0..2  | Allowed nested   |
   |                  |                        |       | sets.            |
   |                  |                        |       |                  |
   | object_reference | oval:ObjectIDPattern   | 0..2  | A reference to   |
   |                  |                        |       | an OVAL Object   |
   |                  |                        |       | based upon its   |
   |                  |                        |       | ID.  An          |
   |                  |                        |       | object_reference |
   |                  |                        |       | indicates that   |
   |                  |                        |       | any OVAL Items   |
   |                  |                        |       | identified by    |
   |                  |                        |       | the referenced   |
   |                  |                        |       | OVAL Object are  |
   |                  |                        |       | included in the  |
   |                  |                        |       | set.  The        |
   |                  |                        |       | referenced OVAL  |
   |                  |                        |       | Object MUST be   |
   |                  |                        |       | contained within |
   |                  |                        |       | the current      |
   |                  |                        |       | instance of the  |
   |                  |                        |       | OVAL Definitions |
   |                  |                        |       | Model and MUST   |
   |                  |                        |       | be of the same   |
   |                  |                        |       | type as the OVAL |
   |                  |                        |       | Object that is   |
   |                  |                        |       | referencing it.  |
   |                  |                        |       |                  |
   | filter           | filter                 | 0..n  | Defines one or   |
   |                  |                        |       | more filters to  |
   |                  |                        |       | apply to         |
   |                  |                        |       | combined data.   |
   +------------------+------------------------+-------+------------------+

                          Table 17: set Construct

19.  filter

   The filter construct allows the explicit inclusion or exclusion of
   OVAL Items from a collection of OVAL Items based upon an OVAL State.

   +----------+-------------------------+-------+----------------------+
   | Property | Type                    | Count | Description          |
   +----------+-------------------------+-------+----------------------+
   | action   | FilterActionEnumeration | 0..1  | Defines the type of  |
   |          |                         |       | filter.  Default     |
   |          |                         |       | Value: 'exclude'.    |
   |          |                         |       |                      |
   | value    | oval:StateIDPattern     | 1     | A reference to an    |
   |          |                         |       | OVAL State that      |
   |          |                         |       | defines how the data |
   |          |                         |       | should be filtered.  |
   |          |                         |       | The referenced OVAL  |
   |          |                         |       | State MUST be        |
   |          |                         |       | contained within the |
   |          |                         |       | current instance of  |
   |          |                         |       | the OVAL Definitions |
   |          |                         |       | Model and MUST be of |
   |          |                         |       | the same type as the |
   |          |                         |       | OVAL Object that is  |
   |          |                         |       | referencing it.      |
   +----------+-------------------------+-------+----------------------+

                       Table 18: filter Construct

20.  StatesType

   The StatesType provides a container for one or more OVAL States.

   +----------+-----------+-------+------------------------------+
   | Property | Type      | Count | Description                  |
   +----------+-----------+-------+------------------------------+
   | state    | StateType | 1..*  | A collection of OVAL States. |
   +----------+-----------+-------+------------------------------+

                     Table 19: StatesType Construct

21.  StateType

   The StateType is an abstract OVAL State that defines the common
   properties associated with all OVAL States.  The StateType provides
   an extension point for concrete OVAL States, which extend it to
   define platform-specific capabilities in the OVAL Component Models.
   Each concrete OVAL State is comprised of a set of entities that
   describe a specific system state.

   +------------+--------------------------+-------+-------------------+
   | Property   | Type                     | Count | Description       |
   +------------+--------------------------+-------+-------------------+
   | id         | oval:StateIDPattern      | 1     | The globally      |
   |            |                          |       | unique identifier |
   |            |                          |       | of an OVAL State  |
   |            |                          |       | contained in the  |
   |            |                          |       | OVAL Definitions. |
   |            |                          |       |                   |
   | version    | unsigned int             | 1     | The version of    |
   |            |                          |       | the globally      |
   |            |                          |       | unique OVAL State |
   |            |                          |       | referenced by the |
   |            |                          |       | id property.      |
   |            |                          |       |                   |
   | operator   | oval:OperatorEnumeration | 0..1  | The value to be   |
   |            |                          |       | used as the       |
   |            |                          |       | operator for the  |
   |            |                          |       | OVAL State, in    |
   |            |                          |       | order to know how |
   |            |                          |       | to combine the    |
   |            |                          |       | set of entities   |
   |            |                          |       | defined within    |
   |            |                          |       | the concrete OVAL |
   |            |                          |       | State.  Default   |
   |            |                          |       | Value: 'AND'.     |
   |            |                          |       |                   |
   | comment    | oval:NonEmptyStringType  | 1     | A short           |
   |            |                          |       | description of    |
   |            |                          |       | the OVAL State.   |
   |            |                          |       |                   |
   | deprecated | boolean                  | 0..1  | Whether or not    |
   |            |                          |       | the OVAL State    |
   |            |                          |       | has been          |
   |            |                          |       | deprecated.       |
   |            |                          |       | Default Value:    |
   |            |                          |       | 'false'.          |
   |            |                          |       |                   |
   | notes      | NotesType                | 0..1  | A container for   |
   |            |                          |       | individual notes  |
   |            |                          |       | that describe     |
   |            |                          |       | some aspect of    |
   |            |                          |       | the OVAL State.   |
   |            |                          |       |                   |
   | signature  | ext:Signature            | 0..1  | Mechanism to      |
   |            |                          |       | ensure the        |
   |            |                          |       | integrity and     |
   |            |                          |       | authenticity of   |
   |            |                          |       | the content.      |
   +------------+--------------------------+-------+-------------------+

                      Table 20: StateType Construct

22.  VariablesType

   The VariablesType provides a container for one or more OVAL
   Variables.

   +----------+--------------+-------+---------------------------------+
   | Property | Type         | Count | Description                     |
   +----------+--------------+-------+---------------------------------+
   | variable | VariableType | 1..*  | A collection of OVAL Variables. |
   +----------+--------------+-------+---------------------------------+

                    Table 21: VariablesType Construct
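   The combination of the set construct (Section 18), the filter
   construct (Section 19) and the StateType operator (Section 21), as
   an added Python example that is not part of this draft.  The
   collected items, object ids and state ids are constructed; the draft
   names only the defaults 'UNION', 'exclude' and 'AND', so the other
   enumeration members used below ('INTERSECTION', 'COMPLEMENT',
   'include', 'OR') and the meaning of COMPLEMENT are assumptions taken
   from the OVAL enumerations the draft references.

```python
"""Evaluate an OVAL 'set' construct over already-collected OVAL Items.

Added example, not the draft's own code.  It models Section 18 (set),
Section 19 (filter) and the StateType 'operator' of Section 21.  The
draft names only the defaults 'UNION', 'exclude' and 'AND'; the other
members below ('INTERSECTION', 'COMPLEMENT', 'include', 'OR') are
assumed, and COMPLEMENT is taken to mean "items of the first subset
that are not in the second".
"""

SET_OPERATORS = ("UNION", "INTERSECTION", "COMPLEMENT")
FILTER_ACTIONS = ("include", "exclude")
STATE_OPERATORS = ("AND", "OR")

# Constructed sample data.  Collected items are keyed by an item id so
# that the same item reached through two OVAL Objects is counted once.
OBJECTS = {
    "oval:example:obj:1": {
        "item-1": {"filename": "passwd", "uid": 0, "mode": "0644"},
        "item-2": {"filename": "shadow", "uid": 0, "mode": "0640"},
    },
    "oval:example:obj:2": {
        "item-2": {"filename": "shadow", "uid": 0, "mode": "0640"},
        "item-3": {"filename": "hosts", "uid": 1000, "mode": "0644"},
    },
}
STATES = {
    # root-owned and world-readable
    "oval:example:ste:1": {"operator": "AND",
                           "entities": {"uid": 0, "mode": "0644"}},
}


def state_matches(state, item):
    """Compare each state entity with the item entity of the same name
    and combine the per-entity results with the state's operator
    (Default Value: 'AND')."""
    op = state.get("operator", "AND")
    if op not in STATE_OPERATORS:
        raise ValueError(f"unknown state operator {op!r}")
    results = [item.get(name) == expected
               for name, expected in state["entities"].items()]
    return all(results) if op == "AND" else any(results)


def combine(set_operator, subsets):
    """Combine one or two subsets (dicts of item id -> item)."""
    if set_operator not in SET_OPERATORS:
        raise ValueError(f"unknown set_operator {set_operator!r}")
    if len(subsets) == 1:
        return dict(subsets[0])
    first, second = subsets
    if set_operator == "UNION":
        return {**first, **second}
    if set_operator == "INTERSECTION":
        return {k: v for k, v in first.items() if k in second}
    return {k: v for k, v in first.items() if k not in second}


def apply_filters(items, filters, states):
    """Keep or drop items according to each filter's action
    (Default Value: 'exclude') and the OVAL State it references."""
    kept = dict(items)
    for flt in filters:
        action = flt.get("action", "exclude")
        if action not in FILTER_ACTIONS:
            raise ValueError(f"unknown filter action {action!r}")
        state = states[flt["value"]]   # the state MUST exist in this document
        keep_matching = action == "include"
        kept = {k: v for k, v in kept.items()
                if state_matches(state, v) == keep_matching}
    return kept


def evaluate_set(set_def, objects=OBJECTS, states=STATES):
    """Resolve a set: one or two nested sets, or one or two object
    references, combined with set_operator and then filtered."""
    nested = set_def.get("set", [])
    refs = set_def.get("object_reference", [])
    if nested and refs:
        raise ValueError("a set holds nested sets or object references, not both")
    if not 1 <= len(nested) + len(refs) <= 2:
        raise ValueError("a set needs one or two subsets")
    if nested:
        subsets = [evaluate_set(s, objects, states) for s in nested]
    else:
        missing = [r for r in refs if r not in objects]
        if missing:   # the referenced object MUST exist in this document
            raise KeyError(f"unknown object_reference {missing}")
        subsets = [objects[r] for r in refs]
    combined = combine(set_def.get("set_operator", "UNION"), subsets)
    return apply_filters(combined, set_def.get("filter", []), states)


if __name__ == "__main__":
    not_root_readable = evaluate_set({
        "object_reference": ["oval:example:obj:1", "oval:example:obj:2"],
        "filter": [{"value": "oval:example:ste:1"}],   # action defaults to 'exclude'
    })
    print(sorted(not_root_readable))   # ['item-2', 'item-3']
```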
23.  VariableType

   The VariableType is an abstract OVAL Variable that defines the common
   properties associated with all OVAL Variables defined in the OVAL
   Definitions Model.  The VariableType provides an extension point for
   concrete OVAL Variables.  Concrete OVAL Variables extend this type to
   provide specific details.

   Each concrete OVAL Variable has a collection of values.  This
   collection of values may be the empty set.  The proper handling of an
   empty collection of values for a given variable is left to the
   context in which the OVAL Variable is used.  In some contexts an
   empty collection of values will be an error, and in other contexts an
   empty collection of values will be needed for proper evaluation.
   This context-sensitive behavior is defined in
   [I-D.draft-haynes-sacm-oval-processing-model].  All OVAL Variable
   values MUST conform to the datatype specified by the datatype
   property.

   +------------+--------------------------------+-------+---------------+
   | Property   | Type                           | Count | Description   |
   +------------+--------------------------------+-------+---------------+
   | id         | oval:VariableIDPattern         | 1     | The globally  |
   |            |                                |       | unique        |
   |            |                                |       | identifier of |
   |            |                                |       | an OVAL       |
   |            |                                |       | Variable      |
   |            |                                |       | contained in  |
   |            |                                |       | the OVAL      |
   |            |                                |       | Definitions.  |
   |            |                                |       |               |
   | version    | unsigned int                   | 1     | The version   |
   |            |                                |       | of the        |
   |            |                                |       | globally      |
   |            |                                |       | unique OVAL   |
   |            |                                |       | Variable      |
   |            |                                |       | referenced by |
   |            |                                |       | the id        |
   |            |                                |       | property.     |
   |            |                                |       |               |
   | datatype   | oval:SimpleDatatypeEnumeration | 1     | The datatype  |
   |            |                                |       | of the        |
   |            |                                |       | value(s) in   |
   |            |                                |       | the OVAL      |
   |            |                                |       | Variable. The |
   |            |                                |       | 'record'      |
   |            |                                |       | datatype is   |
   |            |                                |       | not supported |
   |            |                                |       | in OVAL       |
   |            |                                |       | Variables.    |
   |            |                                |       |               |
   | comment    | oval:NonEmptyStringType        | 1     | The           |
   |            |                                |       | documentation |
   |            |                                |       | associated    |
   |            |                                |       | with the OVAL |
   |            |                                |       | Variable      |
   |            |                                |       | instance.     |
   |            |                                |       |               |
   | deprecated | boolean                        | 0..1  | Whether or    |
   |            |                                |       | not the OVAL  |
   |            |                                |       | Variable has  |
   |            |                                |       | been          |
   |            |                                |       | deprecated.   |
   |            |                                |       | Default       |
   |            |                                |       | Value:        |
   |            |                                |       | 'false'.      |
   |            |                                |       |               |
   | signature  | ext:Signature                  | 0..1  | Mechanism to  |
   |            |                                |       | ensure the    |
   |            |                                |       | integrity and |
   |            |                                |       | authenticity  |
   |            |                                |       | of the        |
   |            |                                |       | content.      |
   +------------+--------------------------------+-------+---------------+

                     Table 22: VariableType Construct

24.  external_variable

   The external_variable is an extension of the VariableType and
   provides a way of defining variables whose values come from a source
   outside of the OVAL Definition.

   An external_variable can have any number of possible_value and/or
   possible_restriction elements in any order.

   +----------------------+-------------------------+-------+-------------+
   | Property             | Type                    | Count | Description |
   +----------------------+-------------------------+-------+-------------+
   | possible_value       | PossibleValueType       | 0..*  | Defines one |
   |                      |                         |       | acceptable  |
   |                      |                         |       | value for   |
   |                      |                         |       | an external |
   |                      |                         |       | variable.   |
   |                      |                         |       |             |
   | possible_restriction | PossibleRestrictionType | 0..*  | Defines a   |
   |                      |                         |       | range of    |
   |                      |                         |       | acceptable  |
   |                      |                         |       | values for  |
   |                      |                         |       | an external |
   |                      |                         |       | variable.   |
   +----------------------+-------------------------+-------+-------------+

                  Table 23: external_variable Construct

25.  PossibleValueType

   The PossibleValueType provides a way to explicitly state an
   acceptable value for an external variable.
   +----------+--------+-------+---------------------------------------+
   | Property | Type   | Count | Description                           |
   +----------+--------+-------+---------------------------------------+
   | hint     | string | 1     | A short description that describes    |
   |          |        |       | the allowed value.                    |
   |          |        |       |                                       |
   | value    | string | 1     | An acceptable value for the external  |
   |          |        |       | variable.                             |
   +----------+--------+-------+---------------------------------------+

                   Table 24: PossibleValueType Construct

26.  PossibleRestrictionType

   The PossibleRestrictionType provides a way to explicitly list a range
   of acceptable values for an external variable.  The operation
   attribute may be used to combine multiple restriction elements using
   a specified operation.  See the Operator Enumeration Evaluation
   section in [I-D.draft-haynes-sacm-oval-processing-model] for more
   information on how to combine the individual results.

   +-------------+----------------------+-------+----------------------+
   | Property    | Type                 | Count | Description          |
   +-------------+----------------------+-------+----------------------+
   | restriction | RestrictionType      | 1..*  | The restriction that |
   |             |                      |       | is being applied.    |
   |             |                      |       |                      |
   | operation   | OperationEnumeration | 1     | The operation to be  |
   |             |                      |       | applied to the       |
   |             |                      |       | restriction. Default |
   |             |                      |       | Value: 'AND'.        |
   |             |                      |       |                      |
   | hint        | string               | 1     | A short description  |
   |             |                      |       | that describes the   |
   |             |                      |       | allowed value.       |
   +-------------+----------------------+-------+----------------------+

                Table 25: PossibleRestrictionType Construct

27.  RestrictionType

   The RestrictionType defines how to describe a restriction for an
   external variable.
   +-----------+----------------------+-------+------------------------+
   | Property  | Type                 | Count | Description            |
   +-----------+----------------------+-------+------------------------+
   | operation | OperationEnumeration | 1     | The operation to be    |
   |           |                      |       | applied to the         |
   |           |                      |       | restriction.  Default  |
   |           |                      |       | Value: 'AND'.          |
   |           |                      |       |                        |
   | value     | string               | 1     | An acceptable value    |
   |           |                      |       | for the external       |
   |           |                      |       | variable.              |
   +-----------+----------------------+-------+------------------------+

                    Table 26: RestrictionType Construct

28.  constant_variable

   The constant_variable extends the VariableType and provides a way of
   defining variables whose value is immutable.

   +----------+-----------+-------+------------------------------------+
   | Property | Type      | Count | Description                        |
   +----------+-----------+-------+------------------------------------+
   | value    | ValueType | 1..*  | Defines a value represented by the |
   |          |           |       | OVAL Variable.                     |
   +----------+-----------+-------+------------------------------------+

                   Table 27: constant_variable Construct

29.  ValueType

   The ValueType element defines a variable value.

   +----------+--------+-------+---------------------------------------+
   | Property | Type   | Count | Description                           |
   +----------+--------+-------+---------------------------------------+
   | value    | string | 0..*  | Allows any simple type to be used as  |
   |          |        |       | a value. If no value is specified the |
   |          |        |       | value is considered to be the empty   |
   |          |        |       | string.                               |
   +----------+--------+-------+---------------------------------------+

                       Table 28: ValueType Construct

30.  local_variable

   The local_variable is an extension of the VariableType and provides a
   way of defining variables whose value is determined by another local
   OVAL Construct.  The value of this variable is determined at
   evaluation time.

   A local_variable can be constructed from a single component or via
   complex functions to manipulate the referenced components.

   +------------+----------------+-------+-----------------------------+
   | Property   | Type           | Count | Description                 |
   +------------+----------------+-------+-----------------------------+
   | components | ComponentGroup | 1..*  | The collection of           |
   |            |                |       | ComponentGroup constructs   |
   |            |                |       | to be evaluated in the      |
   |            |                |       | local_variable.             |
   +------------+----------------+-------+-----------------------------+

                    Table 29: local_variable Construct

31.  ComponentGroup

   The ComponentGroup defines a set of constructs that can be used
   within a local_variable or OVAL Function.  When defining a
   local_variable or OVAL Function, one or more of these constructs may
   be used to specify the desired collection of values for the OVAL
   Variable.

   +--------------------+-----------------------+-------+--------------+
   | Property           | Type                  | Count | Description  |
   +--------------------+-----------------------+-------+--------------+
   | object_component   | ObjectComponentType   | 0..*  | A component  |
   |                    |                       |       | of an OVAL   |
   |                    |                       |       | Variable     |
   |                    |                       |       | whose value  |
   |                    |                       |       | comes from   |
   |                    |                       |       | an OVAL      |
   |                    |                       |       | Object.      |
   |                    |                       |       |              |
   | variable_component | VariableComponentType | 0..*  | A component  |
   |                    |                       |       | of an OVAL   |
   |                    |                       |       | Variable     |
   |                    |                       |       | whose value  |
   |                    |                       |       | comes from   |
   |                    |                       |       | another OVAL |
   |                    |                       |       | Variable.    |
   |                    |                       |       |              |
   | literal_component  | LiteralComponentType  | 0..*  | A component  |
   |                    |                       |       | of an OVAL   |
   |                    |                       |       | Variable     |
   |                    |                       |       | whose value  |
   |                    |                       |       | is a literal |
   |                    |                       |       | value.       |
   |                    |                       |       |              |
   | functions          | FunctionGroup         | 0..*  | One or more  |
   |                    |                       |       | of a set of  |
   |                    |                       |       | functions    |
   |                    |                       |       | that act     |
   |                    |                       |       | upon one or  |
   |                    |                       |       | more         |
   |                    |                       |       | components   |
   |                    |                       |       | of an OVAL   |
   |                    |                       |       | Variable.    |
   +--------------------+-----------------------+-------+--------------+

                    Table 30: ComponentGroup Construct

32.  LiteralComponentType

   The LiteralComponentType defines the way to provide an immutable
   value to a local_variable.

   +----------+--------------------------------+-------+---------------+
   | Property | Type                           | Count | Description   |
   +----------+--------------------------------+-------+---------------+
   | datatype | oval:SimpleDatatypeEnumeration | 0..1  | Defines the   |
   |          |                                |       | datatype.     |
   |          |                                |       | Default       |
   |          |                                |       | Value:        |
   |          |                                |       | 'string'.     |
   |          |                                |       |               |
   | value    | string                         | 0..1  | The value of  |
   |          |                                |       | the literal   |
   |          |                                |       | component. If |
   |          |                                |       | no value is   |
   |          |                                |       | specified the |
   |          |                                |       | value is      |
   |          |                                |       | considered to |
   |          |                                |       | be the empty  |
   |          |                                |       | string.       |
   +----------+--------------------------------+-------+---------------+

                 Table 31: LiteralComponentType Construct

33.  ObjectComponentType

   The ObjectComponentType defines the mechanism for retrieving OVAL
   Item Entity values, specified by an OVAL Object, to provide one or
   more values to a component of a local_variable or OVAL Function.

   +--------------+-------------------------+-------+------------------+
   | Property     | Type                    | Count | Description      |
   +--------------+-------------------------+-------+------------------+
   | object_ref   | oval:ObjectIDPattern    | 1     | Specifies the    |
   |              |                         |       | identifier for   |
   |              |                         |       | the OVAL Object  |
   |              |                         |       | to which the     |
   |              |                         |       | component        |
   |              |                         |       | refers.          |
   |              |                         |       |                  |
   | item_field   | oval:NonEmptyStringType | 1     | The name of the  |
   |              |                         |       | OVAL Item Entity |
   |              |                         |       | to use for the   |
   |              |                         |       | value(s) of the  |
   |              |                         |       | OVAL Variable.   |
   |              |                         |       |                  |
   | record_field | oval:NonEmptyStringType | 0..1  | Allows a         |
   |              |                         |       | specified field  |
   |              |                         |       | to be retrieved  |
   |              |                         |       | from an OVAL     |
   |              |                         |       | Item Entity that |
   |              |                         |       | has a datatype   |
   |              |                         |       | of 'record'.     |
   +--------------+-------------------------+-------+------------------+

                  Table 32: ObjectComponentType Construct

34.  VariableComponentType

   The VariableComponentType defines the way to specify that the
   value(s) of another OVAL Variable should be used as the value(s) for
   a component of a local_variable or OVAL Function.

   A variable component is a component that resolves to the value(s)
   associated with the referenced OVAL Variable.

   +----------+------------------------+-------+-----------------------+
   | Property | Type                   | Count | Description           |
   +----------+------------------------+-------+-----------------------+
   | var_ref  | oval:VariableIDPattern | 1     | Specifies the         |
   |          |                        |       | identifier for the    |
   |          |                        |       | OVAL Variable to      |
   |          |                        |       | which the component   |
   |          |                        |       | refers.  The var_ref  |
   |          |                        |       | property MUST refer   |
   |          |                        |       | to an existing OVAL   |
   |          |                        |       | Variable.  Care must  |
   |          |                        |       | be taken to ensure    |
   |          |                        |       | that the referenced   |
   |          |                        |       | OVAL Variable does    |
   |          |                        |       | not result in a       |
   |          |                        |       | circular reference as |
   |          |                        |       | it could result in an |
   |          |                        |       | infinite loop when    |
   |          |                        |       | evaluated.            |
   +----------+------------------------+-------+-----------------------+

                 Table 33: VariableComponentType Construct
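   The variable model of Sections 23 to 34 worked through as an added
   Python example that is not part of this draft: externally supplied
   values are checked against possible_value and possible_restriction,
   constant and local variables are resolved, values are checked
   against the declared datatype, and the circular variable_component
   reference that Section 34 warns about is detected and reported
   rather than followed.  The variable ids and content are constructed;
   the comparison operations used in restrictions are assumed members
   of the OperationEnumeration, which this draft references but does
   not list.

```python
"""Resolve OVAL Variables (Sections 23 to 34 of the draft).

Added example, not the draft's own code.  It validates externally
supplied values against possible_value / possible_restriction, resolves
constant_variable and local_variable (literal and variable components
only), checks the declared datatype and detects the circular references
Section 34 warns about.  'equals', 'pattern match', 'greater than' and
'less than' are assumed members of the OperationEnumeration, which the
draft references but does not list; only 'string' and 'int' are modelled.
"""
import re


class CircularReference(Exception):
    """A variable_component chain leads back to a variable being resolved."""


def conforms(value, datatype):
    """All OVAL Variable values MUST conform to the declared datatype."""
    if datatype == "int":
        return re.fullmatch(r"[+-]?\d+", value) is not None
    if datatype == "string":
        return True
    if datatype == "record":
        raise ValueError("'record' is not supported in OVAL Variables")
    raise ValueError(f"datatype {datatype!r} is not modelled here")


def restriction_holds(operation, supplied, restriction_value):
    """Apply one RestrictionType to a supplied value."""
    if operation == "equals":
        return supplied == restriction_value
    if operation == "pattern match":
        return re.search(restriction_value, supplied) is not None
    if operation == "greater than":
        return int(supplied) > int(restriction_value)
    if operation == "less than":
        return int(supplied) < int(restriction_value)
    raise ValueError(f"operation {operation!r} is not modelled here")


def external_value_allowed(variable, supplied):
    """True if supplied equals a possible_value or satisfies a
    possible_restriction (its restrictions combined with the element's
    operation, Default Value: 'AND'); with neither declared, any value."""
    values = variable.get("possible_value", [])
    restrictions = variable.get("possible_restriction", [])
    if not values and not restrictions:
        return True
    if any(pv["value"] == supplied for pv in values):
        return True
    for pr in restrictions:
        results = [restriction_holds(r["operation"], supplied, r["value"])
                   for r in pr["restriction"]]
        combine = all if pr.get("operation", "AND") == "AND" else any
        if results and combine(results):
            return True
    return False


def resolve(var_id, variables, external_values, _chain=()):
    """Values of var_id; _chain is the path of variables being resolved."""
    if var_id in _chain:   # a var_ref back into the path: report, do not loop
        raise CircularReference(" -> ".join(_chain + (var_id,)))
    var = variables[var_id]   # KeyError: var_ref MUST name an existing variable
    if var["kind"] == "constant_variable":
        values = list(var["value"])
    elif var["kind"] == "external_variable":
        values = list(external_values.get(var_id, []))   # may be empty
    else:  # local_variable
        values = []
        for comp in var["components"]:
            if "literal_component" in comp:
                # If no value is specified the value is the empty string.
                values.append(comp["literal_component"].get("value", ""))
            else:
                ref = comp["variable_component"]["var_ref"]
                values.extend(resolve(ref, variables, external_values,
                                      _chain + (var_id,)))
    bad = [v for v in values if not conforms(v, var["datatype"])]
    if bad:
        raise ValueError(f"{bad} do not conform to {var['datatype']!r}")
    if var["kind"] == "external_variable":
        for v in values:
            if not external_value_allowed(var, v):
                raise ValueError(f"{v!r} is not acceptable for {var_id}")
    return values


# Constructed sample content; the ids are placeholders, not real OVAL ids.
VARIABLES = {
    "oval:example:var:1": {"kind": "constant_variable", "datatype": "int",
                           "value": ["22", "2222"]},
    "oval:example:var:2": {"kind": "external_variable", "datatype": "int",
        "possible_value": [{"hint": "default SSH port", "value": "22"}],
        "possible_restriction": [{"hint": "unprivileged port", "operation": "AND",
            "restriction": [{"operation": "greater than", "value": "1023"},
                            {"operation": "less than", "value": "65536"}]}]},
    "oval:example:var:3": {"kind": "local_variable", "datatype": "int", "components": [
        {"variable_component": {"var_ref": "oval:example:var:1"}},
        {"variable_component": {"var_ref": "oval:example:var:2"}}]},
    # var:4 and var:5 refer to each other: a circular reference
    "oval:example:var:4": {"kind": "local_variable", "datatype": "string", "components": [
        {"variable_component": {"var_ref": "oval:example:var:5"}}]},
    "oval:example:var:5": {"kind": "local_variable", "datatype": "string", "components": [
        {"literal_component": {"value": "x"}},
        {"variable_component": {"var_ref": "oval:example:var:4"}}]},
}
```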
35.  FunctionGroup

   The FunctionGroup defines the possible OVAL Functions for use in OVAL
   Content to manipulate collected data.  OVAL Functions can be nested
   within one another to achieve the case where one needs to perform
   multiple functions on a collection of values.

   +-----------------+----------------------------+-------+-------------+
   | Property        | Type                       | Count | Description |
   +-----------------+----------------------------+-------+-------------+
   | arithmetic      | ArithmeticFunctionType     | 0..1  | A function  |
   |                 |                            |       | for         |
   |                 |                            |       | performing  |
   |                 |                            |       | basic math  |
   |                 |                            |       | on numbers. |
   |                 |                            |       |             |
   | begin           | BeginFunctionType          | 0..1  | A function  |
   |                 |                            |       | that        |
   |                 |                            |       | ensures     |
   |                 |                            |       | that a      |
   |                 |                            |       | collected   |
   |                 |                            |       | string      |
   |                 |                            |       | starts with |
   |                 |                            |       | a specified |
   |                 |                            |       | string.     |
   |                 |                            |       |             |
   | concat          | ConcatFunctionType         | 0..1  | A function  |
   |                 |                            |       | that        |
   |                 |                            |       | combines    |
   |                 |                            |       | multiple    |
   |                 |                            |       | strings.    |
   |                 |                            |       |             |
   | end             | EndFunctionType            | 0..1  | A function  |
   |                 |                            |       | that        |
   |                 |                            |       | determines  |
   |                 |                            |       | whether a   |
   |                 |                            |       | collected   |
   |                 |                            |       | string ends |
   |                 |                            |       | with a      |
   |                 |                            |       | specified   |
   |                 |                            |       | string or   |
   |                 |                            |       | not.        |
   |                 |                            |       |             |
   | escape_regex    | EscapeRegexFunctionType    | 0..1  | A function  |
   |                 |                            |       | that        |
   |                 |                            |       | escapes all |
   |                 |                            |       | of the      |
   |                 |                            |       | reserved    |
   |                 |                            |       | regular     |
   |                 |                            |       | expression  |
   |                 |                            |       | characters  |
   |                 |                            |       | in a        |
   |                 |                            |       | string.     |
   |                 |                            |       |             |
   | split           | SplitFunctionType          | 0..1  | A function  |
   |                 |                            |       | that splits |
   |                 |                            |       | a string    |
   |                 |                            |       | into parts, |
   |                 |                            |       | using a     |
   |                 |                            |       | delimiter.  |
   |                 |                            |       |             |
   | substring       | SubstringFunctionType      | 0..1  | A function  |
   |                 |                            |       | that        |
   |                 |                            |       | creates a   |
   |                 |                            |       | substring   |
   |                 |                            |       | from a      |
   |                 |                            |       | value.      |
   |                 |                            |       |             |
   | time_difference | TimeDifferenceFunctionType | 0..1  | A function  |
   |                 |                            |       | that        |
   |                 |                            |       | calculates  |
   |                 |                            |       | the         |
   |                 |                            |       | difference  |
   |                 |                            |       | between two |
   |                 |                            |       | times.      |
   |                 |                            |       |             |
   | unique          | UniqueFunctionType         | 0..1  | A function  |
   |                 |                            |       | that takes  |
   |                 |                            |       | one or more |
   |                 |                            |       | components  |
   |                 |                            |       | and removes |
   |                 |                            |       | any         |
   |                 |                            |       | duplicate   |
   |                 |                            |       | value from  |
   |                 |                            |       | the set of  |
   |                 |                            |       | components. |
   |                 |                            |       |             |
   | regex_capture   | RegexCaptureFunctionType   | 0..1  | A function  |
   |                 |                            |       | that uses a |
   |                 |                            |       | regular     |
   |                 |                            |       | expression  |
   |                 |                            |       | to capture  |
   |                 |                            |       | a substring |
   |                 |                            |       | of a        |
   |                 |                            |       | collected   |
   |                 |                            |       | string      |
   |                 |                            |       | value.      |
   +-----------------+----------------------------+-------+-------------+

                     Table 34: FunctionGroup Construct

36.  ArithmeticFunctionType

   The ArithmeticFunctionType defines a function that applies a given,
   simple mathematical operation to two or more integer or float values.
   The result of this operation is a single integer or float value,
   unless any of the sub-components resolve to multiple values, in which
   case the result will be an array of values, corresponding to the
   arithmetic operation applied to the Cartesian product of the values.

   In the case of mixed integers and floats, the result will be a float
   value.
   +----------------------+-----------------------+-------+-----------------+
   | Property             | Type                  | Count | Description     |
   +----------------------+-----------------------+-------+-----------------+
   | arithmetic_operation | ArithmeticEnumeration | 1     | The operation   |
   |                      |                       |       | to perform.     |
   |                      |                       |       |                 |
   | values               | ComponentGroup        | 2..*  | Any type from   |
   |                      |                       |       | the             |
   |                      |                       |       | ComponentGroup. |
   +----------------------+-----------------------+-------+-----------------+

                 Table 35: ArithmeticFunctionType Construct

37.  BeginFunctionType

   The BeginFunctionType defines a function that ensures that the
   specified values start with a specified character or string.  This
   function operates on a single sub-component of datatype string and
   ensures that the specified value(s) start with the characters
   specified in the character property.  When a value does not start
   with the specified characters, the function will prepend the
   complete set of characters from the character property to the
   string.  Otherwise, the string value will remain unchanged.

   +-----------+----------------+-------+------------------------------+
   | Property  | Type           | Count | Description                  |
   +-----------+----------------+-------+------------------------------+
   | character | string         | 1     | The character or string to   |
   |           |                |       | use for the function.        |
   |           |                |       |                              |
   | value     | ComponentGroup | 1     | Any type from the            |
   |           |                |       | ComponentGroup.              |
   +-----------+----------------+-------+------------------------------+

                   Table 36: BeginFunctionType Construct

38.  ConcatFunctionType

   The ConcatFunctionType defines a function that concatenates the
   values specified together into a single string value.  This function
   combines the values of two or more sub-components into a single
   string value.  The function combines the sub-component values in the
   order that they are specified.  That is, the first sub-component
   specified will always be at the beginning of the newly created string
   value and the last sub-component will always be at the end of the
   newly created string value.

   +----------+----------------+-------+-------------------------------+
   | Property | Type           | Count | Description                   |
   +----------+----------------+-------+-------------------------------+
   | values   | ComponentGroup | 2..*  | Any type from the             |
   |          |                |       | ComponentGroup.               |
   +----------+----------------+-------+-------------------------------+

                   Table 37: ConcatFunctionType Construct

39.  CountFunctionType

   The CountFunctionType defines a function that counts the values
   represented by one or more components as an integer.  This function
   determines the total number of values referenced by all of the
   specified sub-components.

   +----------+----------------+-------+-------------------------------+
   | Property | Type           | Count | Description                   |
   +----------+----------------+-------+-------------------------------+
   | values   | ComponentGroup | 1..*  | Any type from the             |
   |          |                |       | ComponentGroup.               |
   +----------+----------------+-------+-------------------------------+

                   Table 38: CountFunctionType Construct

40.  EndFunctionType

   The EndFunctionType defines a function that ensures that the
   specified values end with a specified character or string.  This
   function operates on a single sub-component of datatype string and
   ensures that the specified value(s) end with the characters specified
   in the character property.  When a value does not end with the
   specified characters, the function will add the complete set of
   characters from the character property to the end of the string.
   Otherwise, the string value will remain unchanged.
   +-----------+----------------+-------+------------------------------+
   | Property  | Type           | Count | Description                  |
   +-----------+----------------+-------+------------------------------+
   | character | string         | 1     | The character or string to   |
   |           |                |       | use for the function.        |
   |           |                |       |                              |
   | value     | ComponentGroup | 1     | Any type from the            |
   |           |                |       | ComponentGroup.              |
   +-----------+----------------+-------+------------------------------+

                    Table 39: EndFunctionType Construct

41.  EscapeRegexFunctionType

   The EscapeRegexFunctionType defines a function that escapes all of
   the regular expression reserved characters in a given string.  This
   function operates on a single sub-component, escaping reserved
   regular expression characters for each sub-component value.  The set
   of metacharacters, in the Perl 5 regular expression syntax, which
   must be escaped for this purpose is as follows, enclosed by single
   quotes: '^$\.[](){}*+?|'.  Please see the Regular Expression Support
   section in [I-D.draft-cokus-sacm-oval-common-model] for more
   information on the Perl 5 regular expression syntax that is supported
   in the OVAL Language.

   +----------+----------------+-------+-------------------------------+
   | Property | Type           | Count | Description                   |
   +----------+----------------+-------+-------------------------------+
   | value    | ComponentGroup | 1     | Any type from the             |
   |          |                |       | ComponentGroup.               |
   +----------+----------------+-------+-------------------------------+

                Table 40: EscapeRegexFunctionType Construct

42.  SplitFunctionType

   The SplitFunctionType defines a function that splits a string value
   into multiple values, based on a specified delimiter.  This function
   operates on a single sub-component and results in an array of values,
   where each value is one of the parts produced by splitting the
   subject string using the specified delimiter.
1598 If the sub-component being split includes a string that either begins 1599 with or ends with the delimiter, there will be an empty string value 1600 included either at the beginning or end, respectively. 1602 If multiple instances of the delimiter appear consecutively, each 1603 instance will result in an additional empty string value. 1605 If the delimiter is not found in the subject string, the entire 1606 subject string will be included in the result. 1608 +-----------+----------------+-------+------------------------------+ 1609 | Property | Type | Count | Description | 1610 +-----------+----------------+-------+------------------------------+ 1611 | delimiter | string | 1 | The string to use as a | 1612 | | | | delimiter. | 1613 | | | | | 1614 | value | ComponentGroup | 1 | Any type from the | 1615 | | | | ComponentGroup. | 1616 +-----------+----------------+-------+------------------------------+ 1618 Table 41: SplitFunctionType Construct 1620 43. SubstringFunctionType 1622 The SubstringFunctionType defines a function that takes a string 1623 value and produces a value that contains a portion of the original 1624 string. 1626 +------------------+----------------+-------+-----------------------+ 1627 | Property | Type | Count | Description | 1628 +------------------+----------------+-------+-----------------------+ 1629 | substring_start | int | 1 | The starting index to | 1630 | | | | use for the | 1631 | | | | substring. This | 1632 | | | | property is 1-based, | 1633 | | | | meaning that a value | 1634 | | | | of 1 represents the | 1635 | | | | first character of | 1636 | | | | the subject string. A | 1637 | | | | value less than 1 is | 1638 | | | | also interpreted as | 1639 | | | | the first character | 1640 | | | | in the subject | 1641 | | | | string. If the | 1642 | | | | substring_start | 1643 | | | | property exceeds the | 1644 | | | | length of the subject | 1645 | | | | string an error MUST | 1646 | | | | be reported. 
| 1647 | | | | | 1648 | substring_length | int | 1 | Represents the length | 1649 | | | | of the substring to | 1650 | | | | be taken from the | 1651 | | | | source string, | 1652 | | | | including the | 1653 | | | | starting character. | 1654 | | | | Any substring_length | 1655 | | | | that exceeds the | 1656 | | | | length of the string | 1657 | | | | or is negative | 1658 | | | | indicates to include | 1659 | | | | all characters from | 1660 | | | | the starting | 1661 | | | | character until the | 1662 | | | | end of the source | 1663 | | | | string. | 1664 | | | | | 1665 | value | ComponentGroup | 1 | Any type from the | 1666 | | | | ComponentGroup. | 1667 +------------------+----------------+-------+-----------------------+ 1669 Table 42: SubstringFunctionType Construct 1671 44. TimeDifferenceFunctionType 1673 The TimeDifferenceFunctionType defines a function that produces a 1674 value containing the difference in seconds between two date-time 1675 values. If a single sub-component is specified, then the time 1676 difference is between the specified date-time and the current date- 1677 time. The current time is the time at which the function is 1678 evaluated. If two sub-components are specified, then the difference 1679 is that between the two specified date-times. 1681 +----------+---------------------------+-------+--------------------+ 1682 | Property | Type | Count | Description | 1683 +----------+---------------------------+-------+--------------------+ 1684 | format_1 | DateTimeFormatEnumeration | 0..1 | The format for the | 1685 | | | | first date-time | 1686 | | | | value specified. | 1687 | | | | Note: If | 1688 | | | | specifying a | 1689 | | | | single value, use | 1690 | | | | format_1 to | 1691 | | | | specify the | 1692 | | | | implied current | 1693 | | | | date-time. Default | 1694 | | | | Value: | 1695 | | | | 'year_month_day'. 
| 1696 | | | | | 1697 | format_2 | DateTimeFormatEnumeration | 0..1 | The format for the | 1698 | | | | second date-time | 1699 | | | | value specified. | 1700 | | | | Note: If | 1701 | | | | specifying a | 1702 | | | | single value, use | 1703 | | | | format_2 to | 1704 | | | | specify the | 1705 | | | | value's format, as | 1706 | | | | format_1 is used | 1707 | | | | for the implied | 1708 | | | | current date-time. | 1709 | | | | Default Value: | 1710 | | | | 'year_month_day'. | 1711 | | | | | 1712 | value | ComponentGroup | 1..2 | Any type from the | 1713 | | | | ComponentGroup. | 1714 +----------+---------------------------+-------+--------------------+ 1716 Table 43: TimeDifferenceFunctionType Construct 1718 If a sub-component value does not conform to the format specified in 1719 the DateTimeFormatEnumeration an error MUST be reported. 1721 The datatype associated with the sub-components MUST be 'string' or 1722 'int' depending on which date time format is specified. The result 1723 of this function is always an integer. The following table states 1724 which datatype MUST be used with which format from the 1725 DateTimeFormatEnumeration. 1727 +---------------------+-------------+ 1728 | Value | Description | 1729 +---------------------+-------------+ 1730 | year_month_day | string | 1731 | | | 1732 | month_day_year | string | 1733 | | | 1734 | day_month_year | string | 1735 | | | 1736 | win_filetime | int | 1737 | | | 1738 | seconds_since_epoch | int | 1739 +---------------------+-------------+ 1741 Table 44: DateTimeFormat Datatype Enumeration Table 1743 45. UniqueFunctionType 1745 The UniqueFunctionType defines a function that removes any duplicate 1746 value from the set of values represented by one or more components. 1747 This function takes one or more sub-components and removes any 1748 duplicate values across the sub-components. A duplicate value is 1749 defined as any value that is equal to another value when compared as 1750 a string value. 
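   The following Python is an added example, not part of this draft and
   not code from any OVAL implementation.  It implements the string
   functions of Sections 41, 42, 43 and 45 with the edge cases the text
   calls out: the exact metacharacter set escape_regex must escape, the
   empty-string elements split must produce for leading, trailing and
   consecutive delimiters, the 1-based start and "to the end" length
   rules of substring, and the compare-as-string rule of unique.  The
   function names, the ValueError raised where the draft says an error
   MUST be reported, and the rejection of an empty delimiter (which the
   draft does not address) are this example's own choices.

```python
import re

# The Perl 5 metacharacters Section 41 requires escape_regex to escape.
REGEX_METACHARS = frozenset('^$\\.[](){}*+?|')


def escape_regex(value: str) -> str:
    """Section 41: prefix every reserved regex character with a backslash."""
    return ''.join('\\' + ch if ch in REGEX_METACHARS else ch for ch in value)


def escaped_pattern_matches_literally(value: str) -> bool:
    """Check that escape_regex(value) matches value itself as a regex."""
    return re.fullmatch(escape_regex(value), value) is not None


def split(value: str, delimiter: str) -> list:
    """Section 42: split the subject string on a literal delimiter.

    str.split(sep) already yields the required results: a leading or
    trailing delimiter gives an empty element at that end, consecutive
    delimiters each give an extra empty element, and a delimiter that
    does not occur returns the whole subject as the only element.
    """
    if delimiter == '':
        # Example's choice: an empty delimiter has no meaning in the draft.
        raise ValueError('delimiter must be a non-empty string')
    return value.split(delimiter)


def substring(value: str, substring_start: int, substring_length: int) -> str:
    """Section 43: 1-based substring with the draft's boundary rules."""
    if substring_start > len(value):
        # "exceeds the length of the subject string": error MUST be reported.
        raise ValueError(
            f'substring_start {substring_start} exceeds length {len(value)}')
    begin = max(substring_start, 1) - 1      # a start below 1 means "first character"
    remaining = len(value) - begin
    if substring_length < 0 or substring_length > remaining:
        return value[begin:]                  # negative or too long: to the end
    return value[begin:begin + substring_length]


def unique(*components) -> list:
    """Section 45: drop duplicates across all sub-components.

    Values are compared as strings, so the int 22 and the string '22'
    are duplicates; first-seen order is preserved.
    """
    seen = set()
    result = []
    for component in components:
        for item in component:
            text = str(item)
            if text not in seen:
                seen.add(text)
                result.append(text)
    return result


if __name__ == '__main__':
    # Constructed sample inputs.
    print(escape_regex('C:\\Program Files (x86)\\app.exe'))
    print(split('/etc/ssh/sshd_config', '/'))
    print(substring('sshd_config', 6, -1))
    print(unique(['22', '80'], [22, '443']))
```

   The fullmatch helper is the check worth keeping in a test suite: a
   content author who builds a pattern from collected data relies on
   escape_regex producing a pattern that matches that data and nothing
   else.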
   +----------+----------------+-------+-------------------------------+
   | Property | Type           | Count | Description                   |
   +----------+----------------+-------+-------------------------------+
   | values   | ComponentGroup | 1..*  | Any type from the             |
   |          |                |       | ComponentGroup                |
   +----------+----------------+-------+-------------------------------+

                  Table 45: UniqueFunctionType Construct

46.  RegexCaptureFunctionType

   The RegexCaptureFunctionType defines a function operating on a single
   component, which extracts a substring from each of its values.

   The pattern property specifies a regular expression, which SHOULD
   contain a single capturing sub-pattern (using parentheses).  If the
   regular expression contains multiple capturing sub-patterns, only the
   first capture is used.  If there are no capturing sub-patterns, the
   result for each target string MUST be the empty string.  Otherwise,
   if the regular expression could match the target string in more than
   one place, only the first match (and its first capture) is used.  If
   no matches are found in a target string, the result for that target
   MUST be the empty string.

   Note that a quantified capturing sub-pattern does not produce
   multiple substrings.  Standard regular expression semantics are such
   that if a capturing sub-pattern is required to match multiple times
   in order for the overall regular expression to match, the capture
   produced is the last substring to have matched the sub-pattern.

   If any of the Perl 5 regular expression syntax metacharacters are to
   be used literally, then they must be escaped.  The set of
   metacharacters which must be escaped for this purpose is as follows,
   enclosed by single quotes: '^$\.[](){}*+?|'.  Please see the Regular
   Expression Support section in [I-D.draft-cokus-sacm-oval-common-
   model] for more information on the Perl 5 regular expression syntax
   that is supported in the OVAL Language.

   +----------+----------------+-------+-------------------------------+
   | Property | Type           | Count | Description                   |
   +----------+----------------+-------+-------------------------------+
   | pattern  | string         | 1     | The string to use as a        |
   |          |                |       | regular expression pattern.   |
   |          |                |       |                               |
   | value    | ComponentGroup | 1     | Any type from the             |
   |          |                |       | ComponentGroup.               |
   +----------+----------------+-------+-------------------------------+

                Table 46: RegexCaptureFunctionType Construct

47.  ArithmeticEnumeration

   The ArithmeticEnumeration defines an enumeration for the possible
   values for the arithmetic function.

   +----------+---------------------------+
   | Value    | Description               |
   +----------+---------------------------+
   | add      | Indicates addition.       |
   |          |                           |
   | multiply | Indicates multiplication. |
   +----------+---------------------------+

                    Table 47: Arithmetic Enumeration

48.  DateTimeFormatEnumeration

   The DateTimeFormatEnumeration defines an enumeration for the possible
   values for the date-time values.
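   As an added example, not from this draft or any OVAL implementation,
   the following Python implements the two functions above whose
   behaviour is easiest to get wrong: regex_capture (Section 46), with
   its first-match, first-group and empty-string rules, and
   time_difference (Section 44) over the date-time formats enumerated
   in Section 48, enforcing the 'string' versus 'int' datatype rule of
   Table 44 and reporting non-conforming values as errors.  The strptime
   patterns are this example's reading of the Figure 1 patterns, the
   FILETIME epoch offset is a known constant, and the sign convention
   (current minus given for one value, second minus first for two) is an
   assumption; the draft only says "difference".

```python
import re
import time
from datetime import datetime, timezone

# strptime patterns for the string formats of the DateTimeFormatEnumeration
# (example's mapping of the Figure 1 patterns; %B/%b assume an English locale).
DATETIME_PATTERNS = {
    'year_month_day': ['%Y%m%dT%H%M%S', '%Y/%m/%d %H:%M:%S', '%Y-%m-%d %H:%M:%S',
                       '%Y%m%d', '%Y/%m/%d', '%Y-%m-%d'],
    'month_day_year': ['%m/%d/%Y %H:%M:%S', '%m-%d-%Y %H:%M:%S',
                       '%B, %d %Y %H:%M:%S', '%b, %d %Y %H:%M:%S',
                       '%m/%d/%Y', '%m-%d-%Y', '%B, %d %Y', '%b, %d %Y'],
    'day_month_year': ['%d/%m/%Y %H:%M:%S', '%d-%m-%Y %H:%M:%S',
                       '%d/%m/%Y', '%d-%m-%Y'],
}
# 100-nanosecond intervals between 1601-01-01 (FILETIME epoch) and 1970-01-01.
FILETIME_EPOCH_OFFSET = 116444736000000000


def to_epoch_seconds(value, fmt: str) -> int:
    """Convert one sub-component to UTC seconds since the UNIX epoch,
    enforcing the datatype Table 44 requires for the format."""
    if fmt in ('win_filetime', 'seconds_since_epoch'):
        if isinstance(value, bool) or not isinstance(value, int):
            raise ValueError(f"format {fmt} requires an 'int' value, got {value!r}")
        if fmt == 'seconds_since_epoch':
            return value
        return (value - FILETIME_EPOCH_OFFSET) // 10_000_000
    if fmt not in DATETIME_PATTERNS:
        raise ValueError(f'unknown DateTimeFormatEnumeration value {fmt!r}')
    if not isinstance(value, str):
        raise ValueError(f"format {fmt} requires a 'string' value, got {value!r}")
    for pattern in DATETIME_PATTERNS[fmt]:
        try:
            parsed = datetime.strptime(value, pattern)
        except ValueError:
            continue
        return int(parsed.replace(tzinfo=timezone.utc).timestamp())
    # No pattern of the declared format matched: an error MUST be reported.
    raise ValueError(f'{value!r} does not conform to format {fmt}')


def conforms(value, fmt: str) -> bool:
    """True if value is acceptable for fmt, False where an error would be reported."""
    try:
        to_epoch_seconds(value, fmt)
        return True
    except ValueError:
        return False


def time_difference(values, format_1='year_month_day',
                    format_2='year_month_day', now=None) -> int:
    """Section 44.  One value: current time minus that value (format_2
    describes the value, format_1 the implied current time).  Two values:
    second minus first.  `now` (epoch seconds) makes evaluation reproducible."""
    if len(values) == 1:
        current = int(time.time()) if now is None else now
        return current - to_epoch_seconds(values[0], format_2)
    if len(values) == 2:
        first = to_epoch_seconds(values[0], format_1)
        second = to_epoch_seconds(values[1], format_2)
        return second - first
    raise ValueError('time_difference takes one or two values')


def regex_capture(pattern: str, value: str) -> str:
    """Section 46: first match, first capturing group, else the empty string.

    A quantified group such as (\\d)+ keeps only its last repetition, the
    standard semantics the draft describes.
    """
    compiled = re.compile(pattern)
    if compiled.groups == 0:
        return ''
    match = compiled.search(value)
    if match is None or match.group(1) is None:
        # group(1) is None when another alternative matched; treating that
        # as "no capture" is this example's choice.
        return ''
    return match.group(1)


if __name__ == '__main__':
    # Constructed sample: age of a password change date, and a version capture.
    print(time_difference(['2016-06-01'], now=1473206400) // 86400, 'days')
    print(regex_capture(r'OpenSSH_(\d+\.\d+)', 'OpenSSH_7.2p2 Ubuntu-4'))
```

   Rejecting a value of the wrong datatype, rather than coercing it, is
   what keeps an assertion such as "password last changed more than 90
   days ago" from silently evaluating against a mis-typed epoch.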
   +---------------------+---------------------------------------+
   | Value               | Description                           |
   +---------------------+---------------------------------------+
   | year_month_day      | This value indicates a format that    |
   |                     | follows the following patterns:       |
   |                     |                                       |
   |                     | o  yyyymmdd                           |
   |                     | o  yyyymmddThhmmss                    |
   |                     | o  yyyy/mm/dd hh:mm:ss                |
   |                     | o  yyyy/mm/dd                         |
   |                     | o  yyyy-mm-dd hh:mm:ss                |
   |                     | o  yyyy-mm-dd                         |
   +---------------------+---------------------------------------+
   | month_day_year      | This value indicates a format that    |
   |                     | follows the following patterns:       |
   |                     |                                       |
   |                     | o  mm/dd/yyyy hh:mm:ss                |
   |                     | o  mm/dd/yyyy                         |
   |                     | o  mm-dd-yyyy hh:mm:ss                |
   |                     | o  mm-dd-yyyy                         |
   |                     | o  NameOfMonth, dd yyyy hh:mm:ss      |
   |                     | o  NameOfMonth, dd yyyy               |
   |                     | o  AbbreviatedNameOfMonth,            |
   |                     |    dd yyyy hh:mm:ss                   |
   |                     | o  AbbreviatedNameOfMonth, dd yyyy    |
   +---------------------+---------------------------------------+
   | day_month_year      | This value indicates a format that    |
   |                     | follows the following patterns:       |
   |                     |                                       |
   |                     | o  dd/mm/yyyy hh:mm:ss                |
   |                     | o  dd/mm/yyyy                         |
   |                     | o  dd-mm-yyyy hh:mm:ss                |
   |                     | o  dd-mm-yyyy                         |
   +---------------------+---------------------------------------+
   | win_filetime        | This value indicates a date-time that |
   |                     | follows the Windows file time         |
   |                     | format [WIN-FILETIME].                |
   +---------------------+---------------------------------------+
   | seconds_since_epoch | This value indicates a date-time that |
   |                     | represents the time in seconds since  |
   |                     | the UNIX Epoch.  The UNIX epoch is    |
   |                     | the time 00:00:00 UTC on January 1,   |
   |                     | 1970.                                 |
   +---------------------+---------------------------------------+

                  Figure 1: DateTimeFormat Enumeration

49.  FilterActionEnumeration

   The FilterActionEnumeration defines an enumeration for the possible
   values for filtering a set of items.
   +---------+---------------------------------------------------------+
   | Value   | Description                                             |
   +---------+---------------------------------------------------------+
   | include | A value that indicates to include matching items from   |
   |         | the set.                                                |
   |         |                                                         |
   | exclude | A value that indicates to exclude matching items from   |
   |         | the set.                                                |
   +---------+---------------------------------------------------------+

                   Table 48: FilterAction Enumeration

50.  SetOperatorEnumeration

   The SetOperatorEnumeration defines an enumeration for the possible
   values defining a set.

   +--------------+----------------------------------------------------+
   | Value        | Description                                        |
   +--------------+----------------------------------------------------+
   | COMPLEMENT   | A value that indicates to include only the         |
   |              | elements from the first set that are not found in  |
   |              | the second.                                        |
   |              |                                                    |
   | INTERSECTION | A value that indicates to include all of the       |
   |              | values common to both sets.                        |
   |              |                                                    |
   | UNION        | A value that indicates to include all values found |
   |              | in either of the sets.                             |
   +--------------+----------------------------------------------------+

                    Table 49: SetOperator Enumeration

51.  EntityAttributeGroup

   The EntityAttributeGroup defines a set of attributes that are common
   to all OVAL Object and OVAL State entities.

   Some OVAL Entities provide additional restrictions on these
   attributes and their allowed values.

   +-----------+---------------------------+-------+-------------------+
   | Property  | Type                      | Count | Description       |
   +-----------+---------------------------+-------+-------------------+
   | datatype  | oval:DatatypeEnumeration  | 0..1  | The datatype for  |
   |           |                           |       | the entity.       |
   |           |                           |       | Default Value:    |
   |           |                           |       | 'string'.         |
   |           |                           |       |                   |
   | operation | oval:OperationEnumeration | 0..1  | The operation     |
   |           |                           |       | that is to be     |
   |           |                           |       | performed on the  |
   |           |                           |       | entity.  Default  |
   |           |                           |       | Value: 'equals'.  |
   |           |                           |       |                   |
   | mask      | boolean                   | 0..1  | Tells the data    |
   |           |                           |       | collection that   |
   |           |                           |       | this entity       |
   |           |                           |       | contains          |
   |           |                           |       | sensitive data.   |
   |           |                           |       | Data marked with  |
   |           |                           |       | mask='true'       |
   |           |                           |       | should be used    |
   |           |                           |       | only in the       |
   |           |                           |       | evaluation, and   |
   |           |                           |       | not be included   |
   |           |                           |       | in the results.   |
   |           |                           |       | Default Value:    |
   |           |                           |       | 'false'.          |
   |           |                           |       |                   |
   | var_ref   | oval:VariableIDPattern    | 0..1  | Points to a       |
   |           |                           |       | variable          |
   |           |                           |       | Identifier within |
   |           |                           |       | the OVAL document |
   |           |                           |       | which should be   |
   |           |                           |       | used to calculate |
   |           |                           |       | the entity's      |
   |           |                           |       | value.            |
   |           |                           |       |                   |
   | var_check | oval:CheckEnumeration     | 0..1  | Directs how to    |
   |           |                           |       | either collect    |
   |           |                           |       | data or evaluate  |
   |           |                           |       | state for the     |
   |           |                           |       | entity.           |
   +-----------+---------------------------+-------+-------------------+

                     Table 50: EntityAttributeGroup

52.  EntitySimpleBaseType

   The EntitySimpleBaseType is an abstract type that defines a base type
   for all simple entities.  Entities represent the individual
   properties for OVAL Objects and OVAL States.

   +------------+----------------------+-------+-----------------------+
   | Property   | Type                 | Count | Description           |
   +------------+----------------------+-------+-----------------------+
   | attributes | EntityAttributeGroup | 1     | The standard          |
   |            |                      |       | attributes available  |
   |            |                      |       | to all entities.      |
   |            |                      |       |                       |
   | value      | String               | 0..1  | The value of the      |
   |            |                      |       | entity.  An empty     |
   |            |                      |       | string value MUST be  |
   |            |                      |       | used when referencing |
   |            |                      |       | an OVAL Variable.     |
   +------------+----------------------+-------+-----------------------+

                Table 51: EntitySimpleBaseType Construct

53.  EntityComplexBaseType

   The EntityComplexBaseType is an abstract type that defines a base
   type for all complex entities.  Entities represent the individual
   properties for OVAL Objects and OVAL States.

   +------------+----------------------+-------+-----------------------+
   | Property   | Type                 | Count | Description           |
   +------------+----------------------+-------+-----------------------+
   | attributes | EntityAttributeGroup | 1     | The standard          |
   |            |                      |       | attributes available  |
   |            |                      |       | to all entities.      |
   +------------+----------------------+-------+-----------------------+

                Table 52: EntityComplexBaseType Construct

54.  EntityObjectIPAddressType

   The EntityObjectIPAddressType extends the EntitySimpleBaseType and
   describes an IPv4 or IPv6 IP address.

   +----------+-----------------+-------+------------------+
   | Property | Type            | Count | Description      |
   +----------+-----------------+-------+------------------+
   | datatype | oval:           | 1     | Possible         |
   |          | SimpleDatatype  |       | values:          |
   |          | Enumeration     |       |                  |
   |          |                 |       | o 'ipv4_address' |
   |          |                 |       | o 'ipv6_address' |
   |          |                 |       |                  |
   |          |                 |       | Also allows an   |
   |          |                 |       | empty string     |
   |          |                 |       | value.           |
   +----------+-----------------+-------+------------------+

              Figure 2: EntityObjectIPAddressType Construct

55.  EntityObjectIPAddressStringType

   The EntityObjectIPAddressStringType extends the EntitySimpleBaseType
   and describes an IPv4 or IPv6 IP address or a string representation
   of the address.
   +----------+-----------------+-------+------------------+
   | Property | Type            | Count | Description      |
   +----------+-----------------+-------+------------------+
   | datatype | oval:           | 1     | Possible         |
   |          | SimpleDatatype  |       | values:          |
   |          | Enumeration     |       |                  |
   |          |                 |       | o 'ipv4_address' |
   |          |                 |       | o 'ipv6_address' |
   |          |                 |       | o 'string'       |
   |          |                 |       |                  |
   |          |                 |       | Also allows an   |
   |          |                 |       | empty string     |
   |          |                 |       | value.           |
   +----------+-----------------+-------+------------------+

           Figure 3: EntityObjectIPAddressStringType Construct

56.  EntityObjectAnySimpleType

   The EntityObjectAnySimpleType extends the EntitySimpleBaseType and
   describes any simple data.

   +----------+--------------------------------+-------+---------------+
   | Property | Type                           | Count | Description   |
   +----------+--------------------------------+-------+---------------+
   | datatype | oval:SimpleDatatypeEnumeration | 1     | Any simple    |
   |          |                                |       | datatype.     |
   |          |                                |       | Also allows   |
   |          |                                |       | an empty      |
   |          |                                |       | string value. |
   +----------+--------------------------------+-------+---------------+

              Table 53: EntityObjectAnySimpleType Construct

57.  EntityObjectBinaryType

   The EntityObjectBinaryType extends the EntitySimpleBaseType and
   describes any simple binary data.

   +----------+--------------------------------+-------+---------------+
   | Property | Type                           | Count | Description   |
   +----------+--------------------------------+-------+---------------+
   | datatype | oval:SimpleDatatypeEnumeration | 1     | This value is |
   |          |                                |       | fixed as      |
   |          |                                |       | 'binary'.     |
   |          |                                |       | Also allows   |
   |          |                                |       | an empty      |
   |          |                                |       | string value. |
   +----------+--------------------------------+-------+---------------+

               Table 54: EntityObjectBinaryType Construct

58.  EntityObjectBoolType

   The EntityObjectBoolType extends the EntitySimpleBaseType and
   describes any simple boolean data.

   +----------+--------------------------------+-------+---------------+
   | Property | Type                           | Count | Description   |
   +----------+--------------------------------+-------+---------------+
   | datatype | oval:SimpleDatatypeEnumeration | 1     | This value is |
   |          |                                |       | fixed as      |
   |          |                                |       | 'boolean'.    |
   |          |                                |       | Also allows   |
   |          |                                |       | an empty      |
   |          |                                |       | string value. |
   +----------+--------------------------------+-------+---------------+

                Table 55: EntityObjectBoolType Construct

59.  EntityObjectFloatType

   The EntityObjectFloatType extends the EntitySimpleBaseType and
   describes any simple float data.

   +----------+--------------------------------+-------+---------------+
   | Property | Type                           | Count | Description   |
   +----------+--------------------------------+-------+---------------+
   | datatype | oval:SimpleDatatypeEnumeration | 1     | This value is |
   |          |                                |       | fixed as      |
   |          |                                |       | 'float'.      |
   |          |                                |       | Also allows   |
   |          |                                |       | an empty      |
   |          |                                |       | string value. |
   +----------+--------------------------------+-------+---------------+

                Table 56: EntityObjectFloatType Construct

60.  EntityObjectIntType

   The EntityObjectIntType extends the EntitySimpleBaseType and
   describes any simple integer data.

   +----------+--------------------------------+-------+---------------+
   | Property | Type                           | Count | Description   |
   +----------+--------------------------------+-------+---------------+
   | datatype | oval:SimpleDatatypeEnumeration | 1     | This value is |
   |          |                                |       | fixed as      |
   |          |                                |       | 'int'.  Also  |
   |          |                                |       | allows an     |
   |          |                                |       | empty string  |
   |          |                                |       | value.        |
   +----------+--------------------------------+-------+---------------+

                 Table 57: EntityObjectIntType Construct

61.  EntityObjectStringType

   The EntityObjectStringType extends the EntitySimpleBaseType and
   describes any simple string data.

   +----------+--------------------------------+-------+---------------+
   | Property | Type                           | Count | Description   |
   +----------+--------------------------------+-------+---------------+
   | datatype | oval:SimpleDatatypeEnumeration | 1     | This value is |
   |          |                                |       | fixed as      |
   |          |                                |       | 'string'.     |
   |          |                                |       | Also allows   |
   |          |                                |       | an empty      |
   |          |                                |       | string value. |
   +----------+--------------------------------+-------+---------------+

               Table 58: EntityObjectStringType Construct

62.  EntityObjectVersionType

   The EntityObjectVersionType extends the EntitySimpleBaseType and
   describes any simple version data.

   +----------+--------------------------------+-------+---------------+
   | Property | Type                           | Count | Description   |
   +----------+--------------------------------+-------+---------------+
   | datatype | oval:SimpleDatatypeEnumeration | 1     | This value is |
   |          |                                |       | fixed as      |
   |          |                                |       | 'version'.    |
   |          |                                |       | Also allows   |
   |          |                                |       | an empty      |
   |          |                                |       | string value. |
   +----------+--------------------------------+-------+---------------+

              Table 59: EntityObjectVersionType Construct

63.  EntityObjectRecordType

   The EntityObjectRecordType extends the EntityComplexBaseType and
   allows assertions to be made on entities with uniquely named fields.
   It is intended to be used to assess the results of things such as SQL
   statements and similar data.

   +-----------+---------------------------------+-------+-------------+
   | Property  | Type                            | Count | Description |
   +-----------+---------------------------------+-------+-------------+
   | datatype  | oval:ComplexDatatypeEnumeration | 1     | This value  |
   |           |                                 |       | is fixed as |
   |           |                                 |       | 'record'.   |
   |           |                                 |       |             |
   | operation | oval:OperationEnumeration       | 0..1  | This value  |
   |           |                                 |       | is fixed as |
   |           |                                 |       | 'equals'.   |
   |           |                                 |       |             |
   | mask      | boolean                         | 0..1  | Tells the   |
   |           |                                 |       | data        |
   |           |                                 |       | collection  |
   |           |                                 |       | that this   |
   |           |                                 |       | entity      |
   |           |                                 |       | contains    |
   |           |                                 |       | sensitive   |
   |           |                                 |       | data.  Data |
   |           |                                 |       | marked with |
   |           |                                 |       | mask='true' |
   |           |                                 |       | should be   |
   |           |                                 |       | used only   |
   |           |                                 |       | in the      |
   |           |                                 |       | evaluation, |
   |           |                                 |       | and not be  |
   |           |                                 |       | included in |
   |           |                                 |       | the         |
   |           |                                 |       | results.    |
   |           |                                 |       | Note that   |
   |           |                                 |       | when the    |
   |           |                                 |       | mask        |
   |           |                                 |       | property is |
   |           |                                 |       | set to      |
   |           |                                 |       | 'true', all |
   |           |                                 |       | child field |
   |           |                                 |       | elements    |
   |           |                                 |       | must be     |
   |           |                                 |       | masked      |
   |           |                                 |       | regardless  |
   |           |                                 |       | of the      |
   |           |                                 |       | child       |
   |           |                                 |       | field's     |
   |           |                                 |       | mask        |
   |           |                                 |       | attribute   |
   |           |                                 |       | value.      |
   |           |                                 |       | Default     |
   |           |                                 |       | Value:      |
   |           |                                 |       | 'false'.    |
   |           |                                 |       |             |
   | var_ref   | oval:VariableIDPattern          | 0..1  | Use of this |
   |           |                                 |       | property is |
   |           |                                 |       | prohibited. |
   |           |                                 |       |             |
   | var_check | oval:CheckEnumeration           | 0..1  | Use of this |
   |           |                                 |       | property is |
   |           |                                 |       | prohibited. |
   +-----------+---------------------------------+-------+-------------+

               Table 60: EntityObjectRecordType Construct

64.  EntityObjectFieldType

   The EntityObjectFieldType defines an entity type that captures the
   details of a single field for a record.

   +------------+----------------------+-------+-----------------------+
   | Property   | Type                 | Count | Description           |
   +------------+----------------------+-------+-----------------------+
   | attributes | EntityAttributeGroup | 1     | The standard          |
   |            |                      |       | attributes available  |
   |            |                      |       | to all entities.      |
   |            |                      |       |                       |
   | name       | string               | 1     | The name of the       |
   |            |                      |       | field.  Names MUST be |
   |            |                      |       | all lower case        |
   |            |                      |       | characters in the     |
   |            |                      |       | range of a-z.  Names  |
   |            |                      |       | MUST be unique within |
   |            |                      |       | a record.             |
   |            |                      |       |                       |
   | value      | string               | 0..1  | The value of the      |
   |            |                      |       | field.  An empty      |
   |            |                      |       | string value MUST be  |
   |            |                      |       | used when referencing |
   |            |                      |       | an OVAL Variable.     |
   +------------+----------------------+-------+-----------------------+

               Table 61: EntityObjectFieldType Construct

65.  EntityStateSimpleBaseType

   The EntityStateSimpleBaseType extends the EntitySimpleBaseType and
   defines a simple base type for OVAL States.

   +--------------+-----------------------+-------+--------------------+
   | Property     | Type                  | Count | Description        |
   +--------------+-----------------------+-------+--------------------+
   | entity_check | oval:CheckEnumeration | 0..1  | Defines how to     |
   |              |                       |       | handle multiple    |
   |              |                       |       | item entities with |
   |              |                       |       | the same name.     |
   |              |                       |       | Default Value:     |
   |              |                       |       | 'all'.             |
   |              |                       |       |                    |
   | value        | string                | 0..1  | The value of the   |
   |              |                       |       | entity.  An empty  |
   |              |                       |       | string value MUST  |
   |              |                       |       | be used when       |
   |              |                       |       | referencing an     |
   |              |                       |       | OVAL Variable.     |
   +--------------+-----------------------+-------+--------------------+

             Table 62: EntityStateSimpleBaseType Construct

66.  EntityStateComplexBaseType

   The EntityStateComplexBaseType extends the EntityComplexBaseType and
   defines a complex base type for OVAL States.
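   The mask attribute of the EntityAttributeGroup (Section 51) and the
   stricter record rule of Section 63 are how OVAL content keeps
   sensitive collected data (password hashes, key material, tokens) out
   of result documents while still evaluating against it.  The Python
   below is an added example, not code from this draft or from any OVAL
   implementation.  It models a result writer that honours mask,
   propagates a record's mask to every child field regardless of the
   field's own attribute, and enforces the field-name, uniqueness and
   empty-value-with-var_ref rules of Sections 52, 63 and 64.  The class
   names, the '(masked)' placeholder and the constructed sample values
   are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

FIELD_NAME = re.compile(r'[a-z]+')   # Table 61: lower case a-z only
MASKED = '(masked)'                  # what the writer records in place of a value


@dataclass
class SimpleEntity:
    """EntitySimpleBaseType with the EntityAttributeGroup defaults of Table 50."""
    name: str
    value: str = ''
    datatype: str = 'string'
    operation: str = 'equals'
    mask: bool = False
    var_ref: Optional[str] = None
    var_check: Optional[str] = None


@dataclass
class Field:
    """EntityObjectFieldType (Table 61): one named field of a record."""
    name: str
    value: str = ''
    mask: bool = False


@dataclass
class RecordEntity:
    """EntityObjectRecordType (Table 60): datatype and operation are fixed,
    var_ref and var_check are prohibited and therefore not modelled."""
    name: str
    fields: list = field(default_factory=list)
    mask: bool = False
    datatype: str = 'record'
    operation: str = 'equals'


def validate(entity) -> None:
    """Raise ValueError for the constraints the tables state as MUST or fixed."""
    if isinstance(entity, SimpleEntity):
        if entity.var_ref is not None and entity.value != '':
            raise ValueError(f'{entity.name}: value MUST be empty when var_ref is set')
        return
    if entity.datatype != 'record' or entity.operation != 'equals':
        raise ValueError(f"{entity.name}: datatype is fixed as 'record', "
                         "operation as 'equals'")
    names = [f.name for f in entity.fields]
    for n in names:
        if not FIELD_NAME.fullmatch(n):
            raise ValueError(f'{entity.name}: field name {n!r} must be lower case a-z')
    if len(set(names)) != len(names):
        raise ValueError(f'{entity.name}: field names MUST be unique within a record')


def is_valid(entity) -> bool:
    try:
        validate(entity)
        return True
    except ValueError:
        return False


def for_results(entity) -> dict:
    """What a result writer may record for an entity: masked values are
    replaced, and a masked record masks every child field regardless of
    the field's own mask attribute."""
    validate(entity)
    if isinstance(entity, SimpleEntity):
        return {entity.name: MASKED if entity.mask else entity.value}
    return {entity.name: {f.name: MASKED if (entity.mask or f.mask) else f.value
                          for f in entity.fields}}


def equals(entity, expected) -> bool:
    """Evaluation still sees the real value: mask changes only what is reported."""
    if isinstance(entity, SimpleEntity):
        return entity.value == expected
    return {f.name: f.value for f in entity.fields} == expected


if __name__ == '__main__':
    # Constructed sample: a row from a credential store collected as a record.
    row = RecordEntity('account_row', [
        Field('username', 'svc-backup'),
        Field('hash', '$6$constructed$notarealhash', mask=True),
    ])
    print(for_results(row))
    row.mask = True
    print(for_results(row))   # the record-level mask now covers username too
```

   Keeping evaluation (equals) and reporting (for_results) as separate
   paths is the design point: a collector that strips masked values
   before evaluation would silently turn every such check into a
   comparison against nothing.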
   +--------------+-----------------------+-------+--------------------+
   | Property     | Type                  | Count | Description        |
   +--------------+-----------------------+-------+--------------------+
   | entity_check | oval:CheckEnumeration | 0..1  | Defines how to     |
   |              |                       |       | handle multiple    |
   |              |                       |       | item entities with |
   |              |                       |       | the same name.     |
   |              |                       |       | Default Value:     |
   |              |                       |       | 'all'.             |
   +--------------+-----------------------+-------+--------------------+

            Table 63: EntityStateComplexBaseType Construct

67.  EntityStateIPAddressType

   The EntityStateIPAddressType extends the EntityStateSimpleBaseType
   and describes an IPv4 or IPv6 IP address.

   +----------+-----------------+-------+------------------+
   | Property | Type            | Count | Description      |
   +----------+-----------------+-------+------------------+
   | datatype | oval:           | 1     | Possible         |
   |          | SimpleDatatype  |       | values:          |
   |          | Enumeration     |       |                  |
   |          |                 |       | o 'ipv4_address' |
   |          |                 |       | o 'ipv6_address' |
   |          |                 |       |                  |
   |          |                 |       | Also allows an   |
   |          |                 |       | empty string     |
   |          |                 |       | value.           |
   +----------+-----------------+-------+------------------+

              Figure 4: EntityStateIPAddressType Construct

68.  EntityStateIPAddressStringType

   The EntityStateIPAddressStringType extends the
   EntityStateSimpleBaseType and describes an IPv4 or IPv6 IP address or
   a string representation of the address.

   +----------+-----------------+-------+------------------+
   | Property | Type            | Count | Description      |
   +----------+-----------------+-------+------------------+
   | datatype | oval:           | 1     | Possible         |
   |          | SimpleDatatype  |       | values:          |
   |          | Enumeration     |       |                  |
   |          |                 |       | o 'ipv4_address' |
   |          |                 |       | o 'ipv6_address' |
   |          |                 |       | o 'string'       |
   |          |                 |       |                  |
   |          |                 |       | Also allows an   |
   |          |                 |       | empty string     |
   |          |                 |       | value.           |
   +----------+-----------------+-------+------------------+

           Figure 5: EntityStateIPAddressStringType Construct

69.  EntityStateAnySimpleType

   The EntityStateAnySimpleType extends the EntityStateSimpleBaseType
   and describes any simple data.

   +----------+--------------------------------+-------+---------------+
   | Property | Type                           | Count | Description   |
   +----------+--------------------------------+-------+---------------+
   | datatype | oval:SimpleDatatypeEnumeration | 1     | Any simple    |
   |          |                                |       | datatype.     |
   |          |                                |       | Also allows   |
   |          |                                |       | an empty      |
   |          |                                |       | string value. |
   +----------+--------------------------------+-------+---------------+

              Table 64: EntityStateAnySimpleType Construct

70.  EntityStateBinaryType

   The EntityStateBinaryType extends the EntityStateSimpleBaseType and
   describes any simple binary data.

   +----------+--------------------------------+-------+---------------+
   | Property | Type                           | Count | Description   |
   +----------+--------------------------------+-------+---------------+
   | datatype | oval:SimpleDatatypeEnumeration | 1     | This value is |
   |          |                                |       | fixed as      |
   |          |                                |       | 'binary'.     |
   |          |                                |       | Also allows   |
   |          |                                |       | an empty      |
   |          |                                |       | string value. |
   +----------+--------------------------------+-------+---------------+

               Table 65: EntityStateBinaryType Construct

71.  EntityStateBoolType

   The EntityStateBoolType extends the EntityStateSimpleBaseType and
   describes any simple boolean data.

   +----------+--------------------------------+-------+---------------+
   | Property | Type                           | Count | Description   |
   +----------+--------------------------------+-------+---------------+
   | datatype | oval:SimpleDatatypeEnumeration | 1     | This value is |
   |          |                                |       | fixed as      |
   |          |                                |       | 'boolean'.    |
   |          |                                |       | Also allows   |
   |          |                                |       | an empty      |
   |          |                                |       | string value. |
   +----------+--------------------------------+-------+---------------+

                Table 66: EntityStateBoolType Construct

72.  EntityStateFloatType

   The EntityStateFloatType extends the EntityStateSimpleBaseType and
   describes any simple float data.

   +----------+--------------------------------+-------+---------------+
   | Property | Type                           | Count | Description   |
   +----------+--------------------------------+-------+---------------+
   | datatype | oval:SimpleDatatypeEnumeration | 1     | This value is |
   |          |                                |       | fixed as      |
   |          |                                |       | 'float'.      |
   |          |                                |       | Also allows   |
   |          |                                |       | an empty      |
   |          |                                |       | string value. |
   +----------+--------------------------------+-------+---------------+

                Table 67: EntityStateFloatType Construct

73.  EntityStateIntType

   The EntityStateIntType extends the EntityStateSimpleBaseType and
   describes any simple integer data.

   +----------+--------------------------------+-------+---------------+
   | Property | Type                           | Count | Description   |
   +----------+--------------------------------+-------+---------------+
   | datatype | oval:SimpleDatatypeEnumeration | 1     | This value is |
   |          |                                |       | fixed as      |
   |          |                                |       | 'int'.  Also  |
   |          |                                |       | allows an     |
   |          |                                |       | empty string  |
   |          |                                |       | value.        |
   +----------+--------------------------------+-------+---------------+

                 Table 68: EntityStateIntType Construct

74.  EntityStateEVRStringType

   The EntityStateEVRStringType extends the EntityStateSimpleBaseType
   and describes EPOCH:VERSION-RELEASE string data.

   +----------+--------------------------------+-------+---------------+
   | Property | Type                           | Count | Description   |
   +----------+--------------------------------+-------+---------------+
   | datatype | oval:SimpleDatatypeEnumeration | 1     | This value is |
   |          |                                |       | fixed as      |
   |          |                                |       | 'evr_string'. |
   |          |                                |       | Also allows   |
   |          |                                |       | an empty      |
   |          |                                |       | string value. |
   +----------+--------------------------------+-------+---------------+

              Table 69: EntityStateEVRStringType Construct

75.  EntityStateDebianEVRStringType

   The EntityStateDebianEVRStringType extends the
   EntityStateSimpleBaseType and describes EPOCH:UPSTREAM_VERSION-
   DEBIAN_REVISION string data for a Debian package.

   +----------+-----------------------+-------+------------------------+
   | Property | Type                  | Count | Description            |
   +----------+-----------------------+-------+------------------------+
   | datatype | oval:SimpleDatatype   | 1     | This value is fixed as |
   |          | Enumeration           |       | 'debian_evr_string'.   |
   |          |                       |       | Also allows an empty   |
   |          |                       |       | string value.          |
   +----------+-----------------------+-------+------------------------+

           Table 70: EntityStateDebianEVRStringType Construct

76.  EntityStateVersionType

   The EntityStateVersionType extends the EntityStateSimpleBaseType and
   describes version string data.

   +----------+--------------------------------+-------+---------------+
   | Property | Type                           | Count | Description   |
   +----------+--------------------------------+-------+---------------+
   | datatype | oval:SimpleDatatypeEnumeration | 1     | This value is |
   |          |                                |       | fixed as      |
   |          |                                |       | 'version'.    |
   |          |                                |       | Also allows   |
   |          |                                |       | an empty      |
   |          |                                |       | string value. |
   +----------+--------------------------------+-------+---------------+

               Table 71: EntityStateVersionType Construct

77.  EntityStateFileSetRevisionType

   The EntityStateFileSetRevisionType extends the
   EntityStateSimpleBaseType and describes file set revision string
   data.
   +----------+-----------------------+-------+------------------------+
   | Property | Type                  | Count | Description            |
   +----------+-----------------------+-------+------------------------+
   | datatype | oval:SimpleDatatype   | 1     | This value is fixed as |
   |          | Enumeration           |       | 'fileset_revision'.    |
   |          |                       |       | Also allows an empty   |
   |          |                       |       | string value.          |
   +----------+-----------------------+-------+------------------------+

           Table 72: EntityStateFileSetRevisionType Construct

78.  EntityStateIOSVersionType

   The EntityStateIOSVersionType extends the EntityStateSimpleBaseType
   and describes Cisco IOS version string data.

   +----------+-----------------+-------+------------------+
   | Property | Type            | Count | Description      |
   +----------+-----------------+-------+------------------+
   | datatype | oval:           | 1     | Possible         |
   |          | SimpleDatatype  |       | values:          |
   |          | Enumeration     |       |                  |
   |          |                 |       | o 'ios_version'  |
   |          |                 |       | o 'string'       |
   |          |                 |       |                  |
   |          |                 |       | The string       |
   |          |                 |       | type is an       |
   |          |                 |       | option in        |
   |          |                 |       | order to allow   |
   |          |                 |       | use of regular   |
   |          |                 |       | expressions.     |
   +----------+-----------------+-------+------------------+

             Figure 6: EntityStateIOSVersionType Construct

79.  EntityStateStringType

   The EntityStateStringType extends the EntitySimpleBaseType and
   describes any simple string data.

   +----------+--------------------------------+-------+---------------+
   | Property | Type                           | Count | Description   |
   +----------+--------------------------------+-------+---------------+
   | datatype | oval:SimpleDatatypeEnumeration | 1     | This value is |
   |          |                                |       | fixed as      |
   |          |                                |       | 'string'.     |
   |          |                                |       | Also allows   |
   |          |                                |       | an empty      |
   |          |                                |       | string value. |
   +----------+--------------------------------+-------+---------------+

               Table 73: EntityStateStringType Construct

80.  EntityStateRecordType

   The EntityStateRecordType extends the EntityStateComplexBaseType and
   allows assertions to be made on entities with uniquely named fields.
   It is intended to be used to assess the results of things such as SQL
   statements and similar data.

   +-----------+---------------------------------+-------+-------------+
   | Property  | Type                            | Count | Description |
   +-----------+---------------------------------+-------+-------------+
   | datatype  | oval:ComplexDatatypeEnumeration | 1     | This value  |
   |           |                                 |       | is fixed as |
   |           |                                 |       | 'record'.   |
   |           |                                 |       |             |
   | operation | oval:OperationEnumeration       | 0..1  | This value  |
   |           |                                 |       | is fixed as |
   |           |                                 |       | 'equals'.   |
   |           |                                 |       |             |
   | mask      | boolean                         | 0..1  | Tells the   |
   |           |                                 |       | data        |
   |           |                                 |       | collection  |
   |           |                                 |       | that this   |
   |           |                                 |       | entity      |
   |           |                                 |       | contains    |
   |           |                                 |       | sensitive   |
   |           |                                 |       | data.  Data |
   |           |                                 |       | marked with |
   |           |                                 |       | mask='true' |
   |           |                                 |       | should be   |
   |           |                                 |       | used only   |
   |           |                                 |       | in the      |
   |           |                                 |       | evaluation, |
   |           |                                 |       | and not be  |
   |           |                                 |       | included in |
   |           |                                 |       | the         |
   |           |                                 |       | results.    |
   |           |                                 |       | Note that   |
   |           |                                 |       | when the    |
   |           |                                 |       | mask        |
   |           |                                 |       | property is |
   |           |                                 |       | set to      |
   |           |                                 |       | 'true', all |
   |           |                                 |       | child field |
   |           |                                 |       | elements    |
   |           |                                 |       | must be     |
   |           |                                 |       | masked      |
   |           |                                 |       | regardless  |
   |           |                                 |       | of the      |
   |           |                                 |       | child       |
   |           |                                 |       | field's     |
   |           |                                 |       | mask        |
   |           |                                 |       | attribute   |
   |           |                                 |       | value.      |
   |           |                                 |       | Default     |
   |           |                                 |       | Value:      |
   |           |                                 |       | 'false'.    |
   |           |                                 |       |             |
   | var_ref   | oval:VariableIDPattern          | 0..1  | Use of this |
   |           |                                 |       | property is |
   |           |                                 |       | prohibited. |
   |           |                                 |       |             |
   | var_check | oval:CheckEnumeration           | 0..1  | Use of this |
   |           |                                 |       | property is |
   |           |                                 |       | prohibited. |
   +-----------+---------------------------------+-------+-------------+

               Table 74: EntityStateRecordType Construct

81.  EntityStateFieldType

   The EntityStateFieldType defines an entity type that captures the
   details of a single field for a record.

   +------------+----------------------+-------+-----------------------+
   | Property   | Type                 | Count | Description           |
   +------------+----------------------+-------+-----------------------+
   | attributes | EntityAttributeGroup | 1     | The standard          |
   |            |                      |       | attributes available  |
   |            |                      |       | to all entities.      |
   |            |                      |       |                       |
   | name       | string               | 1     | The name of the       |
   |            |                      |       | field.  Names MUST be |
   |            |                      |       | all lower case        |
   |            |                      |       | characters in the     |
   |            |                      |       | range of a-z.  Names  |
   |            |                      |       | MUST be unique within |
   |            |                      |       | a record.             |
   |            |                      |       |                       |
   | value      | string               | 0..1  | The value of the      |
   |            |                      |       | field.  An empty      |
   |            |                      |       | string value MUST be  |
   |            |                      |       | used when referencing |
   |            |                      |       | an OVAL Variable.     |
   +------------+----------------------+-------+-----------------------+

               Table 75: EntityStateFieldType Construct

82.  OVAL Definitions Model Schema

   The following XML Schema implements the OVAL Definitions Model.

   The following is a description of the elements, types, and
   attributes that compose the core schema for encoding Open
   Vulnerability and Assessment Language (OVAL) Definitions.  Some of
   the objects defined here are extended and enhanced by individual
   component schemas, which are described in separate documents.
Each of the elements, types, and attributes that make up the Core Definition Schema are described in detail and should provide the information necessary to understand what each represents. This document is intended for developers and assumes some familiarity with XML. A high level description of the interaction between these objects is not outlined here.

Core Definition
5.11.1
4/22/2015 09:00:00 AM
Copyright (C) 2010 United States Government. All Rights Reserved.

The oval_definitions element is the root of an OVAL Definition Document. Its purpose is to bind together the major sections of a document - generator, definitions, tests, objects, states, and variables - which are the children of the root element.

A valid OVAL Definition document must contain at least one definitions, tests, objects, states, or variables element. The optional definitions, tests, objects, states, and variables sections define the specific characteristics that should be evaluated on a system to determine the truth values of the OVAL Definition Document. To be valid though, at least one definitions, tests, objects, states, or variables element must be present.

The required generator section provides information about when the definition file was compiled and under what version.

The optional definitions section contains 1 or more definitions.

The optional tests section contains 1 or more tests.

The optional objects section contains 1 or more objects.

The optional states section contains 1 or more states.

The optional variables section contains 1 or more variables.

The optional Signature element allows an XML Signature as defined by the W3C to be attached to the document. This allows authentication and data integrity to be provided to the user. Enveloped signatures are supported. More information about the official W3C Recommendation regarding XML digital signatures can be found at http://www.w3.org/TR/xmldsig-core/.

Enforce uniqueness amongst the ids differentiating the individual definition elements.

Enforce uniqueness amongst the ids differentiating the individual test elements.

Enforce uniqueness amongst the ids differentiating the individual object elements.

Enforce uniqueness amongst the ids differentiating the individual state elements.

Enforce uniqueness amongst the ids differentiating the individual variable elements.

Requires each definition reference to refer to a valid definition id.

Requires each test reference to refer to a valid test id.

Requires each object reference to refer to a valid object id.

Requires each state reference to refer to a valid state id.

Requires each variable reference to refer to a valid variable id.

Require each object reference in a set element to refer to a valid object id.

Require each filter in a set element to refer to a valid state id.
The notes element is a container for one or more note child elements. It exists for backwards-compatibility purposes, for the pre-5.11.0 oval-def:NotesType, which has been replaced by the oval:notes element in 5.11.1.

5.11.1
Replaced by the oval:notes element.
This object has been deprecated and may be removed in a future version of the language.

DEPRECATED ELEMENT: parent ID:

The DefinitionsType complex type is a container for one or more definition elements. Each definition element describes a single OVAL Definition. Please refer to the description of the DefinitionType for more information about an individual definition.

The definition element represents the globally defined element of type DefinitionType. For more information please see the documentation on the DefinitionType.

The DefinitionType defines a single OVAL Definition. A definition is the key structure in OVAL. It is analogous to the logical sentence or proposition: if a computer's state matches the configuration parameters laid out in the criteria, then that computer exhibits the state described. The DefinitionType contains a section for various metadata related elements that describe the definition. This includes a description, version, affected system types, and reference information. The notes section of a definition should be used to hold information that might be helpful to someone examining the technical aspects of the definition. For example, why certain tests have been included in the criteria, or maybe a link to where further information can be found. The DefinitionType also (unless the definition is deprecated) contains a criteria child element that joins individual tests together with a logical operator to specify the specific computer state being described.

The required id attribute is the OVAL-ID of the Definition. The form of an OVAL-ID must follow the specific format described by the oval:DefinitionIDPattern. The required version attribute holds the current version of the definition. Versions are integers, starting at 1 and incrementing every time a definition is modified. The required class attribute indicates the specific class to which the definition belongs. The class gives a hint to a user so they can know what the definition writer is trying to say. See the definition of oval-def:ClassEnumeration for more information about the different valid classes. The optional deprecated attribute signifies that an id is no longer to be used or referenced but the information has been kept around for historic purposes.

When the deprecated attribute is set to true, the definition is considered to be deprecated. The criteria child element of a deprecated definition is optional. If a deprecated definition does not contain a criteria child element, the definition must evaluate to "not evaluated". If a deprecated definition contains a criteria child element, an interpreter should evaluate the definition as if it were not deprecated, but an interpreter may evaluate the definition to "not evaluated".

A valid OVAL Definition must contain a criteria unless the definition is a deprecated definition.

Each affected element must have a unique family attribute value.

The MetadataType complex type contains all the metadata available to an OVAL Definition. This metadata is for informational purposes only and is not part of the criteria used to evaluate machine state. The required title child element holds a short string that is used to quickly identify the definition to a human user. The affected metadata item contains information about the system(s) for which the definition has been written. Remember that this is just metadata and not part of the criteria. Please refer to the AffectedType description for more information. The required description element contains a textual description of the configuration state being addressed by the OVAL Definition. In the case of a definition from the vulnerability class, the reference is usually the Common Vulnerability and Exposures (CVE) Identifier, and this description field corresponds with the CVE description.

Additional metadata is also allowed although it is not part of the official OVAL Schema. Individual organizations can place metadata items that they feel are important and these will be skipped during the validation. All OVAL really cares about is that the stated metadata items are there.

Each affected platform element must have a unique value.

Each affected product element must have a unique value.

Each OVAL Definition is written to evaluate a certain type of system(s). The family, platform(s), and product(s) of this target are described by the AffectedType whose main purpose is to provide hints for tools using OVAL Definitions. For instance, to help a reporting tool only use Windows definitions, or to preselect only Red Hat definitions to be evaluated. Note, the inclusion of a particular platform or product does not mean the definition is physically checking for the existence of the platform or product. For the actual test to be performed, the correct test must still be included in the definition's criteria section.

The AffectedType complex type details the specific system, application, subsystem, library, etc. for which a definition has been written. If a definition is not tied to a specific product, then this element should not be included. The absence of the platform or product element can be thought of as the definition applying to all platforms or products. The inclusion of a particular platform or product does not mean the definition is physically checking for the existence of the platform or product. For the actual test to be performed, the correct test must still be included in the definition's criteria section. To increase the utility of this element, care should be taken when assigning and using strings for product names. The schema places no restrictions on the values that can be assigned, potentially leading to many different representations of the same value. For example, 'Internet Explorer' and 'IE' might be used to refer to the same product. The current convention is to fully spell out all terms, and avoid the use of abbreviations at all costs.

Please note that the AffectedType will change in future versions of OVAL in order to support the Common Platform Enumeration (CPE).

The ReferenceType complex type links the OVAL Definition to a definitive external reference. For example, CVE Identifiers are used for referencing vulnerabilities. The intended purpose for this reference is to link the definition to a variety of other sources that address the same issue being specified by the OVAL Definition.

The required source attribute specifies where the reference is coming from. In other words, it identifies the reference repository being used. The required ref_id attribute is the external id of the reference. The optional ref_url attribute is the URL to the reference.

The CriteriaType complex type describes a container for a set of sub criteria, criteria, criterion, or extend_definition elements allowing complex logical trees to be constructed. Each referenced test is represented by a criterion element. Please refer to the description of the CriterionType for more information about an individual criterion element. The optional extend_definition element allows existing definitions to be included in the criteria. Refer to the description of the ExtendDefinitionType for more information.

The required operator attribute provides the logical operator that binds the different statements inside a criteria together. The optional negate attribute signifies that the result of the criteria as a whole should be negated during analysis. For example, consider a criteria that evaluates to TRUE if certain software is installed. By negating this test, it now evaluates to TRUE if the software is NOT installed. The optional comment attribute provides a short description of the criteria.
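The criteria tree described above (a criteria element with operator and negate, criterion children that reference tests, extend_definition children that reference other definitions, and the "not evaluated" rule for a deprecated definition without criteria), as an added Python example that is not part of the OVAL schema or of any OVAL interpreter. The OperatorEnumeration values AND, OR, ONE and XOR, the dict layout and the three-valued result handling are assumptions made for this example.

```python
"""Evaluate an OVAL definition's criteria tree (added example, not OVAL code).

Models the DefinitionType, CriteriaType, CriterionType and
ExtendDefinitionType described above with plain dicts. Assumptions: the
OperatorEnumeration values AND, OR, ONE and XOR; results are the strings
'true', 'false' and 'not evaluated' (the full OVAL result enumeration also
has error, unknown and not applicable, which are not modelled here).
"""


def apply_operator(operator, results):
    """Combine child results; 'not evaluated' propagates unless the other
    children already decide the outcome."""
    n_true = results.count("true")
    n_false = results.count("false")
    undecided = "not evaluated" in results
    if operator == "AND":
        return "false" if n_false else ("not evaluated" if undecided else "true")
    if operator == "OR":
        return "true" if n_true else ("not evaluated" if undecided else "false")
    if operator == "ONE":
        if n_true > 1:
            return "false"
        return "not evaluated" if undecided else ("true" if n_true == 1 else "false")
    if operator == "XOR":
        return "not evaluated" if undecided else ("true" if n_true % 2 else "false")
    raise ValueError("unknown operator %r" % operator)


def negate(result, flag):
    """The negate attribute flips true/false; 'not evaluated' is unchanged."""
    if not flag or result == "not evaluated":
        return result
    return "false" if result == "true" else "true"


def evaluate_node(node, definitions, test_results):
    """Evaluate a criteria, criterion or extend_definition element."""
    kind = node["kind"]
    if kind == "criterion":
        # test_ref names the test; its result comes from the test evaluation
        result = "true" if test_results[node["test_ref"]] else "false"
    elif kind == "extend_definition":
        # the extended definition is evaluated and its result used here
        result = evaluate_definition(definitions[node["definition_ref"]],
                                     definitions, test_results)
    elif kind == "criteria":
        child_results = [evaluate_node(c, definitions, test_results)
                         for c in node["children"]]
        result = apply_operator(node.get("operator", "AND"), child_results)
    else:
        raise ValueError("unknown element %r" % kind)
    return negate(result, node.get("negate", False))


def evaluate_definition(definition, definitions, test_results):
    """A deprecated definition without a criteria element is 'not evaluated';
    any other definition is evaluated through its criteria."""
    if "criteria" not in definition:
        if definition.get("deprecated", False):
            return "not evaluated"
        raise ValueError("%s has no criteria but is not deprecated"
                         % definition["id"])
    return evaluate_node(definition["criteria"], definitions, test_results)


# Constructed sample: def:1 is true when the patch is NOT installed (negated
# criterion) AND the product is installed; def:2 is deprecated and kept no
# criteria; def:3 and def:4 extend both of them with OR and AND respectively.
DEFINITIONS = {
    "oval:example:def:1": {"id": "oval:example:def:1", "criteria": {
        "kind": "criteria", "operator": "AND", "children": [
            {"kind": "criterion", "test_ref": "oval:example:tst:1",
             "negate": True, "comment": "patch is installed"},
            {"kind": "criterion", "test_ref": "oval:example:tst:2",
             "comment": "product is installed"}]}},
    "oval:example:def:2": {"id": "oval:example:def:2", "deprecated": True},
    "oval:example:def:3": {"id": "oval:example:def:3", "criteria": {
        "kind": "criteria", "operator": "OR", "children": [
            {"kind": "extend_definition", "definition_ref": "oval:example:def:1"},
            {"kind": "extend_definition", "definition_ref": "oval:example:def:2"}]}},
    "oval:example:def:4": {"id": "oval:example:def:4", "criteria": {
        "kind": "criteria", "operator": "AND", "children": [
            {"kind": "extend_definition", "definition_ref": "oval:example:def:1"},
            {"kind": "extend_definition", "definition_ref": "oval:example:def:2"}]}},
}
TEST_RESULTS = {"oval:example:tst:1": False, "oval:example:tst:2": True}


def example():
    """Result of every sample definition, keyed by OVAL-ID."""
    return {def_id: evaluate_definition(d, DEFINITIONS, TEST_RESULTS)
            for def_id, d in DEFINITIONS.items()}
```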
The optional applicability_check attribute provides a Boolean flag that when true indicates that the criteria is being used to determine whether the OVAL Definition applies to a given system.

The CriterionType complex type identifies a specific test to be included in the definition's criteria.

The required test_ref attribute is the actual id of the test being referenced. The optional negate attribute signifies that the result of an individual test should be negated during analysis. For example, consider a test that evaluates to TRUE if a specific patch is installed. By negating this test, it now evaluates to TRUE if the patch is NOT installed. The optional comment attribute provides a short description of the specified test and should mirror the comment attribute of the actual test.

The optional applicability_check attribute provides a Boolean flag that when true indicates that the criterion is being used to determine whether the OVAL Definition applies to a given system.

The ExtendDefinitionType complex type allows existing definitions to be extended by another definition. This works by evaluating the extended definition and then using the result within the logical context of the extending definition.

The required definition_ref attribute is the actual id of the definition being extended. The optional negate attribute signifies that the result of an extended definition should be negated during analysis. For example, consider a definition that evaluates TRUE if certain software is installed. By negating the definition, it now evaluates to TRUE if the software is NOT installed. The optional comment attribute provides a short description of the specified definition and should mirror the title metadata of the extended definition.

The optional applicability_check attribute provides a Boolean flag that when true indicates that the extend_definition is being used to determine whether the OVAL Definition applies to a given system.

The TestsType complex type is a container for one or more test child elements. Each test element describes a single OVAL Test. Please refer to the description of the TestType for more information about an individual test.

The test element is an abstract element that is meant to be extended (via substitution groups) by the individual tests found in the component schemas. An OVAL Test is used to compare an object(s) against a defined state. An actual test element is not valid. The use of this abstract class simplifies the OVAL schema by allowing individual tests to inherit the optional notes child element, and the id and comment attributes from the base TestType. Please refer to the description of the TestType complex type for more information.

The base type of every test includes an optional notes element and several attributes. The notes section of a test should be used to hold information that might be helpful to someone examining the technical aspects of the test. For example, why certain values have been used by the test, or maybe a link to where further information can be found. Please refer to the description of the NotesType complex type for more information about the notes element. The required comment attribute provides a short description of the test. The optional deprecated attribute signifies that an id is no longer to be used or referenced but the information has been kept around for historic purposes.

The required id attribute uniquely identifies each test, and must conform to the format specified by the TestIdPattern simple type. The required version attribute holds the current version of the test. Versions are integers, starting at 1 and incrementing every time a test is modified.

The optional check_existence attribute specifies how many items in the set defined by the OVAL Object must exist for the test to evaluate to true. The default value for this attribute is 'at_least_one_exists' indicating that by default the test may evaluate to true if at least one item defined by the OVAL Object exists on the system. For example, if a value of 'all_exist' is given, every item defined by the OVAL Object must exist on the system for the test to evaluate to true. If the OVAL Object uses a variable reference, then every value of that variable must exist. Note that a pattern match defines a unique set of matching items found on a system. So when check_existence = 'all_exist' and a regex matches anything on a system the test will evaluate to true (since all matching objects on the system were found on the system). When check_existence = 'all_exist' and a regex does not match anything on a system the test will evaluate to false.

The required check attribute specifies how many items in the set defined by the OVAL Object (ignoring items with a status of Does Not Exist) must satisfy the state requirements. For example, should the test check that all matching files have a specified version or that at least one file has the specified version? The valid check values are explained in the description of the CheckEnumeration simple type. Note that if the test does not contain any references to OVAL States, then the check attribute has no meaning and can be ignored during evaluation.

An OVAL Test evaluates to true if both the check_existence and check attributes are satisfied during evaluation. The evaluation result for a test is determined by first evaluating the check_existence attribute. If the result of evaluating the check_existence attribute is true then the check attribute is evaluated. An interpreter may choose to always evaluate both the check_existence and the check attributes, but once the check_existence attribute evaluation has resulted in false the overall test result after evaluating the check attribute will not be affected.

The optional state_operator attribute provides the logical operator that combines the evaluation results from each referenced state on a per item basis. Each matching item is compared to each referenced state. The result of comparing each state to a single item is combined based on the specified state_operator value to determine one result for each item. Finally, the results for each item are combined based on the specified check value. Note that if the test does not contain any references to OVAL States, then the state_operator attribute has no meaning and can be ignored during evaluation. Referencing multiple states in one test allows ranges of possible values to be expressed. For example, one state can check that a value greater than 8 is found and another state can check that a value of less than 16 is found. In this example the referenced states are combined with a state_operator = 'AND' indicating that the conditions of all referenced states must be satisfied and that the value must be between 8 AND 16. The valid state_operator values are explained in the description of the OperatorEnumeration simple type.

- No state should be referenced when check_existence has a value of 'none_exist'.

The ObjectRefType complex type defines an object reference to be used by OVAL Tests that are defined in the component schemas. The required object_ref attribute specifies the id of the OVAL Object being referenced.

The StateRefType complex type defines a state reference to be used by OVAL Tests that are defined in the component schemas. The required state_ref attribute specifies the id of the OVAL State being referenced.

The ObjectsType complex type is a container for one or more object child elements. Each object element provides details that define a unique set of matching items to be used by an OVAL Test. Please refer to the description of the object element for more information about an individual object.

The object element is an abstract element that is meant to be extended (via substitution groups) by the objects found in the component schemas. An actual object element is not valid. The use of this abstract element simplifies the OVAL schema by allowing individual objects to inherit any common elements and attributes from the base ObjectType. Please refer to the description of the ObjectType complex type for more information.

An object is used to identify a set of items to collect. The author of a schema object must define sufficient object entities to allow a user to identify a unique item to be collected.

A simple object typically results in a single file, process, etc. being identified. But through the use of pattern matches, sets, and variables, multiple matching items can be identified. The set of items matching the object can then be used by an OVAL test and compared against an OVAL state.

The base type of every object includes an optional notes element. The notes element of an object should be used to hold information that might be helpful to someone examining the technical aspects of the object. For example, why certain values have been used, or maybe a link to where further information can be found. Please refer to the description of the NotesType complex type for more information about the notes element.

The required id attribute uniquely identifies each object, and must conform to the format specified by the ObjectIdPattern simple type. The required version attribute holds the current version of the object element. Versions are integers, starting at 1 and incrementing every time an object is modified. The optional comment attribute provides a short description of the object. The optional deprecated attribute signifies that an id is no longer to be used or referenced but the information has been kept around for historic purposes.

The set element enables complex objects to be described. It is a recursive element in that each set element can contain additional set elements as children. Each set element defines characteristics that produce a matching unique set of items. This set of items is defined by one or two references to OVAL Objects that provide the criteria needed to collect a set of system items. These items can have one or more filters applied to allow a subset of those items to be specifically included or excluded from the overall set of items.

The set element's object_reference refers to an existing OVAL Object. The set element's filter element provides a reference to an existing OVAL State and includes an optional action attribute. The filter's action attribute allows the author to specify whether matching items should be included or excluded from the overall set. The default filter action is to exclude all matching items. In other words, the filter can be thought of as filtering items out by default.

Each filter is applied to the items identified by each OVAL Object before the set_operator is applied. For example, if an object_reference points to an OVAL Object that identifies every file in a certain directory, a filter might be set up to limit the object set to only those files with a size less than 10 KB. If multiple filters are provided, then each filter is applied to the set of items identified by the OVAL Object. Care must be taken to ensure that conflicting filters are not applied. It is possible to exclude all items with a size of 10 KB and then include only items with a size of 10 KB. This example would result in the empty set.

The required set_operator attribute defines how different child sets are combined to form the overall unique set of objects. For example, does one take the union of different sets or the intersection?
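The set element semantics described above (one or two object references or child sets, filters applied per object before the set_operator, include and exclude actions with exclude as the default, and the conflicting-filter case that yields the empty set), as an added Python example that is not OVAL's own code. The SetOperatorEnumeration values UNION, INTERSECTION and COMPLEMENT, the dict layout and the (path, size_kb) item shape are assumptions made for this example.

```python
"""Resolve an OVAL set element to the items it identifies (added example,
not OVAL's own code).

Models the set element described above: either one or two object references
with optional filters, or one or two child sets, combined with set_operator.
A filter references a state and carries an action of 'include' or 'exclude'
(the default). Assumed SetOperatorEnumeration values, which this page only
refers to: UNION, INTERSECTION and COMPLEMENT. Items are (path, size_kb)
tuples; a state is modelled as a predicate over an item.
"""


def apply_filters(items, filters, states):
    """Apply every filter to one object's items, in order, before set_operator.
    'exclude' drops matching items; 'include' keeps only matching items."""
    result = list(items)
    for flt in filters:
        matches = states[flt["state_ref"]]
        action = flt.get("action", "exclude")
        if action == "exclude":
            result = [i for i in result if not matches(i)]
        elif action == "include":
            result = [i for i in result if matches(i)]
        else:
            raise ValueError("unknown filter action %r" % action)
    return result


def combine_sets(set_operator, first, second):
    """Combine two operand item lists, keeping first-seen order."""
    if set_operator == "UNION":
        return first + [i for i in second if i not in first]
    if set_operator == "INTERSECTION":
        return [i for i in first if i in second]
    if set_operator == "COMPLEMENT":
        return [i for i in first if i not in second]
    raise ValueError("unknown set_operator %r" % set_operator)


def resolve_set(node, objects, states):
    """Return the items of a set element, recursing into child sets."""
    if "sets" in node:
        # a set holds either child sets or object references, never both
        operands = [resolve_set(child, objects, states) for child in node["sets"]]
    else:
        # filters apply to each referenced object's items before set_operator
        operands = [apply_filters(objects[ref], node.get("filters", []), states)
                    for ref in node["object_references"]]
    if len(operands) == 1:
        return operands[0]
    return combine_sets(node.get("set_operator", "UNION"), *operands)


# Constructed sample: two file objects and two states over the file size.
OBJECTS = {
    "oval:example:obj:1": [("/etc/app/a.conf", 4), ("/etc/app/b.conf", 12),
                           ("/etc/app/c.conf", 10)],
    "oval:example:obj:2": [("/etc/app/b.conf", 12), ("/etc/app/d.conf", 2)],
}
STATES = {
    "oval:example:ste:1": lambda item: item[1] < 10,   # size less than 10 KB
    "oval:example:ste:2": lambda item: item[1] == 10,  # size of exactly 10 KB
}


def example():
    """The page's filter cases plus combined and nested sets."""
    obj1 = ["oval:example:obj:1"]
    # only files smaller than 10 KB (the 'limit the object set' example)
    small = {"object_references": obj1, "filters": [
        {"state_ref": "oval:example:ste:1", "action": "include"}]}
    # default action is exclude: the 10 KB file is filtered out
    not_ten = {"object_references": obj1, "filters": [
        {"state_ref": "oval:example:ste:2"}]}
    # conflicting filters: exclude 10 KB, then include only 10 KB -> empty set
    conflict = {"object_references": obj1, "filters": [
        {"state_ref": "oval:example:ste:2"},
        {"state_ref": "oval:example:ste:2", "action": "include"}]}
    both = {"object_references": ["oval:example:obj:1", "oval:example:obj:2"],
            "set_operator": "INTERSECTION"}
    nested = {"sets": [both, small], "set_operator": "UNION"}
    return {name: resolve_set(s, OBJECTS, STATES) for name, s in
            [("small", small), ("not_ten", not_ten), ("conflict", conflict),
             ("both", both), ("nested", nested)]}
```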
For a description of the 3829 valid values please refer to the 3830 SetOperatorEnumeration simple 3831 type. 3832 3833 3834 3838 - Each object referenced by the 3844 set must be of the same type as 3845 parent object 3846 3847 3852 - Each 3858 object referenced by the set must be 3859 of the same type as parent 3860 object 3861 3862 3867 - Each 3873 object referenced by the set must be 3874 of the same type as parent 3875 object 3876 3877 3878 3879 3880 3881 3882 3883 3885 3886 3887 3890 3892 3893 3894 3897 3898 3899 3900 3901 The filter element 3902 provides a reference to an existing OVAL 3903 State and includes an optional action 3904 attribute. The action attribute is used to 3905 specify whether items that match the 3906 referenced OVAL State will be included in 3907 the resulting set or excluded from the 3908 resulting set. 3909 3910 3911 3912 3913 3916 3917 3918 3919 3921 3922 3923 3924 3925 3926 The StatesType complex 3927 type is a container for one or more state 3928 child elements. Each state provides 3929 details about specific characteristics 3930 that can be used during an evaluation of 3931 an object. Please refer to the description 3932 of the state element for more information 3933 about an individual 3934 state. 3935 3936 3937 3939 3940 3941 3943 3944 The state element is an 3945 abstract element that is meant to be 3946 extended (via substitution groups) by the 3947 states found in the component schemas. An 3948 actual state element is not valid. The use 3949 of this abstract class simplifies the OVAL 3950 schema by allowing individual states to 3951 inherit the optional notes child element, 3952 and the id and operator attributes from 3953 the base StateType. Please refer to the 3954 description of the StateType complex type 3955 for more information. 3956 An OVAL State is a 3957 collection of one or more characteristics 3958 pertaining to a specific object type. 
The OVAL State is used by an OVAL Test to determine if a unique set of items identified on a system meet certain characteristics.

The base type of every state includes an optional notes element and two attributes. The notes section of a state should be used to hold information that might be helpful to someone examining the technical aspects of the state. For example, why certain values have been used by the state, or maybe a link to where further information can be found. Please refer to the description of the NotesType complex type for more information about the notes element.

The required id attribute uniquely identifies each state, and must conform to the format specified by the StateIdPattern simple type. The required version attribute holds the current version of the state. Versions are integers, starting at 1 and incrementing every time a state is modified. The required operator attribute provides the logical operator that binds the different characteristics inside a state together. The optional comment attribute provides a short description of the state. The optional deprecated attribute signifies that an id is no longer to be used or referenced but the information has been kept around for historic purposes.

When evaluating a particular state against an object, one should evaluate each individual entity separately. The individual results are then combined by the operator to produce an overall result. This process holds true even when there are multiple instances of the same entity. Evaluate each instance separately, taking the entity check attribute into account, and then combine everything using the operator.
The VariablesType complex type is a container for one or more variable child elements. Each variable element is a way to define one or more values to be obtained at the time a definition is evaluated.

The variable element is an abstract element that is meant to be extended (via substitution groups) by the different types of variables. An actual variable element is not valid. The different variable types describe different sources for obtaining a value(s) for the variable. There are currently three types of variables: local, external, and constant. Please refer to the description of each one for more specific information. The value(s) of a variable is treated as if it were inserted where referenced. One of the main benefits of variables is that they allow tests to evaluate user-defined policy. For example, an OVAL Test might check to see if a password is at least a certain number of characters long, but this number depends upon the individual policy of the user. To solve this, the test for password length can be written to refer to a variable element that defines the length.

If a variable defines a collection of values, any entity that references the variable will evaluate to true depending on the value of the var_check attribute. For example, if an entity 'size' with an operation of 'less than' references a variable that returns five different integers, and the var_check attribute has a value of 'all', then the 'size' entity returns true only if the actual size is less than each of the five integers defined by the variable. If a variable does not return any value, then an error should be reported during OVAL analysis.
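The var_check rule above, as an added Python example that is not part of the draft: the entity's operation is applied once per variable value and var_check combines the individual results; an empty variable is an analysis error. The function name and the sample values are this example's own assumptions; the var_check values are the OVAL CheckEnumeration values 'all', 'at least one', 'none satisfy' and 'only one'.

```python
"""Added example (not part of the OVAL draft): evaluating an entity that
references a multi-valued variable under var_check. evaluate_entity and the
sample values are this example's own assumptions."""
import operator

# Entity operations used here, by their OVAL OperationEnumeration names.
OPERATIONS = {
    "equals": operator.eq, "not equal": operator.ne,
    "less than": operator.lt, "less than or equal": operator.le,
    "greater than": operator.gt, "greater than or equal": operator.ge,
}


def evaluate_entity(actual, operation, variable_values, var_check="all"):
    """Compare one collected entity value against every value of a variable.

    The operation is applied once per variable value, as if each value had been
    written into the entity, and var_check decides how the individual results
    combine. A variable that returns no values is an analysis error.
    """
    if not variable_values:
        raise ValueError("variable returned no values; report an error during analysis")
    if operation not in OPERATIONS:
        raise ValueError(f"unsupported operation {operation!r}")
    results = [OPERATIONS[operation](actual, value) for value in variable_values]
    if var_check == "all":
        return all(results)
    if var_check == "at least one":
        return any(results)
    if var_check == "none satisfy":
        return not any(results)
    if var_check == "only one":
        return results.count(True) == 1
    raise ValueError(f"unknown var_check {var_check!r}")


if __name__ == "__main__":
    # The text's example: a 'size' entity with 'less than' against five integers.
    size_limits = [2048, 4096, 1024, 8192, 1500]  # constructed variable values
    print(evaluate_entity(900, "less than", size_limits, "all"))    # below every limit
    print(evaluate_entity(1200, "less than", size_limits, "all"))   # not below 1024
    # The password-length policy example: the minimum length comes from the variable.
    print(evaluate_entity(14, "greater than or equal", [12], "all"))
```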
The VariableType complex type defines attributes associated with each OVAL Variable. The required id attribute uniquely identifies each variable, and must conform to the format specified by the VariableIDPattern simple type. The required version attribute holds the current version of the variable. Versions are integers, starting at 1 and incrementing every time a variable is modified. The required comment attribute provides a short description of the variable. The optional deprecated attribute signifies that an id is no longer to be used or referenced but the information has been kept around for historic purposes.

The required datatype attribute specifies the type of value being defined. The set of values identified by a variable must comply with the specified datatype, otherwise an error should be reported. Please see the DatatypeEnumeration for details about each valid datatype. For example, if the datatype of the variable is specified as boolean then the value(s) returned by the component / function should be "true", "false", "1", or "0".

Note that the 'record' datatype is not permitted on variables. The notes section of a variable should be used to hold information that might be helpful to someone examining the technical aspects of the variable. Please refer to the description of the NotesType complex type for more information about the notes element.

The external_variable element extends the VariableType and defines a variable with some external source.
The actual value(s) for the variable is not provided within the OVAL file, but rather it is retrieved during the evaluation of the OVAL Definition from an external source. An unbounded set of possible_value and possible_restriction child elements can be specified that together specify the list of all possible values that an external source is allowed to supply for the external variable. In other words, the value assigned by an external source must match one of the possible_value or possible_restriction elements specified. Each possible_value element contains a single value that could be assigned to the given external_variable while each possible_restriction element outlines a range of possible values. Note that it is not necessary to declare a variable's possible values, but the option is available if desired. If no possible child elements are specified, then the valid values are only bound to the specified datatype of the external variable. Please refer to the description of the PossibleValueType and PossibleRestrictionType complex types for more information.

The PossibleValueType complex type is used to outline a single expected value of an external variable. The required hint attribute gives a short description of what the value means or represents.

The PossibleRestrictionType complex type outlines a range of possible expected values of an external variable. Each possible_restriction element contains an unbounded list of child restriction elements that each specify a range that an actual value may fall in. For example, a restriction element may specify that a value must be less than 10.
When multiple restriction elements are present, a valid possible value's evaluation is based on the operator attribute. The operator attribute is set to AND by default. Other valid operator values are explained in the description of the OperatorEnumeration simple type. One can think of the possible_value and possible_restriction elements as an OR'd list of possible values, with each possible_restriction element using the selected operator to evaluate its own list of restrictions. Please refer to the description of the RestrictionType complex type for more information. The required hint attribute gives a short description of what the value means or represents.

The RestrictionType complex type outlines a restriction that is placed on expected values for an external variable. For example, a possible value may be restricted to an integer less than 10. Please refer to the OperationEnumeration simple type for a description of the valid operations. The required hint attribute gives a short description of what the value means or represents.

The constant_variable element extends the VariableType and defines a variable with a constant value(s). Each constant_variable defines either a single value or a collection of values to be used throughout the evaluation of the OVAL Definition File in which it has been defined. Constant variables cannot be overridden by an external source. The actual value of a constant variable is defined by the required value child element. A collection of values can be specified by including multiple instances of the value element. Please refer to the description of the ValueType complex type for more information.
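The external_variable validation described above (datatype compliance, then an OR over possible_value and possible_restriction elements, each possible_restriction combining its restrictions with its operator, AND by default), as an added Python example that is not part of the draft. The Restriction and PossibleRestriction classes, the helper functions and the listening-port declaration are this example's own constructed assumptions; the operator names are the OVAL OperatorEnumeration values AND, OR, ONE and XOR and the operation names are OperationEnumeration values.

```python
"""Added example (not part of the OVAL draft): checking a value supplied by an
external source against an external_variable's declared datatype,
possible_value and possible_restriction elements. The classes, helpers and
sample declaration are this example's own assumptions."""
import operator
from dataclasses import dataclass

OPERATIONS = {
    "equals": operator.eq, "not equal": operator.ne,
    "less than": operator.lt, "less than or equal": operator.le,
    "greater than": operator.gt, "greater than or equal": operator.ge,
}


@dataclass
class Restriction:
    operation: str   # an OperationEnumeration name
    value: str       # written as text in the document, cast to the datatype
    hint: str = ""


@dataclass
class PossibleRestriction:
    restrictions: list
    operator: str = "AND"   # AND (default), OR, ONE, XOR
    hint: str = ""


def coerce_value(raw, datatype):
    """Cast the externally supplied text to the variable's datatype; a value
    that does not comply with the datatype is an error."""
    if datatype == "int":
        return int(raw)
    if datatype == "float":
        return float(raw)
    if datatype == "boolean":
        if raw in ("true", "1"):
            return True
        if raw in ("false", "0"):
            return False
        raise ValueError(f"{raw!r} is not a boolean value")
    if datatype == "string":
        return raw
    raise ValueError(f"unsupported datatype {datatype!r}")


def combine(results, op):
    """Combine one possible_restriction's restriction results with its operator."""
    if op == "AND":
        return all(results)
    if op == "OR":
        return any(results)
    if op == "ONE":
        return results.count(True) == 1
    if op == "XOR":
        return results.count(True) % 2 == 1
    raise ValueError(f"unknown operator {op!r}")


def external_value_allowed(raw, datatype, possible_values=(), possible_restrictions=()):
    """True when the supplied value equals one possible_value or satisfies one
    possible_restriction. With neither declared, only the datatype bounds it."""
    value = coerce_value(raw, datatype)
    if not possible_values and not possible_restrictions:
        return True
    if any(value == coerce_value(pv, datatype) for pv in possible_values):
        return True
    for pr in possible_restrictions:
        results = [
            OPERATIONS[r.operation](value, coerce_value(r.value, datatype))
            for r in pr.restrictions
        ]
        if combine(results, pr.operator):
            return True
    return False


# Constructed declaration: a port variable that may be 22 or any unprivileged
# port, i.e. 1024 <= port < 65536 (restrictions ANDed by default).
PORT_POSSIBLE_VALUES = ["22"]
PORT_POSSIBLE_RESTRICTIONS = [
    PossibleRestriction(
        restrictions=[
            Restriction("greater than or equal", "1024", "unprivileged"),
            Restriction("less than", "65536", "valid port number"),
        ],
        hint="any unprivileged port",
    ),
]

if __name__ == "__main__":
    for candidate in ("22", "8080", "80"):
        print(candidate, external_value_allowed(candidate, "int",
                                                PORT_POSSIBLE_VALUES, PORT_POSSIBLE_RESTRICTIONS))
```

Declaring possible values matters for a defender because the external source is outside the signed definition content: an interpreter that enforces them rejects a supplied value the definition author never meant to allow, instead of silently evaluating policy against it.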
The ValueType complex type holds the actual value of the variable when dealing with a constant variable. This value should be used by all tests that reference this variable. The value cannot be overridden by an external source.

The local_variable element extends the VariableType and defines a variable with some local source. The actual value(s) for the variable is not provided in the OVAL Definition document but rather it is retrieved during the evaluation of the OVAL Definition. Each local variable is defined by either a single component or a complex function, meaning that a value can be as simple as a literal string or as complex as multiple registry keys concatenated together. Note that if an individual component is used and it returns a collection of values, then there will be multiple values associated with the local_variable. For example, if an object_component is used and it references a file object that identifies a set of 5 files, then the local variable would evaluate to a collection of those 5 values. Please refer to the description of the ComponentGroup for more information.

Any value that is pulled directly off the local system is defined by the basic component element. For example, the name of a user or the value of a registry key. Please refer to the definition of the ObjectComponentType for more information. A value can also be obtained from another variable. The variable element identifies a variable id to pull a value(s) from. Please refer to the definition of the VariableComponentType for more information. Literal values can also be specified.
The LiteralComponentType complex type defines a literal value to be used as a component. The optional datatype attribute defines the type of data expected. The default datatype is 'string'.

The 'record' datatype is prohibited on variables.

The ObjectComponentType complex type defines a specific value or set of values on the local system to obtain.

The required object_ref attribute provides a reference to an existing OVAL Object declaration. The referenced OVAL Object specifies a set of OVAL Items to collect. Note that an OVAL Object might identify 0, 1, or many OVAL Items on a system. If no items are found on the system then an error should be reported when determining the value of an ObjectComponentType. If 1 or more OVAL Items are found then each OVAL Item will be considered and the ObjectComponentType may have one or more values.

The required item_field attribute specifies the name of the entity whose value will be retrieved from each OVAL Item collected by the referenced OVAL Object. For example, if the object_ref references a win-def:file_object, the item_field may specify the 'version' entity as the field to use as the value of the ObjectComponentType. Note that an OVAL Item may have 0, 1, or many entities whose name matches the specified item_field value. If an entity is not found with a name that matches the value of the item_field an error should be reported when determining the value of an ObjectComponentType. If 1 or more matching entities are found in a single OVAL Item the value of the ObjectComponentType is the list of the values from each of the matching entities.
The optional record_field attribute specifies the name of a field in a record entity in an OVAL Item. The record_field attribute allows the value of a specific field to be retrieved from an entity with a datatype of 'record'. If a field with a matching name attribute value is not found in the referenced OVAL Item entity an error should be reported when determining the value of the ObjectComponentType.

The VariableComponentType complex type defines a specific value obtained by looking at the value of another OVAL Variable. The required var_ref attribute provides a reference to the variable. One must make sure that the variable reference does not point to the parent variable that uses this component to avoid a race condition.

Complex functions have been defined that help determine how to manipulate specific values. These functions can be nested together to form complex statements. Each function is designed to work on a specific type of data. If the data being worked on is not of the correct type, a cast should be attempted before reporting an error. For example, if a concat function includes a registry component that returns an integer, then the integer should be cast as a string in order to work with the concat function. Note that if the operation being applied to the variable by the calling entity is "pattern match", then all the functions are performed before the regular expression is evaluated. In short, the variable would produce a value as normal and then any pattern match operation would be performed.
It is also important to note that when using these functions with sub-components that return a collection of values, the operation will be performed on the Cartesian product of the components and the result is also a collection of values. For example, assume a local_variable specifies the arithmetic function with an arithmetic_operation of "add" and has two sub-components under this function: the first component returns "1" and "2", and the second component returns "3" and "4" and "5". The local_variable element would be evaluated to have a collection of six values: 1+3, 1+4, 1+5, 2+3, 2+4, and 2+5. Please refer to the description of a specific function for more details about it.

The arithmetic function takes two or more integer or float components and performs a basic mathematical function on them. The result of this function is a single integer or float unless one of the components returns a collection of values. In this case the specified arithmetic function would be performed multiple times and the end result would also be a collection of values for the local variable. For example, assume a local_variable specifies the arithmetic function with an arithmetic_operation of "add" and has two sub-components under this function: the first component returns "1" and "2", and the second component returns "3" and "4" and "5". The local_variable element would be evaluated to be a collection of six values: 1+3, 1+4, 1+5, 2+3, 2+4, and 2+5.

Note that if both integer and float components are used then the result is a float.

A literal_component used by an arithmetic function must have a datatype of float or int.
The variable referenced by the arithmetic function must have a datatype of float or int.

The begin function takes a single string component and defines a character (or string) that the component string should start with. The character attribute defines the specific character (or string). The character (or string) is only added to the component string if the component string does not already start with the specified character (or string). If the component string does not start with the specified character (or string), the entire character (or string) will be prepended to the component string.

A literal_component used by the begin function must have a datatype of string.

The variable referenced by the begin function must have a datatype of string.

The concat function takes two or more components and concatenates them together to form a single string. The first component makes up the beginning of the resulting string and any following components are added to the end of it. If one of the components returns multiple values then the concat function would be performed multiple times and the end result would be a collection of values for the local variable. For example, assume a local variable has two sub-components: a basic component element that returns the values "abc" and "def", and a literal component element that has a value of "xyz". The local_variable element would evaluate to a collection of two values, "abcxyz" and "defxyz". If one of the components does not exist, then the result of the concat operation should be does not exist.
Below is a chart that specifies how to classify the flag status of a variable using the concat function during evaluation when multiple components are supplied. Both the object and variable component are indirectly associated with collected objects in a system characteristics file. These objects could have been completely collected from the system, or there might have been some type of error that led to the object not being collected, or maybe only a part of the object set was collected. This flag status is important as OVAL Objects or OVAL States that are working with a variable (through the var_ref attribute on an entity) can use this information to report more accurate results. For example, an OVAL Test with a check attribute of 'at least one' that specifies an object with a variable reference might be able to produce a valid result based on an incomplete object set as long as one of the objects in the set is true.

                    num of components with flag
           E   |  C   |  I   | DNE  |  NC  |  NA   || resulting flag is
         ------|------|------|------|------|-------||------------------
           1+  |  0+  |  0+  |  0+  |  0+  |  0+   || Error
           0   |  1+  |  0   |  0   |  0   |  0    || Complete
           0   |  0+  |  1+  |  0   |  0   |  0    || Incomplete
           0   |  0+  |  0+  |  1+  |  0   |  0    || Does Not Exist
           0   |  0+  |  0+  |  0+  |  1+  |  0    || Not Collected
           0   |  0+  |  0+  |  0+  |  0+  |  1+   || Not Applicable
         ------|------|------|------|------|-------||------------------

A literal_component used by the concat function must have a datatype of string.

The variable referenced by the concat function must have a datatype of string.
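The Cartesian-product rule for multi-valued components (stated above for the arithmetic function), the concat function with its "does not exist" result, and the flag chart just given, together as one added Python example that is not part of the draft. The function names, the use of None for a component that does not exist and the sample values are this example's own assumptions; the flag names are the OVAL FlagEnumeration values and 'add' and 'multiply' are ArithmeticEnumeration values.

```python
"""Added example (not part of the OVAL draft): functions over multi-valued
components (arithmetic, concat) and the concat flag chart. Function names,
the None convention and the sample values are this example's assumptions."""
from itertools import product


def as_number(text):
    """Cast a component value to int when possible, otherwise float."""
    try:
        return int(text)
    except ValueError:
        return float(text)


def arithmetic(arithmetic_operation, *components):
    """Apply 'add' or 'multiply' across the Cartesian product of the components.
    Each component is a list of string values; there is one result per
    combination, and it is a float as soon as any operand is a float."""
    if len(components) < 2:
        raise ValueError("arithmetic takes two or more components")
    results = []
    for combination in product(*components):
        operands = [as_number(v) for v in combination]
        if arithmetic_operation == "add":
            total = sum(operands)
        elif arithmetic_operation == "multiply":
            total = 1
            for operand in operands:
                total *= operand
        else:
            raise ValueError(f"unknown arithmetic_operation {arithmetic_operation!r}")
        results.append(total)
    return results


def concat(*components):
    """Concatenate across the Cartesian product of the components. None models a
    component that does not exist, which makes the whole result 'does not
    exist' (None) rather than a list."""
    if len(components) < 2:
        raise ValueError("concat takes two or more components")
    if any(component is None for component in components):
        return None
    return ["".join(combination) for combination in product(*components)]


def concat_flag(component_flags):
    """Classify the variable's flag from its components' flags per the chart.
    The chart's rows are disjoint: an error anywhere wins, then the most
    specific remaining flag reading the chart from the bottom row upward."""
    counts = {flag: component_flags.count(flag) for flag in set(component_flags)}
    if counts.get("error"):
        return "error"
    if counts.get("not applicable"):
        return "not applicable"
    if counts.get("not collected"):
        return "not collected"
    if counts.get("does not exist"):
        return "does not exist"
    if counts.get("incomplete"):
        return "incomplete"
    if counts.get("complete") and len(counts) == 1:
        return "complete"
    raise ValueError(f"unrecognised flags {sorted(counts)}")


if __name__ == "__main__":
    # The text's example: "1","2" added to "3","4","5" gives six values.
    print(arithmetic("add", ["1", "2"], ["3", "4", "5"]))
    print(concat(["abc", "def"], ["xyz"]))
    # One incompletely collected object makes the concatenated variable incomplete,
    # which a test with check='at least one' can still evaluate.
    print(concat_flag(["complete", "incomplete"]))
```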
The end function takes a single string component and defines a character (or string) that the component string should end with. The character attribute defines the specific character (or string). The character (or string) is only added to the component string if the component string does not already end with the specified character (or string). If the desired end character is a string, then the entire end string must exist at the end of the component string. If the entire end string is not present then the entire end string is appended to the component string.

A literal_component used by the end function must have a datatype of string.

The variable referenced by the end function must have a datatype of string.

The escape_regex function takes a single string component and escapes all of the regular expression characters. If the string sub-component contains multiple values, then the escape_regex function will be applied to each individual value and return a multiple-valued result. For example, the string '(\.test_string*)?' will evaluate to '\(\\\.test_string\*\)\?'. The purpose for this is that many times, a component used in a pattern match needs to be treated as a literal string and not a regular expression. For example, assume a basic component element that identifies a file path that is held in the Windows registry. This path is a string that might contain regular expression characters. These characters are likely not intended to be treated as regular expression characters and need to be escaped. This function allows a definition writer to convert the values of components to regular expression format.
Note that when using regular expressions, OVAL supports a common subset of the regular expression character classes, operations, expressions and other lexical tokens defined within Perl 5's regular expression specification. The set of Perl metacharacters which must be escaped by this function is as follows, enclosed by single quotes: '^$\.[](){}*+?|'. For more information on the supported regular expression syntax in OVAL see: http://oval.mitre.org/language/about/re_support_5.6.html.

A literal_component used by the escape_regex function must have a datatype of string.

The variable referenced by the escape_regex function must have a datatype of string.

The split function takes a single string component and turns it into a collection of values based on a delimiter string. For example, assume that a basic component element returns the value "a-b-c-d" to the split function with the delimiter set to "-". The local_variable element would be evaluated to have four values "a", "b", "c", and "d". If the basic component returns a value that begins, or ends, with a delimiter, the local_variable element would contain empty string values at the beginning, or end, of the collection of values returned for that string component. For example, if the delimiter is "-", and the basic component element returns the value "-a-a-", the local_variable element would evaluate to a collection of four values "", "a", "a", and "". Likewise, if the basic component element returns a value that contains adjacent delimiters such as "---", the local_variable element would evaluate to a collection of four values "", "", "", and "".
Lastly, if the basic component element used by the split function returns a collection of values, then the split function is performed multiple times, and all of the results, from each of the split functions, are returned.

A literal_component used by the split function must have a datatype of string.

The variable referenced by the split function must have a datatype of string.

The substring function takes a single string component and produces a single value that contains a portion of the original string. The substring_start attribute defines the starting position in the original string. To include the first character of the string, the start position would be 1. A value less than 1 also means that the start position would be 1. If the substring_start attribute has a value greater than the length of the original string an error should be reported. The substring_length attribute defines how many characters after, and including, the starting character to include. A substring_length value greater than the actual length of the string, or a negative value, means to include all of the characters after the starting character. For example, assume a basic component element that returns the value "abcdefg" with a substring_start value of 3 and a substring_length value of 2. The local_variable element would evaluate to have a single value of "cd". If the string component used by the substring function returns a collection of values, then the substring operation is performed multiple times and results in a collection of values for the component.

A literal_component used by the substring function must have a datatype of string.
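The single-component string functions described above (begin, end, escape_regex, split and substring), as one added Python example that is not part of the draft, each applied to every value of a multi-valued component. The function names and the sample values are this example's own assumptions; the metacharacter set is the one the escape_regex text lists, and the edge cases (leading, trailing and adjacent delimiters; substring_start below 1 or past the end; negative or oversized substring_length) follow the text.

```python
"""Added example (not part of the OVAL draft): the begin, end, escape_regex,
split and substring functions applied value by value. Function names and
sample values are this example's own assumptions."""

# The Perl metacharacters the text says escape_regex must escape.
REGEX_METACHARACTERS = set(r"^$\.[](){}*+?|")


def begin(character, values):
    """Prepend `character` to each value that does not already start with it."""
    return [v if v.startswith(character) else character + v for v in values]


def end(character, values):
    """Append `character` to each value that does not already end with it;
    for a multi-character string the entire string must already be present."""
    return [v if v.endswith(character) else v + character for v in values]


def escape_regex(values):
    """Backslash-escape every metacharacter so each value matches literally
    when later used in a pattern match."""
    return ["".join("\\" + c if c in REGEX_METACHARACTERS else c for c in v) for v in values]


def split(delimiter, values):
    """Split each value on the delimiter and flatten the results. Leading,
    trailing and adjacent delimiters produce empty strings, as the text says."""
    if not delimiter:
        raise ValueError("split needs a non-empty delimiter")
    return [part for v in values for part in v.split(delimiter)]


def substring(substring_start, substring_length, values):
    """1-based start: values below 1 mean 1, a start beyond the string is an
    error; a negative or oversized length means 'to the end of the string'."""
    results = []
    for v in values:
        if substring_start > len(v):
            raise ValueError(f"substring_start {substring_start} exceeds length of {v!r}")
        start = max(substring_start, 1) - 1
        if substring_length < 0:
            results.append(v[start:])
        else:
            results.append(v[start:start + substring_length])
    return results


if __name__ == "__main__":
    # A registry-held path with characters that are regex metacharacters
    # (constructed sample), made safe for a literal pattern match.
    print(escape_regex([r"C:\Program Files (x86)\app.exe"]))
    print(begin("/", ["usr/bin", "/sbin"]), end("/", ["/var/log", "/tmp/"]))
    print(split("-", ["-a-a-", "a-b-c-d"]), substring(3, 2, ["abcdefg"]))
```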
The variable referenced by the substring function must have a datatype of string.

The time_difference function calculates the difference in seconds between date-time values. If one component is specified, the values of that component are subtracted from the current time (UTC). The current time is the time at which the function is evaluated. If two components are specified, the value of the second component is subtracted from the value of the first component. If the component(s) contain a collection of values, the operation is performed multiple times on the Cartesian product of the component(s) and the result is also a collection of time difference values. For example, assume a local_variable specifies the time_difference function and has two sub-components under this function: the first component returns "04/02/2009" and "04/03/2009", and the second component returns "02/02/2005" and "02/03/2005" and "02/04/2005". The local_variable element would evaluate to a collection of six values: (ToSeconds("04/02/2009") - ToSeconds("02/02/2005")), (ToSeconds("04/02/2009") - ToSeconds("02/03/2005")), (ToSeconds("04/02/2009") - ToSeconds("02/04/2005")), (ToSeconds("04/03/2009") - ToSeconds("02/02/2005")), (ToSeconds("04/03/2009") - ToSeconds("02/03/2005")), and (ToSeconds("04/03/2009") - ToSeconds("02/04/2005")).

The date-time format of each component is determined by the two format attributes. The format1 attribute applies to the first component, and the format2 attribute applies to the second component. Valid values for the attributes are 'win_filetime', 'seconds_since_epoch', 'day_month_year', 'year_month_day', and 'month_day_year'.
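The two-component example just given, worked in Python as an added example that is not part of the draft. It also implements the single-component form, in which the component is subtracted from the current UTC time and its format is given by format2, as the text goes on to describe. The `now` parameter (so the current time can be fixed in a test), the to_seconds helper and the accepted string layouts for the three date formats (dd/mm/yyyy, mm/dd/yyyy and yyyy/mm/dd or yyyy-mm-dd, each with an optional hh:mm:ss) are this example's simplifying assumptions; the format names are those the text lists, and the example reads "04/02/2009" as month_day_year.

```python
"""Added example (not part of the OVAL draft): the time_difference function.
The `now` parameter, to_seconds and the accepted string layouts are this
example's simplifying assumptions."""
from datetime import datetime, timezone
from itertools import product

# Seconds between the Windows FILETIME epoch (1601-01-01 UTC) and the Unix epoch.
FILETIME_EPOCH_OFFSET = 11_644_473_600

# Assumed string layouts per format name (a subset of what the enumeration allows).
STRING_LAYOUTS = {
    "day_month_year": ["%d/%m/%Y %H:%M:%S", "%d/%m/%Y", "%d-%m-%Y %H:%M:%S", "%d-%m-%Y"],
    "month_day_year": ["%m/%d/%Y %H:%M:%S", "%m/%d/%Y", "%m-%d-%Y %H:%M:%S", "%m-%d-%Y"],
    "year_month_day": ["%Y/%m/%d %H:%M:%S", "%Y/%m/%d", "%Y-%m-%d %H:%M:%S", "%Y-%m-%d"],
}


def to_seconds(value, date_format):
    """Convert one component value to seconds since the Unix epoch (UTC).
    A value that cannot be read in the given format is an error."""
    if date_format == "seconds_since_epoch":
        return int(value)
    if date_format == "win_filetime":
        # FILETIME counts 100-nanosecond intervals since 1601-01-01 UTC.
        return int(value) // 10_000_000 - FILETIME_EPOCH_OFFSET
    layouts = STRING_LAYOUTS.get(date_format)
    if layouts is None:
        raise ValueError(f"unknown date-time format {date_format!r}")
    for layout in layouts:
        try:
            parsed = datetime.strptime(value, layout)
        except ValueError:
            continue
        return int(parsed.replace(tzinfo=timezone.utc).timestamp())
    raise ValueError(f"{value!r} is not a {date_format} value")


def time_difference(components, format1=None, format2=None, now=None):
    """Return first - second, in seconds, over the Cartesian product of the
    component values. With one component the implied first input is the
    current UTC time (injectable as `now`) and format2 describes the component.
    The result is always a list of integers."""
    if len(components) == 1:
        current = now or datetime.now(timezone.utc)
        first = [int(current.timestamp())]
        second = [to_seconds(v, format2) for v in components[0]]
    elif len(components) == 2:
        first = [to_seconds(v, format1) for v in components[0]]
        second = [to_seconds(v, format2) for v in components[1]]
    else:
        raise ValueError("time_difference takes one or two components")
    return [a - b for a, b in product(first, second)]


if __name__ == "__main__":
    # The text's example, read as month_day_year: 2 x 3 components give six values.
    print(time_difference([["04/02/2009", "04/03/2009"],
                           ["02/02/2005", "02/03/2005", "02/04/2005"]],
                          "month_day_year", "month_day_year"))
    # Single-component form: age of a (constructed) password-last-set FILETIME.
    print(time_difference([["116444736000000000"]], format2="win_filetime"))
```

A typical use is a password-age or patch-age check: the collected timestamp is the single component, the function yields its age in seconds, and the entity compares that against a policy value held in another variable.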
Please see the DateTimeFormatEnumeration for more information about each of these values. If an input value is not understood, the result is an error. If only one input is specified, specify the format with the format2 attribute, as the first input is considered to be the implied 'current time' input.

Note that the datatype associated with the components should be 'string' or 'int' depending on which date-time format is specified. The result of this function, though, is always an integer.

A literal_component used by the time_difference function must have a datatype of string or int.

The variable referenced by the time_difference function must have a datatype of string or int.

The regex_capture function captures a single substring from a single string component. If the string sub-component contains multiple values, then the regex_capture function will extract a substring from each value. The 'pattern' attribute provides a regular expression that should contain a single subexpression (using parentheses). For example, the pattern ^abc(.*)xyz$ would capture a substring from each of the string component's values if the value starts with abc and ends with xyz. In this case the subexpression would be all the characters that exist in between the abc and the xyz. Note that subexpressions match the longest possible substrings.

If the regular expression contains multiple capturing sub-patterns, only the first capture is used. If there are no capturing sub-patterns, the result for each target string must be the empty string.
Otherwise, if the regular expression could match the target string in more than one place, only the first match (and its first capture) is used. If no matches are found in a target string, the result for that target must be the empty string.

Note that a quantified capturing sub-pattern does not produce multiple substrings. Standard regular expression semantics are such that if a capturing sub-pattern is required to match multiple times in order for the overall regular expression to match, the capture produced is the last substring to have matched the sub-pattern.

Note that when using regular expressions, OVAL supports a common subset of the regular expression character classes, operations, expressions and other lexical tokens defined within Perl 5's regular expression specification. If any of the Perl metacharacters are to be used literally, then they must be escaped. The set of metacharacters which must be escaped for this purpose is as follows, enclosed by single quotes: '^$\.[](){}*+?|'. For more information on the supported regular expression syntax in OVAL see: http://oval.mitre.org/language/about/re_support_5.6.html.

A literal_component used by the regex_capture function must have a datatype of string.

The variable referenced by the regex_capture function must have a datatype of string.

The unique function takes one or more components and removes any duplicate value from the set of components. All components used in the unique function will be treated as strings. For example, assume that three components exist, one that contains a string value of 'foo', and two of which both resolve to the string value 'bar'.
5334 Applying the unique function to these 5335 three components resolves to a 5336 local_variable with two string values, 5337 'foo' and 'bar'. Additionally, if any of 5338 the components referenced by the unique 5339 function evaluate to a collection of 5340 values, then those values are used in the 5341 unique calculation. For example, assume 5342 that there are two components, one of 5343 which resolves to a single string value, 5344 'foo', the other of which resolves to two 5345 string values, 'foo' and 'bar'. If the 5346 unique function is used to remove 5347 duplicates from these two components, the 5348 function will resolve to a local_variable 5349 that is a collection of two string values, 5350 'foo' and 'bar'. 5351 5352 5353 5354 5355 5356 5357 5358 The count function takes 5359 one or more components and returns the 5360 count of all of the values represented by 5361 the components. For example, assume that 5362 two variables exist, each with a single 5363 value. By applying the count function 5364 against two variable components that 5365 resolve to the two variables, the 5366 resulting local_variable would have a 5367 value of '2'. Additionally, if any of the 5368 components referenced by the count 5369 function evaluate to a collection of 5370 values, then those values are used in the 5371 count calculation. For example, assume 5372 that there are two components, one of 5373 which resolves to a single value, the 5374 other of which resolves to two values. If 5375 the count function is used to provide a 5376 count of these two components, the 5377 function will resolve to a local_variable 5378 with the values '3'. 5379 5380 5381 5382 5383 5384 5385 5386 The glob_to_regex 5387 function takes a single string component 5388 representing shell glob pattern and 5389 produces a single value that corresponds 5390 to result of a conversion of the original 5391 glob pattern into Perl 5's regular 5392 expression pattern. 
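
The regex_capture semantics described above (one result per input value; the first capture of the first match; the empty string when the pattern has no capturing group, does not match, or the first group took no part in the match; a quantified group yielding only its last iteration), as an added example written for this page rather than code taken from the OVAL specification or from any OVAL interpreter. It relies on Python's re module sharing the Perl 5 behaviour the text depends on (leftmost match, greedy subexpressions); the function name and the sample inputs are constructed for illustration.

```python
import re


def regex_capture(values, pattern):
    """Apply OVAL regex_capture semantics to every value of a string component.

    Returns one string per input value: the first capture of the first match,
    or '' when there is no capturing group, no match, or the first group did not
    participate in the match (e.g. an optional group that was skipped).
    """
    rx = re.compile(pattern)
    results = []
    for value in values:
        match = rx.search(value)            # only the first (leftmost) match is used
        if match is None or rx.groups == 0:
            results.append('')              # no match, or no capturing sub-pattern
        else:
            # Only the first capture is used; a group that matched nothing
            # (None in Python) becomes the empty string.
            results.append(match.group(1) or '')
    return results


if __name__ == '__main__':
    # Constructed sample input, e.g. lines collected from a config file.
    lines = ['Protocol 2', 'PermitRootLogin no', '# PermitRootLogin yes']
    print(regex_capture(lines, r'^PermitRootLogin\s+(\S+)$'))   # ['', 'no', '']
    print(regex_capture(['ababc'], r'(ab)+c'))                  # ['ab']: last iteration only
    print(regex_capture(['axbxb'], r'a(.*)b'))                  # ['xbx']: greedy capture
```

Patterns in OVAL content run against data collected from the assessed system, and Python's re (like Perl's engine) has no backtracking limit, so a pattern such as (.*)+$ fed hostile input can consume unbounded CPU; review patterns for nested quantifiers before evaluating them over untrusted data.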

The glob_noescape attribute defines how the backslash ('\') character should be interpreted. It defaults to 'false', meaning backslash should be interpreted as an escape character (backslash is allowed to be used as an escape character). If the glob_noescape attribute is set to 'true', it instructs the glob_to_regex function to interpret the backslash ('\') character as a literal rather than as an escape character (backslash is *not* allowed to be used as an escape character). Refer to the table of examples below to see how the two boolean values of the 'glob_noescape' attribute affect the output form of the resulting Perl 5 regular expression produced by the glob_to_regex function.

Please note that the glob_to_regex function will fail to perform the conversion and return an error when the provided string argument (representing the glob pattern) does not represent a syntactically correct glob pattern. For example, given 'a*b?[' as the argument to be converted, glob_to_regex would return an error since the corresponding closing bracket is missing from the provided glob pattern argument.

It is also necessary to mention that the glob_to_regex function respects the default behaviour of the input glob pattern and output Perl 5 regular expression spaces. Namely, this means that:

- glob_to_regex will respect the UNIX glob behaviour when processing forward slashes: a forward slash should be treated as a path separator, and * or ? shall not match it,
- glob_to_regex will rule out matches having special meaning (for example '.' as a representation of the current working directory or '..' as a representation of the parent directory of the current working directory),
- glob_to_regex will rule out files or folders starting with the '.' character (e.g. dotfiles) unless the respective glob pattern part itself starts with the '.' character,
- glob_to_regex will not perform case-sensitivity transformation (alphabetical characters will be copied from the input glob pattern space to the output Perl 5 regular expression pattern space intact). It remains the responsibility of the OVAL content author to provide the input glob pattern argument in such case that the resulting Perl 5 regular expression pattern will match the expected pathname entries according to the case of preference,
- glob_to_regex will not perform any brace expansion. Therefore glob patterns like '{pat,pat,pat}' would be converted into Perl 5 regular expression syntax in the original un-expanded form (kept for any potential subsequent expansion to be performed by the Perl 5 regular expression engine at the moment of use of that resulting regular expression),
- glob_to_regex will not perform tilde ('~') character substitution to the user's home directory pathname. The '~' character will be passed to the Perl 5 regular expression engine intact. If home directory glob pattern behaviour is expected, the pathname of the user's home directory needs to be specified in the original input glob pattern already,
- glob_to_regex will not perform any custom changes with respect to the ordering of items (it performs no additional sorting of the set of pathnames represented by the provided glob pattern argument).

Below are some examples that outline how the glob_noescape attribute value affects the output form of the produced Perl regular expression. The left column identifies the shell glob pattern provided as the input string component to the glob_to_regex function. The middle column specifies the boolean value of the 'glob_noescape' attribute used. The right column depicts the output produced by the glob_to_regex function, i.e. the resulting Perl regular expression.

   input shell glob pattern || glob_noescape || corresponding Perl
                            || attribute     || regular expression
   -------------------------||---------------||-------------------------------
   '\*'                     || false         || ^\*$
   '\*'                     || true          || ^\\[^/]*$
   '\?'                     || false         || ^\?$
   '\?'                     || true          || ^\\[^./]$
   '\[hello\]'              || false         || ^\[hello\]$
   '\[hello\]'              || true          || ^\\[hello\\]$
   '/root/*'                || false         || ^/root/(?=[^.])[^/]*$
   '/root/.*'               || false         || ^/root/\.[^/]*$
   '/root/x*'               || false         || ^/root/x[^/]*$
   '/root/?'                || false         || ^/root/[^./]$
   '/root/.?'               || false         || ^/root/\.[^/]$
   '/root/x?'               || false         || ^/root/x[^/]$
   'list.?'                 || false         || ^list\.[^/]$
   'list.?'                 || true          || ^list\.[^/]$
   'project.*'              || false         || ^project\.[^/]*$
   'project.*'              || true          || ^project\.[^/]*$
   '*old'                   || false         || ^(?=[^.])[^/]*old$
   '*old'                   || true          || ^(?=[^.])[^/]*old$
   'type*.[ch]'             || false         || ^type[^/]*\.[ch]$
   'type*.[ch]'             || true          || ^type[^/]*\.[ch]$
   '*.*'                    || false         || ^(?=[^.])[^/]*\.[^/]*$
   '*.*'                    || true          || ^(?=[^.])[^/]*\.[^/]*$
   '*'                      || false         || ^(?=[^.])[^/]*$
   '*'                      || true          || ^(?=[^.])[^/]*$
   '?'                      || false         || ^[^./]$
   '?'                      || true          || ^[^./]$
   'x[[:digit:]]\*'         || false         || ^x[[:digit:]]\*$
   'x[[:digit:]]\*'         || true          || ^x[[:digit:]]\\[^/]*$
   ''                       || false         || ^$
   ''                       || true          || ^$
   '~/files/*.txt'          || false         || ^~/files/(?=[^.])[^/]*\.txt$
   '~/files/*.txt'          || true          || ^~/files/(?=[^.])[^/]*\.txt$
   '\'                      || false         || ^\\$
   '\'                      || true          || ^\\$
   '[ab'                    || false         || INVALID
   '[ab'                    || true          || INVALID
   '.*.conf'                || false         || ^\.[^/]*\.conf$
   '.*.conf'                || true          || ^\.[^/]*\.conf$
   'docs/?b'                || false         || ^docs/[^./]b$
   'docs/?b'                || true          || ^docs/[^./]b$
   'xy/??z'                 || false         || ^xy/[^./][^/]z$
   'xy/??z'                 || true          || ^xy/[^./][^/]z$
   ----------------------------------------------------------------------------

A literal_component used by the glob_to_regex function must have a datatype of string.

The variable referenced by the glob_to_regex function must have a datatype of string.

The ArithmeticEnumeration simple type defines basic arithmetic operations.
Currently add and multiply are defined.

The DateTimeFormatEnumeration simple type defines the different date-time formats that are understood by OVAL. Note that in some cases there are a few different possibilities within a given format. Each of these possibilities is unique, though, and can be distinguished from the others. The different formats are used to clarify the higher level structure of the date-time string being used.

The year_month_day value specifies date-time strings that follow the formats: 'yyyymmdd', 'yyyymmddThhmmss', 'yyyy/mm/dd hh:mm:ss', 'yyyy/mm/dd', 'yyyy-mm-dd hh:mm:ss', or 'yyyy-mm-dd'.

The month_day_year value specifies date-time strings that follow the formats: 'mm/dd/yyyy hh:mm:ss', 'mm/dd/yyyy', 'mm-dd-yyyy hh:mm:ss', 'mm-dd-yyyy', 'NameOfMonth, dd yyyy hh:mm:ss', 'NameOfMonth, dd yyyy', 'AbbreviatedNameOfMonth, dd yyyy hh:mm:ss', or 'AbbreviatedNameOfMonth, dd yyyy'.

The day_month_year value specifies date-time strings that follow the formats: 'dd/mm/yyyy hh:mm:ss', 'dd/mm/yyyy', 'dd-mm-yyyy hh:mm:ss', or 'dd-mm-yyyy'.

The win_filetime value specifies date-time strings that follow the Windows file time format.

The seconds_since_epoch value specifies date-time values that represent the time in seconds since the UNIX epoch. The Unix epoch is the time 00:00:00 UTC on January 1, 1970.

The cim_datetime model is used by WMI and its value specifies date-time strings that follow the format 'yyyymmddHHMMSS.mmmmmmsUUU', and alternatively 'yyyy-mm-dd HH:MM:SS:mmm' only when used in WMI Query Language queries.
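
The glob_to_regex conversion rules and example table given earlier, as an added example written for this page; it is not the OVAL project's converter nor code from any OVAL interpreter. It implements the stated rules (anchored output, '*' and '?' never crossing '/', dotfiles excluded unless the pattern part starts with '.', no brace or tilde expansion, no case folding, an error for an unterminated bracket) and reproduces the table rows for '*', '?', escaped metacharacters, POSIX classes, the empty pattern and the lone backslash. Two points are assumptions of this example rather than statements of the page: braces are copied through unescaped, and a leading '!' in a bracket expression is mapped to regex negation (the usual fnmatch rule). One table row is not reproduced: for '\?' with glob_noescape=true the page gives ^\\[^./]$, whereas this converter treats the '?' after a literal backslash as not being at the start of a path segment and emits ^\\[^/]$. The GlobError name and the sample paths are constructed for illustration.

```python
import re

# Perl metacharacters that are escaped when copied literally into the regex.
# '{' and '}' are deliberately absent: the text says brace patterns are passed
# through un-expanded, and the exact form is an assumption of this example.
_META = set('^$\\.[]()*+?|')


class GlobError(ValueError):
    """Raised for a syntactically invalid glob, such as an unterminated '['."""


def _escape(ch):
    return '\\' + ch if ch in _META else ch


def _bracket(glob, i, noescape):
    """Copy the bracket expression starting at glob[i] == '[' into regex form.

    Returns (fragment, index after the closing ']'). POSIX classes such as
    [:digit:] are kept intact. A leading '!' becomes regex negation '^'
    (standard fnmatch rule, assumed here; the page's table has no such row).
    """
    n = len(glob)
    j = i + 1
    parts = ['[']
    if j < n and glob[j] in '!^':
        parts.append('^')
        j += 1
    if j < n and glob[j] == ']':          # a ']' first in the set is a literal
        parts.append('\\]')
        j += 1
    while j < n:
        c = glob[j]
        if c == ']':
            parts.append(']')
            return ''.join(parts), j + 1
        if glob.startswith('[:', j):      # POSIX character class, copied verbatim
            end = glob.find(':]', j + 2)
            if end == -1:
                raise GlobError('unterminated POSIX class in %r' % glob)
            parts.append(glob[j:end + 2])
            j = end + 2
        elif c == '\\':
            if noescape or j + 1 >= n:    # literal backslash inside the set
                parts.append('\\\\')
                j += 1
            else:                         # escaped character inside the set
                parts.append('\\' + glob[j + 1])
                j += 2
        else:
            parts.append(c)
            j += 1
    raise GlobError('missing closing bracket in %r' % glob)


def glob_to_regex(glob, glob_noescape=False):
    """Convert a shell glob to an anchored Perl-style regular expression."""
    out = ['^']
    i, n = 0, len(glob)
    while i < n:
        c = glob[i]
        segment_start = i == 0 or glob[i - 1] == '/'
        if c == '*':
            # Never crosses '/'; at the start of a path segment it also refuses
            # a leading '.', so dotfiles only match when the pattern names them.
            if segment_start:
                out.append('(?=[^.])')
            out.append('[^/]*')
            i += 1
        elif c == '?':
            out.append('[^./]' if segment_start else '[^/]')
            i += 1
        elif c == '\\' and not glob_noescape and i + 1 < n:
            out.append(_escape(glob[i + 1]))   # escaped glob char becomes a literal
            i += 2
        elif c == '[':
            fragment, i = _bracket(glob, i, glob_noescape)
            out.append(fragment)
        else:
            out.append(_escape(c))             # covers a literal or trailing backslash
            i += 1
    out.append('$')
    return ''.join(out)


def match_paths(glob, paths, glob_noescape=False):
    """Return the paths the converted glob matches (paths are constructed sample input)."""
    rx = re.compile(glob_to_regex(glob, glob_noescape))
    return [p for p in paths if rx.match(p)]


if __name__ == '__main__':
    for pattern, noescape in [('/root/*', False), ('\\*', False), ('\\*', True),
                              ('x[[:digit:]]\\*', True), ('[ab', False)]:
        try:
            print('%-18r %-5s %s' % (pattern, noescape, glob_to_regex(pattern, noescape)))
        except GlobError as err:
            print('%-18r %-5s INVALID (%s)' % (pattern, noescape, err))
    # Dotfiles and deeper paths are excluded, as the rules above require.
    print(match_paths('/root/*', ['/root/a', '/root/.bashrc', '/root/d/e']))
```

The lookahead form (?=[^.]) is what lets a single anchored pattern enforce the dotfile rule; if a content author wants dotfiles included, the glob part must itself start with '.', as the table's '/root/.*' row shows.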

The FilterActionEnumeration simple type defines the different options for filtering sets of items.

The exclude value specifies that all items that match the filter shall be excluded from the set that the filter is applied to.

The include value specifies that only items that match the filter shall be included in the set that the filter is applied to.

The SetOperatorEnumeration simple type defines acceptable set operations. Set operations are used to take multiple different sets of objects within OVAL and merge them into a single unique set. The different operators that guide this merge are defined below. For each operator, if only a single object has been supplied, then the resulting set is simply that complete object.

Below are some tables that outline how different flags are combined with a given set_operator to return a new flag. These tables are needed when computing the flag for collected objects that represent object sets in an OVAL Definition. The top row identifies the flag associated with the first set or object reference. The left column identifies the flag associated with the second set or object reference. The matrix inside the table represents the resulting flag when the given set_operator is applied. (E=error, C=complete, I=incomplete, DNE=does not exist, NC=not collected, NA=not applicable)

   set_operator is union    ||              obj 1 flag               ||
                            ||  E  |  C  |  I  | DNE |  NC |  NA    ||
   -------------------------||---------------------------------------||
   obj 2 flag   E           ||  E  |  E  |  E  |  E  |  E  |  E     ||
                C           ||  E  |  C  |  I  |  C  |  I  |  C     ||
                I           ||  E  |  I  |  I  |  I  |  I  |  I     ||
                DNE         ||  E  |  C  |  I  | DNE |  I  | DNE    ||
                NC          ||  E  |  I  |  I  |  I  |  NC |  NC    ||
                NA          ||  E  |  C  |  I  | DNE |  NC |  NA    ||
   -------------------------||---------------------------------------||

   set_operator is          ||              obj 1 flag               ||
   intersection             ||  E  |  C  |  I  | DNE |  NC |  NA    ||
   -------------------------||---------------------------------------||
   obj 2 flag   E           ||  E  |  E  |  E  | DNE |  E  |  E     ||
                C           ||  E  |  C  |  I  | DNE |  NC |  C     ||
                I           ||  E  |  I  |  I  | DNE |  NC |  I     ||
                DNE         || DNE | DNE | DNE | DNE | DNE | DNE    ||
                NC          ||  E  |  NC |  NC | DNE |  NC |  NC    ||
                NA          ||  E  |  C  |  I  | DNE |  NC |  NA    ||
   -------------------------||---------------------------------------||

   set_operator is          ||              obj 1 flag               ||
   complement               ||  E  |  C  |  I  | DNE |  NC |  NA    ||
   -------------------------||---------------------------------------||
   obj 2 flag   E           ||  E  |  E  |  E  | DNE |  E  |  E     ||
                C           ||  E  |  C  |  I  | DNE |  NC |  E     ||
                I           ||  E  |  E  |  E  | DNE |  NC |  E     ||
                DNE         ||  E  |  C  |  I  | DNE |  NC |  E     ||
                NC          ||  E  |  NC |  NC | DNE |  NC |  E     ||
                NA          ||  E  |  E  |  E  |  E  |  E  |  E     ||
   -------------------------||---------------------------------------||

The complement operator is defined in OVAL as a relative complement. The resulting unique set contains everything that belongs to the first declared set that is not part of the second declared set. If A and B are sets (with A being the first declared set), then the relative complement is the set of elements in A, but not in B, with the duplicates removed.

The intersection of two sets in OVAL results in a unique set that contains everything that belongs to both sets in the collection, but nothing else. If A and B are sets, then the intersection of A and B contains all the elements of A that also belong to B, but no other elements, with the duplicates removed.

The union of two sets in OVAL results in a unique set that contains everything that belongs to either of the original sets. If A and B are sets, then the union of A and B contains all the elements of A and all elements of B, with the duplicates removed.

The EntityAttributeGroup is a collection of attributes that are common to all entities. This group defines these attributes and their default values. Individual entities may limit allowed values for these attributes, but all entities will support these attributes.

The following constraints apply to entities that carry these attributes:

- a var_ref has been supplied for the entity so no value should be provided
- inconsistent datatype between the variable and an associated var_ref
- a var_ref has been supplied for the entity so a var_check should also be provided
- a var_check has been supplied for the entity so a var_ref must also be provided
- The use of '' for the operation attribute of the entity is not valid given the lack of a declared datatype (hence a default datatype of string).
- The use of '' for the operation attribute of the entity is not valid given a datatype of binary.
- The use of '' for the operation attribute of the entity is not valid given a datatype of boolean.
- The use of '' for the operation attribute of the entity is not valid given a datatype of evr_string.
- The use of '' for the operation attribute of the entity is not valid given a datatype of debian_evr_string.
- The use of '' for the operation attribute of the entity is not valid given a datatype of fileset_revision.
- The use of '' for the operation attribute of the entity is not valid given a datatype of float.
- The use of '' for the operation attribute of the entity is not valid given a datatype of ios_version.
- The use of '' for the operation attribute of the entity is not valid given a datatype of int.
- The use of '' for the operation attribute of the entity is not valid given a datatype of ipv4_address.
- The use of '' for the operation attribute of the entity is not valid given a datatype of ipv6_address.
- The use of '' for the operation attribute of the entity is not valid given a datatype of string.
- The use of '' for the operation attribute of the entity is not valid given a datatype of version.
- The use of '' for the operation attribute of the entity is not valid given a datatype of record.
- The use of var_ref is prohibited when the datatype is 'record'.
- The datatype for the entity is 'int' but the value is not an integer.

The optional datatype attribute specifies how the given operation should be applied to the data. Since we are dealing with XML everything is technically a string, but often the value is meant to represent some other datatype, and this affects the way an operation is performed. For example, take the statement 'is 123 less than 98'. If the data is treated as integers the answer is no, but if the data is treated as strings, then the answer is yes. Specifying a datatype defines how the less than operation should be performed. Another way of thinking of things is that the datatype attribute specifies how the data should be cast before performing the operation (note that the default datatype is 'string'). In the previous example, if the datatype is set to int, then '123' and '98' should be cast as integers. Another example is applying the 'equals' operation to '1.0.0.0' and '1.0'. With datatype 'string' they are not equal; with datatype 'version' they are. Note that there are certain cases where a cast from one datatype to another is not possible. If a cast cannot be made (trying to cast 'abc' to an integer), then an error should be reported. For example, if the datatype is set to 'int' and the value is the empty string: there is no way to cast the empty string (or NULL) to an integer, and in cases like this an error should be reported.

The optional operation attribute determines how the individual entities should be evaluated (the default operation is 'equals').

The optional mask attribute is used to identify values that have been hidden for sensitivity concerns. This is used by the Result document, which uses the System Characteristics schema to format the information found on a specific system. When the mask attribute is set to 'true' on an OVAL Entity or an OVAL Field, the corresponding collected value of that OVAL Entity or OVAL Field MUST NOT be present in the "results" section of the OVAL Results document; the "oval_definitions" section must not be altered and must be an exact copy of the definitions evaluated. Values MUST NOT be masked in OVAL System Characteristics documents that are not contained within an OVAL Results document. It is possible for masking conflicts to occur where one entity has mask set to true and another entity has mask set to false. A conflict will occur when the mask attribute is set differently on an OVAL Object and matching OVAL State, or when more than one OVAL Object identifies the same OVAL Item(s). When such a conflict occurs the result is always to mask the entity.

The optional var_ref attribute refers the value of the element to a variable element. When supplied, the value(s) associated with the OVAL Variable should be used as the value(s) of the element. If there is an error computing the value of the variable, then that error should be passed up to the element referencing it. If the variable being referenced does not have a value (for example, if the variable pertains to the size of a file, but the file does not exist) then one of two results is possible. If the element is part of an object declaration, then the object element referencing it is considered to not exist. If the element is part of a state declaration, then the state element referencing it will evaluate to error.

The optional var_check attribute specifies how data collection or state evaluation should proceed when an element uses a var_ref attribute and the associated variable defines more than one value. For example, if an object entity 'filename' with an operation of 'not equal' references a variable that returns five different values, and the var_check attribute has a value of 'all', then an actual file on the system matches only if the actual filename does not equal any of the variable values. As another example, if a state entity 'size' with an operation of 'less than' references a variable that has five different integer values, and the var_check attribute has a value of 'all', then the 'size' state entity evaluates to true only if the corresponding 'size' item entity is less than each of the five integers defined by the variable. If a variable does not have any value when referenced by an OVAL Object, the object should be considered to not exist. If a variable does not have any value when referenced by an OVAL State, an error should be reported during OVAL analysis. When an OVAL State uses a var_ref, if both the state entity and a corresponding item entity are collections of values, the var_check is applied to each value of the item entity individually, and all must evaluate to true for the state entity to evaluate to true. In this condition, there is no value of var_check which enables an element-wise comparison, and so there is no way to determine whether the two entities are truly 'equal' in that sense. If var_ref is present but var_check is not, the element should be processed as if var_check has the value "all".

The EntitySimpleBaseType complex type is an abstract type that defines the default attributes associated with every simple entity. Entities can be found in both OVAL Objects and OVAL States and represent the individual properties associated with items found on a system. An example of a single entity would be the path of a file. Another example would be the version of the file.

The EntityComplexBaseType complex type is an abstract type that defines the default attributes associated with every complex entity.
Entities can be 6601 found in both OVAL Objects and OVAL States 6602 and represent the individual properties 6603 associated with items found on a system. 6604 An example of a single entity would be the 6605 path of a file. Another example would be 6606 the version of the 6607 file. 6608 6609 6611 6613 6615 6616 The 6617 EntityObjectIPAddressType type is extended 6618 by the entities of an individual OVAL 6619 Object. This type provides uniformity to 6620 each object entity by including the 6621 attributes found in the 6622 EntitySimpleBaseType. This specific type 6623 describes any IPv4/IPv6 address or address 6624 prefix. 6625 6626 6627 6629 6630 6631 6632 6634 6635 6637 6639 6641 6642 6643 6644 6645 6646 6647 6649 6650 The 6651 EntityObjectIPAddressStringType type is 6652 extended by the entities of an individual 6653 OVAL Object. This type provides uniformity 6654 to each object entity by including the 6655 attributes found in the 6656 EntitySimpleBaseType. This specific type 6657 describes any IPv4/IPv6 address, address 6658 prefix, or its string 6659 representation. 6660 6661 6662 6664 6665 6666 6667 6669 6670 6672 6674 6676 6677 6678 6679 6680 6681 6682 6683 6685 6686 The 6687 EntityObjectAnySimpleType type is extended 6688 by the entities of an individual OVAL 6689 Object. This type provides uniformity to 6690 each object entity by including the 6691 attributes found in the 6692 EntitySimpleBaseType. This specific type 6693 describes any simple 6694 data. 6695 6696 6697 6699 6700 6701 6702 6705 6706 6707 6708 6709 6710 The EntityBinaryType type 6711 is extended by the entities of an 6712 individual OVAL Object. This type provides 6713 uniformity to each object entity by 6714 including the attributes found in the 6715 EntitySimpleBaseType. This specific type 6716 describes simple binary data. The empty 6717 string is also allowed when using a 6718 variable reference with an 6719 element. 
6720 6721 6722 6724 6725 6728 6729 6732 6733 6734 6735 6736 6737 The EntityBoolType type 6738 is extended by the entities of an 6739 individual OVAL Object. This type provides 6740 uniformity to each object entity by 6741 including the attributes found in the 6742 EntitySimpleBaseType. This specific type 6743 describes simple boolean data. The empty 6744 string is also allowed when using a 6745 variable reference with an 6746 element. 6747 6748 6749 6751 6752 6755 6756 6759 6760 6761 6762 6763 6764 The EntityObjectFloatType 6765 type is extended by the entities of an 6766 individual OVAL Object. This type provides 6767 uniformity to each object entity by 6768 including the attributes found in the 6769 EntitySimpleBaseType. This specific type 6770 describes simple float data. The empty 6771 string is also allowed when using a 6772 variable reference with an 6773 element. 6774 6775 6776 6778 6779 6782 6783 6786 6787 6788 6789 6790 6791 The EntityIntType type is 6792 extended by the entities of an individual 6793 OVAL Object. This type provides uniformity 6794 to each object entity by including the 6795 attributes found in the 6796 EntitySimpleBaseType. This specific type 6797 describes simple integer data. The empty 6798 string is also allowed when using a 6799 variable reference with an 6800 element. 6801 6802 6803 6805 6806 6809 6810 6813 6815 6816 6817 6818 6819 The EntityStringType type 6820 is extended by the entities of an 6821 individual OVAL Object. This type provides 6822 uniformity to each object entity by 6823 including the attributes found in the 6824 EntitySimpleBaseType. This specific type 6825 describes simple string 6826 data. 6827 6828 6829 6831 6832 6833 6834 6837 6838 6839 6840 6841 6842 The 6843 EntityObjectVersionType type is extended 6844 by the entities of an individual OVAL 6845 State. This type provides uniformity to 6846 each state entity by including the 6847 attributes found in the 6848 EntityStateSimpleBaseType. 
This specific 6849 type describes simple version 6850 data. 6851 6852 6853 6855 6856 6857 6858 6861 6862 6864 6865 6866 6867 The 6868 EntityObjectRecordType defines an entity 6869 that consists of a number of uniquely 6870 named fields. This structure is used for 6871 representing a record from a database 6872 query and other similar structures where 6873 multiple related fields must be 6874 represented at once. Note that for all 6875 entities of this type, the only allowed 6876 datatype is 'record' and the only allowed 6877 operation is 'equals'. During analysis of 6878 a system characteristics item, each field 6879 is analyzed and then the overall result 6880 for elements of this type is computed by 6881 logically anding the results for each 6882 field and then applying the entity_check 6883 attribute. 6884 Note the datatype 6885 attribute must be set to 6886 'record'. 6887 6903 Note the operation 6904 attribute must be set to 6905 'equals'. 6906 Note the var_ref 6907 attribute is not permitted and the 6908 var_check attribute does not 6909 apply. 6910 Note that when the mask 6911 attribute is set to 'true', all child 6912 field elements must be masked regardless 6913 of the child field's mask attribute 6914 value. 6915 6916 6917 6919 6920 6923 6924 6925 6926 6927 6928 6929 The EntityObjectFieldType 6930 defines an element with simple content 6931 that represents a named field in a record 6932 that may contain any number of named 6933 fields. The EntityObjectFieldType is much 6934 like all other entities with one 6935 significant difference, the 6936 EntityObjectFieldType has a name 6937 attribute 6938 The required name 6939 attribute specifies a unique name for the 6940 field. Field names are lowercase and must 6941 be unique within a given parent record 6942 element. 
When analyzing system characteristics, an error should be reported for
the result of a field that is present in the OVAL State but not found
in the system characteristics Item.

The optional entity_check attribute specifies how to handle multiple
record fields with the same name in the OVAL Systems Characteristics
file.  For example, consider collecting group information where one
field represents the users that are members of the group.  It is very
likely that there will be multiple fields with a name of 'user'
associated with the group.  If the OVAL State defines the value of the
field with name equal to 'user' to equal 'Fred', then the entity_check
attribute determines whether all values for the field entities must be
equal to 'Fred', or at least one value must be equal to 'Fred', etc.

Note that when the mask attribute is set to 'true' on a field's parent
element, the field must be masked regardless of the field's mask
attribute value.

A string restricted to disallow upper case characters.

The EntityStateSimpleBaseType complex type is an abstract type that
extends the EntitySimpleBaseType and is used by some entities within
an OVAL State.

The optional check_existence attribute specifies how to interpret the
status of corresponding item entities when performing an item-state
comparison.  The default value for this attribute is
'at_least_one_exists', indicating that by default an item comparison
may evaluate to true only if at least one corresponding item entity
has a status of 'exists'.
For example, if a value of 'none_exist' is given, then the comparison
can evaluate to true only if there are one or more corresponding item
entities, each with a status of 'does not exist'.

The optional entity_check attribute specifies how to handle multiple
item entities with the same name in the OVAL Systems Characteristics
file.  For example, suppose we are dealing with a Group Test and an
entity in the state is related to the user.  It is very likely that
when the information about the group is collected off of the system
(and represented in the OVAL System Characteristics file) there will
be multiple users associated with the group (i.e. multiple 'user' item
entities associated with the same 'user' state entity).  If the OVAL
State defines the value of the user entity to equal 'Fred', then the
entity_check attribute determines whether all values for 'user' item
entities must be equal to 'Fred', or at least one value must be equal
to 'Fred', etc.  Note that, with the exception of the 'none_satisfy'
check value, the entity_check attribute can only affect the result of
the test if the corresponding OVAL Item allows more than one
occurrence of the entity (e.g. 'maxOccurs' is some value greater than
one).

The entity_check and var_check attributes are considered together when
evaluating a single state entity.  When a variable identifies more
than one value and multiple item entities with the same name exist,
for a single state entity, a many-to-many comparison must be
conducted.  In this situation, there are many values for the state
entity that must be compared to many item entities.  Each item entity
is compared to the state entity.
For each item entity, an interim result is calculated by using the
var_check attribute to combine the result of comparing each variable
value with a single system value.  Then these interim results are
combined for each system value using the entity_check attribute.

The EntityStateComplexBaseType complex type is an abstract type that
extends the EntityComplexBaseType and is used by some entities within
an OVAL State.

The optional check_existence attribute specifies how to interpret the
status of corresponding item entities when performing an item-state
comparison.  The default value for this attribute is
'at_least_one_exists', indicating that by default an item comparison
may evaluate to true only if at least one corresponding item entity
has a status of 'exists'.  For example, if a value of 'none_exist' is
given, then the comparison can evaluate to true only if there are one
or more corresponding item entities, each with a status of 'does not
exist'.

The optional entity_check attribute specifies how to handle multiple
item entities with the same name in the OVAL Systems Characteristics
file.  For example, suppose we are dealing with a Group Test and an
entity in the state is related to the user.  It is very likely that
when the information about the group is collected off of the system
(and represented in the OVAL System Characteristics file) there will
be multiple users associated with the group (i.e. multiple 'user' item
entities associated with the same 'user' state entity).
If the OVAL State defines the value of the user entity to equal
'Fred', then the entity_check attribute determines whether all values
for 'user' item entities must be equal to 'Fred', or at least one
value must be equal to 'Fred', etc.  Note that, with the exception of
the 'none_satisfy' check value, the entity_check attribute can only
affect the result of the test if the corresponding OVAL Item allows
more than one occurrence of the entity (e.g. 'maxOccurs' is some value
greater than one).

The entity_check and var_check attributes are considered together when
evaluating a single state entity.  When a variable identifies more
than one value and multiple item entities with the same name exist,
for a single state entity, a many-to-many comparison must be
conducted.  In this situation, there are many values for the state
entity that must be compared to many item entities.  Each item entity
is compared to the state entity.  For each item entity, an interim
result is calculated by using the var_check attribute to combine the
result of comparing each variable value with a single system value.
Then these interim results are combined for each system value using
the entity_check attribute.

The EntityStateIPAddressType type is extended by the entities of an
individual OVAL State.  This type provides uniformity to each object
entity by including the attributes found in the
EntityStateSimpleBaseType.  This specific type describes any IPv4/IPv6
address or address prefix.

The EntityStateIPAddressStringType type is extended by the entities of
an individual OVAL State.
This type provides uniformity to each object entity by including the
attributes found in the EntityStateSimpleBaseType.  This specific type
describes any IPv4/IPv6 address, address prefix, or its string
representation.

The EntityStateAnySimpleType type is extended by the entities of an
individual OVAL State.  This type provides uniformity to each state
entity by including the attributes found in the
EntityStateSimpleBaseType.  This specific type describes any simple
data.

The EntityStateBinaryType type is extended by the entities of an
individual OVAL State.  This type provides uniformity to each state
entity by including the attributes found in the
EntityStateSimpleBaseType.  This specific type describes simple binary
data.  The empty string is also allowed when using a variable
reference with an element.

The EntityStateBoolType type is extended by the entities of an
individual OVAL State.  This type provides uniformity to each state
entity by including the attributes found in the
EntityStateSimpleBaseType.  This specific type describes simple
boolean data.  The empty string is also allowed when using a variable
reference with an element.

The EntityStateFloatType type is extended by the entities of an
individual OVAL State.  This type provides uniformity to each state
entity by including the attributes found in the
EntityStateSimpleBaseType.  This specific type describes simple float
data.  The empty string is also allowed when using a variable
reference with an element.
The EntityStateIntType type is extended by the entities of an
individual OVAL State.  This type provides uniformity to each state
entity by including the attributes found in the
EntityStateSimpleBaseType.  This specific type describes simple
integer data.  The empty string is also allowed when using a variable
reference with an element.

The EntityStateEVRStringType type is extended by the entities of an
individual OVAL State.  This type provides uniformity to each state
entity by including the attributes found in the
EntityStateSimpleBaseType.  This type represents the epoch, version,
and release fields, for an RPM package, as a single version string.
It has the form "EPOCH:VERSION-RELEASE".  Note that a null epoch (or
'(none)' as returned by rpm) is equivalent to '0' and would hence have
the form 0:VERSION-RELEASE.  Comparisons involving this datatype
should follow the algorithm of librpm's rpmvercmp() function.

The EntityStateDebianEVRStringType type is extended by the entities of
an individual OVAL State.  This type provides uniformity to each state
entity by including the attributes found in the
EntityStateSimpleBaseType.  This type represents the epoch,
upstream_version, and debian_revision fields, for a Debian package, as
a single version string.  It has the form
"EPOCH:UPSTREAM_VERSION-DEBIAN_REVISION".  Note that a null epoch (or
'(none)' as returned by dpkg) is equivalent to '0' and would hence
have the form 0:UPSTREAM_VERSION-DEBIAN_REVISION.
Comparisons involving this datatype should follow the algorithm
outlined in Chapter 5 of the "Debian Policy Manual"
(https://www.debian.org/doc/debian-policy/ch-controlfields.html#s-f-Version).
An implementation of this is the cmpversions() function in dpkg's
enquiry.c.

The EntityStateVersionType type is extended by the entities of an
individual OVAL State.  This type provides uniformity to each state
entity by including the attributes found in the
EntityStateSimpleBaseType.  This specific type describes simple
version data.

The EntityStateFileSetRevisionType type is extended by the entities of
an individual OVAL State.  This type provides uniformity to each state
entity by including the attributes found in the
EntityStateSimpleBaseType.  This specific type represents the version
string related to filesets in HP-UX.

The EntityStateIOSVersionType type is extended by the entities of an
individual OVAL State.  This type provides uniformity to each state
entity by including the attributes found in the
EntityStateSimpleBaseType.  This specific type represents the version
string related to CISCO IOS.  'string' is included to allow for
regular expressions on IOS version strings.

The EntityStateStringType type is extended by the entities of an
individual OVAL State.  This type provides uniformity to each state
entity by including the attributes found in the
EntityStateSimpleBaseType.  This specific type describes simple string
data.
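The rpmvercmp()-style comparison that the EntityStateEVRStringType text above calls for, as an added example in Python (not librpm's code and not part of this draft): the EPOCH:VERSION-RELEASE split and the '(none)' epoch rule follow the text, the segment walk is my reimplementation of the published rpmvercmp() behaviour, and leaving out the caret separator of later rpm releases is an assumption.

```python
"""Added example, not librpm's code: EVR comparison for the
EntityStateEVRStringType, reimplemented from the published rpmvercmp()
algorithm (walk alphanumeric segments, numeric beats alphabetic, tilde
sorts before everything).  The '(none)' -> 0 epoch rule follows the
draft text; the caret separator of later rpm releases is not handled."""
from typing import Tuple

def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a sorts older than, equal to or newer than b."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # skip separators: anything that is neither alphanumeric nor '~'
        while i < len(a) and not a[i].isalnum() and a[i] != "~":
            i += 1
        while j < len(b) and not b[j].isalnum() and b[j] != "~":
            j += 1
        # tilde sorts before everything, even the end of the string
        ta, tb = i < len(a) and a[i] == "~", j < len(b) and b[j] == "~"
        if ta or tb:
            if not ta:
                return 1
            if not tb:
                return -1
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b):
            break  # one side exhausted; decided after the loop
        # take a maximal run of digits, or of letters, from each string
        isnum = a[i].isdigit()
        kind = str.isdigit if isnum else str.isalpha
        si, sj = i, j
        while i < len(a) and kind(a[i]):
            i += 1
        while j < len(b) and kind(b[j]):
            j += 1
        seg_a, seg_b = a[si:i], b[sj:j]
        if not seg_b:  # segment types differ: a numeric segment is always newer
            return 1 if isnum else -1
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):  # more significant digits wins
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0  # only separator characters differed
    return -1 if i >= len(a) else 1  # whichever still has characters wins

def parse_evr(evr: str) -> Tuple[str, str, str]:
    """Split 'EPOCH:VERSION-RELEASE'; a missing, empty or '(none)' epoch is '0'."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    if epoch in ("", "(none)"):
        epoch = "0"
    version, sep, release = rest.rpartition("-")
    if not sep:
        version, release = rest, ""
    return epoch, version, release

def evr_compare(a: str, b: str) -> int:
    """Compare two EVR strings: epoch first, then version, then release."""
    for x, y in zip(parse_evr(a), parse_evr(b)):
        rc = rpmvercmp(x, y)
        if rc:
            return rc
    return 0
```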
The EntityStateRecordType defines an entity that consists of a number
of uniquely named fields.  This structure is used for representing a
record from a database query and other similar structures where
multiple related fields must be collected at once.  Note that for all
entities of this type, the only allowed datatype is 'record' and the
only allowed operation is 'equals'.  During analysis of a system
characteristics item, each field is analyzed and then the overall
result for elements of this type is computed by logically anding the
results for each field and then applying the entity_check attribute.

Note the datatype attribute must be set to 'record'.

Note the operation attribute must be set to 'equals'.

Note the var_ref attribute is not permitted and the var_check
attribute does not apply.

Note that when the mask attribute is set to 'true', all child field
elements must be masked regardless of the child field's mask attribute
value.

The EntityStateFieldType defines an element with simple content that
represents a named field in a record that may contain any number of
named fields.  The EntityStateFieldType is much like all other
entities with one significant difference: the EntityStateFieldType has
a name attribute.

The required name attribute specifies a unique name for the field.
Field names are lowercase and must be unique within a given parent
record element.  When analyzing system characteristics, an error
should be reported for the result of a field that is present in the
OVAL State but not found in the system characteristics Item.
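The check_existence, var_check and entity_check evaluation described for EntityStateSimpleBaseType above, together with the per-field anding described for the record entity types, as an added example (illustrative Python, not code from this draft or from any OVAL interpreter); the enumeration values beyond those named on the page are assumed from the OVAL common model.

```python
"""Added example, not code from the OVAL schema or any OVAL interpreter:
the many-to-many state-entity evaluation (check_existence, then
var_check per item entity, then entity_check across item entities) and
the per-field 'and' for record entities.  Check values not named on the
page ('all', 'at least one', 'only one', 'all_exist', 'only_one_exists')
are taken from the OVAL common model and are assumptions here."""
from typing import Callable, Dict, List, Sequence, Tuple

ItemEntity = Tuple[str, str]  # (value, status), e.g. ("Fred", "exists")

def apply_check(check: str, results: Sequence[bool]) -> bool:
    """Collapse boolean results with a CheckEnumeration value (entity_check / var_check)."""
    hits = sum(1 for r in results if r)
    if check == "all":
        return hits == len(results)
    if check == "at least one":
        return hits >= 1
    if check == "none satisfy":
        return hits == 0
    if check == "only one":
        return hits == 1
    raise ValueError(f"unknown check value {check!r}")

def existence_ok(check_existence: str, statuses: Sequence[str]) -> bool:
    """check_existence: which item-entity status pattern lets the comparison proceed."""
    exist = sum(1 for s in statuses if s == "exists")
    if check_existence == "at_least_one_exists":  # default, per the schema text
        return exist >= 1
    if check_existence == "none_exist":           # one or more items, none existing
        return len(statuses) >= 1 and exist == 0
    if check_existence == "all_exist":            # assumed semantics
        return len(statuses) >= 1 and exist == len(statuses)
    if check_existence == "only_one_exists":      # assumed semantics
        return exist == 1
    raise ValueError(f"unknown check_existence value {check_existence!r}")

def evaluate_entity(state_values: Sequence[str], items: Sequence[ItemEntity],
                    var_check: str = "all", entity_check: str = "all",
                    check_existence: str = "at_least_one_exists",
                    compare: Callable[[str, str], bool] = lambda s, i: s == i) -> bool:
    """One state entity (one or more variable values) against its item entities."""
    if not existence_ok(check_existence, [status for _, status in items]):
        return False
    if check_existence == "none_exist":
        return True  # nothing exists to compare; existence alone decides (assumption)
    interim = []
    for item_value, status in items:
        if status != "exists":
            continue
        # var_check combines the results of every variable value against this one item value
        interim.append(apply_check(var_check, [compare(sv, item_value) for sv in state_values]))
    # entity_check then combines the interim results across the item entities
    return apply_check(entity_check, interim)

def evaluate_record(state_fields: Dict[str, Sequence[str]],
                    item_records: Sequence[Dict[str, List[ItemEntity]]],
                    entity_check: str = "all", var_check: str = "all") -> bool:
    """Record entity: 'and' the field results, then apply entity_check across records.
    A state field missing from an item record is an error, as the schema text requires."""
    per_record = []
    for record in item_records:
        missing = [name for name in state_fields if name not in record]
        if missing:
            raise LookupError(f"field(s) {missing} in state but not in item record")
        per_record.append(all(evaluate_entity(state_fields[name], record[name], var_check=var_check)
                              for name in state_fields))
    return apply_check(entity_check, per_record)
```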
The optional entity_check attribute specifies how to handle multiple
record fields with the same name in the OVAL Systems Characteristics
file.  For example, consider collecting group information where one
field represents the users that are members of the group.  It is very
likely that there will be multiple fields with a name of 'user'
associated with the group.  If the OVAL State defines the value of the
field with name equal to 'user' to equal 'Fred', then the entity_check
attribute determines whether all values for the field entities must be
equal to 'Fred', or at least one value must be equal to 'Fred', etc.

Note that when the mask attribute is set to 'true' on a field's parent
element, the field must be masked regardless of the field's mask
attribute value.

A string restricted to disallow upper case characters.

83. Intellectual Property Considerations

Copyright (C) 2010 United States Government.  All Rights Reserved.

DHS, on behalf of the United States, owns the registered OVAL
trademarks, identifying the OVAL STANDARDS SUITE and any component
part, as that suite has been provided to the IETF Trust.  A "(R)" will
be used in conjunction with the first use of any OVAL trademark in any
document or publication in recognition of DHS's trademark ownership.

84. Acknowledgements

The authors wish to thank DHS for sponsoring the OVAL effort over the
years, which has made this work possible.  The authors also wish to
thank the original authors of this document, Jonathan Baker, Matthew
Hansbury, and Daniel Haynes of the MITRE Corporation, as well as the
OVAL Community for its assistance in contributing to and reviewing the
original document.
The authors would also like to acknowledge Dave Waltermire of NIST for
his contribution to the development of the original document.

85. IANA Considerations

This memo includes no request to IANA.

86. Security Considerations

While OVAL is just a set of data models and does not directly
introduce security concerns, it does provide a mechanism by which to
represent endpoint posture assessment information.  This information
could be extremely valuable to an attacker, allowing them to learn
very sensitive information including, but not limited to, security
policies, systems on the network, criticality of systems, software and
hardware inventory, patch levels, user accounts and much more.  To
address this concern, all endpoint posture assessment information
should be protected while in transit and at rest.  Furthermore, it
should only be shared with parties that are authorized to receive it.

Another possible security concern is due to the fact that content
expressed as OVAL has the ability to impact how a security tool
operates.  For example, content may instruct a tool to collect certain
information off a system or may be used to drive follow-up actions
like remediation.  As a result, it is important for security tools to
ensure that they are obtaining OVAL content from a trusted source,
that it has not been modified in transit, and that proper validation
is performed in order to ensure it does not contain malicious data.

87. Change Log

87.1. -00 to -01

There are no textual changes associated with this revision.  This
revision simply reflects a resubmission of the document so that it
remains in active status.
Authors' Addresses

Michael Cokus
The MITRE Corporation
903 Enterprise Parkway, Suite 200
Hampton, VA 23666
USA

Email: msc@mitre.org

Daniel Haynes
The MITRE Corporation
202 Burlington Road
Bedford, MA 01730
USA

Email: dhaynes@mitre.org

David Rothenberg
The MITRE Corporation
202 Burlington Road
Bedford, MA 01730
USA

Email: drothenberg@mitre.org

Juan Gonzalez
Department of Homeland Security
245 Murray Lane
Washington, DC 20548
USA

Email: juan.gonzalez@dhs.gov