The data_type entity provides the datatype value that is desired.
|
+| xpath | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||Specifies an Xpath expression describing the text node(s) or attribute(s) to look at. Any valid Xpath 1.0 statement is usable with one exception, at most one field may be identified in the Xpath. This is because the value_of element in the data section is only designed to work against a single field. The only valid operator for xpath is equals since there is an infinite number of possible xpaths and determinining all those that do not equal a given xpath would be impossible.
|
+| [oval-def:filter](oval-definitions-schema.md#filter) | n/a (0..unbounded) |
+|||
+
+## The data_type entity provides the datatype value that is desired.
|
+| xpath | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||Specifies an Xpath expression describing the text node(s) or attribute(s) to look at.
|
+| value_of | [oval-def:EntityStateAnySimpleType](oval-definitions-schema.md#EntityStateAnySimpleType) (0..1) |
+||The value_of element checks the value(s) of the text node(s) or attribute(s) found.
|
+
+______________
+
+## Specifies the name of the time zone.
|
+| usingnetworktime | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Specifies weather the machine is using network time.
|
+| networktimeserver | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||Specifies the network time server.
|
+| computersleep | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||Specifies the computer sleep inactivity timer, or 0 for never.
|
+| displaysleep | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||Specifies the display sleep inactivity timer, or 0 for never.
|
+| harddisksleep | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||Specifies the hard disk sleep inactivity timer, or 0 for never.
|
+| wakeonmodem | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Specifies whether the computer will wake up if the modem is accessed.
|
+| wakeonnetworkaccess | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Specifies whether the computer will wake up if the network is accessed.
|
+| restartfreeze | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Specifies whether the computer will restart after freezing.
|
+| allowpowerbuttontosleepcomputer | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Specifies whether the power button can be used to cause the computer to sleep.
|
+| remotelogin | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Specifies whether remote logins are allowed.
|
+| remoteappleevents | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Specifies whether remote Apple events are enabled.
|
+| computername | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||Specifies the computer's name.
|
+| startupdisk | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||Specifies the startup disk.
|
+| waitforstartupafterpowerfailure | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||Specifies the number of seconds the computer waits to start up after a power failure.
|
+| disablekeyboardwhenenclosurelockisengaged | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Specifies whether the keyboard is locked when the closure lock is engaged.
|
+| kernelbootarchitecturesetting | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||Specifies the kernel boot architecture setting.
|
+
+## The empty string value is permitted here to allow for empty elements associated with variable references.
|
+
+## The empty string value is permitted here to allow for empty elements associated with variable references.
|
+
+## The actual permission is more restrictive than the expected permission.
|
+| less | The actual permission is less restrictive than the expected permission.
|
+| same | The actual permission is the same as the expected permission.
|
+| | The empty string value is permitted here to allow for empty elements associated with variable references.
|
+
+## The CFString type is used to describe a preference key that has a string value. The OVAL string datatype should be used to represent CFString values.
|
+| CFNumber | The CFNumber type is used to describe a preference key that has a integer or float value. The OVAL int and float datatypes should be used, as appropriate, to represent CFNumber values.
|
+| CFBoolean | The CFBoolean type is used to describe a preference key that has a boolean value. The OVAL boolean datatype should be used to represent CFBoolean values.
|
+| CFDate | The CFDate type is used to describe a preference key that has a date value. The OVAL string datatype should be used to represent CFDate values.
|
+| CFData | The CFData type is used to describe a preference that has a base64-encoded binary value. The OVAL string datatype should be used to represent CFData values.
|
+| CFArray | The CFArray type is used to describe a preference key that has a collection of values. This is represented as multiple value entities.
|
+| CFDictionary | The CFDictionary type is used to describe a preference key that has a collection of key-value pairs. Note that the collection of CFDictionary values is not supported. If an attempt is made to collect a CFDictionary value, an error should be reported.
|
+| | The empty string value is permitted here to allow for empty elements associated with variable references.
|
+
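Review bot: the generated state tables in this hunk have lost their leading row, so the description of the first entity is rendered as a `##` heading and the entity/type name it belongs to is missing (e.g. `## The data_type entity provides the datatype value that is desired.` at the top of the second block, `## Specifies the name of the time zone.` for the systemsetup state, and `## The actual permission is more restrictive than the expected permission.` where the `more` enumeration value of the permission-compare type should appear); the same loss leaves the `CFString` row of the plist type enumeration as a heading and produces two empty `## The empty string value is permitted here ...` headings with no table under them. Each table also starts with a bare `|` line and has no header row, and one block ends in an empty `+|||` row, so these will not render as markdown tables. Please fix the generator so every block opens with the entity or type name and a header row, and while here correct "determinining" to "determining" in the xpath description and "Specifies weather the machine is using network time" to "whether".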
diff --git a/guidelines/oval-schema-documentation/macos-system-characteristics-schema.md b/guidelines/oval-schema-documentation/macos-system-characteristics-schema.md
new file mode 100644
index 0000000..9fcfde2
--- /dev/null
+++ b/guidelines/oval-schema-documentation/macos-system-characteristics-schema.md
@@ -0,0 +1,598 @@
+# Open Vulnerability and Assessment Language: Element Dictionary
+
+* Schema: MacOS System Characteristics
+* Version: 5.11.1:1.2
+* Release Date: 11/30/2016 09:00:00 AM
+
+The following is a description of the elements, types, and attributes that compose the MacOS specific system characteristic items found in Open Vulnerability and Assessment Language (OVAL). Each item is an extension of the standard test element defined in the Core Definition Schema. Through extension, each test inherits a set of elements and attributes that are shared amongst all OVAL tests. Each test is described in detail and should provide the information necessary to understand what each element and attribute represents. This document is intended for developers and assumes some familiarity with XML. A high level description of the interaction between the different tests and their relationship to the Core Definition Schema is not outlined here.
+
+The MacOS System Characteristics Schema was initially developed by The Center for Internet Security. Many thanks to their contributions to OVAL and the security community.
+
+The OVAL Schema is maintained by the OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.cisecurity.org.
+
+______________
+
+## The user associated with the information collected.
|
+| password | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||Obfuscated (*****) or encrypted password for this user.
|
+| uid | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||The numeric user id, or uid, is the third column of each user's entry in /etc/passwd. This element represents the owner of the file.
|
+| gid | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||Group ID of this account.
|
+| realname | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||User's real name, aka gecos field of /etc/passwd.
|
+| home_dir | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The home directory for this user account.
|
+| login_shell | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The login shell for this user account.
|
+
+______________
+
+## Specifies the right_name in which the item is specified.
|
+| xpath | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||Specifies an Xpath expression describing the text node(s) or attribute(s) to look at.
|
+| value_of | [oval-sc:EntityItemAnySimpleType](oval-system-characteristics-schema.md#EntityItemAnySimpleType) (0..unbounded) |
+||The value_of element checks the value(s) of the text node(s) or attribute(s) found. How this is used is entirely controlled by operator attributes.
|
+
+______________
+
+## Specifies the UUID of the volume about which the plist information was retrieved.
|
+| xpath | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||Specifies an Xpath expression describing the text node(s) or attribute(s) to look at.
|
+| value_of | [oval-sc:EntityItemAnySimpleType](oval-system-characteristics-schema.md#EntityItemAnySimpleType) (0..unbounded) |
+||The value_of element checks the value(s) of the text node(s) or attribute(s) found. How this is used is entirely controlled by operator attributes.
|
+
+______________
+
+## The device entity is a string that represents the disk on a Mac OS system to verify. Please see diskutil(8) for instructions on how to specify the device.
|
+| filepath | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The filepath element specifies the absolute path for a file or directory on the specified device.
|
+| uread | [macos-sc:EntityItemPermissionCompareType](#EntityItemPermissionCompareType) (0..1) |
+||Has the actual user read permission changed from the expected user read permission?
|
+| uwrite | [macos-sc:EntityItemPermissionCompareType](#EntityItemPermissionCompareType) (0..1) |
+||Has the actual user write permission changed from the expected user write permission?
|
+| uexec | [macos-sc:EntityItemPermissionCompareType](#EntityItemPermissionCompareType) (0..1) |
+||Has the actual user exec permission changed from the expected user exec permission?
|
+| gread | [macos-sc:EntityItemPermissionCompareType](#EntityItemPermissionCompareType) (0..1) |
+||Has the actual group read permission changed from the expected group read permission?
|
+| gwrite | [macos-sc:EntityItemPermissionCompareType](#EntityItemPermissionCompareType) (0..1) |
+||Has the actual group write permission changed from the expected group write permission?
|
+| gexec | [macos-sc:EntityItemPermissionCompareType](#EntityItemPermissionCompareType) (0..1) |
+||Has the actual group exec permission changed from the expected group exec permission?
|
+| oread | [macos-sc:EntityItemPermissionCompareType](#EntityItemPermissionCompareType) (0..1) |
+||Has the actual others read permission changed from the expected others read permission?
|
+| owrite | [macos-sc:EntityItemPermissionCompareType](#EntityItemPermissionCompareType) (0..1) |
+||Has the actual others write permission changed from the expected others write permission?
|
+| oexec | [macos-sc:EntityItemPermissionCompareType](#EntityItemPermissionCompareType) (0..1) |
+||Has the actual others exec permission changed from the expected others exec permission?
|
+| user_differs | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||The actual user of the file/directory.
|
+| expected_user | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||The expected user of the file/directory.
|
+| group_differs | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||The actual group of the file/directory.
|
+| expected_group | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||The expected group of the file/directory.
|
+| symlink_differs | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||The actual symlink of the file/directory.
|
+| expected_symlink | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The expected symlink of the file/directory.
|
+
+______________
+
+## The status of Gatekeeper assessments.
|
+| unlabeled | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..unbounded) |
+||The path to an unsigned application folder to which Gatekeeper has granted execute permission.
|
+
+______________
+
+## This is the name of the communicating program.
|
+| local_address | [oval-sc:EntityItemIPAddressStringType](oval-system-characteristics-schema.md#EntityItemIPAddressStringType) (0..1) |
+||This is the IP address of the network interface on which the program listens. Note that the IP address can be IPv4 or IPv6.
|
+| local_full_address | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||This is the IP address and network port on which the program listens, equivalent to local_address:local_port. Note that the IP address can be IPv4 or IPv6.
|
+| local_port | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||This is the TCP or UDP port on which the program listens. Note that this is not a list -- if a program listens on multiple ports, or on a combination of TCP and UDP, each will have its own entry in the table data stored by this item.
|
+| foreign_address | [oval-sc:EntityItemIPAddressStringType](oval-system-characteristics-schema.md#EntityItemIPAddressStringType) (0..1) |
+||This is the IP address with which the program is communicating, or with which it will communicate, in the case of a listening server. Note that the IP address can be IPv4 or IPv6.
|
+| foreign_full_address | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||This is the IP address and network port to which the program is communicating or will accept communications from, equivalent to foreign_address:foreign_port. Note that the IP address can be IPv4 or IPv6.
|
+| foreign_port | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||This is the TCP or UDP port to which the program communicates. In the case of a listening program accepting new connections, this is usually '0'.
|
+| pid | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||This is the process ID of the process. The process in question is that of the program communicating on the network.
|
+| protocol | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||This is the transport-layer protocol, in lowercase: tcp or udp.
|
+| user_id | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The numeric user id, or uid, is the third column of each user's entry in /etc/passwd. It represents the owner, and thus privilege level, of the specified program.
|
+
+______________
+
+## This is the transport-layer protocol, in lowercase: tcp or udp.
|
+| local_address | [oval-sc:EntityItemIPAddressStringType](oval-system-characteristics-schema.md#EntityItemIPAddressStringType) (0..1) |
+||This is the IP address of the network interface on which the program listens. Note that the IP address can be IPv4 or IPv6.
|
+| local_port | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||This is the TCP or UDP port on which the program listens. Note that this is not a list -- if a program listens on multiple ports, or on a combination of TCP and UDP, each will have its own entry in the table data stored by this item.
|
+| local_full_address | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||This is the IP address and network port on which the program listens, equivalent to local_address:local_port. Note that the IP address can be IPv4 or IPv6.
|
+| program_name | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||This is the name of the communicating program.
|
+| foreign_address | [oval-sc:EntityItemIPAddressStringType](oval-system-characteristics-schema.md#EntityItemIPAddressStringType) (0..1) |
+||This is the IP address with which the program is communicating, or with which it will communicate, in the case of a listening server. Note that the IP address can be IPv4 or IPv6.
|
+| foreign_port | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||This is the TCP or UDP port to which the program communicates. In the case of a listening program accepting new connections, this is usually '0'.
|
+| foreign_full_address | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||This is the IP address and network port to which the program is communicating or will accept communications from, equivalent to foreign_address:foreign_port. Note that the IP address can be IPv4 or IPv6.
|
+| pid | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||This is the process ID of the process. The process in question is that of the program communicating on the network.
|
+| user_id | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||The numeric user id, or uid, is the third column of each user's entry in /etc/passwd. It represents the owner, and thus privilege level, of the specified program.
|
+
+______________
+
+## Specifies the filepath of the keychain.
|
+| lock_on_sleep | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Specifies the whether the keychain is configured to lock on sleep.
|
+| timeout | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||The inactivity timeout (in seconds) for the keychain, or 0 if there is no timeout.
|
+
+______________
+
+## Specifies the name of the agent/daemon.
|
+| pid | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||Specifies the process ID of the daemon (if any).
|
+| status | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||Specifies the last exit code of the daemon (if any), or if $lt; 0, indicates the negative of the signal that interrupted processing. For example, a value of -15 would indicate that the job was terminated via a SIGTERM.
|
+
+______________
+
+## A nvram variabl.
|
+| nvram_value | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||This is the value of the associated nvram variable.
|
+
+______________
+
+## The preference key to check.
|
+| app_id | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The unique application identifier that specifies the application to use when looking up the preference key (e.g. com.apple.Safari).
|
+| filepath | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The absolute path to a plist file (e.g. ~/Library/Preferences/com.apple.Safari.plist).
|
+| instance | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||The instance of the preference key found in the plist. The first instance of a matching preference key is given the instance value of 1, the second instance of a matching preference key is given the instance value of 2, and so on. Instance values must be assigned using a depth-first approach. Note that the main purpose of this entity is to provide uniqueness for the different plist_items that result from multiple instances of a given preference key in the same plist file.
|
+| type | [macos-sc:EntityItemPlistTypeType](#EntityItemPlistTypeType) (0..1) |
+||The type of the preference key.
|
+| value | [oval-sc:EntityItemAnySimpleType](oval-system-characteristics-schema.md#EntityItemAnySimpleType) (0..unbounded) |
+||The value of the preference key.
|
+
+______________
+
+## The unique application identifier that specifies the application to use when looking up the preference key (e.g. com.apple.Safari).
|
+| filepath | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The absolute path to a plist file (e.g. /Library/Preferences/com.apple.TimeMachine.plist).
|
+| xpath | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||Specifies an XPath 1.0 expression to evaluate against the XML representation of the plist file specified by the filename or app_id entity. This XPath 1.0 expression must evaluate to a list of zero or more text values which will be accessible in OVAL via instances of the value_of entity. Any results from evaluating the XPath 1.0 expression other than a list of text strings (e.g., a nodes set) is considered an error. The intention is that the text values be drawn from instances of a single, uniquely named element or attribute. However, an OVAL interpreter is not required to verify this, so the author should define the XPath expression carefully. Note that "equals" is the only valid operator for the xpath entity.
|
+| value_of | [oval-sc:EntityItemAnySimpleType](oval-system-characteristics-schema.md#EntityItemAnySimpleType) (0..unbounded) |
+||The value_of element checks the value(s) of the text node(s) or attribute(s) found. How this is used is entirely controlled by operator attributes.
|
+
+______________
+
+## Maximum number of characters allowed in a password.
|
+| maxFailedLoginAttempts | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||Maximum number of failed logins before the account is locked.
|
+| minChars | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||Minimum number of characters allowed in a password.
|
+| passwordCannotBeName | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Defines if the password is allowed to be the same as the username or not.
|
+| requiresAlpha | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Defines if the password must contain an alphabetical character or not.
|
+| requiresNumeric | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Defines if the password must contain an numeric character or not.
|
+
+______________
+
+## The target_user element specifies the user whose password policy information was collected. If xsi:nil="true", the item specifies the global policy.
|
+| username | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The username element specifies the username of the authenticator.
|
+| userpass | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The userpass element specifies the password of the authenticator as specified by the username element.
|
+| directory_node | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The directory_node element specifies the directory node that the password policy information was collected from.
|
+| maxChars | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||Maximum number of characters allowed in a password.
|
+| maxFailedLoginAttempts | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||Maximum number of failed logins before the account is locked.
|
+| minChars | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||Minimum number of characters allowed in a password.
|
+| passwordCannotBeName | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Defines if the password is allowed to be the same as the username or not.
|
+| requiresAlpha | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Defines if the password must contain an alphabetical character or not.
|
+| requiresNumeric | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Defines if the password must contain an numeric character or not.
|
+| maxMinutesUntilChangePassword | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||Maximum number of minutes until the password must be changed.
|
+| minMinutesUntilChangePassword | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||Minimum number of minutes between password changes.
|
+| requiresMixedCase | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Defines if the password must contain upper and lower case characters or not.
|
+| requiresSymbol | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Defines if the password must contain a symbol character or not.
|
+| minutesUntilFailedLoginReset | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||Number of minutes after login has been disabled due to too many failed login attempts to wait before reenabling login.
|
+| usingHistory | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||0 = user can reuse the current pass-word, 1 = user cannot reuse the current password, 2-15 = user cannot reuse the last n passwords.
|
+| canModifyPasswordforSelf | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||If true, the user can change the password.
|
+| usingExpirationDate | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Date for the password to expire, format is: mm/dd/yyyy. NOTE: The pwpolicy command returns the year as a two digit value, but OVAL uses four digit years; the pwpolicy value is converted to an OVAL compatible value.
|
+| hardExpireDateGMT | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||Date for the user's account to be disabled, format is: mm/dd/yyyy. NOTE: The pwpolicy command returns the year as a two digit value, but OVAL uses four digit years; the pwpolicy value is converted to an OVAL compatible value.
|
+| maxMinutesUntilDisabled | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||If true, the user will be prompted for a new password at the next authentication.
|
+| notGuessablePattern | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||The maximum amount of cpu time (in seconds) to be used by each process.
|
+| cpu_max | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (1..1) |
+||cpu hard limit.
|
+| filesize_current | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (1..1) |
+||The largest size (in bytes) file that may be created.
|
+| filesize_max | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (1..1) |
+||filesize hard limit.
|
+| data_current | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (1..1) |
+||The maximum size (in bytes) of the data segment for a process; this defines how far a program may extend its break with the sbrk(2) system call.
|
+| data_max | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (1..1) |
+||data hard limit.
|
+| stack_current | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (1..1) |
+||The maximum size (in bytes) of the stack segment for a process; this defines how far a program's stack segment may be extended. Stack extension is performed automatically by the system.
|
+| stack_max | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (1..1) |
+||stack hard limit.
|
+| core_current | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (1..1) |
+||The largest size (in bytes) core file that may be created.
|
+| core_max | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (1..1) |
+||core hard limit.
|
+| rss_current | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (1..1) |
+||The maximum size (in bytes) to which a process's resident set size may grow. This imposes a limit on the amount of physical memory to be given to a process; if memory is tight, the system will prefer to take memory from processes that are exceeding their declared resident set size.
|
+| rss_max | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (1..1) |
+||rss hard limit.
|
+| memlock_current | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (1..1) |
+||The maximum size (in bytes) which a process may lock into memory using the mlock(2) function.
|
+| memlock_max | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (1..1) |
+||memlock hard limit.
|
+| maxproc_current | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (1..1) |
+||The maximum number of simultaneous processes for this user id.
|
+| maxproc_max | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (1..1) |
+||maxproc hard limit.
|
+| maxfiles_current | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (1..1) |
+||The maximum number of open files for this process.
|
+| maxfiles_max | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (1..1) |
+||maxfiles hard limit.
|
+
+______________
+
+## Specifies whether automatic checking is enabled (true).
|
+| software_title | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..unbounded) |
+||Specifies the title string for an available (not installed) software update.
|
+
+______________
+
+## Specifies the data type that was used in collection.
|
+| xpath | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||Specifies an Xpath expression describing the text node(s) or attribute(s) to look at.
|
+| value_of | [oval-sc:EntityItemAnySimpleType](oval-system-characteristics-schema.md#EntityItemAnySimpleType) (0..unbounded) |
+||The value_of element checks the value(s) of the text node(s) or attribute(s) found. How this is used is entirely controlled by operator attributes.
|
+
+______________
+
+## Specifies the name of the current time zone.
|
+| usingnetworktime | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (1..1) |
+||Specifies wither the machine is using network time.
|
+| networktimeserver | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||Specifies the network time server.
|
+| computersleep | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (1..1) |
+||Specifies the computer sleep inactivity timer, or 0 for never.
|
+| displaysleep | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (1..1) |
+||Specifies the display sleep inactivity timer, or 0 for never.
|
+| harddisksleep | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (1..1) |
+||Specifies the hard disk sleep inactivity timer, or 0 for never.
|
+| wakeonmodem | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (1..1) |
+||Specifies whether the computer will wake up if the modem is accessed.
|
+| wakeonnetworkaccess | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (1..1) |
+||Specifies whether the computer will wake up if the network is accessed.
|
+| restartfreeze | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (1..1) |
+||Specifies whether the computer will restart after freezing.
|
+| restartpowerfailure | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (1..1) |
+||Specifies whether the computer will restart after a power failure.
|
+| allowpowerbuttontosleepcomputer | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (1..1) |
+||Specifies whether the power button can be used to cause the computer to sleep.
|
+| remotelogin | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (1..1) |
+||Specifies whether remote logins are allowed.
|
+| remoteappleevents | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Specifies whether remote Apple events are enabled.
|
+| computername | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (1..1) |
+||Specifies the computer's name.
|
+| localsubnetname | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (1..1) |
+||Specifies the name of the local subnet.
|
+| startupdisk | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (1..1) |
+||Specifies the startup disks.
|
+| waitforstartupafterpowerfailure | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (1..1) |
+||Specifies the number of seconds the computer waits to start up after a power failure.
|
+| disablekeyboardwhenenclosurelockisengaged | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (1..1) |
+||Specifies whether the keyboard is locked when the closure lock is engaged.
|
+| kernelbootarchitecturesetting | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (1..1) |
+||Specifies the kernel boot architecture setting.
|
+
+## The empty string value is permitted here to allow for detailed error reporting.
|
+
+## The actual permission is more restrictive than the expected permission.
|
+| less | The actual permission is less restrictive than the expected permission.
|
+| same | The actual permission is the same as the expected permission.
|
+| | The empty string value is permitted here to allow for detailed error reporting.
|
+
+## The CFString type is used to describe a preference key that has a string value. The OVAL string datatype should be used to represent CFString values.
|
+| CFNumber | The CFNumber type is used to describe a preference key that has a integer or float value. The OVAL int and float datatypes should be used, as appropriate, to represent CFNumber values.
|
+| CFBoolean | The CFBoolean type is used to describe a preference key that has a boolean value. The OVAL boolean datatype should be used to represent CFBoolean values.
|
+| CFDate | The CFDate type is used to describe a preference key that has a date value. The OVAL string datatype should be used to represent CFDate values.
|
+| CFData | The CFData type is used to describe a preference key that has a base64-encoded binary value. The OVAL string datatype should be used to represent CFData values.
|
+| CFArray | The CFArray type is used to describe a preference key that has a collection of values. This is represented as multiple value entities.
|
+| CFDictionary | The CFDictionary type is used to describe a preference key that has a collection of key-value pairs. Note that the collection of CFDictionary values is not supported. If an attempt is made to collect a CFDictionary value, an error should be reported.
|
+| | The empty string value is permitted here to allow for detailed error reporting.
|
+
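Review bot: several section headings in this hunk carry the description of the first child element instead of the item name, and that element's own table row (together with its `| Child Elements | Type (MinOccurs..MaxOccurs) |` header) is missing: `## Specifies whether automatic checking is enabled (true).`, `## Specifies the data type that was used in collection.` and `## Specifies the name of the current time zone.` should be `## < item_name >` headings in the form used elsewhere (e.g. `## < config_item >`), and the two enumeration tables that open with `## The actual permission is more restrictive than the expected permission.` and `## The CFString type is used to describe a preference key ...` have lost their heading and first `| value | description |` row to the same generator slip. Spelling in the same hunk: `Specifies wither the machine is using network time.` should read `whether`; `closure lock` should be `enclosure lock` to match the element name `disablekeyboardwhenenclosurelockisengaged`; and `Specifies the startup disks.` describes a (1..1) string entity, so `disk` singular.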
diff --git a/guidelines/oval-schema-documentation/netconf-definitions-schema.md b/guidelines/oval-schema-documentation/netconf-definitions-schema.md
new file mode 100644
index 0000000..2248dd7
--- /dev/null
+++ b/guidelines/oval-schema-documentation/netconf-definitions-schema.md
@@ -0,0 +1,57 @@
+# Open Vulnerability and Assessment Language: Element Dictionary
+
+* Schema: NETCONF Definitions
+* Version: 5.11.1:1.1
+* Release Date: 11/30/2016 09:00:00 AM
+
+The following is a description of the elements, types, and attributes that compose the NETCONF (RFC 6241) protocol-specific tests found in Open Vulnerability and Assessment Language (OVAL). Each test is an extension of the standard test element defined in the Core Definition Schema. Through extension, each test inherits a set of elements and attributes that are shared amongst all OVAL tests. Each test is described in detail and should provide the information necessary to understand what each element and attribute represents. This document is intended for developers and assumes some familiarity with XML. A high level description of the interaction between the different tests and their relationship to the Core Definition Schema is not outlined here
+
+This schema was originally developed by David Solin at jOVAL.org. The OVAL Schema is maintained by the OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.cisecurity.org.
+
+## Test Listing
+
+ *[ config_test ](#config_test)
+
+______________
+
+## entity in the urn:ietf:params:xml:ns:netconf:base:1.0 XML namespace, with arbitrary (i.e., vendor-specific) child nodes.
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| xpath | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||Specifies an Xpath expression describing the text node(s) or attribute(s) to look at. Any valid Xpath 1.0 statement is usable with one exception, at most one field may be identified in the Xpath. This is because the value_of element in the data section is only designed to work against a single field. The only valid operator for xpath is equals since there is an infinite number of possible xpaths and determinining all those that do not equal a given xpath would be impossible.
|
+| [oval-def:filter](oval-definitions-schema.md#filter) | n/a (0..unbounded) |
+|||
+
+## < config_state >
+
+The config_state element defines the different information that can be used to evaluate the result of a specific config xpath evaluation. This includes the xpath used and the value of this xpath.
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| xpath | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||Specifies an Xpath expression describing the text node(s) or attribute(s) to look at.
|
+| value_of | [oval-def:EntityStateAnySimpleType](oval-definitions-schema.md#EntityStateAnySimpleType) (0..1) |
+||The value_of element checks the value(s) of the text node(s) or attribute(s) found.
|
+
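Review bot: the config_object section is truncated: the heading `## entity in the urn:ietf:params:xml:ns:netconf:base:1.0 XML namespace, with arbitrary (i.e., vendor-specific) child nodes.` is the tail of the object's description, so the `## < config_object >` heading and the opening of that description are missing, and there is no `## < config_test >` section at all even though the Test Listing links to `#config_test`. Smaller fixes in the same hunk: the intro sentence ending `... their relationship to the Core Definition Schema is not outlined here` needs a terminating period, and `determinining` in the xpath description should be `determining`.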
diff --git a/guidelines/oval-schema-documentation/netconf-system-characteristics-schema.md b/guidelines/oval-schema-documentation/netconf-system-characteristics-schema.md
new file mode 100644
index 0000000..54f4cbc
--- /dev/null
+++ b/guidelines/oval-schema-documentation/netconf-system-characteristics-schema.md
@@ -0,0 +1,25 @@
+# Open Vulnerability and Assessment Language: Element Dictionary
+
+* Schema: NETCONF System Characteristics
+* Version: 5.11.1:1.1
+* Release Date: 11/30/2016 09:00:00 AM
+
+This document outlines the items of the OVAL System Characteristics XML schema that are composed of NETCONF (RFC 6241) protocol-specific tests. Each item is an extention of a basic System Characteristics item defined in the core System Characteristics XML schema.
+
+This schema was originally developed by David Solin at jOVAL.org. The OVAL Schema is maintained by the OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.cisecurity.org.
+
+______________
+
+## < config_item >
+
+This item stores results from checking the contents of an xml configuration.
+
+**Extends:** [oval-sc:ItemType](oval-system-characteristics-schema.md#ItemType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| xpath | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||Specifies an Xpath expression describing the text node(s) or attribute(s) to look at.
|
+| value_of | [oval-sc:EntityItemAnySimpleType](oval-system-characteristics-schema.md#EntityItemAnySimpleType) (0..unbounded) |
+||The value_of element checks the value(s) of the text node(s) or attribute(s) found. How this is used is entirely controlled by operator attributes.
|
+
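Review bot: `Each item is an extention of a basic System Characteristics item` should read `extension`. The rest of the file follows the layout of the other system-characteristics dictionaries, so nothing else to raise here.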
diff --git a/guidelines/oval-schema-documentation/oval-common-schema.md b/guidelines/oval-schema-documentation/oval-common-schema.md
new file mode 100644
index 0000000..c831248
--- /dev/null
+++ b/guidelines/oval-schema-documentation/oval-common-schema.md
@@ -0,0 +1,493 @@
+# Open Vulnerability and Assessment Language: Element Dictionary
+
+* Schema: Core Common
+* Version: 5.11.2
+* Release Date: 11/30/2016 09:00:00 AM
+
+The following is a description of the common types that are shared across the different schemas within Open Vulnerability and Assessment Language (OVAL). Each type is described in detail and should provide the information necessary to understand what each represents. This document is intended for developers and assumes some familiarity with XML. A high level description of the interaction between these type is not outlined here.
+
+The OVAL Schema is maintained by the OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.cisecurity.org.
+
+______________
+
+## < deprecated_info >
+
+The deprecated_info element is used in documenting deprecation information for items in the OVAL Language. It is declared globally as it can be found in any of the OVAL schemas and is used as part of the appinfo documentation and therefore it is not an element that can be declared locally and based off a global type..
+
+[oval:DeprecatedInfoType](oval-common-schema.md#DeprecatedInfoType)
+
+## < element_mapping >
+
+The element_mapping element is used in documenting which tests, objects, states, and system characteristic items are associated with each other. It provides a way to explicitly and programatically associate the test, object, state, and item definitions.
+
+[oval:ElementMapType](oval-common-schema.md#ElementMapType)
+
+## < notes >
+
+Element for containing notes; can be replaced using a substitution group.
+
+[oval:NotesType](oval-common-schema.md#NotesType)
+
+## == ElementMapType ==
+
+The ElementMapType is used to document the association between OVAL test, object, state, and item entities.
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| test | [oval:ElementMapItemType](oval-common-schema.md#ElementMapItemType) (1..1) |
+||The local name of an OVAL test.
|
+| object | [oval:ElementMapItemType](oval-common-schema.md#ElementMapItemType) (0..1) |
+||The local name of an OVAL object.
|
+| state | [oval:ElementMapItemType](oval-common-schema.md#ElementMapItemType) (0..1) |
+||The local name of an OVAL state.
|
+| item | [oval:ElementMapItemType](oval-common-schema.md#ElementMapItemType) (0..1) |
+||The local name of an OVAL item.
|
+
+## == ElementMapItemType ==
+
+Defines a reference to an OVAL entity using the schema namespace and element name.
+
+#### Attributes:
+
+* **target_namespace** xsd:anyURI (optional)
+The target_namespace attributes indicates what XML namespace the element belongs to. If not present, the namespace is that of the document in which the ElementMapItemType instance element appears.
+
+**Simple Content:** xsd:NCName
+
+## == DeprecatedInfoType ==
+
+The DeprecatedInfoType complex type defines a structure that will be used to flag schema-defined constructs as deprecated. It holds information related to the version of OVAL when the construct was deprecated along with a reason and comment.
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| version | n/a (1..1) |
+||The required version child element details the version of OVAL in which the construct became deprecated.
|
+| reason | xsd:string (1..1) |
+||The required reason child element is used to provide an explanation as to why an item was deprecated and to direct a reader to possible alternative structures within OVAL.
|
+| comment | xsd:string (0..1) |
+||The optional comment child element is used to supply additional information regarding the element's deprecated status.
|
+
+______________
+
+## == GeneratorType ==
+
+The GeneratorType complex type defines an element that is used to hold information about when a particular OVAL document was compiled, what version of the schema was used, what tool compiled the document, and what version of that tool was used.
+
+Additional generator information is also allowed although it is not part of the official OVAL Schema. Individual organizations can place generator information that they feel are important and these will be skipped during the validation. All OVAL really cares about is that the stated generator information is there.
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| product_name | xsd:string (0..1) |
+||The optional product_name specifies the name of the application used to generate the file. Product names SHOULD be expressed as CPE Names according to the Common Platform Enumeration: Name Matching Specification Version 2.3.
|
+| product_version | xsd:string (0..1) |
+||The optional product_version specifies the version of the application used to generate the file.
|
+| schema_version | [oval:SchemaVersionType](oval-common-schema.md#SchemaVersionType) (1..unbounded) |
+||The required schema_version specifies the version of the OVAL Schema that the document has been written in and that should be used for validation. The versions for both the Core and any platform extensions used should be declared in separate schema_version elements.
|
+| timestamp | xsd:dateTime (1..1) |
+||The required timestamp specifies when the particular OVAL document was compiled. The format for the timestamp is yyyy-mm-ddThh:mm:ss. Note that the timestamp element does not specify when a definition (or set of definitions) was created or modified but rather when the actual XML document that contains the definition was created. For example, the document might have pulled a bunch of existing OVAL Definitions together, each of the definitions having been created at some point in the past. The timestamp in this case would be when the combined document was created.
|
+| xsd:any | n/a (0..unbounded) |
+||The Asset Identification specification (http://scap.nist.gov/specifications/ai/) provides a standardized way of reporting asset information across different organizations.
Asset Identification elements can hold data useful for identifying what tool, what version of that tool was used, and identify other assets used to compile an OVAL document, such as persons or organizations.
To support greater interoperability, an ai:assets element describing assets used to produce an OVAL document may appear at this point in an OVAL document.
|
+
+## == SchemaVersionType ==
+
+The core version MUST match on all platform schema versions.
+
+#### Attributes:
+
+* **platform** xsd:anyURI (optional)
+The platform attribute is available to indicate the URI of the target namespace for any platform extension being included. This platform attribute is to be omitted when specifying the core schema version.
+
+**Simple Content:** [oval:SchemaVersionPattern](oval-common-schema.md#SchemaVersionPattern)
+
+## == MessageType ==
+
+The MessageType complex type defines the structure for which messages are relayed from the data collection engine. Each message is a text string that has an associated level attribute identifying the type of message being sent. These messages could be error messages, warning messages, debug messages, etc. How the messages are used by tools and whether or not they are displayed to the user is up to the specific implementation. Please refer to the description of the MessageLevelEnumeration for more information about each type of message.
+
+#### Attributes:
+
+* **level** [oval:MessageLevelEnumeration](oval-common-schema.md#MessageLevelEnumeration) (optional -- default='info')
+
+**Simple Content:** xsd:string
+
+## == NotesType ==
+
+The NotesType complex type is a container for one or more note child elements. Each note contains some information about the definition or tests that it references. A note may record an unresolved question about the definition or test or present the reason as to why a particular approach was taken.
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| note | xsd:string (0..unbounded) |
+|||
+
+______________
+
+## -- CheckEnumeration --
+
+The CheckEnumeration simple type defines acceptable check values, which are used to determine the final result of something based on the results of individual components. When used to define the relationship between objects and states, each check value defines how many of the matching objects (items except those with a status of does not exist) must satisfy the given state for the test to return true. When used to define the relationship between instances of a given entity, the different check values defines how many instances must be true for the entity to return true. When used to define the relationship between entities and multiple variable values, each check value defines how many variable values must be true for the entity to return true.
+
+| Value | Description |
+| ----- | ----------- |
+| all | A value of 'all' means that a final result of true is given if all the individual results under consideration are true.
|
+| at least one | A value of 'at least one' means that a final result of true is given if at least one of the individual results under consideration is true.
|
+| ~~none exist~~ | ~~A value of 'none exists' means that a test evaluates to true if no matching object exists that satisfy the data requirements.
~~> :small_red_triangle: **Deprecated As Of Version 5.3** :small_red_triangle:
**Reason:** Replaced by the 'none satisfy' value. In version 5.3 of the OVAL Language, the checking of existence and state were separated into two distinct checks CheckEnumeration (state) and ExistenceEnumeration (existence). Since CheckEnumeration is now used to specify how many objects should satisfy a given state for a test to return true, and no longer used for specifying how many objects must exist for a test to return true, a value of 'none exist' is no longer needed. See the 'none satisfy' value.
**Comment:** This value has been deprecated and will be removed in version 6.0 of the language.
|
+| none satisfy | A value of 'none satisfy' means that a final result of true is given if none the individual results under consideration are true.
|
+| only one | A value of 'only one' means that a final result of true is given if one and only one of the individual results under consideration are true.
|
+
+Below are some tables that outline how each check attribute effects evaluation. The far left column identifies the check attribute in question. The middle column specifies the different combinations of individual results that the check attribute may bind together. (T=true, F=false, E=error, U=unknown, NE=not evaluated, NA=not applicable) For example, a 1+ under T means that one or more individual results are true, while a 0 under U means that zero individual results are unknown. The last column specifies what the final result would be according to each combination of individual results. Note that if the individual test is negated, then a true result is false and a false result is true, all other results stay as is.
+```
+ || num of individual results ||
+ check attr is || || final result is
+ || T | F | E | U | NE | NA ||
+---------------||-----------------------------||------------------
+ || 1+ | 0 | 0 | 0 | 0 | 0+ || True
+ || 0+ | 1+ | 0+ | 0+ | 0+ | 0+ || False
+ ALL || 0+ | 0 | 1+ | 0+ | 0+ | 0+ || Error
+ || 0+ | 0 | 0 | 1+ | 0+ | 0+ || Unknown
+ || 0+ | 0 | 0 | 0 | 1+ | 0+ || Not Evaluated
+ || 0 | 0 | 0 | 0 | 0 | 1+ || Not Applicable
+---------------||-----------------------------||------------------
+```
+
+
+```
+ || num of individual results ||
+ check attr is || || final result is
+ || T | F | E | U | NE | NA ||
+---------------||-----------------------------||------------------
+ || 1+ | 0+ | 0+ | 0+ | 0+ | 0+ || True
+ || 0 | 1+ | 0 | 0 | 0 | 0+ || False
+ AT LEAST ONE || 0 | 0+ | 1+ | 0+ | 0+ | 0+ || Error
+ || 0 | 0+ | 0 | 1+ | 0+ | 0+ || Unknown
+ || 0 | 0+ | 0 | 0 | 1+ | 0+ || Not Evaluated
+ || 0 | 0 | 0 | 0 | 0 | 1+ || Not Applicable
+---------------||-----------------------------||------------------
+```
+
+
+```
+ || num of individual results ||
+ check attr is || || final result is
+ || T | F | E | U | NE | NA ||
+---------------||-----------------------------||------------------
+ || 1 | 0+ | 0 | 0 | 0 | 0+ || True
+ || 2+ | 0+ | 0+ | 0+ | 0+ | 0+ || ** False **
+ || 0 | 1+ | 0 | 0 | 0 | 0+ || ** False **
+ ONLY ONE ||0,1 | 0+ | 1+ | 0+ | 0+ | 0+ || Error
+ ||0,1 | 0+ | 0 | 1+ | 0+ | 0+ || Unknown
+ ||0,1 | 0+ | 0 | 0 | 1+ | 0+ || Not Evaluated
+ || 0 | 0 | 0 | 0 | 0 | 1+ || Not Applicable
+---------------||-----------------------------||------------------
+```
+
+
+```
+ || num of individual results ||
+ check attr is || || final result is
+ || T | F | E | U | NE | NA ||
+---------------||-----------------------------||------------------
+ || 0 | 1+ | 0 | 0 | 0 | 0+ || True
+ || 1+ | 0+ | 0+ | 0+ | 0+ | 0+ || False
+ NONE SATISFY || 0 | 0+ | 1+ | 0+ | 0+ | 0+ || Error
+ || 0 | 0+ | 0 | 1+ | 0+ | 0+ || Unknown
+ || 0 | 0+ | 0 | 0 | 1+ | 0+ || Not Evaluated
+ || 0 | 0 | 0 | 0 | 0 | 1+ || Not Applicable
+---------------||-----------------------------||------------------
+```
+
+## -- ClassEnumeration --
+
+The ClassEnumeration simple type defines the different classes of definitions. Each class defines a certain intent regarding how an OVAL Definition is written and what that definition is describing. The specified class gives a hint about the definition so a user can know what the definition writer is trying to say. Note that the class does not make a statement about whether a true result is good or bad as this depends on the use of an OVAL Definition. These classes are also used to group definitions by the type of system state they are describing. For example, this allows users to find all the vulnerability (or patch, or inventory, etc) definitions.
+
+| Value | Description |
+| ----- | ----------- |
+| compliance | A compliance definition describes the state of a machine as it complies with a specific policy. A definition of this class will evaluate to true when the system is found to be compliant with the stated policy. Another way of thinking about this is that a compliance definition is stating "the system is compliant if ...".
|
+| inventory | An inventory definition describes whether a specific piece of software is installed on the system. A definition of this class will evaluate to true when the specified software is found on the system. Another way of thinking about this is that an inventory definition is stating "the software is installed if ...".
|
+| miscellaneous | The 'miscellaneous' class is used to identify definitions that do not fall into any of the other defined classes.
|
+| patch | A patch definition details the machine state of whether a patch executable should be installed. A definition of this class will evaluate to true when the specified patch is missing from the system. Another way of thinking about this is that a patch definition is stating "the patch should be installed if ...". Note that word SHOULD is intended to mean more than just CAN the patch executable be installed. In other words, if a more recent patch is already installed then the specified patch might not need to be installed.
|
+| vulnerability | A vulnerability definition describes the conditions under which a machine is vulnerable. A definition of this class will evaluate to true when the system is found to be vulnerable with the stated issue. Another way of thinking about this is that a vulnerability definition is stating "the system is vulnerable if ...".
|
+
+## -- SimpleDatatypeEnumeration --
+
+The SimpleDatatypeEnumeration simple type defines the legal datatypes that are used to describe the values of individual entities that can be represented in a XML string field. The value may have structure and a pattern, but it is represented as string content.
+
+| Value | Description |
+| ----- | ----------- |
+| binary | The binary datatype is used to represent hex-encoded data that is in raw (non-printable) form. This datatype conforms to the W3C Recommendation for binary data meaning that each binary octet is encoded as a character tuple, consisting of two hexadecimal digits {[0-9a-fA-F]} representing the octet code. Expected operations within OVAL for binary values are 'equals' and 'not equal'.
|
+| boolean | The boolean datatype represents standard boolean data, either true or false. This datatype conforms to the W3C Recommendation for boolean data meaning that the following literals are legal values: {true, false, 1, 0}. Expected operations within OVAL for boolean values are 'equals' and 'not equal'.
|
+| evr_string | The evr_string datatype represents the epoch, version, and release fields as a single version string. It has the form "EPOCH:VERSION-RELEASE". Comparisons involving this datatype should follow the algorithm of librpm's rpmvercmp() function. Expected operations within OVAL for evr_string values are 'equals', 'not equal', 'greater than', 'greater than or equal', 'less than', and 'less than or equal'.
|
+| debian_evr_string | The debian_evr_string datatype represents the epoch, upstream_version, and debian_revision fields, for a Debian package, as a single version string. It has the form "EPOCH:UPSTREAM_VERSION-DEBIAN_REVISION". Comparisons involving this datatype should follow the algorithm outlined in Chapter 5 of the "Debian Policy Manual" (https://www.debian.org/doc/debian-policy/ch-controlfields.html#s-f-Version). Note that a null epoch is equivalent to a value of '0'. An implementation of this is the cmpversions() function in dpkg's enquiry.c. Expected operations within OVAL for debian_evr_string values are 'equals', 'not equal', 'greater than', 'greater than or equal', 'less than', and 'less than or equal'.
|
+| fileset_revision | The fileset_revision datatype represents the version string related to filesets in HP-UX. An example would be 'A.03.61.00'. For more information, see the HP-UX "Software Distributor Administration Guide" (http://h20000.www2.hp.com/bc/docs/support/SupportManual/c01919399/c01919399.pdf). Expected operations within OVAL for fileset_version values are 'equals', 'not equal', 'greater than', 'greater than or equal', 'less than', and 'less than or equal'.
|
+| float | The float datatype describes standard float data. This datatype conforms to the W3C Recommendation for float data meaning it is patterned after the IEEE single-precision 32-bit floating point type. The format consists of a decimal followed, optionally, by the character 'E' or 'e', followed by an integer exponent. The special values positive and negative infinity and not-a-number have are represented by INF, -INF and NaN, respectively. Expected operations within OVAL for float values are 'equals', 'not equal', 'greater than', 'greater than or equal', 'less than', and 'less than or equal'.
|
+| ios_version | The ios_version datatype describes Cisco IOS Train strings. These are in essence version strings for IOS. Please refer to Cisco's IOS Reference Guide for information on how to compare different Trains as they follow a very specific pattern. Expected operations within OVAL for ios_version values are 'equals', 'not equal', 'greater than', 'greater than or equal', 'less than', and 'less than or equal'.
|
+| int | The int datatype describes standard integer data. This datatype conforms to the W3C Recommendation for integer data which follows the standard mathematical concept of the integer numbers. (no decimal point and infinite range) Expected operations within OVAL for int values are 'equals', 'not equal', 'greater than', 'greater than or equal', 'less than', 'less than or equal', 'bitwise and', and 'bitwise or'.
|
+| ipv4_address | The ipv4_address datatype represents IPv4 addresses and IPv4 address prefixes. Its value space consists of the set of ordered pairs of integers where the first element of each pair is in the range [0,2^32) (the representable range of a 32-bit unsigned int), and the second is in the range [0,32]. The first element is an address, and the second is a prefix length.
The lexical space is dotted-quad CIDR-like notation ('a.b.c.d' where 'a', 'b', 'c', and 'd' are integers from 0-255), optionally followed by a slash ('/') and either a prefix length (an integer from 0-32) or a netmask represented in the dotted-quad notation described previously. Examples of legal values are '192.0.2.0', '192.0.2.0/32', and '192.0.2.0/255.255.255.255'. Additionally, leading zeros are permitted such that '192.0.2.0' is equal to '192.000.002.000'. If a prefix length is not specified, it is implicitly equal to 32.
The expected operations within OVAL for ipv4_address values are 'equals', 'not equal', 'greater than', 'greater than or equal', 'less than', 'less than or equal', 'subset of', and 'superset of'. All operations are defined in terms of the value space. Let A and B be ipv4_address values (i.e. ordered pairs from the value space). The following definitions assume that bits outside the prefix have been zeroed out. By zeroing the low order bits, they are effectively ignored for all operations. Implementations of the following operations MUST behave as if this has been done.
The following defines how to perform each operation for the ipv4_address datatype. Let P_addr mean the first element of ordered pair P and P_prefix mean the second element.
equals: A equals B if and only if A_addr == B_addr and A_prefix == B_prefix.
not equal: A is not equal to B if and only if they don't satisfy the criteria for operator "equals".
greater than: A is greater than B if and only if A_prefix == B_prefix and A_addr > B_addr. If A_prefix != B_prefix, i.e. prefix lengths are not equal, an error MUST be reported.
greater than or equal: A is greater than or equal to B if and only if A_prefix == B_prefix and they satisfy either the criteria for operators "equal" or "greater than". If A_prefix != B_prefix, i.e. prefix lengths are not equal, an error MUST be reported.
less than: A is less than B if and only if A_prefix == B_prefix and they don't satisfy the criteria for operator "greater than or equal". If A_prefix != B_prefix, i.e. prefix lengths are not equal, an error MUST be reported.
less than or equal: A is less than or equal to B if and only if A_prefix == B_prefix and they don't satisfy the criteria for operator "greater than". If A_prefix != B_prefix, i.e. prefix lengths are not equal, an error MUST be reported.
subset of: A is a subset of B if and only if every IPv4 address in subnet A is present in subnet B. In other words, A_prefix >= B_prefix and the high B_prefix bits of A_addr and B_addr are equal.
superset of: A is a superset of B if and only if B is a subset of A.
|
+| ipv6_address | The ipv6_address datatype represents IPv6 addresses and IPv6 address prefixes. Its value space consists of the set of ordered pairs of integers where the first element of each pair is in the range [0,2^128) (the representable range of a 128-bit unsigned int), and the second is in the range [0,128]. The first element is an address, and the second is a prefix length.
The lexical space is CIDR notation given in IETF specification RFC 4291 for textual representations of IPv6 addresses and IPv6 address prefixes (see sections 2.2 and 2.3). If a prefix-length is not specified, it is implicitly equal to 128.
The expected operations within OVAL for ipv6_address values are 'equals', 'not equal', 'greater than', 'greater than or equal', 'less than', 'less than or equal', 'subset of', and 'superset of'. All operations are defined in terms of the value space. Let A and B be ipv6_address values (i.e. ordered pairs from the value space). The following definitions assume that bits outside the prefix have been zeroed out. By zeroing the low order bits, they are effectively ignored for all operations. Implementations of the following operations MUST behave as if this has been done.
The following defines how to perform each operation for the ipv6_address datatype. Let P_addr mean the first element of ordered pair P and P_prefix mean the second element.
equals: A equals B if and only if A_addr == B_addr and A_prefix == B_prefix.
not equal: A is not equal to B if and only if they don't satisfy the criteria for operator "equals".
greater than: A is greater than B if and only if A_prefix == B_prefix and A_addr > B_addr. If A_prefix != B_prefix, an error MUST be reported.
greater than or equal: A is greater than or equal to B if and only if A_prefix == B_prefix and they satisfy either the criteria for operators "equal" or "greater than". If A_prefix != B_prefix, an error MUST be reported.
less than: A is less than B if and only if A_prefix == B_prefix and they don't satisfy the criteria for operator "greater than or equal". If A_prefix != B_prefix, an error MUST be reported.
less than or equal: A is less than or equal to B if and only if A_prefix == B_prefix and they don't satisfy the criteria for operator "greater than". If A_prefix != B_prefix, an error MUST be reported.
subset of: A is a subset of B if and only if every IPv6 address in subnet A is present in subnet B. In other words, A_prefix >= B_prefix and the high B_prefix bits of A_addr and B_addr are equal.
superset of: A is a superset of B if and only if B is a subset of A.
|
+| string | The string datatype describes standard string data. This datatype conforms to the W3C Recommendation for string data. Expected operations within OVAL for string values are 'equals', 'not equal', 'case insensitive equals', 'case insensitive not equal', 'pattern match'.
|
+| version | The version datatype represents a value that is a hierarchical list of non-negative integers separated by a single character delimiter. Note that any non-number character can be used as a delimiter and that different characters can be used within the same version string. So '#.#-#' is the same as '#.#.#' or '#c#c#' where '#' is any non-negative integer. Expected operations within OVAL for version values are 'equals', 'not equal', 'greater than', 'greater than or equal', 'less than', and 'less than or equal'.
For example '#.#.#' or '#-#-#-#' where the numbers to the left are more significant than the numbers to the right. When performing an 'equals' operation on a version datatype, you should first check the left most number for equality. If that fails, then the values are not equal. If it succeeds, then check the second left most number for equality. Continue checking the numbers from left to right until the last number has been checked. If, after testing all the previous numbers, the last number is equal then the two versions are equal. When performing other operations, such as 'less than', 'less than or equal', 'greater than, or 'greater than or equal', similar logic as above is used. Start with the left most number and move from left to right. For each number, check if it is less than the number you are testing against. If it is, then the version in question is less than the version you are testing against. If the number is equal, then move to check the next number to the right. For example, to test if 5.7.23 is less than or equal to 5.8.0 you first compare 5 to 5. They are equal so you move on to compare 7 to 8. 7 is less than 8 so the entire test succeeds and 5.7.23 is 'less than or equal' to 5.8.0. The difference between the 'less than' and 'less than or equal' operations is how the last number is handled. If the last number is reached, the check should use the given operation (either 'less than' and 'less than or equal') to test the number. For example, to test if 4.23.6 is greater than 4.23.6 you first compare 4 to 4. They are equal so you move on to compare 23 to 23. They are equal so you move on to compare 6 to 6. This is the last number in the version and since 6 is not greater than 6, the entire test fails and 4.23.6 is not greater than 4.23.6.
Version strings with a different number of components shall be padded with zeros to make them the same size. For example, if the version strings '1.2.3' and '6.7.8.9' are being compared, then the short one should be padded to become '1.2.3.0'.
|
+
+## -- ComplexDatatypeEnumeration --
+
+The ComplexDatatypeEnumeration simple type defines the complex legal datatypes that are supported in OVAL. These datatype describe the values of individual entities where the entity has some complex structure beyond simple string like content.
+
+| Value | Description |
+| ----- | ----------- |
+| record | The record datatype describes an entity with structured set of named fields and values as its content. The only allowed operation within OVAL for record values is 'equals'. Note that the record datatype is not currently allowed when using variables.
|
+
+## -- DatatypeEnumeration --
+
+The DatatypeEnumeration simple type defines the legal datatypes that are used to describe the values of individual entities. A value should be interpreted according to the specified type. This is most important during comparisons. For example, is '21' less than '123'? will evaluate to true if the datatypes are 'int', but will evaluate to 'false' if the datatypes are 'string'. Another example is applying the 'equal' operation to '1.0.0.0' and '1.0'. With datatype 'string' they are not equal, with datatype 'version' they are.
+
+** Union of **[oval:SimpleDatatypeEnumeration](oval-common-schema.md#SimpleDatatypeEnumeration) , [oval:ComplexDatatypeEnumeration](oval-common-schema.md#ComplexDatatypeEnumeration)
+## -- ExistenceEnumeration --
+
+The ExistenceEnumeration simple type defines acceptable existence values, which are used to determine a result based on the existence of individual components. The main use for this is for a test regarding the existence of objects on the system. Its secondary use is for a state regarding the existence of entities in corresponding items.
+
+| Value | Description |
+| ----- | ----------- |
+| all_exist | When used in the context of an OVAL state entity's check_existence attribute, a value of 'all_exist' means that every item entity for an object defined by the description exists on the system. When used in the context of an OVAL test's check_existence attribute, this value is equivalent to 'at_least_one_exists' because non-existent items have no impact upon evaluation.
|
+| any_exist | A value of 'any_exist' means that zero or more objects defined by the description exist on the system.
|
+| at_least_one_exists | A value of 'at_least_one_exists' means that at least one object defined by the description exists on the system.
|
+| none_exist | A value of 'none_exist' means that none of the objects defined by the description exist on the system.
|
+| only_one_exists | A value of 'only_one_exists' means that only one object defined by the description exists on the system.
|
+
+Below are some tables that outline how each ExistenceEnumeration value effects evaluation of a given test. Note that this is related to the existence of an object(s) and not the object(s) compliance with a state. The left column identifies the ExistenceEnumeration value in question. The middle column specifies the different combinations of individual item status values that have been found in the system characteristics file related to the given object. (EX=exists, DE=does not exist, ER=error, NC=not collected) For example, a 1+ under EX means that one or more individual item status attributes are set to exists, while a 0 under NC means that zero individual item status attributes are set to not collected. The last column specifies what the result of the existence piece would be according to each combination of individual item status values.
+```
+ || item status value count ||
+ attr value || || existence piece is
+ || EX | DE | ER | NC ||
+--------------------||---------------------------||------------------
+ || 1+ | 0 | 0 | 0 || True
+ || 0 | 0 | 0 | 0 || False
+ || 0+ | 1+ | 0+ | 0+ || False
+ all_exist || 0+ | 0 | 1+ | 0+ || Error
+ || 0+ | 0 | 0 | 1+ || Unknown
+ || -- | -- | -- | -- || Not Evaluated
+ || -- | -- | -- | -- || Not Applicable
+--------------------||---------------------------||------------------
+```
+
+
+```
+ || item status value count ||
+ attr value || || existence piece is
+ || EX | DE | ER | NC ||
+--------------------||---------------------------||------------------
+ || 0+ | 0+ | 0 | 0+ || True
+ || 1+ | 0+ | 1+ | 0+ || True
+ || -- | -- | -- | -- || False
+ any_exist || 0 | 0+ | 1+ | 0+ || Error
+ || -- | -- | -- | -- || Unknown
+ || -- | -- | -- | -- || Not Evaluated
+ || -- | -- | -- | -- || Not Applicable
+--------------------||---------------------------||------------------
+```
+
+
+```
+ || item status value count ||
+ attr value || || existence piece is
+ || EX | DE | ER | NC ||
+--------------------||---------------------------||------------------
+ || 1+ | 0+ | 0+ | 0+ || True
+ || 0 | 0+ | 0 | 0 || False
+at_least_one_exists || 0 | 0+ | 1+ | 0+ || Error
+ || 0 | 0+ | 0 | 1+ || Unknown
+ || -- | -- | -- | -- || Not Evaluated
+ || -- | -- | -- | -- || Not Applicable
+--------------------||---------------------------||------------------
+```
+
+
+```
+ || item status value count ||
+ attr value || || existence piece is
+ || EX | DE | ER | NC ||
+--------------------||---------------------------||------------------
+ || 0 | 0+ | 0 | 0 || True
+ || 1+ | 0+ | 0+ | 0+ || False
+ none_exist || 0 | 0+ | 1+ | 0+ || Error
+ || 0 | 0+ | 0 | 1+ || Unknown
+ || -- | -- | -- | -- || Not Evaluated
+ || -- | -- | -- | -- || Not Applicable
+--------------------||---------------------------||------------------
+```
+
+
+```
+ || item status value count ||
+ attr value || || existence piece is
+ || EX | DE | ER | NC ||
+--------------------||---------------------------||------------------
+ || 1 | 0+ | 0 | 0 || True
+ || 2+ | 0+ | 0+ | 0+ || False
+ || 0 | 0+ | 0 | 0 || False
+ only_one_exists || 0,1 | 0+ | 1+ | 0+ || Error
+ || 0,1 | 0+ | 0 | 1+ || Unknown
+ || -- | -- | -- | -- || Not Evaluated
+ || -- | -- | -- | -- || Not Applicable
+--------------------||---------------------------||------------------
+```
+
+## -- FamilyEnumeration --
+
+The FamilyEnumeration simple type is a listing of families that OVAL supports at this time. Since new family values can only be added with new version of the schema, the value of 'undefined' is to be used when the desired family is not available. Note that use of the undefined family value does not target all families, rather it means that some family other than one of the defined values is targeted.
+
+| Value | Description |
+| ----- | ----------- |
+| android | The android value describes the Android mobile operating system.
|
+| asa | The asa value describes the Cisco ASA security devices.
|
+| apple_ios | The apple_ios value describes the iOS mobile operating system.
|
+| catos | The catos value describes the Cisco CatOS operating system.
|
+| ios | The ios value describes the Cisco IOS operating system.
|
+| iosxe | The iosxe value describes the Cisco IOS XE operating system.
|
+| junos | The junos value describes the Juniper JunOS operating system.
|
+| macos | The macos value describes the Mac operating system.
|
+| pixos | The pixos value describes the Cisco PIX operating system.
|
+| undefined | The undefined value is to be used when the desired family is not available.
|
+| unix | The unix value describes the UNIX operating system.
|
+| vmware_infrastructure | The vmware_infrastructure value describes VMWare Infrastructure.
|
+| windows | The windows value describes the Microsoft Windows operating system.
|
+
+## -- MessageLevelEnumeration --
+
+The MessageLevelEnumeration simple type defines the different levels associated with a message. There is no specific criteria about which messages get assigned which level. This is completely arbitrary and up to the content producer to decide what is an error message and what is a debug message.
+
+| Value | Description |
+| ----- | ----------- |
+| debug | Debug messages should only be displayed by a tool when run in some sort of verbose mode.
|
+| error | Error messages should be recorded when there was an error that did not allow the collection of specific data.
|
+| fatal | A fatal message should be recorded when an error causes the failure of more than just a single piece of data.
|
+| info | Info messages are used to pass useful information about the data collection to a user.
|
+| warning | A warning message reports something that might not correct but information was still collected.
|
+
+## -- OperationEnumeration --
+
+The OperationEnumeration simple type defines acceptable operations. Each operation defines how to compare entities against their actual values.
+
+| Value | Description |
+| ----- | ----------- |
+| equals | The 'equals' operation returns true if the actual value on the system is equal to the stated entity. When the specified datatype is a string, this results in a case-sensitive comparison.
|
+| not equal | The 'not equal' operation returns true if the actual value on the system is not equal to the stated entity. When the specified datatype is a string, this results in a case-sensitive comparison.
|
+| case insensitive equals | The 'case insensitive equals' operation is meant for string data and returns true if the actual value on the system is equal (using a case insensitive comparison) to the stated entity.
|
+| case insensitive not equal | The 'case insensitive not equal' operation is meant for string data and returns true if the actual value on the system is not equal (using a case insensitive comparison) to the stated entity.
|
+| greater than | The 'greater than' operation returns true if the actual value on the system is greater than the stated entity.
|
+| less than | The 'less than' operation returns true if the actual value on the system is less than the stated entity.
|
+| greater than or equal | The 'greater than or equal' operation returns true if the actual value on the system is greater than or equal to the stated entity.
|
+| less than or equal | The 'less than or equal' operation returns true if the actual value on the system is less than or equal to the stated entity.
|
+| bitwise and | The 'bitwise and' operation is used to determine if a specific bit is set. It returns true if performing a BITWISE AND with the binary representation of the stated entity against the binary representation of the actual value on the system results in a binary value that is equal to the binary representation of the stated entity. For example, assuming a datatype of 'int', if the actual integer value of the setting on your machine is 6 (same as 0110 in binary), then performing a 'bitwise and' with the stated integer 4 (0100) returns 4 (0100). Since the result is the same as the state mask, then the test returns true. If the actual value on your machine is 1 (0001), then the 'bitwise and' with the stated integer 4 (0100) returns 0 (0000). Since the result is not the same as the stated mask, then the test fails.
|
+| bitwise or | The 'bitwise or' operation is used to determine if a specific bit is not set. It returns true if performing a BITWISE OR with the binary representation of the stated entity against the binary representation of the actual value on the system results in a binary value that is equal to the binary representation of the stated entity. For example, assuming a datatype of 'int', if the actual integer value of the setting on your machine is 6 (same as 0110 in binary), then performing a 'bitwise or' with the stated integer 14 (1110) returns 14 (1110). Since the result is the same as the state mask, then the test returns true. If the actual value on your machine is 1 (0001), then the 'bitwise or' with the stated integer 14 (1110) returns 15 (1111). Since the result is not the same as the stated mask, then the test fails.
|
+| pattern match | The 'pattern match' operation allows an item to be tested against a regular expression. When used by an entity in an OVAL Object, the regular expression represents the unique set of matching items on the system. OVAL supports a common subset of the regular expression character classes, operations, expressions and other lexical tokens defined within Perl 5's regular expression specification. For more information on the supported regular expression syntax in OVAL see: http://oval.mitre.org/language/about/re_support_5.6.html
|
+| subset of | The 'subset of' operation returns true if the actual set on the system is a subset of the set defined by the stated entity.
|
+| superset of | The 'superset of' operation returns true if the actual set on the system is a superset of the set defined by the stated entity.
|
+
+## -- OperatorEnumeration --
+
+The OperatorEnumeration simple type defines acceptable operators. Each operator defines how to evaluate multiple arguments.
+
+| Value | Description |
+| ----- | ----------- |
+| AND | The AND operator produces a true result if every argument is true. If one or more arguments are false, the result of the AND is false. If one or more of the arguments are unknown, and if none of the arguments are false, then the AND operator produces a result of unknown.
|
+| ONE | The ONE operator produces a true result if one and only one argument is true. If there are more than argument is true (or if there are no true arguments), the result of the ONE is false. If one or more of the arguments are unknown, then the ONE operator produces a result of unknown.
|
+| OR | The OR operator produces a true result if one or more arguments is true. If every argument is false, the result of the OR is false. If one or more of the arguments are unknown and if none of arguments are true, then the OR operator produces a result of unknown.
|
+| XOR | XOR is defined to be true if an odd number of its arguments are true, and false otherwise. If any of the arguments are unknown, then the XOR operator produces a result of unknown.
|
+
+Below are some tables that outline how each operator effects evaluation. The far left column identifies the operator in question. The middle column specifies the different combinations of individual results that the operator may bind together. (T=true, F=false, E=error, U=unknown, NE=not evaluated, NA=not applicable) For example, a 1+ under T means that one or more individual results are true, while a 0 under U means that zero individual results are unknown. The last column specifies what the final result would be according to each combination of individual results. Note that if the individual test is negated, then a true result is false and a false result is true, all other results stay as is.
+```
+ || num of individual results ||
+ operator is || || final result is
+ || T | F | E | U | NE | NA ||
+---------------||-----------------------------||------------------
+ || 1+ | 0 | 0 | 0 | 0 | 0+ || True
+ || 0+ | 1+ | 0+ | 0+ | 0+ | 0+ || False
+ AND || 0+ | 0 | 1+ | 0+ | 0+ | 0+ || Error
+ || 0+ | 0 | 0 | 1+ | 0+ | 0+ || Unknown
+ || 0+ | 0 | 0 | 0 | 1+ | 0+ || Not Evaluated
+ || 0 | 0 | 0 | 0 | 0 | 1+ || Not Applicable
+---------------||-----------------------------||------------------
+```
+
+
+```
+ || num of individual results ||
+ operator is || || final result is
+ || T | F | E | U | NE | NA ||
+---------------||-----------------------------||------------------
+ || 1 | 0+ | 0 | 0 | 0 | 0+ || True
+ || 2+ | 0+ | 0+ | 0+ | 0+ | 0+ || ** False **
+ || 0 | 1+ | 0 | 0 | 0 | 0+ || ** False **
+ ONE ||0,1 | 0+ | 1+ | 0+ | 0+ | 0+ || Error
+ ||0,1 | 0+ | 0 | 1+ | 0+ | 0+ || Unknown
+ ||0,1 | 0+ | 0 | 0 | 1+ | 0+ || Not Evaluated
+ || 0 | 0 | 0 | 0 | 0 | 1+ || Not Applicable
+---------------||-----------------------------||------------------
+```
+
+
+```
+ || num of individual results ||
+ operator is || || final result is
+ || T | F | E | U | NE | NA ||
+---------------||-----------------------------||------------------
+ || 1+ | 0+ | 0+ | 0+ | 0+ | 0+ || True
+ || 0 | 1+ | 0 | 0 | 0 | 0+ || False
+ OR || 0 | 0+ | 1+ | 0+ | 0+ | 0+ || Error
+ || 0 | 0+ | 0 | 1+ | 0+ | 0+ || Unknown
+ || 0 | 0+ | 0 | 0 | 1+ | 0+ || Not Evaluated
+ || 0 | 0 | 0 | 0 | 0 | 1+ || Not Applicable
+---------------||-----------------------------||------------------
+```
+
+
+```
+ || num of individual results ||
+ operator is || || final result is
+ || T | F | E | U | NE | NA ||
+---------------||-----------------------------||------------------
+ ||odd | 0+ | 0 | 0 | 0 | 0+ || True
+ ||even| 0+ | 0 | 0 | 0 | 0+ || False
+ XOR || 0+ | 0+ | 1+ | 0+ | 0+ | 0+ || Error
+ || 0+ | 0+ | 0 | 1+ | 0+ | 0+ || Unknown
+ || 0+ | 0+ | 0 | 0 | 1+ | 0+ || Not Evaluated
+ || 0 | 0 | 0 | 0 | 0 | 1+ || Not Applicable
+---------------||-----------------------------||------------------
+```
+
+______________
+
+## -- DefinitionIDPattern --
+
+Define the format for acceptable OVAL Definition ids. An urn format is used with the id starting with the word oval followed by a unique string, followed by the three letter code 'def', and ending with an integer.
+
+oval:[A-Za-z0-9_\-\.]+:def:[1-9][0-9]*## -- ObjectIDPattern --
+
+Define the format for acceptable OVAL Object ids. An urn format is used with the id starting with the word oval followed by a unique string, followed by the three letter code 'obj', and ending with an integer.
+
+oval:[A-Za-z0-9_\-\.]+:obj:[1-9][0-9]*## -- StateIDPattern --
+
+Define the format for acceptable OVAL State ids. An urn format is used with the id starting with the word oval followed by a unique string, followed by the three letter code 'ste', and ending with an integer.
+
+oval:[A-Za-z0-9_\-\.]+:ste:[1-9][0-9]*## -- TestIDPattern --
+
+Define the format for acceptable OVAL Test ids. An urn format is used with the id starting with the word oval followed by a unique string, followed by the three letter code 'tst', and ending with an integer.
+
+oval:[A-Za-z0-9_\-\.]+:tst:[1-9][0-9]*## -- VariableIDPattern --
+
+Define the format for acceptable OVAL Variable ids. An urn format is used with the id starting with the word oval followed by a unique string, followed by the three letter code 'var', and ending with an integer.
+
+oval:[A-Za-z0-9_\-\.]+:var:[1-9][0-9]*## -- ItemIDPattern --
+
+Define the format for acceptable OVAL Item ids. The format is an integer. An item id is used to identify the different items found in an OVAL System Characteristics file.
+
+## -- SchemaVersionPattern --
+
+Define the format for acceptable OVAL Language version strings.
+
+[0-9]+\.[0-9]+(\.[0-9]+)?(:[0-9]+\.[0-9]+(\.[0-9]+)?)?______________
+
+## -- EmptyStringType --
+
+The EmptyStringType simple type is a restriction of the built-in string simpleType. The only allowed string is the empty string with a length of zero. This type is used by certain elements to allow empty content when non-string data is accepted. See the EntityIntType in the OVAL Definition Schema for an example of its use.
+
+## -- NonEmptyStringType --
+
+The NonEmptyStringType simple type is a restriction of the built-in string simpleType. Empty strings are not allowed. This type is used by comment attributes where an empty value is not allowed.
+
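Review bot: the ID-pattern sections near the end of this hunk are fused onto single lines, for example `oval:[A-Za-z0-9_\-\.]+:def:[1-9][0-9]*## -- ObjectIDPattern --` (and the four lines like it for obj, ste, tst and var) and `[0-9]+\.[0-9]+(\.[0-9]+)?(:[0-9]+\.[0-9]+(\.[0-9]+)?)?______________`, so the ObjectIDPattern, StateIDPattern, TestIDPattern, VariableIDPattern and ItemIDPattern headings will not render as headings and each regex is swallowed into the preceding paragraph; put every pattern on its own line in a code span or fence (the unescaped `*` and `_` will otherwise be consumed as emphasis) with a blank line before the next `##`. ItemIDPattern says the format is an integer but, unlike every other *IDPattern here, shows no regex, so add it for consistency. The intra-document links (e.g. `oval-common-schema.md#SimpleDatatypeEnumeration`) target fragments named after the type, while the headings are written in the `## -- DatatypeEnumeration --` style whose renderer-generated anchor will not match that fragment; either add explicit anchors or point the links at the slugs that are actually produced. Smaller points: `** Union of **` with inner spaces will not render as bold and the ExistenceEnumeration heading follows it with no blank line; the two `** False **` cells in the ONE operator table are the only cells marked that way and read as stray markup; "effects evaluation" should be "affects" in both table introductions; the warning level reads "something that might not correct" (missing "be"); the ONE operator reads "If there are more than argument is true" and should say "If more than one argument is true"; and the pattern-match row still points readers to the oval.mitre.org regex support page although the project URL given elsewhere in this change is oval.cisecurity.org.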
diff --git a/guidelines/oval-schema-documentation/oval-definitions-schema.md b/guidelines/oval-schema-documentation/oval-definitions-schema.md
new file mode 100644
index 0000000..8470123
--- /dev/null
+++ b/guidelines/oval-schema-documentation/oval-definitions-schema.md
@@ -0,0 +1,1336 @@
+# Open Vulnerability and Assessment Language: Element Dictionary
+
+* Schema: Core Definition
+* Version: 5.11.2
+* Release Date: 11/30/2016 09:00:00 AM
+
+The following is a description of the elements, types, and attributes that compose the core schema for encoding Open Vulnerability and Assessment Language (OVAL) Definitions. Some of the objects defined here are extended and enhanced by individual component schemas, which are described in separate documents. Each of the elements, types, and attributes that make up the Core Definition Schema are described in detail and should provide the information necessary to understand what each represents. This document is intended for developers and assumes some familiarity with XML. A high level description of the interaction between these objects is not outlined here.
+
+The OVAL Schema is maintained by OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.cisecurity.org.
+
+______________
+
+## < oval_definitions >
+
+The oval_definitions element is the root of an OVAL Definition Document. Its purpose is to bind together the major sections of a document - generator, definitions, tests, objects, states, and variables - which are the children of the root element.
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| generator | [oval:GeneratorType](oval-common-schema.md#GeneratorType) (1..1) |
+||The required generator section provides information about when the definition file was compiled and under what version.
|
+| definitions | [oval-def:DefinitionsType](oval-definitions-schema.md#DefinitionsType) (0..1) |
+||The optional definitions section contains 1 or more definitions.
|
+| tests | [oval-def:TestsType](oval-definitions-schema.md#TestsType) (0..1) |
+||The optional tests section contains 1 or more tests.
|
+| objects | [oval-def:ObjectsType](oval-definitions-schema.md#ObjectsType) (0..1) |
+||The optional objects section contains 1 or more objects.
|
+| states | [oval-def:StatesType](oval-definitions-schema.md#StatesType) (0..1) |
+||The optional states section contains 1 or more states.
|
+| variables | [oval-def:VariablesType](oval-definitions-schema.md#VariablesType) (0..1) |
+||The optional variables section contains 1 or more variables.
|
+| [ds:Signature](http://www.w3.org/TR/xmldsig-core/#sec-Signature) | n/a (0..1) |
+||The optional Signature element allows an XML Signature as defined by the W3C to be attached to the document. This allows authentication and data integrity to be provided to the user. Enveloped signatures are supported. More information about the official W3C Recommendation regarding XML digital signatures can be found at http://www.w3.org/TR/xmldsig-core/.
|
+
+## < ~~notes~~ >
+
+> :small_red_triangle: **Deprecated As Of Version 5.11.1** :small_red_triangle:
**Reason:** Replaced by the oval:notes element.
**Comment:** This object has been deprecated and may be removed in a future version of the language.
+
+The notes element is a container for one or more note child elements. It exists for backwards-compatibility purposes, for the pre-5.11.0 oval-def:NotesType, which has been replaced by the oval:notes element in 5.11.1.
+
+**Extends:** [oval:NotesType](oval-common-schema.md#NotesType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| note | xsd:string (0..unbounded) |
+|||
+
+______________
+
+## == DefinitionsType ==
+
+The DefinitionsType complex type is a container for one or more definition elements. Each definition element describes a single OVAL Definition. Please refer to the description of the DefinitionType for more information about an individual definition.
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| [oval-def:definition](oval-definitions-schema.md#definition) | n/a (1..unbounded) |
+|||
+
+## < definition >
+
+The definition element represents the globally defined element of type DefinitionType. For more information please see the documentation on the DefinitionType.
+
+[oval-def:DefinitionType](oval-definitions-schema.md#DefinitionType)
+
+## == DefinitionType ==
+
+The DefinitionType defines a single OVAL Definition. A definition is the key structure in OVAL. It is analogous to the logical sentence or proposition: if a computer's state matches the configuration parameters laid out in the criteria, then that computer exhibits the state described. The DefinitionType contains a section for various metadata related elements that describe the definition. This includes a description, version, affected system types, and reference information. The notes section of a definition should be used to hold information that might be helpful to someone examining the technical aspects of the definition. For example, why certain tests have been included in the criteria, or maybe a link to where further information can be found. The DefinitionType also (unless the definition is deprecated) contains a criteria child element that joins individual tests together with a logical operator to specify the specific computer state being described.
+
+The required id attribute is the OVAL-ID of the Definition. The form of an OVAL-ID must follow the specific format described by the oval:DefinitionIDPattern. The required version attribute holds the current version of the definition. Versions are integers, starting at 1 and incrementing every time a definition is modified. The required class attribute indicates the specific class to which the definition belongs. The class gives a hint to a user so they can know what the definition writer is trying to say. See the definition of oval-def:ClassEnumeration for more information about the different valid classes. The optional deprecated attribute signifies that an id is no longer to be used or referenced but the information has been kept around for historic purposes.
+
+When the deprecated attribute is set to true, the definition is considered to be deprecated. The criteria child element of a deprecated definition is optional. If a deprecated definition does not contain a criteria child element, the definition must evaluate to "not evaluated". If a deprecated definition contains a criteria child element, an interpreter should evaluate the definition as if it were not deprecated, but an interpreter may evaluate the definition to "not evaluated".
+
+#### Attributes:
+
+* **id** [oval:DefinitionIDPattern](oval-common-schema.md#DefinitionIDPattern) (required)
+* **version** xsd:nonNegativeInteger (required)
+* **class** [oval:ClassEnumeration](oval-common-schema.md#ClassEnumeration) (required)
+* **deprecated** xsd:boolean (optional -- default='false')
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| [ds:Signature](http://www.w3.org/TR/xmldsig-core/#sec-Signature) | n/a (0..1) |
+|||
+| metadata | [oval-def:MetadataType](oval-definitions-schema.md#MetadataType) (1..1) |
+|||
+| [oval:notes](oval-common-schema.md#notes) | n/a (0..1) |
+|||
+| criteria | [oval-def:CriteriaType](oval-definitions-schema.md#CriteriaType) (0..1) |
+|||
+
+## == MetadataType ==
+
+The MetadataType complex type contains all the metadata available to an OVAL Definition. This metadata is for informational purposes only and is not part of the criteria used to evaluate machine state. The required title child element holds a short string that is used to quickly identify the definition to a human user. The affected metadata item contains information about the system(s) for which the definition has been written. Remember that this is just metadata and not part of the criteria. Please refer to the AffectedType description for more information. The required description element contains a textual description of the configuration state being addressed by the OVAL Definition. In the case of a definition from the vulnerability class, the reference is usually the Common Vulnerability and Exposures (CVE) Identifier, and this description field corresponds with the CVE description.
+
+Additional metadata is also allowed although it is not part of the official OVAL Schema. Individual organizations can place metadata items that they feel are important and these will be skipped during the validation. All OVAL really cares about is that the stated metadata items are there.
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| title | xsd:string (1..1) |
+|||
+| affected | [oval-def:AffectedType](oval-definitions-schema.md#AffectedType) (0..unbounded) |
+|||
+| reference | [oval-def:ReferenceType](oval-definitions-schema.md#ReferenceType) (0..unbounded) |
+|||
+| description | xsd:string (1..1) |
+|||
+| xsd:any | n/a (0..unbounded) |
+|||
+
+## == AffectedType ==
+
+Each OVAL Definition is written to evaluate a certain type of system(s). The family, platform(s), and product(s) of this target are described by the AffectedType whose main purpose is to provide hints for tools using OVAL Definitions. For instance, to help a reporting tool only use Windows definitions, or to preselect only Red Hat definitions to be evaluated. Note, the inclusion of a particular platform or product does not mean the definition is physically checking for the existence of the platform or product. For the actual test to be performed, the correct test must still be included in the definition's criteria section.
+
+The AffectedType complex type details the specific system, application, subsystem, library, etc. for which a definition has been written. If a definition is not tied to a specific product, then this element should not be included. The absence of the platform or product element can be thought of as definition applying to all platforms or products. The inclusion of a particular platform or product does not mean the definition is physically checking for the existence of the platform or product. For the actual test to be performed, the correct test must still be included in the definition's criteria section. To increase the utility of this element, care should be taken when assigning and using strings for product names. The schema places no restrictions on the values that can be assigned, potentially leading to many different representations of the same value. For example, 'Internet Explorer' and 'IE' might be used to refer to the same product. The current convention is to fully spell out all terms, and avoid the use of abbreviations at all costs.
+
+Please note that the AffectedType will change in future versions of OVAL in order to support the Common Platform Enumeration (CPE).
+
+#### Attributes:
+
+* **family** [oval:FamilyEnumeration](oval-common-schema.md#FamilyEnumeration) (required)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| platform | xsd:string (0..unbounded) |
+|||
+| product | xsd:string (0..unbounded) |
+|||
+
+## == ReferenceType ==
+
+The ReferenceType complex type links the OVAL Definition to a definitive external reference. For example, CVE Identifiers are used for referencing vulnerabilities. The intended purpose for this reference is to link the definition to a variety of other sources that address the same issue being specified by the OVAL Definition.
+
+The required source attribute specifies where the reference is coming from. In other words, it identifies the reference repository being used. The required ref_id attribute is the external id of the reference. The optional ref_url attribute is the URL to the reference.
+
+#### Attributes:
+
+* **source** xsd:string (required)
+* **ref_id** xsd:string (required)
+* **ref_url** xsd:anyURI (optional)
+
+## == CriteriaType ==
+
+The CriteriaType complex type describes a container for a set of sub criteria, criteria, criterion, or extend_definition elements allowing complex logical trees to be constructed. Each referenced test is represented by a criterion element. Please refer to the description of the CriterionType for more information about and individual criterion element. The optional extend_definition element allows existing definitions to be included in the criteria. Refer to the description of the ExtendDefinitionType for more information.
+
+The required operator attribute provides the logical operator that binds the different statements inside a criteria together. The optional negate attribute signifies that the result of the criteria as a whole should be negated during analysis. For example, consider a criteria that evaluates to TRUE if certain software is installed. By negating this test, it now evaluates to TRUE if the software is NOT installed. The optional comment attribute provides a short description of the criteria.
+
+The optional applicability_check attribute provides a Boolean flag that when true indicates that the criteria is being used to determine whether the OVAL Definition applies to a given system.
+
+#### Attributes:
+
+* **applicability_check** xsd:boolean (optional)
+* **operator** [oval:OperatorEnumeration](oval-common-schema.md#OperatorEnumeration) (optional -- default='AND')
+* **negate** xsd:boolean (optional -- default='false')
+* **comment** [oval:NonEmptyStringType](oval-common-schema.md#NonEmptyStringType) (optional)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| criteria | [oval-def:CriteriaType](oval-definitions-schema.md#CriteriaType) (1..unbounded) |
+|||
+| criterion | [oval-def:CriterionType](oval-definitions-schema.md#CriterionType) (1..unbounded) |
+|||
+| extend_definition | [oval-def:ExtendDefinitionType](oval-definitions-schema.md#ExtendDefinitionType) (1..unbounded) |
+|||
+
+## == CriterionType ==
+
+The CriterionType complex type identifies a specific test to be included in the definition's criteria.
+
+The required test_ref attribute is the actual id of the test being referenced. The optional negate attribute signifies that the result of an individual test should be negated during analysis. For example, consider a test that evaluates to TRUE if a specific patch is installed. By negating this test, it now evaluates to TRUE if the patch is NOT installed. The optional comment attribute provides a short description of the specified test and should mirror the comment attribute of the actual test.
+
+The optional applicability_check attribute provides a Boolean flag that when true indicates that the criterion is being used to determine whether the OVAL Definition applies to a given system.
+
+#### Attributes:
+
+* **applicability_check** xsd:boolean (optional)
+* **test_ref** [oval:TestIDPattern](oval-common-schema.md#TestIDPattern) (required)
+* **negate** xsd:boolean (optional -- default='false')
+* **comment** [oval:NonEmptyStringType](oval-common-schema.md#NonEmptyStringType) (optional)
+
+## == ExtendDefinitionType ==
+
+The ExtendDefinitionType complex type allows existing definitions to be extended by another definition. This works by evaluating the extended definition and then using the result within the logical context of the extending definition.
+
+The required definition_ref attribute is the actual id of the definition being extended. The optional negate attribute signifies that the result of an extended definition should be negated during analysis. For example, consider a definition that evaluates TRUE if certainsoftware is installed. By negating the definition, it now evaluates to TRUE if the software is NOT installed. The optional comment attribute provides a short description of the specified definition and should mirror the title metadata of the extended definition.
+
+The optional applicability_check attribute provides a Boolean flag that when true indicates that the extend_definition is being used to determine whether the OVAL Definition applies to a given system.
+
+#### Attributes:
+
+* **applicability_check** xsd:boolean (optional)
+* **definition_ref** [oval:DefinitionIDPattern](oval-common-schema.md#DefinitionIDPattern) (required)
+* **negate** xsd:boolean (optional -- default='false')
+* **comment** [oval:NonEmptyStringType](oval-common-schema.md#NonEmptyStringType) (optional)
+
+______________
+
+## == TestsType ==
+
+The TestsType complex type is a container for one or more test child elements. Each test element describes a single OVAL Test. Please refer to the description of the TestType for more information about an individual test.
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| [oval-def:test](oval-definitions-schema.md#test) | n/a (1..unbounded) |
+|||
+
+## < test >
+
+The test element is an abstract element that is meant to be extended (via substitution groups) by the individual tests found in the component schemas. An OVAL Test is used to compare an object(s) against a defined state. An actual test element is not valid. The use of this abstract class simplifies the OVAL schema by allowing individual tests to inherit the optional notes child element, and the id and comment attributes from the base TestType. Please refer to the description of the TestType complex type for more information.
+
+[oval-def:TestType](oval-definitions-schema.md#TestType)
+
+## == TestType ==
+
+The base type of every test includes an optional notes element and several attributes. The notes section of a test should be used to hold information that might be helpful to someone examining the technical aspects of the test. For example, why certain values have been used by the test, or maybe a link to where further information can be found. Please refer to the description of the NotesType complex type for more information about the notes element. The required comment attribute provides a short description of the test. The optional deprecated attribute signifies that an id is no longer to be used or referenced but the information has been kept around for historic purposes.
+
+The required id attribute uniquely identifies each test, and must conform to the format specified by the TestIdPattern simple type. The required version attribute holds the current version of the test. Versions are integers, starting at 1 and incrementing every time a test is modified.
+
+The optional check_existence attribute specifies how many items in the set defined by the OVAL Object must exist for the test to evaluate to true. The default value for this attribute is 'at_least_one_exists' indicating that by default the test may evaluate to true if at least one item defined by the OVAL Object exists on the system. For example, if a value of 'all_exist' is given, every item defined by the OVAL Object must exist on the system for the test to evaluate to true. If the OVAL Object uses a variable reference, then every value of that variable must exist. Note that a pattern match defines a unique set of matching items found on a system. So when check_existence = 'all_exist' and a regex matches anything on a system the test will evaluate to true (since all matching objects on the system were found on the system). When check_existence = 'all_exist' and a regex does not match anything on a system the test will evaluate to false.
+
+The required check attribute specifies how many items in the set defined by the OVAL Object (ignoring items with a status of Does Not Exist) must satisfy the state requirements. For example, should the test check that all matching files have a specified version or that at least one file has the specified version? The valid check values are explained in the description of the CheckEnumeration simple type. Note that if the test does not contain any references to OVAL States, then the check attribute has no meaning and can be ignored during evaluation.
+
+An OVAL Test evaluates to true if both the check_existence and check attributes are satisfied during evaluation. The evaluation result for a test is determined by first evaluating the check_existence attribute. If the result of evaluating the check_existence attribute is true then the check attribute is evaluated. An interpreter may choose to always evaluate both the check_existence and the check attributes, but once the check_existence attribute evaluation has resulted in false the overall test result after evaluating the check attribute will not be affected.
+
+The optional state_operator attribute provides the logical operator that combines the evaluation results from each referenced state on a per item basis. Each matching item is compared to each referenced state. The result of comparing each state to a single item is combined based on the specified state_operator value to determine one result for each item. Finally, the results for each item are combined based on the specified check value. Note that if the test does not contain any references to OVAL States, then the state_operator attribute has no meaning and can be ignored during evaluation. Referencing multiple states in one test allows ranges of possible values to be expressed. For example, one state can check that a value greater than 8 is found and another state can check that a value of less than 16 is found. In this example the referenced states are combined with a state_operator = 'AND' indicating that the conditions of all referenced states must be satisfied and that the value must be between 8 AND 16. The valid state_operation values are explained in the description of the OperatorEnumeration simple type.
+
+#### Attributes:
+
+* **id** [oval:TestIDPattern](oval-common-schema.md#TestIDPattern) (required)
+* **version** xsd:nonNegativeInteger (required)
+* **check_existence** [oval:ExistenceEnumeration](oval-common-schema.md#ExistenceEnumeration) (optional -- default='at_least_one_exists')
+* **check** [oval:CheckEnumeration](oval-common-schema.md#CheckEnumeration) (required)
+* **state_operator** [oval:OperatorEnumeration](oval-common-schema.md#OperatorEnumeration) (optional -- default='AND')
+* **comment** [oval:NonEmptyStringType](oval-common-schema.md#NonEmptyStringType) (required)
+* **deprecated** xsd:boolean (optional -- default='false')
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| [ds:Signature](http://www.w3.org/TR/xmldsig-core/#sec-Signature) | n/a (0..1) |
+|||
+| [oval:notes](oval-common-schema.md#notes) | n/a (0..1) |
+|||
+
+## == ObjectRefType ==
+
+The ObjectRefType complex type defines an object reference to be used by OVAL Tests that are defined in the component schemas. The required object_ref attribute specifies the id of the OVAL Object being referenced.
+
+#### Attributes:
+
+* **object_ref** [oval:ObjectIDPattern](oval-common-schema.md#ObjectIDPattern) (required)
+
+## == StateRefType ==
+
+The StateRefType complex type defines a state reference to be used by OVAL Tests that are defined in the component schemas. The required state_ref attribute specifies the id of the OVAL State being referenced.
+
+#### Attributes:
+
+* **state_ref** [oval:StateIDPattern](oval-common-schema.md#StateIDPattern) (required)
+
+______________
+
+## == ObjectsType ==
+
+The ObjectsType complex type is a container for one or more object child elements. Each object element provides details that define a unique set of matching items to be used by an OVAL Test. Please refer to the description of the object element for more information about an individual object.
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| [oval-def:object](oval-definitions-schema.md#object) | n/a (1..unbounded) |
+|||
+
+## < object >
+
+The object element is an abstract element that is meant to be extended (via substitution groups) by the objects found in the component schemas. An actual object element is not valid. The use of this abstract element simplifies the OVAL schema by allowing individual objects to inherit any common elements and attributes from the base ObjectType. Please refer to the description of the ObjectType complex type for more information.
+
+An object is used to identify a set of items to collect. The author of a schema object must define sufficient object entities to allow a user to identify a unique item to be collected.
+
+A simple object typically results in a single file, process, etc being identified. But through the use of pattern matches, sets, and variables, multiple matching items can be identified. The set of items matching the object can then be used by an OVAL test and compared against an OVAL state.
+
+[oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+## == ObjectType ==
+
+The base type of every object includes an optional notes element. The notes element of an object should be used to hold information that might be helpful to someone examining the technical aspects of the object. For example, why certain values have been used, or maybe a link to where further information can be found. Please refer to the description of the NotesType complex type for more information about the notes element.
+
+The required id attribute uniquely identifies each object, and must conform to the format specified by the ObjectIdPattern simple type. The required version attribute holds the current version of the object element. Versions are integers, starting at 1 and incrementing every time an object is modified. The optional comment attribute provides a short description of the object. The optional deprecated attribute signifies that an id is no longer to be used or referenced but the information has been kept around for historic purposes.
+
+#### Attributes:
+
+* **id** [oval:ObjectIDPattern](oval-common-schema.md#ObjectIDPattern) (required)
+* **version** xsd:nonNegativeInteger (required)
+* **comment** [oval:NonEmptyStringType](oval-common-schema.md#NonEmptyStringType) (optional)
+* **deprecated** xsd:boolean (optional -- default='false')
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| [ds:Signature](http://www.w3.org/TR/xmldsig-core/#sec-Signature) | n/a (0..1) |
+|||
+| [oval:notes](oval-common-schema.md#notes) | n/a (0..1) |
+|||
+
+## < set >
+
+The set element enables complex objects to be described. It is a recursive element in that each set element can contain additional set elements as children. Each set element defines characteristics that produce a matching unique set of items. This set of items is defined by one or two references to OVAL Objects that provide the criteria needed to collect a set of system items. These items can have one or more filters applied to allow a subset of those items to be specifically included or excluded from the overall set of items.
+
+The set element's object_reference refers to an existing OVAL Object. The set element's filter element provides a reference to an existing OVAL State and includes an optional action attribute. The filter's action attribute allows the author to specify whether matching items should be included or excluded from the overall set. The default filter action is to exclude all matching items. In other words, the filter can be thought of filtering items out by default.
+
+Each filter is applied to the items identified by each OVAL Object before the set_operator is applied. For example, if an object_reference points to an OVAL Object that identifies every file in a certain directory, a filter might be set up to limit the object set to only those files with a size less than 10 KB. If multiple filters are provided, then each filter is applied to the set of items identified by the OVAL Object. Care must be taken to ensure that conflicting filters are not applied. It is possible to exclude all items with a size of 10 KB and then include only items with a size of 10 KB. This example would result in the empty set.
+
+The required set_operator attribute defines how different child sets are combined to form the overall unique set of objects. For example, does one take the union of different sets or the intersection? For a description of the valid values please refer to the SetOperatorEnumeration simple type.
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object_reference | [oval:ObjectIDPattern](oval-common-schema.md#ObjectIDPattern) (1..2) |
+|||
+| [oval-def:filter](oval-definitions-schema.md#filter) | n/a (0..unbounded) |
+|||
+
+## < filter >
+
+The filter element provides a reference to an existing OVAL State and includes an optional action attribute. The action attribute is used to specify whether items that match the referenced OVAL State will be included in the resulting set or excluded from the resulting set.
+
+______________
+
+## == StatesType ==
+
+The StatesType complex type is a container for one or more state child elements. Each state provides details about specific characteristics that can be used during an evaluation of an object. Please refer to the description of the state element for more information about an individual state.
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| [oval-def:state](oval-definitions-schema.md#state) | n/a (1..unbounded) |
+|||
+
+## < state >
+
+The state element is an abstract element that is meant to be extended (via substitution groups) by the states found in the component schemas. An actual state element is not valid. The use of this abstract class simplifies the OVAL schema by allowing individual states to inherit the optional notes child element, and the id and operator attributes from the base StateType. Please refer to the description of the StateType complex type for more information.
+
+An OVAL State is a collection of one or more characteristics pertaining to a specific object type. The OVAL State is used by an OVAL Test to determine if a unique set of items identified on a system meet certain characteristics.
+
+[oval-def:StateType](oval-definitions-schema.md#StateType)
+
+## == StateType ==
+
+The base type of every state includes an optional notes element and two attributes. The notes section of a state should be used to hold information that might be helpful to someone examining the technical aspects of the state. For example, why certain values have been used by the state, or maybe a link to where further information can be found. Please refer to the description of the NotesType complex type for more information about the notes element.
+
+The required id attribute uniquely identifies each state, and must conform to the format specified by the StateIdPattern simple type. The required version attribute holds the current version of the state. Versions are integers, starting at 1 and incrementing every time a state is modified. The required operator attribute provides the logical operator that binds the different characteristics inside a state together. The optional comment attribute provides a short description of the state. The optional deprecated attribute signifies that an id is no longer to be used or referenced but the information has been kept around for historic purposes.
+
+When evaluating a particular state against an object, one should evaluate each individual entity separately. The individual results are then combined by the operator to produce an overall result. This process holds true even when there are multiple instances of the same entity. Evaluate each instance separately, taking the entity check attribute into account, and then combine everything using the operator.
+
+#### Attributes:
+
+* **id** [oval:StateIDPattern](oval-common-schema.md#StateIDPattern) (required)
+* **version** xsd:nonNegativeInteger (required)
+* **operator** [oval:OperatorEnumeration](oval-common-schema.md#OperatorEnumeration) (optional -- default='AND')
+* **comment** [oval:NonEmptyStringType](oval-common-schema.md#NonEmptyStringType) (optional)
+* **deprecated** xsd:boolean (optional -- default='false')
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| [ds:Signature](http://www.w3.org/TR/xmldsig-core/#sec-Signature) | n/a (0..1) |
+|||
+| [oval:notes](oval-common-schema.md#notes) | n/a (0..1) |
+|||
+
+______________
+
+## == VariablesType ==
+
+The VariablesType complex type is a container for one or more variable child elements. Each variable element is a way to define one or more values to be obtained at the time a definition is evaluated.
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| [oval-def:variable](oval-definitions-schema.md#variable) | n/a (1..unbounded) |
+|||
+
+## < variable >
+
+The variable element is an abstract element that is meant to be extended (via substitution groups) by the different types of variables. An actual variable element is not valid. The different variable types describe different sources for obtaining a value(s) for the variable. There are currently three types of variables; local, external, and constant. Please refer to the description of each one for more specific information. The value(s) of a variable is treated as if it were inserted where referenced. One of the main benefits of variables is that they allow tests to evaluate user-defined policy. For example, an OVAL Test might check to see if a password is at least a certain number of characters long, but this number depends upon the individual policy of the user. To solve this, the test for password length can be written to refer to a variable element that defines the length.
+
+If a variable defines a collection of values, any entity that references the variable will evaluate to true depending on the value of the var_check attribute. For example, if an entity 'size' with an operation of 'less than' references a variable that returns five different integers, and the var_check attribute has a value of 'all', then the 'size' entity returns true only if the actual size is less than each of the five integers defined by the variable. If a variable does not return any value, then an error should be reported during OVAL analysis.
+
+[oval-def:VariableType](oval-definitions-schema.md#VariableType)
+
+## == VariableType ==
+
+The VariableType complex type defines attributes associated with each OVAL Variable. The required id attribute uniquely identifies each variable, and must conform to the format specified by the VariableIDPattern simple type. The required version attribute holds the current version of the variable. Versions are integers, starting at 1 and incrementing every time a variable is modified. The required comment attribute provides a short description of the variable. The optional deprecated attribute signifies that an id is no longer to be used or referenced but the information has been kept around for historic purposes.
+
+The required datatype attribute specifies the type of value being defined. The set of values identified by a variable must comply with the specified datatype, otherwise an error should be reported. Please see the DatatypeEnumeration for details about each valid datatype. For example, if the datatype of the variable is specified as boolean then the value(s) returned by the component / function should be "true", "false", "1", or "0".
+
+Note that the 'record' datatype is not permitted on variables. The notes section of a variable should be used to hold information that might be helpful to someone examining the technical aspects of the variable. Please refer to the description of the NotesType complex type for more information about the notes element.
+
+#### Attributes:
+
+* **id** [oval:VariableIDPattern](oval-common-schema.md#VariableIDPattern) (required)
+* **version** xsd:nonNegativeInteger (required)
+* **datatype** [oval:SimpleDatatypeEnumeration](oval-common-schema.md#SimpleDatatypeEnumeration) (required)
+Note that the 'record' datatype is not permitted on variables.
+* **comment** [oval:NonEmptyStringType](oval-common-schema.md#NonEmptyStringType) (required)
+* **deprecated** xsd:boolean (optional -- default='false')
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| [ds:Signature](http://www.w3.org/TR/xmldsig-core/#sec-Signature) | n/a (0..1) |
+|||
+| [oval:notes](oval-common-schema.md#notes) | n/a (0..1) |
+|||
+
+## < external_variable >
+
+The external_variable element extends the VariableType and defines a variable with some external source. The actual value(s) for the variable is not provided within the OVAL file, but rather it is retrieved during the evaluation of the OVAL Definition from an external source. An unbounded set of possible-value and possible_restriction child elements can be specified that together specify the list of all possible values that an external source is allowed to supply for the external variable. In other words, the value assigned by an external source must match one of the possible_value or possible_restriction elements specified. Each possible_value element contains a single value that could be assigned to the given external_variable while each possible_restriction element outlines a range of possible values. Note that it is not necessary to declare a variable's possible values, but the option is available if desired. If no possible child elements are specified, then the valid values are only bound to the specified datatype of the external variable. Please refer to the description of the PossibleValueType and PossibleRestrictionType complex types for more information.
+
+**Extends:** [oval-def:VariableType](oval-definitions-schema.md#VariableType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| possible_value | [oval-def:PossibleValueType](oval-definitions-schema.md#PossibleValueType) (0..unbounded) |
+|||
+| possible_restriction | [oval-def:PossibleRestrictionType](oval-definitions-schema.md#PossibleRestrictionType) (0..unbounded) |
+|||
+
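Review bot: the external_variable paragraph says the value supplied by the external source "must match one of the possible_value or possible_restriction elements specified" but never says what an evaluator does when it does not. Since this list is the only validation applied to an externally injected value, state the outcome (reject the value and report an error for the variable, or whatever the results schema prescribes) or point to the section that defines it. Also "possible-value" (hyphen) should be "possible_value" to match the element name used everywhere else in the paragraph and in the table.
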
+## == PossibleValueType ==
+
+The PossibleValueType complex type is used to outline a single expected value of an external variable. The required hint attribute gives a short description of what the value means or represents.
+
+#### Attributes:
+
+* **hint** xsd:string (required)
+
+**Simple Content:** xsd:anySimpleType
+
+## == PossibleRestrictionType ==
+
+The PossibleRestrictionType complex type outlines a range of possible expected value of an external variable. Each possible_restriction element contains an unbounded list of child restriction elements that each specify a range that an actual value may fall in. For example, a restriction element may specify that a value must be less than 10. When multiple restriction elements are present, a valid possible value's evaluation is based on the operator attribute. The operator attribute is set to AND by default. Other valid operation values are explained in the description of the OperatorEnumeration simple type. One can think of the possible_value and possible_restriction elements as an OR'd list of possible values, with the restriction elements as using the selected operation to evaluate its own list of value descriptions. Please refer to the description of the RestrictionType complex type for more information. The required hint attribute gives a short description of what the value means or represents.
+
+#### Attributes:
+
+* **operator** [oval:OperatorEnumeration](oval-common-schema.md#OperatorEnumeration) (optional -- default='AND')
+* **hint** xsd:string (required)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| restriction | [oval-def:RestrictionType](oval-definitions-schema.md#RestrictionType) (1..unbounded) |
+|||
+
+## == RestrictionType ==
+
+The RestrictionType complex type outlines a restriction that is placed on expected values for an external variable. For example, a possible value may be restricted to a integer less than 10. Please refer to the operationEnumeration simple type for a description of the valid operations.
+
+#### Attributes:
+
+* **operation** [oval:OperationEnumeration](oval-common-schema.md#OperationEnumeration) (required)
+
+**Simple Content:** xsd:anySimpleType
+
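Review bot: in the RestrictionType description, "operationEnumeration" should be "OperationEnumeration" (it is the type linked in the attribute list two lines below) and "a integer" should be "an integer"; in the PossibleRestrictionType description, "a range of possible expected value" should be "values".
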
+## < constant_variable >
+
+The constant_variable element extends the VariableType and defines a variable with a constant value(s). Each constant_variable defines either a single value or a collection of values to be used throughout the evaluation of the OVAL Definition File in which it has been defined. Constant variables cannot be over-ridden by an external source. The actual value of a constant variable is defined by the required value child element. A collection of values can be specified by including multiple instances of the value element. Please refer to the description of the ValueType complex type for more information.
+
+**Extends:** [oval-def:VariableType](oval-definitions-schema.md#VariableType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| value | [oval-def:ValueType](oval-definitions-schema.md#ValueType) (1..unbounded) |
+|||
+
+## == ValueType ==
+
+The ValueType complex type holds the actual value of the variable when dealing with a constant variable. This value should be used by all tests that reference this variable. The value cannot be over-ridden by an external source.
+
+**Simple Content:** xsd:anySimpleType
+
+## < local_variable >
+
+The local_variable element extends the VariableType and defines a variable with some local source. The actual value(s) for the variable is not provided in the OVAL Definition document but rather it is retrieved during the evaluation of the OVAL Definition. Each local variable is defined by either a single component or a complex function, meaning that a value can be as simple as a literal string or as complex as multiple registry keys concatenated together. Note that if an individual component is used and it returns a collection of values, then there will be multiple values associated with the local_variable. For example, if an object_component is used and it references a file object that identifies a set of 5 files, then the local variable would evaluate to a collection of those 5 values. Please refer to the description of the ComponentGroup for more information.
+
+**Extends:** [oval-def:VariableType](oval-definitions-schema.md#VariableType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| [oval-def:ComponentGroup](oval-definitions-schema.md#ComponentGroup) | n/a (1..1) |
+|||
+
+## -- ComponentGroup --
+
+Any value that is pulled directly off the local system is defined by the basic component element. For example, the name of a user or the value of a registry key. Please refer to the definition of the ObjectComponentType for more information. A value can also be obtained from another variable. The variable element identifies a variable id to pull a value(s) from. Please refer to the definition of the VariableComponentType for more information. Literal values can also be specified.
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object_component | [oval-def:ObjectComponentType](oval-definitions-schema.md#ObjectComponentType) (1..1) |
+|||
+| variable_component | [oval-def:VariableComponentType](oval-definitions-schema.md#VariableComponentType) (1..1) |
+|||
+| literal_component | [oval-def:LiteralComponentType](oval-definitions-schema.md#LiteralComponentType) (1..1) |
+|||
+| [oval-def:FunctionGroup](oval-definitions-schema.md#FunctionGroup) | n/a (1..1) |
+|||
+
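Review bot: the ComponentGroup paragraph calls the children "the basic component element" and "the variable element", but the table that follows names them object_component and variable_component; use the element names so a reader can match the prose to the schema. The same stale "basic component element" wording recurs in the concat, escape_regex and split descriptions further down and should be replaced there too.
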
+## == LiteralComponentType ==
+
+The LiteralComponentType complex type defines a literal value to be used as a component. The optional datatype attribute defines the type of data expected. The default datatype is 'string'.
+
+#### Attributes:
+
+* **datatype** [oval:SimpleDatatypeEnumeration](oval-common-schema.md#SimpleDatatypeEnumeration) (optional -- default='string')
+
+**Simple Content:** xsd:anySimpleType
+
+## == ObjectComponentType ==
+
+The ObjectComponentType complex type defines a specific value or set of values on the local system to obtain.
+
+The required object_ref attribute provides a reference to an existing OVAL Object declaration. The referenced OVAL Object specifies a set of OVAL Items to collect. Note that an OVAL Object might identify 0, 1, or many OVAL Items on a system. If no items are found on the system then an error should be reported when determining the value of an ObjectComponentType. If 1 or more OVAL Items are found then each OVAL Item will be considered and the ObjectComponentType may have one or more values.
+
+The required item_field attribute specifies the name of the entity whose value will be retrieved from each OVAL Item collected by the referenced OVAL Object. For example, if the object_ref references a win-def:file_object, the item_field may specify the 'version' entity as the field to use as the value of the ObjectComponentType. Note that an OVAL Item may have 0, 1, or many entities whose name matches the specified item_field value. If an entity is not found with a name that matches the value of the item_field an error should be reported when determining the value of an ObjectComponentType. If 1 or more matching entities are found in a single OVAL Item the value of the ObjectComponentType is the list of the values from each of the matching entities.
+
+The optional record_field attribute specifies the name of a field in a record entity in an OVAL Item. The record_field attribute allows the value of a specific field to be retrieved from an entity with a datatype of 'record'. If a field with a matching name attribute value is not found in the referenced OVAL Item entity an error should be reported when determining the value of the ObjectComponentType.
+
+#### Attributes:
+
+* **object_ref** [oval:ObjectIDPattern](oval-common-schema.md#ObjectIDPattern) (required)
+* **item_field** [oval:NonEmptyStringType](oval-common-schema.md#NonEmptyStringType) (required)
+* **record_field** [oval:NonEmptyStringType](oval-common-schema.md#NonEmptyStringType) (optional)
+
+## == VariableComponentType ==
+
+The VariableComponentType complex type defines a specific value obtained by looking at the value of another OVAL Variable. The required var_ref attribute provides a reference to the variable. One must make sure that the variable reference does not point to the parent variable that uses this component to avoid a race condition.
+
+#### Attributes:
+
+* **var_ref** [oval:VariableIDPattern](oval-common-schema.md#VariableIDPattern) (required)
+
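Review bot: "to avoid a race condition" in the VariableComponentType description names the wrong failure. A var_ref that points back at the variable being defined is a circular reference; a naive evaluator recurses without terminating, nothing races. Suggest: "One must make sure that the variable reference does not point, directly or through other variables, back to the variable that uses this component; such a cycle has no value and an evaluator should report an error rather than attempt to resolve it." Saying explicitly that indirect cycles (A references B, B references A) are equally prohibited closes the obvious gap in the current wording.
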
+## -- FunctionGroup --
+
+Complex functions have been defined that help determine how to manipulate specific values. These functions can be nested together to form complex statements. Each function is designed to work on a specific type of data. If the data being worked on is not of the correct type, a cast should be attempted before reporting an error. For example, if a concat function includes a registry component that returns an integer, then the integer should be cast as a string in order to work with the concat function. Note that if the operation being applied to the variable by the calling entity is "pattern match", then all the functions are performed before the regular expression is evaluated. In short, the variable would produce a value as normal and then any pattern match operation would be performed. It is also important to note that when using these functions with sub-components that return a collection of values that the operation will be performed on the Cartesian product of the components and the result is also a collection of values. For example, assume a local_variable specifies the arithmetic function with an arithmetic_operation of "add" and has two sub-components under this function: the first component returns "1" and "2", and the second component returns "3" and "4" and "5". The local_variable element would be evaluated to have a collection of six values: 1+3, 1+4, 1+5, 2+3, 2+4, and 2+5. Please refer to the description of a specific function for more details about it.
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| arithmetic | [oval-def:ArithmeticFunctionType](oval-definitions-schema.md#ArithmeticFunctionType) (1..1) |
+|||
+| begin | [oval-def:BeginFunctionType](oval-definitions-schema.md#BeginFunctionType) (1..1) |
+|||
+| concat | [oval-def:ConcatFunctionType](oval-definitions-schema.md#ConcatFunctionType) (1..1) |
+|||
+| end | [oval-def:EndFunctionType](oval-definitions-schema.md#EndFunctionType) (1..1) |
+|||
+| escape_regex | [oval-def:EscapeRegexFunctionType](oval-definitions-schema.md#EscapeRegexFunctionType) (1..1) |
+|||
+| split | [oval-def:SplitFunctionType](oval-definitions-schema.md#SplitFunctionType) (1..1) |
+|||
+| substring | [oval-def:SubstringFunctionType](oval-definitions-schema.md#SubstringFunctionType) (1..1) |
+|||
+| time_difference | [oval-def:TimeDifferenceFunctionType](oval-definitions-schema.md#TimeDifferenceFunctionType) (1..1) |
+|||
+| regex_capture | [oval-def:RegexCaptureFunctionType](oval-definitions-schema.md#RegexCaptureFunctionType) (1..1) |
+|||
+| unique | [oval-def:UniqueFunctionType](oval-definitions-schema.md#UniqueFunctionType) (1..1) |
+|||
+| count | [oval-def:CountFunctionType](oval-definitions-schema.md#CountFunctionType) (1..1) |
+|||
+| glob_to_regex | [oval-def:GlobToRegexFunctionType](oval-definitions-schema.md#GlobToRegexFunctionType) (1..1) |
+|||
+
+## == ArithmeticFunctionType ==
+
+The arithmetic function takes two or more integer or float components and performs a basic mathematical function on them. The result of this function is a single integer or float unless one of the components returns a collection of values. In this case the specified arithmetic function would be performed multiple times and the end result would also be a collection of values for the local variable. For example assume a local_variable specifies the arithmetic function with an arithmetic_operation of "add" and has two sub-components under this function: the first component returns "1" and "2", and the second component returns "3" and "4" and "5". The local_variable element would be evaluated to be a collection of six values: 1+3, 1+4, 1+5, 2+3, 2+4, and 2+5.
+
+Note that if both an integer and float components are used then the result is a float.
+
+#### Attributes:
+
+* **arithmetic_operation** [oval-def:ArithmeticEnumeration](oval-definitions-schema.md#ArithmeticEnumeration) (required)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| [oval-def:ComponentGroup](oval-definitions-schema.md#ComponentGroup) | n/a (1..1) |
+|||
+
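Review bot: the child-element tables for the functions disagree with their own prose. ArithmeticFunctionType "takes two or more integer or float components" yet its table lists ComponentGroup as (1..1); the same mismatch appears for concat ("two or more"), time_difference ("If one component is specified ... If two components are specified"), unique and count ("one or more"). The (1..1) looks like what the generator emits for every group reference regardless of its minOccurs/maxOccurs; fix the generator or hand-correct these rows to (2..unbounded), (1..2) and (1..unbounded) as the prose states.
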
+## == BeginFunctionType ==
+
+The begin function takes a single string component and defines a character (or string) that the component string should start with. The character attribute defines the specific character (or string). The character (or string) is only added to the component string if the component string does not already start with the specified character (or string). If the component string does not start with the specified character (or string) the entire character (or string) will be prepended to the component string..
+
+#### Attributes:
+
+* **character** xsd:string (required)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| [oval-def:ComponentGroup](oval-definitions-schema.md#ComponentGroup) | n/a (1..1) |
+|||
+
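Review bot: the BeginFunctionType paragraph ends with a doubled period ("prepended to the component string..") and its last two sentences say the same thing twice; keep one of them.
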
+## == ConcatFunctionType ==
+
+The concat function takes two or more components and concatenates them together to form a single string. The first component makes up the beginning of the resulting string and any following components are added to the end it. If one of the components returns multiple values then the concat function would be performed multiple times and the end result would be a collection of values for the local variable. For example assume a local variable has two sub-components: a basic component element returns the values "abc" and "def", and a literal component element that has a value of "xyz". The local_variable element would evaluate to a collection of two values, "abcxyz" and "defxyz". If one of the components does not exist, then the result of the concat operation should be does not exist.
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| [oval-def:ComponentGroup](oval-definitions-schema.md#ComponentGroup) | n/a (1..1) |
+|||
+
+Below is a chart that specifies how to classify the flag status of a variable using the concat function during evaluation when multiple components are supplied. Both the object and variable component are indirectly associated with collected objects in a system characteristics file. These objects could have been completely collected from the system, or there might have been some type of error that led to the object not being collected, or maybe only a part of the object set was collected. This flag status is important as OVAL Objects or OVAL States that are working with a variable (through the var_ref attribute on an entity) can use this information to report more accurate results. For example, an OVAL Test with a check attribute of 'at least one' that specifies an object with a variable reference, might be able to produce a valid result based on an incomplete object set as long as one of the objects in the set is true.
+```
+ || num of components with flag ||
+ || || resulting flag is
+ || E | C | I | DNE | NC | NA ||
+------||-----------------------------------||------------------
+ || 1+ | 0+ | 0+ | 0+ | 0+ | 0+ || Error
+ || 0 | 1+ | 0 | 0 | 0 | 0 || Complete
+ || 0 | 0+ | 1+ | 0 | 0 | 0 || Incomplete
+ || 0 | 0+ | 0+ | 1+ | 0 | 0 || Does Not Exist
+ || 0 | 0+ | 0+ | 0+ | 1+ | 0 || Not Collected
+ || 0 | 0+ | 0+ | 0+ | 0+ | 1+ || Not Applicable
+------||-----------------------------------||------------------
+```
+
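Review bot: in the ConcatFunctionType paragraph, "are added to the end it" is missing "of", and "the result of the concat operation should be does not exist" reads as garbled. Suggest "then the result of the concat function has the flag does not exist", which also ties the sentence to the Does Not Exist row of the flag chart that follows.
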
+## == EndFunctionType ==
+
+The end function takes a single string component and defines a character (or string) that the component string should end with. The character attribute defines the specific character (or string). The character (or string) is only added to the component string if the component string does not already end with the specified character (or string). If the desired end character is a string, then the entire end string must exist at the end if the component string. If the entire end string is not present then the entire end string is appended to the component string.
+
+#### Attributes:
+
+* **character** xsd:string (required)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| [oval-def:ComponentGroup](oval-definitions-schema.md#ComponentGroup) | n/a (1..1) |
+|||
+
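Review bot: "the entire end string must exist at the end if the component string" in the EndFunctionType paragraph should read "at the end of the component string".
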
+## == EscapeRegexFunctionType ==
+
+The escape_regex function takes a single string component and escapes all of the regular expression characters. If the string sub-component contains multiple values, then the escape_regex function will be applied to each individual value and return a multiple-valued result. For example, the string '(\.test_string*)?' will evaluate to '\(\\\.test_string\*\)\?'. The purpose for this is that many times, a component used in pattern match needs to be treated as a literal string and not a regular expression. For example, assume a basic component element that identifies a file path that is held in the Windows registry. This path is a string that might contain regular expression characters. These characters are likely not intended to be treated as regular expression characters and need to be escaped. This function allows a definition writer to mark convert the values of components to regular expression format.
+
+Note that when using regular expressions, OVAL supports a common subset of the regular expression character classes, operations, expressions and other lexical tokens defined within Perl 5's regular expression specification. The set of Perl metacharacters which must be escaped by this function is as follows, enclosed by single quotes: '^$\.[](){}*+?|'. For more information on the supported regular expression syntax in OVAL see: http://oval.mitre.org/language/about/re_support_5.6.html.
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| [oval-def:ComponentGroup](oval-definitions-schema.md#ComponentGroup) | n/a (1..1) |
+|||
+
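Review bot: "This function allows a definition writer to mark convert the values of components to regular expression format" in the escape_regex paragraph is garbled (an editing leftover of "mark" or "convert"); suggest "This function lets a definition writer escape a component's values so that a pattern match treats them literally." The reference http://oval.mitre.org/language/about/re_support_5.6.html is the 5.6-era page over plain http; check that it still resolves and, if a regular-expression support page exists for this schema version, link that instead (the same link is repeated in the regex_capture section).
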
+## == SplitFunctionType ==
+
+The split function takes a single string component and turns it into a collection of values based on a delimiter string. For example, assume that a basic component element returns the value "a-b-c-d" to the split function with the delimiter set to "-". The local_variable element would be evaluated to have four values "a", "b", "c", and "d". If the basic component returns a value that begins, or ends, with a delimiter, the local_variable element would contain empty string values at the beginning, or end, of the collection of values returned for that string component. For example, if the delimiter is "-", and the basic component element returns the value "-a-a-", the local_variable element would evaluate to a collection of four values "", "a", "a", and "". Likewise, if the basic component element returns a value that contains adjacent delimiters such as "---", the local_variable element would evaluate to a collection of four values "", "", "", and "". Lastly, if the basic component element used by the split function returnsa collection of values, then the split function is performed multiple times, and all of the results, from each of the split functions, are returned.
+
+#### Attributes:
+
+* **delimiter** xsd:string (required)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| [oval-def:ComponentGroup](oval-definitions-schema.md#ComponentGroup) | n/a (1..1) |
+|||
+
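Review bot: "returnsa collection of values" in the split description is missing a space.
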
+## == SubstringFunctionType ==
+
+The substring function takes a single string component and produces a single value that contains a portion of the original string. The substring_start attribute defines the starting position in the original string. To include the first character of the string, the start position would be 1. A value less than 1 also means that the start position would be 1. If the substring_start attribute has value greater than the length of the original string an error should be reported. The substring_length attribute defines how many characters after, and including, the starting character to include. A substring_length value greater than the actual length of the string, or a negative value, means to include all of the characters after the starting character. For example, assume a basic component element that returns the value "abcdefg" with a substring_start value of 3 and a substring_length value of 2. The local_variable element would evaluate to have a single value of "cd". If the string component used by the substring function returns a collection of values, then the substring operation is performed multiple times and results in a collection of values for the component.
+
+#### Attributes:
+
+* **substring_start** xsd:int (required)
+* **substring_length** xsd:int (required)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| [oval-def:ComponentGroup](oval-definitions-schema.md#ComponentGroup) | n/a (1..1) |
+|||
+
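Review bot: the SubstringFunctionType paragraph defines the behaviour for a negative substring_length and for one longer than the string, but not for substring_length of 0: is the result the empty string, or is 0 treated like "include all remaining characters"? The attribute is a required xsd:int, so implementations will hit this case; say which. Minor: "has value greater than" should be "has a value greater than".
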
+## == TimeDifferenceFunctionType ==
+
+The time_difference function calculates the difference in seconds between date-time values. If one component is specified, the values of that component are subtracted from the current time (UTC). The current time is the time at which the function is evaluated. If two components are specified, the value of the second component is subtracted from the value of the first component. If the component(s) contain a collection of values, the operation is performed multiple times on the Cartesian product of the component(s) and the result is also a collection of time difference values. For example, assume a local_variable specifies the time_difference function and has two sub-components under this function: the first component returns "04/02/2009" and "04/03/2009", and the second component returns "02/02/2005" and "02/03/2005" and "02/04/2005". The local_variable element would evaluate to a collection of six values: (ToSeconds("04/02/2009") - ToSeconds("02/02/2005")), (ToSeconds("04/02/2009") - ToSeconds("02/03/2005")), (ToSeconds("04/02/2009") - ToSeconds("02/04/2005")), (ToSeconds("04/03/2009") - ToSeconds("02/02/2005")), (ToSeconds("04/03/2009") - ToSeconds("02/03/2005")), and (ToSeconds("04/03/2009") - ToSeconds("02/04/2005")).
+
+The date-time format of each component is determined by the two format attributes. The format1 attribute applies to the first component, and the format2 attribute applies to the second component. Valid values for the attributes are 'win_filetime', 'seconds_since_epoch', 'day_month_year', 'year_month_day', and 'month_day_year'. Please see the DateTimeFormatEnumeration for more information about each of these values. If an input value is not understood, the result is an error. If only one input is specified, specify the format with the format2 attribute, as the first input is considered to be the implied 'current time' input.
+
+Note that the datatype associated with the components should be 'string' or 'int' depending on which date time format is specified. The result of this function though is always an integer.
+
+#### Attributes:
+
+* **format_1** [oval-def:DateTimeFormatEnumeration](oval-definitions-schema.md#DateTimeFormatEnumeration) (optional -- default='year_month_day')
+* **format_2** [oval-def:DateTimeFormatEnumeration](oval-definitions-schema.md#DateTimeFormatEnumeration) (optional -- default='year_month_day')
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| [oval-def:ComponentGroup](oval-definitions-schema.md#ComponentGroup) | n/a (1..1) |
+|||
+
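Review bot: the TimeDifferenceFunctionType prose names the attributes "format1" and "format2", but the attribute list spells them format_1 and format_2; use the real names in the prose. The single-component rule is also split across two paragraphs in a way that reads as contradictory at first glance (the first says the component values "are subtracted from the current time", the second says to put the format in format2 because the first input is the implied current time); combine them into one statement such as "with one component, the result is the current time minus the component value, and that component's format is given by format_2".
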
+## == RegexCaptureFunctionType ==
+
+The regex_capture function captures a single substring from a single string component. If the string sub-component contains multiple values, then the regex_capture function will extract a substring from each value. The 'pattern' attribute provides a regular expression that should contain a single subexpression (using parentheses). For example, the pattern ^abc(.*)xyz$ would capture a substring from each of the string component's values if the value starts with abc and ends with xyz. In this case the subexpression would be all the characters that exist in between the abc and the xyz. Note that subexpressions match the longest possible substrings.
+
+If the regular expression contains multiple capturing sub-patterns, only the first capture is used. If there are no capturing sub-patterns, the result for each target string must be the empty string. Otherwise, if the regular expression could match the target string in more than one place, only the first match (and its first capture) is used. If no matches are found in a target string, the result for that target must be the empty string.
+
+Note that a quantified capturing sub-pattern does not produce multiple substrings. Standard regular expression semantics are such that if a capturing sub-pattern is required to match multiple times in order for the overall regular expression to match, the capture produced is the last substring to have matched the sub-pattern.
+
+Note that when using regular expressions, OVAL supports a common subset of the regular expression character classes, operations, expressions and other lexical tokens defined within Perl 5's regular expression specification. If any of the Perl metacharacters are to be used literally, then they must be escaped. The set of metacharacters which must be escaped for this purpose is as follows, enclosed by single quotes: '^$\.[](){}*+?|'. For more information on the supported regular expression syntax in OVAL see: http://oval.mitre.org/language/about/re_support_5.6.html.
+
+#### Attributes:
+
+* **pattern** xsd:string
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| [oval-def:ComponentGroup](oval-definitions-schema.md#ComponentGroup) | n/a (1..1) |
+|||
+
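Review bot: "Note that subexpressions match the longest possible substrings" in the RegexCaptureFunctionType paragraph is not Perl 5 semantics and contradicts the following paragraph's appeal to "standard regular expression semantics": a Perl match is leftmost-first with greedy quantifiers, so `^abc(.*?)xyz$` captures the shortest run and an alternation takes the first alternative that succeeds, not the longest. Drop the sentence or restate it as "quantifiers are greedy unless written in their non-greedy form". Separately, the attribute line "* **pattern** xsd:string" is the only one in this section without a (required)/(optional) marker; if the schema really leaves use unset (so the attribute is optional), document what an absent pattern produces, otherwise add "(required)".
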
+## == UniqueFunctionType ==
+
+The unique function takes one or more components and removes any duplicate value from the set of components. All components used in the unique function will be treated as strings. For example, assume that three components exist, one that contains a string value of 'foo', and two of which both resolve to the string value 'bar'. Applying the unique function to these three components resolves to a local_variable with two string values, 'foo' and 'bar'. Additionally, if any of the components referenced by the unique function evaluate to a collection of values, then those values are used in the unique calculation. For example, assume that there are two components, one of which resolves to a single string value, 'foo', the other of which resolves to two string values, 'foo' and 'bar'. If the unique function is used to remove duplicates from these two components, the function will resolve to a local_variable that is a collection of two string values, 'foo' and 'bar'.
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| [oval-def:ComponentGroup](oval-definitions-schema.md#ComponentGroup) | n/a (1..1) |
+|||
+
+## == CountFunctionType ==
+
+The count function takes one or more components and returns the count of all of the values represented by the components. For example, assume that two variables exist, each with a single value. By applying the count function against two variable components that resolve to the two variables, the resulting local_variable would have a value of '2'. Additionally, if any of the components referenced by the count function evaluate to a collection of values, then those values are used in the count calculation. For example, assume that there are two components, one of which resolves to a single value, the other of which resolves to two values. If the count function is used to provide a count of these two components, the function will resolve to a local_variable with the values '3'.
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| [oval-def:ComponentGroup](oval-definitions-schema.md#ComponentGroup) | n/a (1..1) |
+|||
+
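Review bot: "the function will resolve to a local_variable with the values '3'" in the CountFunctionType paragraph should be "with the value '3'"; it is worth stating outright that count always yields a single value, since every other function in this group may return a collection.
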
+## == GlobToRegexFunctionType ==
+
+The glob_to_regex function takes a single string component representing shell glob pattern and produces a single value that corresponds to result of a conversion of the original glob pattern into Perl 5's regular expression pattern. The glob_noescape attribute defines the way how the backslash ('\') character should be interpreted. It defaults to 'false' meaning backslash should be interpreted as an escape character (backslash is allowed to be used as an escape character). If the glob_noescape attribute would be set to 'true' it instructs the glob_to_regex function to interpret the backslash ('\') character as a literal, rather than as an escape character (backslash is *not* allowed to be used as an escape character). Refer to table with examples below to see the difference how a different boolean value of the 'glob_noescape' attribute will impact the output form of the resulting Perl 5's regular expression produced by glob_to_regex function.
+
+Please note the glob_to_regex function will fail to perform the conversion and return an error when the provided string argument (to represent glob pattern) does not represent a syntactically correct glob pattern. For example given the 'a*b?[' as the argument to be converted, glob_to_regex would return an error since there's missing the corresponding closing bracket in the provided glob pattern argument.
+
+Also, it is necessary to mention that glob_to_regex respects the default behaviour of both the input glob pattern space and the output Perl 5 regular expression space. Namely this means that:
+
+- glob_to_regex respects the UNIX glob behaviour for forward slashes: a forward slash is treated as a path separator and neither * nor ? matches it,
+
+- glob_to_regex rules out matches that have a special meaning (for example '.' as a representation of the current working directory or '..' as a representation of the parent directory of the current working directory),
+
+- glob_to_regex rules out files or folders whose name starts with the '.' character (dotfiles) unless the respective part of the glob pattern itself starts with the '.' character,
+
+- glob_to_regex does not perform any case transformation (alphabetic characters are copied from the input glob pattern into the output Perl 5 regular expression intact). It remains the responsibility of the OVAL content author to write the input glob pattern in the case that makes the resulting Perl 5 regular expression match the expected pathname entries,
+
+- glob_to_regex does not perform brace expansion. Glob patterns such as '{pat,pat,pat}' are therefore carried into the Perl 5 regular expression in their original, unexpanded form (any subsequent expansion is left to the Perl 5 regular expression engine at the time the resulting regular expression is used),
+
+- glob_to_regex does not substitute the tilde ('~') character with the pathname of a user's home directory. The '~' character is passed to the Perl 5 regular expression engine intact. If home directory glob behaviour is expected, the pathname of the home directory needs to be spelled out in the input glob pattern,
+
+- glob_to_regex does not change the ordering of items (it performs no additional sorting of the set of pathnames represented by the provided glob pattern argument).
+
+#### Attributes:
+
+* **glob_noescape** xsd:boolean (optional -- default='false')
+When 'false', a backslash in the glob pattern escapes the character that follows it, so '\*' denotes a literal asterisk. When 'true', a backslash is an ordinary character and the following '*', '?' or '[' keeps its wildcard meaning (the same distinction as the GLOB_NOESCAPE flag of glob(3)).
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| [oval-def:ComponentGroup](oval-definitions-schema.md#ComponentGroup) | n/a (1..1) |
+|||
+
+Below are some examples that outline how the glob_noescape attribute value affects the output form of the produced Perl regular expression. The left column identifies the shell glob pattern supplied as the input string component to the glob_to_regex function. The middle column gives the value of the 'glob_noescape' attribute. The right column shows the output of glob_to_regex, the resulting Perl regular expression.
+```
+ || ||
+ input shell glob pattern || glob_noescape attribute value || corresponding Perl regular expression
+ || ||
+--------------------------||-------------------------------||--------------------------------------
+ '\*' || false || ^\*$
+ ||-------------------------------||--------------------------------------
+ '\*' || true || ^\\[^/]*$
+--------------------------||-------------------------------||--------------------------------------
+ '\?' || false || ^\?$
+ ||-------------------------------||--------------------------------------
+ '\?' || true || ^\\[^./]$
+--------------------------||-------------------------------||--------------------------------------
+ '\[hello\]' || false || ^\[hello\]$
+ ||-------------------------------||--------------------------------------
+ '\[hello\]' || true || ^\\[hello\\]$
+--------------------------||-------------------------------||--------------------------------------
+ '/root/*' || false || ^/root/(?=[^.])[^/]*$
+ ||-------------------------------||--------------------------------------
+ '/root/.*' || false || ^/root/\.[^/]*$
+ ||-------------------------------||--------------------------------------
+ '/root/x*' || false || ^/root/x[^/]*$
+ ||-------------------------------||--------------------------------------
+ '/root/?' || false || ^/root/[^./]$
+ ||-------------------------------||--------------------------------------
+ '/root/.?' || false || ^/root/\.[^/]$
+ ||-------------------------------||--------------------------------------
+ '/root/x?' || false || ^/root/x[^/]$
+--------------------------||-------------------------------||--------------------------------------
+ 'list.?' || false || ^list\.[^/]$
+ ||-------------------------------||--------------------------------------
+ 'list.?' || true || ^list\.[^/]$
+ ||-------------------------------||--------------------------------------
+ 'project.*' || false || ^project\.[^/]*$
+ ||-------------------------------||--------------------------------------
+ 'project.*' || true || ^project\.[^/]*$
+ ||-------------------------------||--------------------------------------
+ '*old' || false || ^(?=[^.])[^/]*old$
+ ||-------------------------------||--------------------------------------
+ '*old' || true || ^(?=[^.])[^/]*old$
+ ||-------------------------------||--------------------------------------
+ 'type*.[ch]' || false || ^type[^/]*\.[ch]$
+ ||-------------------------------||--------------------------------------
+ 'type*.[ch]' || true || ^type[^/]*\.[ch]$
+ ||-------------------------------||--------------------------------------
+ '*.*' || false || ^(?=[^.])[^/]*\.[^/]*$
+ ||-------------------------------||--------------------------------------
+ '*.*' || true || ^(?=[^.])[^/]*\.[^/]*$
+ ||-------------------------------||--------------------------------------
+ '*' || false || ^(?=[^.])[^/]*$
+ ||-------------------------------||--------------------------------------
+ '*' || true || ^(?=[^.])[^/]*$
+ ||-------------------------------||--------------------------------------
+ '?' || false || ^[^./]$
+ ||-------------------------------||--------------------------------------
+ '?' || true || ^[^./]$
+ ||-------------------------------||--------------------------------------
+ '\*' || false || ^\*$
+ ||-------------------------------||--------------------------------------
+ '\*' || true || ^\\[^/]*$
+ ||-------------------------------||--------------------------------------
+ '\?' || false || ^\?$
+ ||-------------------------------||--------------------------------------
+ '\?' || true || ^\\[^./]$
+ ||-------------------------------||--------------------------------------
+ 'x[[:digit:]]\*' || false || ^x[[:digit:]]\*$
+ ||-------------------------------||--------------------------------------
+ 'x[[:digit:]]\*' || true || ^x[[:digit:]]\\[^/]*$
+ ||-------------------------------||--------------------------------------
+ '' || false || ^$
+ ||-------------------------------||--------------------------------------
+ '' || true || ^$
+ ||-------------------------------||--------------------------------------
+ '~/files/*.txt' || false || ^~/files/(?=[^.])[^/]*\.txt$
+ ||-------------------------------||--------------------------------------
+ '~/files/*.txt' || true || ^~/files/(?=[^.])[^/]*\.txt$
+ ||-------------------------------||--------------------------------------
+ '\' || false || ^\\$
+ ||-------------------------------||--------------------------------------
+ '\' || true || ^\\$
+ ||-------------------------------||--------------------------------------
+ '[ab' || false || INVALID
+ ||-------------------------------||--------------------------------------
+ '[ab' || true || INVALID
+ ||-------------------------------||--------------------------------------
+ '.*.conf' || false || ^\.[^/]*\.conf$
+ ||-------------------------------||--------------------------------------
+ '.*.conf' || true || ^\.[^/]*\.conf$
+ ||-------------------------------||--------------------------------------
+ 'docs/?b' || false || ^docs/[^./]b$
+ ||-------------------------------||--------------------------------------
+ 'docs/?b' || true || ^docs/[^./]b$
+ ||-------------------------------||--------------------------------------
+ 'xy/??z' || false || ^xy/[^./][^/]z$
+ ||-------------------------------||--------------------------------------
+ 'xy/??z' || true || ^xy/[^./][^/]z$
+---------------------------------------------------------------------------------------------------
+```
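The conversion rules above, as an added worked example in Python (this is not the OVAL project's code nor that of any OVAL interpreter). `glob_to_regex()` reproduces the rows of the table: `*` and `?` never cross a `/` and exclude a leading `.` at the start of a path component, bracket expressions are copied through (including POSIX classes such as `[[:digit:]]`), `.` is escaped, `~`, `{`, `}` and `,` pass through intact, the two meanings of a backslash are selected by `glob_noescape`, and an unterminated bracket expression raises an error. Three points are assumptions of this example rather than rules stated on the page: the other Perl metacharacters that can occur in a pathname (`^`, `$`, `+`, `(`, `)`, `|`) are escaped too, a leading `!` in a bracket expression is rewritten to the regex negation `^`, and a `?` that follows a literal backslash gets the same in-segment treatment the table gives `*` (so `'\?'` with glob_noescape='true' yields `^\\[^/]$`, where the table lists `^\\[^./]$` for that one row). `glob_match()` runs the result through Python's `re`, which accepts everything emitted here except POSIX classes inside brackets.

```python
"""glob_to_regex: shell glob -> Perl 5 regular expression (added example)."""
import re


class GlobSyntaxError(ValueError):
    """Raised for a malformed glob, e.g. an unclosed bracket expression."""


# Perl metacharacters that are ordinary pathname characters.  The spec's table
# only shows '.' being escaped; escaping the others is an assumption of this
# example.  '{', '}' and ',' are passed through intact (no brace expansion).
_ESCAPE_AS_LITERAL = set(".^$+()|")


def _bracket_end(glob: str, start: int, noescape: bool) -> int:
    """Index of the ']' closing the bracket expression opened at glob[start], or -1."""
    i = start + 1
    if i < len(glob) and glob[i] in "!^":           # negation marker
        i += 1
    if i < len(glob) and glob[i] == "]":            # ']' in first position is literal
        i += 1
    while i < len(glob):
        c = glob[i]
        if c == "]":
            return i
        if c == "[" and glob.startswith(":", i + 1):   # POSIX class such as [:digit:]
            close = glob.find(":]", i + 2)
            if close < 0:
                return -1
            i = close + 2
            continue
        if c == "\\" and not noescape:              # backslash escapes the next char
            i += 2
            continue
        i += 1
    return -1


def _bracket_to_class(expr: str, noescape: bool) -> str:
    """Turn a glob bracket expression into a Perl character class."""
    body = expr[1:-1]
    if body.startswith("!"):                        # glob negation -> regex negation (assumed)
        body = "^" + body[1:]
    if noescape:                                    # backslashes are literal inside the class
        body = body.replace("\\", "\\\\")
    return "[" + body + "]"


def glob_to_regex(glob: str, glob_noescape: bool = False) -> str:
    out = ["^"]
    i, n = 0, len(glob)
    seg_start = True        # at the start of the pattern or right after a '/'
    while i < n:
        c = glob[i]
        if c == "*":
            # never crosses '/'; at the start of a component it must not match a leading '.'
            out.append("(?=[^.])[^/]*" if seg_start else "[^/]*")
        elif c == "?":
            out.append("[^./]" if seg_start else "[^/]")
        elif c == "[":
            end = _bracket_end(glob, i, glob_noescape)
            if end < 0:
                raise GlobSyntaxError(f"unterminated bracket expression in {glob!r}")
            out.append(_bracket_to_class(glob[i:end + 1], glob_noescape))
            i = end
        elif c == "\\":
            if glob_noescape or i + 1 == n:         # literal backslash (or nothing to escape)
                out.append("\\\\")
            else:                                   # escape: the next character is literal
                i += 1
                nxt = glob[i]
                out.append(nxt if nxt.isalnum() else "\\" + nxt)
        else:
            out.append("\\" + c if c in _ESCAPE_AS_LITERAL else c)
        seg_start = c == "/"
        i += 1
    out.append("$")
    return "".join(out)


def glob_match(glob: str, path: str, glob_noescape: bool = False) -> bool:
    """Match a pathname with Python's re engine (no POSIX classes in brackets)."""
    return re.fullmatch(glob_to_regex(glob, glob_noescape), path) is not None


if __name__ == "__main__":
    for pattern, noescape in [("/root/*", False), ("\\*", False), ("\\*", True), ("xy/??z", False)]:
        print(f"{pattern!r:12} glob_noescape={noescape!s:5} -> {glob_to_regex(pattern, noescape)}")
    print(glob_match("/root/*", "/root/x"), glob_match("/root/*", "/root/.bashrc"))
```

Running the module prints the regex for a few of the table's rows and shows that `/root/*` matches `/root/x` but not the dotfile `/root/.bashrc`; the same function can be used to check any row of the table above.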
+
+## -- ArithmeticEnumeration --
+
+The ArithmeticEnumeration simple type defines basic arithmetic operations. Currently add and multiply are defined.
+
+| Value | Description |
+| ----- | ----------- |
+| add | |
+| multiply | |
+
+## -- DateTimeFormatEnumeration --
+
+The DateTimeFormatEnumeration simple type defines the different date-time formats that are understood by OVAL. Note that in some cases there are a few different possibilities within a given format. Each of these possibilities is unique though and can be distinguished from each other. The different formats are used to clarify the higher level structure of the date-time string being used.
+
+| Value | Description |
+| ----- | ----------- |
+| year_month_day | The year_month_day value specifies date-time strings that follow the formats: 'yyyymmdd', 'yyyymmddThhmmss', 'yyyy/mm/dd hh:mm:ss', 'yyyy/mm/dd', 'yyyy-mm-dd hh:mm:ss', or 'yyyy-mm-dd' |
+| month_day_year | The month_day_year value specifies date-time strings that follow the formats: 'mm/dd/yyyy hh:mm:ss', 'mm/dd/yyyy', 'mm-dd-yyyy hh:mm:ss', 'mm-dd-yyyy', 'NameOfMonth, dd yyyy hh:mm:ss', 'NameOfMonth, dd yyyy', 'AbbreviatedNameOfMonth, dd yyyy hh:mm:ss', or 'AbbreviatedNameOfMonth, dd yyyy' |
+| day_month_year | The day_month_year value specifies date-time strings that follow the formats: 'dd/mm/yyyy hh:mm:ss', 'dd/mm/yyyy', 'dd-mm-yyyy hh:mm:ss', or 'dd-mm-yyyy' |
+| win_filetime | The win_filetime value specifies date-time strings that follow the Windows FILETIME format (a 64-bit count of 100-nanosecond intervals since 00:00:00 UTC on January 1, 1601). |
+| seconds_since_epoch | The seconds_since_epoch value specifies date-time values that represent the time in seconds since the UNIX epoch. The Unix epoch is the time 00:00:00 UTC on January 1, 1970. |
+| cim_datetime | The cim_datetime model is used by WMI and its value specifies date-time strings that follow the format: 'yyyymmddHHMMSS.mmmmmmsUUU', and alternatively 'yyyy-mm-dd HH:MM:SS:mmm' only when used in WMI Query Language queries. |
+
+## -- FilterActionEnumeration --
+
+The FilterActionEnumeration simple type defines the different options for filtering sets of items.
+
+| Value | Description |
+| ----- | ----------- |
+| exclude | The exclude value specifies that all items that match the filter shall be excluded from the set that the filter is applied to. |
+| include | The include value specifies that only items that match the filter shall be included in the set that the filter is applied to. |
+
+## -- SetOperatorEnumeration --
+
+The SetOperatorEnumeration simple type defines acceptable set operations. Set operations are used to take multiple different sets of objects within OVAL and merge them into a single unique set. The different operators that guide this merge are defined below. For each operator, if only a single object has been supplied, then the resulting set is simply that complete object.
+
+| Value | Description |
+| ----- | ----------- |
+| COMPLEMENT | The complement operator is defined in OVAL as a relative complement. The resulting unique set contains everything that belongs to the first declared set that is not part of the second declared set. If A and B are sets (with A being the first declared set), then the relative complement is the set of elements in A, but not in B, with the duplicates removed. |
+| INTERSECTION | The intersection of two sets in OVAL results in a unique set that contains everything that belongs to both sets in the collection, but nothing else. If A and B are sets, then the intersection of A and B contains all the elements of A that also belong to B, but no other elements, with the duplicates removed. |
+| UNION | The union of two sets in OVAL results in a unique set that contains everything that belongs to either of the original sets. If A and B are sets, then the union of A and B contains all the elements of A and all elements of B, with the duplicates removed. |
+
+Below are some tables that outline how different flags are combined with a given set_operator to return a new flag. These tables are needed when computing the flag for collected objects that represent object sets in an OVAL Definition. The top row identifies the flag associated with the first set or object reference. The left column identifies the flag associated with the second set or object reference. The matrix inside each table gives the resulting flag when the given set_operator is applied (E=error, C=complete, I=incomplete, DNE=does not exist, NC=not collected, NA=not applicable).
+```
+ || ||
+ set_operator is || obj 1 flag ||
+ union || ||
+ || E | C | I | DNE | NC | NA ||
+-----------------||-----------------------------------||
+ E || E | E | E | E | E | E ||
+ obj C || E | C | I | C | I | C ||
+ 2 I || E | I | I | I | I | I ||
+ flag DNE || E | C | I | DNE | I | DNE ||
+ NC || E | I | I | I | NC | NC ||
+ NA || E | C | I | DNE | NC | NA ||
+-----------------||-----------------------------------||
+```
+
+
+```
+ || ||
+ set_operator is || obj 1 flag ||
+ intersection || ||
+ || E | C | I | DNE | NC | NA ||
+-----------------||-----------------------------------||
+ E || E | E | E | DNE | E | E ||
+ obj C || E | C | I | DNE | NC | C ||
+ 2 I || E | I | I | DNE | NC | I ||
+ flag DNE || DNE | DNE | DNE | DNE | DNE | DNE ||
+ NC || E | NC | NC | DNE | NC | NC ||
+ NA || E | C | I | DNE | NC | NA ||
+-----------------||-----------------------------------||
+```
+
+
+```
+ || ||
+ set_operator is || obj 1 flag ||
+ complement || ||
+ || E | C | I | DNE | NC | NA ||
+-----------------||-----------------------------------||
+ E || E | E | E | DNE | E | E ||
+ obj C || E | C | I | DNE | NC | E ||
+ 2 I || E | E | E | DNE | NC | E ||
+ flag DNE || E | C | I | DNE | NC | E ||
+ NC || E | NC | NC | DNE | NC | E ||
+ NA || E | E | E | E | E | E ||
+-----------------||-----------------------------------||
+```
+
+## -- EntityAttributeGroup --
+
+The EntityAttributeGroup is a collection of attributes that are common to all entities. This group defines these attributes and their default values. Individual entities may limit allowed values for these attributes, but all entities will support these attributes.
+
+#### Attributes:
+
+* **datatype** [oval:DatatypeEnumeration](oval-common-schema.md#DatatypeEnumeration) (optional -- default='string')
+The optional datatype attribute specifies how the given operation should be applied to the data. Since we are dealing with XML, everything is technically a string, but often the value is meant to represent some other datatype, and this affects the way an operation is performed. Take the statement 'is 123 less than 98': if the data is treated as integers the answer is no, but if the data is treated as strings the answer is yes. Specifying a datatype defines how the 'less than' operation should be performed. Another way of thinking about it is that the datatype attribute specifies how the data should be cast before performing the operation (note that the default datatype is 'string'). In the previous example, if the datatype is set to 'int', then '123' and '98' should be cast as integers. Another example is applying the 'equals' operation to '1.0.0.0' and '1.0': with datatype 'string' they are not equal, with datatype 'version' they are. Note that there are certain cases where a cast from one datatype to another is not possible, for example trying to cast 'abc' to an integer, or a datatype of 'int' with the empty string as the value. There is no way to cast the empty string (or NULL) to an integer, and in cases like this an error should be reported.
+* **operation** [oval:OperationEnumeration](oval-common-schema.md#OperationEnumeration) (optional -- default='equals')
+The optional operation attribute determines how the individual entities should be evaluated (the default operation is 'equals').
+* **mask** xsd:boolean (optional -- default='false')
+The optional mask attribute is used to identify values that have been hidden for sensitivity concerns. This is used by the Result document which uses the System Characteristics schema to format the information found on a specific system. When the mask attribute is set to 'true' on an OVAL Entity or an OVAL Field, the corresponding collected value of that OVAL Entity or OVAL Field MUST NOT be present in the "results" section of the OVAL Results document; the "oval_definitions" section must not be altered and must be an exact copy of the definitions evaluated. Values MUST NOT be masked in OVAL System Characteristics documents that are not contained within an OVAL Results document. It is possible for masking conflicts to occur where one entity has mask set to true and another entity has mask set to false. A conflict will occur when the mask attribute is set differently on an OVAL Object and matching OVAL State or when more than one OVAL Objects identify the same OVAL Item(s). When such a conflict occurs the result is always to mask the entity.
+* **var_ref** [oval:VariableIDPattern](oval-common-schema.md#VariableIDPattern) (optional)
+The optional var_ref attribute refers the value of the element to a variable element. When supplied, the value(s) associated with the OVAL Variable should be used as the value(s) of the element. If there is an error computing the value of the variable, then that error should be passed up to the element referencing it. If the variable being referenced does not have a value (for example, if the variable pertains to the size of a file, but the file does not exist) then one of two results are possible. If the element is part of an object declaration, then the object element referencing it is considered to not exist. If the element is part of a state declaration, then the state element referencing it will evaluate to error.
+* **var_check** [oval:CheckEnumeration](oval-common-schema.md#CheckEnumeration) (optional)
+The optional var_check attribute specifies how data collection or state evaluation should proceed when an element uses a var_ref attribute and the associated variable defines more than one value. For example, if an object entity 'filename' with an operation of 'not equal' references a variable that returns five different values, and the var_check attribute has a value of 'all', then an actual file on the system matches only if the actual filename does not equal any of the variable values. As another example, if a state entity 'size' with an operation of 'less than' references a variable that has five different integer values, and the var_check attribute has a value of 'all', then the 'size' state entity evaluates to true only if the corresponding 'size' item entity is less than each of the five integers defined by the variable. If a variable does not have any value when referenced by an OVAL Object, the object should be considered to not exist. If a variable does not have any value when referenced by an OVAL State, an error should be reported during OVAL analysis. When an OVAL State uses a var_ref, if both the state entity and a corresponding item entity are collections of values, the var_check is applied to each value of the item entity individually, and all must evaluate to true for the state entity to evaluate to true. In this condition, there is no value of var_check which enables an element-wise comparison, and so there is no way to determine whether the two entities are truly 'equal' in that sense. If var_ref is present but var_check is not, the element should be processed as if var_check has the value 'all'.
+
+## == EntitySimpleBaseType ==
+
+The EntitySimpleBaseType complex type is an abstract type that defines the default attributes associated with every simple entity. Entities can be found in both OVAL Objects and OVAL States and represent the individual properties associated with items found on a system. An example of a single entity would be the path of a file. Another example would be the version of the file.
+
+**Simple Content:** xsd:anySimpleType
+
+## == EntityComplexBaseType ==
+
+The EntityComplexBaseType complex type is an abstract type that defines the default attributes associated with every complex entity. Entities can be found in both OVAL Objects and OVAL States and represent the individual properties associated with items found on a system. An example of a single entity would be the path of a file. Another example would be the version of the file.
+
+## == EntityObjectIPAddressType ==
+
+The EntityObjectIPAddressType type is extended by the entities of an individual OVAL Object. This type provides uniformity to each object entity by including the attributes found in the EntitySimpleBaseType. This specific type describes any IPv4/IPv6 address or address prefix.
+
+**Restricts:** [oval-def:EntitySimpleBaseType](oval-definitions-schema.md#EntitySimpleBaseType)
+
+#### Attributes:
+
+* **datatype** Restriction of [oval:SimpleDatatypeEnumeration](oval-common-schema.md#SimpleDatatypeEnumeration) (required) ('ipv4_address', 'ipv6_address')
+
+**Simple Content:** Restricts xsd:string
+
+## == EntityObjectIPAddressStringType ==
+
+The EntityObjectIPAddressStringType type is extended by the entities of an individual OVAL Object. This type provides uniformity to each object entity by including the attributes found in the EntitySimpleBaseType. This specific type describes any IPv4/IPv6 address, address prefix, or its string representation.
+
+**Restricts:** [oval-def:EntitySimpleBaseType](oval-definitions-schema.md#EntitySimpleBaseType)
+
+#### Attributes:
+
+* **datatype** Restriction of [oval:SimpleDatatypeEnumeration](oval-common-schema.md#SimpleDatatypeEnumeration) (optional -- default='string') ('ipv4_address', 'ipv6_address', 'string')
+
+**Simple Content:** Restricts xsd:string
+
+## == EntityObjectAnySimpleType ==
+
+The EntityObjectAnySimpleType type is extended by the entities of an individual OVAL Object. This type provides uniformity to each object entity by including the attributes found in the EntitySimpleBaseType. This specific type describes any simple data.
+
+**Restricts:** [oval-def:EntitySimpleBaseType](oval-definitions-schema.md#EntitySimpleBaseType)
+
+#### Attributes:
+
+* **datatype** [oval:SimpleDatatypeEnumeration](oval-common-schema.md#SimpleDatatypeEnumeration) (optional -- default='string')
+
+**Simple Content:** Restricts xsd:string
+
+## == EntityObjectBinaryType ==
+
+The EntityObjectBinaryType type is extended by the entities of an individual OVAL Object. This type provides uniformity to each object entity by including the attributes found in the EntitySimpleBaseType. This specific type describes simple binary data. The empty string is also allowed when using a variable reference with an element.
+
+**Restricts:** [oval-def:EntitySimpleBaseType](oval-definitions-schema.md#EntitySimpleBaseType)
+
+#### Attributes:
+
+* **datatype** [oval:SimpleDatatypeEnumeration](oval-common-schema.md#SimpleDatatypeEnumeration) (required -- fixed='binary')
+
+**Simple Content:** Union of xsd:hexBinary, [oval:EmptyStringType](oval-common-schema.md#EmptyStringType)
+
+## == EntityObjectBoolType ==
+
+The EntityObjectBoolType type is extended by the entities of an individual OVAL Object. This type provides uniformity to each object entity by including the attributes found in the EntitySimpleBaseType. This specific type describes simple boolean data. The empty string is also allowed when using a variable reference with an element.
+
+**Restricts:** [oval-def:EntitySimpleBaseType](oval-definitions-schema.md#EntitySimpleBaseType)
+
+#### Attributes:
+
+* **datatype** [oval:SimpleDatatypeEnumeration](oval-common-schema.md#SimpleDatatypeEnumeration) (required -- fixed='boolean')
+
+**Simple Content:** Union of xsd:boolean, [oval:EmptyStringType](oval-common-schema.md#EmptyStringType)
+
+## == EntityObjectFloatType ==
+
+The EntityObjectFloatType type is extended by the entities of an individual OVAL Object. This type provides uniformity to each object entity by including the attributes found in the EntitySimpleBaseType. This specific type describes simple float data. The empty string is also allowed when using a variable reference with an element.
+
+**Restricts:** [oval-def:EntitySimpleBaseType](oval-definitions-schema.md#EntitySimpleBaseType)
+
+#### Attributes:
+
+* **datatype** [oval:SimpleDatatypeEnumeration](oval-common-schema.md#SimpleDatatypeEnumeration) (required -- fixed='float')
+
+**Simple Content:** Union of xsd:float, [oval:EmptyStringType](oval-common-schema.md#EmptyStringType)
+
+## == EntityObjectIntType ==
+
+The EntityObjectIntType type is extended by the entities of an individual OVAL Object. This type provides uniformity to each object entity by including the attributes found in the EntitySimpleBaseType. This specific type describes simple integer data. The empty string is also allowed when using a variable reference with an element.
+
+**Restricts:** [oval-def:EntitySimpleBaseType](oval-definitions-schema.md#EntitySimpleBaseType)
+
+#### Attributes:
+
+* **datatype** [oval:SimpleDatatypeEnumeration](oval-common-schema.md#SimpleDatatypeEnumeration) (required -- fixed='int')
+
+**Simple Content:** Union of xsd:integer, [oval:EmptyStringType](oval-common-schema.md#EmptyStringType)
+
+## == EntityObjectStringType ==
+
+The EntityObjectStringType type is extended by the entities of an individual OVAL Object. This type provides uniformity to each object entity by including the attributes found in the EntitySimpleBaseType. This specific type describes simple string data.
+
+**Restricts:** [oval-def:EntitySimpleBaseType](oval-definitions-schema.md#EntitySimpleBaseType)
+
+#### Attributes:
+
+* **datatype** [oval:SimpleDatatypeEnumeration](oval-common-schema.md#SimpleDatatypeEnumeration) (optional -- fixed='string')
+
+**Simple Content:** Restricts xsd:string
+
+## == EntityObjectVersionType ==
+
+The EntityObjectVersionType type is extended by the entities of an individual OVAL Object. This type provides uniformity to each object entity by including the attributes found in the EntitySimpleBaseType. This specific type describes simple version data.
+
+**Restricts:** [oval-def:EntitySimpleBaseType](oval-definitions-schema.md#EntitySimpleBaseType)
+
+#### Attributes:
+
+* **datatype** [oval:SimpleDatatypeEnumeration](oval-common-schema.md#SimpleDatatypeEnumeration) (required -- fixed='version')
+
+**Simple Content:** Restricts xsd:string
+
+## == EntityObjectRecordType ==
+
+The EntityObjectRecordType defines an entity that consists of a number of uniquely named fields. This structure is used for representing a record from a database query and other similar structures where multiple related fields must be represented at once. Note that for all entities of this type, the only allowed datatype is 'record' and the only allowed operation is 'equals'. During analysis of a system characteristics item, each field is analyzed and then the overall result for elements of this type is computed by logically anding the results for each field and then applying the entity_check attribute.
+
+Note the datatype attribute must be set to 'record'.
+
+Note the operation attribute must be set to 'equals'.
+
+Note the var_ref attribute is not permitted and the var_check attribute does not apply.
+
+Note that when the mask attribute is set to 'true', all child field elements must be masked regardless of the child field's mask attribute value.
+
+**Extends:** [oval-def:EntityComplexBaseType](oval-definitions-schema.md#EntityComplexBaseType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| field | [oval-def:EntityObjectFieldType](oval-definitions-schema.md#EntityObjectFieldType) (0..unbounded) |
+|||
+
+## == EntityObjectFieldType ==
+
+The EntityObjectFieldType defines an element with simple content that represents a named field in a record that may contain any number of named fields. The EntityObjectFieldType is much like all other entities with one significant difference: the EntityObjectFieldType has a name attribute.
+
+The required name attribute specifies a unique name for the field. Field names are lowercase and must be unique within a given parent record element. When analyzing system characteristics an error should be reported for the result of a field that is present in the OVAL State, but not found in the system characteristics Item.
+
+The optional entity_check attribute specifies how to handle multiple record fields with the same name in the OVAL System Characteristics file. For example, consider collecting group information where one field represents the users that are members of the group. It is very likely that there will be multiple fields with a name of 'user' associated with the group. If the OVAL State defines the value of the field with name equal to 'user' to equal 'Fred', then the entity_check attribute determines whether all values for field entities must be equal to 'Fred', or at least one value must be equal to 'Fred', etc.
+
+Note that when the mask attribute is set to 'true' on a field's parent element the field must be masked regardless of the field's mask attribute value.
+
+#### Attributes:
+
+* **name** Restriction of xsd:string (required)
+A string restricted to disallow upper case characters.
+* **entity_check** [oval:CheckEnumeration](oval-common-schema.md#CheckEnumeration) (optional -- default='all')
+
+**Simple Content:** xsd:anySimpleType
+
+## == EntityStateSimpleBaseType ==
+
+The EntityStateSimpleBaseType complex type is an abstract type that extends the EntitySimpleBaseType and is used by some entities within an OVAL State.
+
+The optional check_existence attribute specifies how to interpret the status of corresponding item entities when performing an item-state comparison. The default value for this attribute is 'at_least_one_exists' indicating that by default an item comparison may evaluate to true only if at least one corresponding item entity has a status of 'exists'. For example, if a value of 'none_exist' is given, then the comparison can evaluate to true only if there are one or more corresponding item entities, each with a status of 'does not exist'.
+
+The optional entity_check attribute specifies how to handle multiple item entities with the same name in the OVAL Systems Characteristics file. For example, suppose we are dealing with a Group Test and an entity in the state is related to the user. It is very likely that when the information about the group is collected off of the system (and represented in the OVAL System Characteristics file) that there will be multiple users associated with the group (i.e. multiple 'user' item entities associated with the same 'user' state entity). If the OVAL State defines the value of the user entity to equal 'Fred', then the entity_check attribute determines if all values for 'user' item entities must be equal to 'Fred', or at least one value must be equal to 'Fred', etc. Note that with the exception of the 'none_satisfy' check value, the entity_check attribute can only affect the result of the test if the corresponding OVAL Item allows more than one occurrence of the entity (e.g. 'maxOccurs' is some value greater than one).
+
+The entity_check and var_check attributes are considered together when evaluating a single state entity. When a variable identifies more than one value and multiple item entities with the same name exist, for a single state entity, a many-to-many comparison must be conducted. In this situation, there are many values for the state entity that must be compared to many item entities. Each item entity is compared to the state entity. For each item entity, an interim result is calculated by using the var_check attribute to combine the result of comparing each variable value with a single system value. Then these interim results are combined for each system value using the entity_check attribute.
+
+#### Attributes:
+
+* **entity_check** [oval:CheckEnumeration](oval-common-schema.md#CheckEnumeration) (optional -- default='all')
+* **check_existence** [oval:ExistenceEnumeration](oval-common-schema.md#ExistenceEnumeration) (optional -- default='at_least_one_exists')
+
+**Simple Content:** [oval-def:EntitySimpleBaseType](oval-definitions-schema.md#EntitySimpleBaseType)
+
+## == EntityStateComplexBaseType ==
+
+The EntityStateComplexBaseType complex type is an abstract type that extends the EntityComplexBaseType and is used by some entities within an OVAL State.
+
+The optional check_existence attribute specifies how to interpret the status of corresponding item entities when performing an item-state comparison. The default value for this attribute is 'at_least_one_exists' indicating that by default an item comparison may evaluate to true only if at least one corresponding item entity has a status of 'exists'. For example, if a value of 'none_exist' is given, then the comparison can evaluate to true only if there are one or more corresponding item entities, each with a status of 'does not exist'.
+
+The optional entity_check attribute specifies how to handle multiple item entities with the same name in the OVAL Systems Characteristics file. For example, suppose we are dealing with a Group Test and an entity in the state is related to the user. It is very likely that when the information about the group is collected off of the system (and represented in the OVAL System Characteristics file) that there will be multiple users associated with the group (i.e. multiple 'user' item entities associated with the same 'user' state entity). If the OVAL State defines the value of the user entity to equal 'Fred', then the entity_check attribute determines if all values for 'user' item entities must be equal to 'Fred', or at least one value must be equal to 'Fred', etc. Note that with the exception of the 'none_satisfy' check value, the entity_check attribute can only affect the result of the test if the corresponding OVAL Item allows more than one occurrence of the entity (e.g. 'maxOccurs' is some value greater than one).
+
+The entity_check and var_check attributes are considered together when evaluating a single state entity. When a variable identifies more than one value and multiple item entities with the same name exist, for a single state entity, a many-to-many comparison must be conducted. In this situation, there are many values for the state entity that must be compared to many item entities. Each item entity is compared to the state entity. For each item entity, an interim result is calculated by using the var_check attribute to combine the result of comparing each variable value with a single system value. Then these interim results are combined for each system value using the entity_check attribute.
+
+**Extends:** [oval-def:EntityComplexBaseType](oval-definitions-schema.md#EntityComplexBaseType)
+
+#### Attributes:
+
+* **entity_check** [oval:CheckEnumeration](oval-common-schema.md#CheckEnumeration) (optional -- default='all')
+* **check_existence** [oval:ExistenceEnumeration](oval-common-schema.md#ExistenceEnumeration) (optional -- default='at_least_one_exists')
+
+## == EntityStateIPAddressType ==
+
+The EntityStateIPAddressType type is extended by the entities of an individual OVAL State. This type provides uniformity to each object entity by including the attributes found in the EntityStateSimpleBaseType. This specific type describes any IPv4/IPv6 address or address prefix.
+
+**Restricts:** [oval-def:EntityStateSimpleBaseType](oval-definitions-schema.md#EntityStateSimpleBaseType)
+
+#### Attributes:
+
+* **datatype** Restriction of [oval:SimpleDatatypeEnumeration](oval-common-schema.md#SimpleDatatypeEnumeration) (required) ('ipv4_address', 'ipv6_address')
+
+**Simple Content:** Restricts xsd:string
+
+## == EntityStateIPAddressStringType ==
+
+The EntityStateIPAddressStringType type is extended by the entities of an individual OVAL State. This type provides uniformity to each object entity by including the attributes found in the EntityStateSimpleBaseType. This specific type describes any IPv4/IPv6 address, address prefix, or its string representation.
+
+**Restricts:** [oval-def:EntityStateSimpleBaseType](oval-definitions-schema.md#EntityStateSimpleBaseType)
+
+#### Attributes:
+
+* **datatype** Restriction of [oval:SimpleDatatypeEnumeration](oval-common-schema.md#SimpleDatatypeEnumeration) (optional -- default='string') ('ipv4_address', 'ipv6_address', 'string')
+
+**Simple Content:** Restricts xsd:string
+
+## == EntityStateAnySimpleType ==
+
+The EntityStateAnySimpleType type is extended by the entities of an individual OVAL State. This type provides uniformity to each state entity by including the attributes found in the EntityStateSimpleBaseType. This specific type describes any simple data.
+
+**Restricts:** [oval-def:EntityStateSimpleBaseType](oval-definitions-schema.md#EntityStateSimpleBaseType)
+
+#### Attributes:
+
+* **datatype** [oval:SimpleDatatypeEnumeration](oval-common-schema.md#SimpleDatatypeEnumeration) (optional -- default='string')
+
+**Simple Content:** Restricts xsd:string
+
+## == EntityStateBinaryType ==
+
+The EntityStateBinaryType type is extended by the entities of an individual OVAL State. This type provides uniformity to each state entity by including the attributes found in the EntityStateSimpleBaseType. This specific type describes simple binary data. The empty string is also allowed when using a variable reference with an element.
+
+**Restricts:** [oval-def:EntityStateSimpleBaseType](oval-definitions-schema.md#EntityStateSimpleBaseType)
+
+#### Attributes:
+
+* **datatype** [oval:SimpleDatatypeEnumeration](oval-common-schema.md#SimpleDatatypeEnumeration) (required -- fixed='binary')
+
+**Simple Content:** Union of xsd:hexBinary, [oval:EmptyStringType](oval-common-schema.md#EmptyStringType)
+
+## == EntityStateBoolType ==
+
+The EntityStateBoolType type is extended by the entities of an individual OVAL State. This type provides uniformity to each state entity by including the attributes found in the EntityStateSimpleBaseType. This specific type describes simple boolean data. The empty string is also allowed when using a variable reference with an element.
+
+**Restricts:** [oval-def:EntityStateSimpleBaseType](oval-definitions-schema.md#EntityStateSimpleBaseType)
+
+#### Attributes:
+
+* **datatype** [oval:SimpleDatatypeEnumeration](oval-common-schema.md#SimpleDatatypeEnumeration) (required -- fixed='boolean')
+
+**Simple Content:** Union of xsd:boolean, [oval:EmptyStringType](oval-common-schema.md#EmptyStringType)
+
+## == EntityStateFloatType ==
+
+The EntityStateFloatType type is extended by the entities of an individual OVAL State. This type provides uniformity to each state entity by including the attributes found in the EntityStateSimpleBaseType. This specific type describes simple float data. The empty string is also allowed when using a variable reference with an element.
+
+**Restricts:** [oval-def:EntityStateSimpleBaseType](oval-definitions-schema.md#EntityStateSimpleBaseType)
+
+#### Attributes:
+
+* **datatype** [oval:SimpleDatatypeEnumeration](oval-common-schema.md#SimpleDatatypeEnumeration) (required -- fixed='float')
+
+**Simple Content:** Union of xsd:float, [oval:EmptyStringType](oval-common-schema.md#EmptyStringType)
+
+## == EntityStateIntType ==
+
+The EntityStateIntType type is extended by the entities of an individual OVAL State. This type provides uniformity to each state entity by including the attributes found in the EntityStateSimpleBaseType. This specific type describes simple integer data. The empty string is also allowed when using a variable reference with an element.
+
+**Restricts:** [oval-def:EntityStateSimpleBaseType](oval-definitions-schema.md#EntityStateSimpleBaseType)
+
+#### Attributes:
+
+* **datatype** [oval:SimpleDatatypeEnumeration](oval-common-schema.md#SimpleDatatypeEnumeration) (required -- fixed='int')
+
+**Simple Content:** Union of xsd:integer, [oval:EmptyStringType](oval-common-schema.md#EmptyStringType)
+
+## == EntityStateEVRStringType ==
+
+The EntityStateEVRStringType type is extended by the entities of an individual OVAL State. This type provides uniformity to each state entity by including the attributes found in the EntityStateSimpleBaseType. This type represents the epoch, version, and release fields, for an RPM package, as a single version string. It has the form "EPOCH:VERSION-RELEASE". Note that a null epoch (or '(none)' as returned by rpm) is equivalent to '0' and would hence have the form 0:VERSION-RELEASE. Comparisons involving this datatype should follow the algorithm of librpm's rpmvercmp() function.
+
+**Restricts:** [oval-def:EntityStateSimpleBaseType](oval-definitions-schema.md#EntityStateSimpleBaseType)
+
+#### Attributes:
+
+* **datatype** [oval:SimpleDatatypeEnumeration](oval-common-schema.md#SimpleDatatypeEnumeration) (required -- fixed='evr_string')
+
+**Simple Content:** Restricts xsd:string
+
+## == EntityStateDebianEVRStringType ==
+
+The EntityStateDebianEVRStringType type is extended by the entities of an individual OVAL State. This type provides uniformity to each state entity by including the attributes found in the EntityStateSimpleBaseType. This type represents the epoch, upstream_version, and debian_revision fields, for a Debian package, as a single version string. It has the form "EPOCH:UPSTREAM_VERSION-DEBIAN_REVISION". Note that a null epoch (or '(none)' as returned by dpkg) is equivalent to '0' and would hence have the form 0:UPSTREAM_VERSION-DEBIAN_REVISION. Comparisons involving this datatype should follow the algorithm outlined in Chapter 5 of the "Debian Policy Manual" (https://www.debian.org/doc/debian-policy/ch-controlfields.html#s-f-Version). An implementation of this is the cmpversions() function in dpkg's enquiry.c.
+
+**Restricts:** [oval-def:EntityStateSimpleBaseType](oval-definitions-schema.md#EntityStateSimpleBaseType)
+
+#### Attributes:
+
+* **datatype** [oval:SimpleDatatypeEnumeration](oval-common-schema.md#SimpleDatatypeEnumeration) (required -- fixed='debian_evr_string')
+
+**Simple Content:** Restricts xsd:string
+
+## == EntityStateVersionType ==
+
+The EntityStateVersionType type is extended by the entities of an individual OVAL State. This type provides uniformity to each state entity by including the attributes found in the EntityStateSimpleBaseType. This specific type describes simple version data.
+
+**Restricts:** [oval-def:EntityStateSimpleBaseType](oval-definitions-schema.md#EntityStateSimpleBaseType)
+
+#### Attributes:
+
+* **datatype** [oval:SimpleDatatypeEnumeration](oval-common-schema.md#SimpleDatatypeEnumeration) (required -- fixed='version')
+
+**Simple Content:** Restricts xsd:string
+
+## == EntityStateFileSetRevisionType ==
+
+The EntityStateFileSetRevisionType type is extended by the entities of an individual OVAL State. This type provides uniformity to each state entity by including the attributes found in the EntityStateSimpleBaseType. This specific type represents the version string related to filesets in HP-UX.
+
+**Restricts:** [oval-def:EntityStateSimpleBaseType](oval-definitions-schema.md#EntityStateSimpleBaseType)
+
+#### Attributes:
+
+* **datatype** [oval:SimpleDatatypeEnumeration](oval-common-schema.md#SimpleDatatypeEnumeration) (required -- fixed='fileset_revision')
+
+**Simple Content:** Restricts xsd:string
+
+## == EntityStateIOSVersionType ==
+
+The EntityStateIOSVersionType type is extended by the entities of an individual OVAL State. This type provides uniformity to each state entity by including the attributes found in the EntityStateSimpleBaseType. This specific type represents the version string related to CISCO IOS.
+
+**Restricts:** [oval-def:EntityStateSimpleBaseType](oval-definitions-schema.md#EntityStateSimpleBaseType)
+
+#### Attributes:
+
+* **datatype** Restriction of [oval:SimpleDatatypeEnumeration](oval-common-schema.md#SimpleDatatypeEnumeration) (optional -- default='string') ('ios_version', 'string')
+
+**Simple Content:** Restricts xsd:string
+
+## == EntityStateStringType ==
+
+The EntityStateStringType type is extended by the entities of an individual OVAL State. This type provides uniformity to each state entity by including the attributes found in the EntityStateSimpleBaseType. This specific type describes simple string data.
+
+**Restricts:** [oval-def:EntityStateSimpleBaseType](oval-definitions-schema.md#EntityStateSimpleBaseType)
+
+#### Attributes:
+
+* **datatype** [oval:SimpleDatatypeEnumeration](oval-common-schema.md#SimpleDatatypeEnumeration) (optional -- fixed='string')
+
+**Simple Content:** Restricts xsd:string
+
+## == EntityStateRecordType ==
+
+The EntityStateRecordType defines an entity that consists of a number of uniquely named fields. This structure is used for representing a record from a database query and other similar structures where multiple related fields must be collected at once. Note that for all entities of this type, the only allowed datatype is 'record' and the only allowed operation is 'equals'. During analysis of a system characteristics item, each field is analyzed and then the overall result for elements of this type is computed by logically anding the results for each field and then applying the entity_check attribute.
+
+Note the datatype attribute must be set to 'record'.
+
+Note the operation attribute must be set to 'equals'.
+
+Note the var_ref attribute is not permitted and the var_check attribute does not apply.
+
+Note that when the mask attribute is set to 'true', all child field elements must be masked regardless of the child field's mask attribute value.
+
+**Extends:** [oval-def:EntityStateComplexBaseType](oval-definitions-schema.md#EntityStateComplexBaseType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| field | [oval-def:EntityStateFieldType](oval-definitions-schema.md#EntityStateFieldType) (0..unbounded) |
+|||
+
+## == EntityStateFieldType ==
+
+The EntityStateFieldType defines an element with simple content that represents a named field in a record that may contain any number of named fields. The EntityStateFieldType is much like all other entities with one significant difference, the EntityStateFieldType has a name attribute
+
+The required name attribute specifies a unique name for the field. Field names are lowercase and must be unique within a given parent record element. When analyzing system characteristics an error should be reported for the result of a field that is present in the OVAL State, but not found in the system characteristics Item.
+
+The optional entity_check attribute specifies how to handle multiple record fields with the same name in the OVAL Systems Characteristics file. For example, while collecting group information where one field is the represents the users that are members of the group. It is very likely that there will be multiple fields with a name of 'user' associated with the group. If the OVAL State defines the value of the field with name equal 'user' to equal 'Fred', then the entity_check attribute determines if all values for field entities must be equal to 'Fred', or at least one value must be equal to 'Fred', etc.
+
+Note that when the mask attribute is set to 'true' on a field's parent element the field must be masked regardless of the field's mask attribute value.
+
+#### Attributes:
+
+* **name** Restriction of xsd:string (required)
+A string restricted to disallow upper case characters.
+* **entity_check** [oval:CheckEnumeration](oval-common-schema.md#CheckEnumeration) (optional -- default='all')
+
+**Simple Content:** xsd:anySimpleType
+
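Review bot: Two wording defects in the EntityStateFieldType section of this hunk should be fixed before merge. The opening paragraph ends mid-sentence without a terminal period ("the EntityStateFieldType has a name attribute"), and it also reads as a comma splice; suggest "... with one significant difference: the EntityStateFieldType has a name attribute." The entity_check paragraph for the same type contains the garbled phrase "where one field is the represents the users that are members of the group"; suggest "where one field represents the users that are members of the group". Everything else in this hunk is consistent with the sibling EntityState*Type sections, including the optional-but-fixed datatype on EntityStateStringType, which matches how the other string-valued types in this file are declared.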
diff --git a/guidelines/oval-schema-documentation/oval-directives-schema.md b/guidelines/oval-schema-documentation/oval-directives-schema.md
new file mode 100644
index 0000000..755e68d
--- /dev/null
+++ b/guidelines/oval-schema-documentation/oval-directives-schema.md
@@ -0,0 +1,27 @@
+# Open Vulnerability and Assessment Language: Element Dictionary
+
+* Schema: Core Directives
+* Version: 5.11.2
+* Release Date: 11/30/2016 09:00:00 AM
+
+The following is a description of the elements, types, and attributes that compose the core schema for encoding Open Vulnerability and Assessment Language (OVAL) Directives. Each of the elements, types, and attributes that make up the Core Directives Schema are described in detail and should provide the information necessary to understand what each object represents. This document is intended for developers and assumes some familiarity with XML. A high level description of the interaction between these objects is not outlined here.
+
+The OVAL Schema is maintained by The MITRE Corporation and developed by the public OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.mitre.org.
+
+______________
+
+## < oval_directives >
+
+The oval_directives element is the root of an OVAL Directive Document. Its purpose is to bind together the generator and the set of directives contained in the document. The generator section must be present and provides information about when the directives document was compiled and under what version. The optional Signature element allows an XML Signature as defined by the W3C to be attached to the document. This allows authentication and data integrity to be provided to the user. Enveloped signatures are supported. More information about the official W3C Recommendation regarding XML digital signatures can be found at http://www.w3.org/TR/xmldsig-core/.
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| generator | [oval:GeneratorType](oval-common-schema.md#GeneratorType) (1..1) |
+||The required generator section provides information about when the directives document was compiled and under what version.
|
+| directives | [oval-res:DefaultDirectivesType](oval-results-schema.md#DefaultDirectivesType) (1..1) |
+||The required directives section presents flags describing what information must be been included in an oval results document. This element represents the default set of directives. These directives apply to all classes of definitions for which there is not a class specific set of directives.
|
+| class_directives | [oval-res:ClassDirectivesType](oval-results-schema.md#ClassDirectivesType) (0..5) |
+||The optional class_directives section presents flags describing what information has been included in the results document for a specific OVAL Definition class. The directives for a particlar class override the default directives.
|
+| [ds:Signature](http://www.w3.org/TR/xmldsig-core/#sec-Signature) | n/a (0..1) |
+||The optional Signature element allows an XML Signature as defined by the W3C to be attached to the document. This allows authentication and data integrity to be provided to the user. Enveloped signatures are supported. More information about the official W3C Recommendation regarding XML digital signatures can be found at http://www.w3.org/TR/xmldsig-core/.
|
+
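Review bot: The maintainer paragraph in this new file names "The MITRE Corporation" and points at http://oval.mitre.org, while the oval-results-schema.md file added in the same patch, for the same 5.11.2 release, says the schema is maintained by the OVAL Community at http://oval.cisecurity.org; the two files should agree, so align this one with the results-schema wording or explain why they differ. Two typos in the child element table of oval_directives also need fixing: the directives row reads "what information must be been included" (presumably "must be included"), and the class_directives row has "particlar" for "particular".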
diff --git a/guidelines/oval-schema-documentation/oval-results-schema.md b/guidelines/oval-schema-documentation/oval-results-schema.md
new file mode 100644
index 0000000..ab8e452
--- /dev/null
+++ b/guidelines/oval-schema-documentation/oval-results-schema.md
@@ -0,0 +1,317 @@
+# Open Vulnerability and Assessment Language: Element Dictionary
+
+* Schema: Core Results
+* Version: 5.11.2
+* Release Date: 11/30/2016 09:00:00 AM
+
+The following is a description of the elements, types, and attributes that compose the core schema for encoding Open Vulnerability and Assessment Language (OVAL) Results. Each of the elements, types, and attributes that make up the Core Results Schema are described in detail and should provide the information necessary to understand what each object represents. This document is intended for developers and assumes some familiarity with XML. A high level description of the interaction between these objects is not outlined here.
+
+The OVAL Schema is maintained by the OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.cisecurity.org.
+
+______________
+
+## < oval_results >
+
+The oval_results element is the root of an OVAL Results Document. Its purpose is to bind together the four major sections of a results document - generator, directives, oval_definitions, and results - which are the children of the root element. It must contain exactly one generator section, one directives section, and one results section.
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| generator | [oval:GeneratorType](oval-common-schema.md#GeneratorType) (1..1) |
+||The required generator section provides information about when the results document was compiled and under what version.
|
+| directives | [oval-res:DefaultDirectivesType](oval-results-schema.md#DefaultDirectivesType) (1..1) |
+||The required directives section presents flags describing what information has been included in the results document. This element represents the default set of directives. These directives apply to all classes of definitions for which there is not a class specific set of directives.
|
+| class_directives | [oval-res:ClassDirectivesType](oval-results-schema.md#ClassDirectivesType) (0..5) |
+||The optional class_directives section presents flags describing what information has been included in the results document for a specific OVAL Definition class. The directives for a particlar class override the default directives. Using OVAL Results class_directives, an OVAL Results document dealing with vulnerabilities might by default include only minimal information and then include full details for all vulnerability definitions that evaluated to true.
|
+| [oval-def:oval_definitions](oval-definitions-schema.md#oval_definitions) | n/a (0..1) |
+||The oval_definitions section is optional and dependent on the include_source_definitions attribute of the directives element. Its purpose is to provide an exact copy of the definitions evaluated for the results document.
|
+| results | [oval-res:ResultsType](oval-results-schema.md#ResultsType) (1..1) |
+||The required results section holds all the results of the evaluated definitions.
|
+| [ds:Signature](http://www.w3.org/TR/xmldsig-core/#sec-Signature) | n/a (0..1) |
+||The optional Signature element allows an XML Signature as defined by the W3C to be attached to the document. This allows authentication and data integrity to be provided to the user. Enveloped signatures are supported. More information about the official W3C Recommendation regarding XML digital signatures can be found at http://www.w3.org/TR/xmldsig-core/.
|
+
+______________
+
+## == DirectivesType ==
+
+The DirectivesType complex type presents a set of flags that describe what information has been included in the results document. There are six possible results (true, false, unknown, error, not evaluated, and not applicable) for the evaluation of an OVAL Definition. The directives state which of these results are being reported in the results document.
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| definition_true | [oval-res:DirectiveType](oval-results-schema.md#DirectiveType) (1..1) |
+|||
+| definition_false | [oval-res:DirectiveType](oval-results-schema.md#DirectiveType) (1..1) |
+|||
+| definition_unknown | [oval-res:DirectiveType](oval-results-schema.md#DirectiveType) (1..1) |
+|||
+| definition_error | [oval-res:DirectiveType](oval-results-schema.md#DirectiveType) (1..1) |
+|||
+| definition_not_evaluated | [oval-res:DirectiveType](oval-results-schema.md#DirectiveType) (1..1) |
+|||
+| definition_not_applicable | [oval-res:DirectiveType](oval-results-schema.md#DirectiveType) (1..1) |
+|||
+
+## == DefaultDirectivesType ==
+
+The DefaultDirectivesType complex type presents the default set of flags that describe what information has been included in the results document. See the definition of the oval-res:DirectivesType for more information.
+
+The optional include_source_definitions attribute indicates whether or not the source OVAL Definitions document has been included in the results document. A value of false indicates that the source OVAL Definitions has not been included. By default the source document is included.
+
+**Extends:** [oval-res:DirectivesType](oval-results-schema.md#DirectivesType)
+
+#### Attributes:
+
+* **include_source_definitions** xsd:boolean (optional -- default='true')
+
+## == ClassDirectivesType ==
+
+The ClassDirectivesType complex type presents a set of flags that describe what information has been included in the results document for a specific OVAL Definition class. See the definition of the oval-res:DirectivesType for more information.
+
+The required class attribute allows a set of directives to be specified for each supported OVAL Definition class (See the definition of the oval:ClassEnumeration for more information about the supported classes). A set of class specific directives overrides the default directives for the specified definition class. A given class may be specified once.
+
+**Extends:** [oval-res:DirectivesType](oval-results-schema.md#DirectivesType)
+
+#### Attributes:
+
+* **class** [oval:ClassEnumeration](oval-common-schema.md#ClassEnumeration) (required)
+
+## == DirectiveType ==
+
+An individual directive element determines whether or not a specific type of result is included in the results document. The required reported attribute controls this by providing a true or false for the specific directive. The optional content attribute controls how much information about the specific result is provided. For example, thin content would only be the id of the definition and the result, while a full content set would be the definition id with the result along with results for all the individual tests and extended definitions. Please refer to the oval-res:ContentEnumeration for details about the different content options.
+
+#### Attributes:
+
+* **reported** xsd:boolean (required)
+* **content** [oval-res:ContentEnumeration](oval-results-schema.md#ContentEnumeration) (optional -- default='full')
+
+______________
+
+## == ResultsType ==
+
+The ResultsType complex type is a container for one or more system elements. Each system element defines the results associated with an individual system. Please refer to the description of SystemType for more information about an individual system element.
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| system | [oval-res:SystemType](oval-results-schema.md#SystemType) (1..unbounded) |
+|||
+
+## == SystemType ==
+
+The SystemType complex type holds the evaluation results of the definitions and tests, as well as a copy of the OVAL System Characteristics used to perform the evaluation. The definitions section holds the results of the definitions and the tests section holds the results of the tests. The oval_system_characteristics section is a copy of the System Characteristics document used to perform the evaluation of the OVAL Definitions.
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| definitions | [oval-res:DefinitionsType](oval-results-schema.md#DefinitionsType) (0..1) |
+|||
+| tests | [oval-res:TestsType](oval-results-schema.md#TestsType) (0..1) |
+|||
+| [oval-sc:oval_system_characteristics](oval-system-characteristics-schema.md#oval_system_characteristics) | n/a (1..1) |
+|||
+
+______________
+
+## == DefinitionsType ==
+
+The DefinitionsType complex type is a container for one or more definition elements. Each definition element holds the result of the evaluation of an OVAL Definition. Please refer to the description of DefinitionType for more information about an individual definition element.
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| definition | [oval-res:DefinitionType](oval-results-schema.md#DefinitionType) (1..unbounded) |
+|||
+
+## == DefinitionType ==
+
+The DefinitionType complex type holds the result of the evaluation of an OVAL Definition. The message element holds an error message or some other string that the analysis engine wishes to pass along. In addition, the optional criteria element provides the results of the individual pieces of the criteria. Please refer to the description of the CriteriaType for more information.
+
+The required definition_id attribute is the OVAL id of the definition.
+
+The required version attribute is the specific version of the OVAL Definition used during analysis.
+
+The optional variable_instance attribute is a unique id that differentiates each unique instance of a definition. Capabilities that use OVAL may reference the same definition multiple times and provide different variable values each time the definition is referenced. This will result in multiple instances of a definition being included in the OVAL Results document (definitions that do not use variables can only have one unique instance). The inclusion of this unique instance identifier allows the OVAL Results document to associate the correct objects and items for each combination of supplied values.
+
+The optional class attribute ...
+
+The required result attribute holds the result of the evaluation. Please refer to the description of the ResultEnumeration for details about the different result values.
+
+#### Attributes:
+
+* **definition_id** [oval:DefinitionIDPattern](oval-common-schema.md#DefinitionIDPattern) (required)
+* **version** xsd:nonNegativeInteger (required)
+* **variable_instance** xsd:nonNegativeInteger (optional -- default='1')
+* **class** [oval:ClassEnumeration](oval-common-schema.md#ClassEnumeration) (optional)
+* **result** [oval-res:ResultEnumeration](oval-results-schema.md#ResultEnumeration) (required)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| message | [oval:MessageType](oval-common-schema.md#MessageType) (0..unbounded) |
+|||
+| criteria | [oval-res:CriteriaType](oval-results-schema.md#CriteriaType) (0..1) |
+|||
+
+## == CriteriaType ==
+
+The CriteriaType complex type describes the high level container for all the tests and represents the meat of the definition. Each criteria can contain other criteria elements in a recursive structure allowing complex logical trees to be constructed. Each referenced test is represented by a criterion element. Please refer to the description of the CriterionType for more information about and individual criterion element. The optional extend_definition element allows existing definitions to be included in the criteria. Refer to the description of the ExtendDefinitionType for more information.
+
+The required operator attribute provides the logical operator that binds the different statements inside a criteria together. The optional negate attribute signifies that the result of an extended definition should be negated during analysis. For example, consider a definition that evaluates TRUE if a certain software is installed. By negating the definition, it now evaluates to TRUE if the software is NOT installed. The required result attribute holds the result of the evaluation of the criteria. Note that this would be after any negation operation has been applied. Please refer to the description of the ResultEnumeration for details about the different result values.
+
+The optional applicability_check attribute provides a Boolean flag that when true indicates that the criteria is being used to determine whether the OVAL Definition applies to a given system.
+
+#### Attributes:
+
+* **applicability_check** xsd:boolean (optional)
+* **operator** [oval:OperatorEnumeration](oval-common-schema.md#OperatorEnumeration) (required)
+* **negate** xsd:boolean (optional -- default='false')
+* **result** [oval-res:ResultEnumeration](oval-results-schema.md#ResultEnumeration) (required)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| criteria | [oval-res:CriteriaType](oval-results-schema.md#CriteriaType) (1..unbounded) |
+|||
+| criterion | [oval-res:CriterionType](oval-results-schema.md#CriterionType) (1..unbounded) |
+|||
+| extend_definition | [oval-res:ExtendDefinitionType](oval-results-schema.md#ExtendDefinitionType) (1..unbounded) |
+|||
+
+## == CriterionType ==
+
+The CriterionType complex type identifies a specific test that is included in the definition's criteria.
+
+The optional applicability_check attribute provides a Boolean flag that when true indicates that the criterion is being used to determine whether the OVAL Definition applies to a given system.
+
+The required test_ref attribute is the actual id of the included test.
+
+The required version attribute is the specific version of the OVAL Test used during analysis.
+
+The optional variable_instance attribute differentiates between unique instances of a test. This can happen when a test includes a variable reference and different variable values are used by different definitions.
+
+The optional negate attribute signifies that the result of an individual test should be negated during analysis. For example, consider a test that evaluates to TRUE if a specific patch is installed. By negating this test, it now evaluates to TRUE if the patch is NOT installed.
+
+The required result attribute holds the result of the evaluation. Please refer to the description of the ResultEnumeration for details about the different result values.
+
+#### Attributes:
+
+* **applicability_check** xsd:boolean (optional)
+* **test_ref** [oval:TestIDPattern](oval-common-schema.md#TestIDPattern) (required)
+* **version** xsd:nonNegativeInteger (required)
+* **variable_instance** xsd:nonNegativeInteger (optional -- default='1')
+* **negate** xsd:boolean (optional -- default='false')
+* **result** [oval-res:ResultEnumeration](oval-results-schema.md#ResultEnumeration) (required)
+
+## == ExtendDefinitionType ==
+
+The ExtendDefinitionType complex type identifies a specific definition that has been extended by the criteria.
+
+The optional applicability_check attribute provides a Boolean flag that when true indicates that the extend_definition is being used to determine whether the OVAL Definition applies to a given system.
+
+The required definition_ref attribute is the actual id of the extended definition.
+
+The required version attribute is the specific version of the OVAL Definition used during analysis.
+
+The optional variable_instance attribute is a unique id that differentiates each unique instance of a definition. Capabilities that use OVAL may reference the same definition multiple times and provide different variable values each time the definition is referenced. This will result in multiple instances of a definition being included in the OVAL Results document (definitions that do not use variables can only have one unique instance). The inclusion of this unique instance identifier allows the OVAL Results document to associate the correct objects and items for each combination of supplied values.
+
+The optional negate attribute signifies that the result of an extended definition should be negated during analysis. For example, consider a definition that evaluates TRUE if certain software is installed. By negating the definition, it now evaluates to TRUE if the software is NOT installed.
+
+The required result attribute holds the result of the evaluation. Please refer to the description of the ResultEnumeration for details about the different result values.
+
+#### Attributes:
+
+* **applicability_check** xsd:boolean (optional)
+* **definition_ref** [oval:DefinitionIDPattern](oval-common-schema.md#DefinitionIDPattern) (required)
+* **version** xsd:nonNegativeInteger (required)
+* **variable_instance** xsd:nonNegativeInteger (optional -- default='1')
+* **negate** xsd:boolean (optional -- default='false')
+* **result** [oval-res:ResultEnumeration](oval-results-schema.md#ResultEnumeration) (required)
+
+______________
+
+## == TestsType ==
+
+The TestsType complex type is a container for one or more test elements. Each test element holds the result of the evaluation of an OVAL Test. Please refer to the description of TestType for more information about an individual test element.
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| test | [oval-res:TestType](oval-results-schema.md#TestType) (1..unbounded) |
+|||
+
+## == TestType ==
+
+The TestType complex type provides a reference to every item that matched the object section of the original test as well as providing an overall test result based on those items. The optional message element holds an error message or some other string that the analysis engine wishes to pass along. The optional tested_variable elements hold the value of each variable used by the test during evaluation. This includes the values used in both OVAL Objects and OVAL States. If a variable represents a collection of values, then multiple tested_variable elements would exist with the same variable_id attribute. Please refer to the description of oval-res:TestedVariableType for more information.
+
+The required test_id attribute identifies the test and must conform to the format specified by the oval:TestIDPattern simple type.
+
+The required version attribute is the specific version of the OVAL Test used during analysis.
+
+The optional variable_instance attribute differentiates between unique instances of a test. This can happen when a test includes a variable reference and different values for that variable are used by different definitions.
+
+The check_existence, check, and state_operator attributes reflect the values that were specified on the test as it was evaluated. These evaluation control attributes are copied into the OVAL Results file to enable post processing of results documents. More information on each of these attributes is provided with the definition of the oval-def:TestType.
+
+The required result attribute holds the result of the evaluation after all referenced items have been examined and the evaluation control attributes have been applied. Please refer to the description of the oval-res:ResultEnumeration for details about the different result values. In general, the overall result of an OVAL Test is determined by combining the results of each matching item based first on the check_existence attribute, then the check attribute, and finally the state_operator attribute.
+
+The following section provides a more detailed description of how the result for an OVAL Test is determined when using an OVAL System Characteristics document. An OVAL System Characteristics document can contain an optional collected_objects section. When the collected_objects section is present the following rules specify how the overall result for an OVAL Test is determined: When an oval-sc:collected_objects/oval-sc:object with an id that matches the OVAL Object id that is referenced by the OVAL Test is not found, the result for the OVAL Test must be "unknown". When the flag attribute of the corresponding oval-sc:collected_objects/oval-sc:object is "error", the result of the OVAL Test must be "error". When the flag attribute of the corresponding oval-sc:collected_objects/oval-sc:object is "not collected", the result of the OVAL Test must be "unknown". When the flag attribute of the corresponding oval-sc:collected_objects/oval-sc:object is "not applicable", the result of the OVAL Test must be "not applicable". When the flag attribute of the corresponding oval-sc:collected_objects/oval-sc:object is "does not exist", the result of the OVAL Test is determined by examining the check_existence attribute's value and if the check_existence attribute is "none_exist" or "any_exist" the OVAL Test should evaluate to "true", for all other values of the check_existence attribute the OVAL Test should evaluate to "false". The check and state_operator attributes do not need to be considered in this condition. When the flag attribute of the corresponding oval-sc:collected_objects/oval-sc:object is "complete", the result of the OVAL Test is determined by first evaluating the check_existence attribute specified by the OVAL Test and then evaluating the check and state_operator attributes. The check attribute only needs to be considered if the result of evaluating the check_existence attribute is "true". 
When the flag attribute of the corresponding oval-sc:collected_objects/oval-sc:object is "incomplete", the result of the OVAL Test must be "unknown" with the following exceptions: 1) When the check_existence attribute of the OVAL Test is set to "none_exist" and the collected object has 1 or more item references with a status of "exists", a result of "false" must be reported; 2) When the check_existence attribute of the OVAL Test is set to "only_one_exists", the collected object has more than 1 item reference with a status of "exists", a result of "false" must be reported; 3) If after evaluating the check_existence attribute a non "true" result has not been determined, the check attribute must be considered as follows: 3a) If the check attribute evaluation results in "false", then the OVAL Test result must be "false"; 3b) If the check attribute is set to "at_least_one_satisfies" and its evaluation results in "true", the OVAL Test result must be "true". When the collected_objects section is not present in the OVAL System Characteristics document, the evaluation engine must search the system characteristics for all Items that match the OVAL Object referenced by the OVAL Test. The set of matching OVAL Items is then evaluated first based on the check_existence attribute, then the check attribute, and finally the state_operator attribute.
+
+#### Attributes:
+
+* **test_id** [oval:TestIDPattern](oval-common-schema.md#TestIDPattern) (required)
+* **version** xsd:nonNegativeInteger (required)
+* **variable_instance** xsd:nonNegativeInteger (optional -- default='1')
+* **check_existence** [oval:ExistenceEnumeration](oval-common-schema.md#ExistenceEnumeration) (optional -- default='at_least_one_exists')
+* **check** [oval:CheckEnumeration](oval-common-schema.md#CheckEnumeration) (required)
+* **state_operator** [oval:OperatorEnumeration](oval-common-schema.md#OperatorEnumeration) (optional -- default='AND')
+* **result** [oval-res:ResultEnumeration](oval-results-schema.md#ResultEnumeration) (required)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| message | [oval:MessageType](oval-common-schema.md#MessageType) (0..unbounded) |
+|||
+| tested_item | [oval-res:TestedItemType](oval-results-schema.md#TestedItemType) (0..unbounded) |
+|||
+| tested_variable | [oval-res:TestedVariableType](oval-results-schema.md#TestedVariableType) (0..unbounded) |
+|||
+
+## == TestedItemType ==
+
+The TestedItemType complex type holds a reference to a system characteristic item that matched the object specified in a test. Details of the item can be found in the oval_system_characteristics section of the OVAL Results document by using the required item_id. The optional message element holds an error message or some other message that the analysis engine wishes to pass along. The required result attribute holds the result of the evaluation of the individual item as it relates to the state specified by the test. If the test did not include a state reference then the result attribute will be set to 'not evaluated'. Please refer to the description of the ResultEnumeration for details about the different result values.
+
+#### Attributes:
+
+* **item_id** [oval:ItemIDPattern](oval-common-schema.md#ItemIDPattern) (required)
+* **result** [oval-res:ResultEnumeration](oval-results-schema.md#ResultEnumeration) (required)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| message | [oval:MessageType](oval-common-schema.md#MessageType) (0..unbounded) |
+|||
+
+## == TestedVariableType ==
+
+The TestedVariableType complex type holds the value of a variable used during the evaluation of a test. Of special importance are the values of any external variables used since these values are not captured in either the definition or system characteristic documents. If a variable is represented by a collection of values, then multiple elements of TestedVariableType, each with the same variable_id attribute, would exist. The required variable_id attribute is the unique id of the variable that was used.
+
+#### Attributes:
+
+* **variable_id** [oval:VariableIDPattern](oval-common-schema.md#VariableIDPattern) (required)
+
+**Simple Content:** xsd:anySimpleType
+
+______________
+
+## -- ContentEnumeration --
+
+The ContentEnumeration defines the valid values for the directives controlling the amount of expected depth found in the results document. Each directive specified at the top of an OVAL Results document defines how much information should be included in the document for each of the different result types. The amount of content that is expected with each value is defined by Schematron statements embedded throughout the OVAL Results Schema. Currently, the enumeration defines two values: thin and full. Please refer to the documentation of each individual value of this enumeration for more information about what each means.
+
+| Value | Description |
+| ----- | ----------- |
+| thin | A value of 'thin' means only the minimal amount of information will be provided. This is the id associated with an evaluated OVAL Definition and the result of the evaluation. The criteria child element of a definition should not be present when providing thin results. In addition, system characteristic information for the objects used by the given definition should not be presented.
|
+| full | A value of 'full' means that very detailed information will be provided allowing in-depth reports to be generated from the results. In addition to the results of the evaluated definition, the results of all extended definitions and tests included in the criteria as well as the actual information collected off the system must be presented.
|
+
+## -- ResultEnumeration --
+
+The ResultEnumeration defines the acceptable result values for the DefinitionType, CriteriaType, CriterionType, ExtendDefinitionType, TestType, and TestedItemType constructs.
+
+| Value | Description |
+| ----- | ----------- |
+| true | When evaluating a definition or test, a result value of 'true' means that the characteristics being evaluated match the information represented in the system characteristic document. When evaluating a tested_item, and a state exists, a result value of 'true' indicates that the item matches the state.
|
+| false | When evaluating a definition or test, a result value of 'false' means that the characteristics being evaluated do not match the information represented in the system characteristic document. When evaluating a tested_item, and a state exists, a result value of 'false' indicates that the item does not match the state.
|
+| unknown | When evaluating a definition or test, a result value of 'unknown' means that the characteristics being evaluated cannot be found in the system characteristic document (or the characteristics can be found but collected object flag is 'not collected'). For example, assume that a definition tests a file, but data pertaining to that file cannot be found and is not recorded in the System Characteristics document. The lack of an item (in the system_data section) for this file in the System Characteristics document means that no attempt was made to collect information about the file. In this situation, there is no way of knowing what the result would be if the file was collected. Note that finding a collected_object element in the system characteristic document is not the same as finding a matching element of the system. When evaluating an OVAL Test, the lack of a matching object on a system (for example, file not found) does not cause a result of unknown since an test considers both the state of an item and its existence. In this case the test result would be based on the existence check specified by the check_existence attribute on the test. When evaluating a tested_item, and a state exists, a result value of 'unknown' indicates that it could not be determined whether or not the item and state match. For example, if a registry_object with a hive equal to HKEY_LOCAL_MACHINE, a key with the xsi:nil attribute set to 'true', and a name with the xsi:nil attribute set to 'true' was collected and compared against a registry_state with key entity equal to 'SOFTWARE', the tested_item result would be 'unknown' because an assertion of whether or not the item matches the state could not be determined since the key entity of the item was not collected.
|
+| error | When evaluating a definition or test, a result value of 'error' means that the characteristics being evaluated exist in the system characteristic document but there was an error either collecting information or in performing analysis. For example, if there was an error returned by an api when trying to determine if an object exists on a system. Another example would be: xsi:nil might be set on an object entity, but then the entity is compared to a state entity with a value, thus producing an error. When evaluating a tested_item, and a state exists, a result value of 'error' indicates that there was either an error collecting the item or there was an error analyzing the item against the state. For example, a tested_item will receive a result value of 'error' if an attempt is made to compare a state entity against an item entity that has a status of 'error'.
|
+| not evaluated | When evaluating a definition or test, a result value of 'not evaluated' means that a choice was made not to evaluate the given definition or test. The actual result is not known since if evaluation had occurred the result could have been either true or false. When evaluating a tested_item, a result value of 'not evaluated' indicates that a state was not specified and is equivalent to an existence check.
|
+| not applicable | When evaluating a definition or test, a result value of 'not applicable' means that the definition or test being evaluated is not valid on the given platform. For example, trying to collect Linux RPM information on a Windows system is not possible and so a result of not applicable is used. Another example would be in trying to collect RPM information on a linux system that does not have the RPM packaging system installed.
|
+
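Review bot: the TestType result-determination rules (the paragraph beginning "The following section provides a more detailed description of how the result for an OVAL Test is determined" and the line that continues it with the "incomplete" case) are the part of this schema an implementer will check code against, and as one unbroken paragraph they are hard to verify; please restructure them as one bullet per collected_objects flag value (object not found gives unknown; error gives error; not collected gives unknown; not applicable gives not applicable; does not exist gives true only for none_exist or any_exist and false otherwise; complete evaluates check_existence, then check, then state_operator; incomplete gives unknown except for the three listed cases), with the incomplete exceptions as a nested list and the no-collected_objects fallback as a final bullet. Two smaller points: in the CriteriaType child-element table, criteria, criterion and extend_definition are each shown as (1..unbounded), which reads as if every criteria element must contain all three, and nothing in the prose says how the three relate; state the cardinality of the group explicitly. In the ResultEnumeration "unknown" row, "since an test considers both the state of an item and its existence" should read "since a test considers". Also, the continuation line beginning 'When the flag attribute of the corresponding oval-sc:collected_objects/oval-sc:object is "incomplete"' and the bare "|" lines that close the ContentEnumeration and ResultEnumeration rows carry no leading "+", so the hunk as pasted would not apply cleanly; please regenerate the patch.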
diff --git a/guidelines/oval-schema-documentation/oval-system-characteristics-schema.md b/guidelines/oval-schema-documentation/oval-system-characteristics-schema.md
new file mode 100644
index 0000000..450b448
--- /dev/null
+++ b/guidelines/oval-schema-documentation/oval-system-characteristics-schema.md
@@ -0,0 +1,423 @@
+# Open Vulnerability and Assessment Language: Element Dictionary
+
+* Schema: Core System Characteristics
+* Version: 5.11.2
+* Release Date: 11/30/2016 09:00:00 AM
+
+The following is a description of the elements, types, and attributes that compose the core schema for encoding Open Vulnerability and Assessment Language (OVAL) System Characteristics. The Core System Characteristics Schema defines all operating system independent objects. These objects are extended and enhanced by individual family schemas, which are described in separate documents. Each of the elements, types, and attributes that make up the Core System Characteristics Schema are described in detail and should provide the information necessary to understand what each object represents. This document is intended for developers and assumes some familiarity with XML. A high level description of the interaction between these objects is not outlined here.
+
+The OVAL Schema is maintained by the OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.cisecurity.org.
+
+______________
+
+## < oval_system_characteristics >
+
+The system_characteristics element is the root of an OVAL System Characteristics Document, and must occur exactly once. Its purpose is to bind together the four major sections of a system characteristics file - generator, system_info, collected_objects, and system_data - which are the children of the oval_system_characteristics element.
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| generator | [oval:GeneratorType](oval-common-schema.md#GeneratorType) (1..1) |
+||The generator section must be present and provides information about when the system characteristics file was compiled and under what version.
|
+| system_info | [oval-sc:SystemInfoType](oval-system-characteristics-schema.md#SystemInfoType) (1..1) |
+||The required system_info element is used to record information about the system being described.
|
+| collected_objects | [oval-sc:CollectedObjectsType](oval-system-characteristics-schema.md#CollectedObjectsType) (0..1) |
+||The optional collected_objects section is used to associated the ids of the OVAL Objects collected with the system characteristics items that have been defined. The collected_objects section provides a listing of all the objects used to generate this system characteristics file.
|
+| system_data | [oval-sc:SystemDataType](oval-system-characteristics-schema.md#SystemDataType) (0..1) |
+||The optional system_data section defines the specific characteristics that have been collected from the system.
|
+| [ds:Signature](http://www.w3.org/TR/xmldsig-core/#sec-Signature) | n/a (0..1) |
+||The optional Signature element allows an XML Signature as defined by the W3C to be attached to the document. This allows authentication and data integrity to be provided to the user. Enveloped signatures are supported. More information about the official W3C Recommendation regarding XML digital signatures can be found at http://www.w3.org/TR/xmldsig-core/.
|
+
+______________
+
+## == SystemInfoType ==
+
+The SystemInfoType complex type specifies general information about the system that data was collected from, including information that can be used to identify the system. See the description of the InterfacesType complex type for more information. Note that the high level interfaces is required due to the inclusion of the xsd:any tag that follows it. The interfaces tag can be empty if no single interface is present.
+
+Additional system information is also allowed although it is not part of the official OVAL Schema. Individual organizations can place system information that they feel is important and these will be skipped during the validation. All OVAL really cares about is that the required system information items are there.
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| os_name | xsd:string (1..1) |
+||The required os_name elements describes the operating system of the machine the data was collected on.
|
+| os_version | xsd:string (1..1) |
+||The required os_version elements describe the operating system version of the machine the data was collected on.
|
+| architecture | xsd:string (1..1) |
+||The required architecture element describes the hardware architecture type of the system data was collected on.
|
+| primary_host_name | xsd:string (1..1) |
+||The required primary_host_name element is the primary host name of the machine the data was collected on.
|
+| interfaces | [oval-sc:InterfacesType](oval-system-characteristics-schema.md#InterfacesType) (1..1) |
+||The required interfaces element outlines the network interfaces that exist on the system.
|
+| xsd:any | n/a (0..unbounded) |
+||The Asset Identification specification (http://scap.nist.gov/specifications/ai/) provides a standardized way of reporting asset information across different organizations.
The information contained within an AI computing-device element is similar to the information collected by OVAL's SystemInfoType.
To support greater interoperability, an ai:computing-device element describing the system that data was collected from may appear at this point in an OVAL System Characteristics document.
|
+
+## == InterfacesType ==
+
+The InterfacesType complex type is a container for zero or more interface elements. Each interface element is used to describe an existing network interface on the system.
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| interface | [oval-sc:InterfaceType](oval-system-characteristics-schema.md#InterfaceType) (0..unbounded) |
+||Please refer to the description of the InterfaceType for more information.
|
+
+## == InterfaceType ==
+
+The InterfaceType complex type is used to describe an existing network interface on the system. This information can help identify a specific system on a given network.
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| interface_name | xsd:string (1..1) |
+||The required interface_name element is the name of the interface
|
+| ip_address | xsd:string (1..1) |
+||The required ip_address element holds the IP address for the interface. Note that the IP address can be IPv4 or IPv6.
|
+| mac_address | xsd:string (1..1) |
+||The required mac_address element holds the MAC address for the interface. MAC addresses should be formatted according to the IEEE 802-2001 standard which states that a MAC address is a sequence of six octet values, separated by hyphens, where each octet is represented by two hexadecimal digits. Uppercase letters should also be used to represent the hexadecimal digits A through F.
|
+
+______________
+
+## == CollectedObjectsType ==
+
+The CollectedObjectsType complex type states all the objects that have been collected by the system characteristics file. The details of each object are defined by the global OVAL object that is identified by the id.
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-sc:ObjectType](oval-system-characteristics-schema.md#ObjectType) (1..unbounded) |
+|||
+
+## == ObjectType ==
+
+The ObjectType complex type provides a reference between items collected and a related global OVAL Object.
+
+If an OVAL Object does not exist on the system, then an object element is still provided but with the flag attribute set to 'does not exist'. For details on how to handle items, when an OVAL Object does not exist on the system, please see the ItemType documentation. This shows that the object was looked for but not found on the system. If no object element is written in this case, users of the system characteristics file will not know whether the object was not found or no attempt was made to collect it.
+
+The required id attribute is the id of the global OVAL Object.
+
+The required version attribute is the specific version of the global OVAL Object that was used by the data collection engine. The version is necessary so that analysis using a system characteristics file knows exactly what was collected.
+
+The optional variable_instance identifier is a unique id that differentiates each unique instance of an object. Capabilities that use OVAL may reference the same definition multiple times and provide different variable values each time the definition is referenced. This will result in multiple instances of an object being included in the OVAL System Characteristics file (definitions that do not use variables can only have one unique instance). The inclusion of this unique instance identifier allows the OVAL Results document to associate the correct objects and items for each combination of supplied values.
+
+The optional comment attribute provides a short description of the object.
+
+The required flag attribute holds information regarding the outcome of the data collection. For example, if there was an error looking for items that match the object specification, then the flag would be 'error'. Please refer to the description of FlagEnumeration for details about the different flag values.
+
+#### Attributes:
+
+* **id** [oval:ObjectIDPattern](oval-common-schema.md#ObjectIDPattern) (required)
+* **version** xsd:nonNegativeInteger (required)
+* **variable_instance** xsd:nonNegativeInteger (optional -- default='1')
+* **comment** xsd:string (optional)
+* **flag** [oval-sc:FlagEnumeration](oval-system-characteristics-schema.md#FlagEnumeration) (required)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| message | [oval:MessageType](oval-common-schema.md#MessageType) (0..unbounded) |
+||The optional message element holds an error message or some other string that the data collection engine wishes to pass along.
|
+| variable_value | [oval-sc:VariableValueType](oval-system-characteristics-schema.md#VariableValueType) (0..unbounded) |
+||The optional variable_value elements define the actual value(s) used during data collection of any variable referenced by the object (as well as any object referenced via a set element). An OVAL Object that includes a variable maybe have a different unique set of matching items depending on the value assigned to the variable. A tool that is given an OVAL System Characteristics file in order to analyze an OVAL Definition needs to be able to determine the exact instance of an object to use based on the variable values supplied. If a variable represents a collection of values, then multiple variable_value elements would exist with the same variable_id attribute.
|
+| reference | [oval-sc:ReferenceType](oval-system-characteristics-schema.md#ReferenceType) (0..unbounded) |
+||The optional reference element links the collected item found by the data collection engine and the global OVAL Object. A global OVAL Object my have multiple matching items on a system. For example a global file object that is a pattern match might match 10 different files on a specific system. In this case, there would be 10 reference elements, one for each of the files found on the system.
|
+
+## == VariableValueType ==
+
+The VariableValueType complex type holds the value to a variable used during the collection of an object. The required variable_id attribute is the unique id of the variable being identified.
+
+#### Attributes:
+
+* **variable_id** [oval:VariableIDPattern](oval-common-schema.md#VariableIDPattern) (required)
+
+**Simple Content:** xsd:anySimpleType
+
+## == ReferenceType ==
+
+The ReferenceType complex type specifies an item in the system characteristics file. This reference is used to link global OVAL Objects to specific items.
+
+#### Attributes:
+
+* **item_ref** [oval:ItemIDPattern](oval-common-schema.md#ItemIDPattern) (required)
+
+______________
+
+## == SystemDataType ==
+
+The SystemDataType complex type is a container for one or more item elements. Each item defines a specific piece of data on the system.
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| [oval-sc:item](oval-system-characteristics-schema.md#item) | n/a (1..unbounded) |
+|||
+
+## < item >
+
+The abstract item element holds information about a specific item on a system. An item might be a file, a rpm, a process, etc. This element is extended by the different component schemas through substitution groups. Each item represents a unique instance of an object as specified by an OVAL Object. For example, a single file or a single user. Each item may be referenced by more than one object in the collected object section. Please refer to the description of ItemType for more details about the information stored in items.
+
+[oval-sc:ItemType](oval-system-characteristics-schema.md#ItemType)
+
+## == ItemType ==
+
+The ItemType complex type specifies an optional message element that is used to pass things like error messages during data collection to a tool that will utilize the information.
+
+The required id attribute is a unique (to the file) identifier that allows the specific item to be referenced.
+
+The required status attribute holds information regarding the success of the data collection. For example, if an item exists on the system then the status would reflect this with a value of 'exists'. If an error occurs which is not associated with any item entities, or if an error occurs that is associated with an item entity matching an associated object entity, then the status would be 'error'. An error specific to any particular entity should be addressed at the entity level and, for item entities not associated with an object entity, not the item level. When creating items, any entities that can successfully be collected should be reported.
+
+In some cases, when an item for a specified object does not exist, it may be beneficial to report a partial match of an item showing what entities did exist and what entities did not exist for debugging purposes. This is especially true when considering items that are collected by objects with hierarchical object entities. An example of such a case is when a file_object has a path entity equal to 'C:\' and a filename entity equal to 'test.txt' where 'test.txt' does not exist in the 'C:\' directory. This would result in the creation of a partially matching file_item with a status of 'does not exist' where the path entity equals 'C:\' and the filename entity equals 'test.txt' with a status of 'does not exist'. By showing the partial match, someone reading a system-characteristics document can quickly see that a matching file_item did not exist because the specified filename did not exist and not that the specified path did not exist. Again, please note that the implementation of partial matches, when an item for a specified object does not exist, is completely optional.
+
+#### Attributes:
+
+* **id** [oval:ItemIDPattern](oval-common-schema.md#ItemIDPattern) (required)
+* **status** [oval-sc:StatusEnumeration](oval-system-characteristics-schema.md#StatusEnumeration) (optional -- default='exists')
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| message | [oval:MessageType](oval-common-schema.md#MessageType) (0..50) |
+|||
+
+______________
+
+## -- FlagEnumeration --
+
+The FlagEnumeration simple type defines the valid flags associated with a collected object. These flags are meant to provide information about how the specified object was handled by the data collector. In order to evaluate an OVAL Definition, information about the defined objects needs to be available. The flags help detail the outcome of attempting to collect information related to these objects..
+
+| Value | Description |
+| ----- | ----------- |
+| error | A flag of 'error' indicates that there was an error trying to identify items on the system that match the specified object declaration. This flag is not meant to be used when there was an error retrieving a specific entity, but rather when it could not be determined if an item exists or not. Any error in retrieving a specific entity should be represented by setting the status of that specific entity to 'error'.
|
+| complete | A flag of 'complete' indicates that every matching item on the system has been identified and is represented in the system characteristics file. It can be assumed that no additional matching items exist on the system.
|
+| incomplete | A flag of 'incomplete' indicates that a matching item exists on the system, but only some of the matching items have been identified and are represented in the system characteristics file. It is unknown if additional matching items also exist. Note that with a flag of 'incomplete', each item that has been identified matches the object declaration, but additional items might also exist on the system.
|
+| does not exist | A flag of 'does not exist' indicates that the underlying structure is installed on the system but no matching item was found. For example, the Windows metabase is installed but there were no items that matched the metabase_object. In this example, if the metabase itself was not installed, then the flag would have been 'not applicable'.
|
+| not collected | A flag of 'not collected' indicates that no attempt was made to collect items on the system. An object with this flag will produce an 'unknown' result during analysis since it is unknown if matching items exists on the system or not. This is different from an 'error' flag because an 'error' flag indicates that an attempt was made to collect items on system whereas a 'not collected' flag indicates that an attempt was not made to collect items on the system.
|
+| not applicable | A flag of 'not applicable' indicates that the specified object is not applicable to the system being characterized. This could be because the data repository is not installed or that the object structure is for a different flavor of systems. An example would be trying to collect objects related to a Red Hat system off of a Windows system. Another example would be trying to collect an rpminfo_object on a Linux system if the rpm packaging system is not installed. If the rpm packaging system is installed and the specified rpminfo_object could not be found, then the flag would be 'does not exist'.
|
+
+Below is a table that outlines how each FlagEnumeration value effects evaluation of a given test. Note that this is related to the existence of a unique set of items identified by an object and not each item's compliance with a state. The left column identifies the FlagEnumeration value in question. The right column specifies the ResultEnumeration value that should be used when evaluating the collected object.
+```
+ ||
+ flag value || test result is
+ ||
+-----------------||----------------------------
+ error || error
+ complete || (test result depends on
+ incomplete || check_existence and
+ does not exist || check attributes)
+ not collected || unknown
+ not applicable || not applicable
+-----------------||-----------------------------
+```
+
+## -- StatusEnumeration --
+
+The StatusEnumeration simple type defines the valid status messages associated with collection of specific information associated with an item.
+
+| Value | Description |
+| ----- | ----------- |
+| error | A status of 'error' says that there was an error collecting information associated with an item as a whole or any specific entity. An item would have a status of 'error' if a problem occurred that prevented the item from being collected. For example, a file_item would have a status of 'error' if a handle to the file could not be opened because the handle was already in use by another program. See the documentation for ItemType for information about when an item entity status of 'error' should propagate up to the item status level.
|
+| exists | A status of 'exists' says that the item or specific piece of information exists on the system and has been collected.
|
+| does not exist | A status of 'does not exist' says that the item or specific piece of information does not exist and therefore has not been collected. This status assumes that an attempt was made to collect the information, but the information just does not exist. This can happen when a certain entity is only pertinent to particular instances or if the information for that entity is not set.
|
+| not collected | A status of 'not collected' says that no attempt was made to collect the item or specific piece of information so it is unknown what the value is and if it even exists.
|
+
+## -- EntityAttributeGroup --
+
+The EntityAttributeGroup is a collection of attributes that are common to all entities. This group defines these attributes and their default values. Individual entities may limit allowed values for these attributes, but all entities will support these attributes.
+
+#### Attributes:
+
+* **datatype** [oval:DatatypeEnumeration](oval-common-schema.md#DatatypeEnumeration) (optional -- default='string')
+The optional datatype attribute determines the type of data expected (the default datatype is 'string'). Note that the datatype attribute simply defines the type of data as found on the system, it is not used during evaluation. An OVAL Definition defines how the data should be interpreted during analysis. If the definition states a datatype that is different than what the system characteristics presents, then a type cast must be made.
+* **mask** xsd:boolean (optional -- default='false')
+The optional mask attribute is used to identify values that have been hidden for sensitivity concerns. This is used by the Result document which uses the System Characteristics schema to format the information found on a specific system. When the mask attribute is set to 'true' on an OVAL Entity or an OVAL Field, the corresponding collected value of that OVAL Entity or OVAL Field MUST NOT be present in the "results" section of the OVAL Results document; the "oval_definitions" section must not be altered and must be an exact copy of the definitions evaluated. Values MUST NOT be masked in OVAL System Characteristics documents that are not contained within an OVAL Results document. It is possible for masking conflicts to occur where one entity has mask set to true and another entity has mask set to false. A conflict will occur when the mask attribute is set differently on an OVAL Object and matching OVAL State or when more than one OVAL Objects identify the same OVAL Item(s). When such a conflict occurs the result is always to mask the entity.
+* **status** [oval-sc:StatusEnumeration](oval-system-characteristics-schema.md#StatusEnumeration) (optional -- default='exists')
+The optional status attribute holds information regarding the success of the data collection. For example, if there was an error collecting a particular piece of data, then the status would be 'error'.
+
+## == EntityItemSimpleBaseType ==
+
+The EntityItemSimpleBaseType complex type is an abstract type that serves as the base type for all simple item entities.
+
+**Simple Content:** xsd:anySimpleType
+
+## == EntityItemComplexBaseType ==
+
+The EntityItemComplexBaseType complex type is an abstract type that serves as the base type for all complex item entities.
+
+## == EntityItemIPAddressType ==
+
+The EntityItemIPAddressType type is extended by the entities of an individual item. This type provides uniformity to each entity by including the attributes found in the EntityItemSimpleBaseType. This specific type describes any IPv4/IPv6 address or address prefix.
+
+**Restricts:** [oval-sc:EntityItemSimpleBaseType](oval-system-characteristics-schema.md#EntityItemSimpleBaseType)
+
+#### Attributes:
+
+* **datatype** Restriction of [oval:SimpleDatatypeEnumeration](oval-common-schema.md#SimpleDatatypeEnumeration) (required) ('ipv4_address', 'ipv6_address')
+
+**Simple Content:** Restricts xsd:string
+
+## == EntityItemIPAddressStringType ==
+
+The EntityItemIPAddressStringType type is extended by the entities of an individual item. This type provides uniformity to each entity by including the attributes found in the EntityItemSimpleBaseType. This specific type describes any IPv4/IPv6 address, address prefix, or its string representation.
+
+**Restricts:** [oval-sc:EntityItemSimpleBaseType](oval-system-characteristics-schema.md#EntityItemSimpleBaseType)
+
+#### Attributes:
+
+* **datatype** Restriction of [oval:SimpleDatatypeEnumeration](oval-common-schema.md#SimpleDatatypeEnumeration) (optional -- default='string') ('ipv4_address', 'ipv6_address', 'string')
+
+**Simple Content:** Restricts xsd:string
+
+## == EntityItemAnySimpleType ==
+
+The EntityItemAnySimpleType type is extended by the entities of an individual item. This type provides uniformity to each entity by including the attributes found in the EntityItemSimpleBaseType. This specific type describes any simple data.
+
+**Restricts:** [oval-sc:EntityItemSimpleBaseType](oval-system-characteristics-schema.md#EntityItemSimpleBaseType)
+
+#### Attributes:
+
+* **datatype** [oval:SimpleDatatypeEnumeration](oval-common-schema.md#SimpleDatatypeEnumeration) (optional -- default='string')
+
+**Simple Content:** Restricts xsd:string
+
+## == EntityItemBinaryType ==
+
+The EntityItemBinaryType type is extended by the entities of an individual item. This type provides uniformity to each entity by including the attributes found in the EntityItemSimpleBaseType. This specific type describes simple binary data. The empty string is also allowed for cases where there was an error in the data collection of an entity and a status needs to be reported.
+
+**Restricts:** [oval-sc:EntityItemSimpleBaseType](oval-system-characteristics-schema.md#EntityItemSimpleBaseType)
+
+#### Attributes:
+
+* **datatype** [oval:SimpleDatatypeEnumeration](oval-common-schema.md#SimpleDatatypeEnumeration) (required -- fixed='binary')
+
+**Simple Content:** Union of xsd:hexBinary, [oval:EmptyStringType](oval-common-schema.md#EmptyStringType)
+
+## == EntityItemBoolType ==
+
+The EntityItemBoolType type is extended by the entities of an individual item. This type provides uniformity to each entity by including the attributes found in the EntityItemSimpleBaseType. This specific type describes simple boolean data. The empty string is also allowed for cases where there was an error in the data collection of an entity and a status needs to be reported.
+
+**Restricts:** [oval-sc:EntityItemSimpleBaseType](oval-system-characteristics-schema.md#EntityItemSimpleBaseType)
+
+#### Attributes:
+
+* **datatype** [oval:SimpleDatatypeEnumeration](oval-common-schema.md#SimpleDatatypeEnumeration) (required -- fixed='boolean')
+
+**Simple Content:** Union of xsd:boolean, [oval:EmptyStringType](oval-common-schema.md#EmptyStringType)
+
+## == EntityItemFloatType ==
+
+The EntityItemFloatType type is extended by the entities of an individual item. This type provides uniformity to each entity by including the attributes found in the EntityItemSimpleBaseType. This specific type describes simple float data. The empty string is also allowed for cases where there was an error in the data collection of an entity and a status needs to be reported.
+
+**Restricts:** [oval-sc:EntityItemSimpleBaseType](oval-system-characteristics-schema.md#EntityItemSimpleBaseType)
+
+#### Attributes:
+
+* **datatype** [oval:SimpleDatatypeEnumeration](oval-common-schema.md#SimpleDatatypeEnumeration) (required -- fixed='float')
+
+**Simple Content:** Union of xsd:float, [oval:EmptyStringType](oval-common-schema.md#EmptyStringType)
+
+## == EntityItemIntType ==
+
+The EntityItemIntType type is extended by the entities of an individual item. This type provides uniformity to each entity by including the attributes found in the EntityItemSimpleBaseType. This specific type describes simple integer data. The empty string is also allowed for cases where there was an error in the data collection of an entity and a status needs to be reported.
+
+**Restricts:** [oval-sc:EntityItemSimpleBaseType](oval-system-characteristics-schema.md#EntityItemSimpleBaseType)
+
+#### Attributes:
+
+* **datatype** [oval:SimpleDatatypeEnumeration](oval-common-schema.md#SimpleDatatypeEnumeration) (required -- fixed='int')
+
+**Simple Content:** Union of xsd:integer, [oval:EmptyStringType](oval-common-schema.md#EmptyStringType)
+
+## == EntityItemStringType ==
+
+The EntityItemStringType type is extended by the entities of an individual item. This type provides uniformity to each entity by including the attributes found in the EntityItemSimpleBaseType. This specific type describes simple string data.
+
+**Restricts:** [oval-sc:EntityItemSimpleBaseType](oval-system-characteristics-schema.md#EntityItemSimpleBaseType)
+
+#### Attributes:
+
+* **datatype** [oval:SimpleDatatypeEnumeration](oval-common-schema.md#SimpleDatatypeEnumeration) (optional -- fixed='string')
+
+**Simple Content:** Restricts xsd:string
+
+## == EntityItemRecordType ==
+
+The EntityItemRecordType defines an entity that consists of a number of named fields. This structure is used for representing a record from a database query and other similar structures where multiple related fields must be collected at once. Note that for all entities of this type, the only allowed datatype is 'record'.
+
+Note the datatype attribute must be set to 'record'.
+
+Note that when the mask attribute is set to 'true', all child field elements must be masked regardless of the child field's mask attribute value.
+
+**Extends:** [oval-sc:EntityItemComplexBaseType](oval-system-characteristics-schema.md#EntityItemComplexBaseType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| field | [oval-sc:EntityItemFieldType](oval-system-characteristics-schema.md#EntityItemFieldType) (0..unbounded) |
+|||
+
+## == EntityItemFieldType ==
+
+The EntityItemFieldType defines an element with simple content that represents a named field in a record that may contain any number of named fields. The EntityItemFieldType is much like all other entities with one significant difference, the EntityItemFieldType has a name attribute.
+
+The required name attribute specifies a name for the field. Field names are lowercase and may occur more than once to allow for a field to have multiple values.
+
+Note that when the mask attribute is set to 'true' on a field's parent element the field must be masked regardless of the field's mask attribute value.
+
+#### Attributes:
+
+* **name** Restriction of xsd:string (required)
+A string restricted to disallow upper case characters.
+
+**Simple Content:** xsd:anySimpleType
+
+## == EntityItemVersionType ==
+
+The EntityItemVersionType type is extended by the entities of an individual item. This type provides uniformity to each entity by including the attributes found in the EntityItemSimpleBaseType. This specific type describes version data.
+
+**Restricts:** [oval-sc:EntityItemSimpleBaseType](oval-system-characteristics-schema.md#EntityItemSimpleBaseType)
+
+#### Attributes:
+
+* **datatype** [oval:SimpleDatatypeEnumeration](oval-common-schema.md#SimpleDatatypeEnumeration) (required -- fixed='version')
+
+**Simple Content:** Restricts xsd:string
+
+## == EntityItemFilesetRevisionType ==
+
+The EntityItemFilesetRevisionType type is extended by the entities of an individual item. This type provides uniformity to each entity by including the attributes found in the EntityItemSimpleBaseType. This specific type represents the version string related to filesets in HP-UX.
+
+**Restricts:** [oval-sc:EntityItemSimpleBaseType](oval-system-characteristics-schema.md#EntityItemSimpleBaseType)
+
+#### Attributes:
+
+* **datatype** [oval:SimpleDatatypeEnumeration](oval-common-schema.md#SimpleDatatypeEnumeration) (required -- fixed='fileset_revision')
+
+**Simple Content:** Restricts xsd:string
+
+## == EntityItemIOSVersionType ==
+
+The EntityItemIOSVersionType type is extended by the entities of an individual item. This type provides uniformity to each entity by including the attributes found in the EntityItemSimpleBaseType. This specific type represents the version string for IOS.
+
+**Restricts:** [oval-sc:EntityItemSimpleBaseType](oval-system-characteristics-schema.md#EntityItemSimpleBaseType)
+
+#### Attributes:
+
+* **datatype** [oval:SimpleDatatypeEnumeration](oval-common-schema.md#SimpleDatatypeEnumeration) (required -- fixed='ios_version')
+
+**Simple Content:** Restricts xsd:string
+
+## == EntityItemEVRStringType ==
+
+The EntityItemEVRStringType type is extended by the entities of an individual item. This type provides uniformity to each entity by including the attributes found in the EntityItemSimpleBaseType. This type represents the epoch, version, and release fields, for an RPM package, as a single version string. It has the form "EPOCH:VERSION-RELEASE". Note that a null epoch (or '(none)' as returned by rpm) is equivalent to '0' and would hence have the form 0:VERSION-RELEASE. Comparisons involving this datatype should follow the algorithm of librpm's rpmvercmp() function.
+
+**Restricts:** [oval-sc:EntityItemSimpleBaseType](oval-system-characteristics-schema.md#EntityItemSimpleBaseType)
+
+#### Attributes:
+
+* **datatype** [oval:SimpleDatatypeEnumeration](oval-common-schema.md#SimpleDatatypeEnumeration) (required -- fixed='evr_string')
+
+**Simple Content:** Restricts xsd:string
+
+## == EntityItemDebianEVRStringType ==
+
+The EntityItemDebianEVRStringType type is extended by the entities of an individual item. This type provides uniformity to each entity by including the attributes found in the EntityItemSimpleBaseType. This type represents the epoch, upstream_version, and debian_revision fields, for a Debian package, as a single version string. It has the form "EPOCH:UPSTREAM_VERSION-DEBIAN_REVISION". Note that a null epoch (or '(none)' as returned by dpkg) is equivalent to '0' and would hence have the form 0:UPSTREAM_VERSION-DEBIAN_REVISION. Comparisons involving this datatype should follow the algorithm outlined in Chapter 5 of the "Debian Policy Manual" (https://www.debian.org/doc/debian-policy/ch-controlfields.html#s-f-Version). An implementation of this is the cmpversions() function in dpkg's enquiry.c.
+
+**Restricts:** [oval-sc:EntityItemSimpleBaseType](oval-system-characteristics-schema.md#EntityItemSimpleBaseType)
+
+#### Attributes:
+
+* **datatype** [oval:SimpleDatatypeEnumeration](oval-common-schema.md#SimpleDatatypeEnumeration) (required -- fixed='debian_evr_string')
+
+**Simple Content:** Restricts xsd:string
+
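Review bot: the ItemType prose and its attribute listing disagree on whether status is required. The paragraph that begins "The required status attribute holds information regarding the success of the data collection" calls it required, while the Attributes list directly below gives `status ... (optional -- default='exists')`; since a default is documented, the list entry is the likelier truth and the sentence should read "The optional status attribute". Two wording fixes in the same region: "attempting to collect information related to these objects.." has a doubled period, and "outlines how each FlagEnumeration value effects evaluation of a given test" should be "affects". The flag-to-result mapping that follows that sentence is a preformatted ASCII table inside a bare code fence, whereas every other table in this file is a markdown table; converting it to the same `| Value | Description |` form would keep the rendering consistent. In the EntityItemDebianEVRStringType description, the pointer to "the cmpversions() function in dpkg's enquiry.c" pins the text to one dpkg source tree; the Debian Policy chapter linked in the same sentence is the normative algorithm, so consider dropping the function/file reference or verifying it against the current dpkg sources before publishing.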
diff --git a/guidelines/oval-schema-documentation/oval-variables-schema.md b/guidelines/oval-schema-documentation/oval-variables-schema.md
new file mode 100644
index 0000000..c826bf8
--- /dev/null
+++ b/guidelines/oval-schema-documentation/oval-variables-schema.md
@@ -0,0 +1,60 @@
+# Open Vulnerability and Assessment Language: Element Dictionary
+
+* Schema: Core Variable
+* Version: 5.11.2
+* Release Date: 11/30/2016 09:00:00 AM
+
+
+
+The following is a description of the elements, types, and attributes that compose the core schema for encoding Open Vulnerability and Assessment Language (OVAL) Variables. This schema is provided to give structure to any external variables and their values that an OVAL Definition is expecting.
+
+The OVAL Schema is maintained by The MITRE Corporation and developed by the public OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.mitre.org.
+
+______________
+
+## < oval_variables >
+
+The oval_variables element is the root of an OVAL Variable Document. Its purpose is to bind together the different variables contained in the document. The generator section must be present and provides information about when the variable file was compiled and under what version. The optional Signature element allows an XML Signature as defined by the W3C to be attached to the document. This allows authentication and data integrity to be provided to the user. Enveloped signatures are supported. More information about the official W3C Recommendation regarding XML digital signatures can be found at http://www.w3.org/TR/xmldsig-core/.
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| generator | [oval:GeneratorType](oval-common-schema.md#GeneratorType) (1..1) |
+|||
+| variables | [oval-var:VariablesType](oval-variables-schema.md#VariablesType) (0..1) |
+|||
+| [ds:Signature](http://www.w3.org/TR/xmldsig-core/#sec-Signature) | n/a (0..1) |
+|||
+
+______________
+
+## == VariablesType ==
+
+The VariablesType complex type is a container for one or more variable elements. Each variable element holds the value of an external variable used in an OVAL Definition. Please refer to the description of the VariableType for more information about an individual variable.
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| variable | [oval-var:VariableType](oval-variables-schema.md#VariableType) (1..unbounded) |
+|||
+
+## == VariableType ==
+
+Each variable element contains the associated datatype and value which will be substituted into the OVAL Definition that is referencing this specific variable.
+
+The notes section of a variable should be used to hold information that might be helpful to someone examining the technical aspects of the variable. Please refer to the description of the NotesType complex type for more information about the notes element.
+
+#### Attributes:
+
+* **id** [oval:VariableIDPattern](oval-common-schema.md#VariableIDPattern) (required)
+* **datatype** [oval:SimpleDatatypeEnumeration](oval-common-schema.md#SimpleDatatypeEnumeration) (required)
+Note that the 'record' datatype is not permitted on variables.
+* **instance** xsd:nonNegativeInteger
+Use to specify multiple variable instances.
+* **comment** xsd:string (required)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| value | xsd:anySimpleType (1..unbounded) |
+|||
+| notes | [oval:NotesType](oval-common-schema.md#NotesType) (0..1) |
+|||
+
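Review bot: the `instance` attribute on VariableType is the only attribute in this hunk with neither a required/optional marker nor a default, and its one-line description "Use to specify multiple variable instances" does not say how an instance number relates to the `value` children (1..unbounded) or how a consumer should treat the same variable id appearing with several instances; either document that behaviour or mark it optional with its default. Because ds:Signature is (0..1), an unsigned variables document is schema-valid; the oval_variables paragraph says the signature "allows authentication and data integrity to be provided to the user", and a sentence stating that consumers that rely on that must require the signature and verify it against a trusted key would stop readers assuming the schema itself provides it. Finally, this file says the schema "is maintained by The MITRE Corporation" and links http://oval.mitre.org with Version 5.11.2, while the other new files in this patch (pixos-definitions-schema.md, pixos-system-characteristics-schema.md) say "maintained by the OVAL Community", link http://oval.cisecurity.org and carry 5.11.1:1.1; confirm that difference is deliberate.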
diff --git a/guidelines/oval-schema-documentation/pixos-definitions-schema.md b/guidelines/oval-schema-documentation/pixos-definitions-schema.md
new file mode 100644
index 0000000..d0762e3
--- /dev/null
+++ b/guidelines/oval-schema-documentation/pixos-definitions-schema.md
@@ -0,0 +1,96 @@
+# Open Vulnerability and Assessment Language: Element Dictionary
+
+* Schema: PixOS Definition
+* Version: 5.11.1:1.1
+* Release Date: 11/30/2016 09:00:00 AM
+
+The following is a description of the elements, types, and attributes that compose the PIX specific tests found in Open Vulnerability and Assessment Language (OVAL). Each test is an extension of the standard test element defined in the Core Definition Schema. Through extension, each test inherits a set of elements and attributes that are shared amongst all OVAL tests. Each test is described in detail and should provide the information necessary to understand what each element and attribute represents. This document is intended for developers and assumes some familiarity with XML. A high level description of the interaction between the different tests and their relationship to the Core Definition Schema is not outlined here.
+
+This schema was originally developed by Yuzheng Zhou and Eric Grey at Hewlett-Packard. The OVAL Schema is maintained by the OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.cisecurity.org.
+
+## Test Listing
+
+ *[ line_test ](#line_test)
+ *[ version_test ](#version_test)
+
+______________
+
+## < line_test >
+
+The line_test is used to check the properties of specific output lines from a SHOW command, such as SHOW RUNNING-CONFIG. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a line_object and the optional state element specifies the data to check.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..unbounded) |
+|||
+
+## < line_object >
+
+The line_object element is used by a line_test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+A line object consists of a show_subcommand entity that is the name of a SHOW sub-command to be tested.
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| show_subcommand | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The name of a SHOW sub-command.
|
+| [oval-def:filter](oval-definitions-schema.md#filter) | n/a (0..unbounded) |
+|||
+
+## < line_state >
+
+The line_state element defines the different information that can be used to evaluate the result of a specific SHOW sub-command. This includes the name of ths sub-command and the corresponding config line. Please refer to the individual elements in the schema for more details about what each represents.
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| show_subcommand | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The name of the SHOW sub-command.
|
+| config_line | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The value returned from by the specified SHOW sub-command.
|
+
+______________
+
+## < version_test >
+
+The version test is used to check the version of the PIX operating system. It is based off of the SHOW VERSION command. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a version_object and the optional state element specifies the data to check.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..unbounded) |
+|||
+
+## < version_object >
+
+The version_object element is used by a version test to define the different version information associated with a PIX system. There is actually only one object relating to version and this is the system as a whole. Therefore, there are no child entities defined. Any OVAL Test written to check version will reference the same version_object which is basically an empty object element.
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+## < version_state >
+
+The version_state element defines the version information held within a Cisco PIX software release. The pix_release element specifies the whole PIX version information. The pix_major_release, pix_minor_release and pix_build elements specify seperated parts of PIX software version information. For instance, if the PIX version is 7.1(2.3)49, then pix_release is 7.1(2.3)49, pix_major_release is 7.1, pix_minor_release is 2.3 and pix_build is 49. See the SHOW VERSION command within PIX for more information.
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| pix_release | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The pix_release element specifies the whole PIX version information.
|
+| pix_major_release | [oval-def:EntityStateVersionType](oval-definitions-schema.md#EntityStateVersionType) (0..1) |
+||The pix_major_release is the dotted version that starts a version string. For example the pix_release 7.1(2.3)49 has a pix_major_release of 7.1.
|
+| pix_minor_release | [oval-def:EntityStateVersionType](oval-definitions-schema.md#EntityStateVersionType) (0..1) |
+||The pix_minor_release is the dotted version that starts a version string. For example the pix_release 7.1(2.3)49 has a pix_minor_release of 2.3.
|
+| pix_build | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||The pix_build is an integer. For example the pix_release 7.1(2.3)49 has a pix_build of 49.
|
+
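Review bot: the pix_minor_release description in the version_state table is a copy of the pix_major_release one and is wrong for the minor field. "The pix_minor_release is the dotted version that starts a version string" should describe the parenthesised part of the release, e.g. "the dotted version inside the parentheses of a version string", which is what the example in the same row (7.1(2.3)49 has a pix_minor_release of 2.3) already shows. Other fixes in this hunk: the Test Listing entries are written as `*[ line_test ](#line_test)` with no space after the asterisk, so they will not render as list items; "the name of ths sub-command" in the line_state paragraph; "The value returned from by the specified SHOW sub-command" for config_line (drop "from"); and "seperated parts of PIX software version information" in the version_state paragraph.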
diff --git a/guidelines/oval-schema-documentation/pixos-system-characteristics-schema.md b/guidelines/oval-schema-documentation/pixos-system-characteristics-schema.md
new file mode 100644
index 0000000..72c398b
--- /dev/null
+++ b/guidelines/oval-schema-documentation/pixos-system-characteristics-schema.md
@@ -0,0 +1,44 @@
+# Open Vulnerability and Assessment Language: Element Dictionary
+
+* Schema: PixOS System Characteristics
+* Version: 5.11.1:1.1
+* Release Date: 11/30/2016 09:00:00 AM
+
+The following is a description of the elements, types, and attributes that compose the Cisco PIX (Private Internet Exchange) specific system characteristic items found in Open Vulnerability and Assessment Language (OVAL). Each item is an extension of the standard test element defined in the Core Definition Schema. Through extension, each test inherits a set of elements and attributes that are shared amongst all OVAL tests. Each test is described in detail and should provide the information necessary to understand what each element and attribute represents. This document is intended for developers and assumes some familiarity with XML. A high level description of the interaction between the different tests and their relationship to the Core Definition Schema is not outlined here.
+
+This schema was originally developed by Yuzheng Zhou and Eric Grey at Hewlett-Packard. The OVAL Schema is maintained by the OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.cisecurity.org.
+
+______________
+
+## < line_item >
+
+Stores the properties of specific lines in the PIX config file.
+
+**Extends:** [oval-sc:ItemType](oval-system-characteristics-schema.md#ItemType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| show_subcommand | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The name of the SHOW sub-command.
|
+| config_line | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The value returned from by the specified SHOW sub-command.
|
+
+______________
+
+## < version_item >
+
+Stores results from SHOW VERSION command.
+
+**Extends:** [oval-sc:ItemType](oval-system-characteristics-schema.md#ItemType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| pix_release | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+|||
+| pix_major_release | [oval-sc:EntityItemVersionType](oval-system-characteristics-schema.md#EntityItemVersionType) (0..1) |
+|||
+| pix_minor_release | [oval-sc:EntityItemVersionType](oval-system-characteristics-schema.md#EntityItemVersionType) (0..1) |
+|||
+| pix_build | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+|||
+
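Review bot: the introductory paragraph of pixos-system-characteristics-schema.md says each item "is an extension of the standard test element defined in the Core Definition Schema", but both items in this file declare **Extends:** oval-sc:ItemType, so the sentence should refer to the standard item element (ItemType) in the Core System Characteristics Schema, and the following sentence about what "each test inherits" should speak of items. Also, in line_item the config_line description has a doubled preposition ("The value returned from by the specified SHOW sub-command"), and the four version_item rows (pix_release, pix_major_release, pix_minor_release, pix_build) have empty description cells where the definitions-schema counterparts carry a description and a worked example; a one-line description per row would keep the two documents in step.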
diff --git a/guidelines/oval-schema-documentation/sharepoint-definitions-schema.md b/guidelines/oval-schema-documentation/sharepoint-definitions-schema.md
new file mode 100644
index 0000000..0ba826c
--- /dev/null
+++ b/guidelines/oval-schema-documentation/sharepoint-definitions-schema.md
@@ -0,0 +1,1040 @@
+# Open Vulnerability and Assessment Language: Element Dictionary
+
+* Schema: SharePoint Definition
+* Version: 5.11.1:1.1
+* Release Date: 11/30/2016 09:00:00 AM
+
+The following is a description of the elements, types, and attributes that compose the SharePoint specific tests found in Open Vulnerability and Assessment Language (OVAL). Each test is an extension of the standard test element defined in the Core Definition Schema. Through extension, each test inherits a set of elements and attributes that are shared amongst all OVAL tests. Each test is described in detail and should provide the information necessary to understand what each element and attribute represents. This document is intended for developers and assumes some familiarity with XML. A high level description of the interaction between the different tests and their relationship to the Core Definition Schema is not outlined here.
+
+The SharePoint Component Schema is based on the SharePoint Object Model (Windows SharePoint Services 3.0)
+
+The OVAL Schema is maintained by the OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.cisecurity.org.
+
+## Test Listing
+
+ *[ spwebapplication_test ](#spwebapplication_test)
+ *[ spgroup_test ](#spgroup_test)
+ *[ spweb_test ](#spweb_test)
+ *[ splist_test ](#splist_test)
+ *[ spantivirussettings_test ](#spantivirussettings_test)
+ *[ spsiteadministration_test ](#spsiteadministration_test)
+ *[ spsite_test ](#spsite_test)
+ *[ spcrawlrule_test ](#spcrawlrule_test)
+ *[ ~~spjobdefinition_test~~ ](#spjobdefinition_test)
+ *[ spjobdefinition510_test ](#spjobdefinition510_test)
+ *[ bestbet_test ](#bestbet_test)
+ *[ infopolicycoll_test ](#infopolicycoll_test)
+ *[ spdiagnosticsservice_test ](#spdiagnosticsservice_test)
+ *[ spdiagnosticslevel_test ](#spdiagnosticslevel_test)
+ *[ sppolicyfeature_test ](#sppolicyfeature_test)
+ *[ sppolicy_test ](#sppolicy_test)
+
+______________
+
+## < spwebapplication_test >
+
+The spwebapplication test is used to check the properties or permission settings of a SharePoint web application. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a spwebapplication_object and the optional state element specifies the data to check.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..1) |
+|||
+
+## < spwebapplication_object >
+
+The spwebapplication_object element is used by a spwebapplication test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+An spwebapplication object consists of a webapplicationurl used to define a specific web application. See the defintion of the SPWebApplication class in the SharePoint object model documentation.
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| webapplicationurl | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The webapplicationurl element defines the SPWebApplication to evaluate specific security settings or permissions.
|
+| [oval-def:filter](oval-definitions-schema.md#filter) | n/a (0..unbounded) |
+|||
+
+## < spwebapplication_state >
+
+The spwebapplication_state element defines security settings and permissions that can be checked for a specified SPWebApplications.
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| webapplicationurl | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The webapplicationurl element identifies a Web application.
|
+| allowparttopartcommunication | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||If the allowparttopartcommunication is enabled it allows users to create connections between Web parts.
|
+| allowaccesstowebpartcatalog | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||If the allowaccesstowebpartcatalog is enabled it allows users access to the online Web part gallery.
|
+| blockedfileextention | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The blockedfileextention element identifies one or more file extensions that should be blocked from the deployment.
|
+| defaultquotatemplate | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The defaultquotatemplate element identifies the default quota template set for the web application.
|
+| externalworkflowparticipantsenabled | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||If the externalworkflowparticipantsenabled is enabled then users are allowed to participate in workflows.
|
+| recyclebinenabled | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||If the recyclebinenabled is enabled it will be easy to restore deleted files.
|
+| automaticallydeleteunusedsitecollections | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||If the automaticallydeleteunusedsitecollections is disabled, sites will not be automatically deleted.
|
+| selfservicesitecreationenabled | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||If the selfservicesitecreationenabled is enabled users will be allowed to create and manager their own top-level Web sites .
|
+| secondstagerecyclebinquota | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||The secondstagerecyclebinquota is the quota for the second stage recyle bin
|
+| recyclebinretentionperiod | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||The recyclebinretentionperiod is the retention period for the recyle bin
|
+| outboundmailserverinstance | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The outboundmailserverinstance element identifies the string name of the SMPT server. Note that there is a small naming inconsistency here. The SharePoint SDK calls this 'outboundmailserviceinstance'.
|
+| outboundmailsenderaddress | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The outboundmailsenderaddress element identifies the address that the mail is being send from.
|
+| outboundmailreplytoaddress | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The outboundmailreplytoaddress element identifies the address that the mail should be replied to.
|
+| secvalexpires | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||If the secvalexpires is enabled then the form will expire after the security validation time (timeout) .
|
+| timeout | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||The timeout is the amount of time before security validation expires in seconds.
|
+| isadministrationwebapplication | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||If this is true, the web application to which this test refers is the Central Administration web application.
|
+| applicationpoolname | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The applicationpoolname element identifies the web applications application pool name.
|
+| applicationpoolusername | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The applicationpoolusername element identifies the web applications application pool username.
|
+| openitems | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||If the openitems is enabled the permission to view the source of documents with server-side file handlers is available to use for this web application..
|
+| addlistitems | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||If the addlistitems is enabled the permission to add items to lists, add documents to document libraries, and add Web discussion comments is available to use for this Web application.
|
+| approveitems | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||If approveitems is enabled the permission to approve a minor version of a list item or document is available to use for this the Web application.
|
+| deletelistitems | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||If the deletelistitems is enabled the permission to delete items from a list, documents from a document library, and Web discussion comments in documents is available to use for this Web application.
|
+| deleteversions | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||If the deleteversions is enabled the permission to delete past versions of a list item or document is available to use for this Web application.
|
+| editlistitems | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||If the editlistitems is enabled the permission to edit items in lists, edit documents in document libraries, edit Web discussion comments in documents, and customize Web Part Pages in document libraries is available to use for this Web application.
|
+| managelists | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||If the managelists is enabled the permission to create and delete lists, add or remove columns in a list, and add or remove public views of a list is available to use for this the Web application.
|
+| viewversions | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||If the viewversions is enabled the permission to view past versions of a list item or document is available to use for this Web application.
|
+| viewlistitems | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||If the viewlistitems is enabled the permission to view items in lists, documents in document libraries, and view Web discussion commentsis available is available to use for this Web application.
|
+| cancelcheckout | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||If the cancelcheckout is enabled the permission to discard or check in a document which is checked out to another user is available to use for this the Web application.
|
+| createalerts | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||If the createalerts is enabled the permission to Create e-mail alerts is available to use for this Web application.
|
+| viewformpages | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||If the viewformpages is enabled the permission to view forms, views, and application pages, and enumerate lists is available to use for this Web application.
|
+| viewpages | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||If the viewpages is enabled the permission to view pages in a Web site is available to use for this Web application.
|
+| addandcustomizepages | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||If addandcustomizepages is enabled the permission to add, change, or delete HTML pages or Web Part Pages, and edit the Web site using a Windows SharePoint Services–compatible editor is available to use for this Web application.
|
+| applystylesheets | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||If the applystylesheets is enabled the permission to Apply a style sheet (.css file) to the Web site is available to use for this Web application.
|
+| applythemeandborder | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||If the applythemeanborder is enabled the permission to apply a theme or borders to the entire Web site is available to use for this Web application.
|
+| browsedirectories | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||If the browsedirectories is enabled the permission to enumerate files and folders in a Web site using Microsoft Office SharePoint Designer and WebDAV interfaces is available to use for this Web application.
|
+| browseuserinfo | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||If the browseuserinfo is enabled the permission to view information about users of the Web site is available to use for this Web application.
|
+| creategroups | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||If the creategroups is enabled the permission to create a group of users that can be used anywhere within the site collection is available to use for this Web application.
|
+| createsscsite | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||If the createsscsite is enabled the permission to create a Web site using Self-Service Site Creation is available to use for this Web application.
|
+| editmyuserinfo | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||If the editmyuserinfo is enabled the permission to allows a user to change his or her user information, such as adding a picture is available to use for this Web application.
|
+| enumeratepermissions | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||If enumeratepermissions is enabled the permission to enumerate permissions on the Web site, list, folder, document, or list itemis is available to use for this Web application.
|
+| managealerts | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||If the managealerts is enabled the permission to manage alerts for all users of the Web site is available to use for this Web application.
|
+| managepermissions | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||If the managepermissions is enabled the permission to create and change permission levels on the Web site and assign permissions to users and groups is available to use for this Web application.
|
+| managesubwebs | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||If the managesubwebs is enabled the permission to create subsites such as team sites, Meeting Workspace sites, and Document Workspace sites is available to use for this Web application.
|
+| manageweb | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||If the manageweb is enabled the permission to perform all administration tasks for the Web site as well as manage content is available to use for this Web application.
|
+| open | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||If open is enabled the permission to allow users to open a Web site, list, or folder to access items inside that containeris available to use for this Web application.
|
+| useclientintegration | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||If the useclientintegration is enabled the permission to use features that launch client applications; otherwise, users must work on documents locally and upload changesis is available to use for this Web application.
|
+| useremoteapis | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||If the useremoteapis is enabled the permission to use SOAP, WebDAV, or Microsoft Office SharePoint Designer interfaces to access the Web siteis available to use for this Web application.
|
+| viewusagedata | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||If the viewusagedata is enabled the permission to view reports on Web site usage in documents is available to use for this Web application.
|
+| managepersonalviews | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||If the managepersonalviews is enabled the permission to Create, change, and delete personal views of lists is available to use for this Web application.
|
+| adddelprivatewebparts | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||If the adddelprivatewebparts is enabled the permission to add or remove personal Web Parts on a Web Part Page is available to use for this Web application.
|
+| updatepersonalwebparts | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||If the updatepersonalwebparts is enabled the permission to update Web Parts to display personalized informationis available to use for this Web application.
|
+
+______________
+
+## < spgroup_test >
+
+The spgroup test is used to check the group properties for site collections. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references an spwebapplication_object and the optional state element specifies the data to check.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..1) |
+|||
+
+## < spgroup_object >
+
+The spgroup_object element is used by a spgroup test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+An spgroup object consists of a sitecollectionurl used to define a specific site collection. See the defintion of the SPGroup class in the SharePoint object model documentation.
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| sitecollectionurl | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The sitecollectionurl element defines the Site Colection to evaluate specific group settings.
|
+| [oval-def:filter](oval-definitions-schema.md#filter) | n/a (0..unbounded) |
+|||
+
+## < spgroup_state >
+
+The spgroup_state element defines settings for groups in a site collections.
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| sitecollectionurl | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The sitecollectionurl element identifies a Site Collection.
|
+| gname | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The name element identifies a Group name.
|
+| autoacceptrequesttojoinleave | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||If the autoacceptrequesttojoinleave is enabled it allows users to automatically join groups.
|
+| allowmemberseditmembership | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||If the allowmemberseditmembership is enabled than all group memebers will be allowed to edit the membership of a group..
|
+| onlyallowmembersviewmembership | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||If the onlyallowmembersviewmembership is enabled it allows users to automatically join groups.
|
+
+______________
+
+## < spweb_test >
+
+The spweb test is used to check the properties for site collections. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references an spwebapplication_object and the optional state element specifies the data to check. See https://msdn.microsoft.com/en-us/library/ms473633.aspx for more information.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..1) |
+|||
+
+## < spweb_object >
+
+The spweb_object element is used by a spweb test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+An spweb object consists of a webcollection url and sitecollection url used to define a specific web apoplication and a specific site collection. See the defintion of the SPWeb class in the SharePoint object model documentation.
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| webcollectionurl | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||Specifies a web site (this is the SPWeb object we want).
|
+| sitecollectionurl | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||Specifies a site collection.
|
+| [oval-def:filter](oval-definitions-schema.md#filter) | n/a (0..unbounded) |
+|||
+
+## < spweb_state >
+
+The spweb_state element defines settings for a site collection.
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| webcollectionurl | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The webcollectionurl specifies a web site (the SPWeb object).
|
+| sitecollectionurl | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The sitecollectionurl element specifies a site collection.
|
+| secondarysitecolladmin | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The secondarysitecolladmin element identifies a secondary site collection admin.
|
+| secondsitecolladminenabled | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||A boolean that represents if the secondarysitecolladmin is enabled.
|
+| allowanonymousaccess | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||If the allowanonymousaccess is enabled users will be allowed to create and manager their own top-level Web sites .
|
+
+______________
+
+## < splist_test >
+
+The splist test is used to check the properties of lists associated with a SharePoint site or site collection. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references an splist_object and the optional state element specifies the data to check.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..1) |
+|||
+
+## < splist_object >
+
+The splist_object element is used by a splist test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+An splist object consists of a spsiteurl used to define a specific site in a site collection that various security related configuration items need to be checked. See the defintion of the SPList class in the SharePoint object model documentation.
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| spsiteurl | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The spsiteurl element defines the Sharepoint website being specified ...
|
+| [oval-def:filter](oval-definitions-schema.md#filter) | n/a (0..unbounded) |
+|||
+
+## < splist_state >
+
+The splist_state element defines the different information that can be used to evaluate the specified Sharepoint sites....
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| spsiteurl | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The spsiteurl element identifies an Sharepoint site to test for.
|
+| irmenabled | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||If the irmenabled option is enabled, documents are protected whenever they leave the control of the Sharepoint system.
|
+| enableversioning | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||If the enableversioning option is enabled, backup copies of documents are kept and managed by the Sharepoint system.
|
+| nocrawl | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||If the nocrawl option is enabled, the site is excluded from crawls that Sharepoint does when it indexes sites.
|
+
+______________
+
+## < spantivirussettings_test >
+
+The spantivirussettings test is used to check the settings for antivirus software associated with a SharePoint deployment.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..1) |
+|||
+
+## < spantivirussettings_object >
+
+The spantivirussettings_object element is used by a spantivirussettings test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+An spantivirussettings object consists of a spwebservicename used to define a specific webservice in a farm that various security related configuration items need to be checked and an spfarmname which denotes the farm of which the spwebservice is a part. See the defintion of the SPAntiVirusSettings class in the SharePoint object model documentation.
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| spwebservicename | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The spwebservicename element denotes the web service for which antivirus settings will be checked.
|
+| spfarmname | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The spfarmname element denotes the farm on which a web service to be queried resides.
|
+| [oval-def:filter](oval-definitions-schema.md#filter) | n/a (0..unbounded) |
+|||
+
+## < spantivirussettings_state >
+
+The spantivirus_state element defines the different information that can be used to evaluate the specified Sharepoint sites....
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| spwebservicename | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The spwebservicename denotes the name of a SharePoint web service to be tested or * (the default) to test all web services.
|
+| spfarmname | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The spfarmname denotes the name of the farm on which the Sharepoint webservice resides or the local farm (default).
|
+| allowdownload | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Specifies whether infected documents can be downloaded on the SharePoint system.
|
+| cleaningenabled | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Specifies whether the virus scanner should attempt to cure files that are infected.
|
+| downloadscanenabled | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Specifies whetehr files are scanned for viruses when they are downloaded.
|
+| numberofthreads | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||The number of threads that the antivirus scanner can use to scan documents for viruses.
|
+| skipsearchcrawl | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Specifies whether to skip scanning for viruses during a search crawl.
|
+| timeout | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||Denotes the amount of time before the virus scanner times out in seconds.
|
+| uploadscanenabled | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Specifies whether files are scanned when they are uploaded.
|
+| vendorupdatecount | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||Denotes the current increment of the number of times the vendor has been updated.
|
+
+______________
+
+## < spsiteadministration_test >
+
+The spsiteadministration test is used to check the properties of a site. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references an spwebapplication_object and the optional state element specifies the data to check.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..1) |
+|||
+
+## < spsiteadministration_object >
+
+The spsiteadministration_object element is used by a spsiteadministration test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+An spsiteadministration object consists of a webapplicationurl used to define a specific web application. The collected data is available via the SPQuota class, which can be found via the SPSite object. See the defintions of the SPSite and the SPQuota classes in the SharePoint object model documentation.
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| sitecollectionurl | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The sitecollectionurl element defines the site to evaluate.
|
+| [oval-def:filter](oval-definitions-schema.md#filter) | n/a (0..unbounded) |
+|||
+
+## < spsiteadministration_state >
+
+The spspsiteadministration_state element defines security settings and permissions that can be checked for a specified SPSite.
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| sitecollectionurl | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The sitecollectionurl element identifies a site.
|
+| storagemaxlevel | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||The storagemaxlevel is the maximum storage allowed for the site.
|
+| storagewarninglevel | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||When the storagewarninglevel is reached a site collection receive advance notice before available storage is expended.s.
|
+
+______________
+
+## < spsite_test >
+
+The spsite test is used to check the properties of a site. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references an spwebapplication_object and the optional state element specifies the data to check.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..1) |
+|||
+
+## < spsite_object >
+
+The spsite_object element is used by a spsiteadministration test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+An spsite object consists of a sitecollectionurl used to define a specific web application. See the defintion of the SPSite class in the SharePoint object model documentation.
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| sitecollectionurl | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The sitecollectionurl element defines the site to evaluate.
|
+| [oval-def:filter](oval-definitions-schema.md#filter) | n/a (0..unbounded) |
+|||
+
+## < spsite_state >
+
+The spsite_state element defines security settings and permissions that can be checked for a specified SPSite.
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| sitecollectionurl | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The sitecollectionurl element identifies a site.
|
+| quotaname | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The quota name is the name of quota template for a site collection.
|
+| ~~url~~ | ~~[oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1~~) |
+||~~The URL is the full URL to the root Web site of the site collection, including host name, port number, and path.
~~|
+
+______________
+
+## < spcrawlrule_test >
+
+The spcrawlrule test is used to check the configuration or rules associated with the SharePoint system's built-in indexer and the sites or documents that will be indexed.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..1) |
+|||
+
+## < spcrawlrule_object >
+
+The spcrawlrule_object element is used by a spcrawlrule test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+An spcrawlrule object consists of a spsiteurl used to define a specific resource (eg. website or document) on a server that can be indexed by the SharePoint indexer. See the defintion of the CrawlRule class in the SharePoint object model documentation.
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| spsiteurl | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The spsiteurl element denotes the resource on the SharePoint server (eg. a site or document) for which indexing settings will be checked.
|
+| [oval-def:filter](oval-definitions-schema.md#filter) | n/a (0..unbounded) |
+|||
+
+## < spcrawlrule_state >
+
+The spcrawlrule state element defines the various properties of the SharePoint indexer that can be checked.
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| spsiteurl | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The spsiteurl denotes the URL of a website or resource whose indexing properties should be tested.
|
+| crawlashttp | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Specifies whether the crawler should crawl content from a hierarchical content source, such as HTTP content.
|
+| enabled | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Specifies whether a particular crawl rule is enabled.
|
+| followcomplexurls | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Specifies whether the indexer should crawl websites that contain the question mark (?) character.
|
+| path | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The path to which a particular crawl rule applies.
|
+| priority | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||The priority setting for a particular crawl rule.
|
+| suppressindexing | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Specifies whether the crawler should exclude the content of items that this rule applies to from the content index.
|
+| accountname | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||A string containing the account name for the crawl rule.
|
+
+______________
+
+## < ~~spjobdefinition_test~~ >
+
+> :small_red_triangle: **Deprecated As Of Version 5.10** :small_red_triangle:
**Reason:** Replaced by the spjobdefinition510_test. This test does not uniquely identify a single job definition. A new test was created to use displaynames, which are unique. See the spjobdefinition510_test.
**Comment:** This test has been deprecated and will be removed in version 6.0 of the language.
+
+The spjobdefinition test is used to check the status of the various properties associated with scheduled jobs in the SharePoint system.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..1) |
+|||
+
+## < ~~spjobdefinition_object~~ >
+
+> :small_red_triangle: **Deprecated As Of Version 5.10** :small_red_triangle:
**Reason:** Replaced by the spjobdefinition510_object. This test does not uniquely identify a single job definition. A new object was created to use displaynames, which are unique. See the spjobdefinition510_object.
**Comment:** This test has been deprecated and will be removed in version 6.0 of the language.
+
+The spjobdefinition_object element is used by a spjobdefinition test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+An spjobdefinition_object consists of a webappuri used to define a specific web application for which job checks should be done. See the defintion of the SPJobDefinition class in the SharePoint object model documentation.
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| webappuri | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The URI that represents the web application for which jobs should be checked.
|
+| [oval-def:filter](oval-definitions-schema.md#filter) | n/a (0..unbounded) |
+|||
+
+## < ~~spjobdefinition_state~~ >
+
+> :small_red_triangle: **Deprecated As Of Version 5.10** :small_red_triangle:
**Reason:** Replaced by the spjobdefinition510_state. This state does not uniquely identify a single job definition. A new state was created to use displaynames, which are unique. See the spjobdefinition510_state.
**Comment:** This test has been deprecated and will be removed in version 6.0 of the language.
+
+The various properties of a Sharepoint job that can be checked.
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| webappuri | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The URI that represents the web application for which jobs should be checked.
|
+| displayname | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The name of the job as displayed in the SharePoint Central Administration site.
|
+| isdisabled | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Determines whether or not the job definition is enabled.
|
+| retry | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Determines whether the job definition should be retried if it ends abnormally.
|
+| title | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The title of a job as displayed in the SharePoint Central Administration site.
|
+
+______________
+
+## < spjobdefinition510_test >
+
+The spjobdefinition test is used to check the status of the various properties associated with scheduled jobs in the SharePoint system.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..1) |
+|||
+
+## < spjobdefinition510_object >
+
+The spjobdefinition510_object element is used by a spjobdefinition test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+An spjobdefinition510_object consists of a webappuri and displayname used to define a specific web application for which job checks should be done. See the defintion of the SPJobDefinition class in the SharePoint object model documentation.
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| webappuri | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The URI that represents the web application for which jobs should be checked.
|
+| displayname | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The name of the job as displayed in the SharePoint Central Administration site.
|
+| [oval-def:filter](oval-definitions-schema.md#filter) | n/a (0..unbounded) |
+|||
+
+## < spjobdefinition510_state >
+
+The various properties of a Sharepoint job that can be checked.
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| webappuri | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The URI that represents the web application for which jobs should be checked.
|
+| displayname | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The name of the job as displayed in the SharePoint Central Administration site.
|
+| isdisabled | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Determines whether or not the job definition is enabled.
|
+| retry | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Determines whether the job definition should be retried if it ends abnormally.
|
+| title | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The title of a job as displayed in the SharePoint Central Administration site.
|
+
+______________
+
+## < bestbet_test >
+
+The bestbet test is used to get all the best bets associated with a site.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..1) |
+|||
+
+## < bestbet_object >
+
+The bestbet_object element is used by a bestbet test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+An bestbet object consists of a sitecollectionurl used to define a specific site and a bestbeturl used to define a specific best bet. See the defintion of the BestBet class in the SharePoint object model documentation.
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| sitecollectionurl | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The URL that represents the site collection.
|
+| bestbeturl | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The URL that represents the best bet.
|
+| [oval-def:filter](oval-definitions-schema.md#filter) | n/a (0..unbounded) |
+|||
+
+## < bestbet_state >
+
+The various properties of a Best Bet that can be checked.
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| sitecollectionurl | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The URL that represents the site collection.
|
+| bestbeturl | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The name of the job as displayed in the SharePoint Central Administration site.
|
+| title | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The title of a best bet.
|
+| description | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||Thedescription of a best bet..
|
+
+______________
+
+## < infopolicycoll_test >
+
+The policycoll test is used to get all the Information Policies associated with a site.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..1) |
+|||
+
+## < infopolicycoll_object >
+
+The infopolicycoll_object element is used by a policycoll test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+A infopolicycoll object consists of a sitecollectionurl used to define a specific site and an id used to define a specific information policy. See the defintion of the Policy class and policycollection class in the SharePoint object model documentation.
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| sitecollectionurl | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The URL that represents the site collection.
|
+| id | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The id that represents the Information Policy.
|
+| [oval-def:filter](oval-definitions-schema.md#filter) | n/a (0..unbounded) |
+|||
+
+## < infopolicycoll_state >
+
+The various properties of the Information Policy that can be checked.
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| sitecollectionurl | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The URL that represents the site collection.
|
+| id | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The id of the Information Policy.
|
+| name | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The name of the Information Policy.
|
+| description | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The description of an Information Policy..
|
+| longdescription | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The long description of an Information Policy..
|
+
+______________
+
+## < spdiagnosticsservice_test >
+
+The spdiagnosticsservice test is used to check the diagnostic properties associated with a Sharepoint system.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..1) |
+|||
+
+## < spdiagnosticsservice_object >
+
+The spdiagnosticsservice_object element is used by an spdiagnosticsservice test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+An spdiagnosticsservice object consists of a farmname used to define a specific Sharepoint farm for which diagnostics properties should be checked. See the defintion of the SPDiagnosticsService class in the SharePoint object model documentation.
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| farmname | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The farm whose diagnostic capabilities should be checked. Use .* for all farms or SPFarm.Local for the local farm.
|
+| [oval-def:filter](oval-definitions-schema.md#filter) | n/a (0..unbounded) |
+|||
+
+## < spdiagnosticsservice_state >
+
+The various properties of a diagnostics service that can be checked.
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| farmname | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The farm whose diagnostic capabilities should be checked.
|
+| displayname | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The name of the diagnostic service as shown in the Sharepoint Central Administration site.
|
+| logcutinterval | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||The number of minutes to capture events to a single log file. This value lies in the range 0 to 1440. The default value is 30.
|
+| loglocation | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The path to the file system directory where log files are created and stored.
|
+| logstokeep | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||The value that indicates the number of log files to create. This lies in the range 0 to 1024 with a default of 96.
|
+| required | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||The required property specifies whether an instance of the spdiagnosticsservice must be running on the farm.
|
+| typename | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The friendly name for the service as displayed in the Central Administration and in logs. This should be "Windows Sharepoint Diagnostics Service" by default.
|
+
+______________
+
+## < spdiagnosticslevel_test >
+
+The spdiagnosticslevel_test is used to check the status of the logging features associated with a Sharepoint deployment.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..1) |
+|||
+
+## < spdiagnosticslevel_object >
+
+The spdiagnosticslevel_object element is used by an spdiagnosticslevel test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+An spdiagnosticslevel object consists of a farmname used to define a specific Sharepoint farm for which policy properties should be checked. See the defintion of the SPWebApplication class in the SharePoint object model documentation. See the defintion of the IDiagnosticsLevel Interface in the SharePoint object model documentation.
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| farmname | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The farm whose diagnostics levels should be checked. Use .* for all farms or SPFarm.Local for the local farm.
|
+| [oval-def:filter](oval-definitions-schema.md#filter) | n/a (0..unbounded) |
+|||
+
+## < spdiagnosticslevel_state >
+
+The various properties of a Diagnostics level that can be checked.
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| farmname | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The name of the farm for which diagnostics level properties should be checked.
|
+| eventseverity | [sp-def:EntityStateEventSeverityType](#EntityStateEventSeverityType) (0..1) |
+||The event severity setting for a particular diagnostic level category.
|
+| hidden | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Specifies whether the trace log category is hidden in the Windows Sharepoint Services Central Administration interface.
|
+| levelid | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||A string that represents the ID of the trace log category. This is its English language name.
|
+| levelname | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The name of the trace log category. This represents the localized name for the category.
|
+| traceseverity | [sp-def:EntityStateTraceSeverityType](#EntityStateTraceSeverityType) (0..1) |
+||The trace severity setting for a particular diagnostic level category.
|
+
+______________
+
+## < sppolicyfeature_test >
+
+The sppolicyfeature test enables one to check the attributes associated with policies and policy features on the Sharepoint deployment.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..1) |
+|||
+
+## < sppolicyfeature_object >
+
+The sppolicyfeature_object element is used by an sppolicyfeature test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+An sppolicyfeature object consists of a farmname used to define a specific Sharepoint farm for which policy feature properties should be checked. See the defintion of the PolicyFeature class in the SharePoint object model documentation.
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| farmname | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The farm whose policy features should be checked. Use .* for all farms or SPFarm.Local for the local farm.
|
+| [oval-def:filter](oval-definitions-schema.md#filter) | n/a (0..unbounded) |
+|||
+
+## < sppolicyfeature_state >
+
+The various properties of a policy feature that can be checked.
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| farmname | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The farm whose policy features should be checked. Use .* for all farms or SPFarm.Local for the local farm.
|
+| configpage | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The URL to a web control used to edit policy instance-level settings.
|
+| defaultcustomdata | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The default values for any policy instance-level settings for a policy feature.
|
+| description | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The short description of the policy feature and of the service it provides.
|
+| globalconfigpage | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The URL to a web control used to edit server farm-level settings for this policy feature.
|
+| globalcustomdata | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The default settings for any server farm-level settings for this policy feature.
|
+| group | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The policy feature group to which a policy feature belongs.
|
+| name | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The name to display in the Microsoft Office Sharepoint Server 2007 interface for an information policy feature.
|
+| publisher | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The name of the creator of the policy feature as it is displayed in the Microsoft Office Sharepoint Server 2007 user interface.
|
+| state | [sp-def:EntityStatePolicyFeatureStateType](#EntityStatePolicyFeatureStateType) (0..1) |
+||Specifies whether the policy feature is hidden or visible.
|
+
+______________
+
+## < sppolicy_test >
+
+The sppolicy test enables one to check the attributes of the policies associated with a particular URL Zone in a Sharepoint system.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..1) |
+|||
+
+## < sppolicy_object >
+
+The sppolicy_object element is used by an sppolicy test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+An sppolicy object consists of a webappuri and a URL Zone used to define a specific Sharepoint web application and zone for which policy properties should be checked. See the defintion of the SPPolicy class and the sppolicyroletype in the SharePoint object model documentation.
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| webappuri | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The URI that represents the web application for which policies should be checked.
|
+| urlzone | [sp-def:EntityObjectUrlZoneType](#EntityObjectUrlZoneType) (1..1) |
+||The zone for which policies should be checked.
|
+
+## < sppolicy_state >
+
+The various properties of a policy that can be checked.
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| webappuri | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The URI that represents the web application for which policies should be checked.
|
+| urlzone | [sp-def:EntityStateUrlZoneType](#EntityStateUrlZoneType) (0..1) |
+||The zone for which policies should be checked.
|
+| displayname | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The user or group display name for a policy. This defaults to the user name if the display name cannot be resolved through Active Directory.
|
+| issystemuser | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Specifies whether the user identified by a particular policy is visible only as a System account within the Windows Sharepoint Services user interface.
|
+| username | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The user name of the user or group that is associated with policy.
|
+| policyroletype | [sp-def:EntityStatePolicyRoleType](#EntityStatePolicyRoleType) (0..1) |
+||The policy role type to apply globally in a Sharepoint web application to a user or group.
|
+
+## == EntityObjectUrlZoneType ==
+
+The EntityObjectUrlZoneType restricts a string value to a set of values that describe the different IIS Url Zones. The empty string is also allowed to support empty element associated with error conditions.
+
+**Restricts:** [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType)
+
+| Value | Description |
+| ----- | ----------- |
+| Custom | |
+| Default | |
+| Extranet | |
+| Intranet | |
+| Internet | |
+| | The empty string value is permitted here to allow for empty elements associated with variable references.
|
+
+## == EntityStateEventSeverityType ==
+
+The EntityStateEventSeverityType restricts a string value to a set of values that describe the different states that can be configured for a diagnostics level event severity level property of the diagnostics service.
+
+**Restricts:** [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType)
+
+| Value | Description |
+| ----- | ----------- |
+| Error | |
+| ErrorCritical | |
+| ErrorSecurityBreach | |
+| ErrorServiceUnavailable | |
+| FailureAudit | |
+| Information | |
+| None | |
+| Success | |
+| SuccessAudit | |
+| Warning | |
+| | The empty string value is permitted here to allow for empty elements associated with variable references.
|
+
+## == EntityStateTraceSeverityType ==
+
+The EntityStateTraceSeverityType restricts a string value to a set of values that describe the different states that can be configured for a diagnostics level trace severity level property of the diagnostics service.
+
+**Restricts:** [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType)
+
+| Value | Description |
+| ----- | ----------- |
+| High | |
+| Medium | |
+| Monitorable | |
+| None | |
+| Unexpected | |
+| Verbose | |
+| | The empty string value is permitted here to allow for empty elements associated with variable references.
|
+
+## == EntityStatePolicyRoleType ==
+
+The EntityStatePolicyRoleType restricts a string value to a set of values that describe the different Policy settings for Access Control that are available for users.
+
+**Restricts:** [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType)
+
+| Value | Description |
+| ----- | ----------- |
+| DenyAll | Deny all rights.
|
+| DenyWrite | Deny write permissions.
|
+| FullControl | Grant full control.
|
+| FullRead | Grant full read permissions.
|
+| None | No role type assigned.
|
+| | The empty string value is permitted here to allow for empty elements associated with variable references.
|
+
+## == EntityStatePolicyFeatureStateType ==
+
+The EntityStatePolicyRoleType restricts a string value to a set of values that describe the different policy feature states that can be configured for a policy feature.
+
+**Restricts:** [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType)
+
+| Value | Description |
+| ----- | ----------- |
+| Hidden | Specifies that the policy feature is hidden from the Sharepoint Central Administration user interface.
|
+| Visible | Specifies that the policy feature is visible from the Sharepoint Central Administration user interface.
|
+| | The empty string value is permitted here to allow for empty elements associated with variable references.
|
+
+## == EntityStateUrlZoneType ==
+
+The EntityStateUrlZoneType restricts a string value to a set of values that describe the different IIS Url Zones.
+
+**Restricts:** [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType)
+
+| Value | Description |
+| ----- | ----------- |
+| Custom | |
+| Default | |
+| Extranet | |
+| Intranet | |
+| Internet | |
+| | The empty string value is permitted here to allow for empty elements associated with variable references.
|
+
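Review bot: the description under the `== EntityStatePolicyFeatureStateType ==` heading names the wrong type: it opens with "The EntityStatePolicyRoleType restricts a string value to a set of values that describe the different policy feature states", which is the previous type's name pasted in; it should read "The EntityStatePolicyFeatureStateType restricts ...". In the same region, the EntityObjectUrlZoneType prose says the empty string is allowed "to support empty element associated with error conditions", while the table row directly beneath it (and every other enumeration in this file) gives the rationale as "empty elements associated with variable references"; pick one rationale and use it in both places, and consider adding that sentence to EntityStateUrlZoneType, whose description currently omits it. The Description column for the values of EntityObjectUrlZoneType, EntityStateEventSeverityType, EntityStateTraceSeverityType and EntityStateUrlZoneType is empty, unlike EntityStatePolicyRoleType, so a one-line description per value would make the reference usable. Minor: "defintion" is misspelled in the sppolicyfeature_object and sppolicy_object descriptions, and "Sharepoint" should be "SharePoint" to match the product name used elsewhere in the same paragraphs.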
diff --git a/guidelines/oval-schema-documentation/sharepoint-system-characteristics-schema.md b/guidelines/oval-schema-documentation/sharepoint-system-characteristics-schema.md
new file mode 100644
index 0000000..475be5c
--- /dev/null
+++ b/guidelines/oval-schema-documentation/sharepoint-system-characteristics-schema.md
@@ -0,0 +1,544 @@
+# Open Vulnerability and Assessment Language: Element Dictionary
+
+* Schema: SharePoint System Characteristics
+* Version: 5.11.1:1.1
+* Release Date: 11/30/2016 09:00:00 AM
+
+The following is a description of the elements, types, and attributes that compose the SharePoint specific system characteristic items found in Open Vulnerability and Assessment Language (OVAL). Each item is an extension of the standard item element defined in the Core System Characteristic Schema. Through extension, each item inherits a set of elements and attributes that are shared amongst all OVAL Items. Each item is described in detail and should provide the information necessary to understand what each element and attribute represents. This document is intended for developers and assumes some familiarity with XML. A high level description of the interaction between the different tests and their relationship to the Core System Characteristic Schema is not outlined here.
+
+The SharePoint Component Schema is based on the SharePoint Object Model (Windows SharePoint Services 3.0)
+
+The OVAL Schema is maintained by the OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.cisecurity.org.
+
+______________
+
+## < spwebapplication_item >
+
+This spwebapplication item stores information for security related features and permissions related to each web application. See the defintion of the SPWebApplication class in the SharePoint object model documentation.
+
+**Extends:** [oval-sc:ItemType](oval-system-characteristics-schema.md#ItemType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| webapplicationurl | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||A string the represents the url that identifies the web application.
|
+| allowparttopartcommunication | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||A boolean that represents if a user can create connections between Web Parts.
|
+| allowaccesstowebpartcatalog | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||A boolean that represents if a user can create connections to Online Web Part Galleries.
|
+| blockedfileextention | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..unbounded) |
+||A single blockedfileextention for the application. An applicaiton may have zero or more blocked file extensions.
|
+| defaultquotatemplate | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||A string the represents the default quota template for the web application.
|
+| externalworkflowparticipantsenabled | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||A boolean that represents if a user is allowed to participate in workflow by sending them a copy of the document.
|
+| recyclebinenabled | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||A boolean that represents if the recycle bin is enabled or disabled.
|
+| automaticallydeleteunusedsitecollections | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||A boolean that represents if the site can be automatically deleted.
|
+| selfservicesitecreationenabled | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||A boolean that represents if a self service site can be created.
|
+| secondstagerecyclebinquota | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||Size of the second stage recycle bin quota.
|
+| recyclebinretentionperiod | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||The recyclebinretentionperiod is the retention period for the recyle bin.
|
+| outboundmailserverinstance | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The string name of the outboundmailserver.
|
+| outboundmailsenderaddress | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The from address that is used when sending email.
|
+| outboundmailreplytoaddress | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The reply to address that is used when sending email.
|
+| secvalexpires | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||A boolean that represents if a security validation can expire.
|
+| timeout | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||The timeout is the amount of time before security validation expires in seconds.
|
+| isadministrationwebapplication | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||A boolean that specifies whether the current web application is the Central Administration web application.
|
+| applicationpoolname | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||A string that represents the application pool name.
|
+| applicationpoolusername | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||A string that represents the application pool username.
|
+| openitems | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||A boolean that represents if the permission to view the source of documents with server-side file handlers is available to the Web application.
|
+| addlistitems | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||A boolean that represents if the permission to add items to lists, add documents to document libraries, and add Web discussion comments to the Web application.
|
+| approveitems | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||A boolean that represents if the permission to approve a minor version of a list item or document is available to the Web application.
|
+| deletelistitems | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||A boolean that represents if the permission to delete items from a list, documents from a document library, and Web discussion comments in documents is available to the Web application.
|
+| deleteversions | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||A boolean that represents if the permission to delete past versions of a list item or document is available to the Web application.
|
+| editlistitems | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||A boolean that represents if edit items in lists, edit documents in document libraries, edit Web discussion comments in documents, and customize Web Part Pages in document libraries is available to the Web application.
|
+| managelists | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||A boolean that represents if the permission to create and delete lists, add or remove columns in a list, and add or remove public views of a list is available to the Web application.
|
+| viewversions | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||A boolean that represents if the permission to view past versions of a list item or document is available to the Web application.
|
+| viewlistitems | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||A boolean that represents if the permission to view items in lists, documents in document libraries, and view Web discussion commentsis available to the Web application.
|
+| cancelcheckout | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||A boolean that represents if the permission to discard or check in a document which is checked out to another user is available to the Web application.
|
+| createalerts | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||A boolean that represents if the permission to Create e-mail alerts is available to the Web application.
|
+| viewformpages | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||A boolean that represents if the permission to view forms, views, and application pages, and enumerate lists is available to the Web application.
|
+| viewpages | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||A boolean that represents if the permission to view pages in a Web site is available to the Web application.
|
+| addandcustomizepages | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+|||
+| applystylesheets | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||A boolean that represents if the permission to Apply a style sheet (.css file) to the Web site is available to the Web application.
|
+| applythemeandborder | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||A boolean that represents if the permission to apply a theme or borders to the entire Web site is available to the Web application.
|
+| browsedirectories | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||A boolean that represents if the permission to enumerate files and folders in a Web site using Microsoft Office SharePoint Designer and WebDAV interfaces is available to the Web application.
|
+| browseuserinfo | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||A boolean that represents if the permission to view information about users of the Web site is available to the Web application.
|
+| creategroups | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||A boolean that represents if the permission to create a group of users that can be used anywhere within the site collection is available to the Web application.
|
+| createsscsite | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||A boolean that represents if the permission to create a Web site using Self-Service Site Creation is available to the Web application.
|
+| editmyuserinfo | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||A boolean that represents if the permission to allows a user to change his or her user information, such as adding a picture is available to the Web application.
|
+| enumeratepermissions | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||A boolean that represents if the permission to enumerate permissions on the Web site, list, folder, document, or list itemis is available to the Web application.
|
+| managealerts | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||A boolean that represents if the permission to manage alerts for all users of the Web site is available for the Web application.
|
+| managepermissions | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||A boolean that represents if the permission to create and change permission levels on the Web site and assign permissions to users and groups is available to the Web application.
|
+| managesubwebs | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||A boolean that represents if the permission to create subsites such as team sites, Meeting Workspace sites, and Document Workspace sites is available to the Web application.
|
+| manageweb | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||A boolean that represents if the permission to perform all administration tasks for the Web site as well as manage content is available to the Web application.
|
+| open | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||A boolean that represents if the permission to allow users to open a Web site, list, or folder to access items inside that containeris available to the Web application.
|
+| useclientintegration | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||A boolean that represents if the permission to use features that launch client applications; otherwise, users must work on documents locally and upload changesis is available to the Web application.
|
+| useremoteapis | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||A boolean that represents if the permission to use SOAP, WebDAV, or Microsoft Office SharePoint Designer interfaces to access the Web siteis available to the Web application.
|
+| viewusagedata | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||A boolean that represents if the permission to view reports on Web site usage in documents is available to the Web application.
|
+| managepersonalviews | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||A boolean that represents if the permission to Create, change, and delete personal views of lists is available to the Web application.
|
+| adddelprivatewebparts | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||A boolean that represents if the permission to add or remove personal Web Parts on a Web Part Page is available to the Web application.
|
+| updatepersonalwebparts | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||A boolean that represents if the permission to update Web Parts to display personalized informationis available to the Web application.
|
+
+______________
+
+## < spgroup_item >
+
+This spgroup item stores information for security related features related to site groups
+
+**Extends:** [oval-sc:ItemType](oval-system-characteristics-schema.md#ItemType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| sitecollectionurl | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||A string the represents the url that identifies the site collection.
|
+| gname | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||A string the represents the name of a group in a site collection.
|
+| autoacceptrequesttojoinleave | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||A boolean that represents if sites can automatically accepts requests.
|
+| allowmemberseditmembership | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||A boolean that represents if owners other than the group owner can edit the membership of groups.
|
+| onlyallowmembersviewmembership | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||A boolean that represents if owners other than the group owner can edit the membership of groups.
|
+
+______________
+
+## < spweb_item >
+
+This spweb item stores information for security related features related to site collections.
+
+**Extends:** [oval-sc:ItemType](oval-system-characteristics-schema.md#ItemType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| webcollectionurl | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||A string that specifies a web site (the SPWeb object).
|
+| sitecollectionurl | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||A string that specifies a site collection.
|
+| secondarysitecolladmin | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||A string the represents the secondarysitecolladmin.
|
+| secondsitecolladminenabled | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||A boolean that represents if the secondsitecolladmin is enabled.
|
+| allowanonymousaccess | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||A boolean that represents if a anonymous access is allowed to the web site.
|
+
+______________
+
+## < splist_item >
+
+An SPList represents a list of content on a Sharepoint web site. It consists of items or rows and columns or fields that contain data.
+
+**Extends:** [oval-sc:ItemType](oval-system-characteristics-schema.md#ItemType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| spsiteurl | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The url that identifies the website.
|
+| irmenabled | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||The irmenabled attribute tests to see if documents that leave the Sharepoint environment are protected.
|
+| enableversioning | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||The enableversioning attribute specifies whether backup copies of files should be created and managed in the Sharepoint system.
|
+| nocrawl | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||The nocrawl attribute indicates that this site should not be among those crawled and indexed.
|
+
+______________
+
+## < spantivirussettings_item >
+
+An SPAntivirusSettings Item represents the set of antivirus-related security settings on a Sharepoint server.
+
+**Extends:** [oval-sc:ItemType](oval-system-characteristics-schema.md#ItemType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| spwebservicename | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The name of the SP Web Service for which to retrieve the antivirus settings or * for all web services. The default value is * which checks all SP Web services
|
+| spfarmname | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The Farm in which the SP Web Service resides.
|
+| allowdownload | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Specifies whether SharePoint users can download documents that are found to be infected.
|
+| cleaningenabled | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Specifies whether or not the virus scanner should attempt to cure infected files.
|
+| downloadscanenabled | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Specifies whether files are scanned when they are downloaded.
|
+| numberofthreads | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||Specifies the number of threads that the virus scanner may use to perform virus scans.
|
+| skipsearchcrawl | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Specifies whether to skip document virus scanning during a search crawl.
|
+| timeout | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||The amount of time before the virus scanner times out in seconds.
|
+| uploadscanenabled | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Specifies whether files are scanned for viruses when they are uploaded.
|
+| vendorupdatecount | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||The current increment of the number of times the vendor has been updated.
|
+
+______________
+
+## < spsiteadministration_item >
+
+This spsiteadministration item stores information for security related features and permissions related to each top-level web sites. See the defintion of the SPSiteAdministration class in the SharePoint object model documentation.
+
+**Extends:** [oval-sc:ItemType](oval-system-characteristics-schema.md#ItemType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| sitecollectionurl | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||A string the represents the url that identifies the sitecollection application.
|
+| storagemaxlevel | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||The storagemaxlevel is the maximum storage allowed for the site.
|
+| storagewarninglevel | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||When the storagewarninglevel is reached a site collection receive advance notice before available storage is expended.
|
+
+______________
+
+## < spsite_item >
+
+This spsite item stores information for security related features for sites. See the defintion of the SPSite class in the SharePoint object model documentation.
+
+**Extends:** [oval-sc:ItemType](oval-system-characteristics-schema.md#ItemType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| sitecollectionurl | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||A string the represents the url that identifies the sitecollection application.
|
+| quotaname | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The string that represents the name of the quota for a specific site collection.
|
+| url | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+|||
+
+______________
+
+## < spcrawlrule_item >
+
+The spcrawlrule_item specifies rules that the SharePoint system follows when it crawls the content of sites stored within it.
+
+**Extends:** [oval-sc:ItemType](oval-system-characteristics-schema.md#ItemType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| spsiteurl | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||A URL that represents the resource (eg. sites, documents,etc.) on which the crawlrule tests should be run or * if the check should be run on all sites/documents on the server.
|
+| crawlashttp | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Specifies whether the crawler should crawl content from a hierarchical content source, such as HTTP content.
|
+| enabled | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Specifies whether a particular crawl rule is enabled.
|
+| followcomplexurls | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Specifies whether the indexer should crawl websites that contain the question mark (?) character.
|
+| path | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The path to which a particular crawl rule applies.
|
+| priority | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||The priority setting for a particular crawl rule.
|
+| suppressindexing | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Specifies whether the crawler should exclude the content of items that this rule applies to from the content index.
|
+| accountname | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||A string containing the account name for the crawl rule.
|
+
+______________
+
+## < ~~spjobdefinition_item~~ >
+
+> :small_red_triangle: **Deprecated As Of Version 5.10** :small_red_triangle:
**Reason:** Replaced by the spjobdefinition510_item. This item does not uniquely identify a single job definition. A new state was created to use displaynames, which are unique. See the spjobdefinition510_item.
**Comment:** This item has been deprecated and may be removed in a future version of the language.
+
+This represents the set of Job Definitions that are scheduled to run on each SharePoint Web Application
+
+**Extends:** [oval-sc:ItemType](oval-system-characteristics-schema.md#ItemType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| webappuri | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The URI that represents the web application for which the IIS Settings should be checked.
|
+| displayname | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The name of the job as displayed in the SharePoint Central Administration site.
|
+| isdisabled | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Determines whether or not the job definition is enabled.
|
+| retry | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Determines whether the job definition should be retried if it ends abnormally.
|
+| title | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The title of a job as displayed in the SharePoint Central Administration site.
|
+
+______________
+
+## < spjobdefinition510_item >
+
+This represents the set of Job Definitions that are scheduled to run on each SharePoint Web Application
+
+**Extends:** [oval-sc:ItemType](oval-system-characteristics-schema.md#ItemType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| webappuri | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The URI that represents the web application for which the IIS Settings should be checked.
|
+| displayname | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The name of the job as displayed in the SharePoint Central Administration site.
|
+| isdisabled | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Determines whether or not the job definition is enabled.
|
+| retry | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Determines whether the job definition should be retried if it ends abnormally.
|
+| title | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The title of a job as displayed in the SharePoint Central Administration site.
|
+
+______________
+
+## < bestbet_item >
+
+This represents the set of Best Bets for a site collection.
+
+**Extends:** [oval-sc:ItemType](oval-system-characteristics-schema.md#ItemType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| sitecollectionurl | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The sitecollectionurl represents the URL for the site.
|
+| bestbeturl | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The bestbeturl represents the URL for the best bet.
|
+| title | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The title of the Best Bet.
|
+| description | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The description of the Best Bet.
|
+
+______________
+
+## < infopolicycoll_item >
+
+This represents the set of Information Policies for a site collection.
+
+**Extends:** [oval-sc:ItemType](oval-system-characteristics-schema.md#ItemType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| sitecollectionurl | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The sitecollectionurl represents the URL for the site.
|
+| id | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The id of the sitecollection poilicy.
|
+| name | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The name of the sitecollection poilicy.
|
+| description | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The description of the Information Policy.
|
+| longdescription | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The long description of an Information Policy.
|
+
+______________
+
+## < spdiagnosticsservice_item >
+
+This represents the set of diagnostic capabilities for Windows Sharepoint Services.
+
+**Extends:** [oval-sc:ItemType](oval-system-characteristics-schema.md#ItemType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| farmname | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The farm whose diagnostic capabilities should be checked. Use .* for all farms or SPFarm.Local for the local farm.
|
+| displayname | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The name of the diagnostic service as shown in the Sharepoint Central Administration site.
|
+| logcutinterval | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||The number of minutes to capture events to a single log file. This value lies in the range 0 to 1440. The default value is 30.
|
+| loglocation | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The path to the file system directory where log files are created and stored.
|
+| logstokeep | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||The value that indicates the number of log files to create. This lies in the range 0 to 1024 with a default of 96.
|
+| required | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||The required property specifies whether an instance of the spdiagnosticsservice must be running on the farm.
|
+| typename | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The friendly name for the service as displayed in the Central Administration and in logs. This should be "Windows Sharepoint Diagnostics Service" by default.
|
+
+______________
+
+## < spdiagnosticslevel_item >
+
+The diagnostics level associated with a particular instance of a diagnostics service on a Sharepoint farm.
+
+**Extends:** [oval-sc:ItemType](oval-system-characteristics-schema.md#ItemType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| farmname | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The farm whose diagnostics levels should be checked. Use .* for all farms or SPFarm.Local for the local farm.
|
+| eventseverity | [sp-sc:EntityItemEventSeverityType](#EntityItemEventSeverityType) (0..1) |
+||The event severity setting for a particular diagnostic level category.
|
+| hidden | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Specifies whether the trace log category is hidden in the Windows Sharepoint Services Central Administration interface.
|
+| levelid | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||A string that represents the ID of the trace log category. This is its English language name.
|
+| levelname | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The name of the trace log category. This represents the localized name for the category.
|
+| traceseverity | [sp-sc:EntityItemTraceSeverityType](#EntityItemTraceSeverityType) (0..1) |
+||The trace severity setting for a particular diagnostic level category.
|
+
+______________
+
+## < sppolicyfeature_item >
+
+This represents a policy feature that is installed on the Sharepoint server farm.
+
+**Extends:** [oval-sc:ItemType](oval-system-characteristics-schema.md#ItemType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| farmname | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The farm whose policy features should be checked. Use .* for all farms or SPFarm.Local for the local farm.
|
+| configpage | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The URL to a web control used to edit policy instance-level settings.
|
+| defaultcustomdata | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The default values for any policy instance-level settings for a policy feature.
|
+| description | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The short description of the policy feature and of the service it provides.
|
+| globalconfigpage | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The URL to a web control used to edit server farm-level settings for this policy feature.
|
+| globalcustomdata | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The default settings for any server farm-level settings for this policy feature.
|
+| group | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The policy feature group to which a policy feature belongs.
|
+| name | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The name to display in the Microsoft Office Sharepoint Server 2007 interface for an information policy feature.
|
+| publisher | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The name of the creator of the policy feature as it is displayed in the Microsoft Office Sharepoint Server 2007 user interface.
|
+| state | [sp-sc:EntityItemPolicyFeatureStateType](#EntityItemPolicyFeatureStateType) (0..1) |
+||Specifies whether the policy feature is hidden or visible.
|
+
+______________
+
+## < sppolicy_item >
+
+This represents a policy on the Sharepoint system.
+
+**Extends:** [oval-sc:ItemType](oval-system-characteristics-schema.md#ItemType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| webappuri | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The URI that represents the web application for which policies should be checked.
|
+| urlzone | [sp-sc:EntityItemUrlZoneType](#EntityItemUrlZoneType) (0..1) |
+||The zone for which policies should be checked.
|
+| displayname | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The user or group display name for a policy. This defaults to the user name if the display name cannot be resolved through Active Directory.
|
+| issystemuser | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Specifies whether the user identified by a particular policy is visible only as a System account within the Windows Sharepoint Services user interface.
|
+| username | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The user name of the user or group that is associated with policy.
|
+| policyroletype | [sp-sc:EntityItemPolicyRoleType](#EntityItemPolicyRoleType) (0..1) |
+||The policy role type to apply globally in a Sharepoint web application to a user or group.
|
+
+## == EntityItemUrlZoneType ==
+
+The EntityItemUrlZoneType restricts a string value to a set of values that describe the different IIS Url Zones. The empty string is also allowed to support empty element associated with error conditions.
+
+**Restricts:** [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType)
+
+| Value | Description |
+| ----- | ----------- |
+| Custom | |
+| Default | |
+| Extranet | |
+| Intranet | |
+| Internet | |
+| | The empty string value is permitted here to allow for detailed error reporting.
|
+
+## == EntityItemEventSeverityType ==
+
+The EntityItemEventSeverityType restricts a string value to a set of values that describe the different states that can be configured for a diagnostics level event severity level property of the diagnostics service.
+
+**Restricts:** [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType)
+
+| Value | Description |
+| ----- | ----------- |
+| Error | |
+| ErrorCritical | |
+| ErrorSecurityBreach | |
+| ErrorServiceUnavailable | |
+| FailureAudit | |
+| Information | |
+| None | |
+| Success | |
+| SuccessAudit | |
+| Warning | |
+| | The empty string value is permitted here to allow for detailed error reporting.
|
+
+## == EntityItemTraceSeverityType ==
+
+The EntityItemTraceSeverityType restricts a string value to a set of values that describe the different states that can be configured for a diagnostics level trace severity level property of the diagnostics service.
+
+**Restricts:** [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType)
+
+| Value | Description |
+| ----- | ----------- |
+| High | |
+| Medium | |
+| Monitorable | |
+| None | |
+| Unexpected | |
+| Verbose | |
+| | The empty string value is permitted here to allow for detailed error reporting.
|
+
+## == EntityItemPolicyFeatureStateType ==
+
+The EntityItemPolicyFeatureStateType restricts a string value to a set of values that describe the different states that can be configured for a policy feature.
+
+**Restricts:** [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType)
+
+| Value | Description |
+| ----- | ----------- |
+| Hidden | Specifies that the policy feature is hidden from the Sharepoint Central Administration user interface.
|
+| Visible | Specifies that the policy feature is visible from the Sharepoint Central Administration user interface.
|
+| | The empty string value is permitted here to allow for detailed error reporting.
|
+
+## == EntityItemPolicyRoleType ==
+
+The EntityItemPolicyRoleType restricts a string value to a set of values that describe the different Policy settings for Access Control that are available for users.
+
+**Restricts:** [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType)
+
+| Value | Description |
+| ----- | ----------- |
+| DenyAll | Deny all rights.
|
+| DenyWrite | Deny write permissions.
|
+| FullControl | Grant full control.
|
+| FullRead | Grant full read permissions.
|
+| None | No role type assigned.
|
+| | The empty string value is permitted here to allow for detailed error reporting.
|
+
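Review bot: the isdisabled row in both the spjobdefinition_item and spjobdefinition510_item tables reads "Determines whether or not the job definition is enabled", which inverts the sense of an element named isdisabled; state the polarity explicitly, e.g. "True if the job definition is disabled." The url element of spsite_item has an empty description cell while every sibling row documents its meaning; add one. Both spsite_item and spsiteadministration_item describe sitecollectionurl as "A string the represents the url" (should be "that represents the URL"), the storagewarninglevel row drops a verb ending ("a site collection receives advance notice"), and "defintion" (spsiteadministration_item, spsite_item) and "poilicy" (infopolicycoll_item, twice) are misspelled. Finally, spjobdefinition510_item lists exactly the same child elements as the item it replaces, so the deprecation reason ("A new state was created to use displaynames") does not tell a reader what differs; either document the difference in the 510 item or reword the reason (this is an item, not a state).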
diff --git a/guidelines/oval-schema-documentation/solaris-definitions-schema.md b/guidelines/oval-schema-documentation/solaris-definitions-schema.md
new file mode 100644
index 0000000..b6f13c1
--- /dev/null
+++ b/guidelines/oval-schema-documentation/solaris-definitions-schema.md
@@ -0,0 +1,898 @@
+# Open Vulnerability and Assessment Language: Element Dictionary
+
+* Schema: Solaris Definition
+* Version: 5.11.1:1.1
+* Release Date: 11/30/2016 09:00:00 AM
+
+The following is a description of the elements, types, and attributes that compose the Solaris specific tests found in Open Vulnerability and Assessment Language (OVAL). Each test is an extension of the standard test element defined in the Core Definition Schema. Through extension, each test inherits a set of elements and attributes that are shared amongst all OVAL tests. Each test is described in detail and should provide the information necessary to understand what each element and attribute represents. This document is intended for developers and assumes some familiarity with XML. A high level description of the interaction between the different tests and their relationship to the Core Definition Schema is not outlined here.
+
+The OVAL Schema is maintained by the OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.cisecurity.org.
+
+## Test Listing
+
+ *[ facet_test ](#facet_test)
+ *[ image_test ](#image_test)
+ *[ isainfo_test ](#isainfo_test)
+ *[ ndd_test ](#ndd_test)
+ *[ package_test ](#package_test)
+ *[ package511_test ](#package511_test)
+ *[ packageavoidlist_test ](#packageavoidlist_test)
+ *[ packagecheck_test ](#packagecheck_test)
+ *[ packagefreezelist_test ](#packagefreezelist_test)
+ *[ packagepublisher_test ](#packagepublisher_test)
+ *[ patch54_test ](#patch54_test)
+ *[ ~~patch_test~~ ](#patch_test)
+ *[ smf_test ](#smf_test)
+ *[ smfproperty_test ](#smfproperty_test)
+ *[ variant_test ](#variant_test)
+ *[ virtualizationinfo_test ](#virtualizationinfo_test)
+
+______________
+
+## < facet_test >
+
+The facet_test is used to check the facets associated with the specified Image Packaging System image. Facets are properties that control whether or not optional components from a package are installed on a system. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references an facet_object and the optional state elements reference a facet_state and specifies the data to check.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..unbounded) |
+|||
+
+## < facet_object >
+
+The facet_object element is used by a facet test to define the image facet items to be evaluated based on the specified states. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| path | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The path to the Solaris IPS image.
|
+| name | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The name of the facet property associated with an IPS image.
|
+| [oval-def:filter](oval-definitions-schema.md#filter) | n/a (0..unbounded) |
+|||
+
+## < facet_state >
+
+The facet_state specifies the various facet properties associated with an IPS image.
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| path | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||Specifies the path to the Solaris IPS image.
|
+| name | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||Specifies the name of the facet property associated with an IPS image.
|
+| value | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Specifies the value of the facet property associated with an IPS image.
|
+
+______________
+
+## < image_test >
+
+The image_test provides support for checking the metadata of IPS images on Solaris systems. The test extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a image_object and the optional state elements reference image_states that specify the metadata to check about a set of images.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..unbounded) |
+|||
+
+## < image_object >
+
+The image_object element is used by a image_test to identify the set of images to check on a system. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| path | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The path to the Solaris IPS image.
|
+| name | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (1..1) |
+||The name of the property associated with the Solaris IPS image.
|
+| [oval-def:filter](oval-definitions-schema.md#filter) | n/a (0..unbounded) |
+|||
+
+## < image_state >
+
+The image_state element defines the different system state information that can be used to check the metadata associated with the specified IPS image on a Solaris system.
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| path | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The path to the Solaris IPS image.
|
+| name | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The name of the property associated with the Solaris IPS image.
|
+| value | [oval-def:EntityStateAnySimpleType](oval-definitions-schema.md#EntityStateAnySimpleType) (0..1) |
+||The value of a property that is associated with a Solaris IPS image.
|
+
+______________
+
+## < isainfo_test >
+
+The isainfo test reveals information about the instruction set architectures. This information can be retrieved by the isainfo command. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references an isainfo_object and the optional state element specifies the metadata to check.
+
+The isainfo_test was originally developed by Robert L. Hollis at ThreatGuard, Inc. Many thanks for their support of the OVAL project.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..unbounded) |
+|||
+
+## < isainfo_object >
+
+The isainfo_object element is used by an isainfo test to define those objects to evaluated based on a specified state. There is actually only one object relating to isainfo and this is the system as a whole. Therefore, there are no child entities defined. Any OVAL Test written to check isainfo will reference the same isainfo_object which is basically an empty object element.
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+## < isainfo_state >
+
+The isainfo_state element defines the information about the instruction set architectures. Please refer to the individual elements in the schema for more details about what each represents.
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| bits | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||This is the number of bits in the address space of the native instruction set (isainfo -b).
|
+| kernel_isa | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||This is the name of the instruction set used by kernel components (isainfo -k).
|
+| application_isa | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||This is the name of the instruction set used by portable applications (isainfo -n).
|
+
+______________
+
+## < ndd_test >
+
+From /usr/bin/ndd. See ndd manpage for specific fields
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..unbounded) |
+|||
+
+## < ndd_object >
+
+
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| device | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The name of the device to examine. If multiple instances of this device exist on the system, an item for each instance will be collected.
|
+| parameter | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The name of the parameter, For example, ip_forwarding.
|
+| [oval-def:filter](oval-definitions-schema.md#filter) | n/a (0..unbounded) |
+|||
+
+## < ndd_state >
+
+
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| device | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The name of the device to examine.
|
+| instance | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||The instance of the device to examine. Certain devices may have multiple instances on a system. If multiple instances exist, an item for each instance will be collected and will have this entity populated with its respective instance value. If only a single instance exists, this entity will not be collected.
|
+| parameter | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The name of the parameter, For example, ip_forwarding.
|
+| value | [oval-def:EntityStateAnySimpleType](oval-definitions-schema.md#EntityStateAnySimpleType) (0..1) |
+||The value of the named parameter.
|
+
+______________
+
+## < package_test >
+
+The package test is used to check information associated with different SVR4 packages installed on the system. Image Packaging System (IPS) packages are not supported by this test. The information used by this test is modeled after the /usr/bin/pkginfo command. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references an package_object and the optional state element specifies the information to check.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..unbounded) |
+|||
+
+## < package_object >
+
+The package_object element is used by a package test to define the SVR4 packages to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+A package object consists of a single pkginst entity that identifies the package to be used.
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| pkginst | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The pkginst entity is a string that represents a package designation by its instance. An instance can be the package abbreviation or a specific instance (for example, inst.1 or inst.2).
|
+| [oval-def:filter](oval-definitions-schema.md#filter) | n/a (0..unbounded) |
+|||
+
+## < package_state >
+
+The package_state element defines the different information associated with SVR4 packages installed on the system. Please refer to the individual elements in the schema for more details about what each represents.
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| pkginst | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The pkginst entity is a string that represents a package designation by its instance. An instance can be the package abbreviation or a specific instance (for example, inst.1 or inst.2).
|
+| name | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The name entity is a text string that specifies a full package name.
|
+| category | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The category entity is a string in the form of a comma-separated list of categories under which a package may be displayed. Note that a package must at least belong to the system or application category. Categories are case-insensitive and may contain only alphanumerics. Each category is limited in length to 16 characters.
|
+| version | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The version entity is a text string that specifies the current version associated with the software package. The maximum length is 256 ASCII characters and the first character cannot be a left parenthesis. Current Solaris software practice is to assign this parameter monotonically increasing Dewey decimal values of the form: major_revision.minor_revision[.micro_revision] where all the revision fields are integers. The versioning fields can be extended to an arbitrary string of numbers in Dewey-decimal format, if necessary.
|
+| vendor | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The vendor entity is a string used to identify the vendor that holds the software copyright (maximum length of 256 ASCII characters).
|
+| description | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The description entity is a string that represents a more in-depth description of a package.
|
+
+______________
+
+## < package511_test >
+
+The package511_test provides support for checking the metadata of packages installed using the Solaris Image Packaging System. The test extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a package511_object and the optional state elements reference package511_states that specify the metadata to check about a set of packages.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..unbounded) |
+|||
+
+## < package511_object >
+
+The package511_object element is used by a package511_test to identify the set of packages to check on a system. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| publisher | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The person, group of persons, or organization that is the source of the package. The publisher should be expressed without leading "pkg:" or "//" components.
|
+| name | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The full hierarchical name of the package which is separated by forward slash characters. The full name should be expressed without leading "pkg:/" or "/" components.
|
+| version | [oval-def:EntityObjectVersionType](oval-definitions-schema.md#EntityObjectVersionType) (1..1) |
+||The version of the package which consists of the component version, build version, and branch version.
|
+| timestamp | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The timestamp when the package was published in the ISO-8601 basic format (YYYYMMDDTHHMMSSZ).
|
+| [oval-def:filter](oval-definitions-schema.md#filter) | n/a (0..unbounded) |
+|||
+
+## < package511_state >
+
+The package511_state element defines the different system state information that can be used to check the metadata associated with the specified IPS packages on a Solaris system.
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| publisher | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The person, group of persons, or organization that is the source of the package. The publisher should be expressed without leading "pkg:" or "//" components.
|
+| name | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The full hierarchical name of the package which is separated by forward slash characters. The full name should be expressed without leading "pkg:/" or "/" components.
|
+| version | [oval-def:EntityStateVersionType](oval-definitions-schema.md#EntityStateVersionType) (0..1) |
+||The version of the package which consists of the component version, build version, and branch version.
|
+| timestamp | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The timestamp when the package was published in the ISO-8601 basic format (YYYYMMDDTHHMMSSZ).
|
+| fmri | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The Fault Management Resource Identifier (FMRI) of the package which uniquely identifies the package on the system.
|
+| summary | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||A summary of what the package provides.
|
+| description | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||A description of what the package provides.
|
+| category | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The category of the package.
|
+| updates_available | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||A boolean value indicating whether or not updates are available for this package.
|
+
+______________
+
+## < packageavoidlist_test >
+
+The packageavoidlist_test provides support for checking the metadata of IPS packages that have been flagged as needing to avoid from installation on a Solaris system. The test extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a packageavoidlist_object and the optional state elements reference packageavoidlist_states that specify the metadata to check about a set of packages that have been flagged as to be avoided on a Solaris system.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..unbounded) |
+|||
+
+## < packageavoidlist_object >
+
+The packageavoidlist_object element is used by a packageavoidlist_test to identify the set of IPS packages that have been flagged as to be avoided from installation on a Solaris system. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+## < packageavoidlist_state >
+
+The packageavoidlist_state element defines the different system state information that can be used to evaluate the specified IPS packages that have been flagged as to be avoided from installation on a Solaris system.
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| fmri | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The Fault Management Resource Identifier (FMRI) of the package which uniquely identifies the package on the system.
|
+
+______________
+
+## < packagecheck_test >
+
+The packagecheck_test is used to verify the integrity of an installed Solaris SVR4 package. Image Packaging System (IPS) packages are not supported by this test. The information used by this test is modeled after the pkgchk command. For more information, see pkgchk(1M). It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a packagecheck_object and the optional packagecheck_state element specifies the data to check.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..unbounded) |
+|||
+
+## < packagecheck_object >
+
+The packagecheck_object element is used by a packagecheck_test to define the SVR4 packages to be verified. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| behaviors | [sol-def:PackageCheckBehaviors](#PackageCheckBehaviors) (0..1) |
+|||
+| pkginst | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The pkginst entity is a string that represents a package designation by its instance. An instance can be the package abbreviation or a specific instance (for example, inst.1 or inst.2).
|
+| filepath | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The filepath element specifies the absolute path for a file or directory in the specified package.
|
+| [oval-def:filter](oval-definitions-schema.md#filter) | n/a (0..unbounded) |
+|||
+
+## < packagecheck_state >
+
+The package_state element defines the different verification information associated with SVR4 packages installed on the system. Please refer to the individual elements in the schema for more details about what each represents.
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| pkginst | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The pkginst entity is a string that represents a package designation by its instance. An instance can be the package abbreviation or a specific instance (for example, inst.1 or inst.2).
|
+| filepath | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The filepath element specifies the absolute path for a file or directory in the specified package.
|
+| checksum_differs | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Has the file's checksum changed? A value of true indicates that the file's checksum has changed. A value of false indicates that the file's checksum has not changed.
|
+| size_differs | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Has the file's size changed? A value of true indicates that the file's size has changed. A value of false indicates that the file's size has not changed.
|
+| mtime_differs | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Has the file's modified time changed? A value of true indicates that the file's modified time has changed. A value of false indicates that the file's modified time has not changed.
|
+| uread | [sol-def:EntityStatePermissionCompareType](#EntityStatePermissionCompareType) (0..1) |
+||Has the actual user read permission changed from the expected user read permission?
|
+| uwrite | [sol-def:EntityStatePermissionCompareType](#EntityStatePermissionCompareType) (0..1) |
+||Has the actual user write permission changed from the expected user write permission?
|
+| uexec | [sol-def:EntityStatePermissionCompareType](#EntityStatePermissionCompareType) (0..1) |
+||Has the actual user exec permission changed from the expected user exec permission?
|
+| gread | [sol-def:EntityStatePermissionCompareType](#EntityStatePermissionCompareType) (0..1) |
+||Has the actual group read permission changed from the expected group read permission?
|
+| gwrite | [sol-def:EntityStatePermissionCompareType](#EntityStatePermissionCompareType) (0..1) |
+||Has the actual group write permission changed from the expected group write permission?
|
+| gexec | [sol-def:EntityStatePermissionCompareType](#EntityStatePermissionCompareType) (0..1) |
+||Has the actual group exec permission changed from the expected group exec permission?
|
+| oread | [sol-def:EntityStatePermissionCompareType](#EntityStatePermissionCompareType) (0..1) |
+||Has the actual others read permission changed from the expected others read permission?
|
+| owrite | [sol-def:EntityStatePermissionCompareType](#EntityStatePermissionCompareType) (0..1) |
+||Has the actual others read permission changed from the expected others read permission?
|
+| oexec | [sol-def:EntityStatePermissionCompareType](#EntityStatePermissionCompareType) (0..1) |
+||Has the actual others read permission changed from the expected others read permission?
|
+
+## == PackageCheckBehaviors ==
+
+The PackageCheckBehaviors complex type defines a set of behaviors that for controlling how installed SVR4 packages are checked. These behaviors align with the options of the pkgchk command (specifically '-a', '-c', and '-n').
+
+#### Attributes:
+
+* **fileattributes_only** xsd:boolean (optional -- default='false')
+'fileattributes_only' when true this behavior means only check the file attributes and do not check file contents. When false, both file attributes and contents will be checked. This aligns with the pkgchk option '-a'.
+* **filecontents_only** xsd:boolean (optional -- default='false')
+'filecontents_only' when true this behavior means only check the file contents and do not check file attributes. When false, both file attributes and contents will be checked. This aligns with the pkgchk option '-c'.
+* **no_volatileeditable** xsd:boolean (optional -- default='false')
+'no_volatileeditable' when true this behavior means do not check volatile or editable files' contents. When false, volatile and editable files' contents will be checked. This aligns with the pkgchk option '-n'.
+
+______________
+
+## < packagefreezelist_test >
+
+The packagefreezelist_test provides support for checking the metadata of IPS packages that have been frozen at a particular version. The test extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a packagefreezelist_object and the optional state elements reference packagefreezelist_states that specify the metadata to check about a set of packages.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..unbounded) |
+|||
+
+## < packagefreezelist_object >
+
+The packagefreezelist_object element is used by a packagefreezelist_test to identify the set of IPS packages that have been frozen at a particular version on a system. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+## < packagefreezelist_state >
+
+The packagefreezelist_state element defines the different system state information that can be used to evaluate the specified IPS packages on a Solaris system that have been frozen at a particular version.
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| fmri | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The Fault Management Resource Identifier (FMRI) of the package which uniquely identifies the package on the system.
|
+
+______________
+
+## < packagepublisher_test >
+
+The packagepublisher_test provides support for checking the metadata of package publishers on a Solaris system. The test extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a packagepublisher_object and the optional state elements reference packagepublisher_states that specify the metadata to check about a set of package publishers on a Solaris system.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..unbounded) |
+|||
+
+## < packagepublisher_object >
+
+The packagepublisher_object element is used by a packagepublisher_test to identify the set of package publishers to check on a Solaris system. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| name | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The name of the IPS package publisher.
|
+| type | [sol-def:EntityObjectPublisherTypeType](#EntityObjectPublisherTypeType) (1..1) |
+||The type of the IPS package publisher.
|
+| origin_uri | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (0..1) |
+||The origin URI of the IPS package publisher.
|
+| [oval-def:filter](oval-definitions-schema.md#filter) | n/a (0..unbounded) |
+|||
+
+## < packagepublisher_state >
+
+The packagepublisher_state element defines the different system information that can be used to evaluate the specified package publishers.
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| name | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The name of the IPS package publisher.
|
+| type | [sol-def:EntityStatePublisherTypeType](#EntityStatePublisherTypeType) (0..1) |
+||The type of the IPS package publisher.
|
+| origin_uri | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The origin URI of the IPS package publisher.
|
+| alias | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The alias of the IPS package publisher.
|
+| ssl_key | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The Secure Socket Layer (SSL) key registered by a client for publishers using client-side SSL authentication.
|
+| ssl_cert | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The Secure Socket Layer (SSL) certificate registered by a client for publishers using client-side SSL authentication.
|
+| client_uuid | [sol-def:EntityStateClientUUIDType](#EntityStateClientUUIDType) (0..1) |
+||The universally unique identifier (UUID) that identifies the image to its IPS package publisher.
|
+| catalog_updated | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||The last time that the IPS package publisher's catalog was updated in seconds since the Unix epoch. The Unix epoch is the time 00:00:00 UTC on January 1, 1970.
|
+| enabled | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Specifies whether or not the IPS package publisher is enabled.
|
+| order | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||Specifies where in the search order the IPS package publisher is listed. The first publisher in the search order will have a value of '1'.
|
+| properties | [oval-def:EntityStateRecordType](oval-definitions-schema.md#EntityStateRecordType) (0..1) |
+||The properties associated with the IPS package publisher.
|
+
+______________
+
+## < patch54_test >
+
+The patch test is used to check information associated with different patches for SVR4 packages installed on the system. Image Packaging System (IPS) packages do not support patches and are not supported by this test. The information being tested is based off the /usr/bin/showrev -p command. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references an inetd_object and the optional state element specifies the information to check.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..unbounded) |
+|||
+
+______________
+
+## < ~~patch_test~~ >
+
+> :small_red_triangle: **Deprecated As Of Version 5.4** :small_red_triangle:
**Reason:** Replaced by the patch54_test. The new test includes additional functionality that allows the object element to match both the original patch and any superseding patches. As a result of this new functionality, the patch_object was also expanded to include behaviors and version entities. See the patch54_test.
**Comment:** This test has been deprecated and will be removed in version 6.0 of the language.
+
+The patch test is used to check information associated with different patches installed on the system. The information being tested is based off the /usr/bin/showrev -p command. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references an inetd_object and the optional state element specifies the information to check.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..unbounded) |
+|||
+
+## < patch54_object >
+
+The patch54_object element is used by a patch test to define the specific patch to be evaluated. Patches are identified by unique alphanumeric strings, with the patch base code first, a hyphen, and a number that represents the patch revision number. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+A patch object consists of a base entity that identifies the patch to be used, and a version entity that represent the patch revision number.
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| behaviors | [sol-def:PatchBehaviors](#PatchBehaviors) (0..1) |
+|||
+| base | [oval-def:EntityObjectIntType](oval-definitions-schema.md#EntityObjectIntType) (1..1) |
+||The base entity represents a patch base code found before the hyphen.
|
+| version | [oval-def:EntityObjectIntType](oval-definitions-schema.md#EntityObjectIntType) (1..1) |
+||The version entity represents a patch version number found after the hyphen.
|
+| [oval-def:filter](oval-definitions-schema.md#filter) | n/a (0..unbounded) |
+|||
+
+## < ~~patch_object~~ >
+
+> :small_red_triangle: **Deprecated As Of Version 5.4** :small_red_triangle:
**Reason:** Replaced by the patch54_object. Due to the additional functionality that allows the object element to match both the original patch and any superseding patches, a new object was created that includes behaviors and version entities. See the patch54_object.
**Comment:** This object has been deprecated and will be removed in version 6.0 of the language.
+
+The patch_object element is used by a patch test to define the specific patch to be evaluated. Patches are identified by unique alphanumeric strings, with the patch base code first, a hyphen, and a number that represents the patch revision number. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+A patch object consists of a single base entity that identifies the patch to be used.
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| base | [oval-def:EntityObjectIntType](oval-definitions-schema.md#EntityObjectIntType) (1..1) |
+||The base entity reresents a patch base code found before the hyphen.
|
+
+## < patch_state >
+
+The patch_state element defines the different information associated with a specific patch for an SVR4 package installed on the system. Patches are identified by unique alphanumeric strings, with the patch base code first, a hyphen, and a number that represents the patch revision number. Please refer to the individual elements in the schema for more details about what each represents.
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| base | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||The base entity reresents a patch base code found before the hyphen.
|
+| version | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||The version entity represents a patch version number found after the hyphen.
|
+
+## == PatchBehaviors ==
+
+The PatchBehaviors complex type defines a number of behaviors that allow a more detailed definition of the patch_object being specified. Note that using these behaviors may result in some unique results. For example, a double negative type condition might be created where an object entity says include everything except a specific item, but a behavior is used that might then add that item back in.
+
+#### Attributes:
+
+* **supersedence** Restriction of xsd:boolean (optional -- default='false')
+'supersedence' specifies that the object should also match any superseding patches to the one being specified. In Solaris, a patch can be superseded in two ways. The first way is implicitly when a new revision of a patch is released (e.g. patch 12345-02 supersedes patch 12345-01). The second way is explicitly where a new patch contains the complete functionality of another patch. If set to 'true', the resulting object set would be the original patch specified plus any superseding patches. The default value is 'false' meaning the object should only match the specified patch.
+
+______________
+
+## < smf_test >
+
+The smf_test is used to check service management facility controlled services including traditional unix rc level start/kill scrips and inetd daemon services. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a smf_object and the optional state element specifies the information to check.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..unbounded) |
+|||
+
+## < smf_object >
+
+The smf_object element is used by a smf_test to define the specific service instance to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+A smf_object consists of a fmri entity that represents the Fault Management Resource Identifier (FMRI) which uniquely identifies a service.
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| fmri | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The FMRI (Fault Managed Resource Identifier) entity is used to identify system objects for which advanced fault and resource management capabilities are provided. Services managed by SMF are assigned FMRI URIs prefixed with the scheme name "svc". FMRIs used by SMF can be expressed in three ways: first as an absolute path including a location path such as "localhost" (eg svc://localhost/system/system-log:default), second as a path relative to the local machine (eg svc:/system/system-log:default), and third as simply the service identifier with the string prefixes implied (eg system/system-log:default). For OVAL, the absolute path version (first choice) should be used.
|
+| [oval-def:filter](oval-definitions-schema.md#filter) | n/a (0..unbounded) |
+|||
+
+## < smf_state >
+
+The smf_state element defines the different information associated with a specific smf controlled service. Please refer to the individual elements in the schema for more details about what each represents.
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| fmri | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The FMRI (Fault Managed Resource Identifier) entity describes a possible identifier associated with a service. Services managed by SMF are assigned FMRI URIs prefixed with the scheme name "svc". FMRIs used by SMF can be expressed in three ways: first as an absolute path including a location path such as "localhost" (eg svc://localhost/system/system-log:default), second as a path relative to the local machine (eg svc:/system/system-log:default), and third as simply the service identifier with the string prefixes implied (eg system/system-log:default). For OVAL, the absolute path version (first choice) should be used.
|
+| service_name | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The service_name entity is usually an abbreviated form of the FMRI. In the example svc://localhost/system/system-log:default, the name would be system-log.
|
+| service_state | [sol-def:EntityStateSmfServiceStateType](#EntityStateSmfServiceStateType) (0..1) |
+||The service_state entity describes a possible state that the service may be in. Each service instance is always in a well-defined state based on its dependencies, the results of the execution of its methods, and its potential receipt of events from the contracts filesystem. The service_state values are UNINITIALIZED, OFFLINE, ONLINE, DEGRADED, MAINTENANCE, DISABLED, and LEGACY-RUN.
|
+| protocol | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The protocol entity describes a possible protocol supported by the service.
|
+| server_executable | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The entity server_executable is a string representing the listening daemon on the server side. An example being 'svcprop ftp' which might show 'inetd/start/exec astring /usr/sbin/in.ftpd\ -a'
|
+| server_arguements | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The server_arguments entity describes possible parameters that are passed to the service.
|
+| exec_as_user | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The exec_as_user entity is a string pulled from svcprop in the following format: inetd_start/user astring root
|
+
+______________
+
+## < smfproperty_test >
+
+The smfproperty_test is used to check the value of properties associated with SMF services. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references an smfproperty_object and the optional state elements reference a smfproperty_state and specifies the data to check.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..unbounded) |
+|||
+
+## < smfproperty_object >
+
+The smfproperty_object element is used by a SMF property test to define the SMF property items to be evaluated based on the specified states. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| service | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||Specifies the SMF service on the system. This is the service category and name separated by a forward slash ("/").
|
+| instance | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The instance of an SMF service which represents a specific configuration of a service.
|
+| property | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The name of the property associated with an SMF service. This is the property category and name separated by a forward slash ("/").
|
+| [oval-def:filter](oval-definitions-schema.md#filter) | n/a (0..unbounded) |
+|||
+
+## < smfproperty_state >
+
+The smfproperty_state specifies the values of properties associated with SMF services.
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| service | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||Specifies the SMF service on the system. This is the service category and name separated by a forward slash ("/").
|
+| instance | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||Specifies the instance of an SMF service which represents a specific configuration of a service.
|
+| property | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||Specifies the name of the property associated with an SMF service. This is the property category and name separated by a forward slash ("/").
|
+| fmri | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The Fault Management Resource Identifier (FMRI) of the SMF service which uniquely identifies the service on the system.
|
+| value | [oval-def:EntityStateAnySimpleType](oval-definitions-schema.md#EntityStateAnySimpleType) (0..1) |
+||Specifies the value of the property associated with an SMF service.
|
+
+______________
+
+## < variant_test >
+
+The variant_test is used to check the variants associated with the current Image Packaging System image. Variants are properties that control whether or not mutually exclusive components from a package are installed on a system. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references an variant_object and the optional state elements reference a variant_state and specifies the data to check.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..unbounded) |
+|||
+
+## < variant_object >
+
+The variant_object element is used by a variant test to define the image variant items to be evaluated based on the specified states. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| path | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The path to the Solaris IPS image.
|
+| name | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The name of the variant property associated with an IPS image.
|
+| [oval-def:filter](oval-definitions-schema.md#filter) | n/a (0..unbounded) |
+|||
+
+## < variant_state >
+
+The variant_state specifies the various variant properties associated with the specified IPS image.
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| path | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||Specifies the path to the Solaris IPS image.
|
+| name | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||Specifies the name of the variant property associated with an IPS image.
|
+| value | [oval-def:EntityStateAnySimpleType](oval-definitions-schema.md#EntityStateAnySimpleType) (0..1) |
+||Specifies the value of the variant property associated with an IPS image.
|
+
+______________
+
+## < virtualizationinfo_test >
+
+The virtualizationinfo_test provides support for checking the metadata associated with the current virtualization environment this instance of Solaris is running on. The test extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a virtualizationinfo_object and the optional state elements reference virtualizationinfo_states that specify the metadata to check the current virtualization environment.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..unbounded) |
+|||
+
+## < virtualizationinfo_object >
+
+The virtualizationinfo_object element is used by a virtualizationinfo_test to identify the current virtualization environment this instance of Solaris is running on. Given that this object only retrieves the current virtualization environment for the system, there are no child entities to specify in the object.
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+## < virtualizationinfo_state >
+
+The virtualizationinfo_state element defines the different information that can be used to evaluate the current virtualization environment this instance of Solaris is running on.
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| current | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The name of the current environment.
|
+| supported | [sol-def:EntityStateV12NEnvType](#EntityStateV12NEnvType) (0..1) |
+||The list of virtualization environments that this node supports as children.
|
+| parent | [sol-def:EntityStateV12NEnvType](#EntityStateV12NEnvType) (0..1) |
+||The parent environment of the current environment.
|
+| ldom-role | [sol-def:EntityStateLDOMRoleType](#EntityStateLDOMRoleType) (0..1) |
+||The logical domain roles associated with the current environment.
|
+| properties | [oval-def:EntityStateRecordType](oval-definitions-schema.md#EntityStateRecordType) (0..1) |
+||The properties associated with the current environment.
|
+
+## == EntityObjectPublisherTypeType ==
+
+The EntityObjectPublisherTypeType complex type restricts a string value to three values: archive, mirror, or origin that specifies how the publisher distributes their packages. The empty string is also allowed to support empty elements associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+**Restricts:** [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType)
+
+| Value | Description |
+| ----- | ----------- |
+| archive | The value of 'archive' specifies that the publisher distributes packages by providing a file that contains one or more packages.
|
+| mirror | The value of 'mirror' specifies that the publisher distributes packages by providing a package repository that contains only package content.
|
+| origin | The value of 'origin' specifies that the publisher distributes packages by providing a package repository that contains both package metadata and package content.
|
+| | The empty string value is permitted here to allow for empty elements associated with variable references.
|
+
+## == EntityStateClientUUIDType ==
+
+The EntityStateClientUUIDType restricts a string value to a representation of a client UUID, used to identify an image to its IPS package publisher. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the specified pattern restriction.
+
+**Restricts:** [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType)
+
+**Pattern:** ([a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12})?
+
+## == EntityStatePermissionCompareType ==
+
+The EntityStatePermissionCompareType complex type restricts a string value to more, less, or same which specifies if an actual permission is different than the expected permission (more or less restrictive) or if the permission is the same. The empty string is also allowed to support empty elements associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+**Restricts:** [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType)
+
+| Value | Description |
+| ----- | ----------- |
+| more | The actual permission is more restrictive than the expected permission.
|
+| less | The actual permission is less restrictive than the expected permission.
|
+| same | The actual permission is the same as the expected permission.
|
+| | The empty string value is permitted here to allow for empty elements associated with variable references.
|
+
+## == EntityStatePublisherTypeType ==
+
+The EntityStatePublisherTypeType complex type restricts a string value to three values: archive, mirror, or origin that specifies how the publisher distributes their packages. The empty string is also allowed to support empty elements associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+**Restricts:** [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType)
+
+| Value | Description |
+| ----- | ----------- |
+| archive | The value of 'archive' specifies that the publisher distributes packages by providing a file that contains one or more packages.
|
+| mirror | The value of 'mirror' specifies that the publisher distributes packages by providing a package repository that contains only package content.
|
+| origin | The value of 'origin' specifies that the publisher distributes packages by providing a package repository that contains both package metadata and package content.
|
+| | The empty string value is permitted here to allow for empty elements associated with variable references.
|
+
+## == EntityStateSmfServiceStateType ==
+
+The EntityStateSmfServiceStateType complex type defines the different values that are valid for the service_state entity of a smf_state. The empty string is also allowed as a valid value to support an empty element that is found when a variable reference is used within the type entity.
+
+**Restricts:** [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType)
+
+| Value | Description |
+| ----- | ----------- |
+| DEGRADED | The instance is enabled and running or available to run. The instance, however, is functioning at a limited capacity in comparison to normal operation.
|
+| DISABLED | The instance is disabled.
|
+| MAINTENANCE | The instance is enabled, but not able to run. Administrative action is required to restore the instance to offline and subsequent states.
|
+| LEGACY-RUN | This state represents a legacy instance that is not managed by the service management facility. Instances in this state have been started at some point, but might or might not be running.
|
+| OFFLINE | The instance is enabled, but not yet running or available to run.
|
+| ONLINE | The instance is enabled and running or is available to run.
|
+| UNINITIALIZED | This is the initial state for all service instances.
|
+| | The empty string value is permitted here to allow for empty elements associated with variable references.
|
+
+## == EntityStateV12NEnvType ==
+
+The EntityStateV12NEnvType complex type restricts a string value to a specific set of values that describe the virtalization environment. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+**Restricts:** [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType)
+
+| Value | Description |
+| ----- | ----------- |
+| unknown | The virtualization environment is unknown. This could mean it is a bare metal virtualization environment.
|
+| kvm | The virtualization environment is a Kernel-based Virtual Machine (KVM).
|
+| logical-domain | The virtualization environment is a logical domain.
|
+| non-global-zone | The virtualization environment is a non-global zone.
|
+| kernel-zone | The virtualization environment is a kernel zone.
|
+| vmware | The virtualization environment is VMware.
|
+| virtualbox | The virtualization environment is Oracle VirtualBox.
|
+| xen | The virtualization environment is Xen.
|
+| | The empty string value is permitted here to allow for empty elements associated with variable references.
|
+
+## == EntityStateLDOMRoleType ==
+
+The EntityStateLDOMRoleType complex type restricts a string value to a specific set of roles for the current virtualization environment. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+**Restricts:** [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType)
+
+| Value | Description |
+| ----- | ----------- |
+| control-role | The current virtualization environment is a control domain.
|
+| io-role | The current virtualization environment is an I/O domain.
|
+| root-role | The current virtualization environment is a root I/O domain.
|
+| service-role | The current virtualization environment is a service domain.
|
+| | The empty string value is permitted here to allow for empty elements associated with variable references.
|
+
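Review bot: the element name and its description disagree in the smf_state table at the `server_arguements` row: the cell reads `| server_arguements | [oval-def:EntityStateStringType]... (0..1) |` while the description under it says "The server_arguments entity describes possible parameters that are passed to the service." The element name has to match what the XSD declares, so check which spelling the schema actually uses and make the description use the same one; if the XSD carries the misspelled form, state that explicitly here so content authors do not write `server_arguments` and get a validation failure. Smaller wording fixes in the same hunk: "traditional unix rc level start/kill scrips" in the smf_test description should read "scripts"; "describe the virtalization environment" in EntityStateV12NEnvType should read "virtualization"; and the `unknown` row's "This could mean it is a bare metal virtualization environment" is self-contradictory as phrased, something like "this may indicate bare metal, i.e. no virtualization detected" says what the row intends.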
diff --git a/guidelines/oval-schema-documentation/solaris-system-characteristics-schema.md b/guidelines/oval-schema-documentation/solaris-system-characteristics-schema.md
new file mode 100644
index 0000000..4e76c06
--- /dev/null
+++ b/guidelines/oval-schema-documentation/solaris-system-characteristics-schema.md
@@ -0,0 +1,414 @@
+# Open Vulnerability and Assessment Language: Element Dictionary
+
+* Schema: Solaris System Characteristics
+* Version: 5.11.1:1.1
+* Release Date: 11/30/2016 09:00:00 AM
+
+The following is a description of the elements, types, and attributes that compose the Solaris specific system characteristic items found in Open Vulnerability and Assessment Language (OVAL). Each item is an extension of the standard test element defined in the Core Definition Schema. Through extension, each test inherits a set of elements and attributes that are shared amongst all OVAL tests. Each test is described in detail and should provide the information necessary to understand what each element and attribute represents. This document is intended for developers and assumes some familiarity with XML. A high level description of the interaction between the different tests and their relationship to the Core Definition Schema is not outlined here.
+
+The OVAL Schema is maintained by the OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.cisecurity.org.
+
+______________
+
+## < facet_item >
+
+This item stores the facet properties and values of an IPS system image.
+
+**Extends:** [oval-sc:ItemType](oval-system-characteristics-schema.md#ItemType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| path | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||Specifies the path to the Solaris IPS image.
|
+| name | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||Specifies the name of the facet property associated with an IPS image.
|
+| value | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Specifies the value of the facet property associated with an IPS image.
|
+
+______________
+
+## < image_item >
+
+This item stores system state information associated with an IPS image on a Solaris system.
+
+**Extends:** [oval-sc:ItemType](oval-system-characteristics-schema.md#ItemType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| path | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The path to the Solaris IPS image.
|
+| name | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The name of the property associated with the Solaris IPS image.
|
+| value | [oval-sc:EntityItemAnySimpleType](oval-system-characteristics-schema.md#EntityItemAnySimpleType) (0..unbounded) |
+||The value of a property that is associated with a Solaris IPS image.
|
+
+______________
+
+## < isainfo_item >
+
+Information about the instruction set architectures. This information can be retrieved by the isainfo command.
+
+The isainfo_item was originally developed by Robert L. Hollis at ThreatGuard, Inc. Many thanks for their support of the OVAL project.
+
+**Extends:** [oval-sc:ItemType](oval-system-characteristics-schema.md#ItemType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| bits | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||This is the number of bits in the address space of the native instruction set (isainfo -b).
|
+| kernel_isa | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||This is the name of the instruction set used by kernel components (isainfo -k).
|
+| application_isa | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||This is the name of the instruction set used by portable applications (isainfo -n).
|
+
+______________
+
+## < ndd_item >
+
+This item represents data collected by the ndd command.
+
+**Extends:** [oval-sc:ItemType](oval-system-characteristics-schema.md#ItemType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| device | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The name of the device for which the parameter was collected.
|
+| instance | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||The instance of the device to examine. Certain devices may have multiple instances on a system. If multiple instances exist, this entity should be populated with its respective instance value. If only a single instance exists, this entity should not be collected.
|
+| parameter | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The name of a parameter for example, ip_forwarding
|
+| value | [oval-sc:EntityItemAnySimpleType](oval-system-characteristics-schema.md#EntityItemAnySimpleType) (0..1) |
+||The observed value of the named parameter.
|
+
+______________
+
+## < package_item >
+
+The package_item holds information about installed SVR4 packages. Output of /usr/bin/pkginfo. See pkginfo(1).
+
+**Extends:** [oval-sc:ItemType](oval-system-characteristics-schema.md#ItemType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| pkginst | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+|||
+| name | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+|||
+| category | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+|||
+| version | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+|||
+| vendor | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+|||
+| description | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+|||
+
+______________
+
+## < package511_item >
+
+This item stores system state information associated with IPS packages installed on a Solaris system.
+
+**Extends:** [oval-sc:ItemType](oval-system-characteristics-schema.md#ItemType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| publisher | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The person, group of persons, or organization that is the source of the package. The publisher should be expressed without leading "pkg:" or "//" components.
|
+| name | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The full hierarchical name of the package which is separated by forward slash characters. The full name should be expressed without leading "pkg:/" or "/" components.
|
+| version | [oval-sc:EntityItemVersionType](oval-system-characteristics-schema.md#EntityItemVersionType) (0..1) |
+||The version of the package which consists of the component version, build version, and branch version.
|
+| timestamp | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The timestamp when the package was published in the ISO-8601 basic format (YYYYMMDDTHHMMSSZ).
|
+| fmri | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The Fault Management Resource Identifier (FMRI) of the package which uniquely identifies the package on the system.
|
+| summary | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||A summary of what the package provides.
|
+| description | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||A description of what the package provides.
|
+| category | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The category of the package.
|
+| updates_available | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||A boolean value indicating whether or not updates are available for this package.
|
+
+______________
+
+## < packageavoidlist_item >
+
+This item stores the FMRI associated with associated with IPS packages that have been flagged as to be avoided from installation on a Solaris system.
+
+**Extends:** [oval-sc:ItemType](oval-system-characteristics-schema.md#ItemType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| fmri | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The Fault Management Resource Identifier (FMRI) of the package which uniquely identifies the package on the system.
|
+
+______________
+
+## < packagecheck_item >
+
+The packagecheck_item holds verification information about an individual file that is part of an installed SVR4 package. Each packagecheck_item contains a package designation, filepath, whether the checksum differs, whether the size differs, whether the modfication time differs, and how the actual permissions differ from the expected permissions. For more information, see pkgchk(1M). It extends the standard ItemType as defined in the oval-system-characteristics schema and one should refer to the ItemType description for more information.
+
+**Extends:** [oval-sc:ItemType](oval-system-characteristics-schema.md#ItemType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| pkginst | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The pkginst entity is a string that represents a package designation by its instance. An instance can be the package abbreviation or a specific instance (for example, inst.1 or inst.2).
|
+| filepath | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The filepath element specifies the absolute path for a file or directory in the specified package..
|
+| checksum_differs | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Has the file's checksum changed? A value of true indicates that the file's checksum has changed. A value of false indicates that the file's checksum has not changed.
|
+| size_differs | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Has the file's size changed? A value of true indicates that the file's size has changed. A value of false indicates that the file's size has not changed.
|
+| mtime_differs | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Has the file's modified time changed? A value of true indicates that the file's modified time has changed. A value of false indicates that the file's modified time has not changed.
|
+| uread | [sol-sc:EntityItemPermissionCompareType](#EntityItemPermissionCompareType) (0..1) |
+||Has the actual user read permission changed from the expected user read permission?
|
+| uwrite | [sol-sc:EntityItemPermissionCompareType](#EntityItemPermissionCompareType) (0..1) |
+||Has the actual user write permission changed from the expected user write permission?
|
+| uexec | [sol-sc:EntityItemPermissionCompareType](#EntityItemPermissionCompareType) (0..1) |
+||Has the actual user exec permission changed from the expected user exec permission?
|
+| gread | [sol-sc:EntityItemPermissionCompareType](#EntityItemPermissionCompareType) (0..1) |
+||Has the actual group read permission changed from the expected group read permission?
|
+| gwrite | [sol-sc:EntityItemPermissionCompareType](#EntityItemPermissionCompareType) (0..1) |
+||Has the actual group write permission changed from the expected group write permission?
|
+| gexec | [sol-sc:EntityItemPermissionCompareType](#EntityItemPermissionCompareType) (0..1) |
+||Has the actual group exec permission changed from the expected group exec permission?
|
+| oread | [sol-sc:EntityItemPermissionCompareType](#EntityItemPermissionCompareType) (0..1) |
+||Has the actual others read permission changed from the expected others read permission?
|
+| owrite | [sol-sc:EntityItemPermissionCompareType](#EntityItemPermissionCompareType) (0..1) |
+||Has the actual others read permission changed from the expected others read permission?
|
+| oexec | [sol-sc:EntityItemPermissionCompareType](#EntityItemPermissionCompareType) (0..1) |
+||Has the actual others read permission changed from the expected others read permission?
|
+
+______________
+
+## < packagefreezelist_item >
+
+This item stores the FMRI associated with associated with IPS packages that have been frozen at a particular version.
+
+**Extends:** [oval-sc:ItemType](oval-system-characteristics-schema.md#ItemType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| fmri | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The Fault Management Resource Identifier (FMRI) of the package which uniquely identifies the package on the system.
|
+
+______________
+
+## < packagepublisher_item >
+
+This item stores system state information associated with IPS package publishers on a Solaris system.
+
+**Extends:** [oval-sc:ItemType](oval-system-characteristics-schema.md#ItemType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| name | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The name of the IPS package publisher.
|
+| type | [sol-sc:EntityItemPublisherTypeType](#EntityItemPublisherTypeType) (0..1) |
+||The type of the IPS package publisher.
|
+| origin_uri | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The origin URI of the IPS package publisher.
|
+| alias | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The alias of the IPS package publisher.
|
+| ssl_key | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The Secure Socket Layer (SSL) key registered by a client for publishers using client-side SSL authentication.
|
+| ssl_cert | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The Secure Socket Layer (SSL) certificate registered by a client for publishers using client-side SSL authentication.
|
+| client_uuid | [sol-sc:EntityItemClientUUIDType](#EntityItemClientUUIDType) (0..1) |
+||The universally unique identifier (UUID) that identifies the image to its publisher.
|
+| catalog_updated | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||The last time that the IPS package publisher's catalog was updated in seconds since the Unix epoch. The Unix epoch is the time 00:00:00 UTC on January 1, 1970.
|
+| enabled | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Specifies whether or not the publisher is enabled.
|
+| order | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||Specifies where in the search order the IPS package publisher is listed. The first publisher in the search order will have a value of '1'.
|
+| properties | [oval-sc:EntityItemRecordType](oval-system-characteristics-schema.md#EntityItemRecordType) (0..1) |
+||The properties associated with an IPS package publisher.
|
+
+______________
+
+## < patch_item >
+
+Patches for SVR4 packages are identified by unique alphanumeric strings, with the patch base code first, a hyphen, and a number that represents the patch revision number. The information can be obtained using /usr/bin/showrev -p. Please see showrev(1M).
+
+**Extends:** [oval-sc:ItemType](oval-system-characteristics-schema.md#ItemType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| base | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||The base entity reresents a patch base code found before the hyphen.
|
+| version | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||The version entity represents a patch version number found after the hyphen.
|
+
+______________
+
+## < smf_item >
+
+The smf_item is used to hold information related to service management facility controlled services
+
+**Extends:** [oval-sc:ItemType](oval-system-characteristics-schema.md#ItemType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| fmri | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The FMRI (Fault Managed Resource Identifier) entity holds the identifier associated with a service. Services managed by SMF are assigned FMRI URIs prefixed with the scheme name "svc". FMRIs used by SMF can be expressed in three ways: first as an absolute path including a location path such as "localhost" (eg svc://localhost/system/system-log:default), second as a path relative to the local machine (eg svc:/system/system-log:default), and third as simply the service identifier with the string prefixes implied (eg system/system-log:default). For OVAL, the absolute path version (first choice) should be used.
|
+| service_name | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The service_name entity is usually an abbreviated form of the FMRI. In the example svc://localhost/system/system-log:default, the name would be system-log.
|
+| service_state | [sol-sc:EntityItemSmfServiceStateType](#EntityItemSmfServiceStateType) (0..1) |
+||The service_state entity describes the state that the service is in. Each service instance is always in a well-defined state based on its dependencies, the results of the execution of its methods, and its potential receipt of events from the contracts filesystem. The service_state values are UNINITIALIZED, OFFLINE, ONLINE, DEGRADED, MAINTENANCE, DISABLED, and LEGACY-RUN.
|
+| protocol | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..unbounded) |
+||The protocol entity describes the protocol supported by the service.
|
+| server_executable | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The entity server_executable is a string representing the listening daemon on the server side. An example being 'svcprop ftp' which might show 'inetd/start/exec astring /usr/sbin/in.ftpd\ -a'
|
+| server_arguements | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The server_arguments entity describes the parameters that are passed to the service.
|
+| exec_as_user | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The exec_as_user entity is a string pulled from svcprop in the following format: inetd_start/user astring root
|
+
+______________
+
+## < smfproperty_item >
+
+This item stores the properties and values of an SMF service.
+
+**Extends:** [oval-sc:ItemType](oval-system-characteristics-schema.md#ItemType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| service | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||Specifies the SMF service on the system. This is the service category and name separated by a forward slash ("/").
|
+| instance | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||Specifies the instance of an SMF service which represents a specific configuration of a service.
|
+| property | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The name of the property associated with an SMF service. This is the property category and name separated by a forward slash ("/").
|
+| fmri | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The Fault Management Resource Identifier (FMRI) of the SMF service which uniquely identifies the service on the system.
|
+| value | [oval-sc:EntityItemAnySimpleType](oval-system-characteristics-schema.md#EntityItemAnySimpleType) (0..1) |
+||Specifies the value of the property associated with an SMF service.
|
+
+______________
+
+## < variant_item >
+
+This item stores the variant properties and values of the specified IPS system image.
+
+**Extends:** [oval-sc:ItemType](oval-system-characteristics-schema.md#ItemType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| path | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||Specifies the path to the Solaris IPS image.
|
+| name | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||Specifies the name of the variant property associated with an IPS image.
|
+| value | [oval-sc:EntityItemAnySimpleType](oval-system-characteristics-schema.md#EntityItemAnySimpleType) (0..unbounded) |
+||Specifies the value of the variant property associated with an IPS image.
|
+
+______________
+
+## < virtualizationinfo_item >
+
+This item stores the information associated with the current virtualization environment this instance of Solaris is running on and is capable of supporting.
+
+**Extends:** [oval-sc:ItemType](oval-system-characteristics-schema.md#ItemType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| current | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The name of the current environment. This information could be collected using the libv12n library or by executing the 'virtinfo -c current list -H -o name' command.
|
+| supported | [sol-sc:EntityItemV12NEnvType](#EntityItemV12NEnvType) (0..unbounded) |
+||The list of virtualization environments that this node supports as children. This information could be collected using the libv12n library or by executing the 'virtinfo -c supported list -H -o name' command.
|
+| parent | [sol-sc:EntityItemV12NEnvType](#EntityItemV12NEnvType) (0..1) |
+||The parent environment of the current environment. This information could be collected using libv12n library or by executing the 'virtinfo -c parent list -H -o name' command.
|
+| ldom-role | [sol-sc:EntityItemLDOMRoleType](#EntityItemLDOMRoleType) (0..unbounded) |
+||The logical domain roles associated with the current environment. This information could be collected using libv12n library.
|
+| properties | [oval-sc:EntityItemRecordType](oval-system-characteristics-schema.md#EntityItemRecordType) (0..1) |
+||The properties associated with the current environment. This information could be collected using libv12n library.
|
+
+## == EntityItemClientUUIDType ==
+
+The EntityItemClientUUIDType restricts a string value to a representation of a client UUID, used to identify an image to its IPS package publisher. The empty string is also allowed to support empty element associated with error conditions.
+
+**Restricts:** [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType)
+
+**Pattern:** ([a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12})?
+
+## == EntityItemPermissionCompareType ==
+
+The EntityItemPermissionCompareType complex type restricts a string value to more, less, or same which specifies if an actual permission is different than the expected permission (more or less restrictive) or if the permission is the same. The empty string is also allowed to support empty elements associated with error conditions.
+
+**Restricts:** [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType)
+
+| Value | Description |
+| ----- | ----------- |
+| more | The actual permission is more restrictive than the expected permission.
|
+| less | The actual permission is less restrictive than the expected permission.
|
+| same | The actual permission is the same as the expected permission.
|
+| | The empty string value is permitted here to allow for detailed error reporting.
|
+
+## == EntityItemPublisherTypeType ==
+
+The EntityItemPublisherTypeType complex type restricts a string value to three values: archive, mirror, or origin that specifies how the publisher distributes their packages. The empty string is also allowed to support empty elements associated with error conditions.
+
+**Restricts:** [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType)
+
+| Value | Description |
+| ----- | ----------- |
+| archive | The value of 'archive' specifies that the publisher distributes packages by providing a file that contains one or more packages.
|
+| mirror | The value of 'mirror' specifies that the publisher distributes packages by providing a package repository that contains only package content.
|
+| origin | The value of 'origin' specifies that the publisher distributes packages by providing a package repository that contains both package metadata and package content.
|
+| | The empty string value is permitted here to allow for detailed error reporting.
|
+
+## == EntityItemSmfServiceStateType ==
+
+The EntityItemSmfServiceStateType defines the different values that are valid for the service_state entity of a smf_item. The empty string is also allowed as a valid value to support empty emlements associated with error conditions.
+
+**Restricts:** [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType)
+
+| Value | Description |
+| ----- | ----------- |
+| DEGRADED | The instance is enabled and running or available to run. The instance, however, is functioning at a limited capacity in comparison to normal operation.
|
+| DISABLED | The instance is disabled.
|
+| MAINTENANCE | The instance is enabled, but not able to run. Administrative action is required to restore the instance to offline and subsequent states.
|
+| LEGACY-RUN | This state represents a legacy instance that is not managed by the service management facility. Instances in this state have been started at some point, but might or might not be running.
|
+| OFFLINE | The instance is enabled, but not yet running or available to run.
|
+| ONLINE | The instance is enabled and running or is available to run.
|
+| UNINITIALIZED | This is the initial state for all service instances.
|
+| | The empty string value is permitted here to allow for detailed error reporting.
|
+
+## == EntityItemV12NEnvType ==
+
+The EntityItemV12NEnvypeType complex type restricts a string value to a specific set of values that describe the virtalization environment. The empty string is also allowed to support empty elements associated with error conditions.
+
+**Restricts:** [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType)
+
+| Value | Description |
+| ----- | ----------- |
+| unknown | The virtualization environment is unknown. This could mean it is a bare metal virtualization environment.
|
+| kvm | The virtualization environment is a Kernel-based Virtual Machine (KVM).
|
+| logical-domain | The virtualization environment is a logical domain.
|
+| non-global-zone | The virtualization environment is a non-global zone.
|
+| kernel-zone | The virtualization environment is a kernel zone.
|
+| vmware | The virtualization environment is VMware.
|
+| virtualbox | The virtualization environment is Oracle VirtualBox.
|
+| xen | The virtualization environment is Xen.
|
+| | The empty string value is permitted here to allow for detailed error reporting.
|
+
+## == EntityItemLDOMRoleType ==
+
+The EntityItemLDOMRoleType complex type restricts a string value to a specific set of roles for the current virtualization environment. The empty string is also allowed to support empty elements associated with error conditions.
+
+**Restricts:** [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType)
+
+| Value | Description |
+| ----- | ----------- |
+| control-role | The current virtualization environment is a control domain.
|
+| io-role | The current virtualization environment is an I/O domain.
|
+| root-role | The current virtualization environment is a root I/O domain.
|
+| service-role | The current virtualization environment is a service domain.
|
+| | The empty string value is permitted here to allow for detailed error reporting.
|
+
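Review bot: the owrite and oexec rows of the packagecheck_item table (the last two EntityItemPermissionCompareType rows before the packagefreezelist_item separator) repeat the oread description, "Has the actual others read permission changed from the expected others read permission?", so the dictionary documents the wrong meaning for those two entities; they should read "Has the actual others write permission changed from the expected others write permission?" and "Has the actual others exec permission changed from the expected others exec permission?", in line with the uwrite/uexec and gwrite/gexec rows. Two further consistency points in this hunk: the smf_item table names the element server_arguements while its description opens with "The server_arguments entity"; if the element in the sol-system-characteristics schema is in fact spelled server_arguements, the description should use that same spelling (and say it mirrors the schema), since readers will search this dictionary for the exact element name, otherwise the element name needs correcting. Under EntityItemV12NEnvType the first sentence refers to "EntityItemV12NEnvypeType", which does not match the heading or the type referenced from virtualizationinfo_item. Smaller text fixes: "modfication" in the packagecheck_item intro, the doubled full stop in "in the specified package..", "associated with associated with" in packagefreezelist_item, "reresents" in the patch_item base row, the missing full stop after "controlled services" in the smf_item intro, "emlements" in EntityItemSmfServiceStateType, and "virtalization" in EntityItemV12NEnvType.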
diff --git a/guidelines/oval-schema-documentation/unix-definitions-schema.md b/guidelines/oval-schema-documentation/unix-definitions-schema.md
new file mode 100644
index 0000000..ac1f7ca
--- /dev/null
+++ b/guidelines/oval-schema-documentation/unix-definitions-schema.md
@@ -0,0 +1,1240 @@
+# Open Vulnerability and Assessment Language: Element Dictionary
+
+* Schema: UNIX Definition
+* Version: 5.11.1:1.2
+* Release Date: 11/30/2016 09:00:00 AM
+
+The following is a description of the elements, types, and attributes that compose generic UNIX tests found in Open Vulnerability and Assessment Language (OVAL). Each test is an extension of the standard test element defined in the Core Definition Schema. Through extension, each test inherits a set of elements and attributes that are shared amongst all OVAL tests. Each test is described in detail and should provide the information necessary to understand what each element and attribute represents. This document is intended for developers and assumes some familiarity with XML. A high level description of the interaction between the different tests and their relationship to the Core Definition Schema is not outlined here.
+
+The OVAL Schema is maintained by the OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.cisecurity.org.
+
+## Test Listing
+
+ *[ dnscache_test ](#dnscache_test)
+ *[ file_test ](#file_test)
+ *[ fileextendedattribute_test ](#fileextendedattribute_test)
+ *[ gconf_test ](#gconf_test)
+ *[ inetd_test ](#inetd_test)
+ *[ interface_test ](#interface_test)
+ *[ password_test ](#password_test)
+ *[ ~~process_test~~ ](#process_test)
+ *[ process58_test ](#process58_test)
+ *[ routingtable_test ](#routingtable_test)
+ *[ runlevel_test ](#runlevel_test)
+ *[ ~~sccs_test~~ ](#sccs_test)
+ *[ shadow_test ](#shadow_test)
+ *[ symlink_test ](#symlink_test)
+ *[ sysctl_test ](#sysctl_test)
+ *[ uname_test ](#uname_test)
+ *[ xinetd_test ](#xinetd_test)
+
+______________
+
+## < dnscache_test >
+
+The dnscache_test is used to check the time to live and IP addresses associated with a domain name. The time to live and IP addresses for a particular domain name are retrieved from the DNS cache on the local system. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a dnscache_object and the optional state element specifies the metadata to check.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..unbounded) |
+|||
+
+## < dnscache_object >
+
+The dnscache_object is used by the dnscache_test to specify the domain name(s) that should be collected from the DNS cache on the local system. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| domain_name | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The domain_name element specifies the domain name(s) that should be collected from the DNS cache on the local system.
|
+| [oval-def:filter](oval-definitions-schema.md#filter) | n/a (0..unbounded) |
+|||
+
+## < dnscache_state >
+
+The dnscache_state contains three entities that are used to check the domain name, time to live, and IP addresses associated with the DNS cache entry.
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| domain_name | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The domain_name element contains a string that represents a domain name that was collected from the DNS cache on the local system.
|
+| ttl | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||The ttl element contains an integer that represents the time to live in seconds of the DNS cache entry.
|
+| ip_address | [oval-def:EntityStateIPAddressStringType](oval-definitions-schema.md#EntityStateIPAddressStringType) (0..1) |
+||The ip_address element contains a string that represents an IP address associated with the specified domain name that was collected from the DNS cache on the local system. Note that the IP address can be IPv4 or IPv6.
|
+
+______________
+
+## < file_test >
+
+The file test is used to check metadata associated with UNIX files, of the sort returned by either an ls command, stat command or stat() system call. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a file_object and the optional state element specifies the metadata to check.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..unbounded) |
+|||
+
+## < file_object >
+
+The file_object element is used by a file test to define the specific file(s) to be evaluated. The file_object will collect all UNIX file types (directory, regular file, character device, block device, fifo, symbolic link, and socket). Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+A file object defines the path and filename of the file(s). In addition, a number of behaviors may be provided that help guide the collection of objects. Please refer to the FileBehaviors complex type for more information about specific behaviors.
+
+The set of files to be evaluated may be identified with either a complete filepath or a path and filename. Only one of these options may be selected.
+
+It is important to note that the 'max_depth' and 'recurse_direction' attributes of the 'behaviors' element do not apply to the 'filepath' element, only to the 'path' and 'filename' elements. This is because the 'filepath' element represents an absolute path to a particular file and it is not possible to recurse over a file.
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| behaviors | [unix-def:FileBehaviors](#FileBehaviors) (0..1) |
+|||
+| filepath | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The filepath element specifies the absolute path for a file on the machine. A directory cannot be specified as a filepath.
|
+| path | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The path element specifies the directory component of the absolute path to a file on the machine.
|
+| filename | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The filename element specifies the name of a file to evaluate. If the xsi:nil attribute is set to true, then the object being specified is the higher level directory object (not all the files in the directory). In this case, the filename element should not be used during collection and would result in the unique set of items being the directories themselves. For example, one would set xsi:nil to true if the desire was to test the attributes or permissions associated with a directory. Setting xsi:nil equal to true is different than using a .* pattern match, which says to collect every file under a given path.
|
+| [oval-def:filter](oval-definitions-schema.md#filter) | n/a (0..unbounded) |
+|||
+
+## < file_state >
+
+The file_state element defines the different metadata associate with a UNIX file. This includes the path, filename, type, group id, user id, size, etc. In addition, the permission associated with the file are also included. Please refer to the individual elements in the schema for more details about what each represents.
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| filepath | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The filepath element specifies the absolute path for a file on the machine. A directory cannot be specified as a filepath.
|
+| path | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The path element specifies the directory component of the absolute path to a file on the machine.
|
+| filename | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The name of the file.
|
+| type | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||This is the file's type: regular file (regular), directory, named pipe (fifo), symbolic link, socket or block special.
|
+| group_id | Restriction of [oval-def:EntityStateAnySimpleType](oval-definitions-schema.md#EntityStateAnySimpleType) . See schema for details. (0..1) |
+||The group_id entity represents the group owner of a file, by group number.
|
+| user_id | Restriction of [oval-def:EntityStateAnySimpleType](oval-definitions-schema.md#EntityStateAnySimpleType) . See schema for details. (0..1) |
+||The numeric user id, or uid, is the third column of each user's entry in /etc/passwd. This element represents the owner of the file.
|
+| a_time | Restriction of [oval-def:EntityStateAnySimpleType](oval-definitions-schema.md#EntityStateAnySimpleType) . See schema for details. (0..1) |
+||This is the time that the file was last accessed, in seconds since the Unix epoch. The Unix epoch is the time 00:00:00 UTC on January 1, 1970.
|
+| c_time | Restriction of [oval-def:EntityStateAnySimpleType](oval-definitions-schema.md#EntityStateAnySimpleType) . See schema for details. (0..1) |
+||This is the time of the last change to the file's inode, in seconds since the Unix epoch. The Unix epoch is the time 00:00:00 UTC on January 1, 1970. An inode is a Unix data structure that stores all of the information about a particular file.
|
+| m_time | Restriction of [oval-def:EntityStateAnySimpleType](oval-definitions-schema.md#EntityStateAnySimpleType) . See schema for details. (0..1) |
+||This is the time of the last change to the file's contents, in seconds since the Unix epoch. The Unix epoch is the time 00:00:00 UTC on January 1, 1970.
|
+| size | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||This is the size of the file in bytes.
|
+| suid | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Does the program run with the uid (thus privileges) of the file's owner, rather than the calling user?
|
+| sgid | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Does the program run with the gid (thus privileges) of the file's group owner, rather than the calling user's group?
|
+| sticky | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Can users delete each other's files in this directory, when said directory is writable by those users?
|
+| uread | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Can the owner (user owner) of the file read this file or, if a directory, read the directory contents?
|
+| uwrite | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Can the owner (user owner) of the file write to this file or, if a directory, write to the directory?
|
+| uexec | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Can the owner (user owner) of the file execute it or, if a directory, change into the directory?
|
+| gread | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Can the group owner of the file read this file or, if a directory, read the directory contents?
|
+| gwrite | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Can the group owner of the file write to this file or, if a directory, write to the directory?
|
+| gexec | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Can the group owner of the file execute it or, if a directory, change into the directory?
|
+| oread | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Can all other users read this file or, if a directory, read the directory contents?
|
+| owrite | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Can the other users write to this file or, if a directory, write to the directory?
|
+| oexec | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Can the other users execute this file or, if a directory, change into the directory?
|
+| has_extended_acl | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Does the file or directory have ACL permissions applied to it? If the file or directory doesn't have an ACL, or it matches the standard UNIX permissions, the value will be 'false'. Otherwise, if a file or directory has an ACL, the value will be 'true'.
|
+
+## == FileBehaviors ==
+
+The FileBehaviors complex type defines a number of behaviors that allow a more detailed definition of the file_object being specified. Note that using these behaviors may result in some unique results. For example, a double negative type condition might be created where an object entity says include everything except a specific item, but a behavior is used that might then add that item back in.
+
+It is important to note that the 'max_depth' and 'recurse_direction' attributes of the 'behaviors' element do not apply to the 'filepath' element, only to the 'path' and 'filename' elements. This is because the 'filepath' element represents an absolute path to a particular file and it is not possible to recurse over a file.
+
+#### Attributes:
+
+* **max_depth** Restriction of xsd:integer (optional -- default='-1')
+'max_depth' defines the maximum depth of recursion to perform when a recurse_direction is specified. A value of '0' is equivalent to no recursion, '1' means to step only one directory level up/down, and so on. The default value is '-1' meaning no limitation. For a 'max_depth' of -1 or any value of 1 or more the starting directory must be considered in the recursive search.
+Note that the default recurse_direction behavior is 'none' so even though max_depth specifies no limitation by default, the recurse_direction behavior turns recursion off.
+Note that this behavior only applies with the equality operation on the path entity.
+* **recurse** Restriction of xsd:string (optional -- default='symlinks and directories') ('~~none~~', '~~files~~', 'directories', '~~files and directories~~', 'symlinks', 'symlinks and directories')
+'recurse' defines how to recurse into the path entity, in other words what to follow during recursion. Options include symlinks, directories, or both. Note that a max-depth other than 0 has to be specified for recursion to take place and for this attribute to mean anything.
+Note that this behavior only applies with the equality operation on the path entity.
+* **recurse_direction** Restriction of xsd:string (optional -- default='none') ('none', 'up', 'down')
+'recurse_direction' defines the direction to recurse, either 'up' to parent directories, or 'down' into child directories. The default value is 'none' for no recursion.
+Note that this behavior only applies with the equality operation on the path entity.
+* **recurse_file_system** Restriction of xsd:string (optional -- default='all') ('all', 'local', 'defined')
+'recurse_file_system' defines the file system limitation of any searching and applies to all operations as specified on the path or filepath entity. The value of 'local' limits the search scope to local file systems (as opposed to file systems mounted from an external system). The value of 'defined' keeps any recursion within the file system that the file_object (path+filename or filepath) has specified. For example, if the path specified was "/", you would search only the filesystem mounted there, not other filesystems mounted to descendant paths. The value of 'defined' only applies when an equality operation is used for searching because the path or filepath entity must explicitly define a file system. The default value is 'all' meaning to search all available file systems for data collection.
+Note that in most cases it is recommended that the value of 'local' be used to ensure that file system searching is limited to only the local file systems. Searching 'all' file systems may have performance implications.
+
+______________
+
+## < fileextendedattribute_test >
+
+The file extended attribute test is used to check extended attribute values associated with UNIX files, of the sort returned by the getfattr command or getxattr() system call. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a fileextendedattribute_object and the optional state element specifies the extended attributes to check.
+
+NOTE: Solaris has a very different implementation of "extended attributes" in which the attributes are really an orthogonal directory hierarchy of files. See the Solaris documentation for more details. The file extended attribute test only handles simple name/value pairs as implemented by most other UNIX derived operating systems.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..unbounded) |
+|||
+
+## < fileextendedattribute_object >
+
+The fileextendedattribute_object element is used by a file extended attribute test to define the specific file(s) and attribute(s) to be evaluated. The fileextendedattribute_object will collect all UNIX file types (directory, regular file, character device, block device, fifo, symbolic link, and socket). Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+A file extended attribute object defines the path, filename and attribute name. In addition, a number of behaviors may be provided that help guide the collection of objects. Please refer to the FileExtendedAttributeBehaviors complex type for more information about specific behaviors.
+
+The set of files to be evaluated may be identified with either a complete filepath or a path and filename. Only one of these options may be selected.
+
+It is important to note that the 'max_depth' and 'recurse_direction' attributes of the 'behaviors' element do not apply to the 'filepath' element, only to the 'path' and 'filename' elements. This is because the 'filepath' element represents an absolute path to a particular file and it is not possible to recurse over a file.
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| behaviors | [unix-def:FileBehaviors](#FileBehaviors) (0..1) |
+|||
+| filepath | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The filepath element specifies the absolute path for a file on the machine. A directory cannot be specified as a filepath.
|
+| path | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The path element specifies the directory component of the absolute path to a file on the machine.
|
+| filename | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The filename element specifies the name of a file to evaluate. If the xsi:nil attribute is set to true, then the object being specified is the higher level directory object (not all the files in the directory). In this case, the filename element should not be used during collection and would result in the unique set of items being the directories themselves. For example, one would set xsi:nil to true if the desire was to test the attributes associated with a directory. Setting xsi:nil equal to true is different than using a .* pattern match, which says to collect every file under a given path.
|
+| attribute_name | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The attribute_name element specifies the name of an extended attribute to evaluate.
|
+| [oval-def:filter](oval-definitions-schema.md#filter) | n/a (0..unbounded) |
+|||
+
+## < fileextendedattribute_state >
+
+The fileextendedattribute_state element defines an extended attribute associated with a UNIX file. This includes the path, filename, attribute name, and attribute value.
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| filepath | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The filepath element specifies the absolute path for a file on the machine. A directory can be specified as a filepath.
|
+| path | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The path element specifies the directory component of the absolute path to a file on the machine.
|
+| filename | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The name of the file.
|
+| attribute_name | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||This is the extended attribute's name, identifier or key.
|
+| value | [oval-def:EntityStateAnySimpleType](oval-definitions-schema.md#EntityStateAnySimpleType) (0..1) |
+||The value entity represents the extended attribute's value or contents. To test for an attribute with no value assigned to it, this entity would be used with an empty value.
|
+
+______________
+
+## < gconf_test >
+
+The gconf_test is used to check the attributes and value(s) associated with GConf preference keys. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a gconf_object and the optional gconf_state element specifies the data to check.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..unbounded) |
+|||
+
+## < gconf_object >
+
+The gconf_object element is used by a gconf_test to define the preference keys to collect and the sources from which to collect the preference keys. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| key | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||This is the preference key to check.
|
+| source | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The source element specifies the source from which to collect the preference key. The source is represented by the absolute path to a GConf XML file as XML is the current backend for GConf. Note that other backends may become available in the future. If the xsi:nil attribute is set to 'true', the preference key is looked up using the GConf daemon. Otherwise, the preference key is looked up using the values specified in this entity.
|
+| [oval-def:filter](oval-definitions-schema.md#filter) | n/a (0..unbounded) |
+|||
+
+## < gconf_state >
+
+The gconf_state element defines the different information that can be used to evaluate the specified GConf preference key. This includes the preference key, source, type, whether it's writable, the user who last modified it, the time it was last modified, whether it's the default value, as well as the preference key's value. Please refer to the individual elements in the schema for more details about what each represents.
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| key | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The preference key to check.
|
+| source | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The source used to look up the preference key.
|
+| type | [unix-def:EntityStateGconfTypeType](#EntityStateGconfTypeType) (0..1) |
+||The type of the preference key.
|
+| is_writable | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Is the preference key writable? If true, the preference key is writable. If false, the preference key is not writable.
|
+| mod_user | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The user who last modified the preference key.
|
+| mod_time | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||The time the preference key was last modified in seconds since the Unix epoch. The Unix epoch is the time 00:00:00 UTC on January 1, 1970.
|
+| is_default | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Is the preference key value the default value. If true, the preference key value is the default value. If false, the preference key value is not the default value.
|
+| value | [oval-def:EntityStateAnySimpleType](oval-definitions-schema.md#EntityStateAnySimpleType) (0..1) |
+||The value of the preference key.
|
+
+______________
+
+## < inetd_test >
+
+The inetd test is used to check information associated with different Internet services. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references an inetd_object and the optional state element specifies the information to check.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..unbounded) |
+|||
+
+## < inetd_object >
+
+The inetd_object element is used by an inetd test to define the specific protocol-service to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+An inetd object consists of a protocol entity and a service_name entity that identifies the specific service to be tested.
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| protocol | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||A recognized protocol listed in the file /etc/inet/protocols.
|
+| service_name | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The name of a valid service listed in the services file. For RPC services, the value of the service-name field consists of the RPC service name or program number, followed by a '/' (slash) and either a version number or a range of version numbers (for example, rstatd/2-4).
|
+| [oval-def:filter](oval-definitions-schema.md#filter) | n/a (0..unbounded) |
+|||
+
+## < inetd_state >
+
+The inetd_state element defines the different information associated with a specific Internet service. Please refer to the individual elements in the schema for more details about what each represents.
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| protocol | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||A recognized protocol listed in the file /etc/inet/protocols.
|
+| service_name | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The name of a valid service listed in the services file. For RPC services, the value of the service-name field consists of the RPC service name or program number, followed by a '/' (slash) and either a version number or a range of version numbers (for example, rstatd/2-4).
|
+| server_program | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||Either the pathname of a server program to be invoked by inetd to perform the requested service, or the value internal if inetd itself provides the service.
|
+| server_arguments | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The arguments for running the service. These are either passed to the server program invoked by inetd, or used to configure a service provided by inetd. In the case of server programs, the arguments shall begin with argv[0], which is typically the name of the program. In the case of a service provided by inted, the first argument shall be the word "internal".
|
+| endpoint_type | [unix-def:EntityStateEndpointType](#EntityStateEndpointType) (0..1) |
+||The endpoint type (aka, socket type) associated with the service.
|
+| exec_as_user | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The user id of the user the server program should run under. (This allows for running with less permission than root.)
|
+| wait_status | [unix-def:EntityStateWaitStatusType](#EntityStateWaitStatusType) (0..1) |
+||This field has values wait or nowait. This entry specifies whether the server that is invoked by inetd will take over the listening socket associated with the service, and whether once launched, inetd will wait for that server to exit, if ever, before it resumes listening for new service requests.
|
+
+______________
+
+## < interface_test >
+
+The interface test enumerates various attributes about the interfaces on a system. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references an interface_object and the optional state element specifies the interface information to check.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..unbounded) |
+|||
+
+## < interface_object >
+
+The interface_object element is used by an interface test to define the specific interfaces(s) to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+An interface object consists of a single name entity that identifies which interface is being specified.
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| name | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The name element is the interface (eth0, eth1, fw0, etc.) name to check.
|
+| [oval-def:filter](oval-definitions-schema.md#filter) | n/a (0..unbounded) |
+|||
+
+## < interface_state >
+
+The interface_state element enumerates the different properties associate with a Unix interface. Please refer to the individual elements in the schema for more details about what each represents.
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| name | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The name element is the interface (eth0, eth1, fw0, etc.) name to check.
|
+| type | [unix-def:EntityStateInterfaceType](#EntityStateInterfaceType) (0..1) |
+||The type element specifies the type of interface.
|
+| hardware_addr | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The hardware_addr element is the hardware or MAC address of the physical network card. MAC addresses should be formatted according to the IEEE 802-2001 standard which states that a MAC address is a sequence of six octet values, separated by hyphens, where each octet is represented by two hexadecimal digits. Uppercase letters should also be used to represent the hexadecimal digits A through F.
|
+| inet_addr | [oval-def:EntityStateIPAddressStringType](oval-definitions-schema.md#EntityStateIPAddressStringType) (0..1) |
+||This is the IP address of the interface. Note that the IP address can be IPv4 or IPv6. If the IP address is an IPv6 address, this entity will be expressed as an IPv6 address prefix using CIDR notation and the netmask entity will not be collected.
|
+| broadcast_addr | [oval-def:EntityStateIPAddressStringType](oval-definitions-schema.md#EntityStateIPAddressStringType) (0..1) |
+||This is the broadcast IP address for this interface's network. Note that the IP address can be IPv4 or IPv6.
|
+| netmask | [oval-def:EntityStateIPAddressStringType](oval-definitions-schema.md#EntityStateIPAddressStringType) (0..1) |
+||This is the bitmask used to calculate the interface's IP network. The network number is calculated by bitwise-ANDing this with the IP address. The host number on that network is calculated by bitwise-XORing this with the IP address. Note that if the inet_addr entity contains an IPv6 address prefix, this entity will not be collected.
|
+| flag | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The flag entity represents the interface flag line, which generally contains flags like "UP" to denote an active interface, "PROMISC" to note that the interface is listening for Ethernet frames not specifically addressed to it, and others. This element can be included multiple times in a system characteristic item in order to record a multitude of flags. Note that the entity_check attribute associated with EntityStateStringType guides the evaluation of entities like this that refer to items that can occur an unbounded number of times.
|
+
+______________
+
+## < password_test >
+
+/etc/passwd. See passwd(4).
+
+The password test is used to check metadata associated with the UNIX password file, of the sort returned by the passwd command. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a password_object and the optional state element specifies the metadata to check.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..unbounded) |
+|||
+
+## < password_object >
+
+The password_object element is used by a password test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+A password object consists of a single username entity that identifies the user(s) whose password is to be evaluated.
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| username | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The user(s) account whose password is to be evaluated.
|
+| [oval-def:filter](oval-definitions-schema.md#filter) | n/a (0..unbounded) |
+|||
+
+## < password_state >
+
+The password_state element defines the different information associated with the system passwords. Please refer to the individual elements in the schema for more details about what each represents.
+
+See documentation on /etc/passwd for more details on the fields.
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| username | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The UNIX account name.
|
+| password | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||This is the encrypted version of the user's password.
|
+| user_id | Restriction of [oval-def:EntityStateAnySimpleType](oval-definitions-schema.md#EntityStateAnySimpleType) . See schema for details. (0..1) |
+||The numeric user id, or uid, is the third column of each user's entry in /etc/passwd.
|
+| group_id | Restriction of [oval-def:EntityStateAnySimpleType](oval-definitions-schema.md#EntityStateAnySimpleType) . See schema for details. (0..1) |
+||The id of the primary UNIX group the user belongs to.
|
+| gcos | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The GECOS (or GCOS) field from /etc/passwd; typically contains the user's full name.
|
+| home_dir | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The user's home directory.
|
+| login_shell | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The user's shell program.
|
+| last_login | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||The date and time when the last login occurred. This value is stored as the number of seconds that have elapsed since 00:00:00, January 1, 1970, UTC.
|
+
+______________
+
+## < ~~process_test~~ >
+
+> :small_red_triangle: **Deprecated As Of Version 5.8** :small_red_triangle:
**Reason:** The process_test has been deprecated and replaced by the process58_test. The command line of a process cannot be used to uniquely identify a process. As a result, the pid entity was added to the process58_object. Please see the process58_test for additional information.
+
+The process test is used to check information found in the UNIX processes. It is equivalent to parsing the output of the ps command. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a process_object and the optional state element specifies the process information to check.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..unbounded) |
+|||
+
+## < ~~process_object~~ >
+
+> :small_red_triangle: **Deprecated As Of Version 5.8** :small_red_triangle:
**Reason:** The process_object has been deprecated and replaced by the process58_object. The command line of a process cannot be used to uniquely identify a process. As a result, the pid entity was added to the process58_object. Please see the process58_object for additional information.
+
+The process_object element is used by a process test to define the specific process(es) to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+A process object defines the command line used to start the process(es).
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| command | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The command element specifies the command/program name to check.
|
+
+## < ~~process_state~~ >
+
+> :small_red_triangle: **Deprecated As Of Version 5.8** :small_red_triangle:
**Reason:** The process_state has been deprecated and replaced by the process58_state. The command line of a process cannot be used to uniquely identify a process. As a result, the pid entity was added to the process58_object. Please see the process58_state for additional information.
+
+The process_state element defines the different metadata associated with a UNIX process. This includes the command line, pid, ppid, priority, and user id. Please refer to the individual elements in the schema for more details about what each represents.
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| command | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The command element specifies the command/program name to check.
|
+| exec_time | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||This is the cumulative CPU time, formatted in [DD-]HH:MM:SS where DD is the number of days when execution time is 24 hours or more.
|
+| pid | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||This is the process ID of the process.
|
+| ppid | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||This is the process ID of the process's parent process.
|
+| priority | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||This is the scheduling priority with which the process runs. This can be adjusted with the nice command or nice() system call.
|
+| ruid | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||This is the real user id which represents the user who has created the process.
|
+| scheduling_class | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||A platform specific characteristic maintained by the scheduler: RT (real-time), TS (timeshare), FF (fifo), SYS (system), etc.
|
+| start_time | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||This is the time of day the process started formatted in HH:MM:SS if the same day the process started or formatted as MMM_DD (Ex.: Feb_5) if process started the previous day or further in the past.
|
+| tty | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||This is the TTY on which the process was started, if applicable.
|
+| user_id | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||This is the effective user id which represents the actual privileges of the process.
|
+
+______________
+
+## < process58_test >
+
+The process58_test is used to check information found in the UNIX processes. It is equivalent to parsing the output of the ps command. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a process58_object and the optional state element references a process58_state that specifies the process information to check.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..unbounded) |
+|||
+
+## < process58_object >
+
+The process58_object element is used by a process58_test to define the specific process(es) to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+A process58_object defines the command line used to start the process(es) and pid.
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| command_line | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The command_line entity is the string used to start the process. This includes any parameters that are part of the command line.
|
+| pid | [oval-def:EntityObjectIntType](oval-definitions-schema.md#EntityObjectIntType) (1..1) |
+||The pid entity is the process ID of the process.
|
+| [oval-def:filter](oval-definitions-schema.md#filter) | n/a (0..unbounded) |
+|||
+
+## < process58_state >
+
+The process58_state element defines the different metadata associated with a UNIX process. This includes the command line, pid, ppid, priority, and user id. Please refer to the individual elements in the schema for more details about what each represents.
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| command_line | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||This is the string used to start the process. This includes any parameters that are part of the command line.
|
+| exec_time | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||This is the cumulative CPU time, formatted in [DD-]HH:MM:SS where DD is the number of days when execution time is 24 hours or more.
|
+| pid | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||This is the process ID of the process.
|
+| ppid | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||This is the process ID of the process's parent process.
|
+| priority | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||This is the scheduling priority with which the process runs. This can be adjusted with the nice command or nice() system call.
|
+| ruid | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||This is the real user id which represents the user who has created the process.
|
+| scheduling_class | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||A platform specific characteristic maintained by the scheduler: RT (real-time), TS (timeshare), FF (fifo), SYS (system), etc.
|
+| start_time | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||This is the time of day the process started formatted in HH:MM:SS if the same day the process started or formatted as MMM_DD (Ex.: Feb_5) if process started the previous day or further in the past.
|
+| tty | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||This is the TTY on which the process was started, if applicable.
|
+| user_id | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||This is the effective user id which represents the actual privileges of the process.
|
+| exec_shield | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||A boolean that when true would indicates that ExecShield is enabled for the process. Applicable only to RedHat-based Linux distros, an example script demonstrating the collection of this entity can be found at http://people.redhat.com/sgrubb/files/lsexec
|
+| loginuid | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||The loginuid shows which account a user gained access to the system with. The /proc/XXXX/loginuid shows this value.
|
+| posix_capability | [unix-def:EntityStateCapabilityType](#EntityStateCapabilityType) (0..1) |
+||An effective capability associated with the process. See linux/include/linux/capability.h for more information.
|
+| selinux_domain_label | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||An selinux domain label associated with the process.
|
+| session_id | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||The session ID of the process.
|
+
+______________
+
+## < routingtable_test >
+
+The routingtable_test is used to check information about the IPv4 and IPv6 routing table entries found in a system's primary routing table. It is important to note that only numerical addresses will be collected and that their symbolic representations will not be resolved. This equivalent to using the '-n' option with route(8) or netstat(8). It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a routingtable_object and the optional routingtable_state element specifies the data to check.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..unbounded) |
+|||
+
+## < routingtable_object >
+
+The routingtable_object element is used by a routingtable_test to define the destination IP address(es), found in a system's primary routing table, to collect. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| destination | [oval-def:EntityObjectIPAddressType](oval-definitions-schema.md#EntityObjectIPAddressType) (1..1) |
+||This is the destination IP address of the routing table entry to check.
|
+| [oval-def:filter](oval-definitions-schema.md#filter) | n/a (0..unbounded) |
+|||
+
+## < routingtable_state >
+
+The routingtable_state element defines the different information that can be used to check an entry found in a system's primary routing table. This includes the destination IP address, gateway, netmask, flags, and the name of the interface associated with it. Please refer to the individual elements in the schema for more details about what each represents.
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| destination | [oval-def:EntityStateIPAddressType](oval-definitions-schema.md#EntityStateIPAddressType) (0..1) |
+||The destination IP address prefix of the routing table entry. This is the destination IP address and netmask/prefix-length expressed using CIDR notation.
|
+| gateway | [oval-def:EntityStateIPAddressType](oval-definitions-schema.md#EntityStateIPAddressType) (0..1) |
+||The gateway of the specified routing table entry.
|
+| flags | [unix-def:EntityStateRoutingTableFlagsType](#EntityStateRoutingTableFlagsType) (0..1) |
+||The flags associated with the specified routing table entry.
|
+| interface_name | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The name of the interface associated with the routing table entry.
|
+
+______________
+
+## < runlevel_test >
+
+The runlevel test is used to check information about which runlevel specified services are scheduled to exist at. For more information see the output generated by a chkconfig --list. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a runlevel_object and the optional state element specifies the data to check.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..unbounded) |
+|||
+
+## < runlevel_object >
+
+The runlevel_object element is used by a runlevel_test to define the specific service(s)/runlevel combination to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| service_name | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The service_name entity refers to the name associated with a service. This name is usually the filename of the script file located in the /etc/init.d directory.
|
+| runlevel | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The system runlevel to examine. A runlevel is defined as a software configuration of the system that allows only a selected group of processes to exist.
|
+| [oval-def:filter](oval-definitions-schema.md#filter) | n/a (0..unbounded) |
+|||
+
+## < runlevel_state >
+
+The runlevel_state element holds information about whether a specific service is scheduled to start or stop at a given runlevel. Please refer to the individual elements in the schema for more details about what each represents.
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| service_name | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The service_name entity refers the name associated with a service. This name is usually the filename of the script file located in the /etc/init.d directory.
|
+| runlevel | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The runlevel entity refers to the system runlevel associated with a service. A runlevel is defined as a software configuration of the system that allows only a selected group of processes to exist.
|
+| start | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||The start entity determines if the process is scheduled to be spawned at the specified runlevel.
|
+| kill | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||The kill entity determines if the process is supposed to be killed at the specified runlevel.
|
+
+______________
+
+## < ~~sccs_test~~ >
+
+> :small_red_triangle: **Deprecated As Of Version 5.10** :small_red_triangle:
**Reason:** The sccs_test has been deprecated because the Source Code Control System (SCCS) is obsolete. The sccs_test may be removed in a future version of the language.
+
+
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..unbounded) |
+|||
+
+## < ~~sccs_object~~ >
+
+> :small_red_triangle: **Deprecated As Of Version 5.10** :small_red_triangle:
**Reason:** The sccs_object has been deprecated because the Source Code Control System (SCCS) is obsolete. The sccs_object may be removed in a future version of the language.
+
+The set of files to be evaluated may be identified with either a complete filepath or a path and filename. Only one of these options may be selected.
+
+It is important to note that the 'max_depth' and 'recurse_direction' attributes of the 'behaviors' element do not apply to the 'filepath' element, only to the 'path' and 'filename' elements. This is because the 'filepath' element represents an absolute path to a particular file and it is not possible to recurse over a file.
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| behaviors | [unix-def:FileBehaviors](#FileBehaviors) (0..1) |
+|||
+| filepath | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The filepath element specifies the absolute path for a file on the machine. A directory cannot be specified as a filepath.
|
+| path | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The path element specifies the directory component of the absolute path to an SCCS file.
|
+| filename | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The name of an SCCS file.
|
+| [oval-def:filter](oval-definitions-schema.md#filter) | n/a (0..unbounded) |
+|||
+
+## < ~~sccs_state~~ >
+
+> :small_red_triangle: **Deprecated As Of Version 5.10** :small_red_triangle:
**Reason:** The sccs_state has been deprecated because the Source Code Control System (SCCS) is obsolete. The sccs_state may be removed in a future version of the language.
+
+
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| filepath | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The filepath element specifies the absolute path for a file on the machine. A directory cannot be specified as a filepath.
|
+| path | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The path element specifies the directory component of the absolute path to an SCCS file.
|
+| filename | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||This is the name of a SCCS file.
|
+| module_name | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+|||
+| module_type | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+|||
+| release | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+|||
+| level | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+|||
+| branch | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+|||
+| sequence | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+|||
+| what_string | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+|||
+
+______________
+
+## < shadow_test >
+
+The shadow test is used to check information from the /etc/shadow file for a specific user. This file contains a user's password, but also their password aging and lockout information. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references an shadow_object and the optional state element specifies the information to check.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..unbounded) |
+|||
+
+## < shadow_object >
+
+The shadow_object element is used by a shadow test to define the shadow file to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+A shdow object consists of a single user entity that identifies the username associted with the shadow file.
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| username | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+|||
+| [oval-def:filter](oval-definitions-schema.md#filter) | n/a (0..unbounded) |
+|||
+
+## < shadow_state >
+
+The shadows_state element defines the different information associated with the system shadow file. Please refer to the individual elements in the schema for more details about what each represents.
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| username | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||This is the name of the user being checked.
|
+| password | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||This is the encrypted version of the user's password.
|
+| chg_lst | Restriction of [oval-def:EntityStateAnySimpleType](oval-definitions-schema.md#EntityStateAnySimpleType) . See schema for details. (0..1) |
+||This is the date of the last password change in days since 1/1/1970.
|
+| chg_allow | Restriction of [oval-def:EntityStateAnySimpleType](oval-definitions-schema.md#EntityStateAnySimpleType) . See schema for details. (0..1) |
+||This specifies how often in days a user may change their password. It can also be thought of as the minimum age of a password.
|
+| chg_req | Restriction of [oval-def:EntityStateAnySimpleType](oval-definitions-schema.md#EntityStateAnySimpleType) . See schema for details. (0..1) |
+||This describes how long the user can keep a password before the system forces them to change it.
|
+| exp_warn | Restriction of [oval-def:EntityStateAnySimpleType](oval-definitions-schema.md#EntityStateAnySimpleType) . See schema for details. (0..1) |
+||This describes how long before password expiration the system begins warning the user. The system will warn the user at each login.
|
+| exp_inact | Restriction of [oval-def:EntityStateAnySimpleType](oval-definitions-schema.md#EntityStateAnySimpleType) . See schema for details. (0..1) |
+||The exp_inact entity describes how many days of account inactivity the system will wait after a password expires before locking the account. Unix systems are generally configured to only allow a given password to last for a fixed period of time. When this time, the chg_req parameter, is near running out, the system begins warning the user at each login. How soon before the expiration the user receives these warnings is specified in exp_warn. The only hiccup in this design is that a user may not login in time to ever receive a warning before account expiration. The exp_inact parameter gives the sysadmin flexibility so that a user who reaches the end of their expiration time gains exp_inact more days to login and change their password manually.
|
+| exp_date | Restriction of [oval-def:EntityStateAnySimpleType](oval-definitions-schema.md#EntityStateAnySimpleType) . See schema for details. (0..1) |
+||This specifies when will the account's password expire, in days since 1/1/1970.
|
+| flag | Restriction of [oval-def:EntityStateAnySimpleType](oval-definitions-schema.md#EntityStateAnySimpleType) . See schema for details. (0..1) |
+||This is a numeric reserved field that the shadow file may use in the future.
|
+| encrypt_method | [unix-def:EntityStateEncryptMethodType](#EntityStateEncryptMethodType) (0..1) |
+||The encrypt_method entity describes method that is used for hashing passwords.
|
+
+______________
+
+## < symlink_test >
+
+The symlink_test is used to obtain canonical path information for symbolic links.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..unbounded) |
+|||
+
+## < symlink_object >
+
+The symlink_object element is used by a symlink_test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+A symlink_object consists of a filepath entity that contains the path to a symbolic link file. The resulting item identifies the canonical path of the link target (followed to its final destination, if there are intermediate links), an error if the link target does not exist or is a circular link (e.g., a link to itself). If the file located at filepath is not a symlink, or if there is no file located at the filepath, then any resulting item would itself have a status of does not exist.
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| filepath | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||Specifies the filepath for the symbolic link.
|
+| [oval-def:filter](oval-definitions-schema.md#filter) | n/a (0..unbounded) |
+|||
+
+## < symlink_state >
+
+The symlink_state element defines a value used to evaluate the result of a specific symlink_object item.
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| filepath | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||Specifies the filepath used to create the object.
|
+| canonical_path | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||Specifies the canonical path for the target of a symbolic link file specified by the filepath.
|
+
+______________
+
+## < sysctl_test >
+
+The sysctl_test is used to check the values associated with the kernel parameters that are used by the local system. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a sysctl_object and the optional state element references a sysctl_state that specifies the information to check.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..unbounded) |
+|||
+
+## < sysctl_object >
+
+The sysctl_object is used by a sysctl_test to define which kernel parameters on the local system should be collected. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| name | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The name element specifies the name(s) of the kernel parameter(s) that should be collected from the local system.
|
+| [oval-def:filter](oval-definitions-schema.md#filter) | n/a (0..unbounded) |
+|||
+
+## < sysctl_state >
+
+The sysctl_state contains two entities that are used to check the kernel parameter name and value(s).
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| name | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The name element contains a string that represents the name of a kernel parameter that was collected from the local system.
|
+| value | [oval-def:EntityStateAnySimpleType](oval-definitions-schema.md#EntityStateAnySimpleType) (0..1) |
+||The value element contains a string that represents the value(s) associated with the specified kernel parameter.
|
+
+______________
+
+## < uname_test >
+
+The uname test reveals information about the hardware the machine is running on. This information is the parsed equivalent of uname -a. For example: "Linux quark 2.6.5-7.108-default #1 Wed Aug 25 13:34:40 UTC 2004 i686 i686 i386 GNU/Linux" or "Darwin TestHost 7.7.0 Darwin Kernel Version 7.7.0: Sun Nov 7 16:06:51 PST 2004; root:xnu/xnu-517.9.5.obj~1/RELEASE_PPC Power Macintosh powerpc". It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a uname_object and the optional state element specifies the metadata to check.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..unbounded) |
+|||
+
+## < uname_object >
+
+The uname_object element is used by an uname test to define those objects to evaluated based on a specified state. There is actually only one object relating to uname and this is the system as a whole. Therefore, there are no child entities defined. Any OVAL Test written to check uname will reference the same uname_object which is basically an empty object element.
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+## < uname_state >
+
+The uname_state element defines the information about the hardware the machine is running one. Please refer to the individual elements in the schema for more details about what each represents.
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| machine_class | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||This entity specifies a machine hardware name. This corresponds to the command uname -m.
|
+| node_name | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||This entity specifies a host name. This corresponds to the command uname -n.
|
+| os_name | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||This entity specifies an operating system name. This corresponds to the command uname -s.
|
+| os_release | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||This entity specifies a build version. This corresponds to the command uname -r.
|
+| os_version | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||This entity specifies an operating system version. This corresponds to the command uname -v.
|
+| processor_type | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||This entity specifies a processor type. This corresponds to the command uname -p.
|
+
+______________
+
+## < xinetd_test >
+
+The xinetd test is used to check information associated with different Internet services. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references an inetd_object and the optional state element specifies the information to check.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..unbounded) |
+|||
+
+## < xinetd_object >
+
+The xinetd_object element is used by an xinetd test to define the specific protocol-service to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+An xinetd object consists of a protocol entity and a service_name entity that identifies the specific service to be tested.
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| protocol | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The protocol entity specifies the protocol that is used by the service. The list of valid protocols can be found in /etc/protocols.
|
+| service_name | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The service_name entity specifies the name of the service.
|
+| [oval-def:filter](oval-definitions-schema.md#filter) | n/a (0..unbounded) |
+|||
+
+## < xinetd_state >
+
+The xinetd_state element defines the different information associated with a specific Internet service. Please refer to the individual elements in the schema for more details about what each represents.
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| protocol | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The protocol entity specifies the protocol that is used by the service. The list of valid protocols can be found in /etc/protocols.
|
+| service_name | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The service_name entity specifies the name of the service.
|
+| flags | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The flags entity specifies miscellaneous settings associated with the service.
|
+| no_access | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The no_access entity specifies the remote hosts to which the service is unavailable. Please see the xinetd.conf(5) man page for information on the different formats that can be used to describe a host.
|
+| only_from | [oval-def:EntityStateIPAddressStringType](oval-definitions-schema.md#EntityStateIPAddressStringType) (0..1) |
+||The only_from entity specifies the remote hosts to which the service is available. Please see the xinetd.conf(5) man page for information on the different formats that can be used to describe a host.
|
+| port | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||The port entity specifies the port used by the service.
|
+| server | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The server entity specifies the executable that is used to launch the service.
|
+| server_arguments | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The server_arguments entity specifies the arguments that are passed to the executable when launching the service.
|
+| socket_type | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The socket_type entity specifies the type of socket that is used by the service. Possible values include: stream, dgram, raw, or seqpacket.
|
+| type | [unix-def:EntityStateXinetdTypeStatusType](#EntityStateXinetdTypeStatusType) (0..1) |
+||The type entity specifies the type of the service. A service may have multiple types.
|
+| user | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The user entity specifies the user identifier of the process that is running the service. The user identifier may be expressed as a numerical value or as a user name that exists in /etc/passwd.
|
+| wait | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||The wait entity specifies whether or not the service is single-threaded or multi-threaded and whether or not xinetd accepts the connection or the service accepts the connection. A value of 'true' indicates that the service is single-threaded and the service will accept the connection. A value of 'false' indicates that the service is multi-threaded and xinetd will accept the connection.
|
+| disabled | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||The disabled entity specifies whether or not the service is disabled. A value of 'true' indicates that the service is disabled and will not start. A value of 'false' indicates that the service is not disabled.
|
+
+## == EntityStateCapabilityType ==
+
+The EntityStateCapabilityType complex type restricts a string value to a specific set of values that describe POSIX capability types associated with a process service. This list is based off the values defined in linux/include/linux/capability.h. Documentation on each allowed value can be found in capability.h. The empty string is also allowed to support empty elements associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+**Restricts:** [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType)
+
+| Value | Description |
+| ----- | ----------- |
+| CAP_CHOWN | |
+| CAP_DAC_OVERRIDE | |
+| CAP_DAC_READ_SEARCH | |
+| CAP_FOWNER | |
+| CAP_FSETID | |
+| CAP_KILL | |
+| CAP_SETGID | |
+| CAP_SETUID | |
+| CAP_SETPCAP | |
+| CAP_LINUX_IMMUTABLE | |
+| CAP_NET_BIND_SERVICE | |
+| CAP_NET_BROADCAST | |
+| CAP_NET_ADMIN | |
+| CAP_NET_RAW | |
+| CAP_IPC_LOCK | |
+| CAP_IPC_OWNER | |
+| CAP_SYS_MODULE | |
+| CAP_SYS_RAWIO | |
+| CAP_SYS_CHROOT | |
+| CAP_SYS_PTRACE | |
+| CAP_SYS_ADMIN | |
+| CAP_SYS_BOOT | |
+| CAP_SYS_NICE | |
+| CAP_SYS_RESOURCE | |
+| CAP_SYS_TIME | |
+| CAP_SYS_TTY_CONFIG | |
+| CAP_MKNOD | |
+| CAP_LEASE | |
+| CAP_AUDIT_WRITE | |
+| CAP_AUDIT_CONTROL | |
+| CAP_SETFCAP | |
+| CAP_MAC_OVERRIDE | |
+| CAP_MAC_ADMIN | |
+| CAP_SYS_PACCT | |
+| CAP_SYSLOG | |
+| CAP_WAKE_ALARM | |
+| CAP_BLOCK_SUSPEND | |
+| CAP_AUDIT_READ | |
+| | The empty string value is permitted here to allow for empty elements associated with variable references.
|
+
+______________
+
+## == EntityStateEndpointType ==
+
+The EntityStateEndpointType complex type restricts a string value to a specific set of values that describe endpoint types associated with an Internet service. The empty string is also allowed to support empty elements associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+**Restricts:** [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType)
+
+| Value | Description |
+| ----- | ----------- |
+| stream | The stream value is used to describe a stream socket.
|
+| dgram | The dgram value is used to describe a datagram socket.
|
+| raw | The raw value is used to describe a raw socket.
|
+| seqpacket | The seqpacket value is used to describe a sequenced packet socket.
|
+| tli | The tli value is used to describe all TLI endpoints.
|
+| sunrpc_tcp | The sunrpc_tcp value is used to describe all SUNRPC TCP endpoints.
|
+| sunrpc_udp | The sunrpc_udp value is used to describe all SUNRPC UDP endpoints.
|
+| | The empty string value is permitted here to allow for empty elements associated with variable references.
|
+
+## == EntityStateGconfTypeType ==
+
+The EntityStateGconfTypeType complex type restricts a string value to the seven values GCONF_VALUE_STRING, GCONF_VALUE_INT, GCONF_VALUE_FLOAT, GCONF_VALUE_BOOL, GCONF_VALUE_SCHEMA, GCONF_VALUE_LIST, and GCONF_VALUE_PAIR that specify the datatype of the value associated with a GConf preference key. The empty string is also allowed to support empty elements associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+**Restricts:** [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType)
+
+| Value | Description |
+| ----- | ----------- |
+| GCONF_VALUE_STRING | The GCONF_VALUE_STRING type is used to describe a preference key that has a string value.
|
+| GCONF_VALUE_INT | The GCONF_VALUE_INT type is used to describe a preference key that has a integer value.
|
+| GCONF_VALUE_FLOAT | The GCONF_VALUE_FLOAT type is used to describe a preference key that has a float value.
|
+| GCONF_VALUE_BOOL | The GCONF_VALUE_BOOL type is used to describe a preference key that has a boolean value.
|
+| GCONF_VALUE_SCHEMA | The GCONF_VALUE_SCHEMA type is used to describe a preference key that has a schema value. The actual value will be the default value as specified in the GConf schema.
|
+| GCONF_VALUE_LIST | The GCONF_VALUE_LIST type is used to describe a preference key that has a list of values. The actual values will be one of the primitive GConf datatypes GCONF_VALUE_STRING, GCONF_VALUE_INT, GCONF_VALUE_FLOAT, GCONF_VALUE_BOOL, and GCONF_VALUE_SCHEMA. Note that all of the values associated with a GCONF_VALUE_LIST are required to have the same type.
|
+| GCONF_VALUE_PAIR | The GCONF_VALUE_PAIR type is used to describe a preference key that has a pair of values. The actual values will consist of the primitive GConf datatypes GCONF_VALUE_STRING, GCONF_VALUE_INT, GCONF_VALUE_FLOAT, GCONF_VALUE_BOOL, and GCONF_VALUE_SCHEMA. Note that the values associated with a GCONF_VALUE_PAIR are not required to have the same type.
|
+| | The empty string value is permitted here to allow for empty elements associated with variable references.
|
+
+## == EntityStateRoutingTableFlagsType ==
+
+The EntityStateRoutingTableFlagsType complex type restricts a string value to a specific set of values that describe the flags associated with a routing table entry. This list is based off the values defined in the man pages of various platforms. For Linux, please see route(8). For Solaris, please see netstat(1M). For HP-UX, please see netstat(1). For Mac OS, please see netstat(1). For FreeBSD, please see netstat(1). Documentation on each allowed value can be found in the previously listed man pages. The empty string is also allowed to support empty elements associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+**Restricts:** [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType)
+
+| Value | Description |
+| ----- | ----------- |
+| UP | |
+| GATEWAY | |
+| HOST | |
+| REINSTATE | |
+| DYNAMIC | |
+| MODIFIED | |
+| ADDRCONF | |
+| CACHE | |
+| REJECT | |
+| REDUNDANT | |
+| SETSRC | |
+| BROADCAST | |
+| LOCAL | |
+| PROTOCOL_1 | |
+| PROTOCOL_2 | |
+| PROTOCOL_3 | |
+| BLACK_HOLE | |
+| CLONING | |
+| PROTOCOL_CLONING | |
+| INTERFACE_SCOPE | |
+| LINK_LAYER | |
+| MULTICAST | |
+| STATIC | |
+| WAS_CLONED | |
+| XRESOLVE | |
+| USABLE | |
+| PINNED | |
+| ACTIVE_DEAD_GATEWAY_DETECTION | |
+| | The empty string value is permitted here to allow for empty elements associated with variable references.
|
+
+The following table is a mapping between the generic flag enumeration values and the actual flag values found on the various platforms. If the flag value is not specified, for a particular generic flag enumeration value, the flag value is not defined for that platform.
+```
+Name Linux Solaris HPUX Mac OS FreeBSD AIX
+UP U U U U U U
+GATEWAY G G G G G G
+HOST H H H H H H
+REINSTATE R
+DYNAMIC D D D D D
+MODIFIED M M M M
+ADDRCONF A A
+CACHE C e
+REJECT ! R R R
+REDUNDANT M (>=9)
+SETSRC S
+BROADCAST B b b b
+LOCAL L l
+PROTOCOL_1 1 1 1
+PROTOCOL_2 2 2 2
+PROTOCOL_3 3 3 3
+BLACK_HOLE B B
+CLONING C C c
+PROTOCOL_CLONING c c
+INTERFACE_SCOPE I
+LINK_LAYER L L L
+MULTICAST m m
+STATIC S S S
+WAS_CLONED W W W
+XRESOLVE X X
+USABLE u
+PINNED P
+ACTIVE_DEAD_GATEWAY_DETECTION A (>=5.1)
+```
+
+## == EntityStateXinetdTypeStatusType ==
+
+The EntityStateXinetdTypeStatusType complex type restricts a string value to five values, either RPC, INTERNAL, UNLISTED, TCPMUX, or TCPMUXPLUS that specify the type of service registered in xinetd. The empty string is also allowed to support empty elements associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+**Restricts:** [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType)
+
+| Value | Description |
+| ----- | ----------- |
+| INTERNAL | The INTERNAL type is used to describe services like echo, chargen, and others whose functionality is supplied by xinetd itself.
|
+| RPC | The RPC type is used to describe services that use remote procedure call ala NFS.
|
+| UNLISTED | The UNLISTED type is used to describe services that aren't listed in /etc/protocols or /etc/rpc.
|
+| TCPMUX | The TCPMUX type is used to describe services that conform to RFC 1078. This type indiciates that the service is responsible for handling the protocol handshake.
|
+| TCPMUXPLUS | The TCPMUXPLUS type is used to describe services that conform to RFC 1078. This type indicates that xinetd is responsible for handling the protocol handshake.
|
+| | The empty string value is permitted here to allow for empty elements associated with variable references.
|
+
+## == EntityStateWaitStatusType ==
+
+The EntityStateWaitStatusType complex type restricts a string value to two values, either wait or nowait, that specify whether the server that is invoked by inetd will take over the listening socket associated with the service, and whether once launched, inetd will wait for that server to exit, if ever, before it resumes listening for new service requests. The empty string is also allowed to support empty elements associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+**Restricts:** [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType)
+
+| Value | Description |
+| ----- | ----------- |
+| wait | The value of 'wait' specifies that the server that is invoked by inetd will take over the listening socket associated with the service, and once launched, inetd will wait for that server to exit, if ever, before it resumes listening for new service requests.
|
+| nowait | The value of 'nowait' specifies that the server that is invoked by inetd will not wait for any existing server to finish before taking over the listening socket associated with the service.
|
+| | The empty string value is permitted here to allow for empty elements associated with variable references.
|
+
+## == EntityStateEncryptMethodType ==
+
+The EntityStateEncryptMethodType complex type restricts a string value to a set that corresponds to the allowed encrypt methods used for protected passwords in a shadow file. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+**Restricts:** [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType)
+
+| Value | Description |
+| ----- | ----------- |
+| DES | The DES method corresponds to the (none) prefix.
|
+| BSDi | The BSDi method corresponds to BSDi modified DES or the '_' prefix.
|
+| MD5 | The MD5 method corresponds to MD5 for Linux/BSD or the $1$ prefix.
|
+| Blowfish | The Blowfish method corresponds to Blowfish (OpenBSD) or the $2$ or $2a$ prefixes.
|
+| Sun MD5 | The Sun MD5 method corresponds to the $md5$ prefix.
|
+| SHA-256 | The SHA-256 method corresponds to the $5$ prefix.
|
+| SHA-512 | The SHA-512 method corresponds to the $6$ prefix.
|
+| | The empty string value is permitted here to allow for empty elements associated with variable references.
|
+
+## == EntityStateInterfaceType ==
+
+The EntityStateInterfaceType complex type restricts a string value to a specific set of values. These values describe the different interface types which are defined in 'if_arp.h'. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+**Restricts:** [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType)
+
+| Value | Description |
+| ----- | ----------- |
+| ARPHRD_ETHER | The ARPHRD_ETHER type is used to describe ethernet interfaces.
|
+| ARPHRD_FDDI | The ARPHRD_FDDI type is used to describe fiber distributed data interfaces (FDDI).
|
+| ARPHRD_LOOPBACK | The ARPHRD_LOOPBACK type is used to describe loopback interfaces.
|
+| ARPHRD_VOID | The ARPHRD_VOID type is used to describe unknown interfaces.
|
+| ARPHRD_PPP | The ARPHRD_PPP type is used to describe point-to-point protocol interfaces (PPP).
|
+| ARPHRD_SLIP | The ARPHRD_SLIP type is used to describe serial line internet protocol interfaces (SLIP).
|
+| ARPHRD_PRONET | The ARPHRD_PRONET type is used to describe PROnet token ring interfaces.
|
+| | The empty string value is permitted here to allow for empty elements associated with variable references.
|
+
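Review bot: the xinetd_test description in this hunk says "The required object element references an inetd_object", but the object for this test is the xinetd_object defined in the very next section; this reads like a leftover from the inetd_test text and should say "references an xinetd_object". Two smaller points in the same hunk: the platform flag mapping under EntityStateRoutingTableFlagsType is a fenced plain-text block whose columns are separated by single spaces, so rows with gaps (for example "REINSTATE R" and "CACHE C e") no longer show which platform each letter belongs to; rendering it as a Markdown table with explicit empty cells, like the other tables in this file, would preserve that information. Also "indiciates" in the TCPMUX row should be "indicates", and in-document links such as [unix-def:EntityStateXinetdTypeStatusType](#EntityStateXinetdTypeStatusType) point at an anchor spelled differently from the heading text "## == EntityStateXinetdTypeStatusType ==", so it is worth confirming that the renderer actually generates that anchor before merging.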
diff --git a/guidelines/oval-schema-documentation/unix-system-characteristics-schema.md b/guidelines/oval-schema-documentation/unix-system-characteristics-schema.md
new file mode 100644
index 0000000..e09e4f7
--- /dev/null
+++ b/guidelines/oval-schema-documentation/unix-system-characteristics-schema.md
@@ -0,0 +1,691 @@
+# Open Vulnerability and Assessment Language: Element Dictionary
+
+* Schema: Unix System Characteristics
+* Version: 5.11.1:1.2
+* Release Date: 11/30/2016 09:00:00 AM
+
+The following is a description of the elements, types, and attributes that compose the UNIX specific system characteristic items found in Open Vulnerability and Assessment Language (OVAL). Each item is an extension of the standard item element defined in the Core System Characteristic Schema. Through extension, each item inherits a set of elements and attributes that are shared amongst all OVAL Items. Each item is described in detail and should provide the information necessary to understand what each element and attribute represents. This document is intended for developers and assumes some familiarity with XML. A high level description of the interaction between the different tests and their relationship to the Core System Characteristic Schema is not outlined here.
+
+The OVAL Schema is maintained by the OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.cisecurity.org.
+
+______________
+
+## < dnscache_item >
+
+The dnscache_item stores information retrieved from the DNS cache about a domain name, its time to live, and its corresponding IP addresses.
+
+**Extends:** [oval-sc:ItemType](oval-system-characteristics-schema.md#ItemType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| domain_name | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The domain_name element contains a string that represents a domain name that was collected from the DNS cache on the local system.
|
+| ttl | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||The ttl element contains an integer that represents the time to live in seconds of the DNS cache entry.
|
+| ip_address | [oval-sc:EntityItemIPAddressStringType](oval-system-characteristics-schema.md#EntityItemIPAddressStringType) (0..unbounded) |
+||The ip_address element contains a string that represents an IP address associated with the specified domain name. Note that the IP address can be IPv4 or IPv6.
|
+
+______________
+
+## < file_item >
+
+The file item holds information about the individual files found on a system. Each file item contains path and filename information as well as its type, associated user and group ids, relevant dates, and the privialeges granted. It extends the standard ItemType as defined in the oval-system-characteristics schema and one should refer to the ItemType description for more information.
+
+**Extends:** [oval-sc:ItemType](oval-system-characteristics-schema.md#ItemType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| filepath | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The filepath element specifies the absolute path for a file on the machine. A directory cannot be specified as a filepath.
|
+| path | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The path element specifies the directory component of the absolute path to a file on the machine.
|
+| filename | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The name of the file. If the xsi:nil attribute is set to true, then the item being represented is the higher directory represented by the path entity.
|
+| type | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||This is the file's type: regular file (regular), directory, named pipe (fifo), symbolic link, socket or block special.
|
+| group_id | Restriction of [oval-sc:EntityItemAnySimpleType](oval-system-characteristics-schema.md#EntityItemAnySimpleType) . See schema for details. (0..1) |
+||This is the group owner of the file, by group number.
|
+| user_id | Restriction of [oval-sc:EntityItemAnySimpleType](oval-system-characteristics-schema.md#EntityItemAnySimpleType) . See schema for details. (0..1) |
+||The numeric user id, or uid, is the third column of each user's entry in /etc/passwd. This element represents the owner of the file.
|
+| a_time | Restriction of [oval-sc:EntityItemAnySimpleType](oval-system-characteristics-schema.md#EntityItemAnySimpleType) . See schema for details. (0..1) |
+||This is the time that the file was last accessed, in seconds since the Unix epoch. The Unix epoch is the time 00:00:00 UTC on January 1, 1970.
|
+| c_time | Restriction of [oval-sc:EntityItemAnySimpleType](oval-system-characteristics-schema.md#EntityItemAnySimpleType) . See schema for details. (0..1) |
+||This is the time of the last change to the file's inode, in seconds since the Unix epoch. The Unix epoch is the time 00:00:00 UTC on January 1, 1970. An inode is a Unix data structure that stores all of the information about a particular file.
|
+| m_time | Restriction of [oval-sc:EntityItemAnySimpleType](oval-system-characteristics-schema.md#EntityItemAnySimpleType) . See schema for details. (0..1) |
+||This is the time of the last change to the file's contents, in seconds since the Unix epoch. The Unix epoch is the time 00:00:00 UTC on January 1, 1970.
|
+| size | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||This is the size of the file in bytes.
|
+| suid | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Does the program run with the uid (thus privileges) of the file's owner, rather than the calling user?
|
+| sgid | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Does the program run with the gid (thus privileges) of the file's group owner, rather than the calling user's group?
|
+| sticky | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Can users delete each other's files in this directory, when said directory is writable by those users?
|
+| uread | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Can the owner (user owner) of the file read this file or, if a directory, read the directory contents?
|
+| uwrite | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Can the owner (user owner) of the file write to this file or, if a directory, write to the directory?
|
+| uexec | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Can the owner (user owner) of the file execute it or, if a directory, change into the directory?
|
+| gread | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Can the group owner of the file read this file or, if a directory, read the directory contents?
|
+| gwrite | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Can the group owner of the file write to this file, or if a directory, write to the directory?
|
+| gexec | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Can the group owner of the file execute it or, if a directory, change into the directory?
|
+| oread | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Can all other users read this file or, if a directory, read the directory contents?
|
+| owrite | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Can the other users write to this file, or if a directory, write to the directory?
|
+| oexec | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Can the other users execute this file or, if a directory, change into the directory?
|
+| has_extended_acl | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Does the file or directory have ACL permissions applied to it? If a system supports ACLs and the file or directory doesn't have an ACL, or it matches the standard UNIX permissions, the entity will have a status of 'exists' and a value of 'false'. If the system supports ACLs and the file or directory has an ACL, the entity will have a status of 'exists' and a value of 'true'. Lastly, if a system doesn't support ACLs, the entity will have a status of 'does not exist'.
|
+
+______________
+
+## < fileextendedattribute_item >
+
+The file extended attribute item holds information about the individual file extended attributes found on a system. Each file extended attribute item contains path, filename, and attribute name information as well as the attribute's value. It extends the standard ItemType as defined in the oval-system-characteristics schema and one should refer to the ItemType description for more information.
+
+**Extends:** [oval-sc:ItemType](oval-system-characteristics-schema.md#ItemType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| filepath | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The filepath element specifies the absolute path for a file on the machine. A directory cannot be specified as a filepath.
|
+| path | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The path element specifies the directory component of the absolute path to a file on the machine.
|
+| filename | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The name of the file. If the xsi:nil attribute is set to true, then the item being represented is the higher directory represented by the path entity.
|
+| attribute_name | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||This is the extended attribute's name, identifier or key.
|
+| value | [oval-sc:EntityItemAnySimpleType](oval-system-characteristics-schema.md#EntityItemAnySimpleType) (0..1) |
+||This is the extended attribute's value or contents.
|
+
+______________
+
+## < gconf_item >
+
+The gconf_item holds information about an individual GConf preference key found on a system. Each gconf_item contains a preference key, source, type, whether it's writable, the user who last modified it, the time it was last modified, whether it's the default value, as well as the preference key's value. It extends the standard ItemType as defined in the oval-system-characteristics schema and one should refer to the ItemType description for more information.
+
+**Extends:** [oval-sc:ItemType](oval-system-characteristics-schema.md#ItemType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| key | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The preference key to check.
|
+| source | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The source used to look up the preference key.
|
+| type | [unix-sc:EntityItemGconfTypeType](#EntityItemGconfTypeType) (0..1) |
+||The type of the preference key.
|
+| is_writable | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Is the preference key writable? If true, the preference key is writable. If false, the preference key is not writable.
|
+| mod_user | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The user who last modified the preference key.
|
+| mod_time | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||The time the preference key was last modified in seconds since the Unix epoch. The Unix epoch is the time 00:00:00 UTC on January 1, 1970.
|
+| is_default | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Is the preference key value the default value. If true, the preference key value is the default value. If false, the preference key value is not the default value.
|
+| value | [oval-sc:EntityItemAnySimpleType](oval-system-characteristics-schema.md#EntityItemAnySimpleType) (0..unbounded) |
+||The value of the preference key.
|
+
+______________
+
+## < inetd_item >
+
+The inetd item holds information associated with different Internet services. It extends the standard ItemType as defined in the oval-system-characteristics schema and one should refer to the ItemType description for more information.
+
+**Extends:** [oval-sc:ItemType](oval-system-characteristics-schema.md#ItemType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| protocol | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||A recognized protocol listed in the file /etc/inet/protocols.
|
+| service_name | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The name of a valid service listed in the services file. For RPC services, the value of the service-name field consists of the RPC service name or program number, followed by a '/' (slash) and either a version number or a range of version numbers (for example, rstatd/2-4).
|
+| server_program | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||Either the pathname of a server program to be invoked by inetd to perform the requested service, or the value internal if inetd itself provides the service.
|
+| server_arguments | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The arguments for running the service. These are either passed to the server program invoked by inetd, or used to configure a service provided by inetd. In the case of server programs, the arguments shall begin with argv[0], which is typically the name of the program. In the case of a service provided by inted, the first argument shall be the word "internal".
|
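Review bot: typo in the server_arguments description of inetd_item: `In the case of a service provided by inted, the first argument shall be the word "internal".` should read `inetd`. The same sentence would be easier to verify against a collected item if it also stated that for server programs argv[0] is the last path component rather than "typically the name of the program", since the two differ when server_program is an absolute path.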
+| endpoint_type | [unix-sc:EntityItemEndpointType](#EntityItemEndpointType) (0..1) |
+||The endpoint type (aka, socket type) associated with the service.
|
+| exec_as_user | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The user id of the user the server program should run under. (This allows for running with less permission than root.)
|
+| wait_status | [unix-sc:EntityItemWaitStatusType](#EntityItemWaitStatusType) (0..1) |
+||This field has values wait or nowait. This entry specifies whether the server that is invoked by inetd will take over the listening socket associated with the service, and whether once launched, inetd will wait for that server to exit, if ever, before it resumes listening for new service requests.
|
+
+______________
+
+## < interface_item >
+
+The interface item holds information about the interfaces on a system. Each interface item contains name and address information as well as any associated flags. It extends the standard ItemType as defined in the oval-system-characteristics schema and one should refer to the ItemType description for more information.
+
+**Extends:** [oval-sc:ItemType](oval-system-characteristics-schema.md#ItemType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| name | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The name entity is the actual name of the specific interface. Examples might be eth0, eth1, fwo, etc.
|
+| type | [unix-sc:EntityItemInterfaceType](#EntityItemInterfaceType) (0..1) |
+||This element specifies the type of interface.
|
+| hardware_addr | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The hardware_addr entity is the hardware or MAC address of the physical network card. MAC addresses should be formatted according to the IEEE 802-2001 standard which states that a MAC address is a sequence of six octet values, separated by hyphens, where each octet is represented by two hexadecimal digits. Uppercase letters should also be used to represent the hexadecimal digits A through F.
|
+| inet_addr | [oval-sc:EntityItemIPAddressStringType](oval-system-characteristics-schema.md#EntityItemIPAddressStringType) (0..1) |
+||The inet_addr entity is the IP address of the specific interface. Note that the IP address can be IPv4 or IPv6. If the IP address is an IPv6 address, this entity should be expressed as an IPv6 address prefix using CIDR notation and the netmask entity should not be collected.
|
+| broadcast_addr | [oval-sc:EntityItemIPAddressStringType](oval-system-characteristics-schema.md#EntityItemIPAddressStringType) (0..1) |
+||The broadcast_addr entity is the broadcast IP address for this interface's network. Note that the IP address can be IPv4 or IPv6.
|
+| netmask | [oval-sc:EntityItemIPAddressStringType](oval-system-characteristics-schema.md#EntityItemIPAddressStringType) (0..1) |
+||This is the bitmask used to calculate the interface's IP network. The network number is calculated by bitwise-ANDing this with the IP address. The host number on that network is calculated by bitwise-XORing this with the IP address. Note that if the inet_addr entity contains an IPv6 address prefix, this entity should not be collected.
|
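Review bot: the netmask description in interface_item states the host number incorrectly: `The host number on that network is calculated by bitwise-XORing this with the IP address.` XORing the mask with the address sets every host bit where the address has a 0 (192.168.1.5 with mask 255.255.255.0 would give 63.87.254.5), so the sentence should say that the host number is the address bitwise-ANDed with the complement of the netmask. The network-number sentence just before it is correct as written.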
+| flag | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..unbounded) |
+||This is the interface flag line, which generally contains flags like "UP" to denote an active interface, "PROMISC" to note that the interface is listening for Ethernet frames not specifically addressed to it, and others.
|
+
+______________
+
+## < password_item >
+
+/etc/passwd. See passwd(4).
+
+**Extends:** [oval-sc:ItemType](oval-system-characteristics-schema.md#ItemType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| username | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||This is the name of the user for which data was gathered.
|
+| password | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||This is the encrypted version of the user's password.
|
+| user_id | Restriction of [oval-sc:EntityItemAnySimpleType](oval-system-characteristics-schema.md#EntityItemAnySimpleType) . See schema for details. (0..1) |
+||The numeric user id, or uid, is the third column of each user's entry in /etc/passwd.
|
+| group_id | Restriction of [oval-sc:EntityItemAnySimpleType](oval-system-characteristics-schema.md#EntityItemAnySimpleType) . See schema for details. (0..1) |
+||The id of the primary UNIX group the user belongs to.
|
+| gcos | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The GECOS (or GCOS) field from /etc/passwd; typically contains the user's full name.
|
+| home_dir | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The user's home directory.
|
+| login_shell | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The user's shell program.
|
+| last_login | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||The date and time when the last login occurred. This value is stored as the number of seconds that have elapsed since 00:00:00, January 1, 1970, UTC.
|
+
+______________
+
+## < ~~process_item~~ >
+
+> :small_red_triangle: **Deprecated As Of Version 5.8** :small_red_triangle:
**Reason:** The process_item has been deprecated and replaced by the process58_item. The entity 'command' was changed to 'command_line' in the process58_item to accurately describe what information is collected. Please see the process58_item for additional information.
+
+Output of /usr/bin/ps. See ps(1).
+
+**Extends:** [oval-sc:ItemType](oval-system-characteristics-schema.md#ItemType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| command | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||This specifies the command/program name about which data has has been collected.
|
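Review bot: duplicated word in the command row of the deprecated process_item: `This specifies the command/program name about which data has has been collected.` Drop one "has". Since the deprecation notice above explains that this entity was renamed to command_line, it would also help to say here that command carries only the program name, without arguments, so readers see why the rename was needed.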
+| exec_time | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||This is the cumulative CPU time, formatted in [DD-]HH:MM:SS where DD is the number of days when execution time is 24 hours or more.
|
+| pid | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||This is the process ID of the process.
|
+| ppid | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||This is the process ID of the process's parent process.
|
+| priority | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||This is the scheduling priority with which the process runs. This can be adjusted with the nice command or nice() system call.
|
+| ruid | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||This is the real user id which represents the user who has created the process.
|
+| scheduling_class | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||A platform specific characteristic maintained by the scheduler: RT (real-time), TS (timeshare), FF (fifo), SYS (system), etc.
|
+| start_time | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||This is the time of day the process started formatted in HH:MM:SS if the same day the process started or formatted as MMM_DD (Ex.: Feb_5) if process started the previous day or further in the past.
|
+| tty | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||This is the TTY on which the process was started, if applicable.
|
+| user_id | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||This is the effective user id which represents the actual privileges of the process.
|
+
+______________
+
+## < process58_item >
+
+Output of /usr/bin/ps. See ps(1).
+
+**Extends:** [oval-sc:ItemType](oval-system-characteristics-schema.md#ItemType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| command_line | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||This is the string used to start the process. This includes any parameters that are part of the command line.
|
+| exec_time | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||This is the cumulative CPU time, formatted in [DD-]HH:MM:SS where DD is the number of days when execution time is 24 hours or more.
|
+| pid | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||This is the process ID of the process.
|
+| ppid | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||This is the process ID of the process's parent process.
|
+| priority | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||This is the scheduling priority with which the process runs. This can be adjusted with the nice command or nice() system call.
|
+| ruid | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||This is the real user id which represents the user who has created the process.
|
+| scheduling_class | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||A platform specific characteristic maintained by the scheduler: RT (real-time), TS (timeshare), FF (fifo), SYS (system), etc.
|
+| start_time | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||This is the time of day the process started formatted in HH:MM:SS if the same day the process started or formatted as MMM_DD (Ex.: Feb_5) if process started the previous day or further in the past.
|
+| tty | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||This is the TTY on which the process was started, if applicable.
|
+| user_id | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||This is the effective user id which represents the actual privileges of the process.
|
+| exec_shield | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||A boolean that when true would indicates that ExecShield is enabled for the process.
|
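Review bot: grammar in the exec_shield row of process58_item: `A boolean that when true would indicates that ExecShield is enabled for the process.` should read "A boolean that, when true, indicates that ExecShield is enabled for the process." The row should also state what a collector reports on platforms without ExecShield, an omitted element or a value of false, because a test author cannot treat the two as equivalent.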
+| loginuid | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||The loginuid shows which account a user gained access to the system with. The /proc/XXXX/loginuid shows this value.
|
+| posix_capability | [unix-sc:EntityItemCapabilityType](#EntityItemCapabilityType) (0..unbounded) |
+||An effective capability associated with the process. See linux/include/linux/capability.h for more information.
|
+| selinux_domain_label | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||An selinux domain label associated with the process.
|
+| session_id | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||The session ID of the process.
|
+
+______________
+
+## < routingtable_item >
+
+The routingtable_item holds information about an individual routing table entry found in a system's primary routing table. Each routingtable_item contains a destination IP address, gateway, netmask, flags, and the name of the interface associated with it. It is important to note that only numerical addresses will be collected and that their symbolic representations will not be resolved. This equivalent to using the '-n' option with route(8) or netstat(8). It extends the standard ItemType as defined in the oval-system-characteristics schema and one should refer to the ItemType description for more information.
+
+**Extends:** [oval-sc:ItemType](oval-system-characteristics-schema.md#ItemType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| destination | [oval-sc:EntityItemIPAddressType](oval-system-characteristics-schema.md#EntityItemIPAddressType) (0..1) |
+||The destination IP address prefix of the routing table entry. This is the destination IP address and netmask/prefix-length expressed using CIDR notation.
|
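Review bot: missing verb in the routingtable_item introduction: `This equivalent to using the '-n' option with route(8) or netstat(8).` should read "This is equivalent to ...". The destination row below correctly notes that the address and netmask/prefix-length are combined in CIDR notation; the introduction still lists "destination IP address, gateway, netmask" as separate fields, so update it to match the actual child elements (destination, gateway, flags, interface_name).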
+| gateway | [oval-sc:EntityItemIPAddressType](oval-system-characteristics-schema.md#EntityItemIPAddressType) (0..1) |
+||The gateway of the specified routing table entry.
|
+| flags | [unix-sc:EntityItemRoutingTableFlagsType](#EntityItemRoutingTableFlagsType) (0..unbounded) |
+||The flags associated with the specified routing table entry.
|
+| interface_name | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The name of the interface associated with the routing table entry.
|
+
+______________
+
+## < runlevel_item >
+
+The runlevel item holds information about the start or kill state of a specified service at a given runlevel. Each runlevel item contains service name and runlevel information as well as start and kill information. It extends the standard ItemType as defined in the oval-system-characteristics schema and one should refer to the ItemType description for more information.
+
+**Extends:** [oval-sc:ItemType](oval-system-characteristics-schema.md#ItemType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| service_name | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The service_name entity is the actual name of the specific service.
|
+| runlevel | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The runlevel entity specifies the system runlevel associated with a service.
|
+| start | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||The start entity specifies whether the service is scheduled to start at the runlevel.
|
+| kill | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||The kill entity specifies whether the service is scheduled to be killed at the runlevel.
|
+
+______________
+
+## < ~~sccs_item~~ >
+
+> :small_red_triangle: **Deprecated As Of Version 5.10** :small_red_triangle:
**Reason:** The sccs_item has been deprecated because the Source Code Control System (SCCS) is obsolete. The sccs_item may be removed in a future version of the language.
+
+
+
+**Extends:** [oval-sc:ItemType](oval-system-characteristics-schema.md#ItemType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| filepath | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||Specifies the absolute path to an SCCS file. A directory cannot be specified as a filepath.
|
+| path | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The path element specifies the directory component of the absolute path to an SCCS file.
|
+| filename | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The name of an SCCS file.
|
+| module_name | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+|||
+| module_type | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+|||
+| release | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+|||
+| level | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+|||
+| branch | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+|||
+| sequence | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+|||
+| what_string | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+|||
+
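Review bot: the sccs_item section has no introductory description (the lines between the deprecation notice and **Extends:** are blank), and the rows `module_name`, `module_type`, `release`, `level`, `branch`, `sequence` and `what_string` each have an empty description cell (`+|||`). Even for a deprecated item, every row should say which SCCS field it carries, as the filepath, path and filename rows already do; otherwise a reader has no way to tell release and level apart.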
+______________
+
+## < shadow_item >
+
+/etc/shadow. See shadow(4).
+
+**Extends:** [oval-sc:ItemType](oval-system-characteristics-schema.md#ItemType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| username | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||This is the name of the user for which data was gathered.
|
+| password | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||This is the encrypted version of the user's password.
|
+| chg_lst | Restriction of [oval-sc:EntityItemAnySimpleType](oval-system-characteristics-schema.md#EntityItemAnySimpleType) . See schema for details. (0..1) |
+||This is the date of the last password change in days since 1/1/1970.
|
+| chg_allow | Restriction of [oval-sc:EntityItemAnySimpleType](oval-system-characteristics-schema.md#EntityItemAnySimpleType) . See schema for details. (0..1) |
+||This specifies how often in days a user may change their password. It can also be thought of as the minimum age of a password.
|
+| chg_req | Restriction of [oval-sc:EntityItemAnySimpleType](oval-system-characteristics-schema.md#EntityItemAnySimpleType) . See schema for details. (0..1) |
+||This describes how long the user can keep a password before the system forces them to change it.
|
+| exp_warn | Restriction of [oval-sc:EntityItemAnySimpleType](oval-system-characteristics-schema.md#EntityItemAnySimpleType) . See schema for details. (0..1) |
+||This describes how long before password expiration the system begins warning the user. The system will warn the user at each login.
|
+| exp_inact | Restriction of [oval-sc:EntityItemAnySimpleType](oval-system-characteristics-schema.md#EntityItemAnySimpleType) . See schema for details. (0..1) |
+||This describes how many days of account inactivity the system will wait after a password expires before locking the account? This window, usually only set to a few days, gives users who are logging in very seldomly a bit of extra time to receive the password expiration warning and change their password.
|
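Review bot: punctuation and wording in the exp_inact row of shadow_item: `...the system will wait after a password expires before locking the account?` is a statement and should end with a period, and `seldomly` should be `seldom`. It would also be worth stating the unit and the meaning of an absent field here, as the chg_lst and exp_date rows do with "days since 1/1/1970", since an empty inactivity field in /etc/shadow means the feature is off rather than zero days.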
+| exp_date | Restriction of [oval-sc:EntityItemAnySimpleType](oval-system-characteristics-schema.md#EntityItemAnySimpleType) . See schema for details. (0..1) |
+||This specifies when will the account's password expire, in days since 1/1/1970.
|
+| flag | Restriction of [oval-sc:EntityItemAnySimpleType](oval-system-characteristics-schema.md#EntityItemAnySimpleType) . See schema for details. (0..1) |
+||This is a numeric reserved field that the shadow file may use in the future.
|
+| encrypt_method | [unix-sc:EntityItemEncryptMethodType](#EntityItemEncryptMethodType) (0..1) |
+||The encrypt_method entity describes method that is used for hashing passwords.
|
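Review bot: missing article in the encrypt_method row: `The encrypt_method entity describes method that is used for hashing passwords.` should read "describes the method". The password row above calls the stored value `the encrypted version of the user's password` while this row correctly says "hashing"; use "hash" in both rows so the terminology matches what is actually in /etc/shadow and what EntityItemEncryptMethodType enumerates.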
+
+______________
+
+## < symlink_item >
+
+The symlink_item element identifies the result generated for a symlink_object.
+
+**Extends:** [oval-sc:ItemType](oval-system-characteristics-schema.md#ItemType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| filepath | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (1..1) |
+||Specifies the filepath to the subject symbolic link file, specified by the symlink_object.
|
+| canonical_path | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (1..1) |
+||Specifies the canonical path for the target of the symbolic link file specified by the filepath.
|
+
+______________
+
+## < sysctl_item >
+
+The sysctl_item stores information retrieved from the local system about a kernel parameter and its respective value(s).
+
+**Extends:** [oval-sc:ItemType](oval-system-characteristics-schema.md#ItemType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| name | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The name element contains a string that represents the name of a kernel parameter that was collected from the local system.
|
+| value | [oval-sc:EntityItemAnySimpleType](oval-system-characteristics-schema.md#EntityItemAnySimpleType) (0..unbounded) |
+||The value element contains a string that represents the current value(s) for the specified kernel parameter on the local system.
|
+
+______________
+
+## < uname_item >
+
+Information about the hardware the machine is running on. This information is the parsed equivalent of uname -a.
+
+**Extends:** [oval-sc:ItemType](oval-system-characteristics-schema.md#ItemType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| machine_class | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||This entity specifies the machine hardware name. This corresponds to the command uname -m.
|
+| node_name | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||This entity specifies the host name. This corresponds to the command uname -n.
|
+| os_name | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||This entity specifies the operating system name. This corresponds to the command uname -s.
|
+| os_release | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||This entity specifies the build version. This corresponds to the command uname -r.
|
+| os_version | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||This entity specifies the operating system version. This corresponds to the command uname -v.
|
+| processor_type | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||This entity specifies the processor type. This corresponds to the command uname -p.
|
+
+______________
+
+## < xinetd_item >
+
+The xinetd item holds information associated with different Internet services. It extends the standard ItemType as defined in the oval-system-characteristics schema and one should refer to the ItemType description for more information.
+
+**Extends:** [oval-sc:ItemType](oval-system-characteristics-schema.md#ItemType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| protocol | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The protocol entity specifies the protocol that is used by the service. The list of valid protocols can be found in /etc/protocols.
|
+| service_name | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The service_name entity specifies the name of the service.
|
+| flags | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..unbounded) |
+||The flags entity specifies miscellaneous settings associated with the service.
|
+| no_access | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..unbounded) |
+||The no_access entity specifies the remote hosts to which the service is unavailable. Please see the xinetd.conf(5) man page for information on the different formats that can be used to describe a host.
|
+| only_from | [oval-sc:EntityItemIPAddressStringType](oval-system-characteristics-schema.md#EntityItemIPAddressStringType) (0..unbounded) |
+||The only_from entity specifies the remote hosts to which the service is available. Please see the xinetd.conf(5) man page for information on the different formats that can be used to describe a host.
|
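Review bot: no_access and only_from in xinetd_item are typed differently although their descriptions are identical apart from the polarity and both defer to xinetd.conf(5) for the host formats: `| no_access | [oval-sc:EntityItemStringType]... (0..unbounded) |` versus `| only_from | [oval-sc:EntityItemIPAddressStringType]... (0..unbounded) |`. xinetd.conf accepts host names and network names as well as numeric addresses in both attributes, so an IP-address-only type for only_from cannot carry every value a collector will find; either type both as EntityItemStringType or document that non-address forms are not collected for only_from.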
+| port | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||The port entity specifies the port used by the service.
|
+| server | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The server entity specifies the executable that is used to launch the service.
|
+| server_arguments | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The server_arguments entity specifies the arguments that are passed to the executable when launching the service.
|
+| socket_type | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The socket_type entity specifies the type of socket that is used by the service. Possible values include: stream, dgram, raw, or seqpacket.
|
+| type | [unix-sc:EntityItemXinetdTypeStatusType](#EntityItemXinetdTypeStatusType) (0..unbounded) |
+||The type entity specifies the type of the service. A service may have multiple types.
|
+| user | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The user entity specifies the user identifier of the process that is running the service. The user identifier may be expressed as a numerical value or as a user name that exists in /etc/passwd.
|
+| wait | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||The wait entity specifies whether or not the service is single-threaded or multi-threaded and whether or not xinetd accepts the connection or the service accepts the connection. A value of 'true' indicates that the service is single-threaded and the service will accept the connection. A value of 'false' indicates that the service is multi-threaded and xinetd will accept the connection.
|
+| disabled | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||The disabled entity specifies whether or not the service is disabled. A value of 'true' indicates that the service is disabled and will not start. A value of 'false' indicates that the service is not disabled.
|
+
+## == EntityItemCapabilityType ==
+
+The EntityItemCapabilityType complex type restricts a string value to a specific set of values that describe POSIX capability types associated with a process service. This list is based off the values defined in linux/include/linux/capability.h. Documentation on each allowed value can be found in capability.h. The empty string is also allowed to support empty elements associated with error conditions.
+
+**Restricts:** [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType)
+
+| Value | Description |
+| ----- | ----------- |
+| CAP_CHOWN | |
+| CAP_DAC_OVERRIDE | |
+| CAP_DAC_READ_SEARCH | |
+| CAP_FOWNER | |
+| CAP_FSETID | |
+| CAP_KILL | |
+| CAP_SETGID | |
+| CAP_SETUID | |
+| CAP_SETPCAP | |
+| CAP_LINUX_IMMUTABLE | |
+| CAP_NET_BIND_SERVICE | |
+| CAP_NET_BROADCAST | |
+| CAP_NET_ADMIN | |
+| CAP_NET_RAW | |
+| CAP_IPC_LOCK | |
+| CAP_IPC_OWNER | |
+| CAP_SYS_MODULE | |
+| CAP_SYS_RAWIO | |
+| CAP_SYS_CHROOT | |
+| CAP_SYS_PTRACE | |
+| CAP_SYS_ADMIN | |
+| CAP_SYS_BOOT | |
+| CAP_SYS_NICE | |
+| CAP_SYS_RESOURCE | |
+| CAP_SYS_TIME | |
+| CAP_SYS_TTY_CONFIG | |
+| CAP_MKNOD | |
+| CAP_LEASE | |
+| CAP_AUDIT_WRITE | |
+| CAP_AUDIT_CONTROL | |
+| CAP_SETFCAP | |
+| CAP_MAC_OVERRIDE | |
+| CAP_MAC_ADMIN | |
+| CAP_SYS_PACCT | |
+| CAP_SYSLOG | |
+| CAP_WAKE_ALARM | |
+| CAP_BLOCK_SUSPEND | |
+| CAP_AUDIT_READ | |
+| | The empty string value is permitted here to allow for empty elements associated with variable references.
|
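Review bot: the empty-string row of EntityItemCapabilityType gives a different rationale from the type's own prose: the row says `The empty string value is permitted here to allow for empty elements associated with variable references.` while the paragraph above says it supports `empty elements associated with error conditions`, and every other enumeration in this file uses the "detailed error reporting" wording; align this one. Also, because the enumeration is closed and ends at CAP_AUDIT_READ, a collector has no valid value for capabilities the kernel has added since (CAP_BPF and CAP_PERFMON, for example); either state how an unlisted capability is to be reported or note which revision of capability.h the list tracks.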
+
+______________
+
+## == EntityItemEndpointType ==
+
+The EntityItemEndpointType complex type restricts a string value to a specific set of values that describe endpoint types associated with an Internet service. The empty string is also allowed to support empty elements associated with error conditions.
+
+**Restricts:** [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType)
+
+| Value | Description |
+| ----- | ----------- |
+| stream | The stream value is used to describe a stream socket.
|
+| dgram | The dgram value is used to describe a datagram socket.
|
+| raw | The raw value is used to describe a raw socket.
|
+| seqpacket | The seqpacket value is used to describe a sequenced packet socket.
|
+| tli | The tli value is used to describe all TLI endpoints.
|
+| sunrpc_tcp | The sunrpc_tcp value is used to describe all SUNRPC TCP endpoints.
|
+| sunrpc_udp | The sunrpc_udp value is used to describe all SUNRPC UDP endpoints.
|
+| | The empty string value is permitted here to allow for detailed error reporting.
|
+
+## == EntityItemGconfTypeType ==
+
+The EntityItemGconfTypeType complex type restricts a string value to the seven values GCONF_VALUE_STRING, GCONF_VALUE_INT, GCONF_VALUE_FLOAT, GCONF_VALUE_BOOL, GCONF_VALUE_SCHEMA, GCONF_VALUE_LIST, and GCONF_VALUE_PAIR that specify the type of the value associated with a GConf preference key. The empty string is also allowed to support empty elements associated with error conditions.
+
+**Restricts:** [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType)
+
+| Value | Description |
+| ----- | ----------- |
+| GCONF_VALUE_STRING | The GCONF_VALUE_STRING type is used to describe a preference key that has a string value.
|
+| GCONF_VALUE_INT | The GCONF_VALUE_INT type is used to describe a preference key that has a integer value.
|
+| GCONF_VALUE_FLOAT | The GCONF_VALUE_FLOAT type is used to describe a preference key that has a float value.
|
+| GCONF_VALUE_BOOL | The GCONF_VALUE_BOOL type is used to describe a preference key that has a boolean value.
|
+| GCONF_VALUE_SCHEMA | The GCONF_VALUE_SCHEMA type is used to describe a preference key that has a schema value. The actual value will be the default value as specified in the GConf schema.
|
+| GCONF_VALUE_LIST | The GCONF_VALUE_LIST type is used to describe a preference key that has a list of values. The actual values will be one of the primitive GConf datatypes GCONF_VALUE_STRING, GCONF_VALUE_INT, GCONF_VALUE_FLOAT, GCONF_VALUE_BOOL, and GCONF_VALUE_SCHEMA. Note that all of the values associated with a GCONF_VALUE_LIST are required to have the same type.
|
+| GCONF_VALUE_PAIR | The GCONF_VALUE_PAIR type is used to describe a preference key that has a pair of values. The actual values will consist of the primitive GConf datatypes GCONF_VALUE_STRING, GCONF_VALUE_INT, GCONF_VALUE_FLOAT, GCONF_VALUE_BOOL, and GCONF_VALUE_SCHEMA. Note that the values associated with a GCONF_VALUE_PAIR are not required to have the same type.
|
+| | The empty string value is permitted here to allow for detailed error reporting.
|
+
+## == EntityItemRoutingTableFlagsType ==
+
+The EntityItemRoutingTableFlagsType complex type restricts a string value to a specific set of values that describe the flags associated with a routing table entry. This list is based off the values defined in the man pages of various platforms. For Linux, please see route(8). For Solaris, please see netstat(1M). For HP-UX, please see netstat(1). For Mac OS, please see netstat(1). For FreeBSD, please see netstat(1). Documentation on each allowed value can be found in the previously listed man pages. The empty string is also allowed to support empty elements associated with error conditions.
+
+**Restricts:** [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType)
+
+| Value | Description |
+| ----- | ----------- |
+| UP | |
+| GATEWAY | |
+| HOST | |
+| REINSTATE | |
+| DYNAMIC | |
+| MODIFIED | |
+| ADDRCONF | |
+| CACHE | |
+| REJECT | |
+| REDUNDANT | |
+| SETSRC | |
+| BROADCAST | |
+| LOCAL | |
+| PROTOCOL_1 | |
+| PROTOCOL_2 | |
+| PROTOCOL_3 | |
+| BLACK_HOLE | |
+| CLONING | |
+| PROTOCOL_CLONING | |
+| INTERFACE_SCOPE | |
+| LINK_LAYER | |
+| MULTICAST | |
+| STATIC | |
+| WAS_CLONED | |
+| XRESOLVE | |
+| USABLE | |
+| PINNED | |
+| ACTIVE_DEAD_GATEWAY_DETECTION | |
+| | The empty string value is permitted here to allow for detailed error reporting.
|
+
+The following table is a mapping between the generic flag enumeration values and the actual flag values found on the various platforms. If the flag value is not specified, for a particular generic flag enumeration value, the flag value is not defined for that platform.
+```
+Name Linux Solaris HPUX Mac OS FreeBSD AIX
+UP U U U U U U
+GATEWAY G G G G G G
+HOST H H H H H H
+REINSTATE R
+DYNAMIC D D D D D
+MODIFIED M M M M
+ADDRCONF A A
+CACHE C e
+REJECT ! R R R
+REDUNDANT M (>=9)
+SETSRC S
+BROADCAST B b b b
+LOCAL L l
+PROTOCOL_1 1 1 1
+PROTOCOL_2 2 2 2
+PROTOCOL_3 3 3 3
+BLACK_HOLE B B
+CLONING C C c
+PROTOCOL_CLONING c c
+INTERFACE_SCOPE I
+LINK_LAYER L L L
+MULTICAST m m
+STATIC S S S
+WAS_CLONED W W W
+XRESOLVE X X
+USABLE u
+PINNED P
+ACTIVE_DEAD_GATEWAY_DETECTION A (>=5.1)
+```
+
+## == EntityItemXinetdTypeStatusType ==
+
+The EntityItemXinetdTypeStatusType complex type restricts a string value to five values, either RPC, INTERNAL, UNLISTED, TCPMUX, or TCPMUXPLUS that specify the type of service registered in xinetd. The empty string is also allowed to support empty elements associated with error conditions.
+
+**Restricts:** [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType)
+
+| Value | Description |
+| ----- | ----------- |
+| INTERNAL | The INTERNAL type is used to describe services like echo, chargen, and others whose functionality is supplied by xinetd itself.
|
+| RPC | The RPC type is used to describe services that use remote procedure call ala NFS.
|
+| UNLISTED | The UNLISTED type is used to describe services that aren't listed in /etc/protocols or /etc/rpc.
|
+| TCPMUX | The TCPMUX type is used to describe services that conform to RFC 1078. This type indiciates that the service is responsible for handling the protocol handshake.
|
+| TCPMUXPLUS | The TCPMUXPLUS type is used to describe services that conform to RFC 1078. This type indicates that xinetd is responsible for handling the protocol handshake.
|
+| | The empty string value is permitted here to allow for detailed error reporting.
|
+
+## == EntityItemWaitStatusType ==
+
+The EntityItemWaitStatusType complex type restricts a string value to two values, either wait or nowait, that specify whether the server that is invoked by inetd will take over the listening socket associated with the service, and whether once launched, inetd will wait for that server to exit, if ever, before it resumes listening for new service requests. The empty string is also allowed to support empty elements associated with error conditions.
+
+**Restricts:** [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType)
+
+| Value | Description |
+| ----- | ----------- |
+| wait | The value of 'wait' specifies that the server that is invoked by inetd will take over the listening socket associated with the service, and once launched, inetd will wait for that server to exit, if ever, before it resumes listening for new service requests.
|
+| nowait | The value of 'nowait' specifies that the server that is invoked by inetd will not wait for any existing server to finish before taking over the listening socket associated with the service.
|
+| | The empty string value is permitted here to allow for detailed error reporting.
|
+
+## == EntityItemEncryptMethodType ==
+
+The EntityItemEncryptMethodType complex type restricts a string value to a set that corresponds to the allowed encrypt methods used for protected passwords in a shadow file. The empty string is also allowed to support empty elements associated with error conditions.
+
+**Restricts:** [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType)
+
+| Value | Description |
+| ----- | ----------- |
+| DES | The DES method corresponds to the (none) prefix.
|
+| BSDi | The BSDi method corresponds to BSDi modified DES or the '_' prefix.
|
+| MD5 | The MD5 method corresponds to MD5 for Linux/BSD or the $1$ prefix.
|
+| Blowfish | The Blowfish method corresponds to Blowfish (OpenBSD) or the $2$ or $2a$ prefixes.
|
+| Sun MD5 | The Sun MD5 method corresponds to the $md5$ prefix.
|
+| SHA-256 | The SHA-256 method corresponds to the $5$ prefix.
|
+| SHA-512 | The SHA-512 method corresponds to the $6$ prefix.
|
+| | The empty string value is permitted here to allow for empty elements associated with variable references.
|
+
+## == EntityItemInterfaceType ==
+
+The EntityItemInterfaceType complex type restricts a string value to a specific set of values. These values describe the different interface types which are defined in 'if_arp.h'. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+**Restricts:** [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType)
+
+| Value | Description |
+| ----- | ----------- |
+| ARPHRD_ETHER | The ARPHRD_ETHER type is used to describe ethernet interfaces.
|
+| ARPHRD_FDDI | The ARPHRD_FDDI type is used to describe fiber distributed data interfaces (FDDI).
|
+| ARPHRD_LOOPBACK | The ARPHRD_LOOPBACK type is used to describe loopback interfaces.
|
+| ARPHRD_VOID | The ARPHRD_VOID type is used to describe unknown interfaces.
|
+| ARPHRD_PPP | The ARPHRD_PPP type is used to describe point-to-point protocol interfaces (PPP).
|
+| ARPHRD_SLIP | The ARPHRD_SLIP type is used to describe serial line internet protocol interfaces (SLIP).
|
+| ARPHRD_PRONET | The ARPHRD_PRONET type is used to describe PROnet token ring interfaces.
|
+| | The empty string value is permitted here to allow for detailed error reporting.
|
+
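Review bot: the platform flag mapping for EntityItemRoutingTableFlagsType (the fenced block after "The following table is a mapping between the generic flag enumeration values...") is whitespace-aligned with undefined cells simply omitted, so sparse rows such as `REINSTATE R`, `CACHE C e` and `REDUNDANT M (>=9)` cannot be read back to a platform column once the alignment is lost; rebuild it as a pipe-delimited table with an explicit empty cell for every platform where the flag is undefined, in the same `| Value | Description |` style used by the other tables in this file. Two typos in the same hunk: `a integer value` in the GCONF_VALUE_INT row should be `an integer value`, and `indiciates` in the TCPMUX row should be `indicates`. The empty-string rationale is also inconsistent within two of the types: the EntityItemEncryptMethodType introduction says the empty string supports "error conditions" while its trailing empty-string row says "variable references", and EntityItemInterfaceType does the reverse ("variable references" in the introduction, "detailed error reporting" in the row); pick one wording per type.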
diff --git a/guidelines/oval-schema-documentation/windows-definitions-schema.md b/guidelines/oval-schema-documentation/windows-definitions-schema.md
new file mode 100644
index 0000000..9a04e62
--- /dev/null
+++ b/guidelines/oval-schema-documentation/windows-definitions-schema.md
@@ -0,0 +1,4429 @@
+# Open Vulnerability and Assessment Language: Element Dictionary
+
+* Schema: Windows Definition
+* Version: 5.11.1:1.4
+* Release Date: 01/09/2017 10:00:00 PM
+
+The following is a description of the elements, types, and attributes that compose the Windows specific tests found in Open Vulnerability and Assessment Language (OVAL). Each test is an extension of the standard test element defined in the Core Definition Schema. Through extension, each test inherits a set of elements and attributes that are shared amongst all OVAL tests. Each test is described in detail and should provide the information necessary to understand what each element and attribute represents. This document is intended for developers and assumes some familiarity with XML. A high level description of the interaction between the different tests and their relationship to the Core Definition Schema is not outlined here.
+
+The OVAL Schema is maintained by the OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.cisecurity.org.
+
+## Test Listing
+
+ *[ ~~accesstoken_test~~ ](#accesstoken_test)
+ *[ activedirectory_test ](#activedirectory_test)
+ *[ ~~activedirectory57_test~~ ](#activedirectory57_test)
+ *[ auditeventpolicy_test ](#auditeventpolicy_test)
+ *[ auditeventpolicysubcategories_test ](#auditeventpolicysubcategories_test)
+ *[ cmdlet_test ](#cmdlet_test)
+ *[ dnscache_test ](#dnscache_test)
+ *[ file_test ](#file_test)
+ *[ fileauditedpermissions53_test ](#fileauditedpermissions53_test)
+ *[ ~~fileauditedpermissions_test~~ ](#fileauditedpermissions_test)
+ *[ fileeffectiverights53_test ](#fileeffectiverights53_test)
+ *[ ~~fileeffectiverights_test~~ ](#fileeffectiverights_test)
+ *[ ~~group_test~~ ](#group_test)
+ *[ group_sid_test ](#group_sid_test)
+ *[ interface_test ](#interface_test)
+ *[ junction_test ](#junction_test)
+ *[ license_test ](#license_test)
+ *[ lockoutpolicy_test ](#lockoutpolicy_test)
+ *[ metabase_test ](#metabase_test)
+ *[ ntuser_test ](#ntuser_test)
+ *[ passwordpolicy_test ](#passwordpolicy_test)
+ *[ peheader_test ](#peheader_test)
+ *[ port_test ](#port_test)
+ *[ printereffectiverights_test ](#printereffectiverights_test)
+ *[ ~~process_test~~ ](#process_test)
+ *[ process58_test ](#process58_test)
+ *[ registry_test ](#registry_test)
+ *[ regkeyauditedpermissions53_test ](#regkeyauditedpermissions53_test)
+ *[ ~~regkeyauditedpermissions_test~~ ](#regkeyauditedpermissions_test)
+ *[ regkeyeffectiverights53_test ](#regkeyeffectiverights53_test)
+ *[ ~~regkeyeffectiverights_test~~ ](#regkeyeffectiverights_test)
+ *[ service_test ](#service_test)
+ *[ serviceeffectiverights_test ](#serviceeffectiverights_test)
+ *[ sharedresource_test ](#sharedresource_test)
+ *[ sharedresourceauditedpermissions_test ](#sharedresourceauditedpermissions_test)
+ *[ sharedresourceeffectiverights_test ](#sharedresourceeffectiverights_test)
+ *[ sid_test ](#sid_test)
+ *[ sid_sid_test ](#sid_sid_test)
+ *[ systemmetric_test ](#systemmetric_test)
+ *[ uac_test ](#uac_test)
+ *[ ~~user_test~~ ](#user_test)
+ *[ user_sid55_test ](#user_sid55_test)
+ *[ ~~user_sid_test~~ ](#user_sid_test)
+ *[ userright_test ](#userright_test)
+ *[ volume_test ](#volume_test)
+ *[ ~~wmi_test~~ ](#wmi_test)
+ *[ wmi57_test ](#wmi57_test)
+ *[ wuaupdatesearcher_test ](#wuaupdatesearcher_test)
+
+______________
+
+## < ~~accesstoken_test~~ >
+
+> :small_red_triangle: **Deprecated As Of Version 5.11** :small_red_triangle:
**Reason:** Replaced by the userright_test. This accesstoken_test suffers from scalability issues when run on a domain controller and should not be used. See the userright_test.
**Comment:** This test has been deprecated and will be removed in version 6.0 of the language.
+
+The accesstoken_test is used to check the properties of a Windows access token as well as individual privileges and rights associated with it. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references an accesstoken_object and the optional state element specifies the data to check.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..unbounded) |
+|||
+
+## < ~~accesstoken_object~~ >
+
+> :small_red_triangle: **Deprecated As Of Version 5.11** :small_red_triangle:
**Reason:** Replaced by the userright_object. The accesstoken_test suffers from scalability issues when run on a domain controller and should not be used. See the userright_object.
**Comment:** This object has been deprecated and will be removed in version 6.0 of the language.
+
+The accesstoken_object element is used by an access token test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+An accesstoken_object consists of a single security principle that identifies user, group, or computer account that is associated with the token.
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| behaviors | [win-def:AccesstokenBehaviors](#AccesstokenBehaviors) (0..1) |
+|||
+| security_principle | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The security_principle element defines the access token being specified. Security principles include users or groups with either local or domain accounts, and computer accounts created when a computer joins a domain. In Windows, security principles are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. User rights and permissions to access objects such as Active Directory objects, files, and registry settings are assigned to security principles. In a domain environment, security principles should be identified in the form: "domain\trustee name". For local security principles use: "computer name\trustee name". For built-in accounts on the system, use the trustee name without a domain. If an operation other than equals is used to identify matching trustees (i.e. not equal, or a pattern match) then the resulting matches shall be limited to only the trustees referenced in the Local Security Authority database. The scope is limited here to avoid unnecessarily resource intensive searches for trustees. Note that the larger scope of all known trustees may be obtained through the use of variables.
|
+| [oval-def:filter](oval-definitions-schema.md#filter) | n/a (0..unbounded) |
+|||
+
+## < ~~accesstoken_state~~ >
+
+> :small_red_triangle: **Deprecated As Of Version 5.11** :small_red_triangle:
**Reason:** Replaced by the userright_state. The accesstoken_test suffers from scalability issues when run on a domain controller and should not be used. See the userright_state.
**Comment:** This state has been deprecated and will be removed in version 6.0 of the language.
+
+The accesstoken_state element defines the different information that can be used to evaluate the specified access tokens. This includes the multitude of user rights and permissions that can be granted. Please refer to the individual elements in the schema for more details about what each represents.
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| security_principle | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The security_principle element identifies an access token to test for. Security principles include users or groups with either local or domain accounts, and computer accounts created when a computer joins a domain. In Windows, security principles are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. User rights and permissions to access objects such as Active Directory objects, files, and registry settings are assigned to security principles. In a domain environment, security principles should be identified in the form: "domain\trustee name". For local security principles use: "computer name\trustee name". For built-in accounts on the system, use the trustee name without a domain.
|
+| seassignprimarytokenprivilege | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||If the seassignprimarytokenprivilege privilege is enabled, it allows a parent process to replace the access token that is associated with a child process.
|
+| seauditprivilege | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||If the seauditprivilege privilege is enabled, it allows a process to generate audit records in the security log. The security log can be used to trace unauthorized system access.
|
+| sebackupprivilege | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||If the sebackupprivilege privilege is enabled, it allows the user to circumvent file and directory permissions to back up the system. The privilege is selected only when an application attempts access by using the NTFS backup application programming interface (API). Otherwise, normal file and directory permissions apply.
|
+| sechangenotifyprivilege | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||If the sechangenotifyprivilege privilege is enabled, it allows the user to pass through folders to which the user otherwise has no access while navigating an object path in the NTFS file system or in the registry. This privilege does not allow the user to list the contents of a folder; it allows the user only to traverse its directories.
|
+| secreateglobalprivilege | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||If the secreateglobalprivilege privilege is enabled, it allows the user to create named file mapping objects in the global namespace during Terminal Services sessions.
|
+| secreatepagefileprivilege | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||If the secreatepagefileprivilege privilege is enabled, it allows the user to create and change the size of a pagefile.
|
+| secreatepermanentprivilege | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||If the secreatepermanentprivilege privilege is enabled, it allows a process to create a directory object in the object manager. It is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode have this privilege inherently.
|
+| secreatesymboliclinkprivilege | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||If the secreatesymboliclinkprivilege privilege is enabled, it allows users to create symbolic links.
|
+| secreatetokenprivilege | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||If the secreatetokenprivilege privilege is enabled, it allows a process to create an access token by calling NtCreateToken() or other token-creating APIs.
|
+| sedebugprivilege | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||If the sedebugprivilege privilege is enabled, it allows the user to attach a debugger to any process. It provides access to sensitive and critical operating system components.
|
+| seenabledelegationprivilege | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||If the seenabledelegationprivilege privilege is enabled, it allows the user to change the Trusted for Delegation setting on a user or computer object in Active Directory. The user or computer that is granted this privilege must also have write access to the account control flags on the object.
|
+| seimpersonateprivilege | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||If the seimpersonateprivilege privilege is enabled, it allows the user to impersonate a client after authentication.
|
+| seincreasebasepriorityprivilege | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||If the seincreasebasepriorityprivilege privilege is enabled, it allows a user to increase the base priority class of a process.
|
+| seincreasequotaprivilege | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||If the seincreasequotaprivilege privilege is enabled, it allows a process that has access to a second process to increase the processor quota assigned to the second process.
|
+| seincreaseworkingsetprivilege | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||If the seincreaseworkingsetprivilege privilege is enabled, it allows a user to increase a process working set.
|
+| seloaddriverprivilege | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||If the seloaddriverprivilege privilege is enabled, it allows a user to install and remove drivers for Plug and Play devices.
|
+| selockmemoryprivilege | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||If the selockmemoryprivilege privilege is enabled, it allows a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk.
|
+| semachineaccountprivilege | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||If the semachineaccountprivilege privilege is enabled, it allows the user to add a computer to a specific domain.
|
+| semanagevolumeprivilege | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||If the semanagevolumeprivilege privilege is enabled, it allows a non-administrative or remote user to manage volumes or disks.
|
+| seprofilesingleprocessprivilege | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||If the seprofilesingleprocessprivilege privilege is enabled, it allows a user to sample the performance of an application process.
|
+| serelabelprivilege | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||If the serelabelprivilege privilege is enabled, it allows a user to modify an object label.
|
+| seremoteshutdownprivilege | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||If the seremoteshutdownprivilege privilege is enabled, it allows a user to shut down a computer from a remote location on the network.
|
+| serestoreprivilege | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||If the serestoreprivilege privilege is enabled, it allows a user to circumvent file and directory permissions when restoring backed-up files and directories and to set any valid security principle as the owner of an object.
|
+| sesecurityprivilege | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||If the sesecurityprivilege privilege is enabled, it allows a user to specify object access auditing options for individual resources such as files, Active Directory objects, and registry keys. A user who has this privilege can also view and clear the security log from Event Viewer.
|
+| seshutdownprivilege | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||If the seshutdownprivilege privilege is enabled, it allows a user to shut down the local computer.
|
+| sesyncagentprivilege | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||If the sesyncagentprivilege privilege is enabled, it allows a process to read all objects and properties in the directory, regardless of the protection on the objects and properties. It is required in order to use Lightweight Directory Access Protocol (LDAP) directory synchronization (Dirsync) services.
|
+| sesystemenvironmentprivilege | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||If the sesystemenvironmentprivilege privilege is enabled, it allows modification of system environment variables either by a process through an API or by a user through System Properties.
|
+| sesystemprofileprivilege | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||If the sesystemprofileprivilege privilege is enabled, it allows a user to sample the performance of system processes.
|
+| sesystemtimeprivilege | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||If the sesystemtimeprivilege privilege is enabled, it allows the user to adjust the time on the computer's internal clock. It is not required to change the time zone or other display characteristics of the system time.
|
+| setakeownershipprivilege | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||If the setakeownershipprivilege privilege is enabled, it allows a user to take ownership of any securable object in the system, including Active Directory objects, NTFS files and folders, printers, registry keys, services, processes, and threads.
|
+| setcbprivilege | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||If the setcbprivilege privilege is enabled, it allows a process to assume the identity of any user and thus gain access to the resources that the user is authorized to access.
|
+| setimezoneprivilege | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||If the setimezoneprivilege privilege is enabled, it allows the user to change the time zone.
|
+| seundockprivilege | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||If the seundockprivilege privilege is enabled, it allows the user of a portable computer to undock the computer by clicking Eject PC on the Start menu.
|
+| seunsolicitedinputprivilege | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||If the seunsolicitedinputprivilege privilege is enabled, it allows the user to read unsolicited data from a terminal device.
|
+| sebatchlogonright | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||If an account is assigned the sebatchlogonright right, it can log on using the batch logon type.
|
+| seinteractivelogonright | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||If an account is assigned the seinteractivelogonright right, it can log on using the interactive logon type.
|
+| senetworklogonright | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||If an account is assigned the senetworklogonright right, it can log on using the network logon type.
|
+| seremoteinteractivelogonright | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||If an account is assigned the seremoteinteractivelogonright right, it can log on to the computer by using a Remote Desktop connection.
|
+| seservicelogonright | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||If an account is assigned the seservicelogonright right, it can log on using the service logon type.
|
+| sedenybatchLogonright | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||If an account is assigned the sedenybatchLogonright right, it is explicitly denied the ability to log on using the batch logon type.
|
+| sedenyinteractivelogonright | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||If an account is assigned the sedenyinteractivelogonright right, it is explicitly denied the ability to log on using the interactive logon type.
|
+| sedenynetworklogonright | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||If an account is assigned the sedenynetworklogonright right, it is explicitly denied the ability to log on using the network logon type.
|
+| sedenyremoteInteractivelogonright | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||If an account is assigned the sedenyremoteInteractivelogonright right, it is explicitly denied the ability to log on through Terminal Services.
|
+| sedenyservicelogonright | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||If an account is assigned the sedenyservicelogonright right, it is explicitly denied the ability to log on using the service logon type.
|
+| setrustedcredmanaccessnameright | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||If an account is assigned this right, it can access the Credential Manager as a trusted caller.
|
+
+## == ~~AccesstokenBehaviors~~ ==
+
+> :small_red_triangle: **Deprecated As Of Version 5.11** :small_red_triangle:
**Reason:** Replaced by the userright_test. The AccesstokenBehaviors complex type is used by the accesstoken_test which suffers from scalability issues when run on a domain controller and should not be used. As a result, the AccesstokenBehaviors complex type is no longer needed. See the userright_test.
**Comment:** This complex type has been deprecated and will be removed in version 6.0 of the language.
+
+The AccesstokenBehaviors complex type defines a number of behaviors that allow a more detailed definition of the accesstoken_object being specified. Note that using these behaviors may result in some unique results. For example, a double negative type condition might be created where an object entity says include everything except a specific item, but a behavior is used that might then add that item back in.
+
+#### Attributes:
+
+* ~~**include_group** xsd:boolean (optional -- default='true')~~
+If a group security principle is specified, this behavior specifies whether to include the group or not. For example, maybe you want to check the access tokens associated with every user within a group, but not the group itself. In this case, you would set the include_group behavior to 'false'. If the security_principle is not a group, then this behavior should be ignored.
+* ~~**resolve_group** xsd:boolean (optional -- default='false')~~
+The 'resolve_group' behavior defines whether an object set defined by a group SID should be resolved to return a set that contains all the user SIDs that are a member of that group. Note that all child groups should also be resolved and any valid domain users that are members of the group should also be included. The intent of this behavior is to end up with a list of all individual users from that system that make up the group once everything has been resolved.
+
+______________
+
+## < activedirectory_test >
+
+The active directory test is used to check information about specific entries in active directory. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references an activedirectory_object and the optional state element specifies the metadata to check.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..unbounded) |
+|||
+
+## < activedirectory_object >
+
+The activedirectory_object element is used by an active directory test to define those objects to evaluated based on a specified state. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+An active directory object consists of three pieces of information, a naming context, a relative distinguished name, and an attribute. Each piece helps identify a specific active directory entry.
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| naming_context | [win-def:EntityObjectNamingContextType](#EntityObjectNamingContextType) (1..1) |
+||Each object in active directory exists under a certain naming context (also known as a partition). A naming context is defined as a single object in the Directory Information Tree (DIT) along with every object in the tree subordinate to it. There are three default naming contexts in Active Directory: domain, configuration, and schema.
|
+| relative_dn | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The relative_dn field is used to uniquely identify an object inside the specified naming context. It contains all the parts of the object's distinguished name except those outlined by the naming context. If the xsi:nil attribute is set to true, then the object being specified is the higher level naming context. In this case, the relative_dn element should not be collected or used in analysis. Setting xsi:nil equal to true is different than using a .* pattern match, which says to collect every relative dn under a given naming context.
|
+| attribute | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||Specifies a named value contained by the object. If the xsi:nil attribute is set to true, the attribute element should not be collected or used in analysis. Setting xsi:nil equal to true is different than using a .* pattern match, which says to collect every attribute under a given relative dn.
|
+
+## < activedirectory_state >
+
+The activedirectory_state element defines the different information that can be used to evaluate the specified entries in active directory. An active directory test will reference a specific instance of this state that defines the exact settings that need to be evaluated. Please refer to the individual elements in the schema for more details about what each represents.
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| naming_context | [win-def:EntityStateNamingContextType](#EntityStateNamingContextType) (0..1) |
+||Each object in active directory exists under a certain naming context (also known as a partition). A naming context is defined as a single object in the Directory Information Tree (DIT) along with every object in the tree subordinate to it. There are three default naming contexts in Active Directory: domain, configuration, and schema.
|
+| relative_dn | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The relative_dn field is used to uniquely identify an object inside the specified naming context. It contains all the parts of the objects distinguished name except those outlined by the naming context.
|
+| attribute | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||Specifies a named value contained by the object.
|
+| object_class | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The name of the class of which the object is an instance.
|
+| adstype | [win-def:EntityStateAdstypeType](#EntityStateAdstypeType) (0..1) |
+||Specifies the type of information that the specified attribute represents.
|
+| value | [oval-def:EntityStateAnySimpleType](oval-definitions-schema.md#EntityStateAnySimpleType) (0..1) |
+||The actual value of the specified active directory attribute.
|
+
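Review bot: grammar slip in the activedirectory_object description: `define those objects to evaluated based on a specified state` should read `to be evaluated` (the activedirectory57_object description repeats the same slip). In the activedirectory_state relative_dn row, `objects distinguished name` should be `object's distinguished name`, matching the object table. Also, activedirectory_object lists no `oval-def:filter` child row while the deprecated activedirectory57_object further down does; please confirm against the XSD that the filter row was not dropped here by accident.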
+______________
+
+## < ~~activedirectory57_test~~ >
+
+> :small_red_triangle: **Deprecated As Of Version 5.11.1:1.2** :small_red_triangle:
**Reason:** Use the original activedirectory_test. The activedirectory57_test suffers from ambiguity; it was never adequately specified, and it does not even seem possible to have structured data in the context of the enumerated AdstypeTypes. Use the original activedirectory_test instead.
**Comment:** This test has been deprecated and will be removed in version 6.0 of the language.
+
+The active directory test is used to check information about specific entries in active directory. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references an activedirectory57_object and the optional state element specifies the metadata to check.
+
+Note that this test supports complex values that are in the form of a record. For simple (string based) value collection see the activedirectory_test.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..unbounded) |
+|||
+
+## < ~~activedirectory57_object~~ >
+
+> :small_red_triangle: **Deprecated As Of Version 5.11.1:1.2** :small_red_triangle:
**Reason:** Use the original activedirectory_object. The activedirectory57_test suffers from ambiguity; it was never adequately specified, and it does not even seem possible to have structured data in the context of the enumerated AdstypeTypes. Use the original activedirectory_test instead.
**Comment:** This object has been deprecated and will be removed in version 6.0 of the language.
+
+The activedirectory57_object element is used by an active directory test to define those objects to evaluated based on a specified state. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+An active directory object consists of three pieces of information, a naming context, a relative distinguished name, and an attribute. Each piece helps identify a specific active directory entry.
+
+Note that this object supports complex values that are in the form of a record. For simple (string based) value collection see the activedirectory_object.
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| naming_context | [win-def:EntityObjectNamingContextType](#EntityObjectNamingContextType) (1..1) |
+||Each object in active directory exists under a certain naming context (also known as a partition). A naming context is defined as a single object in the Directory Information Tree (DIT) along with every object in the tree subordinate to it. There are three default naming contexts in Active Directory: domain, configuration, and schema.
|
+| relative_dn | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The relative_dn field is used to uniquely identify an object inside the specified naming context. It contains all the parts of the object's distinguished name except those outlined by the naming context. If the xsi:nil attribute is set to true, then the object being specified is the higher level naming context. In this case, the relative_dn element should not be collected or used in analysis. Setting xsi:nil equal to true is different than using a .* pattern match, which says to collect every relative dn under a given naming context.
|
+| attribute | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||Specifies a named value contained by the object. If the xsi:nil attribute is set to true, the attribute element should not be collected or used in analysis. Setting xsi:nil equal to true is different than using a .* pattern match, which says to collect every attribute under a given relative dn.
|
+| [oval-def:filter](oval-definitions-schema.md#filter) | n/a (0..unbounded) |
+|||
+
+## < ~~activedirectory57_state~~ >
+
+> :small_red_triangle: **Deprecated As Of Version 5.11.1:1.2** :small_red_triangle:
**Reason:** Use the original activedirectory_state. The activedirectory57_test suffers from ambiguity; it was never adequately specified, and it does not even seem possible to have structured data in the context of the enumerated AdstypeTypes. Use the original activedirectory_test instead.
**Comment:** This state has been deprecated and will be removed in version 6.0 of the language.
+
+The activedirectory57_state element defines the different information that can be used to evaluate the specified entries in active directory. An active directory test will reference a specific instance of this state that defines the exact settings that need to be evaluated. Please refer to the individual elements in the schema for more details about what each represents.
+
+Note that this state supports complex values that are in the form of a record. For simple (string based) value collection see the activedirectory_state.
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| naming_context | [win-def:EntityStateNamingContextType](#EntityStateNamingContextType) (0..1) |
+||Each object in active directory exists under a certain naming context (also known as a partition). A naming context is defined as a single object in the Directory Information Tree (DIT) along with every object in the tree subordinate to it. There are three default naming contexts in Active Directory: domain, configuration, and schema.
|
+| relative_dn | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The relative_dn field is used to uniquely identify an object inside the specified naming context. It contains all the parts of the object's distinguished name except those outlined by the naming context.
|
+| attribute | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||Specifies a named value contained by the object.
|
+| object_class | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The name of the class of which the object is an instance.
|
+| adstype | [win-def:EntityStateAdstypeType](#EntityStateAdstypeType) (0..1) |
+||The type of information that the specified attribute represents.
|
+| value | [oval-def:EntityStateRecordType](oval-definitions-schema.md#EntityStateRecordType) (0..1) |
+||The actual value of the specified Active Directory attribute. Note that while an Active Directory attribute can contain structured data where it is necessary to collect multiple related fields that can be described by the 'record' datatype, it is not always the case. It also is possible that an Active Directory attribute can contain only a single value or an array of values. In these cases, there is not a name to uniquely identify the corresponding field which is a requirement for fields in the 'record' datatype. As a result, the name of the Active Directory attribute will be used to uniquely identify the field and satisfy this requirement.
|
+
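Review bot: the deprecation Reason text on activedirectory57_object and activedirectory57_state looks copy-pasted from the test: both read `The activedirectory57_test suffers from ambiguity ... Use the original activedirectory_test instead.` even though their first sentence already points at activedirectory_object / activedirectory_state, so the two sentences contradict each other. Suggest naming the element actually being deprecated in each, e.g. `The activedirectory57_object suffers from ambiguity ... Use the original activedirectory_object instead.`, and likewise for the state.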
+______________
+
+## < auditeventpolicy_test >
+
+The auditeventpolicy_test is used to check different types of events the system should audit. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a auditeventpolicy_object and the optional state element specifies the metadata to check.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..unbounded) |
+|||
+
+## < auditeventpolicy_object >
+
+The auditeventpolicy_object element is used by an audit event policy test to define those objects to evaluate based on a specified state. There is actually only one object relating to audit event policy and this is the system as a whole. Therefore, there are no child entities defined. Any OVAL Test written to check audit event policy will reference the same auditeventpolicy_object which is basically an empty object element.
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+## < auditeventpolicy_state >
+
+The auditeventpolicy_state element specifies the different system activities that can be audited. An audit event policy test will reference a specific instance of this state that defines the exact settings that need to be evaluated. The defined values are found in window's POLICY_AUDIT_EVENT_TYPE enumeration and accessed through the LsaQueryInformationPolicy when the InformationClass parameters are set to PolicyAuditEventsInformation. Please refer to the individual elements in the schema for more details about what each represents.
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| account_logon | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Audit attempts to log on to or log off of the system. Also, audit attempts to make a network connection.
|
+| account_management | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Audit attempts to create, delete, or change user or group accounts. Also, audit password changes.
|
+| detailed_tracking | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Audit specific events, such as program activation, some forms of handle duplication, indirect access to an object, and process exit. Note that this activitiy is also known as process tracking.
|
+| directory_service_access | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Audit attempts to access the directory service.
|
+| logon | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Audit attempts to log on to or log off of the system. Also, audit attempts to make a network connection.
|
+| object_access | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Audit attempts to access securable objects, such as files.
|
+| policy_change | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Audit attempts to change Policy object rules.
|
+| privilege_use | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Audit attempts to use privileges.
|
+| system | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Audit attempts to shut down or restart the computer. Also, audit events that affect system security or the security log.
|
+
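Review bot: the account_logon and logon rows of auditeventpolicy_state carry the identical description (`Audit attempts to log on to or log off of the system. Also, audit attempts to make a network connection.`), which leaves a reader unable to tell the two categories apart; the subcategories table below maps credential_validation and the Kerberos subcategories to the Account Logon category, so account_logon should describe credential validation rather than repeating the logon text. In the state description, `window's POLICY_AUDIT_EVENT_TYPE enumeration` should be `the Windows POLICY_AUDIT_EVENT_TYPE enumeration`, and `when the InformationClass parameters are set` should be singular (`parameter is set`).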
+______________
+
+## < auditeventpolicysubcategories_test >
+
+The auditeventpolicysubcategories_test is used to check the audit event policy settings on a Windows system. These settings are used to specify which system and network events are monitored. For example, if the credential_validation element has a value of AUDIT_FAILURE, it means that the system is configured to log all unsuccessful attempts to validate a user account on a system. It is important to note that these audit event policy settings are specific to certain versions of Windows. As a result, the documentation for that version of Windows should be consulted for more information on each setting. The test extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a auditeventpolicy_object and the optional state element specifies the metadata to check.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..unbounded) |
+|||
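Review bot: the auditeventpolicysubcategories_test description says `The required object element references a auditeventpolicy_object`, but this test's object is the auditeventpolicysubcategories_object defined in the next section; change it to `references an auditeventpolicysubcategories_object`. The same sentence in auditeventpolicy_test above also needs `a` changed to `an`.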
+
+## < auditeventpolicysubcategories_object >
+
+The auditeventpolicysubcategories_object element is used by an audit event policy subcategories test to define those objects to evaluate based on a specified state. There is actually only one object relating to audit event policy subcategories and this is the system as a whole. Therefore, there are no child entities defined. Any OVAL Test written to check audit event policy subcategories will reference the same auditeventpolicysubcategories_object which is basically an empty object element.
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+## < auditeventpolicysubcategories_state >
+
+The auditeventpolicysubcategories_state element specifies the different system activities that can be audited. An audit event policy subcategories test will reference a specific instance of this state that defines the exact subcategories that need to be evaluated. Please refer to the individual elements in the schema for more details about what each represents.
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| credential_validation | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Audit the events produced during the validation of a user's logon credentials. This state corresponds with the following GUID specified in ntsecapi.h: 0cce923f-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Account Logon: Audit Credential Validation
|
+| kerberos_authentication_service | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Audit the events produced by Kerberos authentication ticket-granting requests. This state corresponds with the following GUID specified in ntsecapi.h: 0CCE9242-69AE-11D9-BED3-505054503030. This state corresponds with the following Advanced Audit Policy: Account Logon: Audit Kerboros Authentication Service
|
+| kerberos_service_ticket_operations | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Audit the events produced by Kerberos service ticket requests. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9240-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Account Logon: Audit Kerberos Service Ticket Operations
|
+| ~~kerberos_ticket_events~~ | ~~[win-def:EntityStateAuditType](#EntityStateAuditType) (0..1~~) |
+||~~Audit the events produced during the validation of Kerberos tickets provided for a user account logon request.
~~|
+| other_account_logon_events | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Audit the events produced by changes to user accounts that are not covered by other events in the Account Logon category. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9241-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Account Logon: Audit Other Account Logon Events
|
+| application_group_management | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Audit the events produced by changes to application groups. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9239-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Account Management: Audit Application Group Management
|
+| computer_account_management | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Audit the events produced by changes to computer accounts. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9236-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Account Management: Audit Computer Account Management
|
+| distribution_group_management | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Audit the events produced by changes to distribution groups. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9238-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Account Management: Audit Distribution Account Management
|
+| other_account_management_events | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Audit the events produced by other user account changes that are not covered by other events in the Account Management category. This state corresponds with the following GUID specified in ntsecapi.h: 0cce923a-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Account Management: Audit Other Account Management Events
|
+| security_group_management | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Audit the events produced by changes to security groups. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9237-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Account Management: Audit Security Group Management
|
+| user_account_management | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Audit the events produced by changes to user accounts. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9235-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Account Management: Audit User Account Management
|
+| dpapi_activity | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Audit the events produced when requests are made to the Data Protection application interface. This state corresponds with the following GUID specified in ntsecapi.h: 0cce922d-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Detailed Tracking: Audit DPAPI Activity
|
+| process_creation | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Audit the events produced when a process is created or starts. This state corresponds with the following GUID specified in ntsecapi.h: 0cce922b-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Detailed Tracking: Audit Process Creation
|
+| process_termination | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Audit the events produced when a process ends. This state corresponds with the following GUID specified in ntsecapi.h: 0cce922c-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Detailed Tracking: Audit Process Termination
|
+| rpc_events | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Audit the events produced by inbound remote procedure call connections. This state corresponds with the following GUID specified in ntsecapi.h: 0cce922e-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Detailed Tracking: Audit RPC Events
|
+| directory_service_access | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Audit the events produced when a Active Directory Domain Services object is accessed. This state corresponds with the following GUID specified in ntsecapi.h: 0cce923b-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: DS Access: Audit Directory Service Access
|
+| directory_service_changes | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Audit the events produced when changes are made to Active Directory Domain Services objects. This state corresponds with the following GUID specified in ntsecapi.h: 0cce923c-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: DS Access: Audit Directory Service Changes
|
+| directory_service_replication | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Audit the events produced when two Active Directory Domain Services domain controllers are replicated. This state corresponds with the following GUID specified in ntsecapi.h: 0cce923d-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: DS Access: Audit Directory Service Access
|
+| detailed_directory_service_replication | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Audit the events produced by detailed Active Directory Domain Services replication between domain controllers. This state corresponds with the following GUID specified in ntsecapi.h: 0cce923e-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: DS Access: Audit Detailed Directory Service Replication
|
+| account_lockout | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Audit the events produced by a failed attempt to log onto a locked out account. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9217-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Logon/Logoff: Audit Account Lockout
|
+| ipsec_extended_mode | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Audit the events produced by Internet Key Exchange and Authenticated Internet protocol during Extended Mode negotiations. This state corresponds with the following GUID specified in ntsecapi.h: 0cce921a-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Logon/Logoff: Audit IPsec Extended Mode
|
+| ipsec_main_mode | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Audit the events produced by Internet Key Exchange and Authenticated Internet protocol during Main Mode negotiations. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9218-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Logof/Logoff: Audit IPsec Main Mode
|
+| ipsec_quick_mode | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Audit the events produced by Internet Key Exchange and Authenticated Internet protocol during Quick Mode negotiations. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9219-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Logon/Logoff: Audit IPsec Quick Mode
|
+| logoff | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Audit the events produced by closing a logon session. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9216-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Logon/Logoff: Audit Logoff
|
+| logon | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Audit the events produced by attempts to log onto a user account. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9215-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Logon/Logoff: Audit Logon
|
+| network_policy_server | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Audit the events produced by RADIUS and Network Access Protection user access requests. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9243-69ae-11d9-bed3-505054503030.This state corresponds with the following Advanced Audit Policy: Logon/Logoff: Audit Network Policy Server
|
+| other_logon_logoff_events | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Audit the events produced by other logon/logoff based events that are not covered in the Logon/Logoff category. This state corresponds with the following GUID specified in ntsecapi.h: 0cce921c-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Logon/Logoff: Audit Other Logon/Logoff Events
|
+| special_logon | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Audit the events produced by special logons. This state corresponds with the following GUID specified in ntsecapi.h: 0cce921b-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Logon/Logoff: Audit Special Logon
|
+| logon_claims | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Audit user and device claims information in the user's logon token. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9247-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Logon/Logoff: Audit User / Device Claims
|
+| application_generated | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Audit the events produced by applications that use the Windows Auditing API. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9222-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Object Access: Audit Application Generated
|
+| certification_services | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Audit the events produced by operations on Active Directory Certificate Services. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9221-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Object Access: Audit Certification Services
|
+| detailed_file_share | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Audit the events produced by attempts to access files and folders on a shared folder. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9244-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Object Access: Audit Detailed File Share
|
+| file_share | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Audit the events produced by attempts to access a shared folder. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9224-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Object Access: Audit File Share
|
+| file_system | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Audit the events produced user attempts to access file system objects. This state corresponds with the following GUID specified in ntsecapi.h: 0cce921d-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Object Access: Audit File System
|
+| filtering_platform_connection | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Audit the events produced by connections that are allowed or blocked by Windows Filtering Platform. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9226-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Object Access: Audit Filtering Platform Connection
|
+| filtering_platform_packet_drop | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Audit the events produced by packets that are dropped by Windows Filtering Platform. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9225-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Object Access: Audit Filtering Platform Packet Drop
|
+| handle_manipulation | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Audit the events produced when a handle is opened or closed. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9223-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Object Access: Handle Manipulation
|
+| kernel_object | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Audit the events produced by attempts to access the system kernel. This state corresponds with the following GUID specified in ntsecapi.h: 0cce921f-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Object Access: Kernel Object
|
+| other_object_access_events | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Audit the events produced by the management of Task Scheduler jobs or COM+ objects. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9227-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Object Access: Other Object Access Events
|
+| registry | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Audit the events produced by attempts to access registry objects. This state corresponds with the following GUID specified in ntsecapi.h: 0cce921e-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Object Access: Audit Registry
|
+| sam | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Audit the events produced by attempts to access Security Accounts Manager objects. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9220-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Object Access: Audit SAM
|
+| removable_storage | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Audit events that indicate file object access attemps to removable storage. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9245-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Object Access: Audit Removable Storage
|
+| central_access_policy_staging | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Audit events that indicate permission granted or denied by a proposed policy differs from the current central access policy on an object. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9246-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Object Access: Central Access Policy Staging
|
+| audit_policy_change | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Audit the events produced by changes in security audit policy settings. This state corresponds with the following GUID specified in ntsecapi.h: 0cce922f-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Policy Change: Audit Audit Policy Change
|
+| authentication_policy_change | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Audit the events produced by changes to the authentication policy. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9230-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Policy Change: Audit Authentication Policy Change
|
+| authorization_policy_change | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Audit the events produced by changes to the authorization policy. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9231-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Policy Change: Audit Authorization Policy Change
|
+| filtering_platform_policy_change | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Audit the events produced by changes to the Windows Filtering Platform. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9233-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Policy Change: Audit Filtering Platform Policy Change
|
+| mpssvc_rule_level_policy_change | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Audit the events produced by changes to policy rules used by the Windows Firewall. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9232-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Policy Change: Audit MPSSVC Rule-Level Policy Change
|
+| other_policy_change_events | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Audit the events produced by other security policy changes that are not covered other events in the Policy Change category. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9234-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Policy Change: Audit Other Policy Change Events
|
+| non_sensitive_privilege_use | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Audit the events produced by the use of non-sensitive privileges. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9229-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Privilege Use: Audit Non Sensitive Privilege Use
|
+| other_privilege_use_events | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||This is currently not used and has been reserved by Microsoft for use in the future. This state corresponds with the following GUID specified in ntsecapi.h: 0cce922a-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Privilege Use: Audit Other Privilege Use Events
|
+| sensitive_privilege_use | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Audit the events produced by the use of sensitive privileges. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9228-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Privilege Use: Audit Sensitive Privilege Use
|
+| ipsec_driver | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Audit the events produced by the IPsec filter driver. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9213-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: System: Audit IPsec Driver
|
+| other_system_events | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Audit the events produced by the startup and shutdown, security policy processing, and cryptography key file and migration operations of the Windows Firewall. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9214-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: System: Audit Other System Events
|
+| security_state_change | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Audit the events produced by changes in the security state. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9210-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: System: Audit Security State Change
|
+| security_system_extension | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Audit the events produced by the security system extensions or services. This state corresponds with the following GUID specified in ntsecapi.h: cce9211-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: System: Audit Security System Extension
|
+| system_integrity | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Audit the events that indicate that the integrity security subsystem has been violated. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9212-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: System: Audit System Integrity
|
+| group_membership | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||This subcategory audits the group membership of a token for an associated log on. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9249-69ae-11d9-bed3-505054503030.
|
+| pnp_activity | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||This subcategory audits events generated by plug and play (PNP). This state corresponds with the following GUID specified in ntsecapi.h: 0cce9248-69ae-11d9-bed3-505054503030.
|
+| user_device_claims | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||This subcategory audits the user and device claims that are present in the token of an associated logon. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9247-69ae-11d9-bed3-505054503030.
|
+| audit_detailedtracking_tokenrightadjusted | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||This subcategory audits when token privileges are enabled or disabled for a specific account’s token. This state corresponds with the following GUID specified in ntsecapi.h: 0cce924a-69ae-11d9-bed3-505054503030.
|
+
+______________
+
+## < cmdlet_test >
+
+The cmdlet_test is used to levarage a PowerShell cmdlet to check a Windows system. The test extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a cmdlet_object and the optional state element specifies the metadata to check.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..unbounded) |
+|||
+
+## < cmdlet_object >
+
+The cmdlet_object element is used by a cmdlet_test to identify the set of cmdlets to use and the parameters to provide to them for checking the state of a system. In order to ensure the consistency of PowerShell cmdlet support among OVAL interpreters as well as ensure that the state of a system is not changed, every OVAL interpreter must implement the following requirements. An OVAL interpreter must only support the processing of the verbs specified in the EntityObjectCmdletVerbType. If a cmdlet verb that is not defined in this enumeration is discovered, an error should be reported and the cmdlet must not be executed on the system. While XML Schema validation will enforce this requirement, it is strongly recommended that OVAL interpreters implement a whitelist of allowed cmdlets. This can be done using constrained runspaces which can limit the PowerShell execution environment. For more information, please see Microsoft's documentation on Windows PowerShell Host Application Concepts. Furthermore, it is strongly recommended that OVAL interpreters also implement PowerShell support with the NoLanguage mode enabled. The NoLanguage mode ensures that scripts that need to be evaluated are not allowed in the runspace. For more information about the NoLanguage mode, please see Microsoft's documentation on the PSLanguageMode enumeration.
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| module_name | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The name of the module that contains the cmdlet.
|
+| module_id | [win-def:EntityObjectGUIDType](#EntityObjectGUIDType) (1..1) |
+||The globally unique identifier for the module. If xsi:nil='true', it does not matter which module GUID the command comes from.
|
+| module_version | [oval-def:EntityObjectVersionType](oval-definitions-schema.md#EntityObjectVersionType) (1..1) |
+||The version of the module that contains the cmdlet in the form of MAJOR.MINOR. If xsi:nil='true', that implies it does not matter which version of the module the command refers to.
|
+| verb | [win-def:EntityObjectCmdletVerbType](#EntityObjectCmdletVerbType) (1..1) |
+||The cmdlet verb.
|
+| noun | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The cmdlet noun.
|
+| parameters | [oval-def:EntityObjectRecordType](oval-definitions-schema.md#EntityObjectRecordType) (1..1) |
+||A list of properties (name and value pairs) as input to invoke the cmdlet. Each property name must be unique. When xsi:nil='true', parameters are not provided to the cmdlet.
|
+| select | [oval-def:EntityObjectRecordType](oval-definitions-schema.md#EntityObjectRecordType) (1..1) |
+||A list of fields (name and value pairs) used as input to the Select-Object cmdlet to select specific output properties. Each property name must be unique. Please note that the use of the '*' character, to select all properties, is not permitted. This is because the value record entity, in the state and item, require unique field name values to ensure that any query results can be evaluated consistently. This is equivalent to piping the output of a cmdlet to the Select-Object cmdlet. When xsi:nil='true', the Select-Object is not used.
|
+| [oval-def:filter](oval-definitions-schema.md#filter) | n/a (0..unbounded) |
+|||
+
+## < cmdlet_state >
+
+The cmdlet_state allows for assertions about the presence of PowerShell cmdlet related properties and values obtained from a cmdlet.
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| module_name | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The name of the module that contains the cmdlet.
|
+| module_id | [win-def:EntityStateGUIDType](#EntityStateGUIDType) (0..1) |
+||The globally unique identifier for the module.
|
+| module_version | [oval-def:EntityStateVersionType](oval-definitions-schema.md#EntityStateVersionType) (0..1) |
+||The version of the module that contains the cmdlet in the form of MAJOR.MINOR.
|
+| verb | [win-def:EntityStateCmdletVerbType](#EntityStateCmdletVerbType) (0..1) |
+||The cmdlet verb.
|
+| noun | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The cmdlet noun.
|
+| parameters | [oval-def:EntityStateRecordType](oval-definitions-schema.md#EntityStateRecordType) (0..1) |
+||A list of properties (name and value pairs) as input to invoke the cmdlet. Each property name must be unique.
|
+| select | [oval-def:EntityStateRecordType](oval-definitions-schema.md#EntityStateRecordType) (0..1) |
+||A list of fields (name and value pairs) used as input to the Select-Object cmdlet to select specific output properties. Each property name must be unique.
|
+| value | [oval-def:EntityStateRecordType](oval-definitions-schema.md#EntityStateRecordType) (0..1) |
+||The expected value represented as a set of fields (name and value pairs). Each field must be have a unique name.
|
+
+______________
+
+## < dnscache_test >
+
+The dnscache_test is used to check the time to live and IP addresses associated with a domain name. The time to live and IP addresses for a particular domain name are retrieved from the DNS cache on the local system. The entries in the DNS cache can be collected using Microsoft's DnsGetCacheDataTable() and DnsQuery() API calls. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a dnscache_object and the optional state element specifies the metadata to check.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..unbounded) |
+|||
+
+## < dnscache_object >
+
+The dnscache_object is used by the dnscache_test to specify the domain name(s) that should be collected from the DNS cache on the local system. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| domain_name | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The domain_name element specifies the domain name(s) that should be collected from the DNS cache on the local system.
|
+| [oval-def:filter](oval-definitions-schema.md#filter) | n/a (0..unbounded) |
+|||
+
+## < dnscache_state >
+
+The dnscache_state contains three entities that are used to check the domain name, time to live, and IP addresses associated with the DNS cache entry.
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| domain_name | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The domain_name element contains a string that represents a domain name that was collected from the DNS cache on the local system.
|
+| ttl | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||The ttl element contains an integer that represents the time to live in seconds of the DNS cache entry.
|
+| ip_address | [oval-def:EntityStateIPAddressStringType](oval-definitions-schema.md#EntityStateIPAddressStringType) (0..1) |
+||The ip_address element contains a string that represents an IP address associated with the specified domain name that was collected from the DNS cache on the local system. Note that the IP address can be IPv4 or IPv6.
|
+
+______________
+
+## < file_test >
+
+The file test is used to check metadata associated with Windows files. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a file_object and the optional state element specifies the metadata to check.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..unbounded) |
+|||
+
+## < file_object >
+
+The file_object element is used by a file test to define the specific file(s) to be evaluated. The file_object will collect directories and all Windows file types (FILE_TYPE_CHAR, FILE_TYPE_DISK, FILE_TYPE_PIPE, FILE_TYPE_REMOTE, and FILE_TYPE_UNKNOWN). Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+A file object defines the path and filename or complete filepath of the file(s). In addition, a number of behaviors may be provided that help guide the collection of objects. Please refer to the FileBehaviors complex type for more information about specific behaviors.
+
+The set of files to be evaluated may be identified with either a complete filepath or a path and filename. Only one of these options may be selected.
+
+It is important to note that the 'max_depth' and 'recurse_direction' attributes of the 'behaviors' element do not apply to the 'filepath' element, only to the 'path' and 'filename' elements. This is because the 'filepath' element represents an absolute path to a particular file and it is not possible to recurse over a file.
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| behaviors | [win-def:FileBehaviors](#FileBehaviors) (0..1) |
+|||
+| filepath | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The filepath element specifies the absolute path for a file on the machine. A directory cannot be specified as a filepath.
|
+| path | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The path element specifies the directory component of the absolute path to a file on the machine.
|
+| filename | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The filename element specifies the name of a file to evaluate. If the xsi:nil attribute is set to true, then the object being specified is the higher level directory object (not all the files in the directory). In this case, the filename element should not be used during collection and would result in the unique set of items being the directories themselves. For example, one would set xsi:nil to true if the desire was to test the attributes or permissions associated with a directory. Setting xsi:nil equal to true is different than using a .* pattern match, which says to collect every file under a given path.
|
+| [oval-def:filter](oval-definitions-schema.md#filter) | n/a (0..unbounded) |
+|||
+
+## < file_state >
+
+The file_state element defines the different metadata associate with a Windows file. This includes the path, filename, owner, size, last modified time, version, etc. Please refer to the individual elements in the schema for more details about what each represents.
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| filepath | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The filepath element specifies the absolute path for a file on the machine. A directory cannot be specified as a filepath.
|
+| path | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The path element specifies the directory component of the absolute path to a file on the machine.
|
+| filename | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The filename element specifies the name of the file.
|
+| owner | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The owner element is a string that contains the name of the owner. The name should be specified in the DOMAIN\username format.
|
+| size | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||The size element is the size of the file in bytes.
|
+| a_time | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||Time of last access of file. Valid on NTFS but not on FAT formatted disk drives. The string should represent the FILETIME structure which is a 64-bit value representing the number of 100-nanosecond intervals since January 1, 1601 (UTC).
|
+| c_time | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||Time of creation of file. Valid on NTFS but not on FAT formatted disk drives. The string should represent the FILETIME structure which is a 64-bit value representing the number of 100-nanosecond intervals since January 1, 1601 (UTC).
|
+| m_time | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||Time of last modification of file. The string should represent the FILETIME structure which is a 64-bit value representing the number of 100-nanosecond intervals since January 1, 1601 (UTC).
|
+| ms_checksum | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The checksum of the file as supplied by Microsoft's MapFileAndCheckSum function.
|
+| version | [oval-def:EntityStateVersionType](oval-definitions-schema.md#EntityStateVersionType) (0..1) |
+||The version element is the delimited version string of the file.
|
+| type | [win-def:EntityStateFileTypeType](#EntityStateFileTypeType) (0..1) |
+||The type element marks whether the file is a named pipe, standard file, etc. These types are the return values for GetFileType. For directories, this element must have a status of 'does not exist'.
|
+| attribute | [win-def:EntityStateFileAttributeType](#EntityStateFileAttributeType) (0..1) |
+||The attribute element marks a Windows file attribute. These types are the return values for GetFileAttribute.
The attribute element can be included multiple times in a system characteristic item in order to record that a file has a number of different attributes. Note that the entity_check attribute associated with EntityStateStringType guides the evaluation of entities like the attribute entity that refer to items that can occur an unbounded number of times.
|
+| development_class | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The development_class element allows the distinction to be made between the GDR development environment and the QFE development environment. This field holds the text found in front of the mmmmmm-nnnn version, for example srv03_gdr.
|
+| company | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||This entity defines a company name to be found within the version-information structure.
|
+| internal_name | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||This entity defines an internal name to be found within the version-information structure.
|
+| language | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||This entity defines a language to be found within the version-information structure.
|
+| original_filename | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||This entity defines an original filename to be found within the version-information structure.
|
+| product_name | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||This entity defines a product name to be found within the version-information structure.
|
+| product_version | Restriction of [oval-def:EntityStateAnySimpleType](oval-definitions-schema.md#EntityStateAnySimpleType) . See schema for details. (0..1) |
+||This entity defines the product version held within the version-information structure. This may not necessarily be a string compatible with the OVAL version datatype, in which case the string datatype should be used.
|
+| windows_view | [win-def:EntityStateWindowsViewType](#EntityStateWindowsViewType) (0..1) |
+||The windows view value to which this was targeted. This is used to indicate which view (32-bit or 64-bit), the associated State applies to.
|
+
+## == FileBehaviors ==
+
+The FileBehaviors complex type defines a number of behaviors that allow a more detailed definition of the file_object being specified. Note that using these behaviors may result in some unique results. For example, a double negative type condition might be created where an object entity says include everything except a specific item, but a behavior is used that might then add that item back in.
+
+It is important to note that the 'max_depth' and 'recurse_direction' attributes of the 'behaviors' element do not apply to the 'filepath' element, only to the 'path' and 'filename' elements. This is because the 'filepath' element represents an absolute path to a particular file and it is not possible to recurse over a file.
+
+#### Attributes:
+
+* **max_depth** Restriction of xsd:integer (optional -- default='-1')
+'max_depth' defines the maximum depth of recursion to perform when a recurse_direction is specified. A value of '0' is equivalent to no recursion, '1' means to step only one directory level up/down, and so on. The default value is '-1' meaning no limitation. For a 'max_depth' of -1 or any value of 1 or more the starting directory must be considered in the recursive search.
+Note that the default recurse_direction behavior is 'none' so even though max_depth specifies no limitation by default, the recurse_direction behavior turns recursion off.
+Note that this behavior only applies with the equality operation on the path entity.
+* **recurse** Restriction of xsd:string (optional -- default='directories') ('directories', 'junctions', 'junctions and directories')
+'recurse' defines how to recurse into the path entity, in other words what to follow during recursion. Options include junctions, directories, or both (a junction on Windows is equivalent to a symlink on Unix). Note that a max-depth other than 0 has to be specified for recursion to take place and for this attribute to mean anything.
+Note that this behavior only applies with the equality operation on the path entity.
+* **recurse_direction** Restriction of xsd:string (optional -- default='none') ('none', 'up', 'down')
+'recurse_direction' defines the direction, either 'up' to parent directories, or 'down' into child directories to recursively search for files. When recursing up or down, one is limited by the max_depth behavior. Note that it is not an error if max_depth specifies a certain level of recursion and that level does not exist. Recursing should only go as deep as available. The default value is 'none' for no recursion.
+Note that this behavior only applies with the equality operation on the path entity.
+* **recurse_file_system** Restriction of xsd:string (optional -- default='all') ('all', 'local', 'defined')
+'recurse_file_system' defines the file system limitation of any searching and applies to all operations as specified on the path or filepath entity. The value of 'local' limits the search scope to local file systems (as opposed to file systems mounted from an external system). The value of 'defined' keeps any recursion within the file system that the file_object (path+filename or filepath) has specified. For example, if the path specified was "C:\", you would search only the C: drive, not other filesystems mounted to descendant paths. The value of 'defined' only applies when an equality operation is used for searching because the path or filepath entity must explicitly define a file system. The default value is 'all' meaning to search all available file systems for data collection.
+Note that in most cases it is recommended that the value of 'local' be used to ensure that file system searching is limited to only the local file systems. Searching 'all' file systems may have performance implications.
+* **windows_view** Restriction of xsd:string (optional -- default='64_bit') ('32_bit', '64_bit')
+64-bit versions of Windows provide an alternate file system and registry views to 32-bit applications. This behavior allows the OVAL Object to state which view should be examined. This behavior only applies to 64-bit Windows, and must not be applied on other platforms.
+Note that the values have the following meaning: '64_bit' - Indicates that the 64-bit view on 64-bit Windows operating systems must be examined. On a 32-bit system, the Object must be evaluated without applying the behavior. '32_bit' - Indicates that the 32-bit view must be examined. On a 32-bit system, the Object must be evaluated without applying the behavior. It is recommended that the corresponding 'windows_view' entity be set on the OVAL Items that are collected when this behavior is used to distinguish between OVAL Items that were collected in the 32-bit or 64-bit views.
+
+______________
+
+## < fileauditedpermissions53_test >
+
+The file audit permissions test is used to check the audit permissions associated with Windows files. Note that the trustee's audited permissions are the audit permissons that the SACL grants to the trustee or to any groups of which the trustee is a member. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a fileauditedpermissions_object and the optional state element specifies the metadata to check.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..unbounded) |
+|||
+
+## < fileauditedpermissions53_object >
+
+The fileauditedpermissions53_object element is used by a file audited permissions test to define the objects used to evalutate against the specified state. The fileauditedpermissions53_object will collect directories and all Windows file types (FILE_TYPE_CHAR, FILE_TYPE_DISK, FILE_TYPE_PIPE, FILE_TYPE_REMOTE, and FILE_TYPE_UNKNOWN). Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic.
+
+A fileauditedpermissions53_object is defined as a combination of a Windows file and trustee SID. The file represents the file to be evaluated while the trustee SID represents the account (SID) to check audited permissions of. If multiple files or SIDs are matched by either reference, then each possible combination of file and SID is a matching file audited permissions object. In addition, a number of behaviors may be provided that help guide the collection of objects. Please refer to the FileAuditPermissions53Behaviors complex type for more information about specific behaviors.
+
+The set of files to be evaluated may be identified with either a complete filepath or a path and filename. Only one of these options may be selected.
+
+It is important to note that the 'max_depth' and 'recurse_direction' attributes of the 'behaviors' element do not apply to the 'filepath' element, only to the 'path' and 'filename' elements. This is because the 'filepath' element represents an absolute path to a particular file and it is not possible to recurse over a file.
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| behaviors | [win-def:FileAuditPermissions53Behaviors](#FileAuditPermissions53Behaviors) (0..1) |
+|||
+| filepath | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The filepath element specifies the absolute path for a file on the machine. A directory cannot be specified as a filepath.
|
+| path | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The path element specifies the directory component of the absolute path to a file on the machine.
|
+| filename | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The filename element specifies the name of a file to evaluate. If the xsi:nil attribute is set to true, then the object being specified is the higher level directory object (not all the files in the directory). In this case, the filename element should not be used during collection and would result in the unique set of items being the directories themselves. For example, one would set xsi:nil to true if the desire was to test the attributes or permissions associated with a directory. Setting xsi:nil equal to true is different than using a .* pattern match, which says to collect every file under a given path.
|
+| trustee_sid | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The trustee_sid entity identifies a unique SID associated with a user, group, system, or program (such as a Windows service). If an operation other than equals is used to identify matching trustees (i.e. not equal, or a pattern match) then the resulting matches shall be limited to only the trustees referenced in the file's Security Descriptor. The scope is limited here to avoid unnecessarily resource intensive searches for trustees. Note that the larger scope of all known trustees may be obtained through the use of variables.
|
+| [oval-def:filter](oval-definitions-schema.md#filter) | n/a (0..unbounded) |
+|||
+
+## < fileauditedpermissions53_state >
+
+The fileauditedpermissions53_state element defines the different audit permissions that can be associated with a given fileauditedpermissions53_object. Please refer to the individual elements in the schema for more details about what each represents.
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| filepath | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The filepath element specifies the absolute path for a file on the machine. A directory cannot be specified as a filepath.
|
+| path | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The path element specifies the directory component of the absolute path to a file on the machine.
|
+| filename | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The filename element specifies the name of a file to test for.
|
+| trustee_sid | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The trustee_sid element is the unique SID that associated a user, group, system, or program (such as a Windows service).
|
+| standard_delete | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||The right to delete the object.
|
+| standard_read_control | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||The right to read the information in the object's Security Descriptor, not including the information in the SACL.
|
+| standard_write_dac | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||The right to modify the DACL in the object's Security Descriptor.
|
+| standard_write_owner | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||The right to change the owner in the object's Security Descriptor.
|
+| standard_synchronize | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right.
|
+| access_system_security | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Indicates access to a system access control list (SACL).
|
+| generic_read | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Read access.
|
+| generic_write | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Write access.
|
+| generic_execute | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Execute access.
|
+| generic_all | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Read, write, and execute access.
|
+| file_read_data | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Grants the right to read data from the file.
|
+| file_write_data | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Grants the right to write data to the file.
|
+| file_append_data | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Grants the right to append data to the file.
|
+| file_read_ea | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Grants the right to read extended attributes.
|
+| file_write_ea | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Grants the right to write extended attributes.
|
+| file_execute | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Grants the right to execute a file.
|
+| file_delete_child | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Right to delete a directory and all the files it contains (its children), even if the files are read-only.
|
+| file_read_attributes | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Grants the right to read file attributes.
|
+| file_write_attributes | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Grants the right to change file attributes.
|
+| windows_view | [win-def:EntityStateWindowsViewType](#EntityStateWindowsViewType) (0..1) |
+||The windows view value to which this was targeted. This is used to indicate which view (32-bit or 64-bit), the associated State applies to.
|
+
+## == FileAuditPermissions53Behaviors ==
+
+The FileAuditPermissions53Behaviors complex type defines a number of behaviors that allow a more detailed definition of the fileauditpermissions53_object being specified. Note that using these behaviors may result in some unique results. For example, a double negative type condition might be created where an object entity says include everything except a specific item, but a behavior is used that might then add that item back in.
+
+It is important to note that the 'max_depth' and 'recurse_direction' attributes of the 'behaviors' element do not apply to the 'filepath' element, only to the 'path' and 'filename' elements. This is because the 'filepath' element represents an absolute path to a particular file and it is not possible to recurse over a file.
+
+The FileAuditPermissions53Behaviors extend the win-def:FileBehaviors and therefore include the behaviors defined by that type.
+
+**Extends:** [win-def:FileBehaviors](#FileBehaviors)
+
+#### Attributes:
+
+* ~~**include_group** xsd:boolean (optional -- default='true')~~
+'include_group' defines whether the group SID should be included in the object when the object is defined by a group SID. For example, the intent of an object defined by a group SID might be to retrieve all the user SIDs that are a member of the group, but not the group SID itself.
+* ~~**resolve_group** xsd:boolean (optional -- default='false')~~
+The 'resolve_group' behavior defines whether an object set defined by a group SID should be resolved to return a set that contains all the user SIDs that are a member of that group. Note that all child groups should also be resolved any valid domain users that are members of the group should also be included. The intent of this behavior is to end up with a list of all individual users from that system that make up the group once everything has been resolved.
+
+______________
+
+## < ~~fileauditedpermissions_test~~ >
+
+> :small_red_triangle: **Deprecated As Of Version 5.3** :small_red_triangle:
**Reason:** Replaced by the fileauditedpermissions53_test. This test uses a trustee_name element for identifying trustees. Trustee names are not unique, and a new test was created to use trustee SIDs, which are unique. See the fileauditedpermissions53_test.
**Comment:** This test has been deprecated and will be removed in version 6.0 of the language.
+
+The file audited permissions test is used to check the audit permissions associated with Windows files. Note that the trustee's audited permissions are the audit permissons that the SACL grants to the trustee or to any groups of which the trustee is a member. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a fileauditedpermissions_object, and the optional state element references a fileauditedpermissions_state that specifies the metadata to check.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..unbounded) |
+|||
+
+## < ~~fileauditedpermissions_object~~ >
+
+> :small_red_triangle: **Deprecated As Of Version 5.3** :small_red_triangle:
**Reason:** Replaced by the fileauditedpermissions53_object. This object uses a trustee_name element for identifying trustees. Trustee names are not unique, and a new object was created to use trustee SIDs, which are unique. See the fileauditedpermissions53_object.
**Comment:** This object has been deprecated and will be removed in version 6.0 of the language.
+
+The fileauditedpermissions_object element is used by a file audited permissions test to define the objects used to evalutate against the specified state. The fileauditedpermissions_object will collect directories and all Windows file types (FILE_TYPE_CHAR, FILE_TYPE_DISK, FILE_TYPE_PIPE, FILE_TYPE_REMOTE, and FILE_TYPE_UNKNOWN). Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic.
+
+A fileauditedpermissions_object is defined as a combination of a Windows file and trustee name. The file represents the file to be evaluated while the trustee name represents the account (SID) to check audited permissions of. If multiple files or SIDs are matched by either reference, then each possible combination of file and SID is a matching file audited permissions object. In addition, a number of behaviors may be provided that help guide the collection of objects. Please refer to the FileAuditPermissionsBehaviors complex type for more information about specific behaviors.
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| behaviors | [win-def:FileAuditPermissionsBehaviors](#FileAuditPermissionsBehaviors) (0..1) |
+|||
+| path | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The path element specifies the directory component of the absolute path to a file on the machine.
|
+| filename | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The filename element specifies the name of a file to evaluate. If the xsi:nil attribute is set to true, then the object being specified is the higher level directory object (not all the files in the directory). In this case, the filename element should not be used during collection and would result in the unique set of items being the directories themselves. For example, one would set xsi:nil to true if the desire was to test the attributes or permissions associated with a directory. Setting xsi:nil equal to true is different than using a .* pattern match, which says to collect every file under a given path.
|
+| trustee_name | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The trustee_name element is the unique name that associated a particular SID. A SID can be associated with a user, group, or program (such as a Windows service). In Windows, trustee names are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, trustee names should be identified in the form: "domain\trustee name". For local trustee names use: "computer name\trustee name". For built-in accounts on the system, use the trustee name without a domain.
|
+
+## < ~~fileauditedpermissions_state~~ >
+
+> :small_red_triangle: **Deprecated As Of Version 5.3** :small_red_triangle:
**Reason:** Replaced by the fileauditedpermissions53_state. This state uses a trustee_name element for identifying trustees. Trustee names are not unique, and a new state was created to use trustee SIDs, which are unique. See the fileauditedpermissions53_state.
**Comment:** This state has been deprecated and will be removed in version 6.0 of the language.
+
+The fileauditedpermissions_state element defines the different audit permissions that can be associated with a given fileauditedpermissions_object. Please refer to the individual elements in the schema for more details about what each represents.
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| path | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The path element specifies the directory component of the absolute path to a file on the machine.
|
+| filename | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The filename element specifies the name of a file to test for.
|
+| trustee_name | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The trustee_name is the unique name associated with a particular security identifier (SID). In Windows, trustee names are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, trustee names should be identified in the form: "domain\trustee name". For local trustee names use: "computer name\trustee name". For built-in accounts on the system, use the trustee name without a domain.
|
+| standard_delete | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||The right to delete the object.
|
+| standard_read_control | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||The right to read the information in the object's Security Descriptor, not including the information in the SACL.
|
+| standard_write_dac | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||The right to modify the DACL in the object's Security Descriptor.
|
+| standard_write_owner | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||The right to change the owner in the object's Security Descriptor.
|
+| standard_synchronize | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right.
|
+| access_system_security | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Indicates access to a system access control list (SACL).
|
+| generic_read | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Read access.
|
+| generic_write | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Write access.
|
+| generic_execute | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Execute access.
|
+| generic_all | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Read, write, and execute access.
|
+| file_read_data | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Grants the right to read data from the file.
|
+| file_write_data | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Grants the right to write data to the file.
|
+| file_append_data | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Grants the right to append data to the file.
|
+| file_read_ea | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Grants the right to read extended attributes.
|
+| file_write_ea | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Grants the right to write extended attributes.
|
+| file_execute | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Grants the right to execute a file.
|
+| file_delete_child | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Right to delete a directory and all the files it contains (its children), even if the files are read-only.
|
+| file_read_attributes | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Grants the right to read file attributes.
|
+| file_write_attributes | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Grants the right to change file attributes.
|
+| windows_view | [win-def:EntityStateWindowsViewType](#EntityStateWindowsViewType) (0..1) |
+||The windows view value to which this was targeted. This is used to indicate which view (32-bit or 64-bit), the associated State applies to.
|
+
+## == ~~FileAuditPermissionsBehaviors~~ ==
+
+> :small_red_triangle: **Deprecated As Of Version 5.3** :small_red_triangle:
**Reason:** Replaced by the FileAuditPermissionsBehaviors53. The FileAuditPermissionsBehaviors complex type is used by the fileauditedpermissions_test which uses a trustee_name element for identifying trustees. Trustee names are not unique, and a new test was created to use trustee SIDs, which are unique. This new test utilizes the FileAuditPermissionsBehaviors53 complex type, and as a result, the FileAuditPermissionsBehaviors complex type is no longer needed.
**Comment:** This complex type has been deprecated and will be removed in version 6.0 of the language.
+
+The FileAuditPermissionsBehaviors complex type defines a number of behaviors that allow a more detailed definition of the fileauditpermissions_object being specified. Note that using these behaviors may result in some unique results. For example, a double negative type condition might be created where an object entity says include everything except a specific item, but a behavior is used that might then add that item back in.
+
+The FileAuditPermissionsBehaviors extend the win-def:FileBehaviors and therefore include the behaviors defined by that type.
+
+**Extends:** [win-def:FileBehaviors](#FileBehaviors)
+
+#### Attributes:
+
+* ~~**include_group** xsd:boolean (optional -- default='true')~~
+'include_group' defines whether the group trustee name should be included in the object when the object is defined by a group trustee name. For example, the intent of an object defined by a group trustee name might be to retrieve all the user SIDs that are a member of the group, but not the group trustee name itself.
+* ~~**resolve_group** xsd:boolean (optional -- default='false')~~
+The 'resolve_group' behavior defines whether an object set defined by a group SID should be resolved to return a set that contains all the user SIDs that are a member of that group. Note that all child groups should also be resolved any valid domain users that are members of the group should also be included. The intent of this behavior is to end up with a list of all individual users from that system that make up the group once everything has been resolved.
+
+______________
+
+## < fileeffectiverights53_test >
+
+The file effective rights test is used to check the effective rights associated with Windows files. Note that the trustee's effective access rights are the access rights that the DACL grants to the trustee or to any groups of which the trustee is a member. The fileeffectiverights53_test element extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a fileeffectiverights53_object and the optional state element specifies the metadata to check.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..unbounded) |
+|||
+
+## < fileeffectiverights53_object >
+
+The fileeffectiverights53_object element is used by a file effective rights test to define the objects used to evalutate against the specified state. The fileeffectiverights53_object will collect directories and all Windows file types (FILE_TYPE_CHAR, FILE_TYPE_DISK, FILE_TYPE_PIPE, FILE_TYPE_REMOTE, and FILE_TYPE_UNKNOWN). Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic.
+
+A fileeffectiverights53_object is defined as a combination of a Windows file and trustee SID. The file represents the file to be evaluated while the trustee SID represents the account (SID) to check effective rights of. If multiple files or SIDs are matched by either reference, then each possible combination of file and SID is a matching file effective rights object. In addition, a number of behaviors may be provided that help guide the collection of objects. Please refer to the FileEffectiveRights53Behaviors complex type for more information about specific behaviors.
+
+The set of files to be evaluated may be identified with either a complete filepath or a path and filename. Only one of these options may be selected.
+
+It is important to note that the 'max_depth' and 'recurse_direction' attributes of the 'behaviors' element do not apply to the 'filepath' element, only to the 'path' and 'filename' elements. This is because the 'filepath' element represents an absolute path to a particular file and it is not possible to recurse over a file.
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| behaviors | [win-def:FileEffectiveRights53Behaviors](#FileEffectiveRights53Behaviors) (0..1) |
+|||
+| filepath | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The filepath element specifies the absolute path for a file on the machine. A directory cannot be specified as a filepath.
|
+| path | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The path element specifies the directory component of the absolute path to a file on the machine.
|
+| filename | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The filename element specifies the name of a file to evaluate. If the xsi:nil attribute is set to true, then the object being specified is the higher level directory object (not all the files in the directory). In this case, the filename element should not be used during collection and would result in the unique set of items being the directories themselves. For example, one would set xsi:nil to true if the desire was to test the attributes or permissions associated with a directory. Setting xsi:nil equal to true is different than using a .* pattern match, which says to collect every file under a given path..
|
+| trustee_sid | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The trustee_sid entity identifies a unique SID associated with a user, group, system, or program (such as a Windows service). If an operation other than equals is used to identify matching trustees (i.e. not equal, or a pattern match) then the resulting matches shall be limited to only the trustees referenced in the file's Security Descriptor. The scope is limited here to avoid unnecessarily resource intensive searches for trustees. Note that the larger scope of all known trustees may be obtained through the use of variables.
|
+| [oval-def:filter](oval-definitions-schema.md#filter) | n/a (0..unbounded) |
+|||
+
+## < fileeffectiverights53_state >
+
+The fileeffectiverights53_state element defines the different rights that can be associated with a given fileeffectiverights53_object. Please refer to the individual elements in the schema for more details about what each represents.
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| filepath | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The filepath element specifies the absolute path for a file on the machine. A directory cannot be specified as a filepath.
|
+| path | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The path element specifies the directory component of the absolute path to a file on the machine.
|
+| filename | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The filename element specifies the name of the file.
|
+| trustee_sid | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The trustee_sid element is the unique SID that associated a user, group, system, or program (such as a Windows service).
|
+| standard_delete | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||The right to delete the object.
|
+| standard_read_control | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||The right to read the information in the object's Security Descriptor, not including the information in the SACL.
|
+| standard_write_dac | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||The right to modify the DACL in the object's Security Descriptor.
|
+| standard_write_owner | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||The right to change the owner in the object's Security Descriptor.
|
+| standard_synchronize | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right.
|
+| access_system_security | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Indicates access to a system access control list (SACL).
|
+| generic_read | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Read access.
|
+| generic_write | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Write access.
|
+| generic_execute | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Execute access.
|
+| generic_all | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Read, write, and execute access.
|
+| file_read_data | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Grants the right to read data from the file, or if a directory, grants the right to list the contents of the directory.
|
+| file_write_data | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Grants the right to write data to the file, or if a directory, grants the right to add a file to the directory.
|
+| file_append_data | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Grants the right to append data to the file, or if a directory, grants the right to add a sub-directory to the directory.
|
+| file_read_ea | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Grants the right to read extended attributes.
|
+| file_write_ea | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Grants the right to write extended attributes.
|
+| file_execute | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Grants the right to execute a file, or if a directory, the right to traverse the directory.
|
+| file_delete_child | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Right to delete a directory and all the files it contains (its children), even if the files are read-only.
|
+| file_read_attributes | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Grants the right to read file, or directory, attributes.
|
+| file_write_attributes | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Grants the right to change file, or directory, attributes.
|
+| windows_view | [win-def:EntityStateWindowsViewType](#EntityStateWindowsViewType) (0..1) |
+||The windows view value to which this was targeted. This is used to indicate which view (32-bit or 64-bit), the associated State applies to.
|
+
+## == FileEffectiveRights53Behaviors ==
+
+The FileEffectiveRights53Behaviors complex type defines a number of behaviors that allow a more detailed definition of the fileeffectiverights53_object being specified. Note that using these behaviors may result in some unique results. For example, a double negative type condition might be created where an object entity says include everything except a specific item, but a behavior is used that might then add that item back in.
+
+It is important to note that the 'max_depth' and 'recurse_direction' attributes of the 'behaviors' element do not apply to the 'filepath' element, only to the 'path' and 'filename' elements. This is because the 'filepath' element represents an absolute path to a particular file and it is not possible to recurse over a file.
+
+The FileEffectiveRights53Behaviors extend the win-def:FileBehaviors and therefore include the behaviors defined by that type.
+
+**Extends:** [win-def:FileBehaviors](#FileBehaviors)
+
+#### Attributes:
+
+* ~~**include_group** xsd:boolean (optional -- default='true')~~
+'include_group' defines whether the group SID should be included in the object when the object is defined by a group SID. For example, the intent of an object defined by a group SID might be to retrieve all the user SIDs that are a member of the group, but not the group SID itself.
+* ~~**resolve_group** xsd:boolean (optional -- default='false')~~
+The 'resolve_group' behavior defines whether an object set defined by a group SID should be resolved to return a set that contains all the user SIDs that are a member of that group. Note that all child groups should also be resolved any valid domain users that are members of the group should also be included. The intent of this behavior is to end up with a list of all individual users from that system that make up the group once everything has been resolved.
+
+______________
+
+## < ~~fileeffectiverights_test~~ >
+
+> :small_red_triangle: **Deprecated As Of Version 5.3** :small_red_triangle:
**Reason:** Replaced by the fileeffectiverights53_test. This test uses a trustee_name element for identifying trustees. Trustee names are not unique, and a new test was created to use trustee SIDs, which are unique. See the fileeffectiverights53_test.
**Comment:** This test has been deprecated and will be removed in version 6.0 of the language.
+
+The file effective rights test is used to check the effective rights associated with Windows files. Note that the trustee's effective access rights are the access rights that the DACL grants to the trustee or to any groups of which the trustee is a member. The fileeffectiverights_test element extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a fileeffectiverights_object and the optional state element specifies the metadata to check.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..unbounded) |
+|||
+
+## < ~~fileeffectiverights_object~~ >
+
+> :small_red_triangle: **Deprecated As Of Version 5.3** :small_red_triangle:
**Reason:** Replaced by the fileeffectiverights_object. This object uses a trustee_name element for identifying trustees. Trustee names are not unique, and a new object was created to use trustee SIDs, which are unique. See the fileeffectiverights53_object.
**Comment:** This object has been deprecated and will be removed in version 6.0 of the language.
+
+The fileeffectiverights_object element is used by a file effective rights test to define the objects used to evalutate against the specified state. The fileeffectiverights_object will collect directories and all Windows file types (FILE_TYPE_CHAR, FILE_TYPE_DISK, FILE_TYPE_PIPE, FILE_TYPE_REMOTE, and FILE_TYPE_UNKNOWN). Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic.
+
+A fileeffectiverights_object is defined as a combination of a Windows file and trustee name. The file represents the file to be evaluated while the trustee name represents the account (SID) to check effective rights of. If multiple files or SIDs are matched by either reference, then each possible combination of file and SID is a matching file effective rights object. In addition, a number of behaviors may be provided that help guide the collection of objects. Please refer to the FileEffectiveRightsBehaviors complex type for more information about specific behaviors.
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| behaviors | [win-def:FileEffectiveRightsBehaviors](#FileEffectiveRightsBehaviors) (0..1) |
+|||
+| path | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The path element specifies the directory component of the absolute path to a file on the machine.
|
+| filename | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The filename element specifies the name of a file to evaluate. If the xsi:nil attribute is set to true, then the object being specified is the higher level directory object (not all the files in the directory). In this case, the filename element should not be used during collection and would result in the unique set of items being the directories themselves. For example, one would set xsi:nil to true if the desire was to test the attributes or permissions associated with a directory. Setting xsi:nil equal to true is different than using a .* pattern match, which says to collect every file under a given path.
|
+| trustee_name | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The trustee_name element is the unique name that associated a particular SID. A SID can be associated with a user, group, or program (such as a Windows service). In Windows, trustee names are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, trustee names should be identified in the form: "domain\trustee name". For local trustee names use: "computer name\trustee name". For built-in accounts on the system, use the trustee name without a domain.
|
+
+## < ~~fileeffectiverights_state~~ >
+
+> :small_red_triangle: **Deprecated As Of Version 5.3** :small_red_triangle:
**Reason:** Replaced by the fileeffectiverights53_state. This state uses a trustee_name element for identifying trustees. Trustee names are not unique, and a new state was created to use trustee SIDs, which are unique. See the fileeffectiverights53_state.
**Comment:** This state has been deprecated and will be removed in version 6.0 of the language.
+
+The fileeffectiverights_state element defines the different rights that can be associated with a given fileeffectiverights_object. Please refer to the individual elements in the schema for more details about what each represents.
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| path | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The path element specifies the directory component of the absolute path to a file on the machine.
|
+| filename | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The filename element specifies the name of the file.
|
+| trustee_name | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The unique name associated with a particular security identifier (SID). In Windows, trustee names are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, trustee names should be identified in the form: "domain\trustee name". For local trustee names use: "computer name\trustee name". For built-in accounts on the system, use the trustee name without a domain.
|
+| standard_delete | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||The right to delete the object.
|
+| standard_read_control | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||The right to read the information in the object's Security Descriptor, not including the information in the SACL.
|
+| standard_write_dac | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||The right to modify the DACL in the object's Security Descriptor.
|
+| standard_write_owner | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||The right to change the owner in the object's Security Descriptor.
|
+| standard_synchronize | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right.
|
+| access_system_security | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Indicates access to a system access control list (SACL).
|
+| generic_read | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Read access.
|
+| generic_write | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Write access.
|
+| generic_execute | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Execute access.
|
+| generic_all | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Read, write, and execute access.
|
+| file_read_data | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Grants the right to read data from the file, or if a directory, grants the right to list the contents of the directory.
|
+| file_write_data | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Grants the right to write data to the file, or if a directory, grants the right to add a file to the directory.
|
+| file_append_data | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Grants the right to append data to the file, or if a directory, grants the right to add a sub-directory to the directory.
|
+| file_read_ea | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Grants the right to read extended attributes.
|
+| file_write_ea | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Grants the right to write extended attributes.
|
+| file_execute | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Grants the right to execute a file, or if a directory, the right to traverse the directory.
|
+| file_delete_child | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Right to delete a directory and all the files it contains (its children), even if the files are read-only.
|
+| file_read_attributes | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Grants the right to read file, or directory, attributes.
|
+| file_write_attributes | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Grants the right to change file, or directory, attributes.
|
+| windows_view | [win-def:EntityStateWindowsViewType](#EntityStateWindowsViewType) (0..1) |
+||The windows view value to which this was targeted. This is used to indicate which view (32-bit or 64-bit), the associated State applies to.
|
+
+## == ~~FileEffectiveRightsBehaviors~~ ==
+
+> :small_red_triangle: **Deprecated As Of Version 5.3** :small_red_triangle:
**Reason:** Replaced by the FileEffectiveRightsBehaviors53. The FileEffectiveRightsBehaviors complex type is used by the fileeffectiverights_test which uses a trustee_name element for identifying trustees. Trustee names are not unique, and a new test was created to use trustee SIDs, which are unique. This new test utilizes the FileEffectiveRightsBehaviors53 complex type, and as a result, the FileEffectiveRightsBehaviors complex type is no longer needed.
**Comment:** This complex type has been deprecated and will be removed in version 6.0 of the language.
+
+The FileEffectiveRightsBehaviors complex type defines a number of behaviors that allow a more detailed definition of the fileeffectiverights_object being specified. Note that using these behaviors may result in some unique results. For example, a double negative type condition might be created where an object entity says include everything except a specific item, but a behavior is used that might then add that item back in.
+
+The FileEffectiveRightsBehaviors extend the win-def:FileBehaviors and therefore include the behaviors defined by that type.
+
+**Extends:** [win-def:FileBehaviors](#FileBehaviors)
+
+#### Attributes:
+
+* ~~**include_group** xsd:boolean (optional -- default='true')~~
+'include_group' defines whether the group trustee name should be included in the object when the object is defined by a group trustee name. For example, the intent of an object defined by a group SID might be to retrieve all the user trustee names that are members of the group, but not the group trustee name itself.
+* ~~**resolve_group** xsd:boolean (optional -- default='false')~~
+The 'resolve_group' behavior defines whether an object set defined by a group SID should be resolved to return a set that contains all the user SIDs that are a member of that group. Note that all child groups should also be resolved any valid domain users that are members of the group should also be included. The intent of this behavior is to end up with a list of all individual users from that system that make up the group once everything has been resolved.
+
+______________
+
+## < ~~group_test~~ >
+
+> :small_red_triangle: **Deprecated As Of Version 5.11** :small_red_triangle:
**Reason:** Replaced by the group_sid_test. This test uses trustee names for identifying accounts on the system. Trustee names are not unique and the group_sid_test, which uses trustee SIDs which are unique, should be used instead. See the group_sid_test.
**Comment:** This test has been deprecated and will be removed in version 6.0 of the language.
+
+The group_test allows the different users and subgroups, that directly belong to specific groups (identified by name), to be tested. When the group_test collects the groups on the system, it should only include the local and built-in group accounts and not domain group accounts. However, it is important to note that domain group accounts can still be looked up. Also, note that the subgroups of the group will not be resolved to find indirect user and group members. If the subgroups need to be resolved, it should be done using the sid_object. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a group_object and the optional state element specifies the metadata to check.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..unbounded) |
+|||
+
+## < ~~group_object~~ >
+
+> :small_red_triangle: **Deprecated As Of Version 5.11** :small_red_triangle:
**Reason:** Replaced by the group_sid_object. This object uses trustee names for identifying accounts on the system. Trustee names are not unique and the group_sid_object, which uses trustee SIDs which are unique, should be used instead. See the group_sid_object.
**Comment:** This object has been deprecated and will be removed in version 6.0 of the language.
+
+The group_object element is used by a group test to define the specific group(s) (identified by name) to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| group | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The group element holds a string that represents the name of a particular group. In Windows, group names are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, the group should be identified in the form: "domain\group name". In a local environment, the group should be identified in the form: "computer name\group name". If the group is a built-in group, the group should be identified in the form: "group name" without a domain component.
|
+| [oval-def:filter](oval-definitions-schema.md#filter) | n/a (0..unbounded) |
+|||
+
+## < ~~group_state~~ >
+
+> :small_red_triangle: **Deprecated As Of Version 5.11** :small_red_triangle:
**Reason:** Replaced by the group_sid_state. This state uses trustee names for identifying accounts on the system. Trustee names are not unique and the group_sid_state, which uses trustee SIDs which are unique, should be used instead. See the group_sid_state.
**Comment:** This state has been deprecated and will be removed in version 6.0 of the language.
+
+The group_state element enumerates the different users and subgroups directly associated with a Windows group. Please refer to the individual elements in the schema for more details about what each represents.
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| group | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The group element holds a string that represents the name of a particular group. In Windows, group names are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, groups should be identified in the form: "domain\group name". For local groups use: "computer name\group name". For built-in accounts on the system, use the group name without a domain.
|
+| user | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The user element holds a string that represents the name of a particular user. In Windows, user names are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, users should be identified in the form: "domain\user name". For local users use: "computer name\user name". For built-in accounts on the system, use the user name without a domain.
The user element can be included multiple times in a system characteristic item in order to record that a group contains a number of different users. Note that the entity_check attribute associated with EntityStateStringType guides the evaluation of entities like user that refer to items that can occur an unbounded number of times.
|
+| subgroup | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||A string that represents the name of a particular subgroup in the specified group. In Windows, group names are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, the subgroups should be identified in the form: "domain\group name". In a local environment, the subgroups should be identified in the form: "computer name\group name". If the subgroups are built-in groups, the subgroups should be identified in the form: "group name" without a domain component.
The subgroup element can be included multiple times in a system characteristic item in order to record that a group contains a number of different subgroups. Note that the entity_check attribute associated with EntityStateStringType guides the evaluation of entities like the subgroup entity that refer to items that can occur an unbounded number of times.
|
+
+______________
+
+## < group_sid_test >
+
+The group_sid_test allows the different users and subgroups, that directly belong to specific groups (identified by SID), to be tested. When the group_sid_test collects the group SIDs on the system, it should only include the local and built-in group SIDs and not domain group SIDs. However, it is important to note that domain group SIDs can still be looked up. Also, note that the subgroups of the group will not be resolved to find indirect user and group members. If the subgroups need to be resolved, it should be done using the sid_sid_object. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a group_sid_object and the optional state element specifies the metadata to check.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..unbounded) |
+|||
+
+## < group_sid_object >
+
+The group_sid_object element is used by a group_test to define the specific group(s) (identified by SID) to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| group_sid | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The group_sid entity holds a string that represents the SID of a particular group.
|
+| [oval-def:filter](oval-definitions-schema.md#filter) | n/a (0..unbounded) |
+|||
+
+## < group_sid_state >
+
+The group_state element enumerates the different users and subgroups directly associated with a Windows group. Please refer to the individual elements in the schema for more details about what each represents.
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| group_sid | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The group_sid entity holds a string that represents the SID of a particular group.
|
+| user_sid | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The user_sid entity holds a string that represents the SID of a particular user. This entity can be included multiple times in a system characteristic item in order to record that a group contains a number of different users. Note that the entity_check attribute associated with EntityStateStringType guides the evaluation of entities like user that refer to items that can occur an unbounded number of times.
|
+| subgroup_sid | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The subgroup_sid entity holds a string that represents the SID of particular subgroup in the specified group. This entity can be included multiple times in a system characteristic item in order to record that a group contains a number of different subgroups. Note that the entity_check attribute associated with EntityStateStringType guides the evaluation of entities like subgroup_sid that refer to items that can occur an unbounded number of times.
|
+
+______________
+
+## < interface_test >
+
+The interface test enumerate various attributes about the interfaces on a system. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references an interface_object and the optional state element specifies the interface information to check.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..unbounded) |
+|||
+
+## < interface_object >
+
+The interface_object element is used by an interface test to define the specific interfaces(s) to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+An interface object consists of a single name entity that identifies which interface is being specified. For help understanding this object, see the MIB_IFROW and MIB_IPADDRROW structures.
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| name | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The name element specifies the name of an interface.
|
+| [oval-def:filter](oval-definitions-schema.md#filter) | n/a (0..unbounded) |
+|||
+
+## < interface_state >
+
+The interface_state element enumerates the different properties associate with a Windows interface. Please refer to the individual elements in the schema for more details about what each represents.
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| name | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The name element specifies the name of an interface.
|
+| index | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||The index element specifies index that identifies the interface.
|
+| type | [win-def:EntityStateInterfaceTypeType](#EntityStateInterfaceTypeType) (0..1) |
+||The type element specifies the type of interface which is limited to certain set of values.
|
+| hardware_addr | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The hardware_addr entity is the hardware or MAC address of the physical network card. MAC addresses should be formatted according to the IEEE 802-2001 standard which states that a MAC address is a sequence of six octet values, separated by hyphens, where each octet is represented by two hexadecimal digits. Uppercase letters should also be used to represent the hexadecimal digits A through F.
|
+| inet_addr | [oval-def:EntityStateIPAddressStringType](oval-definitions-schema.md#EntityStateIPAddressStringType) (0..1) |
+||The inet_addr element specifies the IP address. Note that the IP address can be IPv4 or IPv6. If the IP address is an IPv6 address, this entity will be expressed as an IPv6 address prefix using CIDR notation and the netmask entity will not be collected.
|
+| broadcast_addr | [oval-def:EntityStateIPAddressStringType](oval-definitions-schema.md#EntityStateIPAddressStringType) (0..1) |
+||The broadcast_addr element specifies the broadcast address. A broadcast address is typically the IP address with the host portion set to either all zeros or all ones. Note that the IP address can be IPv4 or IPv6.
|
+| netmask | [oval-def:EntityStateIPAddressStringType](oval-definitions-schema.md#EntityStateIPAddressStringType) (0..1) |
+||The netmask element specifies the subnet mask for the IP address. Note that if the inet_addr entity contains an IPv6 address prefix, this entity will not be collected.
|
+| addr_type | [win-def:EntityStateAddrTypeType](#EntityStateAddrTypeType) (0..1) |
+||The addr_type element specifies the address type or state of a specific interface. Each interface can be associated with more than one value meaning the addr_type element can occur multiple times in a system characteristic item. Note that the entity_check attribute associated with EntityStateAddrTypeType guides the evaluation of unbounded entities like addr_type.
|
+
+______________
+
+## < junction_test >
+
+The junction_test is used to obtain canonical path information for junctions (reparse points) on Windows filesystems.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..unbounded) |
+|||
+
+## < junction_object >
+
+The junction_object element is used by a junction_test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+A junction_object consists of a path entity that contains the path to a symbolic link file. The resulting item identifies the canonical path of the link target (followed to its final destination, if there are intermediate links), an error if the link target does not exist or is a circular link (e.g., a link to itself). If the directory located at path is not a junction, or if there is no directory located at the path, then any resulting item would itself have a status of does not exist.
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| behaviors | [win-def:FileBehaviors](#FileBehaviors) (0..1) |
+|||
+| path | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||Specifies the path to the junction.
|
+| [oval-def:filter](oval-definitions-schema.md#filter) | n/a (0..unbounded) |
+|||
+
+## < junction_state >
+
+The junction_state element defines a value used to evaluate the result of a specific junction_object item.
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| path | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||Specifies the path used to create the object.
|
+| canonical_path | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||Specifies the canonical path for the target of a Windows junction specified by the path.
|
+| windows_view | [win-def:EntityStateWindowsViewType](#EntityStateWindowsViewType) (0..1) |
+||The windows view value to which this was targeted. This is used to indicate which view (32-bit or 64-bit), the associated State applies to.
|
+
+______________
+
+## < license_test >
+
+The license_test is used to check the content of a particular entry in the Windows registry HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions key, ProductPolicy value. Access to this data is exposed by the functions NtQueryLicenseValue (and also, in version 6.0 and higher, ZwQueryLicenseValue) in NTDLL.DLL.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..unbounded) |
+|||
+
+## < license_object >
+
+The license_object element is used by a license_test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| name | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The name entity provides the address of a UNICODE_STRING structure for the name of the value for which data is desired, for example, TabletPCPlatformInput-core-EnableTouchUI.
|
+| [oval-def:filter](oval-definitions-schema.md#filter) | n/a (0..unbounded) |
+|||
+
+## < license_state >
+
+The license_state element defines the different information that can be found in the Windows license registry value. Please refer to the individual elements in the schema for more details about what each represents.
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| name | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The name entity corresponds to the license_object name entity.
|
+| type | [win-def:EntityStateRegistryTypeType](#EntityStateRegistryTypeType) (0..1) |
+||The optional type entity provides the type of data that is expected: REG_SZ (0x01) for a string; REG_BINARY (0x03) for binary data; REG_DWORD (0x04) for a dword.
|
+| value | [oval-def:EntityStateAnySimpleType](oval-definitions-schema.md#EntityStateAnySimpleType) (0..1) |
+||The value entity allows a test to be written against the value held within the specified license entry(-ies). If the value being tested is of type REG_BINARY, then the datatype attribute should be set to 'binary' and the data represented by the value entity should follow the xsd:hexBinary form. (each binary octet is encoded as two hex digits) If the value being tested is of type REG_DWORD, then the datatype attribute should be set to 'int' and the value entity should represent the data as an integer. If the specified registry key is of type REG_SZ, then the datatype should be 'string' and the value entity should be a copy of the string.
Note that if the intent is to test a version number held in the license entry (as a reg_sz) then instead of setting the datatype to 'string', the datatype can be set to 'version'. This allows tools performing the evaluation to know how to perform less than and greater than operations correctly.
|
+
+______________
+
+## < lockoutpolicy_test >
+
+The lockout policy test enumerates various attributes associated with lockout information for users and global groups in the security database. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a lockoutpolicy_object and the optional state element specifies the metadata to check.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..unbounded) |
+|||
+
+## < lockoutpolicy_object >
+
+The lockoutpolicy_object element is used by a lockout policy test to define those objects to evaluated based on a specified state. There is actually only one object relating to lockout policy and this is the system as a whole. Therefore, there are no child entities defined. Any OVAL Test written to check lockout policy will reference the same lockoutpolicy_object which is basically an empty object element.
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+## < lockoutpolicy_state >
+
+The lockoutpolicy_state element specifies the various attributes associated with lockout information for users and global groups in the security database. A lockout policy test will reference a specific instance of this state that defines the exact settings that need to be evaluated. Please refer to the individual elements in the schema for more details about what each represents.
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| force_logoff | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||Specifies, in seconds (from a DWORD), the amount of time between the end of the valid logon time and the time when the user is forced to log off the network. A value of TIMEQ_FOREVER (max DWORD value, 4294967295) indicates that the user is never forced to log off. A value of zero indicates that the user will be forced to log off immediately when the valid logon time expires. See the USER_MODALS_INFO_0 structure returned by a call to NetUserModalsGet().
|
+| lockout_duration | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||Specifies, in seconds, how long a locked account remains locked before it is automatically unlocked. See the USER_MODALS_INFO_3 structure returned by a call to NetUserModalsGet().
|
+| lockout_observation_window | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||Specifies the maximum time, in seconds, that can elapse between any two failed logon attempts before lockout occurs. See the USER_MODALS_INFO_3 structure returned by a call to NetUserModalsGet().
|
+| lockout_threshold | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||Specifies the number of invalid password authentications that can occur before an account is marked "locked out." See the USER_MODALS_INFO_3 structure returned by a call to NetUserModalsGet().
|
+
+______________
+
+## < metabase_test >
+
+The metabase test is used to check information found in the Windows metabase. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a metabase_object and the optional state element specifies the metadata to check.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..unbounded) |
+|||
+
+## < metabase_object >
+
+The metabase_object element is used by a metabase test to define the specific metabase item(s) to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+A metabase object defines the key and id of the item(s).
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| key | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The key element specifies a metabase key.
|
+| id | [oval-def:EntityObjectIntType](oval-definitions-schema.md#EntityObjectIntType) (1..1) |
+||The id element specifies a particular object under the metabase key. If the xsi:nil attribute is set to true, then the object being specified is the higher level key. In this case, the id element should not be collected or used in analysis. Setting xsi:nil equal to true is different than using a .* pattern match, says to collect every id under a given key. The most likely use for xsi:nil within a metabase object is when checking for the existence of a particular key, without regards to the different ids associated with it.
|
+| [oval-def:filter](oval-definitions-schema.md#filter) | n/a (0..unbounded) |
+|||
+
+## < metabase_state >
+
+The metabase_state element defines the different metadata associate with a metabase item. This includes the name, user type, data type, and the actual data. Please refer to the individual elements in the schema for more details about what each represents.
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| key | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The key element specifies a metabase key.
|
+| id | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||The id element specifies a particular object under the metabase key.
|
+| name | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The name element describes the name of the specified metabase object. This is intended to be the string name of the constant from IIScnfg.h, e.g., MD_KEY_TYPE.
|
+| user_type | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The user_type element is an unsigned 32-bit integer (DWORD) that specifies the user type of the data. See the METADATA_RECORD structure.
|
+| data_type | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The data_type element identifies the type of data in the metabase entry. See the METADATA_RECORD structure.
|
+| data | [oval-def:EntityStateAnySimpleType](oval-definitions-schema.md#EntityStateAnySimpleType) (0..1) |
+||The actual data of the named item under the specified metabase key
|
+
+______________
+
+## < ntuser_test >
+
+The ntuser test is used to check metadata associated with Windows ntuser.dat files. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a ntuser_object and the optional state element specifies the ntuser data to check.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..unbounded) |
+|||
+
+## < ntuser_object >
+
+The ntuser_object element is used to specify which metadata should be collected from a Windows ntuser.dat file. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| behaviors | [win-def:NTUserBehaviors](#NTUserBehaviors) (0..1) |
+|||
+| key | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The key element describes a registry key to be collected. Note that the hive portion of the string should not be included, as this data is not neccessary for the ntuser test and would normally reside in the HKCU hive.
|
+| name | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The name element describes the name assigned to a value associated with a specific registry key. If an empty string is specified for the name element, the registry key's default value should be collected. If the xsi:nil attribute is set to true, then the object being specified is the higher level key. In this case, the name element should not be collected or used in analysis. Setting xsi:nil equal to true on an element is different than using a .* pattern match. A .* pattern match says to collect every name under a given hive/key. The most likely use for xsi:nil within a registry object is when checking for the existence of a particular key, without regards to the different names associated with it.
|
+| [oval-def:filter](oval-definitions-schema.md#filter) | n/a (0..unbounded) |
+|||
+
+## < ntuser_state >
+
+The ntuser_state element defines the different metadata associated with a ntuser.dat file. This includes the key, name, type, and value. Please refer to the individual elements in the schema for more details about what each represents.
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| key | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||This element describes a registry key normally found in the HKCU hive to be tested.
|
+| name | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||This element describes the name of a value of a registry key.
|
+| sid | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||This element holds a string that represents the SID of a particular user.
|
+| username | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The username entity holds a string that represents the name of a particular user. In Windows, user names are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, users should be identified in the form: "domain\user name". For local users use: "computer name\user name".
|
+| account_type | [win-def:EntityStateNTUserAccountTypeType](#EntityStateNTUserAccountTypeType) (0..1) |
+||The account_type element describes if the user account is a local account or domain account.
|
+| logged_on | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||The logged_on element describes if the user account is currently logged on to the computer.
|
+| enabled | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||The enabled element describes if the user account is enabled or disabled.
|
+| date_modified | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||Time of last modification of file. The integer should represent the FILETIME structure which is a 64-bit value representing the number of 100-nanosecond intervals since January 1, 1601 (UTC).
|
+| days_since_modified | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||The number of days since the ntuser.dat file was last modified. The value should be rounded up to the next whole integer.
|
+| filepath | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||This element describes the filepath of the ntuser.dat file.
|
+| last_write_time | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||The last time that the key or any of its value entries was modified. The value of this entity represents the FILETIME structure which is a 64-bit value representing the number of 100-nanosecond intervals since January 1, 1601 (UTC). Last write time can be queried on a key or name. When collecting only information about a registry key the last write time will be the time the key or any of its entiries was written to. When collecting only information about a registry name the last write time will be the time the name was written to. See the RegQueryInfoKey function lpftLastWriteTime.
|
+| type | [win-def:EntityStateRegistryTypeType](#EntityStateRegistryTypeType) (0..1) |
+||The type entity allows a test to be written against the registy type associated with the specified registry key(s). Please refer to the documentation on the EntityStateRegistryTypeType for more information about the different valid individual types.
|
+| value | [oval-def:EntityStateAnySimpleType](oval-definitions-schema.md#EntityStateAnySimpleType) (0..1) |
+||The value entity allows a test to be written against the value held within the specified registry key(s). If the value being tested is of type REG_BINARY, then the datatype attribute should be set to 'binary' and the data represented by the value entity should follow the xsd:hexBinary form. (each binary octet is encoded as two hex digits) If the value being tested is of type REG_DWORD or REG_QWORD, then the datatype attribute should be set to 'int' and the value entity should represent the data as an integer. If the value being tested is of type REG_EXPAND_SZ, then the datatype attribute should be set to 'string' and the pre-expanded string should be represented by the value entity. If the value being tested is of type REG_MULTI_SZ, then only a single string (one of the multiple strings) should be tested using the value entity with the datatype attribute set to 'string'. In order to test multiple values, multiple OVAL registry tests should be used. If the specified registry key is of type REG_SZ, then the datatype should be 'string' and the value entity should be a copy of the string.
Note that if the intent is to test a version number held in the registry (as a reg_sz) then instead of setting the datatype to 'string', the datatype can be set to 'version'. This allows tools performing the evaluation to know how to perform less than and greater than operations correctly.
|
+
+## == NTUserBehaviors ==
+
+The NTUserBehaviors complex type defines a number of behaviors that allow a more detailed definition of the ntuser_object being specified. Note that using these behaviors may result in some unique results. For example, a double negative type condition might be created where an object entity says include everything except a specific item, but a behavior is used that might then add that item back in.
+
+#### Attributes:
+
+* **include_default** xsd:boolean (optional -- default='false')
+'include_default' defines if the Window's local Default ntuser.dat file is included in the results. By default, this file is not included in the results.
+The Default User's directory which contains the ntuser.dat file is stored in the registry at 'HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/ProfileList/Default'.
+* **max_depth** Restriction of xsd:integer (optional -- default='-1')
+'max_depth' defines the maximum depth of recursion to perform when a recurse_direction is specified. A value of '0' is equivalent to no recursion, '1' means to step only one directory level up/down, and so on. The default value is '-1' meaning no limitation. For a 'max_depth' of -1 or any value of 1 or more the starting key must be considered in the recursive search.
+Note that the default recurse_direction behavior is 'none' so even though max_depth specifies no limitation by default, the recurse_direction behavior turns recursion off.
+Note that this behavior only applies with the equality operation on the key entity.
+* **recurse_direction** Restriction of xsd:string (optional -- default='none') ('none', 'up', 'down')
+'recurse_direction' defines the direction, either 'up' to parent keys, or 'down' into child keys to recursively search for registry keys. When recursing up or down, one is limited by the max_depth behavior. Note that it is not an error if max_depth specifies a certain level of recursion and that level does not exist. Recursing should only go as deep as available. The default value is 'none' for no recursion.
+Note that this behavior only applies with the equality operation on the key entity.
+* **windows_view** Restriction of xsd:string (optional -- default='64_bit') ('32_bit', '64_bit')
+64-bit versions of Windows provide an alternate file system and registry views to 32-bit applications. This behavior allows the OVAL Object to specify which view should be examined. This behavior only applies to 64-bit Windows, and must not be applied on other platforms.
+Note that the values have the following meaning: '64_bit' – Indicates that the 64-bit view on 64-bit Windows operating systems must be examined. On a 32-bit system, the Object must be evaluated without applying the behavior. '32_bit' – Indicates that the 32-bit view must be examined. On a 32-bit system, the Object must be evaluated without applying the behavior. It is recommended that the corresponding 'windows_view' entity be set on the OVAL Items that are collected when this behavior is used to distinguish between the OVAL Items that are collected in the 32-bit or 64-bit views.
+
+______________
+
+## < passwordpolicy_test >
+
+The password policy test is used to check specific policy associated with passwords. It is important to note that these policies are specific to certain versions of Windows. As a result, the documentation for that version of Windows should be consulted for more information. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a passwordpolicy_object and the optional state element specifies the metadata to check.
+
+NOTE: This information is stored in the SAM or Active Directory but is encrypted or hidden so the registry_test and activedirectory57_test are of no use. If this can be figured out, then the password_policy test is not needed.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..unbounded) |
+|||
+
+## < passwordpolicy_object >
+
+The passwordpolicy_object element is used by a password policy test to define those objects to evaluated based on a specified state. There is actually only one object relating to password policy and this is the system as a whole. Therefore, there are no child entities defined. Any OVAL Test written to check password policy will reference the same passwordpolicy_object which is basically an empty object element.
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+## < passwordpolicy_state >
+
+The passwordpolicy_state element specifies the various policies associated with passwords. A password policy test will reference a specific instance of this state that defines the exact settings that need to be evaluated.
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| max_passwd_age | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||Specifies, in seconds (from a DWORD), the maximum allowable password age. A value of TIMEQ_FOREVER (max DWORD value, 4294967295) indicates that the password never expires. The minimum valid value for this element is ONE_DAY (86400). See the USER_MODALS_INFO_0 structure returned by a call to NetUserModalsGet().
|
+| min_passwd_age | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||Specifies the minimum number of seconds that can elapse between the time a password changes and when it can be changed again. A value of zero indicates that no delay is required between password updates.
|
+| min_passwd_len | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||Specifies the minimum allowable password length. Valid values for this element are zero through PWLEN.
|
+| password_hist_len | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||Specifies the length of password history maintained. A new password cannot match any of the previous usrmod0_password_hist_len passwords. Valid values for this element are zero through DEF_MAX_PWHIST.
|
+| password_complexity | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||A boolean value that signifies whether passwords must meet the complexity requirements put forth by the operating system.
|
+| reversible_encryption | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Determines whether or not passwords are stored using reversible encryption.
|
+| anonymous_name_lookup | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Determines whether or not an anonymous user may query the local LSA policy.
|
+
+______________
+
+## < peheader_test >
+
+The peheader_test is used to check data from a Portable Executable file header. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a peheader_object and the optional state element specifies the metadata to check.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..unbounded) |
+|||
+
+## < peheader_object >
+
+The peheader_object is used by a peheader_test to define the specific file(s) whose headers should be evaluated. The peheader_object will collect header information from PE files. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+A peheader_object defines the path and filename or complete filepath of the file(s). In addition, a number of behaviors may be provided that help guide the collection of objects. Please refer to the PEHeaderBehaviors complex type for more information about specific behaviors.
+
+The set of files whose headers should be evaluated may be identified with either a complete filepath or a path and filename. Only one of these options may be selected.
+
+It is important to note that the 'max_depth' and 'recurse_direction' attributes of the 'behaviors' element do not apply to the 'filepath' element, only to the 'path' and 'filename' elements. This is because the 'filepath' element represents an absolute path to a particular file and it is not possible to recurse over a file.
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| behaviors | [win-def:FileBehaviors](#FileBehaviors) (0..1) |
+|||
+| filepath | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The filepath element specifies the absolute path for a PE file on the machine. A directory cannot be specified as a filepath.
|
+| path | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The path element specifies the directory component of the absolute path to a PE file on the machine.
|
+| filename | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The filename element specifies the name of a PE file to evaluate.
|
+| [oval-def:filter](oval-definitions-schema.md#filter) | n/a (0..unbounded) |
+|||
+
+## < peheader_state >
+
+The peheader_state defines the different metadata associated with the header of a PE file. Please refer to the individual elements in the schema for more details about what each represents. For more information, please see the documentation for the IMAGE_FILE_HEADER and IMAGE_OPTIONAL_HEADER structures.
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| filepath | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The filepath element specifies the absolute path for a PE file on the machine. A directory cannot be specified as a filepath.
|
+| path | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The path element specifies the directory component of the absolute path to a PE file on the machine.
|
+| filename | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The filename element specifies the name of a PE file to evaluate.
|
+| header_signature | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The header_signature entity is the signature of the header.
|
+| target_machine_type | [win-def:EntityStatePeTargetMachineType](#EntityStatePeTargetMachineType) (0..1) |
+||The target_machine_type entity is an unsigned 16-bit integer (WORD) that specifies the target architecture that the file is intended for.
|
+| number_of_sections | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||The number_of_sections entity is an unsigned 16-bit integer (WORD) that specifies the number of sections in the file.
|
+| time_date_stamp | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||The time_date_stamp entity is an unsigned 32-bit integer (DWORD) that specifies the time that the linker produced the file. The value is represented as the number of seconds since January 1, 1970, 00:00:00.
|
+| pointer_to_symbol_table | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||The pointer_to_symbol_table entity is an unsigned 32-bit integer (DWORD) that specifies the file offset of the COFF symbol table.
|
+| number_of_symbols | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||The number_of_symbols entity is an unsigned 32-bit integer (DWORD) that specifies the number of symbols in the COFF symbol table.
|
+| size_of_optional_header | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||The size_of_optional_header entity is an unsigned 32-bit integer (DWORD) that specifies the size of an optional header in bytes.
|
+| image_file_relocs_stripped | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||The image_file_relocs_stripped entity is a boolean value that specifies if the relocation information is stripped from the file.
|
+| image_file_executable_image | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||The image_file_executable_image entity is a boolean value that specifies if the file is executable.
|
+| image_file_line_nums_stripped | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||The image_file_line_nums_stripped entity is a boolean value that specifies if the line numbers are stripped from the file.
|
+| image_file_local_syms_stripped | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||The image_file_local_syms_stripped entity is a boolean value that specifies if the local symbols are stripped from the file.
|
+| image_file_aggresive_ws_trim | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||The image_file_aggressive_ws_trim entity is a boolean value that specifies that the working set should be aggressively trimmed.
|
+| image_file_large_address_aware | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||The image_file_large_address_aware entity is a boolean value that specifies that the application can handle addresses larger than 2GB.
|
+| image_file_16bit_machine | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||The image_file_16bit_machine entity is a boolean value that specifies that the computer supports 16-bit words.
|
+| image_file_bytes_reversed_lo | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||The image_file_bytes_reversed_lo entity is a boolean value that specifies that the bytes of the word are reversed.
|
+| image_file_32bit_machine | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||The image_file_32bit_machine entity is a boolean value that specifies that the computer supports 32-bit words.
|
+| image_file_debug_stripped | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||The image_file_debug_stripped entity is a boolean value that specifies that the debugging information is stored separately in a .dbg file.
|
+| image_file_removable_run_from_swap | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||The image_file_removable_run_from_swap entity is a boolean value that specifies that the image is on removable media, copy and run from the swap file.
|
+| image_file_system | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||The image_file_system entity is a boolean value that specifies that the image is a system file.
|
+| image_file_dll | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||The image_file_dll entity is a boolean value that specifies that the image is a DLL.
|
+| image_file_up_system_only | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||The image_file_up_system_only entity is a boolean value that specifies that the file should only be run on a uniprocessor computer.
|
+| image_file_bytes_reveresed_hi | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||The image_file_bytes_reversed_hi entity is a boolean value that specifies that the bytes of the word are reversed.
|
+| magic_number | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||The magic_number entity is an unsigned 16-bit integer (WORD) that specifies the state of the image file.
|
+| major_linker_version | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||The major_linker_version entity is a BYTE that specifies the major version of the linker that produced the file.
|
+| minor_linker_version | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||The minor_linker_version entity is a BYTE that specifies the minor version of the linker that produced the file.
|
+| size_of_code | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||The size_of_code entity is an unsigned 32-bit integer (DWORD) that specifies the total size of all of the code sections.
|
+| size_of_initialized_data | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||The size_of_initialized_data entity is an unsigned 32-bit integer (DWORD) that specifies the total size of all of the sections that are composed of initialized data.
|
+| size_of_uninitialized_data | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||The size_of_uninitialized_data entity is an unsigned 32-bit integer (DWORD) that specifies the total size of all of the sections that are composed of uninitialized data.
|
+| address_of_entry_point | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||The address_of_entry_point entity is an unsigned 32-bit integer (DWORD) that specifies the address where the loader will begin execution.
|
+| base_of_code | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||The base_of_code entity is an unsigned 32-bit integer (DWORD) that specifies the relative virtual address where the file's code section begins.
|
+| base_of_data | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||The base_of_data entity is an unsigned 32-bit integer (DWORD) that specifies the relative virtual address where the file's data section begins.
|
+| image_base_address | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||The image_base_address entity is an unsigned 32-bit integer (DWORD) that specifies the preferred address fo the first byte of the image when it is loaded into memory.
|
+| section_alignment | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||The section_alignment entity is an unsigned 32-bit integer (DWORD) that specifies the alignment of the sections loaded into memory.
|
+| file_alignment | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||The file_alignment entity is an unsigned 32-bit integer (DWORD) that specifies the alignment of the raw data of sections in the image file.
|
+| major_operating_system_version | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||The major_operating_system_version entity is an unsigned 16-bit integer (WORD) that specifies the major version of the operating system required to use this executable.
|
+| minor_operating_system_version | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||The minor_operating_system_version entity is an unsigned 16-bit integer (WORD) that specifies the minor version of the operating system required to use this executable.
|
+| major_image_version | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||The major_image_version entity is an unsigned 16-bit integer (WORD) that specifies the major version number of the image.
|
+| minor_image_version | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||The minor_image_version entity is an unsigned 32-bit integer (DWORD) that specifies the minor version number of the image.
|
+| major_subsystem_version | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||The major_subsystem_version entity is an unsigned 16-bit integer (WORD) that specifies the major version of the subsystem required to run the executable.
|
+| minor_susbsystem_version | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||The minor_subsystem_version entity is an unsigned 16-bit integer (WORD) that specifies the minor version of the subsystem required to run the executable.
|
+| size_of_image | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||The size_of_image entity is an unsigned 32-bit integer (DWORD) that specifies the total size of the image including all of the headers.
|
+| size_of_headers | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||The size_of_headers entity is an unsigned 32-bit integer (DWORD) that specifies the total combined size of the MS-DOS stub, PE header, and the section headers.
|
+| checksum | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||The checksum entity is an unsigned 32-bit integer (DWORD) that specifies the checksum of the image file.
|
+| subsystem | [win-def:EntityStatePeSubsystemType](#EntityStatePeSubsystemType) (0..1) |
+||The subsystem entity is an unsigned 32-bit integer (DWORD) that specifies the type of subsystem that the executable uses for its user interface.
|
+| dll_characteristics | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||The dll_characteristics entity is an unsigned 32-bit integer (DWORD) that specifies the set of flags indicating the circumstances under which a DLL's initialization function will be called..
|
+| size_of_stack_reserve | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||The time_date_stamp entity is an unsigned 32-bit integer (DWORD) that specifies the number of bytes to reserve for the stack.
|
+| size_of_stack_commit | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||The time_date_stamp entity is an unsigned 32-bit integer (DWORD) that specifies the number of bytes to commit for the stack.
|
+| size_of_heap_reserve | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||The time_date_stamp entity is an unsigned 32-bit integer (DWORD) that specifies the number of bytes to reserve for the local heap.
|
+| size_of_heap_commit | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||The time_date_stamp entity is an unsigned 32-bit integer (DWORD) that specifies the number of bytes to commit for the local heap.
|
+| loader_flags | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||The loader_flags entity is an unsigned 32-bit integer (DWORD) that specifies the loader flags of the header.
|
+| number_of_rva_and_sizes | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||The number_of_rva_and_sizes entity is an unsigned 32-bit integer (DWORD) that specifies the number of directory entries in the remainder of the optional header.
|
+| real_number_of_directory_entries | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||The real_number_of_directory_entries entity is the real number of data directory entries in the remainder of the optional header calculated by enumerating the directory entries.
|
+| windows_view | [win-def:EntityStateWindowsViewType](#EntityStateWindowsViewType) (0..1) |
+||The windows view value to which this was targeted. This is used to indicate which view (32-bit or 64-bit), the associated State applies to.
|
+
+______________
+
+## < port_test >
+
+The port test is used to check information about the available ports on a Windows system. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a port_object and the optional state element specifies the port information to check.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..unbounded) |
+|||
+
+## < port_object >
+
+The port_object element is used by a port test to define the specific port(s) to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+A port object defines the local address, port number, and protocol of the port(s).
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| local_address | [oval-def:EntityObjectIPAddressStringType](oval-definitions-schema.md#EntityObjectIPAddressStringType) (1..1) |
+||This element specifies the local IP address the listening port is bound to. Note that the IP address can be IPv4 or IPv6.
|
+| local_port | [oval-def:EntityObjectIntType](oval-definitions-schema.md#EntityObjectIntType) (1..1) |
+||This element specifies the number assigned to the local listening port.
|
+| protocol | [win-def:EntityObjectProtocolType](#EntityObjectProtocolType) (1..1) |
+||This element specifies the type of listening port. It is restricted to either TCP or UDP.
|
+| [oval-def:filter](oval-definitions-schema.md#filter) | n/a (0..unbounded) |
+|||
+
+## < port_state >
+
+The port_state element defines the different metadata associate with a Windows port. This includes the local address, port number, protocol, and pid. Please refer to the individual elements in the schema for more details about what each represents.
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| local_address | [oval-def:EntityStateIPAddressStringType](oval-definitions-schema.md#EntityStateIPAddressStringType) (0..1) |
+||This element specifies the local IP address the listening port is bound to. Note that the IP address can be IPv4 or IPv6.
|
+| local_port | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||This element specifies the number assigned to the local listening port.
|
+| protocol | [win-def:EntityStateProtocolType](#EntityStateProtocolType) (0..1) |
+||This element specifies the type of listening port. It is restricted to either TCP or UDP.
|
+| pid | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||The id given to the process that is associated with the specified listening port.
|
+| foreign_address | [oval-def:EntityStateIPAddressStringType](oval-definitions-schema.md#EntityStateIPAddressStringType) (0..1) |
+||This is the IP address with which the program is communicating, or with which it will communicate, in the case of a listening server. Note that the IP address can be IPv4 or IPv6.
|
+| foreign_port | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||This is the TCP or UDP port to which the program communicates. In the case of a listening program accepting new connections, this is usually '0'.
|
+
+______________
+
+## < printereffectiverights_test >
+
+The printer effective rights test is used to check the effective rights associated with Windows printers. The printereffectiverights_test element extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a printereffectiverights_object and the optional state element specifies the metadata to check.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..unbounded) |
+|||
+
+## < printereffectiverights_object >
+
+
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| behaviors | [win-def:PrinterEffectiveRightsBehaviors](#PrinterEffectiveRightsBehaviors) (0..1) |
+|||
+| printer_name | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The printer_name element describes a printer that a user may have rights on.
|
+| trustee_sid | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The trustee_sid entity identifies a unique SID associated with a user, group, system, or program (such as a Windows service). If an operation other than equals is used to identify matching trustees (i.e. not equal, or a pattern match) then the resulting matches shall be limited to only the trustees referenced in the printer's Security Descriptor. The scope is limited here to ensure that it is possible to avoid unnecessarily resource intensive searches for trustees. Note that the larger scope of all known trustees may be obtained through the use of variables.
|
+| [oval-def:filter](oval-definitions-schema.md#filter) | n/a (0..unbounded) |
+|||
+
+## < printereffectiverights_state >
+
+The printereffectiverights_state element defines the different rights that can be associated with a given printereffectiverights_object. Please refer to the individual elements in the schema for more details about what each represents.
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| printer_name | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||This element specifies the name of the printer.
|
+| trustee_sid | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The trustee_sid element is the unique SID that associated a user, group, system, or program (such as a Windows service).
|
+| standard_delete | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||The right to delete the object.
|
+| standard_read_control | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||The right to read the information in the object's Security Descriptor, not including the information in the SACL.
|
+| standard_write_dac | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||The right to modify the DACL in the object's Security Descriptor.
|
+| standard_write_owner | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||The right to change the owner in the object's Security Descriptor.
|
+| standard_synchronize | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right.
|
+| access_system_security | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Indicates access to a system access control list (SACL).
|
+| generic_read | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Read access.
|
+| generic_write | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Write access.
|
+| generic_execute | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Execute access.
|
+| generic_all | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Read, write, and execute access.
|
+| printer_access_administer | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+|||
+| printer_access_use | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+|||
+| job_access_administer | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+|||
+| job_access_read | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+|||
+
+## == PrinterEffectiveRightsBehaviors ==
+
+The PrinterEffectiveRightsBehaviors complex type defines a number of behaviors that allow a more detailed definition of the pritnereffectiverights_object being specified. Note that using these behaviors may result in some unique results. For example, a double negative type condition might be created where an object entity says include everything except a specific item, but a behavior is used that might then add that item back in.
+
+#### Attributes:
+
+* ~~**include_group** xsd:boolean (optional -- default='true')~~
+'include_group' defines whether the group trustee name should be included in the object when the object is defined by a group trustee name. For example, the intent of an object defined by a group trustee name might be to retrieve all the user trustee names that are members of the group, but not the group trustee name itself.
+* ~~**resolve_group** xsd:boolean (optional -- default='false')~~
+The 'resolve_group' behavior defines whether an object set defined by a group SID should be resolved to return a set that contains all the user SIDs that are a member of that group. Note that all child groups should also be resolved any valid domain users that are members of the group should also be included. The intent of this behavior is to end up with a list of all individual users from that system that make up the group once everything has been resolved.
+
+______________
+
+## < ~~process_test~~ >
+
+> :small_red_triangle: **Deprecated As Of Version 5.8** :small_red_triangle:
**Reason:** The process_test has been deprecated and replaced by the process58_test. The command line of a process cannot be used to uniquely identify a process. As a result, the pid entity was added to the process58_object. Please see the process58_test for additional information.
+
+The process_test is used to check information found in the Windows processes. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a process_object and the optional state element references a process_state element that specifies the process information to check.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..unbounded) |
+|||
+
+## < ~~process_object~~ >
+
+> :small_red_triangle: **Deprecated As Of Version 5.8** :small_red_triangle:
**Reason:** The process_object has been deprecated and replaced by the process58_object. The command line of a process cannot be used to uniquely identify a process. As a result, the pid entity was added to the process58_object. Please see the process58_object for additional information.
+
+The process_object element is used by a process test to define the specific process(es) to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+A process_object defines the command line used to start the process(es).
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| command_line | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The command_line entity is the string used to start the process. This includes any parameters that are part of the command line.
|
+
+## < ~~process_state~~ >
+
+> :small_red_triangle: **Deprecated As Of Version 5.8** :small_red_triangle:
**Reason:** The process_state has been deprecated and replaced by the process58_state. The command line of a process cannot be used to uniquely identify a process. As a result, the pid entity was added to the process58_object. Please see the process58_state for additional information.
+
+The process_state element defines the different metadata associate with a Windows process. This includes the command line, pid, ppid, image path, and current directory. Please refer to the individual elements in the schema for more details about what each represents.
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| command_line | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The command_line entity is the string used to start the process. This includes any parameters that are part of the command line.
|
+| pid | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||The id given to the process that is created for a specified command line.
|
+| ppid | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||The id given to the parent of the process that is created for the specified command line
|
+| priority | Restriction of [oval-def:EntityStateAnySimpleType](oval-definitions-schema.md#EntityStateAnySimpleType) . See schema for details. (0..1) |
+||The base priority of the process. The priority value range is from 0 to 31.
|
+| image_path | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The image_path entity contains the name of the executable file in question.
|
+| current_dir | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The current_directory entity represents the current path to the executable.
|
+
+______________
+
+## < process58_test >
+
+The process58_test is used to check information found in the Windows processes. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a process58_object and the optional state element references a process58_state element that specifies the process information to check.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..unbounded) |
+|||
+
+## < process58_object >
+
+The process58_object element is used by a process58_test to define the specific process(es) to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+A process58_object defines the command line used to start the process(es)and pid.
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| command_line | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The command_line entity is the string used to start the process. This includes any parameters that are part of the command line. Use xsi:nil='true' to disregard (and permit processes with non-existent commane_lines, such as the System process).
|
+| pid | [oval-def:EntityObjectIntType](oval-definitions-schema.md#EntityObjectIntType) (1..1) |
+||The id given to the process that is created for a specified command line.
|
+| [oval-def:filter](oval-definitions-schema.md#filter) | n/a (0..unbounded) |
+|||
+
+## < process58_state >
+
+The process58_state element defines the different metadata associate with a Windows process. This includes the command line, pid, ppid, image path, and current directory. Please refer to the individual elements in the schema for more details about what each represents.
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| command_line | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The command_line entity is the string used to start the process. This includes any parameters that are part of the command line.
|
+| pid | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||The id given to the process that is created for a specified command line.
|
+| ppid | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||The id given to the parent of the process that is created for the specified command line
|
+| priority | Restriction of [oval-def:EntityStateAnySimpleType](oval-definitions-schema.md#EntityStateAnySimpleType) . See schema for details. (0..1) |
+||The base priority of the process. The priority value range is from 0 to 31.
|
+| image_path | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The image_path entity represents the name of the executable file for the process.
|
+| current_dir | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The current_dir entity represents the current path to the executable file for the process.
|
+| creation_time | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||The creation_time entity represents the creation time of the process. The value of this entity represents the FILETIME structure which is a 64-bit value representing the number of 100-nanosecond intervals since January 1, 1601 (UTC). See the GetProcessTimes function lpCreationTime.
|
+| dep_enabled | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||The dep_enabled entity represents whether or not data execution prevention (DEP) is enabled. See the GetProcessDEPPolicy lpFlags.
|
+| primary_window_text | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The primary_window_text entity represents the title of the primary window of the process. See the GetWindowText function.
|
+| name | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The name of the process.
|
+
+______________
+
+## < registry_test >
+
+The registry test is used to check metadata associated with Windows registry key. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a registry_object and the optional state element specifies the registry data to check.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..unbounded) |
+|||
+
+## < registry_object >
+
+
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| behaviors | [win-def:RegistryBehaviors](#RegistryBehaviors) (0..1) |
+|||
+| hive | [win-def:EntityObjectRegistryHiveType](#EntityObjectRegistryHiveType) (1..1) |
+||The hive that the registry key belongs to. This is restricted to a specific set of values: HKEY_CLASSES_ROOT, HKEY_CURRENT_CONFIG, HKEY_CURRENT_USER, HKEY_CURRENT_USER_LOCAL_SETTINGS, HKEY_LOCAL_MACHINE, and HKEY_USERS.
|
+| key | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The key element describes a registry key to be collected. Note that the hive portion of the string should not be included, as this data should be found under the hive element. If the xsi:nil attribute is set to true, then the object being specified is the higher level hive. In this case, the key element should not be collected or used in analysis. Setting xsi:nil equal to true is different than using a .* pattern match. A .* pattern match says to collect every key under a given hive.
|
+| name | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The name element describes the name assigned to a value associated with a specific registry key. If an empty string is specified for the name element, the registry key's default value should be collected. If the xsi:nil attribute is set to true, then the object being specified is the higher level hive/key. In this case, the name element should not be collected or used in analysis. Setting xsi:nil equal to true on an element is different than using a .* pattern match. A .* pattern match says to collect every name under a given hive/key. The most likely use for xsi:nil within a registry object is when checking for the existence of a particular key, without regards to the different names associated with it.
|
+| [oval-def:filter](oval-definitions-schema.md#filter) | n/a (0..unbounded) |
+|||
+
+## < registry_state >
+
+The registry_state element defines the different metadata associate with a Windows registry key. This includes the hive, key, name, type, and value. Please refer to the individual elements in the schema for more details about what each represents.
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| hive | [win-def:EntityStateRegistryHiveType](#EntityStateRegistryHiveType) (0..1) |
+||The hive that the registry key belongs to. This is restricted to a specific set of values: HKEY_CLASSES_ROOT, HKEY_CURRENT_CONFIG, HKEY_CURRENT_USER, HKEY_CURRENT_USER_LOCAL_SETTINGS,HKEY_LOCAL_MACHINE, and HKEY_USERS.
|
+| key | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||This element describes a registry key to be tested. Note that the hive portion of the string should not be inclueded, as this data should be found under the hive element.
|
+| name | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||This element describes the name of a value of a registry key. If the xsi:nil attribute is set to true, then the name element should not be used in analysis.
|
+| last_write_time | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||The last time that the key or any of its value entries were modified. The value of this entity represents the FILETIME structure which is a 64-bit value representing the number of 100-nanosecond intervals since January 1, 1601 (UTC). Last write time can be queried on any key, with hives being classified as a type of key. When collecting only information about a registry hive or key the last write time will be the time the key or any of its entries were modified. When collecting only information about a registry name the last write time will be the time the containing key was modified. Thus when collecting information about a registry name, the last write time does not correlate directly to the specified name. See the RegQueryInfoKey function lpftLastWriteTime.
|
+| type | [win-def:EntityStateRegistryTypeType](#EntityStateRegistryTypeType) (0..1) |
+||The type entity allows a test to be written against the registy type associated with the specified registry key(s). Please refer to the documentation on the EntityStateRegistryTypeType for more information about the different valid individual types.
|
+| value | [oval-def:EntityStateAnySimpleType](oval-definitions-schema.md#EntityStateAnySimpleType) (0..1) |
+||The value entity allows a test to be written against the value held within the specified registry key(s). If the value being tested is of type REG_BINARY, then the datatype attribute should be set to 'binary' and the data represented by the value entity should follow the xsd:hexBinary form. (each binary octet is encoded as two hex digits) If the value being tested is of type REG_DWORD, REG_QWORD, REG_DWORD_LITTLE_ENDIAN, REG_DWORD_BIG_ENDIAN, and REG_QWORD_LITTLE_ENDIAN then the datatype attribute should be set to 'int' and the value entity should represent the data as an unsigned integer. DWORD and QWORD values represnt unsigned 32-bit and 64-bit integers, respectively. If the value being tested is of type REG_EXPAND_SZ, then the datatype attribute should be set to 'string' and the pre-expanded string should be represented by the value entity. If the value being tested is of type REG_MULTI_SZ, then only a single string (one of the multiple strings) should be tested using the value entity with the datatype attribute set to 'string'. In order to test multiple values, multiple OVAL registry tests should be used. If the specified registry key is of type REG_SZ, then the datatype should be 'string' and the value entity should be a copy of the string. If the value being tested is of type REG_LINK, then the datatype attribute should be set to 'string' and the null-terminated Unicode string should be represented by the value entity.
Note that if the intent is to test a version number held in the registry (as a reg_sz) then instead of setting the datatype to 'string', the datatype can be set to 'version'. This allows tools performing the evaluation to know how to perform less than and greater than operations correctly.
|
+| expanded_value | [oval-def:EntityStateAnySimpleType](oval-definitions-schema.md#EntityStateAnySimpleType) (0..1) |
+||For registry values of type REG_EXPAND_SZ, this entity contains the expanded value. Otherwise, it should not exist.
|
+| windows_view | [win-def:EntityStateWindowsViewType](#EntityStateWindowsViewType) (0..1) |
+||The windows view value to which this was targeted. This is used to indicate which view (32-bit or 64-bit), the associated State applies to.
|
+
+## == RegistryBehaviors ==
+
+The RegistryBehaviors complex type defines a number of behaviors that allow a more detailed definition of the registry_object being specified. Note that using these behaviors may result in some unique results. For example, a double negative type condition might be created where an object entity says include everything except a specific item, but a behavior is used that might then add that item back in.
+
+#### Attributes:
+
+* **max_depth** Restriction of xsd:integer (optional -- default='-1')
+'max_depth' defines the maximum depth of recursion to perform when a recurse_direction is specified. A value of '0' is equivalent to no recursion, '1' means to step only one directory level up/down, and so on. The default value is '-1' meaning no limitation. For a 'max_depth' of -1 or any value of 1 or more the starting key must be considered in the recursive search.
+Note that the default recurse_direction behavior is 'none' so even though max_depth specifies no limitation by default, the recurse_direction behavior turns recursion off.
+Note that this behavior only applies with the equality operation on the key entity.
+* **recurse_direction** Restriction of xsd:string (optional -- default='none') ('none', 'up', 'down')
+'recurse_direction' defines the direction, either 'up' to parent keys, or 'down' into child keys to recursively search for registry keys. When recursing up or down, one is limited by the max_depth behavior. Note that it is not an error if max_depth specifies a certain level of recursion and that level does not exist. Recursing should only go as deep as available. The default value is 'none' for no recursion.
+Note that this behavior only applies with the equality operation on the key entity.
+* **windows_view** Restriction of xsd:string (optional -- default='64_bit') ('32_bit', '64_bit')
+64-bit versions of Windows provide an alternate file system and registry views to 32-bit applications. This behavior allows the OVAL Object to specify which view should be examined. This behavior only applies to 64-bit Windows, and must not be applied on other platforms.
+Note that the values have the following meaning: '64_bit' - Indicates that the 64-bit view on 64-bit Windows operating systems must be examined. On a 32-bit system, the Object must be evaluated without applying the behavior. '32_bit' - Indicates that the 32-bit view must be examined. On a 32-bit system, the Object must be evaluated without applying the behavior. It is recommended that the corresponding 'windows_view' entity be set on the OVAL Items that are collected when this behavior is used to distinguish between the OVAL Items that are collected in the 32-bit or 64-bit views.
+
+______________
+
+## < regkeyauditedpermissions53_test >
+
+The registry key audited permissions test is used to check the audit permissions associated with Windows registry keys. Note that the trustee's audited permissions are the audit permissons that the SACL grants to the trustee or to any groups of which the trustee is a member. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a regkeyauditedpermissions53_object and the optional state element specifies the metadata to check.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..unbounded) |
+|||
+
+## < regkeyauditedpermissions53_object >
+
+The regkeyauditedpermissions53_object element is used by a registry key audited permissions test to define the objects used to evalutate against the specified state. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic.
+
+A regkeyauditedpermissions53_object is defined as a combination of a Windows registry key and trustee name. The hive and key elements represents the registry key to be evaluated while the trustee name represents the account (SID) to check audited permissions of. If multiple keys or SIDs are matched by either reference, then each possible combination of registry key and SID is a matching registry key audited permissions object. In addition, a number of behaviors may be provided that help guide the collection of objects. Please refer to the RegkeyAuditPermissions53Behaviors complex type for more information about specific behaviors.
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| behaviors | [win-def:RegkeyAuditPermissions53Behaviors](#RegkeyAuditPermissions53Behaviors) (0..1) |
+|||
+| hive | [win-def:EntityObjectRegistryHiveType](#EntityObjectRegistryHiveType) (1..1) |
+||The hive that the registry key belongs to. This is restricted to a specific set of values: HKEY_CLASSES_ROOT, HKEY_CURRENT_CONFIG, HKEY_CURRENT_USER, HKEY_CURRENT_USER_LOCAL_SETTINGS, HKEY_LOCAL_MACHINE, and HKEY_USERS.
|
+| key | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The key element describes a registry key to be collected. Note that the hive portion of the string should not be included, as this data should be found under the hive element. If the xsi:nil attribute is set to true, then the object being specified is the higher level hive. In this case, the key element should not be collected or used in analysis. Setting xsi:nil equal to true is different than using a .* pattern match. A .* pattern match says to collect every key under a given hive.
|
+| trustee_sid | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The trustee_sid entity identifies a unique SID associated with a user, group, system, or program (such as a Windows service). If an operation other than equals is used to identify matching trustees (i.e. not equal, or a pattern match) then the resulting matches shall be limited to only the trustees referenced in the registry key's Security Descriptor. The scope is limited here to avoid unnecessarily resource intensive searches for trustees. Note that the larger scope of all known trustees may be obtained through the use of variables.
|
+| [oval-def:filter](oval-definitions-schema.md#filter) | n/a (0..unbounded) |
+|||
+
+## < regkeyauditedpermissions53_state >
+
+The regkeyauditedpermissions53_state element defines the different audit permissions that can be associated with a given regkeyauditedpermissions53_object. Please refer to the individual elements in the schema for more details about what each represents.
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| hive | [win-def:EntityStateRegistryHiveType](#EntityStateRegistryHiveType) (0..1) |
+||This element specifies the hive of a registry key on the machine from which to retrieve the SACL.
|
+| key | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||This element specifies a registry key on the machine from which to retrieve the SACL. Note that the hive portion of the string should not be inclueded, as this data should be found under the hive element.
|
+| trustee_sid | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The trustee_sid element is the unique SID that associated a user, group, system, or program (such as a Windows service).
|
+| standard_delete | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||The right to delete the object.
|
+| standard_read_control | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||The right to read the information in the object's Security Descriptor, not including the information in the SACL.
|
+| standard_write_dac | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||The right to modify the DACL in the object's Security Descriptor.
|
+| standard_write_owner | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||The right to change the owner in the object's Security Descriptor.
|
+| ~~standard_synchronize~~ | ~~[win-def:EntityStateAuditType](#EntityStateAuditType) (0..1~~) |
+||~~The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right.
~~|
+| access_system_security | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Indicates access to a system access control list (SACL).
|
+| generic_read | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Read access.
|
+| generic_write | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Write access.
|
+| generic_execute | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Execute access.
|
+| generic_all | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Read, write, and execute access.
|
+| key_query_value | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+|||
+| key_set_value | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+|||
+| key_create_sub_key | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+|||
+| key_enumerate_sub_keys | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+|||
+| key_notify | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+|||
+| key_create_link | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+|||
+| key_wow64_64key | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+|||
+| key_wow64_32key | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+|||
+| key_wow64_res | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+|||
+| windows_view | [win-def:EntityStateWindowsViewType](#EntityStateWindowsViewType) (0..1) |
+||The windows view value to which this was targeted. This is used to indicate which view (32-bit or 64-bit), the associated State applies to.
|
+
+## == RegkeyAuditPermissions53Behaviors ==
+
+The RegkeyAuditPermissions53Behaviors complex type defines a number of behaviors that allow a more detailed definition of the registrykeyauditedpermissions53_object being specified. Note that using these behaviors may result in some unique results. For example, a double negative type condition might be created where an object entity says include everything except a specific item, but a behavior is used that might then add that item back in.
+
+The RegkeyAuditPermissions53Behaviors extend the win-def:RegistryBehaviors and therefore include the behaviors defined by that type.
+
+**Extends:** [win-def:RegistryBehaviors](#RegistryBehaviors)
+
+#### Attributes:
+
+* ~~**include_group** xsd:boolean (optional -- default='true')~~
+'include_group' defines whether the group SID should be included in the object when the object is defined by a group SID. For example, the intent of an object defined by a group SID might be to retrieve all the user SIDs that are a member of the group, but not the group SID itself.
+* ~~**resolve_group** xsd:boolean (optional -- default='false')~~
+The 'resolve_group' behavior defines whether an object set defined by a group SID should be resolved to return a set that contains all the user SIDs that are a member of that group. Note that all child groups should also be resolved any valid domain users that are members of the group should also be included. The intent of this behavior is to end up with a list of all individual users from that system that make up the group once everything has been resolved.
+
+______________
+
+## < ~~regkeyauditedpermissions_test~~ >
+
+> :small_red_triangle: **Deprecated As Of Version 5.3** :small_red_triangle:
**Reason:** Replaced by the regkeyauditedpermissions53_test. This test uses a trustee_name element for identifying trustees. Trustee names are not unique, and a new test was created to use trustee SIDs, which are unique. See the regkeyauditedpermissions53_test.
**Comment:** This test has been deprecated and will be removed in version 6.0 of the language.
+
+The registry key audited permissions test is used to check the audit permissions associated with Windows registry keys. Note that the trustee's audited permissions are the audit permissons that the SACL grants to the trustee or to any groups of which the trustee is a member. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a regkeyauditedpermissions_object and the optional state element specifies the metadata to check.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..unbounded) |
+|||
+
+## < ~~regkeyauditedpermissions_object~~ >
+
+> :small_red_triangle: **Deprecated As Of Version 5.3** :small_red_triangle:
**Reason:** Replaced by the regkeyauditedpermissions53_object. This object uses a trustee_name element for identifying trustees. Trustee names are not unique, and a new object was created to use trustee SIDs, which are unique. See the regkeyauditedpermissions53_object.
**Comment:** This object has been deprecated and will be removed in version 6.0 of the language.
+
+The regkeyauditedpermissions_object element is used by a registry key audited permissions test to define the objects used to evalutate against the specified state. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic.
+
+A regkeyauditedpermissions_object is defined as a combination of a Windows registry key and trustee name. The hive and key elements represents the registry key to be evaluated while the trustee name represents the account (SID) to check audited permissions of. If multiple keys or SIDs are matched by either reference, then each possible combination of file and SID is a matching file audited permissions object. In addition, a number of behaviors may be provided that help guide the collection of objects. Please refer to the RegkeyAuditPermissionsBehaviors complex type for more information about specific behaviors.
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| behaviors | [win-def:RegkeyAuditPermissionsBehaviors](#RegkeyAuditPermissionsBehaviors) (0..1) |
+|||
+| hive | [win-def:EntityObjectRegistryHiveType](#EntityObjectRegistryHiveType) (1..1) |
+||The hive that the registry key belongs to. This is restricted to a specific set of values: HKEY_CLASSES_ROOT, HKEY_CURRENT_CONFIG, HKEY_CURRENT_USER, HKEY_CURRENT_USER_LOCAL_SETTINGS, HKEY_LOCAL_MACHINE, and HKEY_USERS.
|
+| key | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The key element describes a registry key to be collected. Note that the hive portion of the string should not be included, as this data should be found under the hive element.
|
+| trustee_name | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The trustee_name element is the unique name that associated a particular SID. A SID can be associated with a user, group, or program (such as a Windows service). In Windows, trustee names are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, trustee names should be identified in the form: "domain\trustee name". For local trustee names use: "computer name\trustee name". For built-in accounts on the system, use the trustee name without a domain.
|
+
+## < ~~regkeyauditedpermissions_state~~ >
+
+> :small_red_triangle: **Deprecated As Of Version 5.3** :small_red_triangle:
**Reason:** Replaced by the regkeyauditedpermissions53_state. This state uses a trustee_name element for identifying trustees. Trustee names are not unique, and a new state was created to use trustee SIDs, which are unique. See the regkeyauditedpermissions53_state.
**Comment:** This state has been deprecated and will be removed in version 6.0 of the language.
+
+The regkeyauditedpermissions_state element defines the different audit permissions that can be associated with a given regkeyauditedpermissions_object. Please refer to the individual elements in the schema for more details about what each represents.
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| hive | [win-def:EntityStateRegistryHiveType](#EntityStateRegistryHiveType) (0..1) |
+||This element specifies the hive of a registry key on the machine from which to retrieve the SACL.
|
+| key | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||This element specifies a registry key on the machine from which to retrieve the SACL. Note that the hive portion of the string should not be inclueded, as this data should be found under the hive element.
|
+| trustee_name | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The unique name associated with a particular security identifier (SID). In Windows, trustee names are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, trustee names should be identified in the form: "domain\trustee name". For local trustee names use: "computer name\trustee name". For built-in accounts on the system, use the trustee name without a domain.
|
+| standard_delete | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||The right to delete the object.
|
+| standard_read_control | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||The right to read the information in the object's Security Descriptor, not including the information in the SACL.
|
+| standard_write_dac | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||The right to modify the DACL in the object's Security Descriptor.
|
+| standard_write_owner | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||The right to change the owner in the object's Security Descriptor.
|
+| standard_synchronize | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right.
|
+| access_system_security | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Indicates access to a system access control list (SACL).
|
+| generic_read | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Read access.
|
+| generic_write | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Write access.
|
+| generic_execute | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Execute access.
|
+| generic_all | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Read, write, and execute access.
|
+| key_query_value | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+|||
+| key_set_value | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+|||
+| key_create_sub_key | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+|||
+| key_enumerate_sub_keys | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+|||
+| key_notify | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+|||
+| key_create_link | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+|||
+| key_wow64_64key | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+|||
+| key_wow64_32key | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+|||
+| key_wow64_res | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+|||
+| windows_view | [win-def:EntityStateWindowsViewType](#EntityStateWindowsViewType) (0..1) |
+||The windows view value to which this was targeted. This is used to indicate which view (32-bit or 64-bit), the associated State applies to.
|
+
+## == ~~RegkeyAuditPermissionsBehaviors~~ ==
+
+> :small_red_triangle: **Deprecated As Of Version 5.3** :small_red_triangle:
**Reason:** Replaced by the RegkeyAuditPermissionsBehaviors53. The RegkeyAuditPermissionsBehaviors complex type is used by the regkeyauditedpermissions_test which uses a trustee_name element for identifying trustees. Trustee names are not unique, and a new test was created to use trustee SIDs, which are unique. This new test utilizes the RegkeyAuditPermissionsBehaviors53 complex type, and as a result, the RegkeyAuditPermissionsBehaviors complex type is no longer needed.
**Comment:** This complex type has been deprecated and will be removed in version 6.0 of the language.
+
+The RegkeyAuditPermissionsBehaviors complex type defines a number of behaviors that allow a more detailed definition of the registrykeyauditedpermissions_object being specified. Note that using these behaviors may result in some unique results. For example, a double negative type condition might be created where an object entity says include everything except a specific item, but a behavior is used that might then add that item back in.
+
+The RegkeyAuditPermissionsBehaviors extend the win-def:RegistryBehaviors and therefore include the behaviors defined by that type.
+
+**Extends:** [win-def:RegistryBehaviors](#RegistryBehaviors)
+
+#### Attributes:
+
+* ~~**include_group** xsd:boolean (optional -- default='true')~~
+'include_group' defines whether the group trustee name should be included in the object when the object is defined by a group trustee name. For example, the intent of an object defined by a group trustee name might be to retrieve all the user trustee names that are members of the group, but not the group trustee name itself.
+* ~~**resolve_group** xsd:boolean (optional -- default='false')~~
+The 'resolve_group' behavior defines whether an object set defined by a group SID should be resolved to return a set that contains all the user SIDs that are a member of that group. Note that all child groups should also be resolved any valid domain users that are members of the group should also be included. The intent of this behavior is to end up with a list of all individual users from that system that make up the group once everything has been resolved.
+
+______________
+
+## < regkeyeffectiverights53_test >
+
+The registry key effective rights test is used to check the effective rights associated with Windows files. Note that the trustee's effective access rights are the access rights that the DACL grants to the trustee or to any groups of which the trustee is a member. The regkeyeffectiverights53_test element extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a regkeyeffectiverights53_object and the optional state element specifies the metadata to check.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..unbounded) |
+|||
+
+## < regkeyeffectiverights53_object >
+
+The regkeyeffectiverights53_object element is used by a registry key effective rights test to define the objects used to evalutate against the specified state. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic.
+
+A regkeyeffectiverights53_object is defined as a combination of a Windows registry and trustee SID. The key entity represents the registry key to be evaluated while the trustee SID represents the account (SID) to check effective rights of. If multiple files or SIDs are matched by either reference, then each possible combination of registry key and SID is a matching registry key effective rights object. In addition, a number of behaviors may be provided that help guide the collection of objects. Please refer to the RegkeyEffectiveRights53Behaviors complex type for more information about specific behaviors.
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| behaviors | [win-def:RegkeyEffectiveRights53Behaviors](#RegkeyEffectiveRights53Behaviors) (0..1) |
+|||
+| hive | [win-def:EntityObjectRegistryHiveType](#EntityObjectRegistryHiveType) (1..1) |
+||The hive that the registry key belongs to. This is restricted to a specific set of values: HKEY_CLASSES_ROOT, HKEY_CURRENT_CONFIG, HKEY_CURRENT_USER, HKEY_CURRENT_USER_LOCAL_SETTINGS,HKEY_LOCAL_MACHINE, and HKEY_USERS.
|
+| key | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The key element describes a registry key to be collected. Note that the hive portion of the string should not be included, as this data should be found under the hive element. If the xsi:nil attribute is set to true, then the object being specified is the higher level hive. In this case, the key element should not be collected or used in analysis. Setting xsi:nil equal to true is different than using a .* pattern match. A .* pattern match says to collect every key under a given hive.
|
+| trustee_sid | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The trustee_sid entity identifies a unique SID associated with a user, group, system, or program (such as a Windows service). If an operation other than equals is used to identify matching trustees (i.e. not equal, or a pattern match) then the resulting matches shall be limited to only the trustees referenced in the registry key's Security Descriptor. The scope is limited here to avoid unnecessarily resource intensive searches for trustees. Note that the larger scope of all known trustees may be obtained through the use of variables.
|
+| [oval-def:filter](oval-definitions-schema.md#filter) | n/a (0..unbounded) |
+|||
+
+## < regkeyeffectiverights53_state >
+
+The regkeyeffectiverights53_state element defines the different rights that can be associated with a given regkeyeffectiverights53_object. Please refer to the individual elements in the schema for more details about what each represents.
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| hive | [win-def:EntityStateRegistryHiveType](#EntityStateRegistryHiveType) (0..1) |
+||This element specifies the hive of a registry key on the machine from which to retrieve the SACL.
|
+| key | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||This element specifies a registry key on the machine from which to retrieve the SACL. Note that the hive portion of the string should not be inclueded, as this data should be found under the hive element.
|
+| trustee_sid | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The trustee_sid element is the unique SID that associated a user, group, system, or program (such as a Windows service).
|
+| standard_delete | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||The right to delete the object.
|
+| standard_read_control | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||The right to read the information in the object's Security Descriptor, not including the information in the SACL.
|
+| standard_write_dac | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||The right to modify the DACL in the object's Security Descriptor.
|
+| standard_write_owner | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||The right to change the owner in the object's Security Descriptor.
|
+| ~~standard_synchronize~~ | ~~[oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1~~) |
+||~~The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right.
~~|
+| access_system_security | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Indicates access to a system access control list (SACL).
|
+| generic_read | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Read access.
|
+| generic_write | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Write access.
|
+| generic_execute | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Execute access.
|
+| generic_all | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Read, write, and execute access.
|
+| key_query_value | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+|||
+| key_set_value | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+|||
+| key_create_sub_key | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+|||
+| key_enumerate_sub_keys | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+|||
+| key_notify | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+|||
+| key_create_link | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+|||
+| key_wow64_64key | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+|||
+| key_wow64_32key | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+|||
+| key_wow64_res | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+|||
+| windows_view | [win-def:EntityStateWindowsViewType](#EntityStateWindowsViewType) (0..1) |
+||The windows view value to which this was targeted. This is used to indicate which view (32-bit or 64-bit), the associated State applies to.
|
+
+## == RegkeyEffectiveRights53Behaviors ==
+
+The RegkeyEffectiveRights53Behaviors complex type defines a number of behaviors that allow a more detailed definition of the registrykeyeffectiverights53_object being specified. Note that using these behaviors may result in some unique results. For example, a double negative type condition might be created where an object entity says include everything except a specific item, but a behavior is used that might then add that item back in.
+
+The RegkeyEffectiveRights53Behaviors extend the win-def:RegistryBehaviors and therefore include the behaviors defined by that type.
+
+**Extends:** [win-def:RegistryBehaviors](#RegistryBehaviors)
+
+#### Attributes:
+
+* ~~**include_group** xsd:boolean (optional -- default='true')~~
+'include_group' defines whether the group SID should be included in the object when the object is defined by a group SID. For example, the intent of an object defined by a group SID might be to retrieve all the user SIDs that are a member of the group, but not the group SID itself.
+* ~~**resolve_group** xsd:boolean (optional -- default='false')~~
+The 'resolve_group' behavior defines whether an object set defined by a group SID should be resolved to return a set that contains all the user SIDs that are a member of that group. Note that all child groups should also be resolved any valid domain users that are members of the group should also be included. The intent of this behavior is to end up with a list of all individual users from that system that make up the group once everything has been resolved.
+
+______________
+
+## < ~~regkeyeffectiverights_test~~ >
+
+> :small_red_triangle: **Deprecated As Of Version 5.3** :small_red_triangle:
**Reason:** Replaced by the regkeyeffectiverights53_test. This test uses a trustee_name element for identifying trustees. Trustee names are not unique, and a new test was created to use trustee SIDs, which are unique. See the regkeyeffectiverights53_test.
**Comment:** This test has been deprecated and will be removed in version 6.0 of the language.
+
+The registry key effective rights test is used to check the effective rights associated with Windows files. Note that the trustee's effective access rights are the access rights that the DACL grants to the trustee or to any groups of which the trustee is a member. The regkeyeffectiverights_test element extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a regkeyeffectiverights_object and the optional state element specifies the metadata to check.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..unbounded) |
+|||
+
+## < ~~regkeyeffectiverights_object~~ >
+
+> :small_red_triangle: **Deprecated As Of Version 5.3** :small_red_triangle:
**Reason:** Replaced by the regkeyeffectiverights53_object. This object uses a trustee_name element for identifying trustees. Trustee names are not unique, and a new object was created to use trustee SIDs, which are unique. See the regkeyeffectiverights53_object.
**Comment:** This object has been deprecated and will be removed in version 6.0 of the language.
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| behaviors | [win-def:RegkeyEffectiveRightsBehaviors](#RegkeyEffectiveRightsBehaviors) (0..1) |
+|||
+| hive | [win-def:EntityObjectRegistryHiveType](#EntityObjectRegistryHiveType) (1..1) |
+||The hive that the registry key belongs to. This is restricted to a specific set of values: HKEY_CLASSES_ROOT, HKEY_CURRENT_CONFIG, HKEY_CURRENT_USER, HKEY_CURRENT_USER_LOCAL_SETTINGS,HKEY_LOCAL_MACHINE, and HKEY_USERS.
|
+| key | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The key element describes a registry key to be collected. Note that the hive portion of the string should not be included, as this data should be found under the hive element.
|
+| trustee_name | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The trustee_name element is the unique name that associated a particular SID. A SID can be associated with a user, group, or program (such as a Windows service). In Windows, trustee names are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, trustee names should be identified in the form: "domain\trustee name". For local trustee names use: "computer name\trustee name". For built-in accounts on the system, use the trustee name without a domain.
|
+
+## < ~~regkeyeffectiverights_state~~ >
+
+> :small_red_triangle: **Deprecated As Of Version 5.3** :small_red_triangle:
**Reason:** Replaced by the regkeyeffectiverights53_state. This state uses a trustee_name element for identifying trustees. Trustee names are not unique, and a new state was created to use trustee SIDs, which are unique. See the regkeyeffectiverights53_state.
**Comment:** This state has been deprecated and will be removed in version 6.0 of the language.
+
+The regkeyeffectiverights_state element defines the different rights that can be associated with a given regkeyeffectiverights_object. Please refer to the individual elements in the schema for more details about what each represents.
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| hive | [win-def:EntityStateRegistryHiveType](#EntityStateRegistryHiveType) (0..1) |
+||This element specifies the hive of a registry key on the machine from which to retrieve the SACL.
|
+| key | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||This element specifies a registry key on the machine from which to retrieve the SACL. Note that the hive portion of the string should not be inclueded, as this data should be found under the hive element.
|
+| trustee_name | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The unique name associated with a particular security identifier (SID). In Windows, trustee names are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, trustee names should be identified in the form: "domain\trustee name". For local trustee names use: "computer name\trustee name". For built-in accounts on the system, use the trustee name without a domain.
|
+| standard_delete | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||The right to delete the object.
|
+| standard_read_control | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||The right to read the information in the object's Security Descriptor, not including the information in the SACL.
|
+| standard_write_dac | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||The right to modify the DACL in the object's Security Descriptor.
|
+| standard_write_owner | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||The right to change the owner in the object's Security Descriptor.
|
+| standard_synchronize | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right.
|
+| access_system_security | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Indicates access to a system access control list (SACL).
|
+| generic_read | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Read access.
|
+| generic_write | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Write access.
|
+| generic_execute | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Execute access.
|
+| generic_all | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Read, write, and execute access.
|
+| key_query_value | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+|||
+| key_set_value | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+|||
+| key_create_sub_key | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+|||
+| key_enumerate_sub_keys | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+|||
+| key_notify | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+|||
+| key_create_link | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+|||
+| key_wow64_64key | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+|||
+| key_wow64_32key | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+|||
+| key_wow64_res | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+|||
+| windows_view | [win-def:EntityStateWindowsViewType](#EntityStateWindowsViewType) (0..1) |
+||The windows view value to which this was targeted. This is used to indicate which view (32-bit or 64-bit), the associated State applies to.
|
+
+## == ~~RegkeyEffectiveRightsBehaviors~~ ==
+
+> :small_red_triangle: **Deprecated As Of Version 5.3** :small_red_triangle:
**Reason:** Replaced by the RegkeyEffectiveRightsBehaviors53. The RegkeyEffectiveRightsBehaviors complex type is used by the regkeyeffectiverights_test which uses a trustee_name element for identifying trustees. Trustee names are not unique, and a new test was created to use trustee SIDs, which are unique. This new test utilizes the RegkeyEffectiveRightsBehaviors53 complex type, and as a result, the RegkeyEffectiveRightsBehaviors complex type is no longer needed.
**Comment:** This complex type has been deprecated and will be removed in version 6.0 of the language.
+
+The RegkeyEffectiveRightsBehaviors complex type defines a number of behaviors that allow a more detailed definition of the registrykeyeffectiverights_object being specified. Note that using these behaviors may result in some unique results. For example, a double negative type condition might be created where an object entity says include everything except a specific item, but a behavior is used that might then add that item back in.
+
+The RegkeyEffectiveRightsBehaviors extend the win-def:RegistryBehaviors and therefore include the behaviors defined by that type.
+
+**Extends:** [win-def:RegistryBehaviors](#RegistryBehaviors)
+
+#### Attributes:
+
+* ~~**include_group** xsd:boolean (optional -- default='true')~~
+'include_group' defines whether the group trustee name should be included in the object when the object is defined by a group trustee name. For example, the intent of an object defined by a group trustee name might be to retrieve all the user trustee names that are members of the group, but not the group trustee name itself.
+* ~~**resolve_group** xsd:boolean (optional -- default='false')~~
+The 'resolve_group' behavior defines whether an object set defined by a group SID should be resolved to return a set that contains all the user SIDs that are a member of that group. Note that all child groups should also be resolved any valid domain users that are members of the group should also be included. The intent of this behavior is to end up with a list of all individual users from that system that make up the group once everything has been resolved.
+
+______________
+
+## < service_test >
+
+The service_test is used to check metadata associated with Windows services. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a service_object and the optional state elements specify the metadata to check.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..unbounded) |
+|||
+
+## < service_object >
+
+The service_object element is used by a service_test to define the specific service(s) to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| service_name | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The service_name element specifies the service name as stored in the Service Control Manager (SCM) database on the system.
|
+| [oval-def:filter](oval-definitions-schema.md#filter) | n/a (0..unbounded) |
+|||
+
+## < service_state >
+
+The service_state element defines the different metadata associated with a Windows service. This includes the service name, display name, description, type, start type, current state, controls accepted, start name, path, pid, service flag, and dependencies. Please refer to the individual elements in the schema for more details about what each represents.
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| service_name | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The service_name element specifies the name of the service as specified in the Service Control Manager (SCM) database.
|
+| display_name | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The display_name element specifies the name of the service as specified in tools such as Control Panel->Administrative Tools->Services.
|
+| description | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The description element specifies the description of the service.
|
+| service_type | [win-def:EntityStateServiceTypeType](#EntityStateServiceTypeType) (0..1) |
+||The service_type element specifies the type of the service.
|
+| start_type | [win-def:EntityStateServiceStartTypeType](#EntityStateServiceStartTypeType) (0..1) |
+||The start_type element specifies when the service should be started.
|
+| current_state | [win-def:EntityStateServiceCurrentStateType](#EntityStateServiceCurrentStateType) (0..1) |
+||The current_state element specifies the current state of the service.
|
+| controls_accepted | [win-def:EntityStateServiceControlsAcceptedType](#EntityStateServiceControlsAcceptedType) (0..1) |
+||The controls_accepted element specifies the control codes that a service will accept and process.
|
+| start_name | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The start_name element specifies the account under which the process should run.
|
+| path | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The path element specifies the path to the binary of the service.
|
+| pid | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||The pid element specifies the process ID of the service.
|
+| service_flag | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||The service_flag element specifies if the service is in a system process that must always run (1) or if the service is in a non-system process or is not running (0). If the service is not running, the pid will be 0. Otherwise, the pid will be non-zero.
|
+| dependencies | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The dependencies element specifies the dependencies of this service on other services.
|
+
+______________
+
+## < serviceeffectiverights_test >
+
+The service effective rights test is used to check the effective rights associated with Windows services. Note that the trustee's effective access rights are the access rights that the DACL grants to the trustee or to any groups of which the trustee is a member. The serviceeffectiverights_test element extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a serviceeffectiverights_object and the optional state element specifies the metadata to check.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..unbounded) |
+|||
+
+## < serviceeffectiverights_object >
+
+The serviceeffectiverights_object element is used by the serviceeffectiverights_test to define the objects used to evalutate against the specified state. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic.
+
+A serviceeffectiverights_object is defined as a combination of a Windows service_name and trustee_sid. The service_name entity represents the service to be evaluated while the trustee_sid entity represents the account (SID) to check the effective rights of. If multiple services or SIDs are matched by either reference, then each possible combination of service and SID is a matching service effective rights object.
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| behaviors | [win-def:ServiceEffectiveRightsBehaviors](#ServiceEffectiveRightsBehaviors) (0..1) |
+|||
+| service_name | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The service_name element describes a service to be collected. Note that the service_name element should contain the actual name of the service and not its display name that is found in Control Panel->Administrative Tools->Services. For example, if you wanted to check the effective rights of the Automatic Updates service you would specify 'wuauserv' for the service_name element not 'Automatic Updates'.
|
+| trustee_sid | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The trustee_sid entity identifies a set of SIDs associated with a user, group, system, or program (such as a Windows service). If an operation other than equals is used to identify matching trustees (i.e. not equal, or a pattern match) then the resulting matches shall be limited to only the trustees referenced in the service's Security Descriptor. The scope is limited here to avoid unnecessarily resource intensive searches for trustees. Note that the larger scope of all known trustees may be obtained through the use of variables.
|
+| [oval-def:filter](oval-definitions-schema.md#filter) | n/a (0..unbounded) |
+|||
+
+## < serviceeffectiverights_state >
+
+The serviceeffectiverights_state element defines the different rights that can be associated with a given serviceeffectiverights_object. Please refer to the individual elements in the schema for more details about what each represents.
+
+See http://support.microsoft.com/kb/914392 for more information.
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| service_name | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The service_name element specifies a service on the machine from which to retrieve the DACL. Note that the service_name element should contain the actual name of the service and not its display name that is found in Control Panel->Administrative Tools->Services. For example, if you wanted to check the effective rights of the Automatic Updates service you would specify 'wuauserv' for the service_name element not 'Automatic Updates'.
|
+| trustee_sid | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The trustee_sid element is the unique SID that is associated with a user, group, system, or program (such as a Windows service).
|
+| standard_delete | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||This permission is required to call the DeleteService function to delete the service.
|
+| standard_read_control | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||This permission is required to call the QueryServiceObjectSecurity function to query the Security Descriptor of the service object.
|
+| standard_write_dac | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||This permission is required to call the SetServiceObjectSecurity function to modify the DACL member of the service object's Security Descriptor.
|
+| standard_write_owner | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||This permission is required to call the SetServiceObjectSecurity function to modify the Owner and Group members of the service object's Security Descriptor.
|
+| generic_read | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Read access (STANDARD_RIGHTS_READ, SERVICE_QUERY_CONFIG, SERVICE_QUERY_STATUS, SERVICE_INTERROGATE, SERVICE_ENUMERATE_DEPENDENTS).
|
+| generic_write | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Write access (STANDARD_RIGHTS_WRITE, SERVICE_CHANGE_CONFIG).
|
+| generic_execute | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Execute access (STANDARD_RIGHTS_EXECUTE, SERVICE_START, SERVICE_STOP, SERVICE_PAUSE_CONTINUE, SERVICE_USER_DEFINED_CONTROL).
|
+| service_query_conf | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||This permission is required to call the QueryServiceConfig and QueryServiceConfig2 functions to query the service configuration.
|
+| service_change_conf | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||This permission is required to call the ChangeServiceConfig or ChangeServiceConfig2 function to change the service configuration.
|
+| service_query_stat | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||This permission is required to call the QueryServiceStatusEx function to ask the service control manager about the status of the service.
|
+| service_enum_dependents | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||This permission is required to call the EnumDependentServices function to enumerate all the services dependent on the service.
|
+| service_start | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||This permission is required to call the StartService function to start the service.
|
+| service_stop | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||This permission is required to call the ControlService function to stop the service.
|
+| service_pause | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||This permission is required to call the ControlService function to pause or continue the service.
|
+| service_interrogate | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||This permission is required to call the ControlService function to ask the service to report its status immediately.
|
+| service_user_defined | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||This permission is required to call the ControlService function to specify a user-defined control code.
|
+
+## == ServiceEffectiveRightsBehaviors ==
+
+The ServiceEffectiveRightsBehaviors complex type defines a number of behaviors that allow a more detailed definition of the serviceeffectiverights_object being specified. Note that using these behaviors may result in some unique results. For example, a double negative type condition might be created where an object entity says include everything except a specific item, but a behavior is used that might then add that item back in.
+
+#### Attributes:
+
+* ~~**include_group** xsd:boolean (optional -- default='true')~~
+'include_group' defines whether the group trustee sid should be included in the object when the object is defined by a group trustee sid. For example, the intent of an object defined by a group trustee sid might be to retrieve all the user trustee sids that are members of the group, but not the group trustee sid itself.
+* ~~**resolve_group** xsd:boolean (optional -- default='false')~~
+The 'resolve_group' behavior defines whether an object set defined by a group SID should be resolved to return a set that contains all the user SIDs that are a member of that group. Note that all child groups should also be resolved any valid domain users that are members of the group should also be included. The intent of this behavior is to end up with a list of all individual users from that system that make up the group once everything has been resolved.
+
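Review bot: the resolve_group text in ServiceEffectiveRightsBehaviors runs two sentences together: "Note that all child groups should also be resolved any valid domain users that are members of the group should also be included." needs an "and" (or a full stop) before "any valid domain users". Both attributes in this block are rendered struck through, presumably marking them deprecated, but neither entry says so or names what replaces them; a content author reading only this table cannot tell whether group expansion is still available, so add a deprecation sentence to each entry. "may result in some unique results" is vague; "may produce unexpected results" says what the double-negative example actually warns about. One documentation strength worth keeping: the generic_read, generic_write and generic_execute rows here spell out the constituent rights (for example "STANDARD_RIGHTS_WRITE, SERVICE_CHANGE_CONFIG"), which the shared resource tables further down do not.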
+______________
+
+## < sharedresource_test >
+
+The shared resource test is used to check properties associated with any shared resource on the system. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a sharedresource_object and the optional state element specifies the metadata to check.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..unbounded) |
+|||
+
+## < sharedresource_object >
+
+The sharedresource_object element is used by a shared resource test to define the object, in this case a shared resource, to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+An shared resource object consists of a single netname entity that identifies a specific shared resource.
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| netname | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The netname element is the unique name that is associated with a specific shared resource.
|
+| [oval-def:filter](oval-definitions-schema.md#filter) | n/a (0..unbounded) |
+|||
+
+## < sharedresource_state >
+
+The sharedresource_state element defines the different metadata associated with a Windows shared resource. This includes the share type, permissions, and max uses. This state mirrors the SHARE_INFO_2 structure. Please refer to the individual elements in the schema for more details about what each represents.
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| netname | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||This element specifies the name associated with a particular shared resource.
|
+| shared_type | [win-def:EntityStateSharedResourceTypeType](#EntityStateSharedResourceTypeType) (0..1) |
+||The type of the shared resource.
|
+| max_uses | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||The maximum number of concurrent connections that the shared resource can accommodate.
|
+| current_uses | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||The number of current connections to the resource.
|
+| local_path | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The local path for the shared resource.
|
+| access_read_permission | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Permission to read data from a resource and, by default, to execute the resource.
|
+| access_write_permission | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Permission to write data to the resource.
|
+| access_create_permission | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Permission to create an instance of the resource (such as a file); data can be written to the resource as the resource is created.
|
+| access_exec_permission | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Permission to execute the resource.
|
+| access_delete_permission | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Permission to delete the resource.
|
+| access_atrib_permission | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Permission to modify the resource's attributes (such as the date and time when a file was last modified).
|
+| access_perm_permission | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Permission to modify the permissions (read, write, create, execute, and delete) assigned to a resource for a user or application.
|
+| access_all_permission | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Permission to read, write, create, execute, and delete resources, and to modify their attributes and permissions.
|
+
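Review bot: "An shared resource object consists of a single netname entity" should read "A shared resource object". More important for readers, the access_*_permission rows of sharedresource_state document the permission bits of the SHARE_INFO_2 structure the state says it mirrors, but nothing explains how those bits relate to the DACL-derived rights exposed by sharedresourceeffectiverights_state further down; a one-sentence cross-reference here would stop authors from using these flags to check which trustees can reach a share. The element name access_atrib_permission is presumably the schema's real name and must stay, but its description should spell out "attributes" so the spelling is not mistaken for a documentation typo.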
+______________
+
+## < sharedresourceauditedpermissions_test >
+
+The shared resource audited permissions test is used to check the audit permissions associated with any shared resource on the system. Note that the trustee's audited permissions are the audit permissons that the SACL grants to the trustee or to any groups of which the trustee is a member. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a sharedresourceauditedpermissions_object and the optional state element specifies the metadata to check.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..unbounded) |
+|||
+
+## < sharedresourceauditedpermissions_object >
+
+The sharedresourceauditedpermissions_object element is used by a shared resource audited permissions test to define the objects used to evaluate against the specified state. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic.
+
+A shared resource audited permissions object consists of a netname entity that identifies a specific shared resource and a trustee_sid entity that identifies a specific account (SID) to check the audited permissions of.
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| behaviors | [win-def:SharedResourceAuditedPermissionsBehaviors](#SharedResourceAuditedPermissionsBehaviors) (0..1) |
+|||
+| netname | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The netname element is the unique name that is associated with a specific shared resource.
|
+| trustee_sid | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The trustee_sid entity identifies a unique SID associated with a user, group, system, or program (such as a Windows service). If an operation other than equals is used to identify matching trustees (i.e. not equal, or a pattern match) then the resulting matches shall be limited to only the trustees referenced in the file's Security Descriptor. The scope is limited here to avoid unnecessarily resource intensive searches for trustees. Note that the larger scope of all known trustees may be obtained through the use of variables.
|
+| [oval-def:filter](oval-definitions-schema.md#filter) | n/a (0..unbounded) |
+|||
+
+## < sharedresourceauditedpermissions_state >
+
+The sharedresourceauditedpermissions_state element defines the different audited permissions that can be associated with a given sharedresourceauditedpermissions_object. Please refer to the individual elements in the schema for more details about what each represents.
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| netname | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||This element specifies the name associated with a particular shared resource.
|
+| trustee_sid | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The trustee_sid element is the unique SID that associated a user, group, system, or program (such as a Windows service).
|
+| standard_delete | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||The right to delete the object.
|
+| standard_read_control | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||The right to read the information in the object's Security Descriptor, not including the information in the SACL.
|
+| standard_write_dac | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||The right to modify the DACL in the object's Security Descriptor.
|
+| standard_write_owner | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||The right to change the owner in the object's Security Descriptor.
|
+| standard_synchronize | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right.
|
+| access_system_security | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Indicates access to a system access control list (SACL).
|
+| generic_read | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Read access.
|
+| generic_write | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Write access.
|
+| generic_execute | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Execute access.
|
+| generic_all | [win-def:EntityStateAuditType](#EntityStateAuditType) (0..1) |
+||Read, write, and execute access.
|
+
+## == SharedResourceAuditedPermissionsBehaviors ==
+
+The SharedResourceAuditedPermissionsBehaviors complex type defines a behavior that allows for a more detailed definition of the sharedresourceauditedpermissions_object being specified. Note that using this behavior may result in some unique results. For example, a double negative type condition might be created where an object entity says include everything except a specific item, but a behavior is used that might then add that item back in.
+
+#### Attributes:
+
+* ~~**include_group** xsd:boolean (optional -- default='true')~~
+'include_group' defines whether the group SID should be included in the object when the object is defined by a group SID. For example, the intent of an object defined by a group SID might be to retrieve all the user SIDs that are a member of the group, but not the group SID itself.
+
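Review bot: the trustee_sid description in sharedresourceauditedpermissions_object says matches are "limited to only the trustees referenced in the file's Security Descriptor", but this object identifies a shared resource by netname, not a file; the sentence was evidently carried over from the file tests and should say the shared resource's Security Descriptor. Smaller points in the same region: "audit permissons" in the test description; the state's trustee_sid row "the unique SID that associated a user" should be "the unique SID that is associated with a user" (the object's row above already has the correct wording); and generic_all is described as "Read, write, and execute access" while the same table separately lists standard_delete, standard_write_dac and standard_write_owner, so the entry should state whether generic_all covers those standard rights as well.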
+______________
+
+## < sharedresourceeffectiverights_test >
+
+The shared resource effective rights test is used to check the effective rights associated with any shared resource on the system. Note that the trustee's effective access rights are the access rights that the DACL grants to the trustee or to any groups of which the trustee is a member. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a sharedresourceeffectiverights_object and the optional state element specifies the metadata to check.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..unbounded) |
+|||
+
+## < sharedresourceeffectiverights_object >
+
+The sharedresourceeffectiverights_object element is used by a shared resource effective rights test to define the object, in this case a shared resource effective rights object, to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+A shared resource effective rights object consists of a netname entity that identifies a specific shared resource and a trustee_sid entity that identifies a specific account (SID) to check the effective rights of.
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| behaviors | [win-def:SharedResourceEffectiveRightsBehaviors](#SharedResourceEffectiveRightsBehaviors) (0..1) |
+|||
+| netname | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The netname element is the unique name that is associated with a specific shared resource.
|
+| trustee_sid | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The trustee_sid entity identifies a unique SID associated with a user, group, system, or program (such as a Windows service). If an operation other than equals is used to identify matching trustees (i.e. not equal, or a pattern match) then the resulting matches shall be limited to only the trustees referenced in the file's Security Descriptor. The scope is limited here to avoid unnecessarily resource intensive searches for trustees. Note that the larger scope of all known trustees may be obtained through the use of variables.
|
+| [oval-def:filter](oval-definitions-schema.md#filter) | n/a (0..unbounded) |
+|||
+
+## < sharedresourceeffectiverights_state >
+
+The sharedresourceeffectiverights_state element defines the different rights that can be associated with a given sharedresourceeffectiverights_object. Please refer to the individual elements in the schema for more details about what each represents.
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| netname | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||This element specifies the name associated with a particular shared resource.
|
+| trustee_sid | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The trustee_sid element is the unique SID that associated a user, group, system, or program (such as a Windows service).
|
+| standard_delete | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||The right to delete the object.
|
+| standard_read_control | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||The right to read the information in the object's Security Descriptor, not including the information in the SACL.
|
+| standard_write_dac | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||The right to modify the DACL in the object's Security Descriptor.
|
+| standard_write_owner | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||The right to change the owner in the object's Security Descriptor.
|
+| standard_synchronize | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right.
|
+| access_system_security | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Indicates access to a system access control list (SACL).
|
+| generic_read | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Read access.
|
+| generic_write | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Write access.
|
+| generic_execute | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Execute access.
|
+| generic_all | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Read, write, and execute access.
|
+
+## == SharedResourceEffectiveRightsBehaviors ==
+
+The SharedResourceEffectiveRightsBehaviors complex type defines a behavior that allows for a more detailed definition of the sharedresourceeffectiverights_object being specified. Note that using this behavior may result in some unique results. For example, a double negative type condition might be created where an object entity says include everything except a specific item, but a behavior is used that might then add that item back in.
+
+#### Attributes:
+
+* ~~**include_group** xsd:boolean (optional -- default='true')~~
+'include_group' defines whether the group SID should be included in the object when the object is defined by a group SID. For example, the intent of an object defined by a group SID might be to retrieve all the user SIDs that are a member of the group, but not the group SID itself.
+
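Review bot: the same copy-paste problem as in the audited permissions object appears in sharedresourceeffectiverights_object: the trustee_sid scope sentence refers to "the file's Security Descriptor" although the object is a shared resource identified by netname. The state's trustee_sid row again reads "the unique SID that associated a user", and its generic_all row again says only "Read, write, and execute access" beside separately listed standard_* rights; fix these in step with the audited permissions section so the two tables stay parallel. SharedResourceEffectiveRightsBehaviors defines only a struck-through include_group, whereas ServiceEffectiveRightsBehaviors above also defines resolve_group; if that asymmetry is intended, one sentence saying so would keep readers from assuming the attribute was dropped from the documentation by mistake.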
+______________
+
+## < sid_test >
+
+The SID test is used to check properties associated with the specified SID. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a sid_object and the optional state element specifies the metadata to check.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..unbounded) |
+|||
+
+## < sid_object >
+
+The sid_object element is used by a sid_test to define the object set, in this case a set of SIDs (identified by name), to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| behaviors | [win-def:SidBehaviors](#SidBehaviors) (0..1) |
+|||
+| trustee_name | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The trustee_name element is the unique name that associated a particular SID. A SID can be associated with a user, group, or program (such as a Windows service). In Windows, trustee names are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, trustee names should be identified in the form: "domain\trustee name". For local trustee names use: "computer name\trustee name". For built-in accounts on the system, use the trustee name without a domain.
|
+| [oval-def:filter](oval-definitions-schema.md#filter) | n/a (0..unbounded) |
+|||
+
+## < sid_state >
+
+The sid_state element defines the different metadata associate with a Windows trustee (identified by name). Please refer to the individual elements in the schema for more details about what each represents.
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| trustee_name | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||This element specifies the trustee name associated with a particular SID. In Windows, trustee names are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, trustee names should be identified in the form: "domain\trustee name". For local trustee names use: "computer name\trustee name". For built-in accounts on the system, use the trustee name without a domain.
|
+| trustee_sid | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The security identifier (SID) of the specified trustee name.
|
+| trustee_domain | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The domain of the specified trustee name.
|
+
+## == SidBehaviors ==
+
+The SidBehaviors complex type defines a number of behaviors that allow a more detailed definition of the sid_object being specified. Note that using these behaviors may result in some unique results. For example, a double negative type condition might be created where an object entity says include everything except a specific item, but a behavior is used that might then add that item back in.
+
+#### Attributes:
+
+* **include_group** xsd:boolean (optional -- default='true')
+'include_group' defines whether the group SID should be included in the object when the object is defined by a group SID. For example, the intent of an object defined by a group SID might be to retrieve all the user SIDs that are a member of the group, but not the group SID itself.
+* **resolve_group** xsd:boolean (optional -- default='false')
+The 'resolve_group' behavior defines whether an object set defined by a group SID should be resolved to return a set that contains all the user SIDs that are a member of that group. Note that all child groups should also be resolved any valid domain users that are members of the group should also be included. The intent of this behavior is to end up with a list of all individual users from that system that make up the group once everything has been resolved.
+
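Review bot: three wording errors in the sid section: the object's trustee_name row "the unique name that associated a particular SID" should be "the unique name associated with a particular SID"; sid_state "defines the different metadata associate with a Windows trustee" should be "associated with"; and the resolve_group text in SidBehaviors runs two sentences together ("should also be resolved any valid domain users ..."), exactly as in ServiceEffectiveRightsBehaviors above. The trustee_name guidance (domain\trustee name, computer name\trustee name, bare name for built-in accounts) is repeated verbatim in the object and state rows; since the object row is the one authors consult, the state row could refer to it instead of duplicating it, which also prevents the two copies from drifting apart.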
+______________
+
+## < sid_sid_test >
+
+The sid_sid_test is used to check properties associated with the specified SID. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a sid_sid_object and the optional state element specifies the metadata to check.
+
+Note that this sid_sid test was added in version 5.4 as a temporary fix. There is a need within the community to identify things like users and groups by both the name and the SID. For version 6 of OVAL, work is underway for a better solution to the problem, but for now, a second test was added to satisfy the need.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..unbounded) |
+|||
+
+## < sid_sid_object >
+
+The sid_sid_object element is used by a sid_sid_test to define the object set, in this case a set of SIDs, to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| behaviors | [win-def:SidSidBehaviors](#SidSidBehaviors) (0..1) |
+|||
+| trustee_sid | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The trustee_sid entity identifies a unique SID associated with a user, group, system, or program (such as a Windows service).
|
+| [oval-def:filter](oval-definitions-schema.md#filter) | n/a (0..unbounded) |
+|||
+
+## < sid_sid_state >
+
+The sid_state element defines the different metadata associate with a Windows trustee (identified by SID). Please refer to the individual elements in the schema for more details about what each represents.
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| trustee_sid | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The security identifier (SID) of the specified trustee name.
|
+| trustee_name | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||This element specifies the trustee name associated with a particular SID. In Windows, trustee names are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, trustee names should be identified in the form: "domain\trustee name". For local trustee names use: "computer name\trustee name". For built-in accounts on the system, use the trustee name without a domain.
|
+| trustee_domain | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The domain of the specified trustee name.
|
+
+## == SidSidBehaviors ==
+
+The SidSidBehaviors complex type defines a number of behaviors that allow a more detailed definition of the sid_sid_object being specified. Note that using these behaviors may result in some unique results. For example, a double negative type condition might be created where an object entity says include everything except a specific item, but a behavior is used that might then add that item back in.
+
+#### Attributes:
+
+* **include_group** xsd:boolean (optional -- default='true')
+'include_group' defines whether the group SID should be included in the object when the object is defined by a group SID. For example, the intent of an object defined by a group SID might be to retrieve all the user SIDs that are a member of the group, but not the group SID itself.
+* **resolve_group** xsd:boolean (optional -- default='false')
+The 'resolve_group' behavior defines whether an object set defined by a group SID should be resolved to return a set that contains all the user SIDs that are a member of that group. Note that all child groups should also be resolved any valid domain users that are members of the group should also be included. The intent of this behavior is to end up with a list of all individual users from that system that make up the group once everything has been resolved.
+
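Review bot: sid_sid_state's description begins "The sid_state element defines ...", which names the wrong element; it should be sid_sid_state. Its trustee_sid row, "The security identifier (SID) of the specified trustee name.", is also inherited from sid_state and is backwards here: in this test the SID is what the object specifies and the trustee name is what gets resolved from it, so the two rows should say so. The sid_sid_test note still calls the test "a temporary fix" added in version 5.4 pending "version 6 of OVAL"; if that plan is no longer current, the note should state the present status so authors know whether to rely on this test. The resolve_group run-on in SidSidBehaviors has the same missing "and" as the other two copies.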
+______________
+
+## < systemmetric_test >
+
+The system metric test is used to check the value of a particular Windows system metric. Access to this information is exposed by the GetSystemMetrics function in User32.dll.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..unbounded) |
+|||
+
+## < systemmetric_object >
+
+The system metric object element is used by a system metric test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| index | [win-def:EntityObjectSystemMetricIndexType](#EntityObjectSystemMetricIndexType) (1..1) |
+||The index entity provides the system metric index value that is desired.
|
+| [oval-def:filter](oval-definitions-schema.md#filter) | n/a (0..unbounded) |
+|||
+
+## < systemmetric_state >
+
+The system metric state element defines the different information that can be found in a Windows system metric value. Please refer to the individual elements in the schema for more details about what each represents.
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| index | [win-def:EntityStateSystemMetricIndexType](#EntityStateSystemMetricIndexType) (0..1) |
+||The index entity corresponds to the systemmetric_object index entity.
|
+| value | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||The optional value entity provides the value of the system metric that is expected.
|
+
+______________
+
+## < uac_test >
+
+The user access control test is used to check setting related to User Access Control within Windows. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a uaac_object and the optional state element specifies the metadata to check.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..unbounded) |
+|||
+
+## < uac_object >
+
+The uac_object element is used by a user access control test to define those objects to evaluate based on a specified state. There is actually only one object relating to user access control and this is the system as a whole. Therefore, there are no child entities defined. Any OVAL Test written to check user access control settings will reference the same uac_object which is basically an empty object element.
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+## < uac_state >
+
+The uac_state element specifies the different settings that are available under User Access Control. A user access control test will reference a specific instance of this state that defines the exact settings that need to be evaluated. Please refer to the individual elements in the schema for more details about what each represents.
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| admin_approval_mode | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Admin Approval Mode for the Built-in Administrator account.
|
+| elevation_prompt_admin | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||Behavior of the elevation prompt for administrators in Admin Approval Mode.
|
+| elevation_prompt_standard | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||Behavior of the elevation prompt for standard users.
|
+| detect_installations | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Detect application installations and prompt for elevation.
|
+| elevate_signed_executables | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Only elevate executables that are signed and validated.
|
+| elevate_uiaccess | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Only elevate UIAccess applications that are installed in secure locations.
|
+| run_admins_aam | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Run all administrators in Admin Approval Mode.
|
+| secure_desktop | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Switch to the secure desktop when prompting for elevation.
|
+| virtualize_write_failures | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Virtualize file and registry write failures to per-user locations.
|
+
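Review bot: the uac_test description refers to a "uaac_object", which is not defined anywhere in this schema; the object element introduced directly below is uac_object, so the sentence should read "The required object element references a uac_object". The same paragraph has "check setting related to User Access Control", which should be "check settings".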
+______________
+
+## < ~~user_test~~ >
+
+> :small_red_triangle: **Deprecated As Of Version 5.11** :small_red_triangle:
**Reason:** Replaced by the user_sid55_test. This test uses trustee names for identifying accounts on the system. Trustee names are not unique and the user_sid55_test, which uses trustee SIDs which are unique, should be used instead. See the user_sid55_test.
**Comment:** This test has been deprecated and will be removed in version 6.0 of the language.
+
+The user_test is used to check information about Windows users. When the user_test collects the users on the system, it should only include the local and built-in user accounts and not domain user accounts. However, it is important to note that domain user accounts can still be looked up. Also, note that the collection of groups, for which a user is a member, is not recursive. The only groups that will be collected are those for which the user is a direct member. For example, if a user is a member of group A, and group A is a member of group B, the only group that will be collected is group A. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a user_object and the optional state element specifies the metadata to check.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..unbounded) |
+|||
+
+## < ~~user_object~~ >
+
+> :small_red_triangle: **Deprecated As Of Version 5.11** :small_red_triangle:
**Reason:** Replaced by the user_sid55_object. This object uses trustee names for identifying accounts on the system. Trustee names are not unique and the user_sid55_object, which uses trustee SIDs which are unique, should be used instead. See the user_sid55_object.
**Comment:** This object has been deprecated and will be removed in version 6.0 of the language.
+
+
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| user | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The user entity holds a string that represents the name of a particular user. In Windows, user names are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, users should be identified in the form: "domain\user name". For local users use: "computer name\user name". For built-in accounts on the system, use the user name without a domain.
|
+| [oval-def:filter](oval-definitions-schema.md#filter) | n/a (0..unbounded) |
+|||
+
+## < ~~user_state~~ >
+
+> :small_red_triangle: **Deprecated As Of Version 5.11** :small_red_triangle:
**Reason:** Replaced by the user_sid55_state. This state uses trustee names for identifying accounts on the system. Trustee names are not unique and the user_sid55_state, which uses trustee SIDs which are unique, should be used instead. See the user_sid55_state.
**Comment:** This state has been deprecated and will be removed in version 6.0 of the language.
+
+The user_state element enumerates the different groups (identified by name) that a Windows user might belong to. Please refer to the individual elements in the schema for more details about what each represents.
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| user | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The user entity holds a string that represents the name of a particular user. In Windows, user names are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, users should be identified in the form: "domain\user name". For local users use: "computer name\user name". For built-in accounts on the system, use the user name without a domain.
|
+| enabled | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||This element holds a boolean value that specifies whether the particular user account is enabled or not.
|
+| group | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||A string that represents the name of a particular group. In Windows, group names are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, groups should be identified in the form: "domain\group name". For local groups use: "computer name\group name". For built-in accounts on the system, use the group name without a domain.
The group element can be included multiple times in a system characteristic item in order to record that a user can be a member of a number of different groups. Note that the entity_check attribute associated with EntityStateStringType guides the evaluation of entities like group that refer to items that can occur an unbounded number of times.
|
+| last_logon | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||The date and time when the last logon occurred. This value is stored as the number of seconds that have elapsed since 00:00:00, January 1, 1970, GMT. If the target system is a domain controller, this data is maintained separately on each backup domain controller (BDC) in the domain. To obtain an accurate value, you must query each BDC in the domain. The last logoff occurred at the time indicated by the largest retrieved value.
|
+| full_name | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||A Unicode string that contains the full name of the user. This string can be a NULL string, or it can have any number of characters before the terminating null character.
|
+| comment | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||A Unicode string that contains a comment to associate with the user account. The string can be a NULL string, or it can have any number of characters before the terminating null character.
|
+| password_age_days | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||The number of days that have elapsed since the password was last changed. This data should be rounded up to the nearest integer.
|
+| lockout | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||The account is currently locked out.
|
+| passwd_notreqd | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||No password is required.
|
+| dont_expire_passwd | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||The password should never expire on the account.
|
+| encrypted_text_password_allowed | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||The user's password is stored under reversible encryption in the Active Directory.
|
+| not_delegated | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Marks the account as "sensitive"; other users cannot act as delegates of this user account.
|
+| use_des_key_only | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Restrict this principal to use only Data Encryption Standard (DES) encryption types for keys.
|
+| dont_require_preauth | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||This account does not require Kerberos preauthentication for logon.
|
+| password_expired | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||The password expiration information. Zero if the password has not expired (and nonzero if it has).
|
+| smartcard_required | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||Requires the user to log on to the user account with a smart card.
|
+| trusted_for_delegation | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||The account is enabled for delegation. This is a security-sensitive setting; accounts with this option enabled should be tightly controlled. This setting allows a service running under the account to assume a client's identity and authenticate as that user to other remote servers on the network.
|
+| trusted_to_authenticate_for_delegation | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||The account is trusted to authenticate a user outside of the Kerberos security package and delegate that user through constrained delegation. This is a security-sensitive setting; accounts with this option enabled should be tightly controlled. This setting allows a service running under the account to assert a client's identity and authenticate as that user to specifically configured services on the network. Windows 2000: This value is not supported.
|
+
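Review bot: the user_object entry is missing its description paragraph; after the deprecation block there are only blank lines before the **Extends:** line, while every other object in this file carries a one-sentence summary (compare user_sid55_object, "The user_sid55_object represents a set of users on a Windows system"). Suggest adding the matching sentence, e.g. "The user_object represents a set of users on a Windows system. This set (which might contain only one user) is identified by a user name." Separately, the last_logon description in user_state ends with "The last logoff occurred at the time indicated by the largest retrieved value", which contradicts the entity name and the first sentence of the same cell; it should say "last logon".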
+______________
+
+## < user_sid55_test >
+
+The user_sid55_test is used to check information about Windows users. When the user_sid55_test collects the user SIDs on the system, it should only include the local and built-in user SIDs and not domain user SIDs. However, it is important to note that domain user SIDs can still be looked up. Also, note that the collection of groups, for which a user is a member, is not recursive. The only groups that will be collected are those for which the user is a direct member. For example, if a user is a member of group A, and group A is a member of group B, the only group that will be collected is group A. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a user_sid55_object and the optional state element specifies the metadata to check.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..unbounded) |
+|||
+
+## < user_sid55_object >
+
+The user_sid55_object represents a set of users on a Windows system. This set (which might contain only one user) is identified by a SID.
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| user_sid | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The user_sid entity holds a string that represents the SID of a particular user.
|
+| [oval-def:filter](oval-definitions-schema.md#filter) | n/a (0..unbounded) |
+|||
+
+## < user_sid55_state >
+
+The user_sid55_state element enumerates the different groups (identified by SID) that a Windows user might belong to. Please refer to the individual elements in the schema for more details about what each represents.
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| user_sid | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The user_sid entity holds a string that represents the SID of a particular user.
|
+| enabled | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||This element holds a boolean value that specifies whether the particular user account is enabled or not.
|
+| group_sid | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||A string the represents the SID of a particular group. The group_sid element can be included multiple times in a system characteristic item in order to record that a user can be a member of a number of different groups. Note that the entity_check attribute associated with EntityStateStringType guides the evaluation of entities like group that refer to items that can occur an unbounded number of times.
|
+| last_logon | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||The date and time when the last logon occurred. This value is stored as the number of seconds that have elapsed since 00:00:00, January 1, 1970, GMT.
|
+
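Review bot: the group_sid description in user_sid55_state has a typo, "A string the represents the SID of a particular group" should be "A string that represents the SID of a particular group", and its closing sentence refers to "entities like group" although the entity defined in this state is group_sid, so it should read "entities like group_sid".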
+______________
+
+## < ~~user_sid_test~~ >
+
+> :small_red_triangle: **Deprecated As Of Version 5.5** :small_red_triangle:
**Reason:** Replaced by the user_sid55_test. This test uses user and group elements that are incorrectly named. A new test was created to change the element names to their correct values which are user_sid and group_sid. See the user_sid55_test.
**Comment:** This test has been deprecated and will be removed in version 6.0 of the language.
+
+The user_sid_test is used to check information about Windows users. When the user_sid_test collects the user SIDs on the system, it should only include the local and built-in user SIDs and not domain user SIDs. However, it is important to note that domain user SIDs can still be looked up. Also, note that the collection of groups, for which a user is a member, is not recursive. The only groups that will be collected are those for which the user is a direct member. For example, if a user is a member of group A, and group A is a member of group B, the only group that will be collected is group A. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a user_sid_object and the optional state element specifies the metadata to check.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..unbounded) |
+|||
+
+## < ~~user_sid_object~~ >
+
+> :small_red_triangle: **Deprecated As Of Version 5.5** :small_red_triangle:
**Reason:** Replaced by the user_sid55_object. This object uses a user element that is incorrectly named. A new object was created to change the element name to its correct value which is user_sid. See the user_sid55_object.
**Comment:** This object has been deprecated and will be removed in version 6.0 of the language.
+
+The user_sid_object represents a set of users on a Windows system. This set (which might contain only one user) is identified by a SID.
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| user | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The user_sid entity holds a string that represents the SID of a particular user.
|
+
+## < ~~user_sid_state~~ >
+
+> :small_red_triangle: **Deprecated As Of Version 5.5** :small_red_triangle:
**Reason:** Replaced by the user_sid55_state. This state uses user and group elements that are incorrectly named. A new state was created to change the element names to their correct values which are user_sid and group_sid. See the user_sid55_state.
**Comment:** This state has been deprecated and will be removed in version 6.0 of the language.
+
+The user_sid_state element enumerates the different groups (identified by SID) that a Windows user might belong to. Please refer to the individual elements in the schema for more details about what each represents.
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| user | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The user_sid entity holds a string that represents the SID of a particular user.
|
+| enabled | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||This element holds a boolean value that specifies whether the particular user account is enabled or not.
|
+| group | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||A string the represents the SID of a particular group. The group_sid element can be included multiple times in a system characteristic item in order to record that a user can be a member of a number of different groups. Note that the entity_check attribute associated with EntityStateStringType guides the evaluation of entities like group that refer to items that can occur an unbounded number of times.
|
+
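Review bot: the same "A string the represents the SID of a particular group" typo appears in the group description of the deprecated user_sid_state; change "the represents" to "that represents" here as well so the two states stay consistent.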
+______________
+
+## < userright_test >
+
+The userright_test is used to enumerate all of the trustees/SIDs that have been granted a specific user right/privilege.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..unbounded) |
+|||
+
+## < userright_object >
+
+The userright_object is used to collect the trustees/SIDs that have been granted a specific user right/privilege.
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| userright | [win-def:EntityObjectUserRightType](#EntityObjectUserRightType) (1..1) |
+||The userright entity holds a string that represents the name of a particular user right/privilege.
|
+| [oval-def:filter](oval-definitions-schema.md#filter) | n/a (0..unbounded) |
+|||
+
+## < userright_state >
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| userright | [win-def:EntityStateUserRightType](#EntityStateUserRightType) (0..1) |
+||The userright entity holds a string that represents the name of a particular user right/privilege.
|
+| trustee_name | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The trustee_name entity is the unique name associated with the SID that has been granted the specified user right/privilege. A trustee can be associated with a user, group, or program (such as a Windows service). In Windows, trustee names are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, trustee names should be identified in the form: "domain\trustee name". For local trustee names use: "computer name\trustee name". For built-in accounts on the system, use the trustee name without a domain.
|
+| trustee_sid | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The trustee_sid entity identifies the SID that has been granted the specified user right/privilege.
|
+
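Review bot: userright_state has no description paragraph between its heading and the **Extends:** line, unlike userright_test and userright_object. Suggest adding one in the style of the other states, e.g. "The userright_state element defines the information that can be found about a trustee that has been granted a specific user right/privilege. Please refer to the individual elements in the schema for more details about what each represents."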
+______________
+
+## < volume_test >
+
+The volume_test is used to check information about different storage volumes found on a Windows system. This includes the various system flags returned by GetVolumeInformation(). It is important to note that these system flags are specific to certain versions of Windows. As a result, the documentation for that version of Windows should be consulted for more information. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a volume_object and the optional state element specifies the metadata to check.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..unbounded) |
+|||
+
+## < volume_object >
+
+The volume_object element is used by a volume test to define the specific volume(s) to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+A volume object defines the rootpath of the volume(s).
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| rootpath | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||A string that contains the root directory of the volume to be described. A trailing backslash is required. For example, you would specify \\MyServer\MyShare as "\\MyServer\MyShare\", or the C drive as "C:\".
|
+| [oval-def:filter](oval-definitions-schema.md#filter) | n/a (0..unbounded) |
+|||
+
+## < volume_state >
+
+The volume_state element defines the different metadata associate with a storage volume in Windows. This includes the rootpath, the file system type, name, and serial number, as well as any associated flags. Please refer to the individual elements in the schema for more details about what each represents. The GetVolumeInformation function as defined by Microsoft is also a good place to look for information.
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| rootpath | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||A string that contains the root directory of the volume to be described. A trailing backslash is required. For example, you would specify \\MyServer\MyShare as "\\MyServer\MyShare\", or the C drive as "C:\".
|
+| file_system | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The type of filesystem. For example FAT or NTFS.
|
+| name | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The name of the volume.
|
+| drive_type | [win-def:EntityStateDriveTypeType](#EntityStateDriveTypeType) (0..1) |
+||The drive type of the volume.
|
+| volume_max_component_length | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||The volume_max_component_length element specifies the maximum length, in TCHARs, of a file name component that a specified file system supports. A file name component is the portion of a file name between backslashes. The value that is stored in the variable that *lpMaximumComponentLength points to is used to indicate that a specified file system supports long names. For example, for a FAT file system that supports long names, the function stores the value 255, rather than the previous 8.3 indicator. Long names can also be supported on systems that use the NTFS file system.
|
+| serial_number | [oval-def:EntityStateIntType](oval-definitions-schema.md#EntityStateIntType) (0..1) |
+||The volume serial number.
|
+| file_case_sensitive_search | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||The file system supports case-sensitive file names.
|
+| file_case_preserved_names | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||The file system preserves the case of file names when it places a name on disk.
|
+| file_unicode_on_disk | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||The file system supports Unicode in file names as they appear on disk.
|
+| file_persistent_acls | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||The file system preserves and enforces ACLs. For example, NTFS preserves and enforces ACLs, and FAT does not.
|
+| file_file_compression | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||The file system supports file-based compression.
|
+| file_volume_quotas | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||The file system supports disk quotas.
|
+| file_supports_sparse_files | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||The file system supports sparse files.
|
+| file_supports_reparse_points | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||The file system supports reparse points.
|
+| file_supports_remote_storage | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||The file system supports remote storage.
|
+| file_volume_is_compressed | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||The specified volume is a compressed volume; for example, a DoubleSpace volume.
|
+| file_supports_object_ids | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||The file system supports object identifiers.
|
+| file_supports_encryption | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||The file system supports the Encrypted File System (EFS).
|
+| file_named_streams | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||The file system supports named streams.
|
+| file_read_only_volume | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||The specified volume is read-only.
|
+| file_sequential_write_once | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||The file system supports one time writes in sequential order.
|
+| file_supports_transactions | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||The file system supports transaction processing.
|
+| file_supports_hard_links | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||The file system supports direct links to other devices and partitions.
|
+| file_supports_extended_attributes | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||The file system supports extended attributes.
|
+| file_supports_open_by_file_id | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||The file system supports fileID.
|
+| file_supports_usn_journal | [oval-def:EntityStateBoolType](oval-definitions-schema.md#EntityStateBoolType) (0..1) |
+||The file system supports update sequence number journals.
|
+
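Review bot: The `file_supports_hard_links` description (`The file system supports direct links to other devices and partitions.`) misstates what the flag means; a hard link is an additional directory entry for a file on the same volume and cannot cross devices or partitions, so `The file system supports hard links.` is the accurate wording. In the same table, `file_supports_open_by_file_id` reads only `The file system supports fileID.`; spell out that the volume supports opening a file by its file ID. Also, every description row in this table is split so that the cell text and its closing `|` sit on separate lines (e.g. `+||The file system supports sparse files.` followed by a bare `|`), which GitHub-flavoured Markdown will not render as a table row; join each description and its closing pipe onto one line.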
+______________
+
+## < ~~wmi_test~~ >
+
+> :small_red_triangle: **Deprecated As Of Version 5.7** :small_red_triangle:
**Reason:** Replaced by the wmi57_test. This test only allows for single fields to be selected from WMI. A new test was created to allow more than one field to be selected in one statement. See the wmi57_test.
**Comment:** This test has been deprecated and may be removed in a future version of the language.
+
+The wmi test is used to check information accessed by WMI. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a wmi_object and the optional state element specifies the metadata to check.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..unbounded) |
+|||
+
+## < ~~wmi_object~~ >
+
+> :small_red_triangle: **Deprecated As Of Version 5.7** :small_red_triangle:
**Reason:** Replaced by the wmi57_object. This object allows for single fields to be selected from WMI. A new object was created to allow more than one field to be selected in one statement. See the wmi57_object.
**Comment:** This object has been deprecated and may be removed in a future version of the language.
+
+
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| namespace | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||Specifies which WMI namespace to look under. Each WMI provider normally registers its own WMI namespace and then all its classes within that namespace. For example, all Win32 WMI classes can be found in the namespace "root\cimv2", all IIS WMI classes can be found at "root\microsoftiisv2", and all LDAP WMI classes can be found at "root\directory\ldap".
|
+| wql | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||A WQL query used to identify the object(s) to test against. Any valid WQL query is usable with one exception, at most one field is allowed in the SELECT portion of the query. For example SELECT name FROM ... is valid, as is SELECT 'true' FROM ..., but SELECT name, number FROM ... is not valid. This is because the result element in the data section is only designed to work against a single field.
|
+
+## < ~~wmi_state~~ >
+
+> :small_red_triangle: **Deprecated As Of Version 5.7** :small_red_triangle:
**Reason:** Replaced by the wmi57_state. This object allows for single fields to be selected from WMI. A new state was created to allow more than one field to be selected in one statement. See the wmi57_state.
**Comment:** This state has been deprecated and may be removed in a future version of the language.
+
+
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| namespace | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||Specifies which WMI namespace to look under. Each WMI provider normally registers its own WMI namespace and then all its classes within that namespace. For example, all Win32 WMI classes can be found in the namespace "root\cimv2", all IIS WMI classes can be found at "root\microsoftiisv2", and all LDAP WMI classes can be found at "root\directory\ldap".
|
+| wql | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||A WQL query used to identify the object(s) to test against. Any valid WQL query is usable with one exception, at most one field is allowed in the SELECT portion of the query. For example SELECT name FROM ... is valid, as is SELECT 'true' FROM ..., but SELECT name, number FROM ... is not valid. This is because the result element in the data section is only designed to work against a single field.
|
+| result | [oval-def:EntityStateAnySimpleType](oval-definitions-schema.md#EntityStateAnySimpleType) (0..1) |
+||The result element specifies how to test objects in the result set of the specified WQL statement. Only one comparable field is allowed. So if the WQL statement look like 'SELECT name FROM ...', then a result element with a value of 'Fred' would test that value against the names returned by the WQL statement.
|
+
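Review bot: The `wmi_object` and `wmi_state` sections have no description paragraph between the deprecation notice and `**Extends:**` (two empty lines where `wmi_test` has `The wmi test is used to check information accessed by WMI. ...`); add the one-paragraph description that the other object and state sections carry. The `wmi_state` deprecation reason also says `This object allows for single fields to be selected from WMI.` where it should say `This state`. Smaller nits: in the `result` row, `So if the WQL statement look like` should be `looks like`, and the `**Reason:**` and `**Comment:**` lines of each deprecation block lack the `>` prefix, so only the first line of each notice renders as a blockquote.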
+______________
+
+## < wmi57_test >
+
+The wmi57 test is used to check information accessed by WMI. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a wmi57_object and the optional state element specifies the metadata to check.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..unbounded) |
+|||
+
+## < wmi57_object >
+
+
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| namespace | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||Specifies which WMI namespace to look under. Each WMI provider normally registers its own WMI namespace and then all its classes within that namespace. For example, all Win32 WMI classes can be found in the namespace "root\cimv2", all IIS WMI classes can be found at "root\microsoftiisv2", and all LDAP WMI classes can be found at "root\directory\ldap".
|
+| wql | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||A WQL query used to identify the object(s) to test against. Any valid WQL query is usable with one exception, all fields must be named in the SELECT portion of the query. For example SELECT name, age FROM ... is valid. However, SELECT * FROM ... is not valid. This is because the record element in the state and item require a unique field name value to ensure that any query results can be evaluated consistently.
|
+| [oval-def:filter](oval-definitions-schema.md#filter) | n/a (0..unbounded) |
+|||
+
+## < wmi57_state >
+
+
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| namespace | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||Specifies which WMI namespace to look under. Each WMI provider normally registers its own WMI namespace and then all its classes within that namespace. For example, all Win32 WMI classes can be found in the namespace "root\cimv2", all IIS WMI classes can be found at "root\microsoftiisv2", and all LDAP WMI classes can be found at "root\directory\ldap".
|
+| wql | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||A WQL query used to identify the object(s) to test against. Any valid WQL query is usable with one exception, all fields must be named in the SELECT portion of the query. For example SELECT name, age FROM ... is valid. However, SELECT * FROM ... is not valid. This is because the record element in the state and item require a unique field name value to ensure that any query results can be evaluated consistantly.
|
+| result | [oval-def:EntityStateRecordType](oval-definitions-schema.md#EntityStateRecordType) (0..1) |
+||The result element specifies how to test items in the result set of the specified WQL statement.
|
+
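Review bot: `wmi57_object` and `wmi57_state` are the non-deprecated replacements, yet both lack a description paragraph above `**Extends:**`, so a reader sent here by the `wmi_*` deprecation notices finds no explanation of the object or state; add a sentence along the lines of `The wmi57_object element is used by a wmi57_test to define the WQL query to be evaluated.` and the equivalent for the state. Also `consistantly` in the `wmi57_state` `wql` description should be `consistently`, matching the same sentence in `wmi57_object`.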
+______________
+
+## < wuaupdatesearcher_test >
+
+The wuaupdatesearcher_test is used to evaluate patch level in a Windows environment utilizing the WUA (Windows Update Agent) interface. It is based on the Search method of the IUpdateSearcher interface found in the WUA API. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a wuaupdatesearcher_object and the optional state element specifies the metadata to check.
+
+Note that WUA can work off of many different sources including WSUS, update.microsoft.com, and a local cab file. The content source is specific to a given system evaluating a wuaupdatesearcher_test and thus is not defined by this test. The tool being used for evaluation should determine what content source is best for the system being assessed and then evaluate this test based on that selection.
+
+**Extends:** [oval-def:TestType](oval-definitions-schema.md#TestType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| object | [oval-def:ObjectRefType](oval-definitions-schema.md#ObjectRefType) (1..1) |
+|||
+| state | [oval-def:StateRefType](oval-definitions-schema.md#StateRefType) (0..unbounded) |
+|||
+
+## < wuaupdatesearcher_object >
+
+The wuaupdatesearcher_object element is used by a wuaupdatesearcher_test to define the specific search criteria to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+**Extends:** [oval-def:ObjectType](oval-definitions-schema.md#ObjectType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| behaviors | [win-def:WuaUpdateSearcherBehaviors](#WuaUpdateSearcherBehaviors) (0..1) |
+|||
+| search_criteria | [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType) (1..1) |
+||The search_criteria entity specifies a search criteria to use when generating a search result. The string used for the search criteria entity must match the custom search language for Search method of the IUpdateSearcher interface. The string consists of criteria that are evaluated to determine which updates to return. The Search method performs a synchronous search for updates by using the current configured search options. For more information about possible search criteria, please see the Search method of the IUpdateSearcher interface.
|
+| [oval-def:filter](oval-definitions-schema.md#filter) | n/a (0..unbounded) |
+|||
+
+## < wuaupdatesearcher_state >
+
+The wuaupdatesearcher_state element defines entities that can be tested related to a uaupdatesearcher_object. This includes the search criteria and updated id. Please refer to the individual elements in the schema for more details about what each represents.
+
+**Extends:** [oval-def:StateType](oval-definitions-schema.md#StateType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| search_criteria | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The search_criteria entity specifies a string to examine the search criteria that was used to generate the object set. Note that since this entity is part of the state, it is not used to determine the object set, but rather is used to test the search criteria that was actually used.
|
+| update_id | [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType) (0..1) |
+||The update_id enity specifies a string that represents a revision-independent identifier of an update. This information is part of the IUpdateIdentity interface that is part of the result of the IUpdateSearcher interface's Search method.
|
+
+## == WuaUpdateSearcherBehaviors ==
+
+The WuaUpdateSearcherBehaviors complex type defines behaviors that allow a more detailed definition of the wuaupdatesearcher_object being specified. Note that using these behaviors may result in some unique results. For example, a double negative type condition might be created where an object entity says include everything except a specific item, but a behavior is used that might then add that item back in.
+
+#### Attributes:
+
+* **include_superseded_updates** xsd:boolean (optional -- default='true')
+'include_superseded_updates' is a boolean flag that when set to true indicates that the search results should include updates that are superseded by other updates in the search results. When set to 'false' superseded updates should be excluded from the set of matching update items. The default value is 'true'.
+
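Review bot: `uaupdatesearcher_object` in the `wuaupdatesearcher_state` description is missing its leading `w` (`related to a uaupdatesearcher_object`), and `updated id` in the same sentence should be `update id` to match the `update_id` entity; in the `update_id` row, `enity` should be `entity`. In the object's `search_criteria` row, `specifies a search criteria` reads awkwardly; `specifies the search criteria` fits, since the entity holds the whole criteria string. Finally, the note that the content source (WSUS, update.microsoft.com or a local cab file) is chosen by the evaluating tool rather than by the test deserves its consequence stated outright: the same definition can evaluate to different results on two scanners that use different sources, which is what a reader comparing results needs to know.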
+______________
+
+## == EntityStateAddrTypeType ==
+
+The EntityStateAddrTypeType complex type restricts a string value to a specific set of values that describe address types associated with an interface. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+**Restricts:** [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType)
+
+| Value | Description |
+| ----- | ----------- |
+| MIB_IPADDR_DELETED | The stated IP address is being deleted. The unsigned short value that this corresponds to is 0x0040
|
+| MIB_IPADDR_DISCONNECTED | The stated IP address is on a disconnected interface. The unsigned short value that this corresponds to is 0x0008.
|
+| MIB_IPADDR_DYNAMIC | The stated IP address is a dynamic IP address. The unsigned short value that this corresponds to is 0x0004.
|
+| MIB_IPADDR_PRIMARY | The stated IP address is a primary IP address. The unsigned short value that this corresponds to is 0x0001.
|
+| MIB_IPADDR_TRANSIENT | The stated IP address is a transient IP address. The unsigned short value that this corresponds to is 0x0080
|
+| | The empty string value is permitted here to allow for empty elements associated with variable references.
|
+
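Review bot: The `MIB_IPADDR_DELETED` and `MIB_IPADDR_TRANSIENT` descriptions end without a period (`... corresponds to is 0x0040` and `... is 0x0080`) while the other three rows have one; add the trailing period for consistency. Since the five listed values are distinct bits (0x0001, 0x0004, 0x0008, 0x0040, 0x0080), it would also help to say whether the `addr_type` entity reports a single value or whether each flag set on an address must be matched separately.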
+## == EntityStateAdstypeType ==
+
+The EntityStateAdstypeType complex type restricts a string value to a specific set of values that specify the different types of information that an active directory attribute can represents. For more information look at the ADSTYPEENUM enumeration defined by Microsoft. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+**Restricts:** [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType)
+
+| Value | Description |
+| ----- | ----------- |
+| ADSTYPE_INVALID | The data type is invalid.
|
+| ADSTYPE_DN_STRING | The string is of Distinguished Name (path) of a directory service object.
|
+| ADSTYPE_CASE_EXACT_STRING | The string is of the case-sensitive type.
|
+| ADSTYPE_CASE_IGNORE_STRING | The string is of the case-insensitive type.
|
+| ADSTYPE_PRINTABLE_STRING | The string is displayable on the screen or in print.
|
+| ADSTYPE_NUMERIC_STRING | The string is of a numeric value to be interpreted as text.
|
+| ADSTYPE_BOOLEAN | The data is of a Boolean value.
|
+| ADSTYPE_INTEGER | The data is of an integer value.
|
+| ADSTYPE_OCTET_STRING | The string is of a byte array.
|
+| ADSTYPE_UTC_TIME | The data is of the universal time as expressed in Universal Time Coordinate (UTC).
|
+| ADSTYPE_LARGE_INTEGER | The data is of a long integer value.
|
+| ADSTYPE_PROV_SPECIFIC | The string is of a provider-specific string.
|
+| ADSTYPE_OBJECT_CLASS | Not used.
|
+| ADSTYPE_CASEIGNORE_LIST | The data is of a list of case insensitive strings.
|
+| ADSTYPE_OCTET_LIST | The data is of a list of octet strings.
|
+| ADSTYPE_PATH | The string is of a directory path.
|
+| ADSTYPE_POSTALADDRESS | The string is of the postal address type.
|
+| ADSTYPE_TIMESTAMP | The data is of a time stamp in seconds.
|
+| ADSTYPE_BACKLINK | The string is of a back link.
|
+| ADSTYPE_TYPEDNAME | The string is of a typed name.
|
+| ADSTYPE_HOLD | The data is of the Hold data structure.
|
+| ADSTYPE_NETADDRESS | The string is of a net address.
|
+| ADSTYPE_REPLICAPOINTER | The data is of a replica pointer.
|
+| ADSTYPE_FAXNUMBER | The string is of a fax number.
|
+| ADSTYPE_EMAIL | The data is of an e-mail message.
|
+| ADSTYPE_NT_SECURITY_DESCRIPTOR | The data is of Windows NT/Windows 2000 Security Descriptor as represented by a byte array.
|
+| ADSTYPE_UNKNOWN | The data is of an undefined type.
|
+| ADSTYPE_DN_WITH_BINARY | The data is of ADS_DN_WITH_BINARY used for mapping a distinguished name to a non varying GUID.
|
+| ADSTYPE_DN_WITH_STRING | The data is of ADS_DN_WITH_STRING used for mapping a distinguished name to a non-varying string value.
|
+| | The empty string value is permitted here to allow for empty elements associated with variable references.
|
+
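Review bot: `can represents` in the `EntityStateAdstypeType` introduction should be `can represent`. Many rows use the awkward construction `The string is of ...` / `The data is of ...` (e.g. `The string is of a byte array.`, `The data is of a Boolean value.`); `The data is a byte array.` style throughout would read better, and `Universal Time Coordinate (UTC)` in the `ADSTYPE_UTC_TIME` row should be `Coordinated Universal Time (UTC)`.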
+## == EntityStateAuditType ==
+
+The EntityStateAuditType complex type restricts a string value to a specific set of values: AUDIT_NONE, AUDIT_SUCCESS, AUDIT_FAILURE, and AUDIT_SUCCESS_FAILURE. These values describe which audit records should be generated. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+**Restricts:** [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType)
+
+| Value | Description |
+| ----- | ----------- |
+| AUDIT_FAILURE | The audit type AUDIT_FAILURE is used to perform audits on all unsuccessful occurrences of specified events when auditing is enabled.
|
+| AUDIT_NONE | The audit type AUDIT_NONE is used to cancel all auditing options for the specified events.
|
+| AUDIT_SUCCESS | The audit type AUDIT_SUCCESS is used to perform audits on all successful occurrences of the specified events when auditing is enabled.
|
+| AUDIT_SUCCESS_FAILURE | The audit type AUDIT_SUCCESS_FAILURE is used to perform audits on all successful and unsuccessful occurrences of the specified events when auditing is enabled.
|
+| | The empty string value is permitted here to allow for empty elements associated with variable references.
|
+
+## == EntityStateDriveTypeType ==
+
+The EntityStateDriveTypeType complex type defines the different values that are valid for the drive_type entity of a win-def:volume_state. Note that the Windows API returns a UINT value and OVAL uses the constant name that is normally defined for these return values. This is done to increase readability and maintainability of OVAL Definitions. The empty string is also allowed as a valid value to support an empty element that is found when a variable reference is used within the drive_type entity. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+**Restricts:** [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType)
+
+| Value | Description |
+| ----- | ----------- |
+| DRIVE_UNKNOWN | The DRIVE_UNKNOWN type means that drive type cannot be determined. The UINT value that this corresponds to is 0.
|
+| DRIVE_NO_ROOT_DIR | The DRIVE_NO_ROOT_DIR type means that the root path is not valid. The UINT value that this corresponds to is 1.
|
+| DRIVE_REMOVABLE | The DRIVE_REMOVABLE type means that the drive contains removable media. The UINT value that this corresponds to is 2.
|
+| DRIVE_FIXED | The DRIVE_FIXED type means that the drive contains fixed media. The UINT value that this corresponds to is 3.
|
+| DRIVE_REMOTE | The DRIVE_REMOTE type means that the drive is a remote drive (i.e. network drive). The UINT value that this corresponds to is 4.
|
+| DRIVE_CDROM | The DRIVE_CDROM type means that the drive is a CD-ROM drive. The UINT value that this corresponds to is 5.
|
+| DRIVE_RAMDISK | The DRIVE_RAMDISK type means that the drive is a RAM disk. The UINT value that this corresponds to is 6.
|
+| | The empty string value is permitted here to allow for empty elements associated with variable references.
|
+
+## == EntityStateInterfaceTypeType ==
+
+The EntityStateInterfaceTypeType complex type restricts a string value to a specific set of values. These values describe the different interface types. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+**Restricts:** [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType)
+
+| Value | Description |
+| ----- | ----------- |
+| MIB_IF_TYPE_ETHERNET | The MIB_IF_TYPE_ETHERNET type is used to describe ethernet interfaces.
|
+| MIB_IF_TYPE_FDDI | The MIB_IF_TYPE_FDDI type is used to describe fiber distributed data interfaces (FDDI).
|
+| MIB_IF_TYPE_LOOPBACK | The MIB_IF_TYPE_LOOPBACK type is used to describe loopback interfaces.
|
+| MIB_IF_TYPE_OTHER | The MIB_IF_TYPE_OTHER type is used to describe unknown interfaces.
|
+| MIB_IF_TYPE_PPP | The MIB_IF_TYPE_PPP type is used to describe point-to-point protocol interfaces (PPP).
|
+| MIB_IF_TYPE_SLIP | The MIB_IF_TYPE_SLIP type is used to describe serial line internet protocol interfaces (SLIP).
|
+| MIB_IF_TYPE_TOKENRING | The MIB_IF_TYPE_TOKENRING type is used to describe token ring interfaces..
|
+| | The empty string value is permitted here to allow for empty elements associated with variable references.
|
+
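Review bot: The `MIB_IF_TYPE_TOKENRING` description ends with a doubled period (`token ring interfaces..`); drop the extra one.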
+## == EntityStateFileTypeType ==
+
+The EntityStateFileTypeType complex type restricts a string value to a specific set of values. These values describe the type of file being represented. For more information see the GetFileType and GetFileAttributesEx functions as defined by Microsoft. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+**Restricts:** [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType)
+
+| Value | Description |
+| ----- | ----------- |
+| ~~FILE_ATTRIBUTE_DIRECTORY~~ | ~~The handle identifies a directory.
~~> :small_red_triangle: **Deprecated As Of Version 5.11.1:1.2** :small_red_triangle:
**Reason:** In version 5.11.1:1.2 of the OVAL Language windows schema, a file_attributes entity was added to the file_state, obviating the need to overload this attribute with the file-type enumeration.
**Comment:** This value has been deprecated and will be removed in version 6.0 of the language.
|
+| FILE_TYPE_CHAR | The specified file is a character file, typically an LPT device or a console.
|
+| FILE_TYPE_DISK | The specified file is a disk file.
|
+| FILE_TYPE_PIPE | The specified file is a socket, a named pipe, or an anonymous pipe.
|
+| FILE_TYPE_REMOTE | Unused.
|
+| FILE_TYPE_UNKNOWN | Either the type of the specified file is unknown, or the function failed.
|
+| | The empty string value is permitted here to allow for empty elements associated with variable references.
|
+
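Review bot: The strikethrough on the deprecated `FILE_ATTRIBUTE_DIRECTORY` row is unbalanced: `~~The handle identifies a directory.` opens a second `~~` span that is only closed by the `~~>` at the start of the deprecation line, so the description is struck through together with the `>` and the `Deprecated As Of Version 5.11.1:1.2` notice, while the `**Reason:**` and `**Comment:**` lines end up neither quoted nor inside the table cell. Close the span at the end of the description (`~~The handle identifies a directory.~~`) and either move the deprecation blockquote out of the table, as the `wmi_*` sections do, or keep it on one line inside the cell.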
+## == EntityStateFileAttributeType ==
+
+The EntityStateFileAttributeType complex type restricts a string value to a specific set of values. These values describe the Windows file attribute being represented. For more information see the GetFileAttributes and GetFileAttributesEx functions as defined by Microsoft. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+**Restricts:** [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType)
+
+| Value | Description |
+| ----- | ----------- |
+| FILE_ATTRIBUTE_ARCHIVE | A file or directory that is an archive file or directory. Applications typically use this attribute to mark files for backup or removal.
|
+| FILE_ATTRIBUTE_COMPRESSED | A file or directory that is compressed. For a file, all of the data in the file is compressed. For a directory, compression is the default for newly created files and subdirectories.
|
+| FILE_ATTRIBUTE_DEVICE | This value is reserved for system use.
|
+| FILE_ATTRIBUTE_DIRECTORY | The handle that identifies a directory.
|
+| FILE_ATTRIBUTE_ENCRYPTED | A file or directory that is encrypted. For a file, all data streams in the file are encrypted. For a directory, encryption is the default for newly created files and subdirectories.
|
+| FILE_ATTRIBUTE_HIDDEN | The file or directory is hidden. It is not included in an ordinary directory listing.
|
+| FILE_ATTRIBUTE_INTEGRITY_STREAM | The directory or user data stream is configured with integrity (only supported on ReFS volumes). It is not included in an ordinary directory listing. The integrity setting persists with the file if it's renamed. If a file is copied the destination file will have integrity set if either the source file or destination directory have integrity set.
Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista, Windows Server 2003, and Windows XP: This flag is not supported until Windows Server 2012.
|
+| FILE_ATTRIBUTE_NORMAL | A file that does not have other attributes set. This attribute is valid only when used alone.
|
+| FILE_ATTRIBUTE_NOT_CONTENT_INDEXED | The file or directory is not to be indexed by the content indexing service.
|
+| FILE_ATTRIBUTE_NO_SCRUB_DATA | The user data stream not to be read by the background data integrity scanner (AKA scrubber). When set on a directory it only provides inheritance. This flag is only supported on Storage Spaces and ReFS volumes. It is not included in an ordinary directory listing.
Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista, Windows Server 2003, and Windows XP: This flag is not supported until Windows 8 and Windows Server 2012.
|
+| FILE_ATTRIBUTE_OFFLINE | The data of a file is not available immediately. This attribute indicates that the file data is physically moved to offline storage. This attribute is used by Remote Storage, which is the hierarchical storage management software. Applications should not arbitrarily change this attribute.
|
+| FILE_ATTRIBUTE_READONLY | A file that is read-only. Applications can read the file, but cannot write to it or delete it. This attribute is not honored on directories.
|
+| FILE_ATTRIBUTE_REPARSE_POINT | A file or directory that has an associated reparse point, or a file that is a symbolic link.
|
+| FILE_ATTRIBUTE_SPARSE_FILE | A file that is a sparse file.
|
+| FILE_ATTRIBUTE_SYSTEM | A file or directory that the operating system uses a part of, or uses exclusively.
|
+| FILE_ATTRIBUTE_TEMPORARY | A file that is being used for temporary storage. File systems avoid writing data back to mass storage if sufficient cache memory is available, because typically, an application deletes a temporary file after the handle is closed. In that scenario, the system can entirely avoid writing the data. Otherwise, the data is written after the handle is closed.
|
+| FILE_ATTRIBUTE_VIRTUAL | This value is reserved for system use.
|
+
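Review bot: The `EntityStateFileAttributeType` table is the only enumeration here without the closing `| | The empty string value is permitted here ...` row, even though its introduction says `The empty string is also allowed to support empty element associated with variable references.`; add the row or drop the sentence. The `FILE_ATTRIBUTE_DIRECTORY` description is a fragment (`The handle that identifies a directory.`); `The handle identifies a directory.`, as in the `EntityStateFileTypeType` table, completes it. The platform-support sentences for `FILE_ATTRIBUTE_INTEGRITY_STREAM` and `FILE_ATTRIBUTE_NO_SCRUB_DATA` (`Windows Server 2008 R2, Windows 7, ...: This flag is not supported until ...`) sit on their own lines inside the cell, which breaks the table; fold them into the cell text. And `The user data stream not to be read by the background data integrity scanner` is missing `is`.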
+## == EntityObjectNamingContextType ==
+
+The EntityObjectNamingContextType restricts a string value to a specific set of values: domain, configuration, and schema. These values describe the different default naming context found in active directory. A naming context is defined as a single object in the Directory Information Tree (DIT) along with every object in the tree subordinate to it. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+**Restricts:** [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType)
+
+| Value | Description |
+| ----- | ----------- |
+| domain | The domain naming context contains Active Directory objects present in the specified domain (e.g. users, computers, groups, and other objects).
|
+| configuration | The configuration naming context contains configuration data that is required for the Active Directory to operate as a directory service.
|
+| schema | The schema naming context contains all of the Active Directory object definitions.
|
+| | The empty string value is permitted here to allow for empty elements associated with variable references.
|
+
+## == EntityStateNamingContextType ==
+
+The EntityStateNamingContextType restricts a string value to a specific set of values: domain, configuration, and schema. These values describe the different default naming context found in active directory. A naming context is defined as a single object in the Directory Information Tree (DIT) along with every object in the tree subordinate to it. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+**Restricts:** [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType)
+
+| Value | Description |
+| ----- | ----------- |
+| domain | The domain naming context contains Active Directory objects present in the specified domain (e.g. users, computers, groups, and other objects).
|
+| configuration | The configuration naming context contains configuration data that is required for the Active Directory to operate as a directory service.
|
+| schema | The schema naming context contains all of the Active Directory object definitions.
|
+| | The empty string value is permitted here to allow for empty elements associated with variable references.
|
+
+## == EntityStateNTUserAccountTypeType ==
+
+The EntityStateNTUserAccountTypeType restricts a string value to a specific set of values that describe the different types of accounts. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+**Restricts:** [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType)
+
+| Value | Description |
+| ----- | ----------- |
+| local | Local accounts are accounts that were created directly on the machine being tested and should be in the form of machinename\username
|
+| domain | Domain accounts are accounts that were created on a domain controller and should be in the form of domain\username
|
+| | The empty string value is permitted here to allow for empty elements associated with variable references.
|
+
+## == EntityStatePeTargetMachineType ==
+
+The EntityStatePeTargetMachineType enumeration identifies the valid machine targets that can be specified in the PE file header. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+**Restricts:** [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType)
+
+| Value | Description |
+| ----- | ----------- |
+| IMAGE_FILE_MACHINE_UNKNOWN | The IMAGE_FILE_MACHINE_UNKNOWN type is used to indicate an unknown machine.
|
+| IMAGE_FILE_MACHINE_ALPHA | The IMAGE_FILE_MACHINE_ALPHA type is used to indicate an Alpha APX machine.
|
+| IMAGE_FILE_MACHINE_ARM | The IMAGE_FILE_MACHINE_ARM type is used to indicate an ARM little endian machine.
|
+| IMAGE_FILE_MACHINE_ALPHA64 | The IMAGE_FILE_MACHINE_ALPHA64 type is used to indicate an 64-bit Alpha APX machine.
|
+| IMAGE_FILE_MACHINE_I386 | The IMAGE_FILE_MACHINE_I386 type is used to indicate an Intel 386 machine.
|
+| IMAGE_FILE_MACHINE_IA64 | The IMAGE_FILE_MACHINE_IA64 type is used to indicate an Intel Itanium machine.
|
+| IMAGE_FILE_MACHINE_M68K | The IMAGE_FILE_MACHINE_M68K type is used to indicate an M68K machine.
|
+| IMAGE_FILE_MACHINE_MIPS16 | The IMAGE_FILE_MACHINE_MIPS16 type is used to indicate a MIPS16 machine.
|
+| IMAGE_FILE_MACHINE_MIPSFPU | The IMAGE_FILE_MACHINE_MIPSFPU type is used to indicate an MIPS machine with FPU.
|
+| IMAGE_FILE_MACHINE_MIPSFPU16 | The IMAGE_FILE_MACHINE_MIPSFPU16 type is used to indicate a MIPS16 machine with FPU.
|
+| IMAGE_FILE_MACHINE_POWERPC | The IMAGE_FILE_MACHINE_POWERPC type is used to indicate an Power PC little endian machine.
|
+| IMAGE_FILE_MACHINE_R3000 | The IMAGE_FILE_MACHINE_R3000 type is used to indicate a MIPS little endian, 0x160 big endian machine.
|
+| IMAGE_FILE_MACHINE_R4000 | The IMAGE_FILE_MACHINE_R4000 type is used to indicate a MIPS little endian machine.
|
+| IMAGE_FILE_MACHINE_R10000 | The IMAGE_FILE_MACHINE_10000 type is used to indicate a MIPS little endian machine.
|
+| IMAGE_FILE_MACHINE_SH3 | The IMAGE_FILE_MACHINE_SH3 type is used to indicate a Hitachi SH3 machine.
|
+| IMAGE_FILE_MACHINE_SH4 | The IMAGE_FILE_MACHINE_SH4 type is used to indicate a Hitachi SH4 machine.
|
+| IMAGE_FILE_MACHINE_THUMB | The IMAGE_FILE_MACHINE_THUMB type is used to indicate an ARM or Thumb ("interworking") machine.
|
+| | The empty string value is permitted here to allow for empty elements associated with variable references.
|
+
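Review bot: the IMAGE_FILE_MACHINE_R10000 row describes the wrong constant: `The IMAGE_FILE_MACHINE_10000 type is used to indicate a MIPS little endian machine.` should read `IMAGE_FILE_MACHINE_R10000`. Minor grammar in the same table: `an 64-bit Alpha APX machine`, `an MIPS machine with FPU` and `an Power PC little endian machine` should use `a`.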
+## == EntityStatePeSubsystemType ==
+
+The EntityStatePeSubsystemType enumeration identifies the valid subsystem types that can be specified in the PE file header. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+**Restricts:** [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType)
+
+| Value | Description |
+| ----- | ----------- |
+| IMAGE_SUBSYSTEM_UNKNOWN | The IMAGE_SUBSYSTEM_UNKNOWN type is used to indicate an unknown subsystem.
|
+| IMAGE_SUBSYSTEM_NATIVE | The IMAGE_SUBSYSTEM_NATIVE type is used to indicate that no subsystem is required.
|
+| IMAGE_SUBSYSTEM_WINDOWS_GUI | The IMAGE_SUBSYSTEM_WINDOWS_GUI type is used to indicate a Windows graphical user interface (GUI) subsystem.
|
+| IMAGE_SUBSYSTEM_WINDOWS_CUI | The IMAGE_SUBSYSTEM_WINDOWS_CUI type is used to indicate a Windows character-mode user interface (CUI) subsystem.
|
+| IMAGE_SUBSYSTEM_OS2_CUI | The IMAGE_SUBSYSTEM_OS2_CUI type is used to indicate an OS/2 CUI subsystem.
|
+| IMAGE_SUBSYSTEM_POSIX_CUI | The IMAGE_SUBSYSTEM_POSIX_CUI type is used to indicate a POSIX CUI subsystem.
|
+| IMAGE_SUBSYSTEM_WINDOWS_CE_GUI | The IMAGE_SUBSYSTEM_WINDOWS_CE_GUI type is used to indicate a Windows CE system.
|
+| IMAGE_SUBSYSTEM_EFI_APPLICATION | The IMAGE_SUBSYSTEM_EFI_APPLICATION type is used to indicate an Extensible Firmware Interface (EFI) application.
|
+| IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER | The IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER type is used to indicate a EFI driver with boot services.
|
+| IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER | The IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER type is used to indicate a EFI driver with run-time services subsystem.
|
+| IMAGE_SUBSYSTEM_EFI_ROM | The IMAGE_SUBSYSTEM_EFI_ROM type is used to indicate an EFI ROM image.
|
+| IMAGE_SUBSYSTEM_XBOX | The IMAGE_SUBSYSTEM_XBOX type is used to indicate an Xbox system.
|
+| IMAGE_SUBSYSTEM_WINDOWS_BOOT_APPLICATION | The IMAGE_SUBSYSTEM_WINDOWS_BOOT_APPLICATION type is used to indicate a boot application.
|
+| | The empty string value is permitted here to allow for empty elements associated with variable references.
|
+
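Review bot: `a EFI driver with boot services` and `a EFI driver with run-time services subsystem` should read `an EFI driver`; the IMAGE_SUBSYSTEM_EFI_APPLICATION and IMAGE_SUBSYSTEM_EFI_ROM rows in the same table already use `an`.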
+## == EntityObjectProtocolType ==
+
+The EntityObjectProtocolType restricts a string value to a specific set of values: TCP and UDP. These values describe the different protocols available to a port. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+**Restricts:** [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType)
+
+| Value | Description |
+| ----- | ----------- |
+| TCP | The port uses the Transmission Control Protocol (TCP).
|
+| UDP | The port uses the User Datagram Protocol (UDP).
|
+| | The empty string value is permitted here to allow for empty elements associated with variable references.
|
+
+## == EntityStateProtocolType ==
+
+The EntityStateProtocolType restricts a string value to a specific set of values: TCP and UDP. These values describe the different protocols available to a port. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+**Restricts:** [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType)
+
+| Value | Description |
+| ----- | ----------- |
+| TCP | The port uses the Transmission Control Protocol (TCP).
|
+| UDP | The port uses the User Datagram Protocol (UDP).
|
+| | The empty string value is permitted here to allow for empty elements associated with variable references.
|
+
+## == EntityObjectRegistryHiveType ==
+
+The EntityObjectRegistryHiveType restricts a string value to a specific set of values: HKEY_CLASSES_ROOT, HKEY_CURRENT_CONFIG, HKEY_CURRENT_USER, HKEY_CURRENT_USER_LOCAL_SETTINGS, HKEY_LOCAL_MACHINE, and HKEY_USERS. These values describe the possible hives in the registry. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+**Restricts:** [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType)
+
+| Value | Description |
+| ----- | ----------- |
+| HKEY_CLASSES_ROOT | This registry subtree contains information that associates file types with programs and configuration data for automation (e.g. COM objects and Visual Basic Programs).
|
+| HKEY_CURRENT_CONFIG | This registry subtree contains configuration data for the current hardware profile.
|
+| HKEY_CURRENT_USER | This registry subtree contains the user profile of the user that is currently logged into the system.
|
+| HKEY_CURRENT_USER_LOCAL_SETTINGS | Registry entries subordinate to this key define preferences of the current user that are local to the machine. These entries are not included in the per-user registry portion of a roaming user profile. This key is supported starting with Windows 7 and Windows Server 2008 R2.
|
+| HKEY_LOCAL_MACHINE | This registry subtree contains information about the local system.
|
+| HKEY_USERS | This registry subtree contains user-specific data.
|
+| | The empty string value is permitted here to allow for empty elements associated with variable references.
|
+
+## == EntityStateRegistryHiveType ==
+
+The EntityStateRegistryHiveType restricts a string value to a specific set of values: HKEY_CLASSES_ROOT, HKEY_CURRENT_CONFIG, HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE, and HKEY_USERS. These values describe the possible hives in the registry. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+**Restricts:** [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType)
+
+| Value | Description |
+| ----- | ----------- |
+| HKEY_CLASSES_ROOT | This registry subtree contains information that associates file types with programs and configuration data for automation (e.g. COM objects and Visual Basic Programs).
|
+| HKEY_CURRENT_CONFIG | This registry subtree contains configuration data for the current hardware profile.
|
+| HKEY_CURRENT_USER | This registry subtree contains the user profile of the user that is currently logged into the system.
|
+| HKEY_LOCAL_MACHINE | This registry subtree contains information about the local system.
|
+| HKEY_USERS | This registry subtree contains user-specific data.
|
+| | The empty string value is permitted here to allow for empty elements associated with variable references.
|
+
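Review bot: EntityStateRegistryHiveType omits HKEY_CURRENT_USER_LOCAL_SETTINGS, although EntityObjectRegistryHiveType directly above lists it (`This key is supported starting with Windows 7 and Windows Server 2008 R2.`). As written, a registry_object can collect keys under that hive but no registry_state can express an expected hive value for them; either add the value to the state type's table and to the list in its introductory paragraph, or document why the asymmetry is intended.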
+## == EntityStateRegistryTypeType ==
+
+The EntityStateRegistryTypeType complex type defines the different values that are valid for the type entity of a registry state. These values describe the possible types of data stored in a registry key. The empty string is also allowed as a valid value to support an empty element that is found when a variable reference is used within the type entity. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values. Please note that the values identified are for the type entity and are not valid values for the datatype attribute. For information about how to encode registry data in OVAL for each of the different types, please visit the registry_state documentation.
+
+**Restricts:** [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType)
+
+| Value | Description |
+| ----- | ----------- |
+| reg_binary | The reg_binary type is used by registry keys that specify binary data in any form.
|
+| reg_dword | The reg_dword type is used by registry keys that specify an unsigned 32-bit integer.
|
+| ~~reg_dword_little_endian~~ | ~~The reg_dword_little_endian type is used by registry keys that specify an unsigned 32-bit little-endian integer. It is designed to run on little-endian computer architectures.
~~> :small_red_triangle: **Deprecated As Of Version 5.11.1:1.1** :small_red_triangle:
**Reason:** Defined to have same value as reg_dword.
**Comment:** This registry type enumeration value has been deprecated and may be removed in a future version of the language.
|
+| reg_dword_big_endian | The reg_dword_big_endian type is used by registry keys that specify an unsigned 32-bit big-endian integer. It is designed to run on big-endian computer architectures.
|
+| reg_expand_sz | The reg_expand_sz type is used by registry keys to specify a null-terminated string that contains unexpanded references to environment variables (for example, "%PATH%").
|
+| reg_link | The reg_link type is used by the registry keys for null-terminated unicode strings. It is related to target path of a symbolic link created by the RegCreateKeyEx function.
|
+| reg_multi_sz | The reg_multi_sz type is used by registry keys that specify an array of null-terminated strings, terminated by two null characters.
|
+| reg_none | The reg_none type is used by registry keys that have no defined value type.
|
+| reg_qword | The reg_qword type is used by registry keys that specify an unsigned 64-bit integer.
|
+| ~~reg_qword_little_endian~~ | ~~The reg_qword_little_endian type is used by registry keys that specify an unsigned 64-bit integer in little-endian computer architectures.
~~> :small_red_triangle: **Deprecated As Of Version 5.11.1:1.1** :small_red_triangle:
**Reason:** Defined to have same value as reg_qword.
**Comment:** This registry type enumeration value has been deprecated and may be removed in a future version of the language.
|
+| reg_sz | The reg_sz type is used by registry keys that specify a single null-terminated string.
|
+| reg_resource_list | The reg_resource_list type is used by registry keys that specify a resource list.
|
+| reg_full_resource_descriptor | The reg_full_resource_descriptor type is used by registry keys that specify a full resource descriptor.
|
+| reg_resource_requirements_list | The reg_resource_requirements_list type is used by registry keys that specify a resource requirements list.
|
+| | The empty string value is permitted here to allow for empty elements associated with variable references.
|
+
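Review bot: the reg_link description is ungrammatical and does not say what the value holds: `It is related to target path of a symbolic link created by the RegCreateKeyEx function.` Suggest `It holds the target path of a symbolic link created by the RegCreateKeyEx function.`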
+## == EntityStateServiceControlsAcceptedType ==
+
+The EntityStateServiceAcceptedControlsType complex type defines the different values that are valid for the controls_accepted entity of a service. Note that the Windows API returns a DWORD value and OVAL uses the constant name that is normally defined for these return values. This is done to increase readability and maintainability of OVAL Definitions. The empty string is also allowed as a valid value to support an empty element that is found when a variable reference is used within the controls_accepted entity. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+**Restricts:** [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType)
+
+| Value | Description |
+| ----- | ----------- |
+| SERVICE_ACCEPT_NETBINDCHANGE | The SERVICE_ACCEPT_NETBINDCHANGE type means that the service is a network component and can accept changes in its binding without being stopped or restarted. The DWORD value that this corresponds to is 0x00000010.
|
+| SERVICE_ACCEPT_PARAMCHANGE | The SERVICE_ACCEPT_PARAMCHANGE type means that the service can re-read its startup parameters without being stopped or restarted. The DWORD value that this corresponds to is 0x00000008.
|
+| SERVICE_ACCEPT_PAUSE_CONTINUE | The SERVICE_ACCEPT_PAUSE_CONTINUE type means that the service can be paused or continued. The DWORD value that this corresponds to is 0x00000002.
|
+| SERVICE_ACCEPT_PRESHUTDOWN | The SERVICE_ACCEPT_PRESHUTDOWN type means that the service can receive pre-shutdown notifications. The DWORD value that this corresponds to is 0x00000100.
|
+| SERVICE_ACCEPT_SHUTDOWN | The SERVICE_ACCEPT_SHUTDOWN type means that the service can receive shutdown notifications. The DWORD value that this corresponds to is 0x00000004.
|
+| SERVICE_ACCEPT_STOP | The SERVICE_ACCEPT_STOP type means that the service can be stopped. The DWORD value that this corresponds to is 0x00000001.
|
+| SERVICE_ACCEPT_HARDWAREPROFILECHANGE | The SERVICE_ACCEPT_HARDWAREPROFILECHANGE type means that the service can receive notifications when the system's hardware profile changes. The DWORD value that this corresponds to is 0x00000020.
|
+| SERVICE_ACCEPT_POWEREVENT | The SERVICE_ACCEPT_POWEREVENT type means that the service can receive notifications when the system's power status has changed. The DWORD value that this corresponds to is 0x00000040.
|
+| SERVICE_ACCEPT_SESSIONCHANGE | The SERVICE_ACCEPT_SESSIONCHANGE type means that the service can receive notifications when the system's session status has changed. The DWORD value that this corresponds to is 0x00000080.
|
+| SERVICE_ACCEPT_TIMECHANGE | The SERVICE_ACCEPT_TIMECHANGE type means that the service can receive notifications when the system time changes. The DWORD value that this corresponds to is 0x00000200.
|
+| SERVICE_ACCEPT_TRIGGEREVENT | The SERVICE_ACCEPT_TRIGGEREVENT type means that the service can receive notifications when an event that the service has registered for occurs on the system. The DWORD value that this corresponds to is 0x00000400.
|
+| | The empty string value is permitted here to allow for empty elements associated with variable references.
|
+
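Review bot: the introductory paragraph names a type that does not exist in this document: `The EntityStateServiceAcceptedControlsType complex type defines the different values that are valid for the controls_accepted entity of a service.` The heading and the schema name are EntityStateServiceControlsAcceptedType; fix the name in the paragraph so the text matches the heading.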
+## == EntityStateServiceCurrentStateType ==
+
+The EntityStateServiceCurrentStateType complex type defines the different values that are valid for the current_state entity of a service. Note that the Windows API returns a DWORD value and OVAL uses the constant name that is normally defined for these return values. This is done to increase readability and maintainability of OVAL Definitions. The empty string is also allowed as a valid value to support an empty element that is found when a variable reference is used within the current_state entity. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+**Restricts:** [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType)
+
+| Value | Description |
+| ----- | ----------- |
+| SERVICE_CONTINUE_PENDING | The SERVICE_CONTINUE_PENDING type means that the service has been sent a command to continue, however, the command has not yet been executed. The DWORD value that this corresponds to is 0x00000005.
|
+| SERVICE_PAUSE_PENDING | The SERVICE_PAUSE_PENDING type means that the service has been sent a command to pause, however, the command has not yet been executed. The DWORD value that this corresponds to is 0x00000006.
|
+| SERVICE_PAUSED | The SERVICE_PAUSED type means that the service is paused. The DWORD value that this corresponds to is 0x00000007.
|
+| SERVICE_RUNNING | The SERVICE_RUNNING type means that the service is running. The DWORD value that this corresponds to is 0x00000004.
|
+| SERVICE_START_PENDING | The SERVICE_START_PENDING type means that the service has been sent a command to start, however, the command has not yet been executed. The DWORD value that this corresponds to is 0x00000002.
|
+| SERVICE_STOP_PENDING | The SERVICE_STOP_PENDING type means that the service has been sent a command to stop, however, the command has not yet been executed. The DWORD value that this corresponds to is 0x00000003.
|
+| SERVICE_STOPPED | The SERVICE_STOPPED type means that the service is stopped. The DWORD value that this corresponds to is 0x00000001.
|
+| | The empty string value is permitted here to allow for empty elements associated with variable references.
|
+
+## == EntityStateServiceStartTypeType ==
+
+The EntityStateServiceStartTypeType complex type defines the different values that are valid for the start_type entity of a service. Note that the Windows API returns a DWORD value and OVAL uses the constant name that is normally defined for these return values. This is done to increase readability and maintainability of OVAL Definitions. The empty string is also allowed as a valid value to support an empty element that is found when a variable reference is used within the start_type entity. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+**Restricts:** [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType)
+
+| Value | Description |
+| ----- | ----------- |
+| SERVICE_AUTO_START | The SERVICE_AUTO_START type means that the service is started automatically by the Service Control Manager (SCM) during startup. The DWORD value that this corresponds to is 0x00000002.
|
+| SERVICE_BOOT_START | The SERVICE_BOOT_START type means that the driver service is started by the system loader. The DWORD value that this corresponds to is 0x00000000.
|
+| SERVICE_DEMAND_START | The SERVICE_DEMAND_START type means that the service is started by the Service Control Manager (SCM) when StartService() is called. The DWORD value that this corresponds to is 0x00000003.
|
+| SERVICE_DISABLED | The SERVICE_DISABLED type means that the service cannot be started. The DWORD value that this corresponds to is 0x00000004.
|
+| SERVICE_SYSTEM_START | The SERVICE_SYSTEM_START type means that the service is a device driver started by IoInitSystem(). The DWORD value that this corresponds to is 0x00000001.
|
+| | The empty string value is permitted here to allow for empty elements associated with variable references.
|
+
+## == EntityStateServiceTypeType ==
+
+The EntityStateServiceTypeType complex type defines the different values that are valid for the service_type entity of a service. Note that the Windows API returns a DWORD value and OVAL uses the constant name that is normally defined for these return values. This is done to increase readability and maintainability of OVAL Definitions. The empty string is also allowed as a valid value to support an empty element that is found when a variable reference is used within the service_type entity. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+**Restricts:** [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType)
+
+| Value | Description |
+| ----- | ----------- |
+| SERVICE_FILE_SYSTEM_DRIVER | The SERVICE_FILE_SYSTEM_DRIVER type means that the service is a file system driver. The DWORD value that this corresponds to is 0x00000002.
|
+| SERVICE_KERNEL_DRIVER | The SERVICE_KERNEL_DRIVER type means that the service is a driver. The DWORD value that this corresponds to is 0x00000001.
|
+| SERVICE_WIN32_OWN_PROCESS | The SERVICE_WIN32_OWN_PROCESS type means that the service runs in its own process. The DWORD value that this corresponds to is 0x00000010.
|
+| SERVICE_WIN32_SHARE_PROCESS | The SERVICE_WIN32_SHARE_PROCESS type means that the service runs in a process with other services. The DWORD value that this corresponds to is 0x00000020.
|
+| SERVICE_INTERACTIVE_PROCESS | The SERVICE_WIN32_SHARE_PROCESS type means that the service runs in a process with other services. The DWORD value that this corresponds to is 0x00000100.
|
+| | The empty string value is permitted here to allow for empty elements associated with variable references.
|
+
+## == EntityStateSharedResourceTypeType ==
+
+The EntityStateSharedResourceTypeType complex type defines the different values that are valid for the type entity of a shared resource state. Note that the Windows API returns a DWORD value and OVAL uses the constant name that is normally defined for these return values. This is done to increase readability and maintainability of OVAL Definitions. The empty string is also allowed as a valid value to support an empty element that is found when a variable reference is used within the type entity. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+It is also important to note that special shared resources are those reserved for remote administration, interprocess communication, and administrative shares.
+
+**Restricts:** [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType)
+
+| Value | Description |
+| ----- | ----------- |
+| STYPE_DISKTREE | The STYPE_DISKTREE type means that the shared resource is a disk drive. The DWORD value that this corresponds to is 0x00000000.
|
+| STYPE_DISKTREE_SPECIAL | The STYPE_DISKTREE_SPECIAL type means that the shared resource is a special disk drive. The DWORD value that this corresponds to is 0x80000000.
|
+| STYPE_DISKTREE_TEMPORARY | The STYPE_DISKTREE_TEMPORARY type means that the shared resource is a temporary disk drive. The DWORD value that this corresponds to is 0x40000000.
|
+| STYPE_DISKTREE_SPECIAL_TEMPORARY | The STYPE_DISKTREE_SPECIAL_TEMPORARY type means that the shared resource is a temporary, special disk drive. The DWORD value that this corresponds to is 0xC0000000.
|
+| STYPE_PRINTQ | The STYPE_PRINTQ type means that the shared resource is a print queue. The DWORD value that this corresponds to is 0x00000001.
|
+| STYPE_PRINTQ_SPECIAL | The STYPE_PRINTQ_SPECIAL type means that the shared resource is a special print queue. The DWORD value that this corresponds to is 0x80000001.
|
+| STYPE_PRINTQ_TEMPORARY | The STYPE_PRINTQ_TEMPORARY type means that the shared resource is a temporary print queue. The DWORD value that this corresponds to is 0x40000001.
|
+| STYPE_PRINTQ_SPECIAL_TEMPORARY | The STYPE_PRINTQ_SPECIAL_TEMPORARY type means that the shared resource is a temporary, special print queue. The DWORD value that this corresponds to is 0xC0000001.
|
+| STYPE_DEVICE | The STYPE_DEVICE type means that the shared resource is a communication device. The DWORD value that this corresponds to is 0x00000002.
|
+| STYPE_DEVICE_SPECIAL | The STYPE_DEVICE_SPECIAL type means that the shared resource is a special communication device. The DWORD value that this corresponds to is 0x80000002.
|
+| STYPE_DEVICE_TEMPORARY | The STYPE_DEVICE_TEMPORARY type means that the shared resource is a temporary communication device. The DWORD value that this corresponds to is 0x40000002.
|
+| STYPE_DEVICE_SPECIAL_TEMPORARY | The STYPE_DEVICE_SPECIAL_TEMPORARY type means that the shared resource is a temporary, special communication device. The DWORD value that this corresponds to is 0xC0000002.
|
+| STYPE_IPC | The STYPE_IPC type means that the shared resource is a interprocess communication. The DWORD value that this corresponds to is 0x00000003.
|
+| STYPE_IPC_SPECIAL | The STYPE_IPC_SPECIAL type means that the shared resource is a special interprocess communication. The DWORD value that this corresponds to is 0x80000003.
|
+| STYPE_IPC_TEMPORARY | The STYPE_IPC_TEMPORARY type means that the shared resource is a temporary interprocess communication. The DWORD value that this corresponds to is 0x40000003.
|
+| STYPE_IPC_SPECIAL_TEMPORARY | The STYPE_IPC_SPECIAL_TEMPORARY type means that the shared resource is a temporary, special interprocess communication. The DWORD value that this corresponds to is 0xC0000003.
|
+| ~~STYPE_SPECIAL~~ | ~~The STYPE_SPECIAL type means that this is a special share reserved for interprocess communication (IPC$) or remote administration of the server (ADMIN$). Can also refer to administrative shares such as C$, D$, E$, and so forth. The DWORD value that this corresponds to is 0x40000000.
~~> :small_red_triangle: **Deprecated As Of Version 5.6** :small_red_triangle:
**Reason:** In version 5.6 of the OVAL Language, the EntityStateSharedResourceTypeType was changed to include all of the different shared resource types as specified in Microsoft's documentation of the shi2_type member of the SHARE_INFO_2 structure. As a result, the STYPE_SPECIAL value by itself is no longer valid because it would actually be equal to the value STYPE_DISKTREE_SPECIAL (0x80000000) which is STYPE_DISKTREE (0x00000000) OR'd with STYPE_SPECIAL (0x80000000).
**Comment:** This value has been deprecated and will be removed in version 6.0 of the language.
|
+| ~~STYPE_TEMPORARY~~ | ~~The STYPE_TEMPORARY type means that the shared resource is a temporary share. The DWORD value that this corresponds to is 0x80000000.
~~> :small_red_triangle: **Deprecated As Of Version 5.6** :small_red_triangle:
**Reason:** In version 5.6 of the OVAL Language, the EntityStateSharedResourceTypeType was changed to include all of the different shared resource types as specified in Microsoft's documentation of the shi2_type member of the SHARE_INFO_2 structure. As a result, the STYPE_TEMPORARY value by itself is no longer valid because it would actually be equal to the value STYPE_DISKTREE_TEMPORARY (0x40000000) which is STYPE_DISKTREE (0x00000000) OR'd with STYPE_TEMPORARY (0x40000000).
**Comment:** This value has been deprecated and will be removed in version 6.0 of the language.
|
+| | The empty string value is permitted here to allow for empty elements associated with variable references.
|
+
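Review bot: the DWORD values on the two deprecated rows contradict their own deprecation text. The STYPE_SPECIAL row says `The DWORD value that this corresponds to is 0x40000000.` while its Reason states STYPE_SPECIAL is 0x80000000, and the STYPE_TEMPORARY row says 0x80000000 while its Reason states 0x40000000; the two values appear swapped and should match the Reason text and the STYPE_DISKTREE_SPECIAL (0x80000000) and STYPE_DISKTREE_TEMPORARY (0x40000000) rows above. Also, `is a interprocess communication` in the four STYPE_IPC rows should read `an interprocess communication` (or `an IPC share`).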
+## == EntityObjectSystemMetricIndexType ==
+
+The EntityObjectSystemMetricIndexType complex type defines the different values that are valid for the index entity of a system metric object. These values describe the system metric or configuration setting to be retrieved. The empty string is also allowed as a valid value to support an empty element that is found when a variable reference is used within the index entity. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values. Please note that the values identified are for the index entity and are not valid values for the datatype attribute.
+
+**Restricts:** [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType)
+
+| Value | Description |
+| ----- | ----------- |
+| SM_ARRANGE | The flags that specify how the system arranged minimized windows.
|
+| SM_CLEANBOOT | The value that specifies how the system is started.
|
+| SM_CMONITORS | The number of display monitors on a desktop.
|
+| SM_CMOUSEBUTTONS | The number of buttons on a mouse, or zero if no mouse is installed.
|
+| SM_CXBORDER | The width of a window border, in pixels. This is equivalent to the SM_CXEDGE value for windows with the 3-D look.
|
+| SM_CXCURSOR | The width of a cursor, in pixels. The system cannot create cursors of other sizes.
|
+| SM_CXDLGFRAME | This value is the same as SM_CXFIXEDFRAME.
|
+| SM_CXDOUBLECLK | The width of the rectangle around the location of a first click in a double-click sequence, in pixels.
|
+| SM_CXDRAG | The number of pixels on either side of a mouse-down point that the mouse pointer can move before a drag operation begins.
|
+| SM_CXEDGE | The width of a 3-D border, in pixels. This metric is the 3-D counterpart of SM_CXBORDER.
|
+| SM_CXFIXEDFRAME | The thickness of the frame around the perimeter of a window that has a caption but is not sizable, in pixels.
|
+| SM_CXFOCUSBORDER | The width of the left and right edges of the focus rectangle that the DrawFocusRect draws.
|
+| SM_CXFRAME | This value is the same as SM_CXSIZEFRAME.
|
+| SM_CXFULLSCREEN | The width of the client area for a full-screen window on the primary display monitor, in pixels.
|
+| SM_CXHSCROLL | The width of the arrow bitmap on a horizontal scroll bar, in pixels.
|
+| SM_CXHTHUMB | The width of the thumb box in a horizontal scroll bar, in pixels.
|
+| SM_CXICON | The default width of an icon, in pixels.
|
+| SM_CXICONSPACING | The width of a grid cell for items in large icon view, in pixels.
|
+| SM_CXMAXIMIZED | The default width, in pixels, of a maximized top-level window on the primary display monitor.
|
+| SM_CXMAXTRACK | The default maximum width of a window that has a caption and sizing borders, in pixels.
|
+| SM_CXMENUCHECK | The width of the default menu check-mark bitmap, in pixels.
|
+| SM_CXMENUSIZE | The width of menu bar buttons, such as the child window close button that is used in the multiple document interface, in pixels.
|
+| SM_CXMIN | The minimum width of a window, in pixels.
|
+| SM_CXMINIMIZED | The width of a minimized window, in pixels.
|
+| SM_CXMINSPACING | The width of a grid cell for a minimized window, in pixels.
|
+| SM_CXMINTRACK | The minimum tracking width of a window, in pixels.
|
+| SM_CXPADDEDBORDER | The amount of border padding for captioned windows, in pixels.
|
+| SM_CXSCREEN | The width of the screen of the primary display monitor, in pixels.
|
+| SM_CXSIZE | The width of a button in a window caption or title bar, in pixels.
|
+| SM_CXSIZEFRAME | The thickness of the sizing border around the perimeter of a window that can be resized, in pixels.
|
+| SM_CXSMICON | The recommended width of a small icon, in pixels.
|
+| SM_CXSMSIZE | The width of small caption buttons, in pixels.
|
+| SM_CXVIRTUALSCREEN | The width of the virtual screen, in pixels.
|
+| SM_CXVSCROLL | The width of a vertical scroll bar, in pixels.
|
+| SM_CYBORDER | The height of a window border, in pixels.
|
+| SM_CYCAPTION | The height of a caption area, in pixels.
|
+| SM_CYCURSOR | The height of a cursor, in pixels.
|
+| SM_CYDLGFRAME | This value is the same as SM_CYFIXEDFRAME.
|
+| SM_CYDOUBLECLK | The height of the rectangle around the location of a first click in a double-click sequence, in pixels.
|
+| SM_CYDRAG | The number of pixels above and below a mouse-down point that the mouse pointer can move before a drag operation begins.
|
+| SM_CYEDGE | The height of a 3-D border, in pixels. This is the 3-D counterpart of SM_CYBORDER.
|
+| SM_CYFIXEDFRAME | The thickness of the frame around the perimeter of a window that has a caption but is not sizable, in pixels.
|
+| SM_CYFOCUSBORDER | The height of the top and bottom edges of the focus rectangle drawn by DrawFocusRect. This value is in pixels.
|
+| SM_CYFRAME | This value is the same as SM_CYSIZEFRAME.
|
+| SM_CYFULLSCREEN | The height of the client area for a full-screen window on the primary display monitor, in pixels.
|
+| SM_CYHSCROLL | The height of a horizontal scroll bar, in pixels.
|
+| SM_CYICON | The default height of an icon, in pixels.
|
+| SM_CYICONSPACING | The height of a grid cell for items in large icon view, in pixels.
|
+| SM_CYKANJIWINDOW | For double byte character set versions of the system, this is the height of the Kanji window at the bottom of the screen, in pixels.
|
+| SM_CYMAXIMIZED | The default height, in pixels, of a maximized top-level window on the primary display monitor.
|
+| SM_CYMAXTRACK | The default maximum height of a window that has a caption and sizing borders, in pixels.
|
+| SM_CYMENU | The height of a single-line menu bar, in pixels.
|
+| SM_CYMENUCHECK | The height of the default menu check-mark bitmap, in pixels.
|
+| SM_CYMENUSIZE | The height of menu bar buttons, such as the child window close button that is used in the multiple document interface, in pixels.
|
+| SM_CYMIN | The minimum height of a window, in pixels.
|
+| SM_CYMINIMIZED | The height of a minimized window, in pixels.
|
+| SM_CYMINSPACING | The height of a grid cell for a minimized window, in pixels.
|
+| SM_CYMINTRACK | The minimum tracking height of a window, in pixels.
|
+| SM_CYSCREEN | The height of the screen of the primary display monitor, in pixels.
|
+| SM_CYSIZE | The height of a button in a window caption or title bar, in pixels.
|
+| SM_CYSIZEFRAME | The thickness of the sizing border around the perimeter of a window that can be resized, in pixels.
|
+| SM_CYSMCAPTION | The height of a small caption, in pixels.
|
+| SM_CYSMICON | The recommended height of a small icon, in pixels.
|
+| SM_CYSMSIZE | The height of small caption buttons, in pixels.
|
+| SM_CYVIRTUALSCREEN | The height of the virtual screen, in pixels. The virtual screen is the bounding rectangle of all display monitors.
|
+| SM_CYVSCROLL | The height of the arrow bitmap on a vertical scroll bar, in pixels.
|
+| SM_CYVTHUMB | The height of the thumb box in a vertical scroll bar, in pixels.
|
+| SM_DBCSENABLED | Nonzero if User32.dll supports DBCS; otherwise, 0.
|
+| SM_DEBUG | Nonzero if the debug version of User.exe is installed; otherwise, 0.
|
+| SM_DIGITIZER | Nonzero if the current operating system is Windows 7 or Windows Server 2008 R2 and the Tablet PC Input service is started; otherwise, 0. The return value is a bitmask that specifies the type of digitizer input supported by the device.
|
+| SM_IMMENABLED | Nonzero if Input Method Manager/Input Method Editor features are enabled; otherwise, 0.
|
+| SM_MAXIMUMTOUCHES | Nonzero if there are digitizers in the system; otherwise, 0.
|
+| SM_MEDIACENTER | Nonzero if the current operating system is the Windows XP, Media Center Edition, 0 if not.
|
+| SM_MENUDROPALIGNMENT | Nonzero if drop-down menus are right-aligned with the corresponding menu-bar item; 0 if the menus are left-aligned.
|
+| SM_MIDEASTENABLED | Nonzero if the system is enabled for Hebrew and Arabic languages, 0 if not.
|
+| SM_MOUSEPRESENT | Nonzero if a mouse is installed; otherwise, 0.
|
+| SM_MOUSEHORIZONTALWHEELPRESENT | Nonzero if a mouse with a horizontal scroll wheel is installed; otherwise 0.
|
+| SM_MOUSEWHEELPRESENT | Nonzero if a mouse with a vertical scroll wheel is installed; otherwise 0.
|
+| SM_NETWORK | The least significant bit is set if a network is present; otherwise, it is cleared.
|
+| SM_PENWINDOWS | Nonzero if the Microsoft Windows for Pen computing extensions are installed; zero otherwise.
|
+| SM_REMOTECONTROL | This system metric is used in a Terminal Services environment to determine if the current Terminal Server session is being remotely controlled. Its value is nonzero if the current session is remotely controlled; otherwise, 0.
|
+| SM_REMOTESESSION | This system metric is used in a Terminal Services environment. If the calling process is associated with a Terminal Services client session, the return value is nonzero. If the calling process is associated with the Terminal Services console session, the return value is 0.
|
+| SM_SAMEDISPLAYFORMAT | Nonzero if all the display monitors have the same color format, otherwise, 0.
|
+| SM_SECURE | This system metric should be ignored; it always returns 0.
|
+| SM_SERVERR2 | The build number if the system is Windows Server 2003 R2; otherwise, 0.
|
+| SM_SHOWSOUNDS | Nonzero if the user requires an application to present information visually in situations where it would otherwise present the information only in audible form; otherwise, 0.
|
+| SM_SHUTTINGDOWN | Nonzero if the current session is shutting down; otherwise, 0.
|
+| SM_SLOWMACHINE | Nonzero if the computer has a low-end (slow) processor; otherwise, 0.
|
+| SM_STARTER | Nonzero if the current operating system is Windows 7 Starter Edition, Windows Vista Starter, or Windows XP Starter Edition; otherwise, 0.
|
+| SM_SWAPBUTTON | Nonzero if the meanings of the left and right mouse buttons are swapped; otherwise, 0.
|
+| SM_TABLETPC | Nonzero if the current operating system is the Windows XP Tablet PC edition or if the current operating system is Windows Vista or Windows 7 and the Tablet PC Input service is started; otherwise, 0.
|
+| SM_XVIRTUALSCREEN | The coordinates for the left side of the virtual screen.
|
+| SM_YVIRTUALSCREEN | The coordinates for the top of the virtual screen.
|
+| | The empty string value is permitted here to allow for empty elements associated with variable references.
|
+
+## == EntityStateSystemMetricIndexType ==
+
+The EntityStateSystemMetricIndexType complex type defines the different values that are valid for the index entity of a systemmetric_state. These values describe the system metric or configuration setting to be retrieved. The empty string is also allowed as a valid value to support an empty element that is found when a variable reference is used within the index entity. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values. Please note that the values identified are for the index entity and are not valid values for the datatype attribute.
+
+**Restricts:** [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType)
+
+| Value | Description |
+| ----- | ----------- |
+| SM_ARRANGE | The flags that specify how the system arranged minimized windows.
|
+| SM_CLEANBOOT | The value that specifies how the system is started.
|
+| SM_CMONITORS | The number of display monitors on a desktop.
|
+| SM_CMOUSEBUTTONS | The number of buttons on a mouse, or zero if no mouse is installed.
|
+| SM_CXBORDER | The width of a window border, in pixels. This is equivalent to the SM_CXEDGE value for windows with the 3-D look.
|
+| SM_CXCURSOR | The width of a cursor, in pixels. The system cannot create cursors of other sizes.
|
+| SM_CXDLGFRAME | This value is the same as SM_CXFIXEDFRAME.
|
+| SM_CXDOUBLECLK | The width of the rectangle around the location of a first click in a double-click sequence, in pixels.
|
+| SM_CXDRAG | The number of pixels on either side of a mouse-down point that the mouse pointer can move before a drag operation begins.
|
+| SM_CXEDGE | The width of a 3-D border, in pixels. This metric is the 3-D counterpart of SM_CXBORDER.
|
+| SM_CXFIXEDFRAME | The thickness of the frame around the perimeter of a window that has a caption but is not sizable, in pixels.
|
+| SM_CXFOCUSBORDER | The width of the left and right edges of the focus rectangle that the DrawFocusRect draws.
|
+| SM_CXFRAME | This value is the same as SM_CXSIZEFRAME.
|
+| SM_CXFULLSCREEN | The width of the client area for a full-screen window on the primary display monitor, in pixels.
|
+| SM_CXHSCROLL | The width of the arrow bitmap on a horizontal scroll bar, in pixels.
|
+| SM_CXHTHUMB | The width of the thumb box in a horizontal scroll bar, in pixels.
|
+| SM_CXICON | The default width of an icon, in pixels.
|
+| SM_CXICONSPACING | The width of a grid cell for items in large icon view, in pixels.
|
+| SM_CXMAXIMIZED | The default width, in pixels, of a maximized top-level window on the primary display monitor.
|
+| SM_CXMAXTRACK | The default maximum width of a window that has a caption and sizing borders, in pixels.
|
+| SM_CXMENUCHECK | The width of the default menu check-mark bitmap, in pixels.
|
+| SM_CXMENUSIZE | The width of menu bar buttons, such as the child window close button that is used in the multiple document interface, in pixels.
|
+| SM_CXMIN | The minimum width of a window, in pixels.
|
+| SM_CXMINIMIZED | The width of a minimized window, in pixels.
|
+| SM_CXMINSPACING | The width of a grid cell for a minimized window, in pixels.
|
+| SM_CXMINTRACK | The minimum tracking width of a window, in pixels.
|
+| SM_CXPADDEDBORDER | The amount of border padding for captioned windows, in pixels.
|
+| SM_CXSCREEN | The width of the screen of the primary display monitor, in pixels.
|
+| SM_CXSIZE | The width of a button in a window caption or title bar, in pixels.
|
+| SM_CXSIZEFRAME | The thickness of the sizing border around the perimeter of a window that can be resized, in pixels.
|
+| SM_CXSMICON | The recommended width of a small icon, in pixels.
|
+| SM_CXSMSIZE | The width of small caption buttons, in pixels.
|
+| SM_CXVIRTUALSCREEN | The width of the virtual screen, in pixels.
|
+| SM_CXVSCROLL | The width of a vertical scroll bar, in pixels.
|
+| SM_CYBORDER | The height of a window border, in pixels.
|
+| SM_CYCAPTION | The height of a caption area, in pixels.
|
+| SM_CYCURSOR | The height of a cursor, in pixels.
|
+| SM_CYDLGFRAME | This value is the same as SM_CYFIXEDFRAME.
|
+| SM_CYDOUBLECLK | The height of the rectangle around the location of a first click in a double-click sequence, in pixels.
|
+| SM_CYDRAG | The number of pixels above and below a mouse-down point that the mouse pointer can move before a drag operation begins.
|
+| SM_CYEDGE | The height of a 3-D border, in pixels. This is the 3-D counterpart of SM_CYBORDER.
|
+| SM_CYFIXEDFRAME | The thickness of the frame around the perimeter of a window that has a caption but is not sizable, in pixels.
|
+| SM_CYFOCUSBORDER | The height of the top and bottom edges of the focus rectangle drawn by DrawFocusRect. This value is in pixels.
|
+| SM_CYFRAME | This value is the same as SM_CYSIZEFRAME.
|
+| SM_CYFULLSCREEN | The height of the client area for a full-screen window on the primary display monitor, in pixels.
|
+| SM_CYHSCROLL | The height of a horizontal scroll bar, in pixels.
|
+| SM_CYICON | The default height of an icon, in pixels.
|
+| SM_CYICONSPACING | The height of a grid cell for items in large icon view, in pixels.
|
+| SM_CYKANJIWINDOW | For double byte character set versions of the system, this is the height of the Kanji window at the bottom of the screen, in pixels.
|
+| SM_CYMAXIMIZED | The default height, in pixels, of a maximized top-level window on the primary display monitor.
|
+| SM_CYMAXTRACK | The default maximum height of a window that has a caption and sizing borders, in pixels.
|
+| SM_CYMENU | The height of a single-line menu bar, in pixels.
|
+| SM_CYMENUCHECK | The height of the default menu check-mark bitmap, in pixels.
|
+| SM_CYMENUSIZE | The height of menu bar buttons, such as the child window close button that is used in the multiple document interface, in pixels.
|
+| SM_CYMIN | The minimum height of a window, in pixels.
|
+| SM_CYMINIMIZED | The height of a minimized window, in pixels.
|
+| SM_CYMINSPACING | The height of a grid cell for a minimized window, in pixels.
|
+| SM_CYMINTRACK | The minimum tracking height of a window, in pixels.
|
+| SM_CYSCREEN | The height of the screen of the primary display monitor, in pixels.
|
+| SM_CYSIZE | The height of a button in a window caption or title bar, in pixels.
|
+| SM_CYSIZEFRAME | The thickness of the sizing border around the perimeter of a window that can be resized, in pixels.
|
+| SM_CYSMCAPTION | The height of a small caption, in pixels.
|
+| SM_CYSMICON | The recommended height of a small icon, in pixels.
|
+| SM_CYSMSIZE | The height of small caption buttons, in pixels.
|
+| SM_CYVIRTUALSCREEN | The height of the virtual screen, in pixels. The virtual screen is the bounding rectangle of all display monitors.
|
+| SM_CYVSCROLL | The height of the arrow bitmap on a vertical scroll bar, in pixels.
|
+| SM_CYVTHUMB | The height of the thumb box in a vertical scroll bar, in pixels.
|
+| SM_DBCSENABLED | Nonzero if User32.dll supports DBCS; otherwise, 0.
|
+| SM_DEBUG | Nonzero if the debug version of User.exe is installed; otherwise, 0.
|
+| SM_DIGITIZER | Nonzero if the current operating system is Windows 7 or Windows Server 2008 R2 and the Tablet PC Input service is started; otherwise, 0. The return value is a bitmask that specifies the type of digitizer input supported by the device.
|
+| SM_IMMENABLED | Nonzero if Input Method Manager/Input Method Editor features are enabled; otherwise, 0.
|
+| SM_MAXIMUMTOUCHES | Nonzero if there are digitizers in the system; otherwise, 0.
|
+| SM_MEDIACENTER | Nonzero if the current operating system is the Windows XP, Media Center Edition, 0 if not.
|
+| SM_MENUDROPALIGNMENT | Nonzero if drop-down menus are right-aligned with the corresponding menu-bar item; 0 if the menus are left-aligned.
|
+| SM_MIDEASTENABLED | Nonzero if the system is enabled for Hebrew and Arabic languages, 0 if not.
|
+| SM_MOUSEPRESENT | Nonzero if a mouse is installed; otherwise, 0.
|
+| SM_MOUSEHORIZONTALWHEELPRESENT | Nonzero if a mouse with a horizontal scroll wheel is installed; otherwise 0.
|
+| SM_MOUSEWHEELPRESENT | Nonzero if a mouse with a vertical scroll wheel is installed; otherwise 0.
|
+| SM_NETWORK | The least significant bit is set if a network is present; otherwise, it is cleared.
|
+| SM_PENWINDOWS | Nonzero if the Microsoft Windows for Pen computing extensions are installed; zero otherwise.
|
+| SM_REMOTECONTROL | This system metric is used in a Terminal Services environment to determine if the current Terminal Server session is being remotely controlled. Its value is nonzero if the current session is remotely controlled; otherwise, 0.
|
+| SM_REMOTESESSION | This system metric is used in a Terminal Services environment. If the calling process is associated with a Terminal Services client session, the return value is nonzero. If the calling process is associated with the Terminal Services console session, the return value is 0.
|
+| SM_SAMEDISPLAYFORMAT | Nonzero if all the display monitors have the same color format, otherwise, 0.
|
+| SM_SECURE | This system metric should be ignored; it always returns 0.
|
+| SM_SERVERR2 | The build number if the system is Windows Server 2003 R2; otherwise, 0.
|
+| SM_SHOWSOUNDS | Nonzero if the user requires an application to present information visually in situations where it would otherwise present the information only in audible form; otherwise, 0.
|
+| SM_SHUTTINGDOWN | Nonzero if the current session is shutting down; otherwise, 0.
|
+| SM_SLOWMACHINE | Nonzero if the computer has a low-end (slow) processor; otherwise, 0.
|
+| SM_STARTER | Nonzero if the current operating system is Windows 7 Starter Edition, Windows Vista Starter, or Windows XP Starter Edition; otherwise, 0.
|
+| SM_SWAPBUTTON | Nonzero if the meanings of the left and right mouse buttons are swapped; otherwise, 0.
|
+| SM_TABLETPC | Nonzero if the current operating system is the Windows XP Tablet PC edition or if the current operating system is Windows Vista or Windows 7 and the Tablet PC Input service is started; otherwise, 0.
|
+| SM_XVIRTUALSCREEN | The coordinates for the left side of the virtual screen.
|
+| SM_YVIRTUALSCREEN | The coordinates for the top of the virtual screen.
|
+| | The empty string value is permitted here to allow for empty elements associated with variable references.
|
+
+## == EntityObjectGUIDType ==
+
+The EntityObjectGUIDType restricts a string value to a representation of a GUID, used for module ID. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the specified pattern restriction.
+
+**Restricts:** [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType)
+
+**Pattern:** (\{[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}\}){0,}
+
+## == EntityStateGUIDType ==
+
+The EntityStateGUIDType restricts a string value to a representation of a GUID, used for module ID. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the specified pattern restriction.
+
+**Restricts:** [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType)
+
+**Pattern:** (\{[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}\}){0,}
+
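Review bot: the **Pattern:** lines of EntityObjectGUIDType and EntityStateGUIDType, `(\{[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}\}){0,}`, admit any number of concatenated GUIDs (two brace groups back to back would validate), which is wider than the description's "a representation of a GUID" plus the empty string. If one GUID or nothing is what is meant, `{0,1}` (or `?`) on the group says that exactly; if the unbounded repeat is deliberate, the description should state it so content authors and tool implementers do not rely on the narrower reading. Minor wording in the same two descriptions: "used for module ID" and "support empty element" read better as "used for a module ID" and "support an empty element".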
+## == EntityObjectCmdletVerbType ==
+
+The EntityObjectCmdletVerbType restricts a string value to a set of allow cmdlet verbs. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the specified pattern restriction.
+
+**Restricts:** [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType)
+
+| Value | Description |
+| ----- | ----------- |
+| Approve | The Approve verb confirms or agrees to the status of a resource or process.
|
+| Assert | The Assert verb affirms the state of a resource.
|
+| Compare | The Compare verb evaluates the data from one resource against the data from another resource.
|
+| Confirm | The Confirm verb acknowledges, verifies, or validates, the state of a resource or process.
|
+| Find | The Find verb looks for an object in a container that is unknown, implied, optional, or specified.
|
+| Get | The Get verb specifies an action that retrieves a resource.
|
+| Import | The Import verb creates a resource from data that is stored in a persistent data store (such as a file) or in an interchange format.
|
+| Measure | The Measure verb identifies resources that are consumed by a specified operation, or retrieves statistics about a resource.
|
+| Read | The Read verb acquires information from a source.
|
+| Request | The Request verb asks for a resource or asks for permissions.
|
+| Resolve | The Resolve verb maps a shorthand representation of a resource to a more complete representation.
|
+| Search | The Search verb creates a reference to a resource in a container.
|
+| Select | The Select verb locates a resource in a container.
|
+| Show | The Show verb makes a resource visible to the user.
|
+| Test | The Test verb verifies the operation or consistency of a resource.
|
+| Trace | The Trace verb tracks the activities of a resource.
|
+| Watch | The Watch verb continually inspects or monitors a resource for changes.
|
+| | The empty string value is permitted here to allow for empty elements associated with variable references.
|
+
+## == EntityStateCmdletVerbType ==
+
+The EntityStateCmdletVerbType restricts a string value to a set of allow cmdlet verbs. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the specified pattern restriction.
+
+**Restricts:** [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType)
+
+| Value | Description |
+| ----- | ----------- |
+| Approve | The Approve verb confirms or agrees to the status of a resource or process.
|
+| Assert | The Assert verb affirms the state of a resource.
|
+| Compare | The Compare verb evaluates the data from one resource against the data from another resource.
|
+| Confirm | The Confirm verb acknowledges, verifies, or validates, the state of a resource or process.
|
+| Find | The Find verb looks for an object in a container that is unknown, implied, optional, or specified.
|
+| Get | The Get verb specifies an action that retrieves a resource.
|
+| Import | The Import verb creates a resource from data that is stored in a persistent data store (such as a file) or in an interchange format.
|
+| Measure | The Measure verb identifies resources that are consumed by a specified operation, or retrieves statistics about a resource.
|
+| Read | The Read verb acquires information from a source.
|
+| Request | The Request verb asks for a resource or asks for permissions.
|
+| Resolve | The Resolve verb maps a shorthand representation of a resource to a more complete representation.
|
+| Search | The Search verb creates a reference to a resource in a container.
|
+| Select | The Select verb locates a resource in a container.
|
+| Show | The Show verb makes a resource visible to the user.
|
+| Test | The Test verb verifies the operation or consistency of a resource.
|
+| Trace | The Trace verb tracks the activities of a resource.
|
+| Watch | The Watch verb continually inspects or monitors a resource for changes.
|
+| | The empty string value is permitted here to allow for empty elements associated with variable references.
|
+
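Review bot: the descriptions of EntityObjectCmdletVerbType and EntityStateCmdletVerbType ("restricts a string value to a set of allow cmdlet verbs") have a typo, "allow" should be "allowed", and their closing sentence tells authors to align variable values "with the specified pattern restriction" even though these types are enumerations with no pattern. The systemmetric index types above phrase it correctly as "align with the enumerated values"; suggest the same sentence here, and in the user-right types further down, which carry the same copied wording: "Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values."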
+## == EntityStateWindowsViewType ==
+
+The EntityStateWindowsViewType restricts a string value to a specific set of values: 32-bit and 64-bit. These values describe the different values possible for the windows view behavior.
+
+**Restricts:** [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType)
+
+| Value | Description |
+| ----- | ----------- |
+| 32_bit | Indicates the 32_bit windows view.
|
+| 64_bit | Indicates the 64_bit windows view.
|
+| | The empty string value is permitted here to allow for empty elements associated with variable references.
|
+
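Review bot: the EntityStateWindowsViewType description says the allowed values are "32-bit and 64-bit", but the enumerated literals in the table are `32_bit` and `64_bit`; quoting the literals in the description avoids content authors writing the hyphenated form, which would not validate. This description is also the only one in this group that omits the sentence stating that the empty string is allowed for variable references, although the table has that row; adding the sentence used by the neighbouring types keeps the text and the table consistent.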
+## == EntityObjectUserRightType ==
+
+The EntityObjectUserRightType restricts a string value to a specific set of values that describe the different user rights/privileges. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the specified pattern restriction.
+
+**Restricts:** [oval-def:EntityObjectStringType](oval-definitions-schema.md#EntityObjectStringType)
+
+| Value | Description |
+| ----- | ----------- |
+| SE_ASSIGNPRIMARYTOKEN_NAME | This privilege is required to assign the primary token of a process.
|
+| SE_AUDIT_NAME | This privilege is required to generate audit-log entries.
|
+| SE_BACKUP_NAME | This privilege is required to perform backup operations.
|
+| SE_CHANGE_NOTIFY_NAME | This privilege is required to receive notifications of changes to files or directories.
|
+| SE_CREATE_GLOBAL_NAME | This privilege is required to create named file mapping objects in the global namespace during Terminal Services sessions.
|
+| SE_CREATE_PAGEFILE_NAME | This privilege is required to create a paging file.
|
+| SE_CREATE_PERMANENT_NAME | This privilege is required to create a permanent object.
|
+| SE_CREATE_SYMBOLIC_LINK_NAME | This privilege is required to create a symbolic link.
|
+| SE_CREATE_TOKEN_NAME | This privilege is required to create a primary token.
|
+| SE_DEBUG_NAME | This privilege is required to debug and adjust the memory of a process owned by another account.
|
+| SE_ENABLE_DELEGATION_NAME | This privilege is required to mark user and computer accounts as trusted for delegation.
|
+| SE_IMPERSONATE_NAME | This privilege is required to impersonate.
|
+| SE_INC_BASE_PRIORITY_NAME | This privilege is required to increase the base priority of a process.
|
+| SE_INCREASE_QUOTA_NAME | This privilege is required to increase the quota assigned to a process.
|
+| SE_INC_WORKING_SET_NAME | This privilege is required to allocate more memory for applications that run in the context of users.
|
+| SE_LOAD_DRIVER_NAME | This privilege is required to load or unload a device driver.
|
+| SE_LOCK_MEMORY_NAME | This privilege is required to lock physical pages in memory.
|
+| SE_MACHINE_ACCOUNT_NAME | This privilege is required to create a computer account.
|
+| SE_MANAGE_VOLUME_NAME | This privilege is required to enable volume management privileges.
|
+| SE_PROF_SINGLE_PROCESS_NAME | This privilege is required to gather profiling information for a single process.
|
+| SE_RELABEL_NAME | This privilege is required to modify the mandatory integrity level of an object.
|
+| SE_REMOTE_SHUTDOWN_NAME | This privilege is required to shut down a system using a network request.
|
+| SE_RESTORE_NAME | This privilege is required to perform restore operations.
|
+| SE_SECURITY_NAME | This privilege is required to perform a number of security-related functions, such as controlling and viewing audit messages.
|
+| SE_SHUTDOWN_NAME | This privilege is required to shut down a local system.
|
+| SE_SYNC_AGENT_NAME | This privilege is required for a domain controller to use the Lightweight Directory Access Protocol directory synchronization services.
|
+| SE_SYSTEM_ENVIRONMENT_NAME | This privilege is required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information.
|
+| SE_SYSTEM_PROFILE_NAME | This privilege is required to gather profiling information for the entire system.
|
+| SE_SYSTEMTIME_NAME | This privilege is required to modify the system time.
|
+| SE_TAKE_OWNERSHIP_NAME | This privilege is required to take ownership of an object without being granted discretionary access.
|
+| SE_TCB_NAME | This privilege identifies its holder as part of the trusted computer base.
|
+| SE_TIME_ZONE_NAME | This privilege is required to adjust the time zone associated with the computer's internal clock.
|
+| SE_TRUSTED_CREDMAN_ACCESS_NAME | This privilege is required to access Credential Manager as a trusted caller.
|
+| SE_UNDOCK_NAME | This privilege is required to undock a laptop.
|
+| SE_UNSOLICITED_INPUT_NAME | This privilege is required to read unsolicited input from a terminal device.
|
+| SE_BATCH_LOGON_NAME | This account right is required for an account to log on using the batch logon type.
|
+| SE_DENY_BATCH_LOGON_NAME | This account right explicitly denies an account the right to log on using the batch logon type.
|
+| SE_DENY_INTERACTIVE_LOGON_NAME | This account right explicitly denies an account the right to log on using the interactive logon type.
|
+| SE_DENY_NETWORK_LOGON_NAME | This account right explicitly denies an account the right to log on using the network logon type.
|
+| SE_DENY_REMOTE_INTERACTIVE_LOGON_NAME | This account right explicitly denies an account the right to log on remotely using the interactive logon type.
|
+| SE_DENY_SERVICE_LOGON_NAME | This account right explicitly denies an account the right to log on using the service logon type.
|
+| SE_INTERACTIVE_LOGON_NAME | This account right is required for an account to log on using the interactive logon type.
|
+| SE_NETWORK_LOGON_NAME | This account right is required for an account to log on using the network logon type.
|
+| SE_REMOTE_INTERACTIVE_LOGON_NAME | This account right is required for an account to log on remotely using the interactive logon type.
|
+| SE_SERVICE_LOGON_NAME | This account right is required for an account to log on using the service logon type.
|
+| | The empty string value is permitted here to allow for empty elements associated with variable references.
|
+
+## == EntityStateUserRightType ==
+
+The EntityStateUserRightType restricts a string value to a specific set of values that describe the different user rights/privileges. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the specified pattern restriction.
+
+**Restricts:** [oval-def:EntityStateStringType](oval-definitions-schema.md#EntityStateStringType)
+
+| Value | Description |
+| ----- | ----------- |
+| SE_ASSIGNPRIMARYTOKEN_NAME | This privilege is required to assign the primary token of a process.
|
+| SE_AUDIT_NAME | This privilege is required to generate audit-log entries.
|
+| SE_BACKUP_NAME | This privilege is required to perform backup operations.
|
+| SE_CHANGE_NOTIFY_NAME | This privilege is required to receive notifications of changes to files or directories.
|
+| SE_CREATE_GLOBAL_NAME | This privilege is required to create named file mapping objects in the global namespace during Terminal Services sessions.
|
+| SE_CREATE_PAGEFILE_NAME | This privilege is required to create a paging file.
|
+| SE_CREATE_PERMANENT_NAME | This privilege is required to create a permanent object.
|
+| SE_CREATE_SYMBOLIC_LINK_NAME | This privilege is required to create a symbolic link.
|
+| SE_CREATE_TOKEN_NAME | This privilege is required to create a primary token.
|
+| SE_DEBUG_NAME | This privilege is required to debug and adjust the memory of a process owned by another account.
|
+| SE_ENABLE_DELEGATION_NAME | This privilege is required to mark user and computer accounts as trusted for delegation.
|
+| SE_IMPERSONATE_NAME | This privilege is required to impersonate.
|
+| SE_INC_BASE_PRIORITY_NAME | This privilege is required to increase the base priority of a process.
|
+| SE_INCREASE_QUOTA_NAME | This privilege is required to increase the quota assigned to a process.
|
+| SE_INC_WORKING_SET_NAME | This privilege is required to allocate more memory for applications that run in the context of users.
|
+| SE_LOAD_DRIVER_NAME | This privilege is required to load or unload a device driver.
|
+| SE_LOCK_MEMORY_NAME | This privilege is required to lock physical pages in memory.
|
+| SE_MACHINE_ACCOUNT_NAME | This privilege is required to create a computer account.
|
+| SE_MANAGE_VOLUME_NAME | This privilege is required to enable volume management privileges.
|
+| SE_PROF_SINGLE_PROCESS_NAME | This privilege is required to gather profiling information for a single process.
|
+| SE_RELABEL_NAME | This privilege is required to modify the mandatory integrity level of an object.
|
+| SE_REMOTE_SHUTDOWN_NAME | This privilege is required to shut down a system using a network request.
|
+| SE_RESTORE_NAME | This privilege is required to perform restore operations.
|
+| SE_SECURITY_NAME | This privilege is required to perform a number of security-related functions, such as controlling and viewing audit messages.
|
+| SE_SHUTDOWN_NAME | This privilege is required to shut down a local system.
|
+| SE_SYNC_AGENT_NAME | This privilege is required for a domain controller to use the Lightweight Directory Access Protocol directory synchronization services.
|
+| SE_SYSTEM_ENVIRONMENT_NAME | This privilege is required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information.
|
+| SE_SYSTEM_PROFILE_NAME | This privilege is required to gather profiling information for the entire system.
|
+| SE_SYSTEMTIME_NAME | This privilege is required to modify the system time.
|
+| SE_TAKE_OWNERSHIP_NAME | This privilege is required to take ownership of an object without being granted discretionary access.
|
+| SE_TCB_NAME | This privilege identifies its holder as part of the trusted computer base.
|
+| SE_TIME_ZONE_NAME | This privilege is required to adjust the time zone associated with the computer's internal clock.
|
+| SE_TRUSTED_CREDMAN_ACCESS_NAME | This privilege is required to access Credential Manager as a trusted caller.
|
+| SE_UNDOCK_NAME | This privilege is required to undock a laptop.
|
+| SE_UNSOLICITED_INPUT_NAME | This privilege is required to read unsolicited input from a terminal device.
|
+| SE_BATCH_LOGON_NAME | This account right is required for an account to log on using the batch logon type.
|
+| SE_DENY_BATCH_LOGON_NAME | This account right explicitly denies an account the right to log on using the batch logon type.
|
+| SE_DENY_INTERACTIVE_LOGON_NAME | This account right explicitly denies an account the right to log on using the interactive logon type.
|
+| SE_DENY_NETWORK_LOGON_NAME | This account right explicitly denies an account the right to log on using the network logon type.
|
+| SE_DENY_REMOTE_INTERACTIVE_LOGON_NAME | This account right explicitly denies an account the right to log on remotely using the interactive logon type.
|
+| SE_DENY_SERVICE_LOGON_NAME | This account right explicitly denies an account the right to log on using the service logon type.
|
+| SE_INTERACTIVE_LOGON_NAME | This account right is required for an account to log on using the interactive logon type.
|
+| SE_NETWORK_LOGON_NAME | This account right is required for an account to log on using the network logon type.
|
+| SE_REMOTE_INTERACTIVE_LOGON_NAME | This account right is required for an account to log on remotely using the interactive logon type.
|
+| SE_SERVICE_LOGON_NAME | This account right is required for an account to log on using the service logon type.
|
+| | The empty string value is permitted here to allow for empty elements associated with variable references.
|
+
diff --git a/guidelines/oval-schema-documentation/windows-system-characteristics-schema.md b/guidelines/oval-schema-documentation/windows-system-characteristics-schema.md
new file mode 100644
index 0000000..dd8d060
--- /dev/null
+++ b/guidelines/oval-schema-documentation/windows-system-characteristics-schema.md
@@ -0,0 +1,2153 @@
+# Open Vulnerability and Assessment Language: Element Dictionary
+
+* Schema: Windows System Characteristics
+* Version: 5.11.1:1.3
+* Release Date: 12/19/2016 10:00:00 PM
+
+The following is a description of the elements, types, and attributes that compose the Windows specific system characteristic items found in Open Vulnerability and Assessment Language (OVAL). Each item is an extension of the standard item element defined in the Core System Characteristic Schema. Through extension, each item inherits a set of elements and attributes that are shared amongst all OVAL Items. Each item is described in detail and should provide the information necessary to understand what each element and attribute represents. This document is intended for developers and assumes some familiarity with XML. A high level description of the interaction between the different tests and their relationship to the Core System Characteristic Schema is not outlined here.
+
+The OVAL Schema is maintained by the OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.cisecurity.org.
+
+______________
+
+## < ~~accesstoken_item~~ >
+
+> :small_red_triangle: **Deprecated As Of Version 5.11** :small_red_triangle:
**Reason:** Replaced by the userright_item. The accesstoken_test suffers from scalability issues when run on a domain controller and should not be used. See the userright_item.
**Comment:** This object has been deprecated and may be removed in a future version of the language.
+
+The access token item holds information about the individual privileges and rights associated with a specific access token. It is important to note that these privileges are specific to certain versions of Windows. As a result, the documentation for that version of Windows should be consulted for more information. Each privilege and right in the data section accepts a boolean value signifying whether the privilege is granted or not. It extends the standard ItemType as defined in the oval-system-characteristics schema and one should refer to the ItemType description for more information.
+
+**Extends:** [oval-sc:ItemType](oval-system-characteristics-schema.md#ItemType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| security_principle | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||Security principles include users or groups with either local or domain accounts, and computer accounts created when a computer joins a domain. In Windows, security principles are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. User rights and permissions to access objects such as Active Directory objects, files, and registry settings are assigned to security principles. In a domain environment, security principles should be identified in the form: "domain\trustee name". For local security principles use: "computer name\trustee name". For built-in accounts on the system, use the trustee name without a domain.
|
+| seassignprimarytokenprivilege | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||If this privilege is enabled, it allows a parent process to replace the access token that is associated with a child process.
|
+| seauditprivilege | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||If this privilege is enabled, it allows a process to generate audit records in the security log. The security log can be used to trace unauthorized system access.
|
+| sebackupprivilege | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||If this privilege is enabled, it allows the user to circumvent file and directory permissions to back up the system. The privilege is selected only when an application attempts access by using the NTFS backup application programming interface (API). Otherwise, normal file and directory permissions apply.
|
+| sechangenotifyprivilege | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||If this privilege is enabled, it allows the user to pass through folders to which the user otherwise has no access while navigating an object path in the NTFS file system or in the registry. This privilege does not allow the user to list the contents of a folder; it allows the user only to traverse its directories.
|
+| secreateglobalprivilege | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||If this privilege is enabled, it allows the user to create named file mapping objects in the global namespace during Terminal Services sessions.
|
+| secreatepagefileprivilege | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||If this privilege is enabled, it allows the user to create and change the size of a pagefile.
|
+| secreatepermanentprivilege | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||If this privilege is enabled, it allows a process to create a directory object in the object manager. It is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode have this privilege inherently.
|
+| secreatesymboliclinkprivilege | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||If this privilege is enabled, it allows a user create a symbolic link.
|
+| secreatetokenprivilege | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||If this privilege is enabled, it allows a process to create an access token by calling NtCreateToken() or other token-creating APIs.
|
+| sedebugprivilege | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||If this privilege is enabled, it allows the user to attach a debugger to any process. It provides access to sensitive and critical operating system components.
|
+| seenabledelegationprivilege | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||If this privilege is enabled, it allows the user to change the Trusted for Delegation setting on a user or computer object in Active Directory. The user or computer that is granted this privilege must also have write access to the account control flags on the object.
|
+| seimpersonateprivilege | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||If this privilege is enabled, it allows the user to impersonate a client after authentication.
|
+| seincreasebasepriorityprivilege | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||If this privilege is enabled, it allows a user to increase the base priority class of a process.
|
+| seincreasequotaprivilege | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||If this privilege is enabled, it allows a process that has access to a second process to increase the processor quota assigned to the second process.
|
+| seincreaseworkingsetprivilege | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||If this privilege is enabled, it allows a user to increase a process working set.
|
+| seloaddriverprivilege | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||If this privilege is enabled, it allows a user to install and remove drivers for Plug and Play devices.
|
+| selockmemoryprivilege | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||If this privilege is enabled, it allows a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk.
|
+| semachineaccountprivilege | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||If this privilege is enabled, it allows the user to add a computer to a specific domain.
|
+| semanagevolumeprivilege | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||If this privilege is enabled, it allows a non-administrative or remote user to manage volumes or disks.
|
+| seprofilesingleprocessprivilege | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||If this privilege is enabled, it allows a user to sample the performance of an application process.
|
+| serelabelprivilege | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||If this privilege is enabled, it allows a user to modify an object label.
|
+| seremoteshutdownprivilege | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||If this privilege is enabled, it allows a user to shut down a computer from a remote location on the network.
|
+| serestoreprivilege | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||If this privilege is enabled, it allows a user to circumvent file and directory permissions when restoring backed-up files and directories and to set any valid security principle as the owner of an object.
|
+| sesecurityprivilege | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||If this privilege is enabled, it allows a user to specify object access auditing options for individual resources such as files, Active Directory objects, and registry keys. A user who has this privilege can also view and clear the security log from Event Viewer.
|
+| seshutdownprivilege | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||If this privilege is enabled, it allows a user to shut down the local computer.
|
+| sesyncagentprivilege | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||If this privilege is enabled, it allows a process to read all objects and properties in the directory, regardless of the protection on the objects and properties. It is required in order to use Lightweight Directory Access Protocol (LDAP) directory synchronization (Dirsync) services.
|
+| sesystemenvironmentprivilege | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||If this privilege is enabled, it allows modification of system environment variables either by a process through an API or by a user through System Properties.
|
+| sesystemprofileprivilege | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||If this privilege is enabled, it allows a user to sample the performance of system processes.
|
+| sesystemtimeprivilege | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||If this privilege is enabled, it allows the user to adjust the time on the computer's internal clock. It is not required to change the time zone or other display characteristics of the system time.
|
+| setakeownershipprivilege | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||If this privilege is enabled, it allows a user to take ownership of any securable object in the system, including Active Directory objects, NTFS files and folders, printers, registry keys, services, processes, and threads.
|
+| setcbprivilege | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||If this privilege is enabled, it allows a process to assume the identity of any user and thus gain access to the resources that the user is authorized to access.
|
+| setimezoneprivilege | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||If this privilege is enabled, it allows a user to change the time zone.
|
+| seundockprivilege | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||If this privilege is enabled, it allows the user of a portable computer to undock the computer by clicking Eject PC on the Start menu.
|
+| seunsolicitedinputprivilege | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||If this privilege is enabled, it allows the user to read unsolicited data from a terminal device.
|
+| sebatchlogonright | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||If an account is assigned this right, it can log on using the batch logon type.
|
+| seinteractivelogonright | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||If an account is assigned this right, it can log on using the interactive logon type.
|
+| senetworklogonright | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||If an account is assigned this right, it can log on using the network logon type.
|
+| seremoteinteractivelogonright | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||If an account is assigned this right, it can log on to the computer by using a Remote Desktop connection.
|
+| seservicelogonright | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||If an account is assigned this right, it can log on using the service logon type.
|
+| sedenybatchLogonright | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||If an account is assigned this right, it is explicitly denied the ability to log on using the batch logon type.
|
+| sedenyinteractivelogonright | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||If an account is assigned this right, it is explicitly denied the ability to log on using the interactive logon type.
|
+| sedenynetworklogonright | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||If an account is assigned this right, it is explicitly denied the ability to log on using the network logon type.
|
+| sedenyremoteInteractivelogonright | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||If an account is assigned this right, it is explicitly denied the ability to log on through Terminal Services.
|
+| sedenyservicelogonright | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||If an account is assigned this right, it is explicitly denied the ability to log on using the service logon type.
|
+| setrustedcredmanaccessnameright | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||If an account is assigned this right, it can access the Credential Manager as a trusted caller.
|
+
+______________
+
+## < ~~activedirectory_item~~ >
+
+> :small_red_triangle: **Deprecated As Of Version 5.11.1:1.2** :small_red_triangle:
**Reason:** Use the original activedirectory_item. The activedirectory57_test suffers from ambiguity; it was never adequately specified, and it does not even seem possible to have structured data in the context of the enumerated AdstypeTypes. Use the original activedirectory_test instead.
**Comment:** This object has been deprecated and may be removed in a future version of the language.
+
+The active directory item holds information about specific entries in the Windows Active Directory. It extends the standard ItemType as defined in the oval-system-characteristics schema and one should refer to the ItemType description for more information.
+
+Note that this ite supports only simple (string based) value collection. For more complex values see the activedirectory57_item.
+
+**Extends:** [oval-sc:ItemType](oval-system-characteristics-schema.md#ItemType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| naming_context | [win-sc:EntityItemNamingContextType](#EntityItemNamingContextType) (0..1) |
+||Each object in active directory exists under a certain naming context (also known as a partition). A naming context is defined as a single object in the Directory Information Tree (DIT) along with every object in the tree subordinate to it. There are three default naming contexts in Active Directory: domain, configuration, and schema.
|
+| relative_dn | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The relative_dn field is used to uniquely identify an object inside the specified naming context. It contains all the parts of the objects distinguished name except those outlined by the naming context. If the xsi:nil attribute is set to true, then the item being represented is the higher level naming context.
|
+| attribute | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||Specifies a named value contained by the object.
|
+| object_class | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The name of the class of which the object is an instance.
|
+| adstype | [win-sc:EntityItemAdstypeType](#EntityItemAdstypeType) (0..1) |
+||Specifies the type of information that the specified attribute represents.
|
+| value | [oval-sc:EntityItemAnySimpleType](oval-system-characteristics-schema.md#EntityItemAnySimpleType) (0..unbounded) |
+||The actual value of the specified active directory attribute.
|
+
+______________
+
+## < activedirectory57_item >
+
+The activedirectory57_item holds information about specific entries in the Windows Active Directory. It extends the standard ItemType as defined in the oval-system-characteristics schema and one should refer to the ItemType description for more information.
+
+Note that this item supports complex values that are in the form of a record. For simple (string based) value collection see the activedirectory_item.
+
+**Extends:** [oval-sc:ItemType](oval-system-characteristics-schema.md#ItemType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| naming_context | [win-sc:EntityItemNamingContextType](#EntityItemNamingContextType) (0..1) |
+||Each object in active directory exists under a certain naming context (also known as a partition). A naming context is defined as a single object in the Directory Information Tree (DIT) along with every object in the tree subordinate to it. There are three default naming contexts in Active Directory: domain, configuration, and schema.
|
+| relative_dn | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The relative_dn field is used to uniquely identify an object inside the specified naming context. It contains all the parts of the objects distinguished name except those outlined by the naming context. If the xsi:nil attribute is set to true, then the item being represented is the higher level naming context.
|
+| attribute | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||Specifies a named value contained by the object.
|
+| object_class | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The name of the class of which the object is an instance.
|
+| adstype | [win-sc:EntityItemAdstypeType](#EntityItemAdstypeType) (0..1) |
+||Specifies the type of information that the specified attribute represents.
|
+| value | [oval-sc:EntityItemRecordType](oval-system-characteristics-schema.md#EntityItemRecordType) (0..unbounded) |
+||The actual value of the specified Active Directory attribute. Note that while an Active Directory attribute can contain structured data where it is necessary to collect multiple related fields that can be described by the 'record' datatype, it is not always the case. It also is possible that an Active Directory attribute can contain only a single value or an array of values. In these cases, there is not a name to uniquely identify the corresponding field(s) which is a requirement for fields in the 'record' datatype. As a result, the name of the Active Directory attribute will be used to uniquely identify the field(s) and satisfy this requirement. If the Active Directory attribute contains a single value, the 'record' will have a single field identified by the name of the Active Directory attribute. If the Active Directory attribute contains an array of values, the 'record' will have multiple fields all identified by the name of the Active Directory attribute
|
+
+______________
+
+## < auditeventpolicy_item >
+
+The auditeventpolicy item enumerates the different types of events the system should audit. The defined values are found in window's POLICY_AUDIT_EVENT_TYPE enumeration and accessed through the LsaQueryInformationPolicy when the InformationClass parameters are set to PolicyAuditEventsInformation. It extends the standard ItemType as defined in the oval-system-characteristics schema and one should refer to the ItemType description for more information.
+
+Note that when audinting is disabled each of the entities listed below should be set to 'AUDIT_NONE'.
+
+**Extends:** [oval-sc:ItemType](oval-system-characteristics-schema.md#ItemType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| account_logon | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||Audit attempts to log on to or log off of the system. Also, audit attempts to make a network connection.
|
+| account_management | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||Audit attempts to create, delete, or change user or group accounts. Also, audit password changes.
|
+| detailed_tracking | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||Audit specific events, such as program activation, some forms of handle duplication, indirect access to an object, and process exit.
|
+| directory_service_access | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||Audit attempts to access the directory service.
|
+| logon | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||Audit attempts to log on to or log off of the system. Also, audit attempts to make a network connection.
|
+| object_access | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||Audit attempts to access securable objects, such as files.
|
+| policy_change | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||Audit attempts to change Policy object rules.
|
+| privilege_use | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||Audit attempts to use privileges.
|
+| system | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||Audit attempts to shut down or restart the computer. Also, audit events that affect system security or the security log.
|
+
+______________
+
+## < auditeventpolicysubcategories_item >
+
+The auditeventpolicysubcategories_item is used to hold information about the audit event policy settings on a Windows system. These settings are used to specify which system and network events are monitored. For example, if the credential_validation element has a value of AUDIT_FAILURE, it means that the system is configured to log all unsuccessful attempts to validate a user account on a system. It is important to note that these audit event policy settings are specific to certain versions of Windows. As a result, the documentation for that version of Windows should be consulted for more information on each setting. It extends the standard ItemType as defined in the oval-system-characteristics schema and one should refer to the ItemType description for more information.
+
+Note that when audinting is disabled each of the entities listed below should be set to 'AUDIT_NONE'.
+
+**Extends:** [oval-sc:ItemType](oval-system-characteristics-schema.md#ItemType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| credential_validation | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||Audit the events produced during the validation of a user's logon credentials. This state corresponds with the following GUID specified in ntsecapi.h: 0cce923f-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Account Logon: Audit Credential Validation
|
+| kerberos_authentication_service | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||Audit the events produced by Kerberos authentication ticket-granting requests. This state corresponds with the following GUID specified in ntsecapi.h: 0CCE9242-69AE-11D9-BED3-505054503030. This state corresponds with the following Advanced Audit Policy: Account Logon: Audit Kerboros Authentication Service
|
+| kerberos_service_ticket_operations | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||Audit the events produced by Kerberos service ticket requests. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9240-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Account Logon: Audit Kerberos Service Ticket Operations
|
+| ~~kerberos_ticket_events~~ | ~~[win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1~~) |
+||~~Audit the events produced during the validation of Kerberos tickets provided for a user account logon request.
~~|
+| other_account_logon_events | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||Audit the events produced by changes to user accounts that are not covered by other events in the Account Logon category. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9241-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Account Logon: Audit Other Account Logon Events
|
+| application_group_management | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||Audit the events produced by changes to application groups. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9239-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Account Management: Audit Application Group Management
|
+| computer_account_management | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||Audit the events produced by changes to computer accounts. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9236-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Account Management: Audit Computer Account Management
|
+| distribution_group_management | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||Audit the events produced by changes to distribution groups. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9238-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Account Management: Audit Distribution Account Management
|
+| other_account_management_events | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||Audit the events produced by other user account changes that are not covered by other events in the Account Management category. This state corresponds with the following GUID specified in ntsecapi.h: 0cce923a-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Account Management: Audit Other Account Management Events
|
+| security_group_management | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||Audit the events produced by changes to security groups. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9237-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Account Management: Audit Security Group Management
|
+| user_account_management | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||Audit the events produced by changes to user accounts. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9235-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Account Management: Audit User Account Management
|
+| dpapi_activity | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||Audit the events produced when requests are made to the Data Protection application interface. This state corresponds with the following GUID specified in ntsecapi.h: 0cce922d-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Detailed Tracking: Audit DPAPI Activity
|
+| process_creation | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||Audit the events produced when a process is created or starts. This state corresponds with the following GUID specified in ntsecapi.h: 0cce922b-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Detailed Tracking: Audit Process Creation
|
+| process_termination | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||Audit the events produced when a process ends. This state corresponds with the following GUID specified in ntsecapi.h: 0cce922c-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Detailed Tracking: Audit Process Termination
|
+| rpc_events | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||Audit the events produced by inbound remote procedure call connections. This state corresponds with the following GUID specified in ntsecapi.h: 0cce922e-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Detailed Tracking: Audit RPC Events
|
+| directory_service_access | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||Audit the events produced when a Active Directory Domain Services object is accessed. This state corresponds with the following GUID specified in ntsecapi.h: 0cce923b-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: DS Access: Audit Directory Service Access
|
+| directory_service_changes | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||Audit the events produced when changes are made to Active Directory Domain Services objects. This state corresponds with the following GUID specified in ntsecapi.h: 0cce923c-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: DS Access: Audit Directory Service Changes
|
+| directory_service_replication | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||Audit the events produced when two Active Directory Domain Services domain controllers are replicated. This state corresponds with the following GUID specified in ntsecapi.h: 0cce923d-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: DS Access: Audit Directory Service Access
|
+| detailed_directory_service_replication | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||Audit the events produced by detailed Active Directory Domain Services replication between domain controllers. This state corresponds with the following GUID specified in ntsecapi.h: 0cce923e-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: DS Access: Audit Detailed Directory Service Replication
|
+| account_lockout | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||Audit the events produced by a failed attempt to log onto a locked out account. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9217-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Logon/Logoff: Audit Account Lockout
|
+| ipsec_extended_mode | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||Audit the events produced by Internet Key Exchange and Authenticated Internet protocol during Extended Mode negotiations. This state corresponds with the following GUID specified in ntsecapi.h: 0cce921a-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Logon/Logoff: Audit IPsec Extended Mode
|
+| ipsec_main_mode | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||Audit the events produced by Internet Key Exchange and Authenticated Internet protocol during Main Mode negotiations. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9218-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Logof/Logoff: Audit IPsec Main Mode
|
+| ipsec_quick_mode | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||Audit the events produced by Internet Key Exchange and Authenticated Internet protocol during Quick Mode negotiations. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9219-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Logon/Logoff: Audit IPsec Quick Mode
|
+| logoff | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||Audit the events produced by closing a logon session. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9216-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Logon/Logoff: Audit Logoff
|
+| logon | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||Audit the events produced by attempts to log onto a user account. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9215-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Logon/Logoff: Audit Logon
|
+| network_policy_server | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||Audit the events produced by RADIUS and Network Access Protection user access requests. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9243-69ae-11d9-bed3-505054503030.This state corresponds with the following Advanced Audit Policy: Logon/Logoff: Audit Network Policy Server
|
+| other_logon_logoff_events | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||Audit the events produced by other logon/logoff based events that are not covered in the Logon/Logoff category. This state corresponds with the following GUID specified in ntsecapi.h: 0cce921c-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Logon/Logoff: Audit Other Logon/Logoff Events
|
+| special_logon | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||Audit the events produced by special logons. This state corresponds with the following GUID specified in ntsecapi.h: 0cce921b-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Logon/Logoff: Audit Special Logon
|
+| logon_claims | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||Audit user and device claims information in the user's logon token. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9247-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Logon/Logoff: Audit User / Device Claims
|
+| application_generated | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||Audit the events produced by applications that use the Windows Auditing API. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9222-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Object Access: Audit Application Generated
|
+| certification_services | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||Audit the events produced by operations on Active Directory Certificate Services. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9221-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Object Access: Audit Certification Services
|
+| detailed_file_share | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||Audit the events produced by attempts to access files and folders on a shared folder. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9244-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Object Access: Audit Detailed File Share
|
+| file_share | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||Audit the events produced by attempts to access a shared folder. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9224-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Object Access: Audit File Share
|
+| file_system | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||Audit the events produced user attempts to access file system objects. This state corresponds with the following GUID specified in ntsecapi.h: 0cce921d-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Object Access: Audit File System
|
+| filtering_platform_connection | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||Audit the events produced by connections that are allowed or blocked by Windows Filtering Platform. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9226-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Object Access: Audit Filtering Platform Connection
|
+| filtering_platform_packet_drop | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||Audit the events produced by packets that are dropped by Windows Filtering Platform. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9225-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Object Access: Audit Filtering Platform Packet Drop
|
+| handle_manipulation | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||Audit the events produced when a handle is opened or closed. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9223-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Object Access: Handle Manipulation
|
+| kernel_object | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||Audit the events produced by attempts to access the system kernel. This state corresponds with the following GUID specified in ntsecapi.h: 0cce921f-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Object Access: Kernel Object
|
+| other_object_access_events | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||Audit the events produced by the management of Task Scheduler jobs or COM+ objects. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9227-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Object Access: Other Object Access Events
|
+| registry | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||Audit the events produced by attempts to access registry objects. This state corresponds with the following GUID specified in ntsecapi.h: 0cce921e-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Object Access: Audit Registry
|
+| sam | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||Audit the events produced by attempts to access Security Accounts Manager objects. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9220-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Object Access: Audit SAM
|
+| removable_storage | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||Audit events that indicate file object access attemps to removable storage. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9245-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Object Access: Audit Removable Storage
|
+| central_access_policy_staging | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||Audit events that indicate permission granted or denied by a proposed policy differs from the current central access policy on an object. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9246-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Object Access: Central Access Policy Staging
|
+| audit_policy_change | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||Audit the events produced by changes in security audit policy settings. This state corresponds with the following GUID specified in ntsecapi.h: 0cce922f-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Policy Change: Audit Audit Policy Change
|
+| authentication_policy_change | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||Audit the events produced by changes to the authentication policy. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9230-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Policy Change: Audit Authentication Policy Change
|
+| authorization_policy_change | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||Audit the events produced by changes to the authorization policy. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9231-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Policy Change: Audit Authorization Policy Change
|
+| filtering_platform_policy_change | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||Audit the events produced by changes to the Windows Filtering Platform. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9233-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Policy Change: Audit Filtering Platform Policy Change
|
+| mpssvc_rule_level_policy_change | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||Audit the events produced by changes to policy rules used by the Windows Firewall. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9232-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Policy Change: Audit MPSSVC Rule-Level Policy Change
|
+| other_policy_change_events | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||Audit the events produced by other security policy changes that are not covered other events in the Policy Change category. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9234-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Policy Change: Audit Other Policy Change Events
|
+| non_sensitive_privilege_use | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||Audit the events produced by the use of non-sensitive privileges. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9229-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Privilege Use: Audit Non Sensitive Privilege Use
|
+| other_privilege_use_events | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||This is currently not used and has been reserved by Microsoft for use in the future. This state corresponds with the following GUID specified in ntsecapi.h: 0cce922a-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Privilege Use: Audit Other Privilege Use Events
|
+| sensitive_privilege_use | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||Audit the events produced by the use of sensitive privileges. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9228-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Privilege Use: Audit Sensitive Privilege Use
|
+| ipsec_driver | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||Audit the events produced by the IPsec filter driver. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9213-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: System: Audit IPsec Driver
|
+| other_system_events | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||Audit the events produced by the startup and shutdown, security policy processing, and cryptography key file and migration operations of the Windows Firewall. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9214-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: System: Audit Other System Events
|
+| security_state_change | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||Audit the events produced by changes in the security state. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9210-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: System: Audit Security State Change
|
+| security_system_extension | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||Audit the events produced by the security system extensions or services. This state corresponds with the following GUID specified in ntsecapi.h: cce9211-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: System: Audit Security System Extension
|
+| system_integrity | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||Audit the events that indicate that the integrity security subsystem has been violated. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9212-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: System: Audit System Integrity
|
+| group_membership | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||This subcategory audits the group membership of a token for an associated log on. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9249-69ae-11d9-bed3-505054503030.
|
+| pnp_activity | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||This subcategory audits events generated by plug and play (PNP). This state corresponds with the following GUID specified in ntsecapi.h: 0cce9248-69ae-11d9-bed3-505054503030.
|
+| user_device_claims | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||This subcategory audits the user and device claims that are present in the token of an associated logon. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9247-69ae-11d9-bed3-505054503030.
|
+| audit_detailedtracking_tokenrightadjusted | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||This subcategory audits when token privileges are enabled or disabled for a specific account’s token. This state corresponds with the following GUID specified in ntsecapi.h: 0cce924a-69ae-11d9-bed3-505054503030.
|
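Review bot: the security_system_extension GUID is malformed and the directory_service_replication row names the wrong policy. The GUID given for security_system_extension reads `cce9211-69ae-11d9-bed3-505054503030`, one hex digit short of every other entry in this table (all the others begin `0cce92..`), so the leading `0` has been dropped. The directory_service_replication description ends with `Advanced Audit Policy: DS Access: Audit Directory Service Access`, which duplicates the policy name of the directory_service_access row two entries above; the subcategory name implies `Audit Directory Service Replication`, so this looks like a copy-paste slip. Also worth a pass before merge: logon_claims and user_device_claims both list GUID `0cce9247-69ae-11d9-bed3-505054503030`, so the table now carries the same audit subcategory under two element names without saying so, which will confuse content authors unless one row is cross-referenced to the other; `Logof/Logoff` in ipsec_main_mode; a missing space before `This state` in network_policy_server; `produced user attempts` (file_system) and `not covered other events` (other_policy_change_events) each miss a `by`; `attemps` in removable_storage; and the curly apostrophe in `account’s` (audit_detailedtracking_tokenrightadjusted) should be the plain ASCII apostrophe used elsewhere in the file.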
+
+______________
+
+## < cmdlet_item >
+
+The cmdlet_item represents a PowerShell cmdlet, the parameters supplied to it, and the value it returned.
+
+**Extends:** [oval-sc:ItemType](oval-system-characteristics-schema.md#ItemType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| module_name | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The name of the module that contains the cmdlet.
|
+| module_id | [win-sc:EntityItemGUIDType](#EntityItemGUIDType) (0..1) |
+||The globally unique identifier for the module.
|
+| module_version | [oval-sc:EntityItemVersionType](oval-system-characteristics-schema.md#EntityItemVersionType) (0..1) |
+||The version of the module that contains the cmdlet in the form of MAJOR.MINOR.
|
+| verb | [win-sc:EntityItemCmdletVerbType](#EntityItemCmdletVerbType) (0..1) |
+||The cmdlet verb.
|
+| noun | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The cmdlet noun.
|
+| parameters | [oval-sc:EntityItemRecordType](oval-system-characteristics-schema.md#EntityItemRecordType) (0..1) |
+||A list of properties (name and value pairs) as input to invoke the cmdlet.
|
+| select | [oval-sc:EntityItemRecordType](oval-system-characteristics-schema.md#EntityItemRecordType) (0..1) |
+||A list of fields (name and value pairs) used as input to the Select-Object cmdlet to select specific output properties.
|
+| value | [oval-sc:EntityItemRecordType](oval-system-characteristics-schema.md#EntityItemRecordType) (0..unbounded) |
+||The expected value represented as a set of fields (name and value pairs).
|
+
+______________
+
+## < dnscache_item >
+
+The dnscache_item stores information retrieved from the DNS cache about a domain name, its time to live, and its corresponding IP addresses.
+
+**Extends:** [oval-sc:ItemType](oval-system-characteristics-schema.md#ItemType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| domain_name | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The domain_name element contains a string that represents a domain name that was collected from the DNS cache on the local system.
|
+| ttl | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||The ttl element contains an integer that represents the time to live in seconds of the DNS cache entry.
|
+| ip_address | [oval-sc:EntityItemIPAddressStringType](oval-system-characteristics-schema.md#EntityItemIPAddressStringType) (0..unbounded) |
+||The ip_address element contains a string that represents an IP address associated with the specified domain name. Note that the IP address can be IPv4 or IPv6.
|
+
+______________
+
+## < file_item >
+
+This element describes file metadata. The time information can be retrieved by the _stst function. Development_class and other version information (company, internal name, language, original_filename, product_name, product_version) can be retrieved using the VerQueryValue function.
+
+**Extends:** [oval-sc:ItemType](oval-system-characteristics-schema.md#ItemType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| filepath | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The filepath element specifies the absolute path for a file on the machine. A directory cannot be specified as a filepath.
|
+| path | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||Specifies the directory component of the absolute path to a file on the machine.
|
+| filename | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The name of the file. If the xsi:nil attribute is set to true, then the item being represented is the higher directory represented by the path entity. The other items associated with this item would then reflect the values associated with the directory.
|
+| owner | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||A string that contains the name of the owner. The name should be specified in the DOMAIN\username format.
|
+| size | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||Size of the file in bytes.
|
+| a_time | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||Time of last access of file. Valid on NTFS but not on FAT formatted disk drives. The string should represent the FILETIME structure which is a 64-bit value representing the number of 100-nanosecond intervals since January 1, 1601 (UTC).
|
+| c_time | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||Time of creation of file. Valid on NTFS but not on FAT formatted disk drives. The string should represent the FILETIME structure which is a 64-bit value representing the number of 100-nanosecond intervals since January 1, 1601 (UTC).
|
+| m_time | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||Time of last modification of file. The string should represent the FILETIME structure which is a 64-bit value representing the number of 100-nanosecond intervals since January 1, 1601 (UTC).
|
+| ms_checksum | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The checksum of the file as supplied by Microsoft's MapFileAndCheckSum function.
|
+| version | [oval-sc:EntityItemVersionType](oval-system-characteristics-schema.md#EntityItemVersionType) (0..1) |
+||The version of the file.
|
+| type | [win-sc:EntityItemFileTypeType](#EntityItemFileTypeType) (0..1) |
+||The type child element marks whether the file item describes a named pipe, standard file, etc. These types are the return values for GetFileType. For directories, this element must have a status of 'does not exist'.
|
+| attribute | [win-sc:EntityItemFileAttributeType](#EntityItemFileAttributeType) (0..unbounded) |
+||The attribute child elements denote the Windows file attributes associated with the file. These types are the return values for GetFileAttributes.
|
+| development_class | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The development_class element allows the distinction to be made between the GDR development environment and the QFE development environment. This field holds the text found in front of the mmmmmm-nnnn version, for example srv03_gdr.
|
+| company | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||This entity defines the company name held within the version-information structure.
|
+| internal_name | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||This entity defines the internal name held within the version-information structure.
|
+| language | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||This entity defines the language held within the version-information structure.
|
+| original_filename | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||This entity defines the original filename held within the version-information structure.
|
+| product_name | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||This entity defines the product name held within the version-information structure.
|
+| product_version | Restriction of [oval-sc:EntityItemAnySimpleType](oval-system-characteristics-schema.md#EntityItemAnySimpleType) . See schema for details. (0..1) |
+||This entity defines the product version held within the version-information structure. This may not necessarily be a string compatible with the OVAL version datatype, in which case the string datatype should be used.
|
+| windows_view | [win-sc:EntityItemWindowsViewType](#EntityItemWindowsViewType) (0..1) |
+||The windows view value from which this OVAL Item was collected. This is used to indicate from which view (32-bit or 64-bit), the associated Item was collected. A value of '32_bit' indicates the Item was collected from the 32-bit view. A value of '64-bit' indicates the Item was collected from the 64-bit view. Omitting this entity removes any assertion about which view the Item was collected from, and therefore it is strongly suggested that this entity be set.
|
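Review bot: the function name in the file_item introduction looks like a typo: `The time information can be retrieved by the _stst function` names a function that does not exist in the Windows CRT; the timestamp function is `_stat`, so this should be corrected before the page is published. Minor: the windows_view description writes the two allowed values as `'32_bit'` and `'64-bit'` (underscore in one, hyphen in the other); the enumeration values should be spelled consistently, and the same sentence is repeated verbatim in the fileauditedpermissions_item table, so both copies need the fix.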
+
+______________
+
+## < fileauditedpermissions_item >
+
+This item stores the audited access rights of a file that a system access control list (SACL) structure grants to a specified trustee. The trustee's audited access rights are determined checking all access control entries (ACEs) in the SACL. For help with this test see the GetAuditedPermissionsFromAcl() api.
+
+**Extends:** [oval-sc:ItemType](oval-system-characteristics-schema.md#ItemType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| filepath | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||Specifies the absolute path to a file on the machine from which the DACL was retrieved. A directory cannot be specified as a filepath.
|
+| path | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||This element specifies the directory component of the absolute path to a file on the machine from which the DACL was retrieved.
|
+| filename | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The name of the file. If the xsi:nil attribute is set to true, then the item being represented is the higher directory represented by the path entity. The other items associated with this item would then reflect the values associated with the directory.
|
+| trustee_sid | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The trustee_sid entity specifies the SID that associated a user, group, system, or program (such as a Windows service).
|
+| ~~trustee_name~~ | ~~[oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1~~) |
+||~~This element specifies the trustee name associated with this particular SACL. A trustee can be a user, group, or program (such as a Windows service). In Windows, trustee names are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, trustee names should be identified in the form: "domain\trustee name". For local trustee names use: "computer name\trustee name". For built-in accounts on the system, use the trustee name without a domain.
~~|
+| standard_delete | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||The right to delete the object.
|
+| standard_read_control | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||The right to read the information in the object's security descriptor, not including the information in the SACL.
|
+| standard_write_dac | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||The right to modify the DACL in the object's security descriptor.
|
+| standard_write_owner | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||The right to change the owner in the object's security descriptor.
|
+| standard_synchronize | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right.
|
+| access_system_security | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||Indicates access to a system access control list (SACL).
|
+| generic_read | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||Read access.
|
+| generic_write | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||Write access.
|
+| generic_execute | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||Execute access.
|
+| generic_all | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||Read, write, and execute access.
|
+| file_read_data | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||Grants the right to read data from the file.
|
+| file_write_data | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||Grants the right to write data to the file.
|
+| file_append_data | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||Grants the right to append data to the file.
|
+| file_read_ea | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||Grants the right to read extended attributes.
|
+| file_write_ea | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||Grants the right to write extended attributes.
|
+| file_execute | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||Grants the right to execute a file.
|
+| file_delete_child | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||Right to delete a directory and all the files it contains (its children), even if the files are read-only.
|
+| file_read_attributes | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||Grants the right to read file attributes.
|
+| file_write_attributes | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||Grants the right to change file attributes.
|
+| windows_view | [win-sc:EntityItemWindowsViewType](#EntityItemWindowsViewType) (0..1) |
+||The windows view value from which this OVAL Item was collected. This is used to indicate from which view (32-bit or 64-bit), the associated Item was collected. A value of '32_bit' indicates the Item was collected from the 32-bit view. A value of '64-bit' indicates the Item was collected from the 64-bit view. Omitting this entity removes any assertion about which view the Item was collected from, and therefore it is strongly suggested that this entity be set.
|
+
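Review bot: the windows_view row names the two view values inconsistently: '32_bit' uses an underscore while '64-bit' uses a hyphen, and EntityItemWindowsViewType enumerates 32_bit and 64_bit, so the second value should read '64_bit'. The same sentence is repeated verbatim in the fileeffectiverights_item and junction_item tables that follow and needs the same correction there.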
+______________
+
+## < fileeffectiverights_item >
+
+This item stores the effective rights of a file that a discretionary access control list (DACL) structure grants to a specified trustee. The trustee's effective rights are determined checking all access-allowed and access-denied access control entries (ACEs) in the DACL. For help with this test see the GetEffectiveRightsFromAcl() api.
+
+**Extends:** [oval-sc:ItemType](oval-system-characteristics-schema.md#ItemType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| filepath | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||Specifies the absolute path to a file on the machine from which the DACL was retrieved. A directory cannot be specified as a filepath.
|
+| path | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||This element specifies the absolute path to a file on the machine from which the DACL was retrieved.
|
+| filename | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The name of the file. If the xsi:nil attribute is set to true, then the item being represented is the higher directory represented by the path entity. The other items associated with this item would then reflect the values associated with the directory.
|
+| trustee_sid | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The trustee_sid entity specifies the SID that associated a user, group, system, or program (such as a Windows service).
|
+| ~~trustee_name~~ | ~~[oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1~~) |
+||~~This element specifies the trustee name associated with this particular DACL. A trustee can be a user, group, or program (such as a Windows service). In Windows, trustee names are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, trustee names should be identified in the form: "domain\trustee name". For local trustee names use: "computer name\trustee name". For built-in accounts on the system, use the trustee name without a domain.
~~|
+| standard_delete | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||The right to delete the object.
|
+| standard_read_control | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||The right to read the information in the object's security descriptor, not including the information in the SACL.
|
+| standard_write_dac | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||The right to modify the DACL in the object's security descriptor.
|
+| standard_write_owner | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||The right to change the owner in the object's security descriptor.
|
+| standard_synchronize | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right.
|
+| access_system_security | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Indicates access to a system access control list (SACL).
|
+| generic_read | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Read access.
|
+| generic_write | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Write access.
|
+| generic_execute | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Execute access.
|
+| generic_all | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Read, write, and execute access.
|
+| file_read_data | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Grants the right to read data from the file
|
+| file_write_data | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Grants the right to write data to the file.
|
+| file_append_data | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Grants the right to append data to the file.
|
+| file_read_ea | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Grants the right to read extended attributes.
|
+| file_write_ea | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Grants the right to write extended attributes.
|
+| file_execute | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Grants the right to execute a file.
|
+| file_delete_child | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Right to delete a directory and all the files it contains (its children), even if the files are read-only.
|
+| file_read_attributes | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Grants the right to read file attributes.
|
+| file_write_attributes | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Grants the right to change file attributes.
|
+| windows_view | [win-sc:EntityItemWindowsViewType](#EntityItemWindowsViewType) (0..1) |
+||The windows view value from which this OVAL Item was collected. This is used to indicate from which view (32-bit or 64-bit), the associated Item was collected. A value of '32_bit' indicates the Item was collected from the 32-bit view. A value of '64-bit' indicates the Item was collected from the 64-bit view. Omitting this entity removes any assertion about which view the Item was collected from, and therefore it is strongly suggested that this entity be set.
|
+
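Review bot: the path row describes the entity as 'the absolute path to a file', which contradicts the filename row directly below it (where path is 'the higher directory' and filename may be nil to represent that directory); it should describe the directory component, as the peheader_item path row does ('specifies the directory component of the absolute path to a PE file'). Two smaller points in the same table: the trustee_name row's strikethrough is mis-nested (the closing `~~` in the type cell sits before the `)` of `(0..1)`, and the description's closing `~~` lands on its own line ahead of the `|`), so the row will not render as struck through, and unlike group_item it carries no 'Deprecated As Of' block stating when and why trustee_name was retired; and in the introductory sentence 'The trustee's effective rights are determined checking all access-allowed ...' the word 'by' is missing, while the file_read_data row lacks its terminal period.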
+______________
+
+## < ~~group_item~~ >
+
+> :small_red_triangle: **Deprecated As Of Version 5.11** :small_red_triangle:
**Reason:** Replaced by the group_sid_item. This item uses trustee names for identifying accounts on the system. Trustee names are not unique and the group_sid_item, which uses trustee SIDs which are unique, should be used instead. See the group_sid_item.
**Comment:** This object has been deprecated and may be removed in a future version of the language.
+
+The Windows group_item allows the different users and subgroups, that directly belong to specific groups (identified by name), to be collected. The collected subgroups will not be resolved to find indirect user or subgroup members. If the subgroups need to be resolved, it should be done using the sid_object. Note that the user and subgroup elements can appear an unlimited number of times. If a user is not found in the specified group, a single user element should exist with a status of 'does not exist'. If there is an error determining the users of a group, a single user element should exist with a status of 'error'. If a subgroup is not found in the specified group, a single subgroup element should exist with a status of 'does not exist'. If there is an error determining the subgroups of a group, a single subgroup element should exist with a status of 'error'.
+
+**Extends:** [oval-sc:ItemType](oval-system-characteristics-schema.md#ItemType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| group | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||A string the represents the name of a particular group. In Windows, group names are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, groups should be identified in the form: "domain\group name". For local groups use: "computer name\group name". For built-in accounts on the system, use the group name without a domain.
|
+| user | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..unbounded) |
+||A string that represents the name of a particular user. In Windows, user names are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, users should be identified in the form: "domain\user name". For local users use: "computer name\user name". For built-in accounts on the system, use the user name without a domain.
If the specified group has more than one user as a member, then multiple user elements should exist. If the specified group does not contain a single user, then a single user element should exist with a status of 'does not exist'. If there is an error determining the users that are members of the group, then a single user element should be included with a status of 'error'.
|
+| subgroup | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..unbounded) |
+||A string that represents the name of a particular subgroup in the specified group. In Windows, group names are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, the subgroups should be identified in the form: "domain\group name". In a local environment, the subgroups should be identified in the form: "computer name\group name". If the subgroups are built-in groups, the subgroups should be identified in the form: "group name" without a domain component.
If the specified group has more than one subgroup as a member, then multiple subgroup elements should exist. If the specified group does not contain a single subgroup, then a single subgroup element should exist with a status of 'does not exist'. If there is an error determining the subgroups that are members of the group, then a single subgroup element should be included with a status of 'error'.
|
+
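Review bot: the deprecation block's Comment line reads 'This object has been deprecated', but this section documents an item (group_item), so it should say 'This item has been deprecated'. Also, in the group row, 'A string the represents the name of a particular group' should be 'A string that represents the name of a particular group'.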
+______________
+
+## < group_sid_item >
+
+The Windows group_sid_item allows the different users and subgroups, that directly belong to specific groups (identified by SID), to be collected. The collected subgroups will not be resolved to find indirect user or subgroup members. If the subgroups need to be resolved, it should be done using the sid_sid_object. Note that the user and subgroup elements can appear an unlimited number of times. If a user is not found in the specified group, a single user element should exist with a status of 'does not exist'. If there is an error determining the users of a group, a single user element should exist with a status of 'error'. If a subgroup is not found in the specified group, a single subgroup element should exist with a status of 'does not exist'. If there is an error determining the subgroups of a group, a single subgroup element should exist with a status of 'error'.
+
+**Extends:** [oval-sc:ItemType](oval-system-characteristics-schema.md#ItemType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| group_sid | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||A string the represents the SID of a particular group.
|
+| user_sid | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..unbounded) |
+||A string that represents the SID of a particular user. If the specified group has more than one user as a member, then multiple user_sid entities should exist. If the specified group does not contain a single user, then a single user_sid entity should exist with a status of 'does not exist'. If there is an error determining the userss that are members of the group, then a single user_sid entity should be included with a status of 'error'.
|
+| subgroup_sid | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..unbounded) |
+||A string that represents the SID of a particular subgroup. If the specified group has more than one subgroup as a member, then multiple subgroup_sid entities should exist. If the specified group does not contain a single subgroup, a single subgroup_sid entity should exist with a status of 'does not exist'. If there is an error determining the subgroups that are members of the group, then a single subgroup_sid entity should be included with a status of 'error'.
|
+
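Review bot: two typos in this table: the group_sid row's 'A string the represents the SID' should be 'A string that represents the SID', and the user_sid row's 'determining the userss that are members of the group' should be 'users'.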
+______________
+
+## < interface_item >
+
+Enumerate various attributes about the interfaces on a system.
+
+**Extends:** [oval-sc:ItemType](oval-system-characteristics-schema.md#ItemType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| name | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||This element specifies the name of an interface.
|
+| index | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||This element specifies index that identifies the interface.
|
+| type | [win-sc:EntityItemInterfaceTypeType](#EntityItemInterfaceTypeType) (0..1) |
+||This element specifies the type of interface which is limited to certain set of values.
|
+| hardware_addr | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||This element specifies the hardware or MAC address of the physical network card. MAC addresses should be formatted according to the IEEE 802-2001 standard which states that a MAC address is a sequence of six octet values, separated by hyphens, where each octet is represented by two hexadecimal digits. Uppercase letters should also be used to represent the hexadecimal digits A through F.
|
+| inet_addr | [oval-sc:EntityItemIPAddressStringType](oval-system-characteristics-schema.md#EntityItemIPAddressStringType) (0..1) |
+||This element specifies the IP address of the specific interface. Note that the IP address can be IPv4 or IPv6. If the IP address is an IPv6 address, this entity should be expressed as an IPv6 address prefix using CIDR notation and the netmask entity should not be collected.
|
+| broadcast_addr | [oval-sc:EntityItemIPAddressStringType](oval-system-characteristics-schema.md#EntityItemIPAddressStringType) (0..1) |
+||This element specifies the broadcast address. A broadcast address is typically the IP address with the host portion set to either all zeros or all ones. Note that the IP address can be IPv4 or IPv6.
|
+| netmask | [oval-sc:EntityItemIPAddressStringType](oval-system-characteristics-schema.md#EntityItemIPAddressStringType) (0..1) |
+||This element specifies the subnet mask for the IP address. Note that if the inet_addr entity contains an IPv6 address prefix, this entity should not be collected.
|
+| addr_type | [win-sc:EntityItemAddrTypeType](#EntityItemAddrTypeType) (0..unbounded) |
+||This element specifies the address type or state of a specific interface. Each interface can be associated with more than one value meaning the addr_type element can occur multiple times.
|
+
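Review bot: the broadcast_addr row ends with 'Note that the IP address can be IPv4 or IPv6', but IPv6 has no broadcast addresses (it relies on multicast), so that sentence should be dropped or the row should state that broadcast_addr applies only to IPv4 interfaces, in line with the inet_addr and netmask rows, which already special-case IPv6 prefixes. Two grammar nits: the index row's 'This element specifies index that identifies the interface' needs 'the index', and the type row's 'limited to certain set of values' needs 'a certain set'.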
+______________
+
+## < junction_item >
+
+The junction_item element identifies the result generated for a junction_object.
+
+**Extends:** [oval-sc:ItemType](oval-system-characteristics-schema.md#ItemType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| path | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (1..1) |
+||Specifies the path to the subject junction, specified by the junction_object.
|
+| canonical_path | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (1..1) |
+||Specifies the canonical path for the target of the Windows junction specified by the path.
|
+| windows_view | [win-sc:EntityItemWindowsViewType](#EntityItemWindowsViewType) (0..1) |
+||The windows view value from which this OVAL Item was collected. This is used to indicate from which view (32-bit or 64-bit), the associated Item was collected. A value of '32_bit' indicates the Item was collected from the 32-bit view. A value of '64-bit' indicates the Item was collected from the 64-bit view. Omitting this entity removes any assertion about which view the Item was collected from, and therefore it is strongly suggested that this entity be set.
|
+
+______________
+
+## < license_item >
+
+The license_item element stores the different information that can be found in the Windows license registry value. Please refer to the individual elements in the schema for more details about what each represents.
+
+**Extends:** [oval-sc:ItemType](oval-system-characteristics-schema.md#ItemType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| name | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||This element describes the name of a license entry.
|
+| type | [win-sc:EntityItemRegistryTypeType](#EntityItemRegistryTypeType) (0..1) |
+||Specifies the type of data stored by the license entry. Valid values are REG_BINARY, REG_DWORD and REG_SZ. Please refer to the EntityItemRegistryTypeType for more information about the different possible types.
|
+| value | [oval-sc:EntityItemAnySimpleType](oval-system-characteristics-schema.md#EntityItemAnySimpleType) (0..1) |
+||The value entity holds the actual value of the specified license entry. The representation of the value as well as the associated datatype attribute depends on type of data stored in the license entry. If the specified license entry is of type REG_BINARY, then the datatype attribute should be set to 'binary' and the data represented by the value entity should follow the xsd:hexBinary form. (each binary octet is encoded as two hex digits) If the registry key is of type REG_DWORD, then the datatype attribute should be set to 'int' and the value entity should represent the data as an integer. If the specified registry key is of type REG_SZ, then the datatype should be 'string' and the value entity should be a copy of the string.
|
+
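Review bot: the value row changes subject mid-paragraph: it opens with 'If the specified license entry is of type REG_BINARY' but continues with 'If the registry key is of type REG_DWORD' and 'If the specified registry key is of type REG_SZ', wording evidently carried over from a registry value description. Since the type row restricts this item to REG_BINARY, REG_DWORD and REG_SZ license entries, the two later sentences should refer to the license entry as well.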
+______________
+
+## < lockoutpolicy_item >
+
+The lockoutpolicy item enumerates various attributes associated with lockout information for users and global groups in the security database.
+
+**Extends:** [oval-sc:ItemType](oval-system-characteristics-schema.md#ItemType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| force_logoff | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||Specifies, in seconds (from a DWORD), the amount of time between the end of the valid logon time and the time when the user is forced to log off the network. A value of TIMEQ_FOREVER (max DWORD value, 4294967295) indicates that the user is never forced to log off. A value of zero indicates that the user will be forced to log off immediately when the valid logon time expires. See the USER_MODALS_INFO_0 structure returned by a call to NetUserModalsGet().
|
+| lockout_duration | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||Specifies, in seconds, how long a locked account remains locked before it is automatically unlocked. See the USER_MODALS_INFO_3 structure returned by a call to NetUserModalsGet().
|
+| lockout_observation_window | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||Specifies the maximum time, in seconds, that can elapse between any two failed logon attempts before lockout occurs. See the USER_MODALS_INFO_3 structure returned by a call to NetUserModalsGet().
|
+| lockout_threshold | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||Specifies the number of invalid password authentications that can occur before an account is marked "locked out." See the USER_MODALS_INFO_3 structure returned by a call to NetUserModalsGet().
|
+
+______________
+
+## < metabase_item >
+
+This item gathers information from the specified metabase keys.
+
+**Extends:** [oval-sc:ItemType](oval-system-characteristics-schema.md#ItemType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| key | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||This element describes a metabase key to be gathered.
|
+| id | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||The id element specifies a particular object under the metabase key. If the xsi:nil attribute is set to true, then the item being represented is the higher level metabase key. Using xsi:nil here will result in a status of 'not collected' for the other entities associated with this item since these entities are not associated with a key by itself.
|
+| name | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||This element describes the name of the specified metabase object.
|
+| user_type | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The user_type element is an unsigned 32-bit integer (DWORD) that specifies the user type of the data. See the METADATA_RECORD structure.
|
+| data_type | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The data_type element identifies the type of data in the metabase entry. See the METADATA_RECORD structure.
|
+| data | [oval-sc:EntityItemAnySimpleType](oval-system-characteristics-schema.md#EntityItemAnySimpleType) (0..unbounded) |
+||The actual data of the named item under the specified metabase key. If the specified metabase key is of type multi string, then multiple value elements should exist to describe the array of strings.
|
+
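Review bot: the user_type row declares the entity as oval-sc:EntityItemStringType yet describes it as 'an unsigned 32-bit integer (DWORD)'; either the type should be EntityItemIntType or the description should say the entity holds the string form of that DWORD. In the data row, 'multiple value elements should exist to describe the array of strings' refers to an entity named value that does not exist in this table; it should read 'multiple data elements'.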
+______________
+
+## < ntuser_item >
+
+The windows ntuser_item specifies information that can be collected from a particular ntuser.dat file.
+
+**Extends:** [oval-sc:ItemType](oval-system-characteristics-schema.md#ItemType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| key | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||This element describes a registry key normally found in the HKCU hive to be tested.
|
+| name | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||This element describes the name of a registry key. If the xsi:nil attribute is set to true, then the item being represented is the higher level key. Using xsi:nil here will result in a status of 'does not exist' for the type, and value entities since these entities are not associated with a key by itself.
|
+| sid | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||This element holds a string that represents the SID of a particular user.
|
+| username | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The username entity holds a string that represents the name of a particular user. In Windows, user names are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, users should be identified in the form: "domain\user name". For local users use: "computer name\user name".
|
+| account_type | [win-sc:EntityItemNTUserAccountTypeType](#EntityItemNTUserAccountTypeType) (0..1) |
+||The account_type element describes if the user account is a local account or domain account.
|
+| logged_on | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||The logged_on element describes if the user account is currently logged on to the computer.
|
+| enabled | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||The enabled element describes if the user account is enabled or disabled.
|
+| date_modified | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||Time of last modification of file. The string should represent the FILETIME structure which is a 64-bit value representing the number of 100-nanosecond intervals since January 1, 1601 (UTC).
|
+| days_since_modified | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||The number of days since the ntuser.dat file was last modified. The value should be rounded up to the next whole integer.
|
+| filepath | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||This element describes the filepath of the ntuser.dat file.
|
+| last_write_time | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||The last time that the key or any of its value entries was modified. The value of this entity represents the FILETIME structure which is a 64-bit value representing the number of 100-nanosecond intervals since January 1, 1601 (UTC). Last write time can be queried on a hive, key, or name. When collecting only information about a registry hive the last write time will be the time the hive or any of its entiries was written to. When collecting only information about a registry hive and key the last write time will be the time the key or any of its entiries was written to. When collecting only information about a registry name the last write time will be the time the name was written to. See the RegQueryInfoKey function lpftLastWriteTime.
|
+| type | [win-sc:EntityItemRegistryTypeType](#EntityItemRegistryTypeType) (0..1) |
+||Specifies the type of data stored by the registry key. Please refer to the EntityItemRegistryTypeType for more information about the different possible types.
|
+| value | [oval-sc:EntityItemAnySimpleType](oval-system-characteristics-schema.md#EntityItemAnySimpleType) (0..unbounded) |
+||The value entity holds the actual value of the specified registry key. The representation of the value as well as the associated datatype attribute depends on type of data stored in the registry key. If the specified registry key is of type REG_BINARY, then the datatype attribute should be set to 'binary' and the data represented by the value entity should follow the xsd:hexBinary form. (each binary octet is encoded as two hex digits) If the registry key is of type REG_DWORD or REG_QWORD, then the datatype attribute should be set to 'int' and the value entity should represent the data as an integer. If the specified registry key is of type REG_EXPAND_SZ, then the datatype attribute should be set to 'string' and the pre-expanded string should be represented by the value entity. If the specified registry key is of type REG_MULTI_SZ, then multiple value entities should exist to describe the array of strings, with each value element holds a single string. In the end, there should be the same number of value entities as there are strings in the reg_multi_sz array. If the specified registry key is of type REG_SZ, then the datatype should be 'string' and the value entity should be a copy of the string.
|
+
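Review bot: the name row says 'This element describes the name of a registry key', yet its next sentence treats the key as 'the higher level key' that name hangs off, so this is the name of a registry value under key and should be documented as such. The date_modified row is typed EntityItemIntType but its text starts 'The string should represent the FILETIME structure'; use 'The value', as the last_write_time row does. Typos: 'entiries' appears twice in the last_write_time row and should be 'entries', and in the value row 'with each value element holds a single string' should be 'with each value element holding a single string'.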
+______________
+
+## < passwordpolicy_item >
+
+Specific policy items associated with passwords. It is important to note that these policies are specific to certain versions of Windows. As a result, the documentation for that version of Windows should be consulted for more information. Information is stored in the SAM or Active Directory but is encrypted or hidden so the registry_item and activedirectory_item are of no use. If this can be figured out, then the password_policy item is not needed.
+
+**Extends:** [oval-sc:ItemType](oval-system-characteristics-schema.md#ItemType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| max_passwd_age | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||Specifies, in seconds (from a DWORD), the maximum allowable password age. A value of TIMEQ_FOREVER (max DWORD value, 4294967295) indicates that the password never expires. The minimum valid value for this element is ONE_DAY (86400). See the USER_MODALS_INFO_0 structure returned by a call to NetUserModalsGet().
|
+| min_passwd_age | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||Specifies the minimum number of seconds that can elapse between the time a password changes and when it can be changed again. A value of zero indicates that no delay is required between password updates.
|
+| min_passwd_len | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||Specifies the minimum allowable password length. Valid values for this element are zero through PWLEN.
|
+| password_hist_len | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||Specifies the length of password history maintained. A new password cannot match any of the previous usrmod0_password_hist_len passwords. Valid values for this element are zero through DEF_MAX_PWHIST.
|
+| password_complexity | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||A boolean value that signifies whether passwords must meet the complexity requirements put forth by the operating system.
|
+| reversible_encryption | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Determines whether or not passwords are stored using reversible encryption.
|
+| anonymous_name_lookup | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Determines whether or not an anonymous user may query the local LSA policy.
|
+
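Review bot: the description's last two sentences ('Information is stored in the SAM or Active Directory but is encrypted or hidden so the registry_item and activedirectory_item are of no use. If this can be figured out, then the password_policy item is not needed.') are a leftover design note rather than documentation of the item, and they call it 'password_policy item' instead of passwordpolicy_item; drop them or rephrase them as a plain statement of why a dedicated item exists. Also, the password_hist_len row cites the field name usrmod0_password_hist_len without naming the USER_MODALS_INFO_0 structure / NetUserModalsGet() call that the max_passwd_age row references, and the min_passwd_age and min_passwd_len rows likewise lack that structure reference.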
+______________
+
+## < peheader_item >
+
+The peheader_item describes the metadata associated with a PE file header. For more information, please see the documentation for the IMAGE_FILE_HEADER and IMAGE_OPTIONAL_HEADER structures.
+
+**Extends:** [oval-sc:ItemType](oval-system-characteristics-schema.md#ItemType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| filepath | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The filepath element specifies the absolute path for a PE file on the machine. A directory cannot be specified as a filepath.
|
+| path | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The path element specifies the directory component of the absolute path to a PE file on the machine.
|
+| filename | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The filename element specifies the name of a PE file to evaluate.
|
+| header_signature | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The header_signature entity is the signature of the header.
|
+| target_machine_type | [win-sc:EntityItemPeTargetMachineType](#EntityItemPeTargetMachineType) (0..1) |
+||The target_machine_type entity is an unsigned 16-bit integer (WORD) that specifies the target architecture that the file is intended for.
|
+| number_of_sections | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||The number_of_sections entity is an unsigned 16-bit integer (WORD) that specifies the number of sections in the file.
|
+| time_date_stamp | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||The time_date_stamp entity is an unsigned 32-bit integer (DWORD) that specifies the time that the linker produced the file. The value is represented as the number of seconds since January 1, 1970, 00:00:00.
|
+| pointer_to_symbol_table | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||The pointer_to_symbol_table entity is an unsigned 32-bit integer (DWORD) that specifies the file offset of the COFF symbol table.
|
+| number_of_symbols | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||The number_of_symbols entity is an unsigned 32-bit integer (DWORD) that specifies the number of symbols in the COFF symbol table.
|
+| size_of_optional_header | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||The size_of_optional_header entity is an unsigned 32-bit integer (DWORD) that specifies the size of an optional header in bytes.
|
+| image_file_relocs_stripped | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||The image_file_relocs_stripped entity is a boolean value that specifies if the relocation information is stripped from the file.
|
+| image_file_executable_image | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||The image_file_executable_image entity is a boolean value that specifies if the file is executable.
|
+| image_file_line_nums_stripped | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||The image_file_line_nums_stripped entity is a boolean value that specifies if the line numbers are stripped from the file.
|
+| image_file_local_syms_stripped | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||The image_file_local_syms_stripped entity is a boolean value that specifies if the local symbols are stripped from the file.
|
+| image_file_aggresive_ws_trim | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||The image_file_aggressive_ws_trim entity is a boolean value that specifies that the working set should be aggressively trimmed.
|
+| image_file_large_address_aware | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||The image_file_large_address_aware entity is a boolean value that specifies that the application can handle addresses larger than 2GB.
|
+| image_file_16bit_machine | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||The image_file_16bit_machine entity is a boolean value that specifies that the computer supports 16-bit words.
|
+| image_file_bytes_reversed_lo | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||The image_file_bytes_reversed_lo entity is a boolean value that specifies that the bytes of the word are reversed.
|
+| image_file_32bit_machine | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||The image_file_32bit_machine entity is a boolean value that specifies that the computer supports 32-bit words.
|
+| image_file_debug_stripped | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||The image_file_debug_stripped entity is a boolean value that specifies that the debugging information is stored separately in a .dbg file.
|
+| image_file_removable_run_from_swap | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||The image_file_removable_run_from_swap entity is a boolean value that specifies that the image is on removable media, copy and run from the swap file.
|
+| image_file_system | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||The image_file_system entity is a boolean value that specifies that the image is a system file.
|
+| image_file_dll | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||The image_file_dll entity is a boolean value that specifies that the image is a DLL.
|
+| image_file_up_system_only | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||The image_file_up_system_only entity is a boolean value that specifies that the file should only be run on a uniprocessor computer.
|
+| image_file_bytes_reveresed_hi | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||The image_file_bytes_reversed_hi entity is a boolean value that specifies that the bytes of the word are reversed.
|
+| magic_number | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||The magic_number entity is an unsigned 16-bit integer (WORD) that specifies the state of the image file.
|
+| major_linker_version | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||The major_linker_version entity is a BYTE that specifies the major version of the linker that produced the file.
|
+| minor_linker_version | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||The minor_linker_version entity is a BYTE that specifies the minor version of the linker that produced the file.
|
+| size_of_code | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||The size_of_code entity is an unsigned 32-bit integer (DWORD) that specifies the total size of all of the code sections.
|
+| size_of_initialized_data | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||The size_of_initialized_data entity is an unsigned 32-bit integer (DWORD) that specifies the total size of all of the sections that are composed of initialized data.
|
+| size_of_uninitialized_data | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||The size_of_uninitialized_data entity is an unsigned 32-bit integer (DWORD) that specifies the total size of all of the sections that are composed of uninitialized data.
|
+| address_of_entry_point | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||The address_of_entry_point entity is an unsigned 32-bit integer (DWORD) that specifies the address where the loader will begin execution.
|
+| base_of_code | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||The base_of_code entity is an unsigned 32-bit integer (DWORD) that specifies the relative virtual address where the file's code section begins.
|
+| base_of_data | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||The base_of_data entity is an unsigned 32-bit integer (DWORD) that specifies the relative virtual address where the file's data section begins.
|
+| image_base_address | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||The image_base_address entity is an unsigned 32-bit integer (DWORD) that specifies the preferred address fo the first byte of the image when it is loaded into memory.
|
+| section_alignment | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||The section_alignment entity is an unsigned 32-bit integer (DWORD) that specifies the alignment of the sections loaded into memory.
|
+| file_alignment | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||The file_alignment entity is an unsigned 32-bit integer (DWORD) that specifies the alignment of the raw data of sections in the image file.
|
+| major_operating_system_version | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||The major_operating_system_version entity is an unsigned 16-bit integer (WORD) that specifies the major version of the operating system required to use this executable.
|
+| minor_operating_system_version | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||The minor_operating_system_version entity is an unsigned 16-bit integer (WORD) that specifies the minor version of the operating system required to use this executable.
|
+| major_image_version | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||The major_image_version entity is an unsigned 16-bit integer (WORD) that specifies the major version number of the image.
|
+| minor_image_version | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||The minor_image_version entity is an unsigned 32-bit integer (DWORD) that specifies the minor version number of the image.
|
+| major_subsystem_version | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||The major_subsystem_version entity is an unsigned 16-bit integer (WORD) that specifies the major version of the subsystem required to run the executable.
|
+| minor_susbsystem_version | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||The minor_subsystem_version entity is an unsigned 16-bit integer (WORD) that specifies the minor version of the subsystem required to run the executable.
|
+| size_of_image | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||The size_of_image entity is an unsigned 32-bit integer (DWORD) that specifies the total size of the image including all of the headers.
|
+| size_of_headers | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||The size_of_headers entity is an unsigned 32-bit integer (DWORD) that specifies the total combined size of the MS-DOS stub, PE header, and the section headers.
|
+| checksum | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||The checksum entity is an unsigned 32-bit integer (DWORD) that specifies the checksum of the image file.
|
+| subsystem | [win-sc:EntityItemPeSubsystemType](#EntityItemPeSubsystemType) (0..1) |
+||The subsystem entity is an unsigned 32-bit integer (DWORD) that specifies the type of subsystem that the executable uses for its user interface.
|
+| dll_characteristics | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..unbounded) |
+||The dll_characteristics entity is an unsigned 32-bit integer (DWORD) that specifies the set of flags indicating the circumstances under which a DLL's initialization function will be called..
|
+| size_of_stack_reserve | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||The time_date_stamp entity is an unsigned 32-bit integer (DWORD) that specifies the number of bytes to reserve for the stack.
|
+| size_of_stack_commit | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||The time_date_stamp entity is an unsigned 32-bit integer (DWORD) that specifies the number of bytes to commit for the stack.
|
+| size_of_heap_reserve | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||The time_date_stamp entity is an unsigned 32-bit integer (DWORD) that specifies the number of bytes to reserve for the local heap.
|
+| size_of_heap_commit | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||The time_date_stamp entity is an unsigned 32-bit integer (DWORD) that specifies the number of bytes to commit for the local heap.
|
+| loader_flags | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||The loader_flags entity is an unsigned 32-bit integer (DWORD) that specifies the loader flags of the header.
|
+| number_of_rva_and_sizes | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||The number_of_rva_and_sizes entity is an unsigned 32-bit integer (DWORD) that specifies the number of directory entries in the remainder of the optional header.
|
+| real_number_of_directory_entries | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||The real_number_of_directory_entries entity is the real number of data directory entries in the remainder of the optional header calculated by enumerating the directory entries.
|
+| windows_view | [win-sc:EntityItemWindowsViewType](#EntityItemWindowsViewType) (0..1) |
+||The windows view value from which this OVAL Item was collected. This is used to indicate from which view (32-bit or 64-bit), the associated Item was collected. A value of '32_bit' indicates the Item was collected from the 32-bit view. A value of '64-bit' indicates the Item was collected from the 64-bit view. Omitting this entity removes any assertion about which view the Item was collected from, and therefore it is strongly suggested that this entity be set.
|
+
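Review bot: the size_of_stack_reserve, size_of_stack_commit, size_of_heap_reserve and size_of_heap_commit rows all begin `+||The time_date_stamp entity is an unsigned 32-bit integer (DWORD)`, a copy-paste leftover; each should name its own entity. Three element names carry typos that their own descriptions spell correctly: `image_file_aggresive_ws_trim` (description says image_file_aggressive_ws_trim), `image_file_bytes_reveresed_hi` (image_file_bytes_reversed_hi) and `minor_susbsystem_version` (minor_subsystem_version); these are schema element names, so renaming them later is a breaking change and the spelling should be settled before this lands. Several field widths disagree with the IMAGE_FILE_HEADER and IMAGE_OPTIONAL_HEADER structures the introduction points to: SizeOfOptionalHeader, MinorImageVersion, Subsystem and DllCharacteristics are 16-bit WORD fields there, but size_of_optional_header, minor_image_version, subsystem and dll_characteristics are described as unsigned 32-bit DWORDs (dll_characteristics also ends with a doubled period). image_base_address and the four stack/heap size entities are documented as DWORDs, which holds only for PE32; the PE32+ optional header carries them as 64-bit values and has no BaseOfData field, so the descriptions should say how PE32+ files are represented (EntityItemIntType can hold the wider value, as long as the text does not promise 32 bits). Smaller points: "address fo the first byte" in image_base_address; header_signature "is the signature of the header" says nothing about which field is meant or what form the value takes; and the windows_view text quotes the values as '32_bit' and '64-bit' with different separators, which should match the EntityItemWindowsViewType enumeration.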
+______________
+
+## < port_item >
+
+Information about open listening ports.
+
+**Extends:** [oval-sc:ItemType](oval-system-characteristics-schema.md#ItemType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| local_address | [oval-sc:EntityItemIPAddressStringType](oval-system-characteristics-schema.md#EntityItemIPAddressStringType) (0..1) |
+||This element specifies the local IP address the listening port is bound to. Note that the IP address can be IPv4 or IPv6.
|
+| local_port | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||This element specifies the number assigned to the local listening port.
|
+| protocol | [win-sc:EntityItemProtocolType](#EntityItemProtocolType) (0..1) |
+||This element specifies the type of listening port. It is restricted to either TCP or UDP.
|
+| pid | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||The id given to the process that is associated with the specified listening port.
|
+| foreign_address | [oval-sc:EntityItemIPAddressStringType](oval-system-characteristics-schema.md#EntityItemIPAddressStringType) (0..1) |
+||This is the IP address with which the program is communicating, or with which it will communicate, in the case of a listening server. Note that the IP address can be IPv4 or IPv6.
|
+| foreign_port | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||This is the TCP or UDP port to which the program communicates.
|
+
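Review bot: foreign_port is typed `[oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1)` while local_port in the same table is EntityItemIntType; both are port numbers and should share the int type, otherwise numeric operations (less than, greater than) work on one and not the other. The item is introduced as "Information about open listening ports", yet foreign_address and foreign_port are described as the address and port "with which the program is communicating"; the text should state what a listening socket reports in these two entities (for example an unspecified address and a zero port) so that collectors populate them consistently. "The id given to the process that is associated with the specified listening port" in pid would be clearer as "The process ID (PID) of the process that owns the listening port".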
+______________
+
+## < printereffectiverights_item >
+
+This item stores the effective rights of a printer that a discretionary access control list (DACL) structure grants to a specified trustee. The trustee's effective rights are determined checking all access-allowed and access-denied access control entries (ACEs) in the DACL. For help with this test see the GetEffectiveRightsFromAcl() api.
+
+**Extends:** [oval-sc:ItemType](oval-system-characteristics-schema.md#ItemType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| printer_name | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The printer_name enitity specifies the name of the printer.
|
+| trustee_sid | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The trustee_sid entity specifies the SID that associated a user, group, system, or program (such as a Windows service).
|
+| standard_delete | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||The right to delete the object.
|
+| standard_read_control | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||The right to read the information in the object's security descriptor, not including the information in the SACL.
|
+| standard_write_dac | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||The right to modify the DACL in the object's security descriptor.
|
+| standard_write_owner | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||The right to change the owner in the object's security descriptor.
|
+| standard_synchronize | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right.
|
+| access_system_security | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Indicates access to a system access control list (SACL).
|
+| generic_read | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Read access.
|
+| generic_write | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Write access.
|
+| generic_execute | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Execute access.
|
+| generic_all | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Read, write, and execute access.
|
+| printer_access_administer | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+|||
+| printer_access_use | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+|||
+| job_access_administer | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+|||
+| job_access_read | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+|||
+
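Review bot: printer_access_administer, printer_access_use, job_access_administer and job_access_read are added with empty description cells (`+|||`); every other right in this table is documented, and these four printer-specific rights are the ones a reader actually needs explained, so each should get a one-line description. Wording: "printer_name enitity" should be "entity"; "The trustee's effective rights are determined checking all access-allowed and access-denied access control entries" should be "determined by checking"; and "the SID that associated a user, group, system, or program" in trustee_sid should be "the SID associated with a user, group, system, or program".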
+______________
+
+## < process_item >
+
+Information about running processes.
+
+**Extends:** [oval-sc:ItemType](oval-system-characteristics-schema.md#ItemType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| command_line | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The command_line entity is the string used to start the process. This includes any parameters that are part of the command line.
|
+| pid | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||The id given to the process that is created for a specified command line.
|
+| ppid | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||The id given to the parent of the process that is created for the specified command line
|
+| priority | Restriction of [oval-sc:EntityItemAnySimpleType](oval-system-characteristics-schema.md#EntityItemAnySimpleType) . See schema for details. (0..1) |
+||The base priority of the process. The priority value range is from 0 to 31.
|
+| image_path | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The image_path entity represents the name of the executable file for the process.
|
+| current_dir | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The current_dir entity represents the current path to the executable file for the process.
|
+| creation_time | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||The creation_time entity represents the creation time of the process. The value of this entity represents the FILETIME structure which is a 64-bit value representing the number of 100-nanosecond intervals since January 1, 1601 (UTC). See the GetProcessTimes function lpCreationTime.
|
+| dep_enabled | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||The dep_enabled entity represents whether or not data execution prevention (DEP) is enabled. See the GetProcessDEPPolicy function lpFlags.
|
+| primary_window_text | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The primary_window_text entity represents the title of the primary window of the process. See the GetWindowText function.
|
+| name | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The name of the process.
|
+
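Review bot: the current_dir description, `+||The current_dir entity represents the current path to the executable file for the process.`, reads as a duplicate of image_path; if the entity is the process's current working directory, say so, and if it is the directory component of the image path, say that instead. The ppid description is missing its closing period. The priority type column, "Restriction of EntityItemAnySimpleType . See schema for details.", gives no hint of what the restriction is; the description already states the 0 to 31 range, so saying that the restricted type is an integer in that range would spare readers a trip to the XSD (and the stray space before the period should go).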
+______________
+
+## < registry_item >
+
+The windows registry item specifies information that can be collected about a particular registry key.
+
+**Extends:** [oval-sc:ItemType](oval-system-characteristics-schema.md#ItemType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| hive | [win-sc:EntityItemRegistryHiveType](#EntityItemRegistryHiveType) (0..1) |
+||The hive that the registry key belongs to.
|
+| key | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||This element describes a registry key to be gathered. Note that the hive portion of the string should not be included, as this data can be found under the hive element. If the xsi:nil attribute is set to true, then the item being represented is the higher level hive or lower level name. Using xsi:nil here will result in a status of 'not collected' for this entity since the item is specific to a hive or name.
|
+| name | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||This element describes the name of a registry key. If the xsi:nil attribute is set to true, then the item being represented is the higher level key or hive. Using xsi:nil here will result in a status of 'not collected' since the item is specific to a key or hive.
|
+| last_write_time | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||The last time that the key or any of its value entries were modified. The value of this entity represents the FILETIME structure which is a 64-bit value representing the number of 100-nanosecond intervals since January 1, 1601 (UTC). Last write time can be queried on any key, with hives being classified as a type of key. When collecting only information about a registry hive or key the last write time will be the time the key or any of its entries were modified. When collecting only information about a registry name the last write time will be the time the containing key was modified. Thus when collecting information about a registry name, the last write time does not correlate directly to the specified name. See the RegQueryInfoKey function lpftLastWriteTime.
|
+| type | [win-sc:EntityItemRegistryTypeType](#EntityItemRegistryTypeType) (0..1) |
+||Specifies the type of data stored by the registry key. Please refer to the EntityItemRegistryTypeType for more information about the different possible types.
|
+| value | [oval-sc:EntityItemAnySimpleType](oval-system-characteristics-schema.md#EntityItemAnySimpleType) (0..unbounded) |
+||The value entity holds the actual value of the specified registry key. The representation of the value as well as the associated datatype attribute depends on type of data stored in the registry key. If the value being tested is of type REG_BINARY, then the datatype attribute should be set to 'binary' and the data represented by the value entity should follow the xsd:hexBinary form. (each binary octet is encoded as two hex digits) If the value being tested is of type REG_DWORD, REG_QWORD, REG_DWORD_LITTLE_ENDIAN, REG_DWORD_BIG_ENDIAN, or REG_QWORD_LITTLE_ENDIAN then the datatype attribute should be set to 'int' and the value entity should represent the data as an unsigned integer. DWORD and QWORD values represnt unsigned 32-bit and 64-bit integers, respectively. If the value being tested is of type REG_EXPAND_SZ, then the datatype attribute should be set to 'string' and the pre-expanded string should be represented by the value entity. If the value being tested is of type REG_MULTI_SZ, then only a single string (one of the multiple strings) should be tested using the value entity with the datatype attribute set to 'string'. In order to test multiple values, multiple OVAL registry tests or multiple states should be combined. Reg_multi_sz values, with no values, should be given a status of "does not exist". If the specified registry key is of type REG_SZ, then the datatype should be 'string' and the value entity should be a copy of the string. If the value being tested is of type REG_LINK, then the datatype attribute should be set to 'string' and the null-terminated Unicode string should be represented by the value entity.
|
+| expanded_value | [oval-sc:EntityItemAnySimpleType](oval-system-characteristics-schema.md#EntityItemAnySimpleType) (0..1) |
+||For registry values of type REG_EXPAND_SZ, this entity contains the expanded value. Otherwise, it should not exist.
|
+| windows_view | [win-sc:EntityItemWindowsViewType](#EntityItemWindowsViewType) (0..1) |
+||The windows view value from which this OVAL Item was collected. This is used to indicate from which view (32-bit or 64-bit), the associated Item was collected. A value of '32_bit' indicates the Item was collected from the 32-bit view. A value of '64-bit' indicates the Item was collected from the 64-bit view. Omitting this entity removes any assertion about which view the Item was collected from, and therefore it is strongly suggested that this entity be set.
|
+
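Review bot: the value description is one very long paragraph covering eight REG_* types; one sentence per type (REG_BINARY, the REG_DWORD/REG_QWORD family, REG_EXPAND_SZ, REG_MULTI_SZ, REG_SZ, REG_LINK), each stating the datatype attribute and the value form, would make the rules checkable at a glance. In that block "DWORD and QWORD values represnt unsigned 32-bit and 64-bit integers" has a typo, and the REG_MULTI_SZ rule quotes its status as "does not exist" in double quotes while the surrounding sentences quote literals in single quotes; pick one style. The windows_view description quotes '32_bit' and '64-bit' with different separators, here and in the other windows_view rows in this change; both values should match the EntityItemWindowsViewType enumeration.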
+______________
+
+## < regkeyauditedpermissions_item >
+
+This item stores the audited access rights of a registry key that a system access control list (SACL) structure grants to a specified trustee. The trustee's audited access rights are determined checking all access control entries (ACEs) in the SACL. For help with this test see the GetAuditedPermissionsFromAcl() api.
+
+**Extends:** [oval-sc:ItemType](oval-system-characteristics-schema.md#ItemType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| hive | [win-sc:EntityItemRegistryHiveType](#EntityItemRegistryHiveType) (0..1) |
+||This element specifies the hive of a registry key on the machine from which the SACL was retrieved.
|
+| key | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||This element specifies a registry key on the machine from which the SACL was retrieved. Note that the hive portion of the string should not be inclueded, as this data should be found under the hive element.
|
+| trustee_sid | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The security identifier (SID) of the specified trustee name.
|
+| ~~trustee_name~~ | ~~[oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1~~) |
+||~~This element specifies the trustee name associated with this particular DACL. A trustee can be a user, group, or program (such as a Windows service). In Windows, trustee names are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, trustee names should be identified in the form: "domain\trustee name". For local trustee names use: "computer name\trustee name". For built-in accounts on the system, use the trustee name without a domain.
~~|
+| standard_delete | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||The right to delete the object.
|
+| standard_read_control | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||The right to read the information in the object's security descriptor, not including the information in the SACL.
|
+| standard_write_dac | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||The right to modify the DACL in the object's security descriptor.
|
+| standard_write_owner | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||The right to change the owner in the object's security descriptor.
|
+| ~~standard_synchronize~~ | ~~[win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1~~) |
+||~~The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right.
~~|
+| access_system_security | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||Indicates access to a system access control list (SACL).
|
+| generic_read | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||Read access.
|
+| generic_write | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||Write access.
|
+| generic_execute | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||Execute access.
|
+| generic_all | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||Read, write, and execute access.
|
+| key_query_value | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+|||
+| key_set_value | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+|||
+| key_create_sub_key | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+|||
+| key_enumerate_sub_keys | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+|||
+| key_notify | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+|||
+| key_create_link | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+|||
+| key_wow64_64key | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+|||
+| key_wow64_32key | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+|||
+| key_wow64_res | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+|||
+| windows_view | [win-sc:EntityItemWindowsViewType](#EntityItemWindowsViewType) (0..1) |
+||The windows view value from which this OVAL Item was collected. This is used to indicate from which view (32-bit or 64-bit), the associated Item was collected. A value of '32_bit' indicates the Item was collected from the 32-bit view. A value of '64-bit' indicates the Item was collected from the 64-bit view. Omitting this entity removes any assertion about which view the Item was collected from, and therefore it is strongly suggested that this entity be set.
|
+
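Review bot: the deprecated trustee_name and standard_synchronize rows close the strikethrough inside the type cell, `~~[win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1~~)`, leaving the ')' outside the struck text, and the description's closing `~~` lands on the following ` |` line, so the strikethrough is unlikely to render and the cells will show stray markers; move the closing `~~` after the ')' and onto the description line itself. Nine key_* rights (key_query_value through key_wow64_res) are added with empty description cells; key_wow64_64key, key_wow64_32key and key_wow64_res in particular need a sentence, since how they relate to windows_view is not obvious. Wording: "should not be inclueded" in the key row is a typo that recurs in the regkeyeffectiverights_item key row below, and "determined checking all access control entries" should be "determined by checking". The regkeyeffectiverights_item trustee_name row that follows has the same strikethrough layout, and its trustee_sid row repeats the "SID that associated a user" wording flagged on the printer item.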
+______________
+
+## < regkeyeffectiverights_item >
+
+This item stores the effective rights of a registry key that a discretionary access control list (DACL) structure grants to a specified trustee. The trustee's effective rights are determined checking all access-allowed and access-denied access control entries (ACEs) in the DACL. For help with this test see the GetEffectiveRightsFromAcl() api.
+
+**Extends:** [oval-sc:ItemType](oval-system-characteristics-schema.md#ItemType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| hive | [win-sc:EntityItemRegistryHiveType](#EntityItemRegistryHiveType) (0..1) |
+||The hive that the registry key belongs to.
|
+| key | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||This element describes a registry key to be gathered. Note that the hive portion of the string should not be inclueded, as this data can be found under the hive element. If the xsi:nil attribute is set to true, then the item being represented is the higher level hive.
|
+| trustee_sid | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The trustee_sid entity specifies the SID that associated a user, group, system, or program (such as a Windows service).
|
+| ~~trustee_name~~ | ~~[oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1~~) |
+||~~This element specifies the trustee name associated with this particular DACL. A trustee can be a user, group, or program (such as a Windows service). In Windows, trustee names are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, trustee names should be identified in the form: "domain\trustee name". For local trustee names use: "computer name\trustee name". For built-in accounts on the system, use the trustee name without a domain.
~~|
+| standard_delete | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||The right to delete the object.
|
+| standard_read_control | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||The right to read the information in the object's security descriptor, not including the information in the SACL.
|
+| standard_write_dac | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||The right to modify the DACL in the object's security descriptor.
|
+| standard_write_owner | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||The right to change the owner in the object's security descriptor.
|
+| ~~standard_synchronize~~ | ~~[oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1~~) |
+||~~The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right.
~~|
+| access_system_security | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Indicates access to a system access control list (SACL).
|
+| generic_read | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Read access.
|
+| generic_write | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Write access.
|
+| generic_execute | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Execute access.
|
+| generic_all | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Read, write, and execute access.
|
+| key_query_value | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+|||
+| key_set_value | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+|||
+| key_create_sub_key | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+|||
+| key_enumerate_sub_keys | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+|||
+| key_notify | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+|||
+| key_create_link | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+|||
+| key_wow64_64key | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+|||
+| key_wow64_32key | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+|||
+| key_wow64_res | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+|||
+| windows_view | [win-sc:EntityItemWindowsViewType](#EntityItemWindowsViewType) (0..1) |
+||The windows view value from which this OVAL Item was collected. This is used to indicate from which view (32-bit or 64-bit), the associated Item was collected. A value of '32_bit' indicates the Item was collected from the 32-bit view. A value of '64-bit' indicates the Item was collected from the 64-bit view. Omitting this entity removes any assertion about which view the Item was collected from, and therefore it is strongly suggested that this entity be set.
|
+
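Review bot: the introductory sentence of regkeyeffectiverights_item, `The trustee's effective rights are determined checking all access-allowed and access-denied access control entries`, is missing "by" (the serviceeffectiverights_item intro below has the correct `determined by checking`). In the table, the key row has `should not be inclueded` (included), the trustee_sid row has `specifies the SID that associated a user` where the serviceeffectiverights_item wording `the SID that is associated with a user` is the correct form, and the windows_view row again mixes '32_bit' and '64-bit'. The struck-through trustee_name and standard_synchronize rows carry no deprecation notice; the user_item section below uses a "Deprecated As Of Version" block with a Reason and a Comment, and these two rows should get the same treatment so a reader knows why they were removed and what replaces them.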
+______________
+
+## < service_item >
+
+This item stores information about Windows services that are present on the system.
+
+**Extends:** [oval-sc:ItemType](oval-system-characteristics-schema.md#ItemType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| service_name | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The service_name element specifies the name of the service as specified in the Service Control Manager (SCM) database.
|
+| display_name | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The display_name element specifies the name of the service as specified in tools such as Control Panel->Administrative Tools->Services.
|
+| description | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The description element specifies the description of the service.
|
+| service_type | [win-sc:EntityItemServiceTypeType](#EntityItemServiceTypeType) (0..unbounded) |
+||The service_type element specifies the type of the service.
|
+| start_type | [win-sc:EntityItemServiceStartTypeType](#EntityItemServiceStartTypeType) (0..1) |
+||The start_type element specifies when the service should be started.
|
+| current_state | [win-sc:EntityItemServiceCurrentStateType](#EntityItemServiceCurrentStateType) (0..1) |
+||The current_state element specifies the current state of the service.
|
+| controls_accepted | [win-sc:EntityItemServiceControlsAcceptedType](#EntityItemServiceControlsAcceptedType) (0..unbounded) |
+||The controls_accepted element specifies the control codes that a service will accept and process.
|
+| start_name | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The start_name element specifies the account under which the process should run.
|
+| path | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The path element specifies the path to the binary of the service.
|
+| pid | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||The pid element specifies the process ID of the service.
|
+| service_flag | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||The service_flag element specifies if the service is in a system process that must always run (1) or if the service is in a non-system process or is not running (0). If the service is not running, the pid will be 0. Otherwise, the pid will be non-zero.
|
+| dependencies | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..unbounded) |
+||The dependencies element specifies the dependencies of this service on other services.
|
+
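Review bot: the service_flag row describes the value as `(1)` and `(0)` even though the element is typed EntityItemBoolType, so the description should speak of true/false to match the type, and its last two sentences (`If the service is not running, the pid will be 0. Otherwise, the pid will be non-zero.`) describe the pid element and belong in the pid row rather than here. Minor: the start_name row says `the account under which the process should run`; "the service should run" is what this element records.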
+______________
+
+## < serviceeffectiverights_item >
+
+This item stores the effective rights of a service that a discretionary access control list (DACL) structure grants to a specified trustee. The trustee's effective rights are determined by checking all access-allowed and access-denied access control entries (ACEs) in the DACL. For help with this test see the GetEffectiveRightsFromAcl() api.
+
+**Extends:** [oval-sc:ItemType](oval-system-characteristics-schema.md#ItemType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| service_name | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The service_name element specifies a service on the machine from which to retrieve the DACL. Note that the service_name element should contain the actual name of the service and not its display name that is found in Control Panel->Administrative Tools->Services. For example, if you wanted to check the effective rights of the Automatic Updates service you would specify 'wuauserv' for the service_name element not 'Automatic Updates'.
|
+| trustee_sid | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The trustee_sid element specifies the SID that is associated with a user, group, system, or program (such as a Windows service).
|
+| standard_delete | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||This permission is required to call the DeleteService function to delete the service.
|
+| standard_read_control | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||This permission is required to call the QueryServiceObjectSecurity function to query the security descriptor of the service object.
|
+| standard_write_dac | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||This permission is required to call the SetServiceObjectSecurity function to modify the Dacl member of the service object's security descriptor.
|
+| standard_write_owner | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||This permission is required to call the SetServiceObjectSecurity function to modify the Owner and Group members of the service object's security descriptor.
|
+| generic_read | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Read access (STANDARD_RIGHTS_READ, SERVICE_QUERY_CONFIG, SERVICE_QUERY_STATUS, SERVICE_INTERROGATE, SERVICE_ENUMERATE_DEPENDENTS).
|
+| generic_write | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Write access (STANDARD_RIGHTS_WRITE, SERVICE_CHANGE_CONFIG).
|
+| generic_execute | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Execute access (STANDARD_RIGHTS_EXECUTE, SERVICE_START, SERVICE_STOP, SERVICE_PAUSE_CONTINUE, SERVICE_USER_DEFINED_CONTROL).
|
+| service_query_conf | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||This permission is required to call the QueryServiceConfig and QueryServiceConfig2 functions to query the service configuration.
|
+| service_change_conf | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||This permission is required to call the ChangeServiceConfig or ChangeServiceConfig2 function to change the service configuration.
|
+| service_query_stat | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||This permission is required to call the QueryServiceStatusEx function to ask the service control manager about the status of the service.
|
+| service_enum_dependents | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||This permission is required to call the EnumDependentServices function to enumerate all the services dependent on the service.
|
+| service_start | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||This permission is required to call the StartService function to start the service.
|
+| service_stop | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||This permission is required to call the ControlService function to stop the service.
|
+| service_pause | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||This permission is required to call the ControlService function to pause or continue the service.
|
+| service_interrogate | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||This permission is required to call the ControlService function to ask the service to report its status immediately.
|
+| service_user_defined | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||This permission is required to call the ControlService function to specify a user-defined control code.
|
+
+______________
+
+## < sharedresource_item >
+
+
+
+**Extends:** [oval-sc:ItemType](oval-system-characteristics-schema.md#ItemType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| netname | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The share name of the resource.
|
+| shared_type | [win-sc:EntityItemSharedResourceTypeType](#EntityItemSharedResourceTypeType) (0..1) |
+||The type of the shared resource.
|
+| max_uses | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||The maximum number of concurrent connections that the shared resource can accommodate.
|
+| current_uses | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||The number of current connections to the shared resource.
|
+| local_path | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The local path for the shared resource.
|
+| access_read_permission | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Permission to read data from a resource and, by default, to execute the resource.
|
+| access_write_permission | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Permission to write data to the resource.
|
+| access_create_permission | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Permission to create an instance of the resource (such as a file); data can be written to the resource as the resource is created.
|
+| access_exec_permission | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Permission to execute the resource.
|
+| access_delete_permission | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Permission to delete the resource.
|
+| access_atrib_permission | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Permission to modify the resource's attributes (such as the date and time when a file was last modified).
|
+| access_perm_permission | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Permission to modify the permissions (read, write, create, execute, and delete) assigned to a resource for a user or application.
|
+| access_all_permission | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Permission to read, write, create, execute, and delete resources, and to modify their attributes and permissions.
|
+
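Review bot: sharedresource_item has no introductory description; the two blank lines between the heading and `**Extends:**` should carry a one-sentence description like the neighbouring items have (for example, that the item stores information about a shared resource on the system, which is what the netname, shared_type and local_path rows imply). The access_atrib_permission name is the schema's own element name and should stay spelled as it is, but its description could say so to head off readers "correcting" it.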
+______________
+
+## < sharedresourceauditedpermissions_item >
+
+This item stores the audited access rights of a shared resource that a system access control list (SACL) structure grants to a specified trustee. The trustee's audited access rights are determined checking all access control entries (ACEs) in the SACL.
+
+**Extends:** [oval-sc:ItemType](oval-system-characteristics-schema.md#ItemType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| netname | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The netname entity specifies the name associated with a particular shared resource.
|
+| trustee_sid | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The trustee_sid entity specifies the SID that associated a user, group, system, or program (such as a Windows service).
|
+| standard_delete | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||The right to delete the object.
|
+| standard_read_control | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||The right to read the information in the object's security descriptor, not including the information in the SACL.
|
+| standard_write_dac | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||The right to modify the DACL in the object's security descriptor.
|
+| standard_write_owner | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||The right to change the owner in the object's security descriptor.
|
+| standard_synchronize | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right.
|
+| access_system_security | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||Indicates access to a system access control list (SACL).
|
+| generic_read | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||Read access.
|
+| generic_write | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||Write access.
|
+| generic_execute | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||Execute access.
|
+| generic_all | [win-sc:EntityItemAuditType](#EntityItemAuditType) (0..1) |
+||Read, write, and execute access.
|
+
+______________
+
+## < sharedresourceeffectiverights_item >
+
+This item stores the effective rights of a shared resource that a discretionary access control list (DACL) structure grants to a specified trustee. The trustee's effective rights are determined checking all access-allowed and access-denied access control entries (ACEs) in the DACL.
+
+**Extends:** [oval-sc:ItemType](oval-system-characteristics-schema.md#ItemType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| netname | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The netname entity specifies the name associated with a particular shared resource.
|
+| trustee_sid | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The trustee_sid entity specifies the SID that associated a user, group, system, or program (such as a Windows service).
|
+| standard_delete | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||The right to delete the object.
|
+| standard_read_control | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||The right to read the information in the object's security descriptor, not including the information in the SACL.
|
+| standard_write_dac | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||The right to modify the DACL in the object's security descriptor.
|
+| standard_write_owner | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||The right to change the owner in the object's security descriptor.
|
+| standard_synchronize | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right.
|
+| access_system_security | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Indicates access to a system access control list (SACL).
|
+| generic_read | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Read access.
|
+| generic_write | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Write access.
|
+| generic_execute | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Execute access.
|
+| generic_all | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Read, write, and execute access.
|
+
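Review bot: the intro sentences of both sharedresourceauditedpermissions_item (`The trustee's audited access rights are determined checking all access control entries`) and sharedresourceeffectiverights_item (`The trustee's effective rights are determined checking all access-allowed and access-denied`) are missing "by" before "checking", and both trustee_sid rows repeat `specifies the SID that associated a user, group, system, or program`, which should read "the SID that is associated with a user, group, system, or program" as in the serviceeffectiverights_item table.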
+______________
+
+## < sid_item >
+
+
+
+**Extends:** [oval-sc:ItemType](oval-system-characteristics-schema.md#ItemType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| trustee_name | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||This element specifies the trustee name associated with a particular SID. In Windows, trustee names are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, trustee names should be identified in the form: "domain\trustee name". For local trustee names use: "computer name\trustee name". For built-in accounts on the system, use the trustee name without a domain.
|
+| trustee_sid | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The security identifier (SID) of the specified trustee name.
|
+| trustee_domain | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The domain of the specified trustee name.
|
+
+______________
+
+## < sid_sid_item >
+
+
+
+**Extends:** [oval-sc:ItemType](oval-system-characteristics-schema.md#ItemType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| trustee_sid | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The security identifier (SID) of the specified trustee name.
|
+| trustee_name | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||This element specifies the trustee name associated with a particular SID. In Windows, trustee names are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, trustee names should be identified in the form: "domain\trustee name". For local trustee names use: "computer name\trustee name". For built-in accounts on the system, use the trustee name without a domain.
|
+| trustee_domain | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The domain of the specified trustee name.
|
+
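Review bot: sid_item and sid_sid_item both lack the introductory description paragraph (blank lines between the heading and `**Extends:**`), and the sid_sid_item descriptions were copied from sid_item without being turned around: in sid_sid_item the SID is the input, so the trustee_sid row should not say `The security identifier (SID) of the specified trustee name`, the trustee_name row should describe the name resolved from that SID, and the trustee_domain row should say "of the specified SID" rather than `of the specified trustee name`. The trustee_name row's advice to use case-insensitive operations is object/state guidance and reads oddly on a collected item.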
+______________
+
+## < systemmetric_item >
+
+The system metric item stores the value of a particular Windows system metric.
+
+**Extends:** [oval-sc:ItemType](oval-system-characteristics-schema.md#ItemType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| index | [win-sc:EntityItemSystemMetricIndexType](#EntityItemSystemMetricIndexType) (0..1) |
+||This element describes the index of a system metric entry.
|
+| value | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||The value entity holds the actual value of the specified system metric index.
|
+
+______________
+
+## < uac_item >
+
+The uac_item is used to hold information about settings related to User Access Control within Windows.
+
+**Extends:** [oval-sc:ItemType](oval-system-characteristics-schema.md#ItemType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| admin_approval_mode | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Admin Approval Mode for the Built-in Administrator account.
|
+| elevation_prompt_admin | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||Behavior of the elevation prompt for administrators in Admin Approval Mode.
|
+| elevation_prompt_standard | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||Behavior of the elevation prompt for standard users.
|
+| detect_installations | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Detect application installations and prompt for elevation.
|
+| elevate_signed_executables | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Only elevate executables that are signed and validated.
|
+| elevate_uiaccess | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Only elevate UIAccess applications that are installed in secure locations.
|
+| run_admins_aam | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Run all administrators in Admin Approval Mode.
|
+| secure_desktop | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Switch to the secure desktop when prompting for elevation.
|
+| virtualize_write_failures | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Virtualize file and registry write failures to per-user locations.
|
+
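Review bot: the uac_item intro says `settings related to User Access Control within Windows`; the feature is User Account Control (UAC), and the row descriptions (Admin Approval Mode, elevation prompt behaviour, secure desktop, virtualization of write failures) are the UAC policy names, so the intro should use the correct expansion. It would also help to state that the elevation_prompt_admin and elevation_prompt_standard rows hold the policy's behaviour names as strings rather than the numeric registry values, since their type is EntityItemStringType.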
+______________
+
+## < ~~user_item~~ >
+
+> :small_red_triangle: **Deprecated As Of Version 5.11** :small_red_triangle:
**Reason:** Replaced by the user_sid_item. This item uses trustee names for identifying accounts on the system. Trustee names are not unique and the user_sid_item, which uses trustee SIDs which are unique, should be used instead. See the user_sid_item.
**Comment:** This object has been deprecated and may be removed in a future version of the language.
+
+The windows user_item allows the different groups (identified by name) that a user belongs to be collected.
+
+**Extends:** [oval-sc:ItemType](oval-system-characteristics-schema.md#ItemType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| user | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||A string the represents the name of a particular user. In Windows, user names are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, users should be identified in the form: "domain\user name". For local users use: "computer_name\user_name". For built-in accounts on the system, use the user name without a domain.
|
+| enabled | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||A boolean that represents whether the particular user is enabled or not.
|
+| group | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..unbounded) |
+||A string that represents the name of a particular group. In Windows, group names are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, groups should be identified in the form: "domain\group name". For local groups use: "computer name\group name". For built-in accounts on the system, use the group name without a domain.
If the specified user belongs to more than one group, then multiple group elements should exist. If the specified user is not a member of a single group, then a single group element should exist with a status of 'does not exist'. If there is an error determining the groups that the user belongs to, then a single group element should be included with a status of 'error'.
|
+| last_logon | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||The date and time when the last logon occurred. This value is stored as the number of seconds that have elapsed since 00:00:00, January 1, 1970, GMT. If the target system is a domain controller, this data is maintained separately on each backup domain controller (BDC) in the domain. To obtain an accurate value, you must query each BDC in the domain. The last logoff occurred at the time indicated by the largest retrieved value.
|
+| full_name | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||A Unicode string that contains the full name of the user. This string can be a NULL string, or it can have any number of characters before the terminating null character.
|
+| comment | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||A Unicode string that contains a comment to associate with the user account. The string can be a NULL string, or it can have any number of characters before the terminating null character.
|
+| password_age_days | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||The number of full days that have elapsed since the password was last changed, meaning data calulated should be truncated. Ex: 89.5 days = 89, 90.01 = 90
|
+| lockout | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||The account is currently locked out.
|
+| passwd_notreqd | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||No password is required.
|
+| dont_expire_passwd | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||The password should never expire on the account.
|
+| encrypted_text_password_allowed | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||The user's password is stored under reversible encryption in the Active Directory.
|
+| not_delegated | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Marks the account as "sensitive"; other users cannot act as delegates of this user account.
|
+| use_des_key_only | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Restrict this principal to use only Data Encryption Standard (DES) encryption types for keys.
|
+| dont_require_preauth | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||This account does not require Kerberos preauthentication for logon.
|
+| password_expired | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||The password expiration information. Zero if the password has not expired (and nonzero if it has).
|
+| smartcard_required | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||Requires the user to log on to the user account with a smart card.
|
+| trusted_for_delegation | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||The account is enabled for delegation. This is a security-sensitive setting; accounts with this option enabled should be tightly controlled. This setting allows a service running under the account to assume a client's identity and authenticate as that user to other remote servers on the network.
|
+| trusted_to_authenticate_for_delegation | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||The account is trusted to authenticate a user outside of the Kerberos security package and delegate that user through constrained delegation. This is a security-sensitive setting; accounts with this option enabled should be tightly controlled. This setting allows a service running under the account to assert a client's identity and authenticate as that user to specifically configured services on the network. Windows 2000: This value is not supported.
|
+
+______________
+
+## < user_sid_item >
+
+The windows user_sid_item allows the different groups (identified by SID) that a user belongs to be collected.
+
+**Extends:** [oval-sc:ItemType](oval-system-characteristics-schema.md#ItemType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| user_sid | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||A string the represents the SID of a particular user.
|
+| enabled | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||A boolean that represents whether the particular user is enabled or not.
|
+| group_sid | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..unbounded) |
+||A string that represents the SID of a particular group. If the specified user belongs to more than one group, then multiple group_sid elements should exist. If the specified user is not a member of a single group, then a single group_sid element should exist with a status of 'does not exist'. If there is an error determining the groups that the user belongs to, then a single group_sid element should be included with a status of 'error'.
|
+| last_logon | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||The date and time when the last logon occurred. This value is stored as the number of seconds that have elapsed since 00:00:00, January 1, 1970, GMT.
|
+
+______________
+
+## < userright_item >
+
+**Extends:** [oval-sc:ItemType](oval-system-characteristics-schema.md#ItemType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| userright | [win-sc:EntityItemUserRightType](#EntityItemUserRightType) (0..1) |
+||The userright entity holds a string that represents the name of a particular user right/privilege.
|
+| trustee_name | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The trustee_name entity is the unique name associated with the SID that has been granted the specified user right/privilege. A trustee can be a user, group, or program (such as a Windows service). In Windows, trustee names are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, trustee names should be identified in the form: "domain\trustee name". For local trustee names use: "computer name\trustee name". For built-in accounts on the system, use the trustee name without a domain.
|
+| trustee_sid | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The trustee_sid entity identifies the SID that has been granted the specified user right/privilege.
|
+
+______________
+
+## < volume_item >
+
+The volume item enumerates various attributes about a particular volume mounted to a machine. This includes the various system flags returned by GetVolumeInformation(). It is important to note that these system flags are specific to certain versions of Windows. As a result, the documentation for that version of Windows should be consulted for more information.
+
+**Extends:** [oval-sc:ItemType](oval-system-characteristics-schema.md#ItemType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| rootpath | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||A string that contains the root directory of the volume to be described. A trailing backslash is required. For example, you would specify \\MyServer\MyShare as "\\MyServer\MyShare\", or the C drive as "C:\".
|
+| file_system | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The type of filesystem. For example FAT or NTFS.
|
+| name | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The name of the volume.
|
+| drive_type | [win-sc:EntityItemDriveTypeType](#EntityItemDriveTypeType) (0..1) |
+||The drive type of the volume.
|
+| volume_max_component_length | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||The volume_max_component_length element specifies the maximum length, in TCHARs, of a file name component that a specified file system supports. A file name component is the portion of a file name between backslashes. The value that is stored in the variable that *lpMaximumComponentLength points to is used to indicate that a specified file system supports long names. For example, for a FAT file system that supports long names, the function stores the value 255, rather than the previous 8.3 indicator. Long names can also be supported on systems that use the NTFS file system.
|
+| serial_number | [oval-sc:EntityItemIntType](oval-system-characteristics-schema.md#EntityItemIntType) (0..1) |
+||The volume serial number.
|
+| file_case_sensitive_search | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||The file system supports case-sensitive file names.
|
+| file_case_preserved_names | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||The file system preserves the case of file names when it places a name on disk.
|
+| file_unicode_on_disk | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||The file system supports Unicode in file names as they appear on disk.
|
+| file_persistent_acls | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||The file system preserves and enforces ACLs. For example, NTFS preserves and enforces ACLs, and FAT does not.
|
+| file_file_compression | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||The file system supports file-based compression.
|
+| file_volume_quotas | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||The file system supports disk quotas.
|
+| file_supports_sparse_files | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||The file system supports sparse files.
|
+| file_supports_reparse_points | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||The file system supports reparse points.
|
+| file_supports_remote_storage | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||The file system supports remote storage.
|
+| file_volume_is_compressed | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||The specified volume is a compressed volume; for example, a DoubleSpace volume.
|
+| file_supports_object_ids | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||The file system supports object identifiers.
|
+| file_supports_encryption | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||The file system supports the Encrypted File System (EFS).
|
+| file_named_streams | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||The file system supports named streams.
|
+| file_read_only_volume | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||The specified volume is read-only.
|
+| file_sequential_write_once | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||The file system supports one time writes in sequential order.
|
+| file_supports_transactions | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||The file system supports transaction processing.
|
+| file_supports_hard_links | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||The file system supports direct links to other devices and partitions.
|
+| file_supports_extended_attributes | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||The file system supports extended attributes.
|
+| file_supports_open_by_file_id | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||The file system supports fileID.
|
+| file_supports_usn_journal | [oval-sc:EntityItemBoolType](oval-system-characteristics-schema.md#EntityItemBoolType) (0..1) |
+||The file system supports update sequence number journals.
|
+
+______________
+
+## < ~~wmi_item~~ >
+
+> :small_red_triangle: **Deprecated As Of Version 5.7** :small_red_triangle:
**Reason:** Replaced by the wmi57_item. This item allows for single fields to be selected from WMI. A new item was created to allow more than one field to be selected in one statement. See the wmi57_item.
**Comment:** This object has been deprecated and may be removed in a future version of the language.
+
+The wmi_item outlines information to be checked through Microsoft's WMI interface.
+
+**Extends:** [oval-sc:ItemType](oval-system-characteristics-schema.md#ItemType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| namespace | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The WMI namespaces of the specific object.
|
+| wql | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||A WQL query used to identify the object(s) specified. Any valid WQL query is allowed with one exception, at most one field is allowed in the SELECT portion of the query. For example SELECT name FROM ... is valid, as is SELECT 'true' FROM ..., but SELECT name, number FROM ... is not valid. This is because the result element in the data section is only designed to work against a single field.
|
+| result | [oval-sc:EntityItemAnySimpleType](oval-system-characteristics-schema.md#EntityItemAnySimpleType) (0..unbounded) |
+||The result element specifies how to test objects in the result set of the specified WQL statement. Only one comparable field is allowed. So if the WQL statement look like 'SELECT name FROM ...', then a result element with a value of 'Fred' would test that value against the names returned by the WQL statement. If the WQL statement returns more than one instance of the specified field, then multiple result elements should exist to describe each instance.
|
+
+______________
+
+## < wmi57_item >
+
+The wmi57_item outlines information to be checked through Microsoft's WMI interface.
+
+**Extends:** [oval-sc:ItemType](oval-system-characteristics-schema.md#ItemType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| namespace | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||The WMI namespaces of the specific object.
|
+| wql | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+||A WQL query used to identify the object(s) specified. Any valid WQL query is allowed with one exception, all fields must be named. For example SELECT name, age FROM ... is valid, but SELECT * FROM ... is not valid. This is because the record entity supports only named fields.
|
+| result | [oval-sc:EntityItemRecordType](oval-system-characteristics-schema.md#EntityItemRecordType) (0..unbounded) |
+||The result entity holds the results of the specified WQL statement.
|
+
+______________
+
+## < wuaupdatesearcher_item >
+
+The wuaupdatesearcher_item outlines information defined through the Search method of the IUpdateSearcher interface as part of Microsoft's WUA (Windows Update Agent) API. This information is related to the current patch level in a Windows environment. The test extends the standard ItemType as defined in the oval-system-characteristics schema and one should refer to the ItemType description for more information.
+
+**Extends:** [oval-sc:ItemType](oval-system-characteristics-schema.md#ItemType)
+
+| Child Elements | Type (MinOccurs..MaxOccurs) |
+|:-------------- |:--------------------------- |
+| search_criteria | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..1) |
+|||
+| update_id | [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType) (0..unbounded) |
+||The update_id entity specifies a string that represents a revision-independent identifier of an update. This information is part of the IUpdateIdentity interface that is part of the result of the IUpdateSearcher interface's Search method. Note that multiple update identifiers can be associated with a give search criteria and thus multiple entities can exist for this item.
|
+
+______________
+
+## == EntityItemAddrTypeType ==
+
+The EntityItemAddrTypeType restricts a string value to a specific set of values that describe the different address types of interfaces. The empty string is also allowed to support empty elements associated with error conditions.
+
+**Restricts:** [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType)
+
+| Value | Description |
+| ----- | ----------- |
+| MIB_IPADDR_DELETED | The stated IP address is being deleted. The unsigned short value that this corresponds to is 0x0040
|
+| MIB_IPADDR_DISCONNECTED | The stated IP address is on a disconnected interface. The unsigned short value that this corresponds to is 0x0008.
|
+| MIB_IPADDR_DYNAMIC | The stated IP address is a dynamic IP address. The unsigned short value that this corresponds to is 0x0004.
|
+| MIB_IPADDR_PRIMARY | The stated IP address is a primary IP address. The unsigned short value that this corresponds to is 0x0001.
|
+| MIB_IPADDR_TRANSIENT | The stated IP address is a transient IP address. The unsigned short value that this corresponds to is 0x0080
|
+| | The empty string value is permitted here to allow for detailed error reporting.
|
+
+## == EntityItemAdstypeType ==
+
+The EntityItemAdstypeType restricts a string value to a specific set of values that describe the possible types associated with an Active Directory attribute. The empty string is also allowed to support empty elements associated with error conditions.
+
+**Restricts:** [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType)
+
+| Value | Description |
+| ----- | ----------- |
+| ADSTYPE_INVALID | The data type is invalid.
|
+| ADSTYPE_DN_STRING | The string is of Distinguished Name (path) of a directory service object.
|
+| ADSTYPE_CASE_EXACT_STRING | The string is of the case-sensitive type.
|
+| ADSTYPE_CASE_IGNORE_STRING | The string is of the case-insensitive type.
|
+| ADSTYPE_PRINTABLE_STRING | The string is displayable on the screen or in print.
|
+| ADSTYPE_NUMERIC_STRING | The string is of a numeric value to be interpreted as text.
|
+| ADSTYPE_BOOLEAN | The data is of a Boolean value.
|
+| ADSTYPE_INTEGER | The data is of an integer value.
|
+| ADSTYPE_OCTET_STRING | The string is of a byte array.
|
+| ADSTYPE_UTC_TIME | The data is of the universal time as expressed in Universal Time Coordinate (UTC).
|
+| ADSTYPE_LARGE_INTEGER | The data is of a long integer value.
|
+| ADSTYPE_PROV_SPECIFIC | The string is of a provider-specific string.
|
+| ADSTYPE_OBJECT_CLASS | Not used.
|
+| ADSTYPE_CASEIGNORE_LIST | The data is of a list of case insensitive strings.
|
+| ADSTYPE_OCTET_LIST | The data is of a list of octet strings.
|
+| ADSTYPE_PATH | The string is of a directory path.
|
+| ADSTYPE_POSTALADDRESS | The string is of the postal address type.
|
+| ADSTYPE_TIMESTAMP | The data is of a time stamp in seconds.
|
+| ADSTYPE_BACKLINK | The string is of a back link.
|
+| ADSTYPE_TYPEDNAME | The string is of a typed name.
|
+| ADSTYPE_HOLD | The data is of the Hold data structure.
|
+| ADSTYPE_NETADDRESS | The string is of a net address.
|
+| ADSTYPE_REPLICAPOINTER | The data is of a replica pointer.
|
+| ADSTYPE_FAXNUMBER | The string is of a fax number.
|
+| ADSTYPE_EMAIL | The data is of an e-mail message.
|
+| ADSTYPE_NT_SECURITY_DESCRIPTOR | The data is of Windows NT/Windows 2000 Security Descriptor as represented by a byte array.
|
+| ADSTYPE_UNKNOWN | The data is of an undefined type.
|
+| ADSTYPE_DN_WITH_BINARY | The data is of ADS_DN_WITH_BINARY used for mapping a distinguished name to a non varying GUID.
|
+| ADSTYPE_DN_WITH_STRING | The data is of ADS_DN_WITH_STRING used for mapping a distinguished name to a non-varying string value.
|
+| | The empty string value is permitted here to allow for detailed error reporting.
|
+
+## == EntityItemAuditType ==
+
+The EntityItemAuditType restricts a string value to a specific set of values: AUDIT_NONE, AUDIT_SUCCESS, AUDIT_FAILURE, and AUDIT_SUCCESS_FAILURE. These values describe which audit records should be generated. The empty string is also allowed to support empty elements associated with error conditions.
+
+**Restricts:** [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType)
+
+| Value | Description |
+| ----- | ----------- |
+| AUDIT_FAILURE | The audit type AUDIT_FAILURE is used to perform audits on all unsuccessful occurrences of specified events when auditing is enabled.
|
+| AUDIT_NONE | The audit type AUDIT_NONE is used to cancel all auditing options for the specified events.
|
+| AUDIT_SUCCESS | The audit type AUDIT_SUCCESS is used to perform audits on all successful occurrences of the specified events when auditing is enabled.
|
+| AUDIT_SUCCESS_FAILURE | The audit type AUDIT_SUCCESS_FAILURE is used to perform audits on all successful and unsuccessful occurrences of the specified events when auditing is enabled.
|
+| | The empty string value is permitted here to allow for detailed error reporting.
|
+
+## == EntityItemDriveTypeType ==
+
+The EntityItemDriveTypeType complex type defines the different values that are valid for the drive_type entity of a win-sc:volume_item. The empty string is also allowed to support empty elements associated with error conditions.
+
+**Restricts:** [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType)
+
+| Value | Description |
+| ----- | ----------- |
+| DRIVE_UNKNOWN | The DRIVE_UNKNOWN type means that drive type cannot be determined. The UINT value that this corresponds to is 0.
|
+| DRIVE_NO_ROOT_DIR | The DRIVE_NO_ROOT_DIR type means that the root path is not valid. The UINT value that this corresponds to is 1.
|
+| DRIVE_REMOVABLE | The DRIVE_REMOVABLE type means that the drive contains removable media. The UINT value that this corresponds to is 2.
|
+| DRIVE_FIXED | The DRIVE_FIXED type means that the drive contains fixed media. The UINT value that this corresponds to is 3.
|
+| DRIVE_REMOTE | The DRIVE_REMOTE type means that the drive is a remote drive (i.e. network drive). The UINT value that this corresponds to is 4.
|
+| DRIVE_CDROM | The DRIVE_CDROM type means that the drive is a CD-ROM drive. The UINT value that this corresponds to is 5.
|
+| DRIVE_RAMDISK | The DRIVE_RAMDISK type means that the drive is a RAM disk. The UINT value that this corresponds to is 6.
|
+| | The empty string value is permitted here to allow for detailed error reporting.
|
+
+## == EntityItemFileTypeType ==
+
+The EntityItemFileTypeType restricts a string value to a specific set of values that describe the different types of files. The empty string is also allowed to support empty elements associated with error conditions.
+
+**Restricts:** [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType)
+
+| Value | Description |
+| ----- | ----------- |
+| FILE_TYPE_CHAR | The specified file is a character file, typically an LPT device or a console.
|
+| FILE_TYPE_DISK | The specified file is a disk file.
|
+| FILE_TYPE_PIPE | The specified file is a socket, a named pipe, or an anonymous pipe.
|
+| FILE_TYPE_REMOTE | Unused.
|
+| FILE_TYPE_UNKNOWN | Either the type of the specified file is unknown, or the function failed.
|
+| | The empty string value is permitted here to allow for detailed error reporting.
|
+
+## == EntityItemFileAttributeType ==
+
+The EntityItemFileAttributeType restricts a string value to a specific set of values that describe the different Windows file attributes. The empty string is also allowed to support empty elements associated with error conditions.
+
+**Restricts:** [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType)
+
+| Value | Description |
+| ----- | ----------- |
+| FILE_ATTRIBUTE_ARCHIVE | A file or directory that is an archive file or directory. Applications typically use this attribute to mark files for backup or removal.
|
+| FILE_ATTRIBUTE_COMPRESSED | A file or directory that is compressed. For a file, all of the data in the file is compressed. For a directory, compression is the default for newly created files and subdirectories.
|
+| FILE_ATTRIBUTE_DEVICE | This value is reserved for system use.
|
+| FILE_ATTRIBUTE_DIRECTORY | The handle that identifies a directory.
|
+| FILE_ATTRIBUTE_ENCRYPTED | A file or directory that is encrypted. For a file, all data streams in the file are encrypted. For a directory, encryption is the default for newly created files and subdirectories.
|
+| FILE_ATTRIBUTE_HIDDEN | The file or directory is hidden. It is not included in an ordinary directory listing.
|
+| FILE_ATTRIBUTE_INTEGRITY_STREAM | The directory or user data stream is configured with integrity (only supported on ReFS volumes). It is not included in an ordinary directory listing. The integrity setting persists with the file if it's renamed. If a file is copied the destination file will have integrity set if either the source file or destination directory have integrity set.
Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista, Windows Server 2003, and Windows XP: This flag is not supported until Windows Server 2012.
|
+| FILE_ATTRIBUTE_NORMAL | A file that does not have other attributes set. This attribute is valid only when used alone.
|
+| FILE_ATTRIBUTE_NOT_CONTENT_INDEXED | The file or directory is not to be indexed by the content indexing service.
|
+| FILE_ATTRIBUTE_NO_SCRUB_DATA | The user data stream not to be read by the background data integrity scanner (AKA scrubber). When set on a directory it only provides inheritance. This flag is only supported on Storage Spaces and ReFS volumes. It is not included in an ordinary directory listing.
Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista, Windows Server 2003, and Windows XP: This flag is not supported until Windows 8 and Windows Server 2012.
|
+| FILE_ATTRIBUTE_OFFLINE | The data of a file is not available immediately. This attribute indicates that the file data is physically moved to offline storage. This attribute is used by Remote Storage, which is the hierarchical storage management software. Applications should not arbitrarily change this attribute.
|
+| FILE_ATTRIBUTE_READONLY | A file that is read-only. Applications can read the file, but cannot write to it or delete it. This attribute is not honored on directories.
|
+| FILE_ATTRIBUTE_REPARSE_POINT | A file or directory that has an associated reparse point, or a file that is a symbolic link.
|
+| FILE_ATTRIBUTE_SPARSE_FILE | A file that is a sparse file.
|
+| FILE_ATTRIBUTE_SYSTEM | A file or directory that the operating system uses a part of, or uses exclusively.
|
+| FILE_ATTRIBUTE_TEMPORARY | A file that is being used for temporary storage. File systems avoid writing data back to mass storage if sufficient cache memory is available, because typically, an application deletes a temporary file after the handle is closed. In that scenario, the system can entirely avoid writing the data. Otherwise, the data is written after the handle is closed.
|
+| FILE_ATTRIBUTE_VIRTUAL | This value is reserved for system use.
|
+
+## == EntityItemInterfaceTypeType ==
+
+The EntityItemInterfaceTypeType restricts a string value to a specific set of values that describe the different types of interfaces. The empty string is also allowed to support empty elements associated with error conditions.
+
+**Restricts:** [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType)
+
+| Value | Description |
+| ----- | ----------- |
+| MIB_IF_TYPE_ETHERNET | The MIB_IF_TYPE_ETHERNET type is used to describe ethernet interfaces.
|
+| MIB_IF_TYPE_FDDI | The MIB_IF_TYPE_FDDI type is used to describe fiber distributed data interfaces (FDDI).
|
+| MIB_IF_TYPE_LOOPBACK | The MIB_IF_TYPE_LOOPBACK type is used to describe loopback interfaces.
|
+| MIB_IF_TYPE_OTHER | The MIB_IF_TYPE_OTHER type is used to describe unknown interfaces.
|
+| MIB_IF_TYPE_PPP | The MIB_IF_TYPE_PPP type is used to describe point-to-point protocol interfaces (PPP).
|
+| MIB_IF_TYPE_SLIP | The MIB_IF_TYPE_SLIP type is used to describe serial line internet protocol interfaces (SLIP).
|
+| MIB_IF_TYPE_TOKENRING | The MIB_IF_TYPE_TOKENRING type is used to describe token ring interfaces..
|
+| | The empty string value is permitted here to allow for detailed error reporting.
|
+
+## == EntityItemNamingContextType ==
+
+The EntityItemNamingContextType restricts a string value to a specific set of values: domain, configuration, and schema. These values describe the different naming context found withing Active Directory. The empty string is also allowed to support empty elements associated with error conditions.
+
+**Restricts:** [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType)
+
+| Value | Description |
+| ----- | ----------- |
+| domain | The domain naming context contains Active Directory objects present in the specified domain (e.g. users, computers, groups, and other objects).
|
+| configuration | The configuration naming context contains configuration data that is required for the Active Directory to operate as a directory service.
|
+| schema | The schema naming context contains all of the Active Directory object definitions.
|
+| | The empty string value is permitted here to allow for detailed error reporting.
|
+
+## == EntityItemNTUserAccountTypeType ==
+
+The EntityItemNTUserAccountTypeType restricts a string value to a specific set of values that describe the different types of accounts. The empty string is also allowed to support empty elements associated with error conditions.
+
+**Restricts:** [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType)
+
+| Value | Description |
+| ----- | ----------- |
+| local | Local accounts are accounts that were created directly on the machine being tested and should be in the form of machinename\username
|
+| domain | Domain accounts are accounts that were created on a domain controller and should be in the form of domain\username
|
+| | The empty string value is permitted here to allow for detailed error reporting.
|
+
+## == EntityItemPeTargetMachineType ==
+
+The EntityItemPeTargetMachineType enumeration identifies the valid machine targets that can be specified in the PE file header. The empty string is also allowed to support empty elements associated with error conditions.
+
+**Restricts:** [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType)
+
+| Value | Description |
+| ----- | ----------- |
+| IMAGE_FILE_MACHINE_UNKNOWN | The IMAGE_FILE_MACHINE_UNKNOWN type is used to indicate an unknown machine.
|
+| IMAGE_FILE_MACHINE_ALPHA | The IMAGE_FILE_MACHINE_ALPHA type is used to indicate an Alpha APX machine.
|
+| IMAGE_FILE_MACHINE_ARM | The IMAGE_FILE_MACHINE_ARM type is used to indicate an ARM little endian machine.
|
+| IMAGE_FILE_MACHINE_ALPHA64 | The IMAGE_FILE_MACHINE_ALPHA64 type is used to indicate an 64-bit Alpha APX machine.
|
+| IMAGE_FILE_MACHINE_I386 | The IMAGE_FILE_MACHINE_I386 type is used to indicate an Intel 386 machine.
|
+| IMAGE_FILE_MACHINE_IA64 | The IMAGE_FILE_MACHINE_IA64 type is used to indicate an Intel Itanium machine.
|
+| IMAGE_FILE_MACHINE_M68K | The IMAGE_FILE_MACHINE_M68K type is used to indicate an M68K machine.
|
+| IMAGE_FILE_MACHINE_MIPS16 | The IMAGE_FILE_MACHINE_MIPS16 type is used to indicate a MIPS16 machine.
|
+| IMAGE_FILE_MACHINE_MIPSFPU | The IMAGE_FILE_MACHINE_MIPSFPU type is used to indicate an MIPS machine with FPU.
|
+| IMAGE_FILE_MACHINE_MIPSFPU16 | The IMAGE_FILE_MACHINE_MIPSFPU16 type is used to indicate a MIPS16 machine with FPU.
|
+| IMAGE_FILE_MACHINE_POWERPC | The IMAGE_FILE_MACHINE_POWERPC type is used to indicate an Power PC little endian machine.
|
+| IMAGE_FILE_MACHINE_R3000 | The IMAGE_FILE_MACHINE_R3000 type is used to indicate a MIPS little endian, 0x160 big endian machine.
|
+| IMAGE_FILE_MACHINE_R4000 | The IMAGE_FILE_MACHINE_R4000 type is used to indicate a MIPS little endian machine.
|
+| IMAGE_FILE_MACHINE_R10000 | The IMAGE_FILE_MACHINE_10000 type is used to indicate a MIPS little endian machine.
|
+| IMAGE_FILE_MACHINE_SH3 | The IMAGE_FILE_MACHINE_SH3 type is used to indicate a Hitachi SH3 machine.
|
+| IMAGE_FILE_MACHINE_SH4 | The IMAGE_FILE_MACHINE_SH4 type is used to indicate a Hitachi SH4 machine.
|
+| IMAGE_FILE_MACHINE_THUMB | The IMAGE_FILE_MACHINE_THUMB type is used to indicate an ARM or Thumb ("interworking") machine.
|
+| | The empty string value is permitted here to allow for detailed error reporting.
|
+
+## == EntityItemPeSubsystemType ==
+
+The EntityItemPeSubsystemType enumeration identifies the valid subsystem types that can be specified in the PE file header. The empty string is also allowed to support empty elements associated with error conditions.
+
+**Restricts:** [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType)
+
+| Value | Description |
+| ----- | ----------- |
+| IMAGE_SUBSYSTEM_UNKNOWN | The IMAGE_SUBSYSTEM_UNKNOWN type is used to indicate an unknown subsystem.
|
+| IMAGE_SUBSYSTEM_NATIVE | The IMAGE_SUBSYSTEM_NATIVE type is used to indicate that no subsystem is required.
|
+| IMAGE_SUBSYSTEM_WINDOWS_GUI | The IMAGE_SUBSYSTEM_WINDOWS_GUI type is used to indicate a Windows graphical user interface (GUI) subsystem.
|
+| IMAGE_SUBSYSTEM_WINDOWS_CUI | The IMAGE_SUBSYSTEM_WINDOWS_CUI type is used to indicate a Windows character-mode user interface (CUI) subsystem.
|
+| IMAGE_SUBSYSTEM_OS2_CUI | The IMAGE_SUBSYSTEM_OS2_CUI type is used to indicate an OS/2 CUI subsystem.
|
+| IMAGE_SUBSYSTEM_POSIX_CUI | The IMAGE_SUBSYSTEM_POSIX_CUI type is used to indicate a POSIX CUI subsystem.
|
+| IMAGE_SUBSYSTEM_WINDOWS_CE_GUI | The IMAGE_SUBSYSTEM_WINDOWS_CE_GUI type is used to indicate a Windows CE system.
|
+| IMAGE_SUBSYSTEM_EFI_APPLICATION | The IMAGE_SUBSYSTEM_EFI_APPLICATION type is used to indicate an Extensible Firmware Interface (EFI) application.
|
+| IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER | The IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER type is used to indicate a EFI driver with boot services.
|
+| IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER | The IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER type is used to indicate a EFI driver with run-time services subsystem.
|
+| IMAGE_SUBSYSTEM_EFI_ROM | The IMAGE_SUBSYSTEM_EFI_ROM type is used to indicate an EFI ROM image.
|
+| IMAGE_SUBSYSTEM_XBOX | The IMAGE_SUBSYSTEM_XBOX type is used to indicate an Xbox system.
|
+| IMAGE_SUBSYSTEM_WINDOWS_BOOT_APPLICATION | The IMAGE_SUBSYSTEM_WINDOWS_BOOT_APPLICATION type is used to indicate a boot application.
|
+| | The empty string value is permitted here to allow for detailed error reporting.
|
+
+## == EntityItemProtocolType ==
+
+The EntityItemProtocolType restricts a string value to a specific set of values that describe the different available protocols. The empty string is also allowed to support empty elements associated with error conditions.
+
+**Restricts:** [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType)
+
+| Value | Description |
+| ----- | ----------- |
+| TCP | The port uses the Transmission Control Protocol (TCP).
|
+| UDP | The port uses the User Datagram Protocol (UDP).
|
+| | The empty string value is permitted here to allow for detailed error reporting.
|
+
+## == EntityItemRegistryHiveType ==
+
+The EntityItemRegistryHiveType restricts a string value to a specific set of values that describe the different registry hives. The empty string is also allowed to support empty elements associated with error conditions.
+
+**Restricts:** [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType)
+
+| Value | Description |
+| ----- | ----------- |
+| HKEY_CLASSES_ROOT | This registry subtree contains information that associates file types with programs and configuration data for automation (e.g. COM objects and Visual Basic Programs).
|
+| HKEY_CURRENT_CONFIG | This registry subtree contains configuration data for the current hardware profile.
|
+| HKEY_CURRENT_USER | This registry subtree contains the user profile of the user that is currently logged into the system.
|
+| HKEY_CURRENT_USER_LOCAL_SETTINGS | Registry entries subordinate to this key define preferences of the current user that are local to the machine. These entries are not included in the per-user registry portion of a roaming user profile. This key is supported starting with Windows 7 and Windows Server 2008 R2.
|
+| HKEY_LOCAL_MACHINE | This registry subtree contains information about the local system.
|
+| HKEY_USERS | This registry subtree contains user-specific data.
|
+| | The empty string value is permitted here to allow for detailed error reporting.
|
+
+## == EntityItemRegistryTypeType ==
+
+The EntityItemRegistryTypeType defines the different values that are valid for the type entity of a registry item. These values describe the possible types of data stored in a registry key, restricting the string value to that set of registry types. The empty string is also allowed as a valid value to support empty elements associated with error conditions. Please note that the values identified are for the type entity and are not valid values for the datatype attribute. For information about how to encode registry data in OVAL for each of the different types, please see the registry_item documentation.
+
+**Restricts:** [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType)
+
+| Value | Description |
+| ----- | ----------- |
+| reg_binary | The reg_binary type is used by registry keys that specify binary data in any form.
|
+| reg_dword | The reg_dword type is used by registry keys that specify an unsigned 32-bit integer.
|
+| ~~reg_dword_little_endian~~ | ~~The reg_dword_little_endian type is used by registry keys that specify an unsigned 32-bit little-endian integer. It is designed to run on little-endian computer architectures.
~~> :small_red_triangle: **Deprecated As Of Version 5.11.1:1.1** :small_red_triangle:
**Reason:** Defined to have same value as reg_dword.
**Comment:** This registry type enumeration value has been deprecated and may be removed in a future version of the language.
|
+| reg_dword_big_endian | The reg_dword_big_endian type is used by registry keys that specify an unsigned 32-bit big-endian integer. It is designed to run on big-endian computer architectures.
|
+| reg_expand_sz | The reg_expand_sz type is used by registry keys to specify a null-terminated string that contains unexpanded references to environment variables (for example, "%PATH%").
|
+| reg_link | The reg_link type is used by registry keys that hold a null-terminated Unicode string containing the target path of a symbolic link created by the RegCreateKeyEx function.
|
+| reg_multi_sz | The reg_multi_sz type is used by registry keys that specify an array of null-terminated strings, terminated by two null characters.
|
+| reg_none | The reg_none type is used by registry keys that have no defined value type.
|
+| reg_qword | The reg_qword type is used by registry keys that specify an unsigned 64-bit integer.
|
+| ~~reg_qword_little_endian~~ | ~~The reg_qword_little_endian type is used by registry keys that specify an unsigned 64-bit integer in little-endian computer architectures.
~~> :small_red_triangle: **Deprecated As Of Version 5.11.1:1.1** :small_red_triangle:
**Reason:** Defined to have same value as reg_qword.
**Comment:** This registry type enumeration value has been deprecated and may be removed in a future version of the language.
|
+| reg_sz | The reg_sz type is used by registry keys that specify a single null-terminated string.
|
+| reg_resource_list | The reg_resource_list type is used by registry keys that specify a resource list.
|
+| reg_full_resource_descriptor | The reg_full_resource_descriptor type is used by registry keys that specify a full resource descriptor.
|
+| reg_resource_requirements_list | The reg_resource_requirements_list type is used by registry keys that specify a resource requirements list.
|
+| | The empty string value is permitted here to allow for detailed error reporting.
|
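
The table above names the OVAL type entity values, and the note that they are not datatype values is easy to get wrong when building a registry_item from raw API output. The following is an added example, not code from the OVAL schema or from any OVAL interpreter: it maps the numeric Win32 REG_* constants (from winnt.h) onto the enumeration names and decodes the raw bytes into values. The value encodings it assumes (decimal integers with datatype int for dword/qword, hex with datatype binary for reg_binary and the resource-descriptor types, one value per string for reg_multi_sz) are assumptions about the registry_item encoding documented elsewhere, and the sample values are constructed rather than collected from a real host.

```python
"""Translate raw Windows registry values into OVAL registry_item terms.

Added example, not code from the OVAL schema or any OVAL interpreter. The
numeric REG_* constants are the Win32 values from winnt.h. The value
encodings (decimal for dword/qword with datatype "int", hex for reg_binary
with datatype "binary", one value per string for reg_multi_sz) are
assumptions about the registry_item encoding documented elsewhere.
"""
import struct

# Win32 REG_* constant -> OVAL EntityItemRegistryTypeType name.
# REG_DWORD_LITTLE_ENDIAN and REG_QWORD_LITTLE_ENDIAN are the same numbers
# as REG_DWORD (4) and REG_QWORD (11), which is why OVAL 5.11.1 deprecated
# reg_dword_little_endian and reg_qword_little_endian: the API can never
# report them as distinct types.
WIN32_TO_OVAL_TYPE = {
    0: "reg_none",
    1: "reg_sz",
    2: "reg_expand_sz",
    3: "reg_binary",
    4: "reg_dword",
    5: "reg_dword_big_endian",
    6: "reg_link",
    7: "reg_multi_sz",
    8: "reg_resource_list",
    9: "reg_full_resource_descriptor",
    10: "reg_resource_requirements_list",
    11: "reg_qword",
}

# The type entity names above are NOT datatype attribute values. The
# datatype is chosen separately from how the value is represented
# (assumed mapping, see lead-in).
OVAL_DATATYPE = {
    "reg_sz": "string", "reg_expand_sz": "string", "reg_link": "string",
    "reg_multi_sz": "string",
    "reg_dword": "int", "reg_dword_big_endian": "int", "reg_qword": "int",
    "reg_binary": "binary", "reg_resource_list": "binary",
    "reg_full_resource_descriptor": "binary",
    "reg_resource_requirements_list": "binary",
    "reg_none": "binary",
}


def _utf16_strings(data):
    """Split a UTF-16LE buffer into NUL-terminated strings (REG_MULTI_SZ layout)."""
    if len(data) % 2:
        raise ValueError("UTF-16 registry string has odd length")
    parts = data.decode("utf-16-le").split("\x00")
    # The list terminator is an extra NUL; a missing terminator (common in
    # sloppily written installers) is tolerated rather than rejected.
    while parts and parts[-1] == "":
        parts.pop()
    return parts


def decode_registry_value(win32_type, data):
    """Return (oval_type, oval_datatype, values) for raw registry bytes.

    values is a list: empty for reg_none, one element for most types and one
    element per string for reg_multi_sz.
    """
    oval_type = WIN32_TO_OVAL_TYPE.get(win32_type)
    if oval_type is None:
        raise ValueError("unknown Win32 registry type %d" % win32_type)
    datatype = OVAL_DATATYPE[oval_type]

    if oval_type in ("reg_sz", "reg_expand_sz", "reg_link"):
        # Single string; an empty or unterminated buffer yields "".
        strings = _utf16_strings(data)
        return oval_type, datatype, [strings[0] if strings else ""]
    if oval_type == "reg_multi_sz":
        return oval_type, datatype, _utf16_strings(data)
    if oval_type == "reg_dword":
        return oval_type, datatype, [struct.unpack("<I", data)[0]]
    if oval_type == "reg_dword_big_endian":
        return oval_type, datatype, [struct.unpack(">I", data)[0]]
    if oval_type == "reg_qword":
        return oval_type, datatype, [struct.unpack("<Q", data)[0]]
    if oval_type == "reg_none":
        return oval_type, datatype, []
    # reg_binary and the resource-descriptor types are opaque bytes.
    return oval_type, datatype, [data.hex()]


# Constructed sample values (not real collection output): a REG_DWORD such
# as HKLM\...\Policies\System\EnableLUA, and a REG_MULTI_SZ list.
SAMPLE_ENABLE_LUA = (4, b"\x01\x00\x00\x00")
SAMPLE_MULTI = (7, "first\x00second\x00\x00".encode("utf-16-le"))

if __name__ == "__main__":
    for win32_type, data in (SAMPLE_ENABLE_LUA, SAMPLE_MULTI):
        print(decode_registry_value(win32_type, data))
```

The decoder refuses unknown numeric types and odd-length string buffers instead of guessing; a collector that silently coerces such data produces items whose type entity does not match what the system actually holds, which is exactly the kind of mismatch the empty-string error value exists to flag.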
+
+## == EntityItemServiceControlsAcceptedType ==
+
+The EntityItemServiceControlsAcceptedType complex type defines the different values that are valid for the controls_accepted entity of a service. The empty string is also allowed to support empty elements associated with error conditions.
+
+**Restricts:** [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType)
+
+| Value | Description |
+| ----- | ----------- |
+| SERVICE_ACCEPT_NETBINDCHANGE | The SERVICE_ACCEPT_NETBINDCHANGE type means that the service is a network component and can accept changes in its binding without being stopped or restarted. The DWORD value that this corresponds to is 0x00000010.
|
+| SERVICE_ACCEPT_PARAMCHANGE | The SERVICE_ACCEPT_PARAMCHANGE type means that the service can re-read its startup parameters without being stopped or restarted. The DWORD value that this corresponds to is 0x00000008.
|
+| SERVICE_ACCEPT_PAUSE_CONTINUE | The SERVICE_ACCEPT_PAUSE_CONTINUE type means that the service can be paused or continued. The DWORD value that this corresponds to is 0x00000002.
|
+| SERVICE_ACCEPT_PRESHUTDOWN | The SERVICE_ACCEPT_PRESHUTDOWN type means that the service can receive pre-shutdown notifications. The DWORD value that this corresponds to is 0x00000100.
|
+| SERVICE_ACCEPT_SHUTDOWN | The SERVICE_ACCEPT_SHUTDOWN type means that the service can receive shutdown notifications. The DWORD value that this corresponds to is 0x00000004.
|
+| SERVICE_ACCEPT_STOP | The SERVICE_ACCEPT_STOP type means that the service can be stopped. The DWORD value that this corresponds to is 0x00000001.
|
+| SERVICE_ACCEPT_HARDWAREPROFILECHANGE | The SERVICE_ACCEPT_HARDWAREPROFILECHANGE type means that the service can receive notifications when the system's hardware profile changes. The DWORD value that this corresponds to is 0x00000020.
|
+| SERVICE_ACCEPT_POWEREVENT | The SERVICE_ACCEPT_POWEREVENT type means that the service can receive notifications when the system's power status has changed. The DWORD value that this corresponds to is 0x00000040.
|
+| SERVICE_ACCEPT_SESSIONCHANGE | The SERVICE_ACCEPT_SESSIONCHANGE type means that the service can receive notifications when the system's session status has changed. The DWORD value that this corresponds to is 0x00000080.
|
+| SERVICE_ACCEPT_TIMECHANGE | The SERVICE_ACCEPT_TIMECHANGE type means that the service can receive notifications when the system time changes. The DWORD value that this corresponds to is 0x00000200.
|
+| SERVICE_ACCEPT_TRIGGEREVENT | The SERVICE_ACCEPT_TRIGGEREVENT type means that the service can receive notifications when an event that the service has registered for occurs on the system. The DWORD value that this corresponds to is 0x00000400.
|
+| | The empty string value is permitted here to allow for empty elements associated with error conditions.
|
+
+## == EntityItemServiceCurrentStateType ==
+
+The EntityItemServiceCurrentStateType complex type defines the different values that are valid for the current_state entity of a service. The empty string is also allowed to support empty elements associated with error conditions.
+
+**Restricts:** [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType)
+
+| Value | Description |
+| ----- | ----------- |
+| SERVICE_CONTINUE_PENDING | The SERVICE_CONTINUE_PENDING type means that the service has been sent a command to continue, however, the command has not yet been executed. The DWORD value that this corresponds to is 0x00000005.
|
+| SERVICE_PAUSE_PENDING | The SERVICE_PAUSE_PENDING type means that the service has been sent a command to pause, however, the command has not yet been executed. The DWORD value that this corresponds to is 0x00000006.
|
+| SERVICE_PAUSED | The SERVICE_PAUSED type means that the service is paused. The DWORD value that this corresponds to is 0x00000007.
|
+| SERVICE_RUNNING | The SERVICE_RUNNING type means that the service is running. The DWORD value that this corresponds to is 0x00000004.
|
+| SERVICE_START_PENDING | The SERVICE_START_PENDING type means that the service has been sent a command to start, however, the command has not yet been executed. The DWORD value that this corresponds to is 0x00000002.
|
+| SERVICE_STOP_PENDING | The SERVICE_STOP_PENDING type means that the service has been sent a command to stop, however, the command has not yet been executed. The DWORD value that this corresponds to is 0x00000003.
|
+| SERVICE_STOPPED | The SERVICE_STOPPED type means that the service is stopped. The DWORD value that this corresponds to is 0x00000001.
|
+| | The empty string value is permitted here to allow for empty elements associated with error conditions.
|
+
+## == EntityItemServiceStartTypeType ==
+
+The EntityItemServiceStartTypeType complex type defines the different values that are valid for the start_type entity of a service. The empty string is also allowed to support empty elements associated with error conditions.
+
+**Restricts:** [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType)
+
+| Value | Description |
+| ----- | ----------- |
+| SERVICE_AUTO_START | The SERVICE_AUTO_START type means that the service is started automatically by the Service Control Manager (SCM) during startup. The DWORD value that this corresponds to is 0x00000002.
|
+| SERVICE_BOOT_START | The SERVICE_BOOT_START type means that the driver service is started by the system loader. The DWORD value that this corresponds to is 0x00000000.
|
+| SERVICE_DEMAND_START | The SERVICE_DEMAND_START type means that the service is started by the Service Control Manager (SCM) when StartService() is called. The DWORD value that this corresponds to is 0x00000003.
|
+| SERVICE_DISABLED | The SERVICE_DISABLED type means that the service cannot be started. The DWORD value that this corresponds to is 0x00000004.
|
+| SERVICE_SYSTEM_START | The SERVICE_SYSTEM_START type means that the service is a device driver started by IoInitSystem(). The DWORD value that this corresponds to is 0x00000001.
|
+| | The empty string value is permitted here to allow for empty elements associated with error conditions.
|
+
+## == EntityItemServiceTypeType ==
+
+The EntityItemServiceTypeType complex type defines the different values that are valid for the service_type entity of a service. The empty string is also allowed to support empty elements associated with error conditions.
+
+**Restricts:** [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType)
+
+| Value | Description |
+| ----- | ----------- |
+| SERVICE_FILE_SYSTEM_DRIVER | The SERVICE_FILE_SYSTEM_DRIVER type means that the service is a file system driver. The DWORD value that this corresponds to is 0x00000002.
|
+| SERVICE_KERNEL_DRIVER | The SERVICE_KERNEL_DRIVER type means that the service is a driver. The DWORD value that this corresponds to is 0x00000001.
|
+| SERVICE_WIN32_OWN_PROCESS | The SERVICE_WIN32_OWN_PROCESS type means that the service runs in its own process. The DWORD value that this corresponds to is 0x00000010.
|
+| SERVICE_WIN32_SHARE_PROCESS | The SERVICE_WIN32_SHARE_PROCESS type means that the service runs in a process with other services. The DWORD value that this corresponds to is 0x00000020.
|
+| SERVICE_INTERACTIVE_PROCESS | The SERVICE_INTERACTIVE_PROCESS type means that the service can interact with the desktop. It is a modifier combined with SERVICE_WIN32_OWN_PROCESS or SERVICE_WIN32_SHARE_PROCESS. The DWORD value that this corresponds to is 0x00000100.
|
+| | The empty string value is permitted here to allow for empty elements associated with error conditions.
|
+
+## == EntityItemSharedResourceTypeType ==
+
+The EntityItemSharedResourceTypeType complex type defines the different values that are valid for the type entity of a shared resource item. Note that the Windows API returns a DWORD value and OVAL uses the constant name that is normally defined for these return values. This is done to increase readability and maintainability of OVAL Definitions. The empty string is also allowed to support empty elements associated with error conditions.
+
+It is also important to note that special shared resources are those reserved for remote administration, interprocess communication, and administrative shares.
+
+**Restricts:** [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType)
+
+| Value | Description |
+| ----- | ----------- |
+| STYPE_DISKTREE | The STYPE_DISKTREE type means that the shared resource is a disk drive. The DWORD value that this corresponds to is 0x00000000.
|
+| STYPE_DISKTREE_SPECIAL | The STYPE_DISKTREE_SPECIAL type means that the shared resource is a special disk drive. The DWORD value that this corresponds to is 0x80000000.
|
+| STYPE_DISKTREE_TEMPORARY | The STYPE_DISKTREE_TEMPORARY type means that the shared resource is a temporary disk drive. The DWORD value that this corresponds to is 0x40000000.
|
+| STYPE_DISKTREE_SPECIAL_TEMPORARY | The STYPE_DISKTREE_SPECIAL_TEMPORARY type means that the shared resource is a temporary, special disk drive. The DWORD value that this corresponds to is 0xC0000000.
|
+| STYPE_PRINTQ | The STYPE_PRINTQ type means that the shared resource is a print queue. The DWORD value that this corresponds to is 0x00000001.
|
+| STYPE_PRINTQ_SPECIAL | The STYPE_PRINTQ_SPECIAL type means that the shared resource is a special print queue. The DWORD value that this corresponds to is 0x80000001.
|
+| STYPE_PRINTQ_TEMPORARY | The STYPE_PRINTQ_TEMPORARY type means that the shared resource is a temporary print queue. The DWORD value that this corresponds to is 0x40000001.
|
+| STYPE_PRINTQ_SPECIAL_TEMPORARY | The STYPE_PRINTQ_SPECIAL_TEMPORARY type means that the shared resource is a temporary, special print queue. The DWORD value that this corresponds to is 0xC0000001.
|
+| STYPE_DEVICE | The STYPE_DEVICE type means that the shared resource is a communication device. The DWORD value that this corresponds to is 0x00000002.
|
+| STYPE_DEVICE_SPECIAL | The STYPE_DEVICE_SPECIAL type means that the shared resource is a special communication device. The DWORD value that this corresponds to is 0x80000002.
|
+| STYPE_DEVICE_TEMPORARY | The STYPE_DEVICE_TEMPORARY type means that the shared resource is a temporary communication device. The DWORD value that this corresponds to is 0x40000002.
|
+| STYPE_DEVICE_SPECIAL_TEMPORARY | The STYPE_DEVICE_SPECIAL_TEMPORARY type means that the shared resource is a temporary, special communication device. The DWORD value that this corresponds to is 0xC0000002.
|
+| STYPE_IPC | The STYPE_IPC type means that the shared resource is an interprocess communication (IPC) share. The DWORD value that this corresponds to is 0x00000003.
|
+| STYPE_IPC_SPECIAL | The STYPE_IPC_SPECIAL type means that the shared resource is a special interprocess communication (IPC) share. The DWORD value that this corresponds to is 0x80000003.
|
+| STYPE_IPC_TEMPORARY | The STYPE_IPC_TEMPORARY type means that the shared resource is a temporary interprocess communication (IPC) share. The DWORD value that this corresponds to is 0x40000003.
|
+| STYPE_IPC_SPECIAL_TEMPORARY | The STYPE_IPC_SPECIAL_TEMPORARY type means that the shared resource is a temporary, special interprocess communication (IPC) share. The DWORD value that this corresponds to is 0xC0000003.
|
+| | The empty string is also allowed to support empty elements associated with error conditions.
|
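
The service enumerations (controls_accepted, current_state, start_type, service_type) and the shared resource types above all cite the DWORD value each name corresponds to, and that correspondence is what a collector has to apply when turning SCM or NetShareEnum output into items. The following is an added example, not code from the OVAL schema or any OVAL interpreter: it decodes the raw DWORDs into the enumeration names, treating controls_accepted and service_type as bitmasks, start_type and current_state as single values, and share types as a base type plus the SPECIAL (0x80000000) and TEMPORARY (0x40000000) bits. The numeric constants are the Win32 values the tables cite; how a particular interpreter fills the item entities, and the sample service record, are assumptions and constructed data.

```python
"""Decode Win32 DWORDs from the Service Control Manager and NetShareEnum into
OVAL enumeration names.

Added example, not code from the OVAL schema or any OVAL interpreter. The
constants are the Win32 values (winsvc.h, lmshare.h) the OVAL tables cite.
"""

CONTROLS_ACCEPTED = {
    0x001: "SERVICE_ACCEPT_STOP",
    0x002: "SERVICE_ACCEPT_PAUSE_CONTINUE",
    0x004: "SERVICE_ACCEPT_SHUTDOWN",
    0x008: "SERVICE_ACCEPT_PARAMCHANGE",
    0x010: "SERVICE_ACCEPT_NETBINDCHANGE",
    0x020: "SERVICE_ACCEPT_HARDWAREPROFILECHANGE",
    0x040: "SERVICE_ACCEPT_POWEREVENT",
    0x080: "SERVICE_ACCEPT_SESSIONCHANGE",
    0x100: "SERVICE_ACCEPT_PRESHUTDOWN",
    0x200: "SERVICE_ACCEPT_TIMECHANGE",
    0x400: "SERVICE_ACCEPT_TRIGGEREVENT",
}
SERVICE_TYPE = {
    0x001: "SERVICE_KERNEL_DRIVER",
    0x002: "SERVICE_FILE_SYSTEM_DRIVER",
    0x010: "SERVICE_WIN32_OWN_PROCESS",
    0x020: "SERVICE_WIN32_SHARE_PROCESS",
    0x100: "SERVICE_INTERACTIVE_PROCESS",  # modifier OR'd with a WIN32_* type
}
START_TYPE = {
    0: "SERVICE_BOOT_START",
    1: "SERVICE_SYSTEM_START",
    2: "SERVICE_AUTO_START",
    3: "SERVICE_DEMAND_START",
    4: "SERVICE_DISABLED",
}
CURRENT_STATE = {
    1: "SERVICE_STOPPED",
    2: "SERVICE_START_PENDING",
    3: "SERVICE_STOP_PENDING",
    4: "SERVICE_RUNNING",
    5: "SERVICE_CONTINUE_PENDING",
    6: "SERVICE_PAUSE_PENDING",
    7: "SERVICE_PAUSED",
}
STYPE_BASE = {0: "STYPE_DISKTREE", 1: "STYPE_PRINTQ", 2: "STYPE_DEVICE", 3: "STYPE_IPC"}
STYPE_TEMPORARY = 0x40000000
STYPE_SPECIAL = 0x80000000


def decode_flags(value, table):
    """Expand a bitmask into enumeration names, lowest bit first.

    Bits the enumeration has no name for raise ValueError: for example
    SERVICE_ACCEPT_USERMODEREBOOT (0x800) is a real SCM flag but not an OVAL
    value, and dropping it silently would hide state from the assessment.
    """
    names, remaining = [], value
    for bit in sorted(table):
        if remaining & bit:
            names.append(table[bit])
            remaining &= ~bit
    if remaining:
        raise ValueError("unmapped bits 0x%08x in 0x%08x" % (remaining, value))
    return names


def decode_enum(value, table):
    """Exact lookup for single-valued entities (start_type, current_state)."""
    if value not in table:
        raise ValueError("no enumeration name for 0x%08x" % value)
    return table[value]


def decode_share_type(value):
    """Compose the STYPE_* name from the base type plus the SPECIAL/TEMPORARY bits."""
    base = value & ~(STYPE_SPECIAL | STYPE_TEMPORARY)
    if base not in STYPE_BASE:
        raise ValueError("unknown share base type in 0x%08x" % value)
    name = STYPE_BASE[base]
    if value & STYPE_SPECIAL:
        name += "_SPECIAL"
    if value & STYPE_TEMPORARY:
        name += "_TEMPORARY"
    return name


def decode_service(raw):
    """Turn the raw SCM DWORDs of one service into OVAL service_item entity names.

    The field names mirror SERVICE_STATUS / QUERY_SERVICE_CONFIG; the dict
    layout itself is an assumption of this example.
    """
    return {
        "service_type": decode_flags(raw["dwServiceType"], SERVICE_TYPE),
        "start_type": decode_enum(raw["dwStartType"], START_TYPE),
        "current_state": decode_enum(raw["dwCurrentState"], CURRENT_STATE),
        "controls_accepted": decode_flags(raw["dwControlsAccepted"], CONTROLS_ACCEPTED),
    }


# Constructed sample (not real collection output): an interactive Win32
# service in its own process, auto-start, running, accepting STOP, SHUTDOWN
# and PARAMCHANGE.
SAMPLE_SERVICE = {
    "dwServiceType": 0x110,
    "dwStartType": 0x2,
    "dwCurrentState": 0x4,
    "dwControlsAccepted": 0x0D,
}

if __name__ == "__main__":
    print(decode_service(SAMPLE_SERVICE))
    for stype in (0x00000000, 0x80000000, 0xC0000003):
        print("0x%08x -> %s" % (stype, decode_share_type(stype)))
```

Note that service_type comes out as a list: a service reported with dwServiceType 0x110 is both SERVICE_WIN32_OWN_PROCESS and SERVICE_INTERACTIVE_PROCESS, and a definition that tests only for the former will miss interactive services unless the collector records both names.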
+
+## == EntityItemSystemMetricIndexType ==
+
+The EntityItemSystemMetricIndexType complex type defines the different values that are valid for the index entity of a system_metric item. These values describe the system metric or configuration setting to be retrieved. The empty string is also allowed to support empty elements associated with error conditions. Please note that the values identified are for the index entity and are not valid values for the datatype attribute.
+
+**Restricts:** [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType)
+
+| Value | Description |
+| ----- | ----------- |
+| SM_ARRANGE | The flags that specify how the system arranged minimized windows.
|
+| SM_CLEANBOOT | The value that specifies how the system is started.
|
+| SM_CMONITORS | The number of display monitors on a desktop.
|
+| SM_CMOUSEBUTTONS | The number of buttons on a mouse, or zero if no mouse is installed.
|
+| SM_CXBORDER | The width of a window border, in pixels. This is equivalent to the SM_CXEDGE value for windows with the 3-D look.
|
+| SM_CXCURSOR | The width of a cursor, in pixels. The system cannot create cursors of other sizes.
|
+| SM_CXDLGFRAME | This value is the same as SM_CXFIXEDFRAME.
|
+| SM_CXDOUBLECLK | The width of the rectangle around the location of a first click in a double-click sequence, in pixels.
|
+| SM_CXDRAG | The number of pixels on either side of a mouse-down point that the mouse pointer can move before a drag operation begins.
|
+| SM_CXEDGE | The width of a 3-D border, in pixels. This metric is the 3-D counterpart of SM_CXBORDER.
|
+| SM_CXFIXEDFRAME | The thickness of the frame around the perimeter of a window that has a caption but is not sizable, in pixels.
|
+| SM_CXFOCUSBORDER | The width of the left and right edges of the focus rectangle that the DrawFocusRect draws.
|
+| SM_CXFRAME | This value is the same as SM_CXSIZEFRAME.
|
+| SM_CXFULLSCREEN | The width of the client area for a full-screen window on the primary display monitor, in pixels.
|
+| SM_CXHSCROLL | The width of the arrow bitmap on a horizontal scroll bar, in pixels.
|
+| SM_CXHTHUMB | The width of the thumb box in a horizontal scroll bar, in pixels.
|
+| SM_CXICON | The default width of an icon, in pixels.
|
+| SM_CXICONSPACING | The width of a grid cell for items in large icon view, in pixels.
|
+| SM_CXMAXIMIZED | The default width, in pixels, of a maximized top-level window on the primary display monitor.
|
+| SM_CXMAXTRACK | The default maximum width of a window that has a caption and sizing borders, in pixels.
|
+| SM_CXMENUCHECK | The width of the default menu check-mark bitmap, in pixels.
|
+| SM_CXMENUSIZE | The width of menu bar buttons, such as the child window close button that is used in the multiple document interface, in pixels.
|
+| SM_CXMIN | The minimum width of a window, in pixels.
|
+| SM_CXMINIMIZED | The width of a minimized window, in pixels.
|
+| SM_CXMINSPACING | The width of a grid cell for a minimized window, in pixels.
|
+| SM_CXMINTRACK | The minimum tracking width of a window, in pixels.
|
+| SM_CXPADDEDBORDER | The amount of border padding for captioned windows, in pixels.
|
+| SM_CXSCREEN | The width of the screen of the primary display monitor, in pixels.
|
+| SM_CXSIZE | The width of a button in a window caption or title bar, in pixels.
|
+| SM_CXSIZEFRAME | The thickness of the sizing border around the perimeter of a window that can be resized, in pixels.
|
+| SM_CXSMICON | The recommended width of a small icon, in pixels.
|
+| SM_CXSMSIZE | The width of small caption buttons, in pixels.
|
+| SM_CXVIRTUALSCREEN | The width of the virtual screen, in pixels.
|
+| SM_CXVSCROLL | The width of a vertical scroll bar, in pixels.
|
+| SM_CYBORDER | The height of a window border, in pixels.
|
+| SM_CYCAPTION | The height of a caption area, in pixels.
|
+| SM_CYCURSOR | The height of a cursor, in pixels.
|
+| SM_CYDLGFRAME | This value is the same as SM_CYFIXEDFRAME.
|
+| SM_CYDOUBLECLK | The height of the rectangle around the location of a first click in a double-click sequence, in pixels.
|
+| SM_CYDRAG | The number of pixels above and below a mouse-down point that the mouse pointer can move before a drag operation begins.
|
+| SM_CYEDGE | The height of a 3-D border, in pixels. This is the 3-D counterpart of SM_CYBORDER.
|
+| SM_CYFIXEDFRAME | The thickness of the frame around the perimeter of a window that has a caption but is not sizable, in pixels.
|
+| SM_CYFOCUSBORDER | The height of the top and bottom edges of the focus rectangle drawn by DrawFocusRect. This value is in pixels.
|
+| SM_CYFRAME | This value is the same as SM_CYSIZEFRAME.
|
+| SM_CYFULLSCREEN | The height of the client area for a full-screen window on the primary display monitor, in pixels.
|
+| SM_CYHSCROLL | The height of a horizontal scroll bar, in pixels.
|
+| SM_CYICON | The default height of an icon, in pixels.
|
+| SM_CYICONSPACING | The height of a grid cell for items in large icon view, in pixels.
|
+| SM_CYKANJIWINDOW | For double byte character set versions of the system, this is the height of the Kanji window at the bottom of the screen, in pixels.
|
+| SM_CYMAXIMIZED | The default height, in pixels, of a maximized top-level window on the primary display monitor.
|
+| SM_CYMAXTRACK | The default maximum height of a window that has a caption and sizing borders, in pixels.
|
+| SM_CYMENU | The height of a single-line menu bar, in pixels.
|
+| SM_CYMENUCHECK | The height of the default menu check-mark bitmap, in pixels.
|
+| SM_CYMENUSIZE | The height of menu bar buttons, such as the child window close button that is used in the multiple document interface, in pixels.
|
+| SM_CYMIN | The minimum height of a window, in pixels.
|
+| SM_CYMINIMIZED | The height of a minimized window, in pixels.
|
+| SM_CYMINSPACING | The height of a grid cell for a minimized window, in pixels.
|
+| SM_CYMINTRACK | The minimum tracking height of a window, in pixels.
|
+| SM_CYSCREEN | The height of the screen of the primary display monitor, in pixels.
|
+| SM_CYSIZE | The height of a button in a window caption or title bar, in pixels.
|
+| SM_CYSIZEFRAME | The thickness of the sizing border around the perimeter of a window that can be resized, in pixels.
|
+| SM_CYSMCAPTION | The height of a small caption, in pixels.
|
+| SM_CYSMICON | The recommended height of a small icon, in pixels.
|
+| SM_CYSMSIZE | The height of small caption buttons, in pixels.
|
+| SM_CYVIRTUALSCREEN | The height of the virtual screen, in pixels. The virtual screen is the bounding rectangle of all display monitors.
|
+| SM_CYVSCROLL | The height of the arrow bitmap on a vertical scroll bar, in pixels.
|
+| SM_CYVTHUMB | The height of the thumb box in a vertical scroll bar, in pixels.
|
+| SM_DBCSENABLED | Nonzero if User32.dll supports DBCS; otherwise, 0.
|
+| SM_DEBUG | Nonzero if the debug version of User.exe is installed; otherwise, 0.
|
+| SM_DIGITIZER | Nonzero if the current operating system is Windows 7 or Windows Server 2008 R2 and the Tablet PC Input service is started; otherwise, 0. The return value is a bitmask that specifies the type of digitizer input supported by the device.
|
+| SM_IMMENABLED | Nonzero if Input Method Manager/Input Method Editor features are enabled; otherwise, 0.
|
+| SM_MAXIMUMTOUCHES | Nonzero if there are digitizers in the system; otherwise, 0. The value is the aggregate maximum of the maximum number of contacts supported by every digitizer in the system.
|
+| SM_MEDIACENTER | Nonzero if the current operating system is Windows XP Media Center Edition; otherwise, 0.
|
+| SM_MENUDROPALIGNMENT | Nonzero if drop-down menus are right-aligned with the corresponding menu-bar item; 0 if the menus are left-aligned.
|
+| SM_MIDEASTENABLED | Nonzero if the system is enabled for Hebrew and Arabic languages, 0 if not.
|
+| SM_MOUSEPRESENT | Nonzero if a mouse is installed; otherwise, 0.
|
+| SM_MOUSEHORIZONTALWHEELPRESENT | Nonzero if a mouse with a horizontal scroll wheel is installed; otherwise 0.
|
+| SM_MOUSEWHEELPRESENT | Nonzero if a mouse with a vertical scroll wheel is installed; otherwise 0.
|
+| SM_NETWORK | The least significant bit is set if a network is present; otherwise, it is cleared.
|
+| SM_PENWINDOWS | Nonzero if the Microsoft Windows for Pen computing extensions are installed; zero otherwise.
|
+| SM_REMOTECONTROL | This system metric is used in a Terminal Services environment to determine if the current Terminal Server session is being remotely controlled. Its value is nonzero if the current session is remotely controlled; otherwise, 0.
|
+| SM_REMOTESESSION | This system metric is used in a Terminal Services environment. If the calling process is associated with a Terminal Services client session, the return value is nonzero. If the calling process is associated with the Terminal Services console session, the return value is 0.
|
+| SM_SAMEDISPLAYFORMAT | Nonzero if all the display monitors have the same color format, otherwise, 0.
|
+| SM_SECURE | This system metric should be ignored; it always returns 0.
|
+| SM_SERVERR2 | The build number if the system is Windows Server 2003 R2; otherwise, 0.
|
+| SM_SHOWSOUNDS | Nonzero if the user requires an application to present information visually in situations where it would otherwise present the information only in audible form; otherwise, 0.
|
+| SM_SHUTTINGDOWN | Nonzero if the current session is shutting down; otherwise, 0.
|
+| SM_SLOWMACHINE | Nonzero if the computer has a low-end (slow) processor; otherwise, 0.
|
+| SM_STARTER | Nonzero if the current operating system is Windows 7 Starter Edition, Windows Vista Starter, or Windows XP Starter Edition; otherwise, 0.
|
+| SM_SWAPBUTTON | Nonzero if the meanings of the left and right mouse buttons are swapped; otherwise, 0.
|
+| SM_TABLETPC | Nonzero if the current operating system is the Windows XP Tablet PC edition or if the current operating system is Windows Vista or Windows 7 and the Tablet PC Input service is started; otherwise, 0.
|
+| SM_XVIRTUALSCREEN | The coordinates for the left side of the virtual screen.
|
+| SM_YVIRTUALSCREEN | The coordinates for the top of the virtual screen.
|
+| | The empty string value is permitted here to allow for detailed error reporting.
|
+
+## == EntityItemGUIDType ==
+
+The EntityItemGUIDType restricts a string value to a representation of a GUID, used for a module ID. The empty string is also allowed to support empty elements associated with error conditions.
+
+**Restricts:** [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType)
+
+**Pattern:** (\{[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}\}){0,}
+
+## == EntityItemCmdletVerbType ==
+
+The EntityItemCmdletVerbType restricts a string value to a set of allowed cmdlet verbs. The empty string is also allowed to support empty elements associated with error conditions.
+
+**Restricts:** [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType)
+
+| Value | Description |
+| ----- | ----------- |
+| Approve | The Approve verb confirms or agrees to the status of a resource or process.
|
+| Assert | The Assert verb affirms the state of a resource.
|
+| Compare | The Compare verb evaluates the data from one resource against the data from another resource.
|
+| Confirm | The Confirm verb acknowledges, verifies, or validates, the state of a resource or process.
|
+| Find | The Find verb looks for an object in a container that is unknown, implied, optional, or specified.
|
+| Get | The Get verb specifies an action that retrieves a resource.
|
+| Import | The Import verb creates a resource from data that is stored in a persistent data store (such as a file) or in an interchange format.
|
+| Measure | The Measure verb identifies resources that are consumed by a specified operation, or retrieves statistics about a resource.
|
+| Read | The Read verb acquires information from a source.
|
+| Request | The Request verb asks for a resource or asks for permissions.
|
+| Resolve | The Resolve verb maps a shorthand representation of a resource to a more complete representation.
|
+| Search | The Search verb creates a reference to a resource in a container.
|
+| Select | The Select verb locates a resource in a container.
|
+| Show | The Show verb makes a resource visible to the user.
|
+| Test | The Test verb verifies the operation or consistency of a resource.
|
+| Trace | The Trace verb tracks the activities of a resource.
|
+| Watch | The Watch verb continually inspects or monitors a resource for changes.
|
+| | The empty string is also allowed to support empty elements associated with error conditions.
|
+
+## == EntityItemWindowsViewType ==
+
+The EntityItemWindowsViewType restricts a string value to a specific set of values: 32_bit and 64_bit. These values describe the Windows view (32-bit or 64-bit) under which the item was collected. The empty string is also allowed to support empty elements associated with error conditions.
+
+**Restricts:** [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType)
+
+| Value | Description |
+| ----- | ----------- |
+| 32_bit | Indicates the 32_bit windows view.
|
+| 64_bit | Indicates the 64_bit windows view.
|
+| | The empty string value is permitted here to allow for empty elements associated with error conditions.
|
+
+## == EntityItemUserRightType ==
+
+The EntityItemUserRightType restricts a string value to a specific set of values that describe the different user rights/privileges. The empty string is also allowed to support empty elements associated with error conditions.
+
+**Restricts:** [oval-sc:EntityItemStringType](oval-system-characteristics-schema.md#EntityItemStringType)
+
+| Value | Description |
+| ----- | ----------- |
+| SE_ASSIGNPRIMARYTOKEN_NAME | This privilege is required to assign the primary token of a process.
|
+| SE_AUDIT_NAME | This privilege is required to generate audit-log entries.
|
+| SE_BACKUP_NAME | This privilege is required to perform backup operations.
|
+| SE_CHANGE_NOTIFY_NAME | This privilege is required to receive notifications of changes to files or directories.
|
+| SE_CREATE_GLOBAL_NAME | This privilege is required to create named file mapping objects in the global namespace during Terminal Services sessions.
|
+| SE_CREATE_PAGEFILE_NAME | This privilege is required to create a paging file.
|
+| SE_CREATE_PERMANENT_NAME | This privilege is required to create a permanent object.
|
+| SE_CREATE_SYMBOLIC_LINK_NAME | This privilege is required to create a symbolic link.
|
+| SE_CREATE_TOKEN_NAME | This privilege is required to create a primary token.
|
+| SE_DEBUG_NAME | This privilege is required to debug and adjust the memory of a process owned by another account.
|
+| SE_ENABLE_DELEGATION_NAME | This privilege is required to mark user and computer accounts as trusted for delegation.
|
+| SE_IMPERSONATE_NAME | This privilege is required to impersonate.
|
+| SE_INC_BASE_PRIORITY_NAME | This privilege is required to increase the base priority of a process.
|
+| SE_INCREASE_QUOTA_NAME | This privilege is required to increase the quota assigned to a process.
|
+| SE_INC_WORKING_SET_NAME | This privilege is required to allocate more memory for applications that run in the context of users.
|
+| SE_LOAD_DRIVER_NAME | This privilege is required to load or unload a device driver.
|
+| SE_LOCK_MEMORY_NAME | This privilege is required to lock physical pages in memory.
|
+| SE_MACHINE_ACCOUNT_NAME | This privilege is required to create a computer account.
|
+| SE_MANAGE_VOLUME_NAME | This privilege is required to enable volume management privileges.
|
+| SE_PROF_SINGLE_PROCESS_NAME | This privilege is required to gather profiling information for a single process.
|
+| SE_RELABEL_NAME | This privilege is required to modify the mandatory integrity level of an object.
|
+| SE_REMOTE_SHUTDOWN_NAME | This privilege is required to shut down a system using a network request.
|
+| SE_RESTORE_NAME | This privilege is required to perform restore operations.
|
+| SE_SECURITY_NAME | This privilege is required to perform a number of security-related functions, such as controlling and viewing audit messages.
|
+| SE_SHUTDOWN_NAME | This privilege is required to shut down a local system.
|
+| SE_SYNC_AGENT_NAME | This privilege is required for a domain controller to use the Lightweight Directory Access Protocol directory synchronization services.
|
+| SE_SYSTEM_ENVIRONMENT_NAME | This privilege is required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information.
|
+| SE_SYSTEM_PROFILE_NAME | This privilege is required to gather profiling information for the entire system.
|
+| SE_SYSTEMTIME_NAME | This privilege is required to modify the system time.
|
+| SE_TAKE_OWNERSHIP_NAME | This privilege is required to take ownership of an object without being granted discretionary access.
|
+| SE_TCB_NAME | This privilege identifies its holder as part of the trusted computer base.
|
+| SE_TIME_ZONE_NAME | This privilege is required to adjust the time zone associated with the computer's internal clock.
|
+| SE_TRUSTED_CREDMAN_ACCESS_NAME | This privilege is required to access Credential Manager as a trusted caller.
|
+| SE_UNDOCK_NAME | This privilege is required to undock a laptop.
|
+| SE_UNSOLICITED_INPUT_NAME | This privilege is required to read unsolicited input from a terminal device.
|
+| SE_BATCH_LOGON_NAME | This account right is required for an account to log on using the batch logon type.
|
+| SE_DENY_BATCH_LOGON_NAME | This account right explicitly denies an account the right to log on using the batch logon type.
|
+| SE_DENY_INTERACTIVE_LOGON_NAME | This account right explicitly denies an account the right to log on using the interactive logon type.
|
+| SE_DENY_NETWORK_LOGON_NAME | This account right explicitly denies an account the right to log on using the network logon type.
|
+| SE_DENY_REMOTE_INTERACTIVE_LOGON_NAME | This account right explicitly denies an account the right to log on remotely using the interactive logon type.
|
+| SE_DENY_SERVICE_LOGON_NAME | This account right explicitly denies an account the right to log on using the service logon type.
|
+| SE_INTERACTIVE_LOGON_NAME | This account right is required for an account to log on using the interactive logon type.
|
+| SE_NETWORK_LOGON_NAME | This account right is required for an account to log on using the network logon type.
|
+| SE_REMOTE_INTERACTIVE_LOGON_NAME | This account right is required for an account to log on remotely using the interactive logon type.
|
+| SE_SERVICE_LOGON_NAME | This account right is required for an account to log on using the service logon type.
|
+| | The empty string value is permitted here to allow for detailed error reporting.
|
+
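Review bot: every row of these two tables has its closing pipe on a separate line (the lone `|` after `| 32_bit | Indicates the 32_bit windows view.` and after each `SE_*` row), so they are not valid Markdown table rows and will render as plain text; the generator should emit the description and closing pipe on one line, e.g. `| 32_bit | Indicates the 32_bit windows view. |`. The EntityItemWindowsViewType prose says the values are "32-bit and 64-bit" while the enumerated values are `32_bit` and `64_bit`; align the spelling so a reader searching for the literal finds it. The headings `## == EntityItemWindowsViewType ==` mix Markdown `##` with MediaWiki `== ... ==` markers, and the two empty-string rows describe the same allowance differently ("empty elements associated with error conditions" vs "detailed error reporting"). Minor: `SE_IMPERSONATE_NAME` "is required to impersonate" is the only entry with no object; "impersonate a client after authentication" would match the wording used for the other rights.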
diff --git a/guidelines/oval-support-declarations.rst b/guidelines/oval-support-declarations.rst
new file mode 100644
index 0000000..25c1689
--- /dev/null
+++ b/guidelines/oval-support-declarations.rst
@@ -0,0 +1,14 @@
+OVAL Support Declarations
+=========================
+
+Intro tbd.
+
+Declarations
+------------
+
+Listing of declarations.
+
+Updating the List
+-----------------
+
+Instructions to join, change, remove from this list.
\ No newline at end of file
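Review bot: `Intro tbd.`, `Listing of declarations.` and `Instructions to join, change, remove from this list.` are placeholders, not content; if the page has to land now, mark it as a draft (a `.. note::` or `.. todo::` at the top) so a reader of the published site does not read the empty Declarations section as "no implementation has declared support". The file also lacks a trailing newline.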
diff --git a/guidelines/proposal-process/alternate-proposals.rst b/guidelines/proposal-process/alternate-proposals.rst
new file mode 100644
index 0000000..b0bcd9e
--- /dev/null
+++ b/guidelines/proposal-process/alternate-proposals.rst
@@ -0,0 +1,19 @@
+Alternate Proposals
+===================
+
+Brief description and purpose.
+
+How To
+------
+
+Step-by-step instuctions including CLI samples if appropriate.
+
+FAQs
+----
+
+Some FAQs about steps and any associated process details.
+
+Documentation Links
+-------------------
+
+Links to process docs?
\ No newline at end of file
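Review bot: `instuctions` in the How To section is a typo for `instructions`; the identical stub is repeated in the other proposal-process pages, so fix the template once and regenerate instead of patching each copy. The bodies (`Brief description and purpose.`, `Some FAQs about steps...`, `Links to process docs?`) are placeholders and the trailing question mark suggests the section layout is still undecided; either fill them in or mark the page as draft. Missing trailing newline.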
diff --git a/guidelines/proposal-process/consensus-building.rst b/guidelines/proposal-process/consensus-building.rst
new file mode 100644
index 0000000..62bae9a
--- /dev/null
+++ b/guidelines/proposal-process/consensus-building.rst
@@ -0,0 +1,19 @@
+Consensus Building
+==================
+
+Brief description and purpose.
+
+How To
+------
+
+Step-by-step instuctions including CLI samples if appropriate.
+
+FAQs
+----
+
+Some FAQs about steps and any associated process details.
+
+Documentation Links
+-------------------
+
+Links to process docs?
\ No newline at end of file
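Review bot: same stub as alternate-proposals.rst: `instuctions` should be `instructions`, all four section bodies are placeholders, and the file lacks a trailing newline; fix the template rather than this copy.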
diff --git a/guidelines/proposal-process/create-an-issue.rst b/guidelines/proposal-process/create-an-issue.rst
new file mode 100644
index 0000000..ac1fccf
--- /dev/null
+++ b/guidelines/proposal-process/create-an-issue.rst
@@ -0,0 +1,19 @@
+Create an Issue
+===============
+
+Brief description and purpose.
+
+How To
+------
+
+Step-by-step instuctions including CLI samples if appropriate.
+
+FAQs
+----
+
+Some FAQs about steps and any associated process details.
+
+Documentation Links
+-------------------
+
+Links to process docs?
\ No newline at end of file
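Review bot: same stub as alternate-proposals.rst: `instuctions` should be `instructions`, the section bodies are placeholders, and the file lacks a trailing newline. Since this is the entry point of the process, the How To here should at least say where the issue is filed and what a minimal issue must contain before the other pages are written.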
diff --git a/guidelines/proposal-process/index.rst b/guidelines/proposal-process/index.rst
new file mode 100644
index 0000000..dc5e79f
--- /dev/null
+++ b/guidelines/proposal-process/index.rst
@@ -0,0 +1,28 @@
+Proposal Process
+================
+
+Introduction (what is the proposal process).
+
+Process Overview
+----------------
+
+High-level overview of proposal process steps with links into more detailed sections.
+
+# Create an Issue
+# Intitial Proposal
+# Alternate Proposals
+# Objections
+# Consensus Building
+# Release Process
+
+.. toctree::
+ :caption: Proposal Process
+ :maxdepth: 2
+ :hidden:
+
+ create-an-issue
+ initial-proposal
+ alternate-proposals
+ objections
+ consensus-building
+ release-process
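Review bot: `# Create an Issue` through `# Release Process` will not render as a numbered list in reStructuredText; a bare `#` is not a list marker. Use `#. Create an Issue` (auto-enumerated) or `1.`, and since the overview promises "links into more detailed sections", make each entry a `:doc:` reference, e.g. `#. :doc:`create-an-issue``, because the toctree below is `:hidden:` and so is not visible navigation on this page. `Intitial Proposal` is a typo for `Initial Proposal`. The toctree options and entries appear indented by a single space; make sure `:caption:`, `:maxdepth:`, `:hidden:` and the six entries share the same indentation, as inconsistent indentation makes docutils reject the directive body.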
diff --git a/guidelines/proposal-process/initial-proposal.rst b/guidelines/proposal-process/initial-proposal.rst
new file mode 100644
index 0000000..14507f3
--- /dev/null
+++ b/guidelines/proposal-process/initial-proposal.rst
@@ -0,0 +1,19 @@
+Initial Proposal
+================
+
+Brief description and purpose.
+
+How To
+------
+
+Step-by-step instuctions including CLI samples if appropriate.
+
+FAQs
+----
+
+Some FAQs about steps and any associated process details.
+
+Documentation Links
+-------------------
+
+Links to process docs?
\ No newline at end of file
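Review bot: same stub as alternate-proposals.rst: `instuctions` should be `instructions`, the section bodies are placeholders, and the file lacks a trailing newline.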
diff --git a/guidelines/proposal-process/objections.rst b/guidelines/proposal-process/objections.rst
new file mode 100644
index 0000000..7143473
--- /dev/null
+++ b/guidelines/proposal-process/objections.rst
@@ -0,0 +1,19 @@
+Objections
+==========
+
+Brief description and purpose.
+
+How To
+------
+
+Step-by-step instuctions including CLI samples if appropriate.
+
+FAQs
+----
+
+Some FAQs about steps and any associated process details.
+
+Documentation Links
+-------------------
+
+Links to process docs?
\ No newline at end of file
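Review bot: same stub as alternate-proposals.rst: `instuctions` should be `instructions`, the section bodies are placeholders, and the file lacks a trailing newline.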
diff --git a/guidelines/proposal-process/release-process.rst b/guidelines/proposal-process/release-process.rst
new file mode 100644
index 0000000..38a20b8
--- /dev/null
+++ b/guidelines/proposal-process/release-process.rst
@@ -0,0 +1,19 @@
+Release Process
+===============
+
+Brief description and purpose.
+
+How To
+------
+
+Step-by-step instuctions including CLI samples if appropriate.
+
+FAQs
+----
+
+Some FAQs about steps and any associated process details.
+
+Documentation Links
+-------------------
+
+Links to process docs?
\ No newline at end of file
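Review bot: same stub as alternate-proposals.rst: `instuctions` should be `instructions`, the section bodies are placeholders, and the file lacks a trailing newline. Release Process is also listed as the last step of the proposal process in index.rst while a separate versioning.rst is added in this change; say on one of the two pages how they relate so the two do not drift apart.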
diff --git a/guidelines/specifications.rst b/guidelines/specifications.rst
new file mode 100644
index 0000000..63011a3
--- /dev/null
+++ b/guidelines/specifications.rst
@@ -0,0 +1,8 @@
+OVAL Specifications
+===================
+
+Intro tbd.
+
+* :download:`OVAL Language Specification (.docx) <../oval-specifications/oval-language-specification.docx>`
+* :download:`OVAL UNIX Extension Specification (.docx) <../oval-specifications/oval-unix-extension-specification.docx>`
+* :download:`OVAL Windows Extension Specification (.docx) <../oval-specifications/oval-windows-extension-specification.docx>`
\ No newline at end of file
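Review bot: the three `:download:` links point at binary `.docx` files with no version or date beside them; state which specification version each document corresponds to (the XSDs added in this change carry `5.11.1:1.1`) so a reader can tell whether the download matches the schema they are validating against, and consider a non-binary rendition alongside the `.docx` so changes show up in diffs. `Intro tbd.` is a placeholder, and the file lacks a trailing newline.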
diff --git a/guidelines/terms-of-use.rst b/guidelines/terms-of-use.rst
new file mode 100644
index 0000000..f93ac07
--- /dev/null
+++ b/guidelines/terms-of-use.rst
@@ -0,0 +1 @@
+.. include:: ../terms-of-use.rst
diff --git a/guidelines/versioning.rst b/guidelines/versioning.rst
new file mode 100644
index 0000000..2d7183c
--- /dev/null
+++ b/guidelines/versioning.rst
@@ -0,0 +1,4 @@
+Versioning
+==========
+
+Details of release streams, release policies/schedules and versioning policies.
\ No newline at end of file
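Review bot: `Details of release streams, release policies/schedules and versioning policies.` is an outline sentence, not content; mark the page as draft or fill it in, since a versioning policy page that is empty is worse than no page for anyone deciding which schema version to pin. Missing trailing newline.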
diff --git a/oval-schemas/aix-definitions-schema.xsd b/oval-schemas/aix-definitions-schema.xsd
new file mode 100644
index 0000000..0d7f70b
--- /dev/null
+++ b/oval-schemas/aix-definitions-schema.xsd
@@ -0,0 +1,611 @@
+
+
+
+
+ The following is a description of the elements, types, and attributes that compose the AIX specific tests found in Open Vulnerability and Assessment Language (OVAL). Each test is an extension of the standard test element defined in the Core Definition Schema. Through extension, each test inherits a set of elements and attributes that are shared amongst all OVAL tests. Each test is described in detail and should provide the information necessary to understand what each element and attribute represents. This document is intended for developers and assumes some familiarity with XML. A high level description of the interaction between the different tests and their relationship to the Core Definition Schema is not outlined here.
+ This schema was originally developed by Yuzheng Zhou and Todd Dolinsky at Hewlett-Packard. The OVAL Schema is maintained by the OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.cisecurity.org.
+
+ AIX Definition
+ 5.11.1:1.1
+ 11/30/2016 09:00:00 AM
+ Copyright (c) 2016, Center for Internet Security. All rights reserved. The contents of this file are subject to the terms of the OVAL License located at https://oval.cisecurity.org/terms. See the OVAL License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the OVAL Schema, this license header must be included.
+
+
+
+
+
+
+
+
+
+
+ The interim fix test is used to check information associated with different interim or emergency fixes installed on the system. The information being tested is based off the emgr -l -u VUID command. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references an interim_fix_object and the optional state element specifies the information to check.
+
+
+ interim_fix_test
+ interim_fix_object
+ interim_fix_state
+ interim_fix_item
+
+
+
+
+
+ - the object child element of a must reference a interim_fix_object
+
+
+ - the state child element of a must reference a interim_fix_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The interim_fix_object element is used by a interim_fix_test to define the specific fix to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+ An interim_fix_object consists of a single vuid entity that identifies the fix to be used.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Virtually Unique ID. A combination of time and cpuid, this ID can be used to differentiate fixes that are otherwise identical.
+
+
+
+
+
+
+
+
+
+
+
+
+ The interim_fix_state element defines the different information associated with a specific interim fix installed on the system. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ Virtually Unique ID. A combination of time and cpuid, this ID can be used to differentiate fixes that are otherwise identical.
+
+
+
+
+ Each efix that is installed on a given system has a unique efix label.
+
+
+
+
+ Describes the efix package.
+
+
+
+
+ The the emergency fix state.
+
+
+
+
+
+
+
+
+
+
+
+
+ The fileset_test is used to check information associated with different filesets installed on the system. The information used by this test is modeled after the /usr/bin/lslpp -l command. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references an inetd_object and the optional state element specifies the information to check.
+
+
+ fileset_test
+ fileset_object
+ fileset_state
+ fileset_item
+
+
+
+
+
+ - the object child element of a fileset_test must reference a fileset_object
+
+
+ - the state child element of a fileset_test must reference a fileset_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The fileset_object element is used by a fileset_test to define the fileset to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+ A fileset_object consists of a single flstinst entity that identifies the fileset to be used.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The flstinst entity represents the fileset name we want to check. For example, if we want to check the status of the fileset 'bos.rte', we can use fileset test and the flstinst entity will be 'bos.rte' or 'bot.*' or etc.
+
+
+
+
+
+
+
+
+
+
+
+
+ The fileset_state element defines the different information associated with filesets installed on the system. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ Represents the name of a fileset.
+
+
+
+
+ Maintenance level (also known as version in Solaris or Linux) of a fileset. For example, "5.3.0.10" is the level for 'bos.txt.tfs' fileset in one AIX machine.
+
+
+
+
+ This gives the state of a fileset. The state can be 'APPLIED', 'APPLYING','BROKEN', 'COMMITTED', 'EFIX LOCKED', 'OBSOLETE', 'COMMITTING','REJECTING'. See the manpage of the 'lslpp' command more information.
+
+
+
+
+ Short description of a fileset.
+
+
+
+
+
+
+
+
+
+
+
+
+ The fix test is used to check information associated with different fixes installed on the system. The information being tested is based off the /usr/sbin/instfix -iavk command. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references an fix_object and the optional state element specifies the information to check.
+
+
+ fix_test
+ fix_object
+ fix_state
+ fix_item
+
+
+
+
+
+ - the object child element of a fix_test must reference a fix_object
+
+
+ - the state child element of a fix_test must reference a fix_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The fix_object element is used by a fix test to define the specific fix to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+ A fix object consists of a single apar_number entity that identifies the fix to be used.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ APAR is the short for 'Authorized Program Analysis Report'. APAR identifies and describes a software product defect. An APAR number can obtain a PTF (Program Temporary Fix) for the defect, if a PTF is available. An example of an apar_number is 'IY78751', it includes two alphabetic characters and a 5-digit integer.
+
+
+
+
+
+
+
+
+
+
+
+
+ The fix_state element defines the different information associated with a specific fix installed on the system. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ APAR is the short for 'Authorized Program Analysis Report'. APAR identifies and describes a software product defect. An APAR number can obtain a PTF (Program Temporary Fix) for the defect, if a PTF is available. An example of an apar_number is 'IY78751', it includes two alphabetic characters and a 5-digit integer.
+
+
+
+
+ The abstract of an APAR. For instance, 'LL syas rXct are available even when not susea' is the abstract of APAR 'IY78751'.
+
+
+
+
+ The symptom text related to an APAR. For example, the symptom text for 'IY75211' is 'Daylight savings change for year 2007 and beyond'.
+
+
+
+
+ The installation status of files associated with the APAR. This cannot be got from the output of the instfix command directly. The last line of the output is 'All filesets for XXXXXXX were found', or 'Not all filesets for XXXXXXX were found' or 'No filesets which have fixes for XXXXXXX are currently installed.'. These can be translated to the correct value as defined by the EntityStateFixInstallationStatusType.
+
+
+
+
+
+
+
+
+
+
+
+
+ The no test is used to check information related to the /usr/sbin/no command and the parameters it manages. The no command sets or displays current or next boot values for network tuning parameters. The information being tested is based off the /usr/sbin/no -o command. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a no_object and the optional state element specifies the value to check for.
+
+
+
+ - the object child element of a must reference a no_object
+
+
+ - the state child element of a must reference a no_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The no_object element is used by a no_test to define the specific parameter to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+ A no_object consists of a single tunable entity that identifies the parameter to be looked at.
+
+
+
+
+
+
+
+
+
+
+ The tunable entity holds the name of the tunable parameter to be queried by the /usr/sbin/no command. Examples include ip_forwarding and tcp_keepalive_interval.
+
+
+
+
+
+
+
+
+
+
+
+
+ The no_state element defines the different information associated with a specific call to /usr/sbin/no. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ The tunable entity is used to check the name of the tunable parameter that was used by the /usr/sbin/no command. Examples include ip_forwarding and tcp_keepalive_interval.
+
+
+
+
+ The value entity defines the value to check against the tunable parameter being examined.
+
+
+
+
+
+
+
+
+
+
+
+
+ The oslevel test reveals information about the release and maintenance level of AIX operating system. This information can be retrieved by the /usr/bin/oslevel -r command. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references an oslevel_object and the optional state element specifies the metadata to check.
+
+
+
+ - the object child element of a oslevel_test must reference a oslevel_object
+
+
+ - the state child element of a oslevel_test must reference a oslevel_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The oslevel_object element is used by an oslevel test to define those objects to be evaluated based on a specified state. There is actually only one object relating to oslevel and this is the system as a whole. Therefore, there are no child entities defined. Any OVAL Test written to check oslevel will reference the same oslevel_object which is basically an empty object element.
+
+
+
+
+
+
+
+
+
+ The oslevel_state element defines the information about maintenance level (system version). Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ This is the maintenance level (system version) of current AIX operating system.
+
+
+
+
+
+
+
+
+
+
+
+
+ The EntityStateFilesetStateType complex type defines the different values that are valid for the state entity of a fileset state. The empty string is also allowed as a valid value to support an empty element that is found when a variable reference is used within the state entity. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+
+
+
+
+ The specified fileset is installed on the system. The APPLIED state means that the fileset can be rejected with the installp command and the previous level of the fileset restored. This state is only valid for Version 4 fileset updates and 3.2 migrated filesets.
+
+
+
+
+ An attempt was made to apply the specified fileset, but it did not complete successfully, and cleanup was not performed.
+
+
+
+
+ The specified fileset or fileset update is broken and should be reinstalled before being used.
+
+
+
+
+ The specified fileset is installed on the system. The COMMITTED state means that a commitment has been made to this level of the software. A committed fileset update cannot be rejected, but a committed fileset base level and its updates (regardless of state) can be removed or deinstalled by the installp command.
+
+
+
+
+ An attempt was made to commit the specified fileset, but it did not complete successfully, and cleanup was not performed.
+
+
+
+
+ The specified fileset was installed sucessfully and locked by the interim fix (interim fix) manager.
+
+
+
+
+ The specified fileset was installed with an earlier version of the operating system but has been replaced by a repackaged (renamed) newer version. Some of the files that belonged to this fileset have been replaced by versions from the repackaged fileset.
+
+
+
+
+ An attempt was made to reject the specified fileset, but it did not complete successfully, and cleanup was not performed.
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityStateFixInstallationStatusType complex type defines the different values that are valid for the installation_status entity of a fix_state state. The empty string is also allowed as a valid value to support an empty element that is found when a variable reference is used within the installation_status entity. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+
+
+
+
+ All filesets for XXXXXXX were found
+
+
+
+
+ Not all filesets for XXXXXXX were found
+
+
+
+
+ No filesets which have fixes for XXXXXXX are currently installed.
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityStateInterimFixStateType complex type defines the different values that are valid for the state entity of a interim_fix_state state. Please refer to the AIX documentation of Emergency Fix States. The empty string is also allowed as a valid value to support an empty element that is found when a variable reference is used within the state entity. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+
+
+
+
+ The efix was installed with a standard installation, and successfully completed the last installation operation.
+
+
+
+
+ The efix was installed with a mount installation operation, and successfully completed the last installation or mount operation.
+
+
+
+
+ The efix was installed with a mount installation operation and one or more efix files were unmounted in a previous emgr command operation.
+
+
+
+
+ An unrecoverable error occurred during an installation or removal operation. The status of the efix is unreliable.
+
+
+
+
+ The efix is in the process of installing.
+
+
+
+
+ The efix was installed successfully and requires a reboot to fully integrate into the target system.
+
+
+
+
+ The efix is in the process of being removed.
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
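Review bot: the fileset_test documentation says "The required object element references an inetd_object"; it should read fileset_object (the sentence was copied from the inetd_test). Other wording fixes in the same file: "references an fix_object" should be "a fix_object"; "The the emergency fix state." in interim_fix_state has a duplicated word; "APAR is the short for" should be "APAR is short for" (it appears twice); "See the manpage of the 'lslpp' command more information" is missing "for"; "installed sucessfully and locked by the interim fix (interim fix) manager" has a typo and a redundant parenthetical; "in one AIX machine" should be "on one AIX machine"; "a oslevel_test" should be "an oslevel_test". Once rendered, the interim_fix_test and no_test schematron messages read "the object child element of a must reference a ..." while the fileset_test and fix_test messages spell the test name out; use one form for all four so the assertion text is readable in a validator's report.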
diff --git a/oval-schemas/aix-system-characteristics-schema.xsd b/oval-schemas/aix-system-characteristics-schema.xsd
new file mode 100644
index 0000000..fd518c0
--- /dev/null
+++ b/oval-schemas/aix-system-characteristics-schema.xsd
@@ -0,0 +1,308 @@
+
+
+
+
+ The following is a description of the elements, types, and attributes that compose the AIX specific system characteristic items found in Open Vulnerability and Assessment Language (OVAL). Each item is an extension of the standard test element defined in the Core Definition Schema. Through extension, each test inherits a set of elements and attributes that are shared amongst all OVAL tests. Each test is described in detail and should provide the information necessary to understand what each element and attribute represents. This document is intended for developers and assumes some familiarity with XML. A high level description of the interaction between the different tests and their relationship to the Core Definition Schema is not outlined here.
+ This schema was originally developed by Yuzheng Zhou and Todd Dolinsky at Hewlett-Packard. The OVAL Schema is maintained by the OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.cisecurity.org.
+
+ AIX System Characteristics
+ 5.11.1:1.1
+ 11/30/2016 09:00:00 AM
+ Copyright (c) 2016, Center for Internet Security. All rights reserved. The contents of this file are subject to the terms of the OVAL License located at https://oval.cisecurity.org/terms. See the OVAL License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the OVAL Schema, this license header must be included.
+
+
+
+
+
+
+
+
+
+
+ From emgr -l -u VUID Command. See instfix manpage for specific fields.
+
+
+
+
+
+
+
+ Virtually Unique ID. A combination of time and cpuid, this ID can be used to differentiate fixes that are otherwise identical.
+
+
+
+
+ Each efix that is installed on a given system has a unique efix label.
+
+
+
+
+ Describes the efix package.
+
+
+
+
+ The the emergency fix state.
+
+
+
+
+
+
+
+
+
+
+
+
+ Output of /usr/bin/lslpp -l FilesetName. See lslpp manpage for specific fields.
+
+
+
+
+
+
+
+ Represents the name of the fileset being checked.
+
+
+
+
+ Maintenance level (also known as version in Solaris or Linux) of the fileset. For example, "5.3.0.10" is the level for 'bos.txt.tfs' fileset in one AIX machine.
+
+
+
+
+ This gives the state of the fileset being checked. The state can be 'APPLIED', 'APPLYING','BROKEN', 'COMMITTED', 'EFIX LOCKED', 'OBSOLETE', 'COMMITTING','REJECTING'. See the manpage of the 'lslpp' command more information.
+
+
+
+
+ Short description of the fileset being checked.
+
+
+
+
+
+
+
+
+
+
+
+
+ From /usr/sbin/instfix -iavk APARNum Command. See instfix manpage for specific fields.
+
+
+
+
+
+
+
+ APAR is the short for 'Authorized Program Analysis Report'. APAR identifies and describes a software product defect. An APAR number can obtain a PTF (Program Temporary Fix) for the defect, if a PTF is available. An example of an apar_number is 'IY78751', it includes two alphabetic characters and a 5-digit integer.
+
+
+
+
+ The abstract of the APAR being checked. For instance, 'LL syas rXct are available even when not susea' is the abstract of APAR 'IY78751'.
+
+
+
+
+ The symptom text related to the APAR being checked. For example, the symptom text for 'IY75211' is 'Daylight savings change for year 2007 and beyond'.
+
+
+
+
+ The installation status of files associated with the APAR.
+
+
+
+
+
+
+
+
+
+
+
+
+ The no_item is used to hold information related to the /usr/sbin/no command and the tunable parameters it manages. Currently, /usr/sbin/no is used to configure network tuning parameters. The /usr/sbin/no command sets or displays current or next boot values for network tuning parameters. The /usr/sbin/no command queries the named parameter, retrieves the value associated with the specified parameter, and displays it.
+
+
+
+
+
+
+
+ The name of the target parameter to be queried by the /usr/sbin/no command. Examples include ip_forwarding and tcp_keepalive_interval.
+
+
+
+
+ The value entity defines the value assigned to the tunable parameter being examined.
+
+
+
+
+
+
+
+
+
+
+
+
+ Information about the release and maintenance level of AIX operating system. This information can be retrieved by the /usr/bin/oslevel -r command.
+
+
+
+
+
+
+
+ This is the maintenance level (system version) of current AIX operating system.
+
+
+
+
+
+
+
+
+
+
+
+
+ The EntityStateFilesetStateType complex type defines the different values that are valid for the state entity of a fileset state. The empty string value is permitted here to allow for detailed error reporting.
+
+
+
+
+
+ The specified fileset is installed on the system. The APPLIED state means that the fileset can be rejected with the installp command and the previous level of the fileset restored. This state is only valid for Version 4 fileset updates and 3.2 migrated filesets.
+
+
+
+
+ An attempt was made to apply the specified fileset, but it did not complete successfully, and cleanup was not performed.
+
+
+
+
+ The specified fileset or fileset update is broken and should be reinstalled before being used.
+
+
+
+
+ The specified fileset is installed on the system. The COMMITTED state means that a commitment has been made to this level of the software. A committed fileset update cannot be rejected, but a committed fileset base level and its updates (regardless of state) can be removed or deinstalled by the installp command.
+
+
+
+
+ An attempt was made to commit the specified fileset, but it did not complete successfully, and cleanup was not performed.
+
+
+
+
+ The specified fileset was installed sucessfully and locked by the interim fix (interim fix) manager.
+
+
+
+
+ The specified fileset was installed with an earlier version of the operating system but has been replaced by a repackaged (renamed) newer version. Some of the files that belonged to this fileset have been replaced by versions from the repackaged fileset.
+
+
+
+
+ An attempt was made to reject the specified fileset, but it did not complete successfully, and cleanup was not performed.
+
+
+
+
+
+
+
+
+ The EntityStateFixInstallationStatusType defines the different values that are valid for the installation_status entity of a fix_state item. The empty string is also allowed as a valid value to support empty emlements associated with error conditions.
+
+
+
+
+
+ All filesets for XXXXXXX were found
+
+
+
+
+ Not all filesets for XXXXXXX were found
+
+
+
+
+ No filesets which have fixes for XXXXXXX are currently installed.
+
+
+
+
+ The empty string value is permitted here to allow for detailed error reporting.
+
+
+
+
+
+
+
+ The EntityItemInterimFixStateType complex type defines the different values that are valid for the state entity of a interim_fix_state state. Please refer to the AIX documentation of Emergency Fix States. The empty string value is permitted here to allow for detailed error reporting.
+
+
+
+
+
+ The efix was installed with a standard installation, and successfully completed the last installation operation.
+
+
+
+
+ The efix was installed with a mount installation operation, and successfully completed the last installation or mount operation.
+
+
+
+
+ The efix was installed with a mount installation operation and one or more efix files were unmounted in a previous emgr command operation.
+
+
+
+
+ An unrecoverable error occurred during an installation or removal operation. The status of the efix is unreliable.
+
+
+
+
+ The efix is in the process of installing.
+
+
+
+
+ The efix was installed successfully and requires a reboot to fully integrate into the target system.
+
+
+
+
+ The efix is in the process of being removed.
+
+
+
+
+ The empty string value is permitted here to allow for detailed error reporting.
+
+
+
+
+
+
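Review bot: the type naming in the interim fix block of this hunk is inconsistent with its siblings: the description reads "The EntityItemInterimFixStateType complex type defines the different values that are valid for the state entity of a interim_fix_state state", while the neighbouring types in the same hunk are EntityStateFilesetStateType and EntityStateFixInstallationStatusType, so the interim fix type should presumably follow the EntityState naming (and "a interim_fix_state" should read "an interim_fix_state"). Similarly, the fix installation status text refers to "the installation_status entity of a fix_state item", mixing state and item terminology; please pick one. Smaller documentation fixes in the same hunk: "sucessfully" and the self-referential "interim fix (interim fix) manager" in the locked fileset state description (the efix/emgr wording used later in the hunk would read better), "emlements" in the fix installation status description, and the enumeration values "All filesets for XXXXXXX were found" / "Not all filesets for XXXXXXX were found" / "No filesets which have fixes for XXXXXXX are currently installed." would benefit from one sentence stating that XXXXXXX stands for the fix identifier being queried, since a reader of the schema otherwise cannot tell whether it is a literal or a placeholder.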
diff --git a/oval-schemas/android-definitions-schema.xsd b/oval-schemas/android-definitions-schema.xsd
new file mode 100644
index 0000000..75836bb
--- /dev/null
+++ b/oval-schemas/android-definitions-schema.xsd
@@ -0,0 +1,1612 @@
+
+
+
+
+
+ The following is a description of the elements, types, and attributes that compose the Android specific tests found in Open Vulnerability and Assessment Language (OVAL). Each test is an extension of the standard test element defined in the Core Definition Schema. Through extension, each test inherits a set of elements and attributes that are shared amongst all OVAL tests. Each test is described in detail and should provide the information necessary to understand what each element and attribute represents. This document is intended for developers and assumes some familiarity with XML. A high level description of the interaction between the different tests and their relationship to the Core Definition Schema is not outlined here.
+ The OVAL Schema is maintained by the OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.cisecurity.org.
+
+ Android Definition
+ 5.11.1:1.1
+ 11/30/2016 09:00:00 AM
+ Copyright (c) 2016, Center for Internet Security. All rights reserved. The contents of this file are subject to the terms of the OVAL License located at https://oval.cisecurity.org/terms. See the OVAL License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the OVAL Schema, this license header must be included.
+
+
+
+
+
+
+
+
+
+
+ The appmanager_test is used to verify the applications installed on the device. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a appmanager_object and the optional state element specifies the data to check.
+
+
+ appmanager_test
+ appmanager_object
+ appmanager_state
+ appmanager_item
+
+
+
+
+
+ - the object child element of an appmanager_test must reference an appmanager_object
+
+
+ - the state child element of an appmanager_test must reference an appmanager_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The appmanager_object element is used by a appmanager_test to define the required application properties to verify. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Name of the package.
+
+
+
+
+ Hexadecimal string of the signing certificate corresponding with the key used to sign the application package. Only the actual signing certificate should be included, not CA certificates in the chain (if applicable).
+
+
+
+
+
+
+
+
+
+
+
+
+ The appmanager_state element defines the application settings.
+
+
+
+
+
+
+
+ Name of the application.
+
+
+
+
+ Linux userid assigned to the application. (In some cases multiple applications can share a userid.)
+
+
+
+
+ One element for each group id that the application belongs to.
+
+
+
+
+ Name of the package.
+
+
+
+
+ Data directory assigned to the application.
+
+
+
+
+ Application version.
+
+
+
+
+ True if the application is enabled.
+
+
+
+
+ One element for each permission granted to the application.
+
+
+
+
+ Directory where the application's native libraries (if any) have been installed.
+
+
+
+
+ Hexadecimal string of the signing certificate corresponding with the key used to sign the application package. Only the actual signing certificate should be included, not CA certificates in the chain (if applicable).
+
+
+
+
+ Time at which the app was first installed, expressed in milliseconds since January 1, 1970 00:00:00 UTC.
+
+
+
+
+ Time at which the app was last updated, expressed in milliseconds since January 1, 1970 00:00:00 UTC.
+
+
+
+
+ From ApplicationInfo.sourceDir, the full path to the location of the publicly available parts of the application package.
+
+
+
+
+
+
+
+
+
+
+
+
+ The bluetooth_test is used to check the status of bluetooth settings on the device. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a bluetooth_object and the optional state element specifies the data to check.
+
+
+ bluetooth_test
+ bluetooth_object
+ bluetooth_state
+ bluetooth_item
+
+
+
+
+
+ - the object child element of an bluetooth_test must reference an bluetooth_object
+
+
+ - the state child element of an bluetooth_test must reference an bluetooth_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The bluetooth_object element is used by a bluetooth test to define those objects to be evaluated based on a specified state. Any OVAL Test written to check bluetooth settings status will reference the same bluetooth_object which is basically an empty object element.
+
+
+
+
+
+
+
+
+
+ The bluetooth_state element defines the bluetooth general settings status.
+
+
+
+
+
+
+
+ True if device Bluetooth is currently in discoverable mode.
+
+
+
+
+ True if device Bluetooth is currently enabled.
+
+
+
+
+
+
+
+
+
+
+
+
+ The camera_test is used to check camera-related information.
+
+
+ camera_test
+ camera_object
+ camera_state
+ camera_item
+
+
+
+
+
+ - the object child element of a camera_test must reference a camera_object
+
+
+ - the state child element of a camera_test must reference a camera_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The camera_object element is used by a camera test to define those objects to evaluate based on a camera state.
+
+
+
+
+
+
+
+
+
+ The camera_state element contains a single entity that is used to check the status of the camera.
+
+
+
+
+
+
+
+ If true, then a policy is being enforced disabling use of the camera. The policy is only available in Android 4.0 and up (and potentially on older Android devices if specifically added by the device vendor).
+
+
+
+
+
+
+
+
+
+
+
+
+ The certificate_test is used to check the certificates installed on the device.
+
+
+ certificate_test
+ certificate_object
+ certificate_state
+ certificate_item
+
+
+
+
+
+ - the object child element of a certificate_test must reference a certificate_object
+
+
+ - the state child element of a certificate_test must reference a certificate_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The certificate_object element is used by a certificate test to define those objects to evaluate based on a certificate state.
+
+
+
+
+
+
+
+
+
+ The certificate_state element contains a single entity that is used to check the status of the certificates.
+
+
+
+
+
+
+
+ Hexadecimal string of each certificate in the OS's trusted certificate store, including both certificates installed by the system and by users. System trusted certificates that were disabled by the user are not included here.
+
+
+
+
+
+
+
+
+
+
+
+
+ The devicesettings_test is used to check the status of various settings on the device. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a devicesettings_object and the optional state element specifies the data to check.
+
+
+ devicesettings_test
+ devicesettings_object
+ devicesettings_state
+ devicesettings_item
+
+
+
+
+
+ - the object child element of an devicesettings_test must reference an devicesettings_object
+
+
+ - the state child element of an devicesettings_test must reference an devicesettings_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The devicesettings_object element is used by a device settings test to define those objects to be evaluated based on a specified state. Any OVAL Test written to check device settings will reference the same devicesettings_object which is basically an empty object element.
+
+
+
+
+
+
+
+
+
+ The devicesettings_state element defines the device settings.
+
+
+
+
+
+
+
+ True if Android Debug Bridge (USB debugging) is enabled.
+
+
+
+
+ True if mock locations and location provider status can be injected into Android's Location Manager.
+
+
+
+
+ True if applications can be installed from "unknown sources".
+
+
+
+
+ One element per application that holds device administrator access. Contains the application's package name.
+
+
+
+
+ True if the user prefers the date and time to be automatically fetched from the network.
+
+
+
+
+ True if the user prefers the time zone to be automatically fetched from the network.
+
+
+
+
+ True if USB mass storage is enabled on the device, otherwise false.
+
+
+
+
+
+
+
+
+
+
+
+
+ The encryption_test is used to check the encryption status on the device. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a encryption_object and the optional state element references a encryption_state that specifies the information to check.
+
+
+ encryption_test
+ encryption_object
+ encryption_state
+ encryption_item
+
+
+
+
+
+ - the object child element of a encryption_test must reference a encryption_object
+
+
+ - the state child element of a encryption_test must reference a encryption_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The encryption_object element is used by a encryption test to define those objects to evaluated based on a specified state. Any OVAL Test written to check encryption settings will reference the same encryption_object which is basically an empty object element.
+
+
+
+
+
+
+
+
+
+ The encryption_state element defines the encryption settings configured on the device.
+
+
+
+
+
+
+
+ True if a policy is in place requiring the device storage to be encrypted. (android.app.admin.DevicePolicyManager.getStorageEncryption())
+
+
+
+
+ The current status of device encryption. (android.app.admin.DevicePolicyManager.getStorageEncryptionStatus()) Either ENCRYPTION_STATUS_UNSUPPORTED, ENCRYPTION_STATUS_INACTIVE, ENCRYPTION_STATUS_ACTIVATING, or ENCRYPTION_STATUS_ACTIVE as documented in the Android SDK's DevicePolicyManager class.
+
+
+
+
+
+
+
+
+
+
+
+
+ The locationservice_test is used to check the status of location based services. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a locationservice_object and the optional state element specifies the data to check.
+
+
+ locationservice_test
+ locationservice_object
+ locationservice_state
+ locationservice_item
+
+
+
+
+
+ - the object child element of an locationservice_test must reference an locationservice_object
+
+
+ - the state child element of an locationservice_test must reference an locationservice_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The locationservice_object element is used by a location service test to define those objects to evaluated based on a specified state. Any OVAL Test written to check location based services status will reference the same locationservice_object which is basically an empty object element.
+
+
+
+
+
+
+
+
+
+ The locationservice_state element defines the location based services status.
+
+
+
+
+
+
+
+ A boolean value indicating whether the GPS location provider is enabled.
+
+
+
+
+ A boolean value indicating whether the network location provider is enabled.
+
+
+
+
+
+
+
+
+
+
+
+
+ The network_test is used to check the status of network preferences on the device. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a network_object and the optional state element specifies the data to check.
+
+
+ network_test
+ network_object
+ network_state
+ network_item
+
+
+
+
+
+ - the object child element of an network_test must reference an network_object
+
+
+ - the state child element of an network_test must reference an network_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The network_object element is used by a network test to define those objects to be evaluated based on a specified state. Any OVAL Test written to check network preference will reference the same network_object which is basically an empty object element.
+
+
+
+
+
+
+
+
+
+ The network_state element defines the network preferences.
+
+
+
+
+
+
+
+ True if airplane mode is enabled on the device.
+
+
+
+
+ True if NFC is enabled on the device.
+
+
+
+
+
+
+
+
+
+
+
+
+ The password test is used to check specific policy associated with passwords and the device screen lock. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a password_object and the optional state element specifies the metadata to check.
+
+
+ password_test
+ password_object
+ password_state
+ password_item
+
+
+
+
+
+ - the object child element of a password_test must reference a password_object
+
+
+ - the state child element of a password_test must reference a password_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The password_object element is used by a password test to define those objects to evaluated based on a specified state. Any OVAL Test written to check password policy will reference the same password_object which is basically an empty object element.
+
+
+
+
+
+
+
+
+
+ The password_state element specifies the various policies associated with passwords and the device screen lock. A password test will reference a specific instance of this state that defines the exact settings that need to be evaluated.
+
+
+
+
+
+
+
+ Maximum number of failed user authentications before device wipe. Zero means there is no policy in place.
+
+
+
+
+ Specifies the length of password history maintained (passwords in the history cannot be reused). Zero means there is no policy in place.
+
+
+
+
+ The current minimum required password quality required by device policy. Represented as a string corresponding with a valid Android password quality, currently one of: PASSWORD_QUALITY_ALPHABETIC PASSWORD_QUALITY_ALPHANUMERIC PASSWORD_QUALITY_BIOMETRIC_WEAK PASSWORD_QUALITY_COMPLEX PASSWORD_QUALITY_NUMERIC PASSWORD_QUALITY_SOMETHING PASSWORD_QUALITY_UNSPECIFIED
+
+
+
+
+ Minimum length of characters password must have. This constraint is only imposed if the password quality is one of PASSWORD_QUALITY_NUMERIC, PASSWORD_QUALITY_ALPHABETIC, PASSWORD_QUALITY_ALPHANUMERIC, or PASSWORD_QUALITY_COMPLEX.
+
+
+
+
+ Minimum number of letters password must have. This constraint is only imposed if the password quality is PASSWORD_QUALITY_COMPLEX.
+
+
+
+
+ Minimum number of lower case letters password must have. This constraint is only imposed if the password quality is PASSWORD_QUALITY_COMPLEX.
+
+
+
+
+ Minimum number of non-letter characters password must have. This constraint is only imposed if the password quality is PASSWORD_QUALITY_COMPLEX.
+
+
+
+
+ Minimum number of numeric characters password must have. This constraint is only imposed if the password quality is PASSWORD_QUALITY_COMPLEX.
+
+
+
+
+ Minimum number of symbol characters password must have. This constraint is only imposed if the password quality is PASSWORD_QUALITY_COMPLEX.
+
+
+
+
+ Minimum number of upper case letters password must have. This constraint is only imposed if the password quality is PASSWORD_QUALITY_COMPLEX.
+
+
+
+
+ Gets the current password expiration timeout policy, in milliseconds. Zero means there is no policy in place.
+
+
+
+
+ When true, the most recently keyed in password character is shown to the user on the screen (the previously entered characters are masked out). When false, all keyed in password characters are immediately masked out. This setting is manageable by the device user through the device settings.
+
+
+
+
+ When true, the current device password is compliant with the password policy. (If the policy was recently established, it is possible that a password compliant with the policy may not yet be in place.)
+
+
+
+
+ The number of times the user has failed at entering a password since the last successful password entry.
+
+
+
+
+ The current policy for the highest screen lock timeout the user is allowed to specify. 0 indicates no restriction. (The user may still specify lower values in the device settings.)
+
+
+
+
+ The current policy for lockscreen widgets as retrieved by DevicePolicyManager.getKeyguardDisabledFeatures. May be set to one of KEYGUARD_DISABLE_FEATURES_ALL, KEYGUARD_DISABLED_FEATURES_NONE, KEYGUARD_DISABLE_SECURE_CAMERA, or KEYGUARD_DISABLE_WIDGETS_ALL. Only available in Android 4.2 and up.
+
+
+
+
+
+
+
+
+
+
+
+
+ The syste_details test is used to get system hardware and operating system information. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a systemdetails_object and the optional state element specifies the data to check.
+
+
+ systemdetails_test
+ systemdetails_object
+ systemdetails_state
+ systemdetails_item
+
+
+
+
+
+ - the object child element of systemdetails_test must reference systemdetails_object
+
+
+ - the state child element of an systemdetails_test must reference an systemdetails_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The systemdetails_object element is used by a systemdetails test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information.
+
+
+
+
+
+
+
+
+
+ The systemdetails_state element defines the information about the hardware and the operating system. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ The hardware model, as provided by android.os.Build.HARDWARE using the Android SDK.
+
+
+
+
+ The device manufacturer, as provided by android.os.Build.MANUFACTURER using the Android SDK.
+
+
+
+
+ The device model identifier, as provided by android.os.Build.MODEL using the Android SDK.
+
+
+
+
+ The product name, as provided by android.os.Build.PRODUCT using the Android SDK.
+
+
+
+
+ The name of the instruction set of native code, as provided by android.os.Build.CPU_ABI using the Android SDK.
+
+
+
+
+ The name of the second instruction set of native code, as provided by android.os.Build.CPU_ABI2 using the Android SDK.
+
+
+
+
+ Build fingerprint, as provided by android.os.Build.FINGERPRINT using the Android SDK.
+
+
+
+
+ Operating system version code, as provided by android.os.Build.VERSION.CODENAME using the Android SDK.
+
+
+
+
+ Operating system build number, as provided by android.os.Build.VERSION.INCREMENTAL using the Android SDK.
+
+
+
+
+ Operating system release name, as provided by android.os.Build.VERSION.RELEASE using the Android SDK.
+
+
+
+
+ Operating system SDK number, as provided by android.os.Build.VERSION.SDK_INT using the Android SDK.
+
+
+
+
+ True if the device provides a hardware backed cryptographic keystore (a hardware keystore prevents exporting private keys or directly exposing private keys to the OS), otherwise false.
+
+
+
+
+
+
+
+
+
+
+
+
+ The wifi_test is used to check the status of general Wi-Fi settings on the device. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a wifi_object and the optional state element specifies the data to check.
+
+
+ wifi_test
+ wifi_object
+ wifi_state
+ wifi_item
+
+
+
+
+
+ - the object child element of an wifi_test must reference an wifi_object
+
+
+ - the state child element of an wifi_test must reference an wifi_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The wifi_object element is used by a wifi test to define those objects to evaluated based on a specified state. Any OVAL Test written to check wifi settings status will reference the same wifi_object which is basically an empty object element.
+
+
+
+
+
+
+
+
+
+ The wifi_state element defines the wifi general settings status.
+
+
+
+
+
+
+
+ True if Wi-Fi is currently enabled on the device.
+
+
+
+
+ True if the Wi-Fi network availability notification setting is currently enabled on the device.
+
+
+
+
+
+
+
+
+
+
+
+
+ The wifinetwork_test is used to check information about the configured Wi-Fi networks on the device. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a wifinetwork_object and the optional state element specifies the data to check.
+
+
+ wifinetwork_test
+ wifinetwork_object
+ wifinetwork_state
+ wifinetwork_item
+
+
+
+
+
+ - the object child element of an wifinetwork_test must reference an wifinetwork_object
+
+
+ - the state child element of an wifinetwork_test must reference an wifinetwork_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The wifinetwork_object element is used by a wifinetwork_test to define the SSID of the Wi-Fi to verify security settings. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The network's SSID to check.
+
+
+
+
+
+
+
+
+
+
+
+
+ The wifinetwork_state element defines the Wi-Fi network settings status.
+
+
+
+
+
+
+
+ The network's SSID.
+
+
+
+
+ BSSID. The value is a string in the format of an Ethernet MAC address.
+
+
+
+
+ The set of authentication protocols supported by this configuration.
+
+
+
+
+ The set of group ciphers supported by this configuration.
+
+
+
+
+ The set of key management protocols supported by this configuration.
+
+
+
+
+ The set of pairwise ciphers for WPA supported by this configuration.
+
+
+
+
+ The set of security protocols supported by this configuration.
+
+
+
+
+ This is a network that does not broadcast its SSID.
+
+
+
+
+ The ID number that the supplicant uses to identify this network configuration entry.
+
+
+
+
+ Priority determines the preference given to a network by wpa_supplicant when choosing an access point with which to associate.
+
+
+
+
+ The current status of this network configuration entry.
+
+
+
+
+
+
+
+
+
+
+
+
+ The telephony_test is used to check Telephony characteristics of system.
+
+
+ telephony_test
+ telephony_object
+ telephony_state
+ telephony_item
+
+
+
+
+
+ - the object child element of a telephony_test must reference a telephony_object
+
+
+ - the state child element of a telephony_test must reference a telephony_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The telephony_object element is used by a telephony test to define those objects to evaluate based on a telephony manager state.
+
+
+
+
+
+
+
+
+
+ The telephony_state element contains a single entity that is used to check the status of the telephony manager state.
+
+
+
+
+
+
+
+ Value indicates the radio technology(network type) currently in use, for data transmission.
+
+
+
+
+ The ISO country code equivalent for the SIM provider's country code.
+
+
+
+
+ The MCC+MNC(mobile country code + mobile network code) of the provider of the SIM. It contains 5 or 6 decimal digits.
+
+
+
+
+
+
+
+
+
+
+
+
+ The EntityStateEncryptionStatusType complex type restricts a string value to a specific set of values. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+
+
+
+
+ Encryption is not supported
+
+
+
+
+ Encryption is active.
+
+
+
+
+ Encryption is supported but is not currently active.
+
+
+
+
+ Encryption is not currently active, but is currently being activated.
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityStateKeyguardDisabledFeaturesType complex type restricts a string value to a specific set of values. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+
+
+
+
+ Widgets are enabled in keyguard
+
+
+
+
+ Disable all keyguard widgets
+
+
+
+
+ Disable the camera on secure keyguard screens (e.g. PIN/Pattern/Password)
+
+
+
+
+ Disable all current and future keyguard customizations
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityStateNetworkType complex type restricts a string value to a specific set of values. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+
+
+
+
+ The network type is unknown
+
+
+
+
+ Current network is GPRS
+
+
+
+
+ Current network is EDGE
+
+
+
+
+ Current network is UMTS
+
+
+
+
+ Current network is CDMA
+
+
+
+
+ Current network is EVDO-0
+
+
+
+
+ Current network is EVDO-A
+
+
+
+
+ Current network is 1xRTT
+
+
+
+
+ Current network is HSDPA
+
+
+
+
+ Current network is HSUPA
+
+
+
+
+ Current network is HSPA
+
+
+
+
+ Current network is IDEN
+
+
+
+
+ Current network is EVDO-B
+
+
+
+
+ Current network is LTE
+
+
+
+
+ Current network is EHRPD
+
+
+
+
+ Current network is HSPAP
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityStatePasswordQualityType complex type restricts a string value to a specific set of values. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+
+
+
+
+ The password must contain alphabetic (or other symbol) characters
+
+
+
+
+ The password must contain both numeric and alphabetic (or other symbol) characters
+
+
+
+
+ This policy allows for low-security biometric recognition technology
+
+
+
+
+ The password must contain at least a letter, a numerical digit, and a special symbol
+
+
+
+
+ The password must contain at least numeric characters
+
+
+
+
+ This policy requires some kind of password, but doesn't care what it is
+
+
+
+
+ There are no password policy requirements
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityStateWifiAuthAlgorithmType complex type restricts a string value to a specific set of values that name WiFi authentication algorithms. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+
+
+
+
+ LEAP/Network EAP (only used with LEAP)
+
+
+
+
+ Open System authentication (required for WPA/WPA2)
+
+
+
+
+ Shared Key authentication (requires static WEP keys)
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityStateWifiCurrentStatusType complex type restricts a string value to a specific set of values. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+
+
+
+
+ The network we are currently connected to
+
+
+
+
+ Supplicant will not attempt to use this network
+
+
+
+
+ Supplicant will consider this network available for association
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityStateWifiGroupCipherType complex type restricts a string value to a specific set of values that name Wi-Fi group ciphers (android.net.wifi.WifiConfiguration.GroupCipher). The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+
+
+
+
+ AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0]; Constant Value: 3 (0x00000003)
+
+
+
+
+ Temporal Key Integrity Protocol [IEEE 802.11i/D7.0]; Constant Value: 2 (0x00000002)
+
+
+
+
+ WEP (Wired Equivalent Privacy) with 104-bit key; Constant Value: 1 (0x00000001)
+
+
+
+
+ WEP (Wired Equivalent Privacy) with 40-bit key (original 802.11); Constant Value: 0 (0x00000000)
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityStateWifiKeyMgmtType complex type restricts a string value to a specific set of values that name Wi-Fi key management schemes (from android.net.wifi.WifiConfiguration.KeyMgmt). The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+
+
+
+
+ IEEE 802.1X using EAP authentication and (optionally) dynamically generated WEP keys.
+
+
+
+
+ WPA is not used; plaintext or static WEP could be used.
+
+
+
+
+ WPA using EAP authentication.
+
+
+
+
+ WPA pre-shared key.
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityStateWifiPairwiseCipherType complex type restricts a string value to a specific set of values that name Wi-Fi recognized pairwise ciphers for WPA (from android.net.wifi.WifiConfiguration.PairwiseCipher). The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+
+
+
+
+ AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0]
+
+
+
+
+ Use only Group keys (deprecated)
+
+
+
+
+ Temporal Key Integrity Protocol [IEEE802.11i/D7.0]
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityStateWifiProtocolType complex type restricts a string value to a specific set of values that name Wi-Fi recognized security protocols (from android.net.wifi.WifiConfiguration.Protocol). The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+
+
+
+
+ WPA2/IEEE 802.11i
+
+
+
+
+ WPA/IEEE 802.11i/D3.0
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
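Review bot: EntityStateWifiCurrentStatusType (first description in this hunk) is the only Wi-Fi enumeration here that does not cite the Android constant set it mirrors; the group cipher, key management, pairwise cipher and protocol types each name their android.net.wifi.WifiConfiguration.* source, and the status entity in the system-characteristics item below points at android.net.wifi.WifiConfiguration.Status, so add the same reference here. Two smaller consistency points: the group cipher entries carry "Constant Value: N (0x0000000N)" annotations while the pairwise cipher entries do not, and the TKIP pairwise entry reads "IEEE802.11i/D7.0" where every other entry writes "IEEE 802.11i/D7.0". Also "to support empty element associated with variable references" should be "empty elements" in each of the five type descriptions.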
diff --git a/oval-schemas/android-system-characteristics-schema.xsd b/oval-schemas/android-system-characteristics-schema.xsd
new file mode 100644
index 0000000..452210f
--- /dev/null
+++ b/oval-schemas/android-system-characteristics-schema.xsd
@@ -0,0 +1,995 @@
+
+
+
+
+
+ The following is a description of the elements, types, and attributes that compose the Android specific system characteristic items found in Open Vulnerability and Assessment Language (OVAL). Each item is an extension of the standard item element defined in the Core System Characteristic Schema. Through extension, each item inherits a set of elements and attributes that are shared amongst all OVAL Items. Each item is described in detail and should provide the information necessary to understand what each element and attribute represents. This document is intended for developers and assumes some familiarity with XML. A high level description of the interaction between the different tests and their relationship to the Core System Characteristic Schema is not outlined here.
+ The OVAL Schema is maintained by the OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.cisecurity.org.
+
+ Android System Characteristics
+ 5.11.1:1.1
+ 11/30/2016 09:00:00 AM
+ Copyright (c) 2016, Center for Internet Security. All rights reserved. The contents of this file are subject to the terms of the OVAL License located at https://oval.cisecurity.org/terms. See the OVAL License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the OVAL Schema, this license header must be included.
+
+
+
+
+
+
+
+
+
+
+ This item stores information about applications installed on the device.
+
+
+
+
+
+
+
+ Name of the application.
+
+
+
+
+ Linux userid assigned to the application. (In some cases multiple applications can share a userid.)
+
+
+
+
+ One element for each group id that the application belongs to.
+
+
+
+
+ Name of the package.
+
+
+
+
+ Data directory assigned to the application.
+
+
+
+
+ Application version.
+
+
+
+
+ True if the application is enabled.
+
+
+
+
+ One element for each permission granted to the application.
+
+
+
+
+ Directory where the application's native libraries (if any) have been installed.
+
+
+
+
+ Hexadecimal string of the signing certificate corresponding with the key used to sign the application package. Only the actual signing certificate should be included, not CA certificates in the chain (if applicable).
+
+
+
+
+ Time at which the app was first installed, expressed in milliseconds since January 1, 1970 00:00:00 UTC.
+
+
+
+
+ Time at which the app was last updated, expressed in milliseconds since January 1, 1970 00:00:00 UTC.
+
+
+
+
+ From ApplicationInfo.sourceDir, the full path to the location of the publicly available parts of the application package.
+
+
+
+
+
+
+
+
+
+
+
+
+ This holds information about device Bluetooth settings.
+
+
+
+
+
+
+
+ True if device Bluetooth is currently in discoverable mode.
+
+
+
+
+ True if device Bluetooth is currently enabled.
+
+
+
+
+
+
+
+
+
+
+
+
+ This item is used to check camera-related information.
+
+
+
+
+
+
+
+ If true, then a policy is being enforced disabling use of the camera. The policy is only available in Android 4.0 and up (and potentially on older Android devices if specifically added by the device vendor).
+
+
+
+
+
+
+
+
+
+
+
+
+ This item stores information about the certificates installed on the device.
+
+
+
+
+
+
+
+ Hexadecimal string of each certificate in the OS's trusted certificate store, including both certificates installed by the system and by users. System trusted certificates that were disabled by the user are not included here.
+
+
+
+
+
+
+
+
+
+
+
+
+ This holds information about miscellaneous device settings.
+
+
+
+
+
+
+
+ True if Android Debug Bridge (USB debugging) is enabled.
+
+
+
+
+ True if mock locations and location provider status can be injected into Android's Location Manager.
+
+
+
+
+ True if applications can be installed from "unknown sources".
+
+
+
+
+ One element per application that holds device administrator access. Contains the application's package name.
+
+
+
+
+ True if the user prefers the date and time to be automatically fetched from the network.
+
+
+
+
+ True if the user prefers the time zone to be automatically fetched from the network.
+
+
+
+
+ True if USB mass storage is enabled on the device, otherwise false.
+
+
+
+
+
+
+
+
+
+
+
+
+ Device encryption information.
+
+
+
+
+
+
+
+ True if a policy is in place requiring the device storage to be encrypted. (android.app.admin.DevicePolicyManager.getStorageEncryption())
+
+
+
+
+ The current status of device encryption. (android.app.admin.DevicePolicyManager.getStorageEncryptionStatus()) Either ENCRYPTION_STATUS_UNSUPPORTED, ENCRYPTION_STATUS_INACTIVE, ENCRYPTION_STATUS_ACTIVATING, or ENCRYPTION_STATUS_ACTIVE as documented in the Android SDK's DevicePolicyManager class.
+
+
+
+
+
+
+
+
+
+
+
+
+ This holds information about location based service status.
+
+
+
+
+
+
+
+ A boolean value indicating whether the GPS location provider is enabled.
+
+
+
+
+ A boolean value indicating whether the network location provider is enabled.
+
+
+
+
+
+
+
+
+
+
+
+
+ This holds information about networks configured and their preference.
+
+
+
+
+
+
+
+ True if airplane mode is enabled.
+
+
+
+
+ True if NFC is enabled on the device.
+
+
+
+
+
+
+
+
+
+
+
+
+ Specific policy items associated with passwords and the device screen lock.
+
+
+
+
+
+
+
+ Maximum number of failed user authentications before device wipe. Zero means there is no policy in place.
+
+
+
+
+ Specifies the length of password history maintained (passwords in the history cannot be reused). Zero means there is no policy in place.
+
+
+
+
+ The current minimum required password quality required by device policy. Represented as a string corresponding with a valid Android password quality, currently one of: PASSWORD_QUALITY_ALPHABETIC PASSWORD_QUALITY_ALPHANUMERIC PASSWORD_QUALITY_BIOMETRIC_WEAK PASSWORD_QUALITY_COMPLEX PASSWORD_QUALITY_NUMERIC PASSWORD_QUALITY_SOMETHING PASSWORD_QUALITY_UNSPECIFIED
+
+
+
+
+ Minimum length of characters password must have. This constraint is only imposed if the password quality is one of PASSWORD_QUALITY_NUMERIC, PASSWORD_QUALITY_ALPHABETIC, PASSWORD_QUALITY_ALPHANUMERIC, or PASSWORD_QUALITY_COMPLEX.
+
+
+
+
+ Minimum number of letters password must have. This constraint is only imposed if the password quality is PASSWORD_QUALITY_COMPLEX.
+
+
+
+
+ Minimum number of lower case letters password must have. This constraint is only imposed if the password quality is PASSWORD_QUALITY_COMPLEX.
+
+
+
+
+ Minimum number of non-letter characters password must have. This constraint is only imposed if the password quality is PASSWORD_QUALITY_COMPLEX.
+
+
+
+
+ Minimum number of numeric characters password must have. This constraint is only imposed if the password quality is PASSWORD_QUALITY_COMPLEX.
+
+
+
+
+ Minimum number of symbol characters password must have. This constraint is only imposed if the password quality is PASSWORD_QUALITY_COMPLEX.
+
+
+
+
+ Minimum number of upper case letters password must have. This constraint is only imposed if the password quality is PASSWORD_QUALITY_COMPLEX.
+
+
+
+
+ Gets the current password expiration timeout policy, in milliseconds. Zero means there is no policy in place.
+
+
+
+
+ When true, the most recently keyed in password character is shown to the user on the screen (the previously entered characters are masked out). When false, all keyed in password characters are immediately masked out. This setting is manageable by the device user through the device settings.
+
+
+
+
+ When true, the current device password is compliant with the password policy. (If the policy was recently established, it is possible that a password compliant with the policy may not yet be in place.)
+
+
+
+
+ The number of times the user has failed at entering a password since the last successful password entry.
+
+
+
+
+ The current policy for the highest screen lock timeout the user is allowed to specify. 0 indicates no restriction. (The user may still specify lower values in the device settings.)
+
+
+
+
+ The current policy for lockscreen widgets as retrieved by DevicePolicyManager.getKeyguardDisabledFeatures. May be set to one of KEYGUARD_DISABLE_FEATURES_ALL, KEYGUARD_DISABLED_FEATURES_NONE, KEYGUARD_DISABLE_SECURE_CAMERA, or KEYGUARD_DISABLE_WIDGETS_ALL. Only available in Android 4.2 and up.
+
+
+
+
+
+
+
+
+
+
+
+
+ This item stores information about the Operating System and hardware.
+
+
+
+
+
+
+
+ The hardware model, as provided by android.os.Build.HARDWARE using the Android SDK.
+
+
+
+
+ The device manufacturer, as provided by android.os.Build.MANUFACTURER using the Android SDK.
+
+
+
+
+ The device model identifier, as provided by android.os.Build.MODEL using the Android SDK.
+
+
+
+
+ The product name, as provided by android.os.Build.PRODUCT using the Android SDK.
+
+
+
+
+ The name of the instruction set of native code, as provided by android.os.Build.CPU_ABI using the Android SDK.
+
+
+
+
+ The name of the second instruction set of native code, as provided by android.os.Build.CPU_ABI2 using the Android SDK.
+
+
+
+
+ Build fingerprint, as provided by android.os.Build.FINGERPRINT using the Android SDK.
+
+
+
+
+ Operating system version code, as provided by android.os.Build.VERSION.CODENAME using the Android SDK.
+
+
+
+
+ Operating system build number, as provided by android.os.Build.VERSION.INCREMENTAL using the Android SDK.
+
+
+
+
+ Operating system release name, as provided by android.os.Build.VERSION.RELEASE using the Android SDK.
+
+
+
+
+ Operating system SDK number, as provided by android.os.Build.VERSION.SDK_INT using the Android SDK.
+
+
+
+
+ True if the device provides a hardware backed cryptographic keystore (a hardware keystore prevents exporting private keys or directly exposing private keys to the OS), otherwise false.
+
+
+
+
+
+
+
+
+
+
+
+
+ This item holds information about general Wi-Fi settings.
+
+
+
+
+
+
+
+ True if Wi-Fi is currently enabled on the device.
+
+
+
+
+ True if the Wi-Fi network availability notification setting is currently enabled on the device.
+
+
+
+
+
+
+
+
+
+
+
+
+ This item holds information about the configured Wi-Fi networks on the device.
+
+
+
+
+
+
+
+ BSSID. The value is a string in the format of an Ethernet MAC address.
+
+
+
+
+ The network's SSID.
+
+
+
+
+ The set of authentication protocols supported by this configuration.
+
+
+
+
+ The set of group ciphers supported by this configuration.
+
+
+
+
+ The set of key management protocols supported by this configuration.
+
+
+
+
+ The set of pairwise ciphers for WPA supported by this configuration.
+
+
+
+
+ The set of security protocols supported by this configuration.
+
+
+
+
+ This is a network that does not broadcast its SSID.
+
+
+
+
+ The ID number that the supplicant uses to identify this network configuration entry.
+
+
+
+
+ Priority determines the preference given to a network by wpa_supplicant when choosing an access point with which to associate.
+
+
+
+
+ The current status of this network configuration entry, either CURRENT, DISABLED, or ENABLED per android.net.wifi.WifiConfiguration.Status.
+
+
+
+
+
+
+
+
+
+
+
+
+ The telephony_item element contains a single entity that is used to check the status of the telephony manager Item.
+
+
+
+
+
+
+
+ A constant String value indicating the radio technology (network type) currently in use on the device for data transmission.
+
+
+
+
+ The ISO country code equivalent for the SIM provider's country code.
+
+
+
+
+ the MCC+MNC (mobile country code + mobile network code) of the provider of the SIM. It contains 5 or 6 decimal digits.
+
+
+
+
+
+
+
+
+
+
+
+
+ The EntityItemEncryptionStatusType complex type restricts a string value to a specific set of values. The empty string is also allowed to support empty elements associated with error conditions.
+
+
+
+
+
+ Encryption is not supported
+
+
+
+
+ Encryption is active.
+
+
+
+
+ Encryption is supported but is not currently active.
+
+
+
+
+ Encryption is not currently active, but is currently being activated.
+
+
+
+
+ The empty string value is permitted here to allow for detailed error reporting.
+
+
+
+
+
+
+
+ The EntityItemKeyguardDisabledFeaturesType complex type restricts a string value to a specific set of values. The empty string is also allowed to support empty elements associated with error conditions.
+
+
+
+
+
+ Widgets are enabled in keyguard
+
+
+
+
+ Disable all keyguard widgets
+
+
+
+
+ Disable the camera on secure keyguard screens (e.g. PIN/Pattern/Password)
+
+
+
+
+ Disable all current and future keyguard customizations
+
+
+
+
+ The empty string value is permitted here to allow for detailed error reporting.
+
+
+
+
+
+
+
+ The EntityItemNetworkType complex type restricts a string value to a specific set of values. The empty string is also allowed to support empty elements associated with error conditions.
+
+
+
+
+
+ The network type is unknown
+
+
+
+
+ Current network is GPRS
+
+
+
+
+ Current network is EDGE
+
+
+
+
+ Current network is UMTS
+
+
+
+
+ Current network is CDMA
+
+
+
+
+ Current network is EVDO-0
+
+
+
+
+ Current network is EVDO-A
+
+
+
+
+ Current network is 1xRTT
+
+
+
+
+ Current network is HSDPA
+
+
+
+
+ Current network is HSUPA
+
+
+
+
+ Current network is HSPA
+
+
+
+
+ Current network is IDEN
+
+
+
+
+ Current network is EVDO-B
+
+
+
+
+ Current network is LTE
+
+
+
+
+ Current network is EHRPD
+
+
+
+
+ Current network is HSPAP
+
+
+
+
+ The empty string value is permitted here to allow for detailed error reporting.
+
+
+
+
+
+
+
+ The EntityItemPasswordQualityType complex type restricts a string value to a specific set of values. The empty string is also allowed to support empty elements associated with error conditions.
+
+
+
+
+
+ The password must contain alphabetic (or other symbol) characters
+
+
+
+
+ The password must contain both numeric and alphabetic (or other symbol) characters
+
+
+
+
+ This policy allows for low-security biometric recognition technology
+
+
+
+
+ The password must contain at least a letter, a numerical digit, and a special symbol
+
+
+
+
+ The password must contain at least numeric characters
+
+
+
+
+ This policy requires some kind of password, but doesn't care what it is
+
+
+
+
+ There are no password policy requirements
+
+
+
+
+ The empty string value is permitted here to allow for detailed error reporting.
+
+
+
+
+
+
+
+ The EntityItemWifiAuthAlgorithmType complex type restricts a string value to a specific set of values that name WiFi authentication algorithms. The empty string is also allowed to support empty elements associated with error conditions.
+
+
+
+
+
+ LEAP/Network EAP (only used with LEAP)
+
+
+
+
+ Open System authentication (required for WPA/WPA2)
+
+
+
+
+ Shared Key authentication (requires static WEP keys)
+
+
+
+
+ The empty string value is permitted here to allow for detailed error reporting.
+
+
+
+
+
+
+
+ The EntityItemWifiCurrentStatusType complex type restricts a string value to a specific set of values. The empty string is also allowed to support empty elements associated with error conditions.
+
+
+
+
+
+ The network we are currently connected to
+
+
+
+
+ Supplicant will not attempt to use this network
+
+
+
+
+ Supplicant will consider this network available for association
+
+
+
+
+ The empty string value is permitted here to allow for detailed error reporting.
+
+
+
+
+
+
+
+ The EntityItemWifiGroupCipherType complex type restricts a string value to a specific set of values that name Wi-Fi group ciphers. The empty string is also allowed to support empty elements associated with error conditions.
+
+
+
+
+
+ AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0]; Constant Value: 3 (0x00000003)
+
+
+
+
+ Temporal Key Integrity Protocol [IEEE 802.11i/D7.0]; Constant Value: 2 (0x00000002)
+
+
+
+
+ WEP (Wired Equivalent Privacy) with 104-bit key; Constant Value: 1 (0x00000001)
+
+
+
+
+ WEP (Wired Equivalent Privacy) with 40-bit key (original 802.11); Constant Value: 0 (0x00000000)
+
+
+
+
+ The empty string value is permitted here to allow for detailed error reporting.
+
+
+
+
+
+
+
+ The EntityItemWifiKeyMgmtType complex type restricts a string value to a specific set of values that name Wi-Fi key management schemes (from android.net.wifi.WifiConfiguration.KeyMgmt). The empty string is also allowed to support empty elements associated with error conditions.
+
+
+
+
+
+ IEEE 802.1X using EAP authentication and (optionally) dynamically generated WEP keys.
+
+
+
+
+ WPA is not used; plaintext or static WEP could be used.
+
+
+
+
+ WPA using EAP authentication.
+
+
+
+
+ WPA pre-shared key.
+
+
+
+
+ The empty string value is permitted here to allow for detailed error reporting.
+
+
+
+
+
+
+
+ The EntityItemWifiPairwiseCipherType complex type restricts a string value to a specific set of values that name Wi-Fi recognized pairwise ciphers for WPA (from android.net.wifi.WifiConfiguration.PairwiseCipher). The empty string is also allowed to support empty elements associated with error conditions.
+
+
+
+
+
+ AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0]
+
+
+
+
+ Use only Group keys (deprecated)
+
+
+
+
+ Temporal Key Integrity Protocol [IEEE802.11i/D7.0]
+
+
+
+
+ The empty string value is permitted here to allow for detailed error reporting.
+
+
+
+
+
+
+
+ The EntityItemWifiProtocolType complex type restricts a string value to a specific set of values that name Wi-Fi recognized security protocols (from android.net.wifi.WifiConfiguration.Protocol). The empty string is also allowed to support empty elements associated with error conditions.
+
+
+
+
+
+ WPA2/IEEE 802.11i
+
+
+
+
+ WPA/IEEE 802.11i/D3.0
+
+
+
+
+ The empty string value is permitted here to allow for detailed error reporting.
+
+
+
+
+
+
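Review bot: the "Hexadecimal string of the signing certificate" (application item) and "Hexadecimal string of each certificate in the OS's trusted certificate store" (certificate item) descriptions do not say which bytes are hex-encoded or in what case; a definition that compares these entities against a known-good value needs a fixed encoding, so state it explicitly (for example the DER-encoded certificate in lowercase hex, to be confirmed against what the collector actually emits). Separately, the keyguard description lists "KEYGUARD_DISABLED_FEATURES_NONE" alongside "KEYGUARD_DISABLE_FEATURES_ALL"; the SDK constant is KEYGUARD_DISABLE_FEATURES_NONE, so the "DISABLED" spelling looks like a typo and should be checked against the enumeration type. Minor: EntityItemWifiGroupCipherType omits the "(android.net.wifi.WifiConfiguration.GroupCipher)" reference that its definitions-schema counterpart carries, and the SIM operator description starts lowercase ("the MCC+MNC").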
diff --git a/oval-schemas/apache-definitions-schema.xsd b/oval-schemas/apache-definitions-schema.xsd
new file mode 100644
index 0000000..985a77e
--- /dev/null
+++ b/oval-schemas/apache-definitions-schema.xsd
@@ -0,0 +1,137 @@
+
+
+
+
+
+ The following is a description of the elements, types, and attributes that compose the Apache specific tests found in Open Vulnerability and Assessment Language (OVAL). Each test is an extension of the standard test element defined in the Core Definition Schema. Through extension, each test inherits a set of elements and attributes that are shared amongst all OVAL tests. Each test is described in detail and should provide the information necessary to understand what each element and attribute represents. This document is intended for developers and assumes some familiarity with XML. A high level description of the interaction between the different tests and their relationship to the Core Definition Schema is not outlined here.
+ The OVAL Schema is maintained by the OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.cisecurity.org.
+
+ Apache Definition
+ 5.11.1:1.1
+ 11/30/2016 09:00:00 AM
+ Copyright (c) 2016, Center for Internet Security. All rights reserved. The contents of this file are subject to the terms of the OVAL License located at https://oval.cisecurity.org/terms. See the OVAL License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the OVAL Schema, this license header must be included.
+
+
+
+
+
+
+
+
+
+
+ The httpd test is used to check the version of an installed httpd binary. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references an httpd_test and the optional state element specifies the data to check.
+
+
+ httpd_test
+ httpd_object
+ httpd_state
+ httpd_item
+
+
+
+
+ 5.8
+ The httpd_test does not specify how to detect instances of httpd and cannot be reasonably specified to allow for products to detect all instances of httpd across platforms, packaging systems, and typical user compiled and configured installations. Without a proper definition of how to identify instances of httpd products will not reliably produce consistent assessment results because they will naturally utilize different approaches to locating instances of httpd which will lead to differences in the set of collected instances of https.
+ This test has been deprecated and may be removed in a future version of the language.
+
+
+
+ DEPRECATED TEST: ID:
+
+
+
+
+
+
+ - the object child element of a httpd_test must reference a httpd_object
+
+
+ - the state child element of a httpd_test must reference a httpd_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The httpd_object element is used by a httpd test to define the different httpd binary installed on a system. There is actually only one object relating to this and it is the collection of all httpd binaries. Therefore, there are no child entities defined. Any OVAL Test written to check version will reference the same httpd_object which is basically an empty object element. A tool that implements the httpd_test and collects the httpd_object must know how to find all the httpd binaries on the system and verify that they are in fact httpd binaries.
+
+
+ 5.8
+ The httpd_object does not specify how to detect instances of httpd and cannot be reasonably specified to allow for products to detect all instances of httpd across platforms, packaging systems, and typical user compiled and configured installations. Without a proper definition of how to identify instances of httpd products will not reliably produce consistent assessment results because they will naturally utilize different approaches to locating instances of httpd which will lead to differences in the set of collected instances of https.
+ This object has been deprecated and may be removed in a future version of the language.
+
+
+
+ DEPRECATED OBJECT: ID:
+
+
+
+
+
+
+
+
+
+
+
+
+ The httpd_state element defines information associated with a specific httpd binary.
+
+
+ 5.8
+ The httpd_state does not specify how to detect instances of httpd and cannot be reasonably specified to allow for products to detect all instances of httpd across platforms, packaging systems, and typical user compiled and configured installations. Without a proper definition of how to identify instances of httpd products will not reliably produce consistent assessment results because they will naturally utilize different approaches to locating instances of httpd which will lead to differences in the set of collected instances of https.
+ This state has been deprecated and may be removed in a future version of the language.
+
+
+
+ DEPRECATED STATE: ID:
+
+
+
+
+
+
+
+
+
+
+ The path element specifies the directory component of the absolute path to a httpd binary on the system.
+
+
+
+
+ The binary_name element specifies the name of the file. If the xsi:nil attribute is set to true, then the object being specified is the higher level path. In this case, the binary_name element should not be collected or used in analysis. Setting xsi:nil equal to true is different than using a .* pattern match, says to collect every file under a given path.
+
+
+
+
+ The version entity is used to check the version of the httpd binary. The datatype for the version entity is 'version' which means the value should be a delimited set of numbers. It is obtained by running 'httpd -v'.
+
+
+
+
+
+
+
+
+
+
+
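Review bot: the httpd_test description says "The required object element references an httpd_test"; the object element references an httpd_object (the state element references an httpd_state, as the two rules below it say), so fix the name. The deprecation rationale repeated in the test, object and state descriptions ends with "collected instances of https", which should read "httpd" in all three places. Minor wording: "define the different httpd binary installed on a system" should be plural, and the binary_name sentence "is different than using a .* pattern match, says to collect every file" is missing "which" before "says".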
diff --git a/oval-schemas/apache-system-characteristics-schema.xsd b/oval-schemas/apache-system-characteristics-schema.xsd
new file mode 100644
index 0000000..57551f7
--- /dev/null
+++ b/oval-schemas/apache-system-characteristics-schema.xsd
@@ -0,0 +1,69 @@
+
+
+
+
+ The following is a description of the elements, types, and attributes that compose the Apache specific system characteristic items found in Open Vulnerability and Assessment Language (OVAL). Each item is an extension of the standard item element defined in the Core System Characteristic Schema. Through extension, each item inherits a set of elements and attributes that are shared amongst all OVAL Items. Each item is described in detail and should provide the information necessary to understand what each element and attribute represents. This document is intended for developers and assumes some familiarity with XML. A high level description of the interaction between the different tests and their relationship to the Core System Characteristic Schema is not outlined here.
+ The OVAL Schema is maintained by the OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.cisecurity.org.
+
+ Apache System Characteristics
+ 5.11.1:1.1
+ 11/30/2016 09:00:00 AM
+ Copyright (c) 2016, Center for Internet Security. All rights reserved. The contents of this file are subject to the terms of the OVAL License located at https://oval.cisecurity.org/terms. See the OVAL License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the OVAL Schema, this license header must be included.
+
+
+
+
+
+
+
+
+
+
+ The httpd item holds information about a installed Apache HTTPD binary. It extends the standard ItemType as defined in the oval-system-characteristics schema and one should refer to the ItemType description for more information.
+
+
+ 5.8
+ The httpd_item does not specify how to detect instances of httpd and cannot be reasonably specified to allow for products to detect all instances of httpd across platforms, packaging systems, and typical user compiled and configured installations. Without a proper definition of how to identify instances of httpd products will not reliably produce consistent assessment results because they will naturally utilize different approaches to locating instances of httpd which will lead to differences in the set of collected instances of https.
+ This item has been deprecated and may be removed in a future version of the language.
+
+
+
+ DEPRECATED ITEM: ID:
+
+
+
+
+
+
+
+
+
+
+ The path element specifies the directory component of the absolute path to a httpd binary found on the system.
+
+
+
+
+ The name of the httpd binary.
+
+
+
+
+ The version entity holds the version of the specified httpd binary.
+
+
+
+
+
+
+
+
+
+
+
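Review bot: the httpd item description has "a installed Apache HTTPD binary" (should be "an installed") and repeats the "collected instances of https" typo from the definitions schema (should be "httpd"); since the same rationale paragraph appears in four places across these two files, fix them together. The description also refers to "The httpd item" while the deprecation text says "httpd_item"; use the element name consistently.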
diff --git a/oval-schemas/apple-ios-definitions-schema.xsd b/oval-schemas/apple-ios-definitions-schema.xsd
new file mode 100644
index 0000000..1e127ac
--- /dev/null
+++ b/oval-schemas/apple-ios-definitions-schema.xsd
@@ -0,0 +1,535 @@
+
+
+
+
+
+ The following is a description of the elements, types, and attributes that compose the Apple iOS specific tests found in Open Vulnerability and Assessment Language (OVAL). Each item is an extension of the standard item element defined in the Core Definition Schema. Through extension, each item inherits a set of elements and attributes that are shared amongst all OVAL Items. Each item is described in detail and should provide the information necessary to understand what each element and attribute represents. This document is intended for developers and assumes some familiarity with XML. A high level description of the interaction between the different tests and their relationship to the Core Definition Schema is not outlined here.
+ The OVAL Schema is maintained by the OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.cisecurity.org.
+ See public documentation at https://developer.apple.com/library/ios/featuredarticles/iPhoneConfigurationProfileRef/Introduction/Introduction.html
+
+ Apple iOS Definition
+ 5.11.1:1.2
+ 11/30/2016 09:00:00 AM
+ Copyright (c) 2016, Center for Internet Security. All rights reserved. The contents of this file are subject to the terms of the OVAL License located at https://oval.cisecurity.org/terms. See the OVAL License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the OVAL Schema, this license header must be included.
+
+
+
+
+
+
+
+
+
+
+ The globalrestrictions_test is used to check the status of the global restrictions in place on the device. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a globalrestrictions_object and the optional state element specifies the data to check.
+
+
+ globalrestrictions_test
+ globalrestrictions_object
+ globalrestrictions_state
+ globalrestrictions_item
+
+
+
+
+
+ - the object child element of a globalrestrictions_test must reference a globalrestrictions_object
+
+
+ - the state child element of a globalrestrictions_test must reference a globalrestrictions_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The globalrestrictions_object element is used by a global restrictions test to define those objects to be evaluated based on a specified state. Any OVAL Test written to check global restrictions status will reference the same globalrestrictions_object which is basically an empty object element.
+
+
+
+
+
+
+
+
+
+ Information on global restrictions in place on the device
+
+
+
+
+
+
+
+ Optional. Supervised only. If set to false, account modification is disabled. Available only in iOS 7.0 and later.
+
+
+
+
+ Optional. Supervised only. If set to false, AirDrop is disabled. Available only in iOS 7.0 and later.
+
+
+
+
+ Optional. Supervised only. If set to false, changes to cellular data usage for apps are disabled. Available only in iOS 7.0 and later.
+
+
+
+
+ Optional. When false, the App Store is disabled and its icon is removed from the Home screen. Users are unable to install or update their applications.
+
+
+
+
+ Optional. When false, disables Siri. Defaults to true.
+
+
+
+
+ Optional. Supervised only. When false, prevents Siri from querying user-generated content from the web. Available only in iOS 7.0 and later.
+
+
+
+
+ Optional. When false, the user is unable to use Siri when the device is locked. Defaults to true. This restriction is ignored if the device does not have a passcode set. Available only in iOS 5.1 and later.
+
+
+
+
+ Optional. Supervised only. If set to false, iBookstore will be disabled. This will default to true. Available in iOS 6.0 and later.
+
+
+
+
+ Optional. Supervised only prior to iOS 6.1. If set to false, the user will not be able to download media from the iBookstore that has been tagged as erotica. This will default to true. Available in iOS 6.0 and later.
+
+
+
+
+ Optional. When false, the camera is completely disabled and its icon is removed from the Home screen. Users are unable to take photographs.
+
+
+
+
+ Optional. When false, disables backing up the device to iCloud. Available in iOS 5.0 and later.
+
+
+
+
+ Optional. When false, disables document and key-value syncing to iCloud. Available in iOS 5.0 and later.
+
+
+
+
+ Optional. If false, disables keychain syncing to iCloud. Default is true. Available only in iOS 7.0 and later.
+
+
+
+
+ Optional. When false, this prevents the device from automatically submitting diagnostic reports to Apple. Defaults to true. Available only in iOS 6.0 and later.
+
+
+
+
+ Optional. When false, explicit music or video content purchased from the iTunes Store is hidden. Explicit content is marked as such by content providers, such as record labels, when sold through the iTunes Store.
+
+
+
+
+ Optional. Supervised only. If set to false, changes to Find My Friends are disabled. Available only in iOS 7.0 and later.
+
+
+
+
+ Optional. If false, prevents Touch ID from unlocking a device. Available in iOS 7 and later.
+
+
+
+
+ Optional. Supervised only. When false, Game Center is disabled and its icon is removed from the Home screen. Default is true. Available only in iOS 6.0 and later.
+
+
+
+
+ Supervised only. If set to false, host pairing is disabled with the exception of the supervision host. If no supervision host certificate has been configured, all pairing is disabled. Available only in iOS 7.0 and later.
+
+
+
+
+ Optional. If false, prevents Control Center from appearing on the Lock screen. Available in iOS 7 and later.
+
+
+
+
+ Optional. If set to false, the Notifications view in Notification Center on the lock screen is disabled. Available only in iOS 7.0 and later.
+
+
+
+
+ Optional. If set to false, the Today view in Notification Center on the lock screen is disabled. Available only in iOS 7.0 and later.
+
+
+
+
+ Optional. If false, documents in managed apps and accounts only open in other managed apps and accounts. Default is true. Available only in iOS 7.0 and later.
+
+
+
+
+ Optional. If set to false, documents in unmanaged apps and accounts will only open in other unmanaged apps and accounts. Default is true. Available only in iOS 7.0 and later.
+
+
+
+
+ Optional. If false, over-the-air PKI updates are disabled. Default is true. Available only in iOS 7.0 and later.
+
+
+
+
+ Optional. If set to false, Passbook notifications will not be shown on the lock screen. This will default to true. Available in iOS 6.0 and later.
+
+
+
+
+ Optional. When false, disables Photo Stream. Available in iOS 5.0 and later.
+
+
+
+
+ Optional. When false, the Safari web browser application is disabled and its icon removed from the Home screen. This also prevents users from opening web clips.
+
+
+
+
+ Optional. When false, users are unable to save a screenshot of the display.
+
+
+
+
+ Optional. If set to false, Shared Photo Stream will be disabled. This will default to true. Available in iOS 6.0 and later.
+
+
+
+
+ Optional. Supervised only. If set to false, the user is prohibited from installing configuration profiles and certificates interactively. This will default to true. Available in iOS 6.0 and later.
+
+
+
+
+ Optional. When false, automatically rejects untrusted HTTPS certificates without prompting the user. Available in iOS 5.0 and later.
+
+
+
+
+ Optional. When false, disables voice dialing.
+
+
+
+
+ Optional. When false, the YouTube application is disabled and its icon is removed from the Home screen. This key is ignored in iOS 6 and later because the YouTube app is not provided.
+
+
+
+
+ Optional. When false, the iTunes Music Store is disabled and its icon is removed from the Home screen. Users cannot preview, purchase, or download content.
+
+
+
+
+ Optional. If present, allows the identified apps to autonomously enter Single App Mode. Available only in iOS 7.0 and later.
+
+
+
+
+ Optional. When true, encrypts all backups.
+
+
+
+
+ Optional. When true, forces user to enter their iTunes password for each transaction. Available in iOS 5.0 and later.
+
+
+
+
+ Optional. If true, limits ad tracking. Default is false. Available only in iOS 7.0 and later.
+
+
+
+
+ Optional. When false, Safari auto-fill is disabled. Defaults to true.
+
+
+
+
+
+
+
+
+
+
+
+
+ The passcodepolicy_test is used to check the status of the passcode policy in place on the device. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a passcodepolicy_object and the optional state element specifies the data to check.
+
+
+ passcodepolicy_test
+ passcodepolicy_object
+ passcodepolicy_state
+ passcodepolicy_item
+
+
+
+
+
+ - the object child element of a passcodepolicy_test must reference a passcodepolicy_object
+
+
+ - the state child element of a passcodepolicy_test must reference a passcodepolicy_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The passcodepolicy_object element is used by a passcode policy test to define those objects to be evaluated based on a specified state. Any OVAL Test written to check passcode policy status will reference the same passcodepolicy_object which is basically an empty object element.
+
+
+
+
+
+
+
+
+
+ Passcode Policy Items from public Apple Configuration Profile Reference
+
+
+
+
+
+
+
+ Optional. Default true. Determines whether a simple passcode is allowed. A simple passcode is defined as containing repeated characters, or increasing/decreasing characters (such as 123 or CBA). Setting this value to false is synonymous to setting minComplexChars to "1".
+
+
+
+
+ Optional. Default false. Determines whether the user is forced to set a PIN. Simply setting this value (and not others) forces the user to enter a passcode, without imposing a length or quality.
+
+
+
+
+ Optional. Default 11. Allowed range [2...11]. Specifies the number of allowed failed attempts to enter the passcode at the device's lock screen. Once this number is exceeded, the device is locked and must be connected to its designated iTunes in order to be unlocked.
+
+
+
+
+ Optional. Default Infinity. Specifies the number of minutes for which the device can be idle (without being unlocked by the user) before it gets locked by the system. Once this limit is reached, the device is locked and the passcode must be entered. In OS X, this will be translated to screensaver settings.
+
+
+
+
+ Optional. Default Infinity. Specifies the number of days for which the passcode can remain unchanged. After this number of days, the user is forced to change the passcode before the device is unlocked.
+
+
+
+
+ Optional. Default 0. Specifies the minimum number of complex characters that a passcode must contain. A "complex" character is a character other than a number or a letter.
+
+
+
+
+ Optional. Default 0. Specifies the minimum overall length of the passcode. This parameter is independent of the also optional minComplexChars argument.
+
+
+
+
+ Optional. Default false. Specifies whether the user must enter alphabetic characters ("abcd"), or if numbers are sufficient.
+
+
+
+
+ Optional. When the user changes the passcode, it has to be unique within the last N entries in the history. Minimum value is 1, maximum value is 50.
+
+
+
+
+ Optional. The maximum grace period, in minutes, to unlock the phone without entering a passcode. Default is 0, that is no grace period, which requires a passcode immediately. In OS X, this will be translated to screensaver settings.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The profile_test is used to check the status of the profiles in place on the device. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a profile_object and the optional state element specifies the data to check.
+
+
+ profile_test
+ profile_object
+ profile_state
+ profile_item
+
+
+
+
+
+ - the object child element of a profile_test must reference a profile_object
+
+
+ - the state child element of a profile_test must reference a profile_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The profile_object element is used by a profile test to define those objects to be evaluated based on a specified state. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ A reverse-DNS style identifier (com.example.myprofile, for example) that identifies the profile. This string is used to determine whether a new profile should replace an existing one or should be added.
+
+
+
+
+ A globally unique identifier for the payload. The actual content is unimportant, but it must be globally unique.
+
+
+
+
+
+
+
+
+
+
+
+
+ Represents information about each configuration profile installed on the device.
+
+
+
+
+
+
+
+ Optional. Set to true if there is a removal passcode.
+
+
+
+
+ Optional. Set to true if the profile is encrypted.
+
+
+
+
+ Optional. Contains information about each payload inside the configuration profile.
+
+
+
+
+ Optional. A description of the profile, shown on the Detail screen for the profile.
+
+
+
+
+ Optional. A human-readable name for the profile. This value is displayed on the Detail screen. It does not have to be unique.
+
+
+
+
+ A reverse-DNS style identifier (com.example.myprofile, for example) that identifies the profile. This string is used to determine whether a new profile should replace an existing one or should be added.
+
+
+
+
+ Optional. A human-readable string containing the name of the organization that provided the profile.
+
+
+
+
+ Optional. If present and set to true, the user cannot delete the profile (unless the profile has a removal password and the user provides it).
+
+
+
+
+ A globally unique identifier for the payload. The actual content is unimportant, but it must be globally unique.
+
+
+
+
+ The version number of the profile format. This describes the version of the configuration profile as a whole, not of the individual profiles within it. Currently, this value should be 1.
+
+
+
+
+
+
+
+
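Review bot: the globalrestrictions_state entity descriptions are lifted from the configuration-profile key semantics ("Optional. ... Defaults to true.", as at "When false, disables Siri. Defaults to true." and "If false, disables keychain syncing to iCloud. Default is true.") and never say what an evaluator reports when no installed profile sets the key. Someone writing a state against "When false, automatically rejects untrusted HTTPS certificates without prompting the user" needs to know whether an unset restriction comes back as the documented default value or as an entity that does not exist, because the test result is different in the two cases; state that in the state descriptions and in the passcodepolicy ones, which have the same gap plus "Default Infinity" for the idle-lock and passcode-age entities, a value no integer entity can carry if those entities are integer typed. Smaller points in the same hunk: the host-pairing entry ("Supervised only. If set to false, host pairing is disabled...") is the only restriction missing the leading "Optional." that every other entry carries; "Default 11. Allowed range [2...11]" documents a range that should be backed by a restriction on the entity type or a Schematron rule rather than prose; and the two profile_object entities reuse the profile key descriptions ("A reverse-DNS style identifier...", "A globally unique identifier for the payload...") where the reader wants to know that identifier and uuid are the selection criteria for which installed profile(s) to collect, and whether pattern match is permitted on them.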
diff --git a/oval-schemas/apple-ios-system-characteristics-schema.xsd b/oval-schemas/apple-ios-system-characteristics-schema.xsd
new file mode 100644
index 0000000..d5af2f5
--- /dev/null
+++ b/oval-schemas/apple-ios-system-characteristics-schema.xsd
@@ -0,0 +1,373 @@
+
+
+
+
+
+ The following is a description of the elements, types, and attributes that compose the Apple iOS specific system characteristic items found in Open Vulnerability and Assessment Language (OVAL). Each item is an extension of the standard item element defined in the Core System Characteristic Schema. Through extension, each item inherits a set of elements and attributes that are shared amongst all OVAL Items. Each item is described in detail and should provide the information necessary to understand what each element and attribute represents. This document is intended for developers and assumes some familiarity with XML. A high level description of the interaction between the different tests and their relationship to the Core System Characteristic Schema is not outlined here.
+ The OVAL Schema is maintained by the OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.cisecurity.org.
+ See public documentation at https://developer.apple.com/library/ios/featuredarticles/iPhoneConfigurationProfileRef/Introduction/Introduction.html
+
+ Apple iOS System Characteristics
+ 5.11.1:1.2
+ 11/30/2016 09:00:00 AM
+ Copyright (c) 2016, Center for Internet Security. All rights reserved. The contents of this file are subject to the terms of the OVAL License located at https://oval.cisecurity.org/terms. See the OVAL License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the OVAL Schema, this license header must be included.
+
+
+
+
+
+
+
+
+
+
+ Information on global restrictions in place on the device derived from Apple's public Configuration Profile reference documentation
+
+
+
+
+
+
+
+ Optional. Supervised only. If set to false, account modification is disabled. Available only in iOS 7.0 and later.
+
+
+
+
+ Optional. Supervised only. If set to false, AirDrop is disabled. Available only in iOS 7.0 and later.
+
+
+
+
+ Optional. Supervised only. If set to false, changes to cellular data usage for apps are disabled. Available only in iOS 7.0 and later.
+
+
+
+
+ Optional. When false, the App Store is disabled and its icon is removed from the Home screen. Users are unable to install or update their applications.
+
+
+
+
+ Optional. When false, disables Siri. Defaults to true.
+
+
+
+
+ Optional. Supervised only. When false, prevents Siri from querying user-generated content from the web. Available only in iOS 7.0 and later.
+
+
+
+
+ Optional. When false, the user is unable to use Siri when the device is locked. Defaults to true. This restriction is ignored if the device does not have a passcode set. Available only in iOS 5.1 and later.
+
+
+
+
+ Optional. Supervised only. If set to false, iBookstore will be disabled. This will default to true. Available in iOS 6.0 and later.
+
+
+
+
+ Optional. Supervised only prior to iOS 6.1. If set to false, the user will not be able to download media from the iBookstore that has been tagged as erotica. This will default to true. Available in iOS 6.0 and later.
+
+
+
+
+ Optional. When false, the camera is completely disabled and its icon is removed from the Home screen. Users are unable to take photographs.
+
+
+
+
+ Optional. When false, disables backing up the device to iCloud. Available in iOS 5.0 and later.
+
+
+
+
+ Optional. When false, disables document and key-value syncing to iCloud. Available in iOS 5.0 and later.
+
+
+
+
+ Optional. If false, disables keychain syncing to iCloud. Default is true. Available only in iOS 7.0 and later.
+
+
+
+
+ Optional. When false, this prevents the device from automatically submitting diagnostic reports to Apple. Defaults to true. Available only in iOS 6.0 and later.
+
+
+
+
+ Optional. When false, explicit music or video content purchased from the iTunes Store is hidden. Explicit content is marked as such by content providers, such as record labels, when sold through the iTunes Store.
+
+
+
+
+ Optional. Supervised only. If set to false, changes to Find My Friends are disabled. Available only in iOS 7.0 and later.
+
+
+
+
+ Optional. If false, prevents Touch ID from unlocking a device. Available in iOS 7 and later.
+
+
+
+
+ Optional. Supervised only. When false, Game Center is disabled and its icon is removed from the Home screen. Default is true. Available only in iOS 6.0 and later.
+
+
+
+
+ Supervised only. If set to false, host pairing is disabled with the exception of the supervision host. If no supervision host certificate has been configured, all pairing is disabled. Available only in iOS 7.0 and later.
+
+
+
+
+ Optional. If false, prevents Control Center from appearing on the Lock screen. Available in iOS 7 and later.
+
+
+
+
+ Optional. If set to false, the Notifications view in Notification Center on the lock screen is disabled. Available only in iOS 7.0 and later.
+
+
+
+
+ Optional. If set to false, the Today view in Notification Center on the lock screen is disabled. Available only in iOS 7.0 and later.
+
+
+
+
+ Optional. If false, documents in managed apps and accounts only open in other managed apps and accounts. Default is true. Available only in iOS 7.0 and later.
+
+
+
+
+ Optional. If set to false, documents in unmanaged apps and accounts will only open in other unmanaged apps and accounts. Default is true. Available only in iOS 7.0 and later.
+
+
+
+
+ Optional. If false, over-the-air PKI updates are disabled. Default is true. Available only in iOS 7.0 and later.
+
+
+
+
+ Optional. If set to false, Passbook notifications will not be shown on the lock screen. This will default to true. Available in iOS 6.0 and later.
+
+
+
+
+ Optional. When false, disables Photo Stream. Available in iOS 5.0 and later.
+
+
+
+
+ Optional. When false, the Safari web browser application is disabled and its icon removed from the Home screen. This also prevents users from opening web clips.
+
+
+
+
+ Optional. When false, users are unable to save a screenshot of the display.
+
+
+
+
+ Optional. If set to false, Shared Photo Stream will be disabled. This will default to true. Available in iOS 6.0 and later.
+
+
+
+
+ Optional. Supervised only. If set to false, the user is prohibited from installing configuration profiles and certificates interactively. This will default to true. Available in iOS 6.0 and later.
+
+
+
+
+ Optional. When false, automatically rejects untrusted HTTPS certificates without prompting the user. Available in iOS 5.0 and later.
+
+
+
+
+ Optional. When false, disables voice dialing.
+
+
+
+
+ Optional. When false, the YouTube application is disabled and its icon is removed from the Home screen. This key is ignored in iOS 6 and later because the YouTube app is not provided.
+
+
+
+
+ Optional. When false, the iTunes Music Store is disabled and its icon is removed from the Home screen. Users cannot preview, purchase, or download content.
+
+
+
+
+ Optional. If present, allows the identified apps to autonomously enter Single App Mode. Available only in iOS 7.0 and later.
+
+
+
+
+ Optional. When true, encrypts all backups.
+
+
+
+
+ Optional. When true, forces user to enter their iTunes password for each transaction. Available in iOS 5.0 and later.
+
+
+
+
+ Optional. If true, limits ad tracking. Default is false. Available only in iOS 7.0 and later.
+
+
+
+
+ Optional. When false, Safari auto-fill is disabled. Defaults to true.
+
+
+
+
+
+
+
+
+
+
+
+
+ Passcode Policy Items from public Apple Configuration Profile Reference
+
+
+
+
+
+
+
+ Optional. Default true. Determines whether a simple passcode is allowed. A simple passcode is defined as containing repeated characters, or increasing/decreasing characters (such as 123 or CBA). Setting this value to false is synonymous to setting minComplexChars to "1".
+
+
+
+
+ Optional. Default false. Determines whether the user is forced to set a PIN. Simply setting this value (and not others) forces the user to enter a passcode, without imposing a length or quality.
+
+
+
+
+ Optional. Default 11. Allowed range [2...11]. Specifies the number of allowed failed attempts to enter the passcode at the device's lock screen. Once this number is exceeded, the device is locked and must be connected to its designated iTunes in order to be unlocked.
+
+
+
+
+ Optional. Default Infinity. Specifies the number of minutes for which the device can be idle (without being unlocked by the user) before it gets locked by the system. Once this limit is reached, the device is locked and the passcode must be entered. In OS X, this will be translated to screensaver settings.
+
+
+
+
+ Optional. Default Infinity. Specifies the number of days for which the passcode can remain unchanged. After this number of days, the user is forced to change the passcode before the device is unlocked.
+
+
+
+
+ Optional. Default 0. Specifies the minimum number of complex characters that a passcode must contain. A "complex" character is a character other than a number or a letter.
+
+
+
+
+ Optional. Default 0. Specifies the minimum overall length of the passcode. This parameter is independent of the also optional minComplexChars argument.
+
+
+
+
+ Optional. Default false. Specifies whether the user must enter alphabetic characters ("abcd"), or if numbers are sufficient.
+
+
+
+
+ Optional. When the user changes the passcode, it has to be unique within the last N entries in the history. Minimum value is 1, maximum value is 50.
+
+
+
+
+ Optional. The maximum grace period, in minutes, to unlock the phone without entering a passcode. Default is 0, that is no grace period, which requires a passcode immediately. In OS X, this will be translated to screensaver settings.
+
+
+
+
+
+
+
+
+
+
+
+
+ Represents information about each configuration profile installed on the device.
+
+
+
+
+
+
+
+ Optional. Set to true if there is a removal passcode.
+
+
+
+
+ Optional. Set to true if the profile is encrypted.
+
+
+
+
+ Optional. Contains information about each payload inside the configuration profile.
+
+
+
+
+ Optional. A description of the profile, shown on the Detail screen for the profile.
+
+
+
+
+ Optional. A human-readable name for the profile. This value is displayed on the Detail screen. It does not have to be unique.
+
+
+
+
+ A reverse-DNS style identifier (com.example.myprofile, for example) that identifies the profile. This string is used to determine whether a new profile should replace an existing one or should be added.
+
+
+
+
+ Optional. A human-readable string containing the name of the organization that provided the profile.
+
+
+
+
+ Optional. If present and set to true, the user cannot delete the profile (unless the profile has a removal password and the user provides it).
+
+
+
+
+ A globally unique identifier for the payload. The actual content is unimportant, but it must be globally unique.
+
+
+
+
+ The version number of the profile format. This describes the version of the configuration profile as a whole, not of the individual profiles within it. Currently, this value should be 1.
+
+
+
+
+
+
+
+
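Review bot: the profile_item entity described as "Contains information about each payload inside the configuration profile" gives an implementer nothing to build against: a profile carries several payloads, each with its own identifier, type and UUID, so the description must say how that is represented in the item (one entity per payload, a record with named fields, or the raw plist), otherwise collectors will disagree and a definition written against one will not match another. Same hunk: the Single App Mode entry ("If present, allows the identified apps to autonomously enter Single App Mode") describes a key whose value is a list of app identifiers, yet the item entity reads like the boolean entries around it; say whether the item carries one entity per permitted app identifier. The YouTube entry is documented as "ignored in iOS 6 and later", so in a schema dated 11/30/2016 it can only be collected on devices nobody is assessing; drop it or document what the item reports on current iOS. And the host-pairing entry again lacks the leading "Optional." that every other entry carries.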
diff --git a/oval-schemas/asa-definitions-schema.xsd b/oval-schemas/asa-definitions-schema.xsd
new file mode 100644
index 0000000..555eb5a
--- /dev/null
+++ b/oval-schemas/asa-definitions-schema.xsd
@@ -0,0 +1,1480 @@
+
+
+
+
+ The following is a description of the elements, types, and attributes that compose the Cisco ASA specific tests found in Open Vulnerability and Assessment Language (OVAL). Each test is an extension of the standard test element defined in the Core Definition Schema. Through extension, each test inherits a set of elements and attributes that are shared amongst all OVAL tests. Each test is described in detail and should provide the information necessary to understand what each element and attribute represents. This document is intended for developers and assumes some familiarity with XML. A high level description of the interaction between the different tests and their relationship to the Core Definition Schema is not outlined here.
+ The OVAL Schema is maintained by the OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.cisecurity.org.
+ Thanks to Omar Santos and Panos Kampanakis of Cisco for providing these tests.
+
+ Cisco ASA Definition
+ 5.11.1:1.2
+ 11/30/2016 09:00:00 AM
+ Copyright (c) 2016, Center for Internet Security. All rights reserved. The contents of this file are subject to the terms of the OVAL License located at https://oval.cisecurity.org/terms. See the OVAL License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the OVAL Schema, this license header must be included.
+
+
+
+
+
+
+
+
+
+
+ The acl test is used to check the properties of specific output lines from an ACL configuration.
+
+
+ acl_test
+ acl_object
+ acl_state
+ acl_item
+
+
+
+
+
+
+ - the object child element of a acl_test must reference a acl_object
+
+
+
+ - the state child element of a acl_test must reference a acl_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The acl_object element is used by an acl_test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+ An acl object consists of a an acl name and an IP version entity that is the name and the IP protocol version of the access-list to be tested.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The name of the ACL.
+
+
+
+
+ The IP version of the ACL.
+
+
+
+
+
+
+
+
+
+
+
+
+ The acl_state element defines the different information that can be used to evaluate the result of a specific ACL configuration. This includes the name of ths ACL and the corresponding config lines. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ The name of the ACL.
+
+
+
+
+ The IP version of the ACL (i.e. IPv4 or IPv6 or both for UACLs).
+
+
+
+
+ The feature where the ACL is used.
+
+
+
+
+ The name of where the ACL is used. For example if use is 'INTERFACE', use_in will be the name of the interface.
+
+
+
+
+ The direction the ACL is applied by using the access-group command. Inbound access lists apply to traffic as it enters an interface.
+
+
+
+
+ The value returned with all config lines of the ACL.
+
+
+
+
+ The value returned with one ACL config line at a time.
+
+
+
+
+
+
+
+
+
+
+
+
+ The class_map test is used to check the properties of specific output lines from an MPF class-map configuration.
+
+
+ class_map_test
+ class_map_object
+ class_map_state
+ class_map_item
+
+
+
+
+
+ - the object child element of an class_map_test must reference an class_map_object
+
+
+ - the state child element of an class_map_test must reference an class_map_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The class_map_object element is used by an class_map test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+ A class_map object consists of a name entity that is the name of the ASA 'class-map' configuration to be tested.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The MPF class-map name.
+
+
+
+
+
+
+
+
+
+
+
+
+ The class_map_state element defines the different information that can be used to evaluate the result of a specific 'class-map' ASA command. This includes the name, the type, the inspection type, the match type, the match commands, the policy-map or class-map it is used and the action in the policy-map. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ The name of the class-map.
+
+
+
+
+ The type of the 'class-map nameX type' command.
+
+
+
+
+ The inspection type of the class-map ('class-map nameX type inspect').
+
+
+
+
+ The 'match-all' or 'match-any' type of the class-map. ASA defaults to 'match-any'.
+
+
+
+
+ The 'match' commands in the class-map.
+
+
+
+
+ The name of the class-map (for nested class-maps) that this class-map is used in.
+
+
+
+
+ The name of the policy-map that this class-map is used in.
+
+
+
+
+ The command that identifies the action for the class. For example that could be 'inspect protocolX', 'drop' or 'police 1000' or 'set connection advanced-options tcpmapX'.
+
+
+
+
+
+
+
+
+
+
+
+
+ The interface test is used to check for the existence of a particular interface on the Cisco ASA device. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a interface_object and the optional state element specifies the data to check.
+
+
+ interface_test
+ interface_object
+ interface_state
+ interface_item
+
+
+
+
+
+ - the object child element of an interface_test must reference an interface_object
+
+
+ - the state child element of an interface_test must reference an interface_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The interface_object element is used by an interface_test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+ An interface_object consists of a name entity that is the name of the ASA interface to be tested.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The interface name.
+
+
+
+
+
+
+
+
+
+
+
+
+ The interface_state element defines the different information that can be used to evaluate the result of a specific ASA interface. This includes the name, status, and address information about the interface. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ The interface name.
+
+
+
+
+ Proxy arp enabled on the interface. The default is true.
+
+
+
+
+ Interface is shut down.
+
+
+
+
+ The interface hardware (MAC) address.
+
+
+
+
+ The interface IPv4 address and mask. This element should only allow 'ipv4_address' of the oval:SimpleDatatypeEnumeration.
+
+
+
+
+ The interface IPv6 address and mask. This element should only allow 'ipv6_address' of the oval:SimpleDatatypeEnumeration.
+
+
+
+
+ The ingress or egress IPv4 ACL name applied on the interface.
+
+
+
+
+ The ingress or egress IPv6 ACL name applied on the interface.
+
+
+
+
+ The ingress or egress UACL name applied on the interface.
+
+
+
+
+ The crypto map name applied to the interface.
+
+
+
+
+ The IPv4 uRPF command under the interface.
+
+
+
+
+ The IPv6 uRPF command under the interface.
+
+
+
+
+ The uRPF command under the interface.
+
+
+ 5.11.1:1.1
+ This entity has been deprecated because it was replaced by the ipv4_urpf_command and ipv6_urpf_command entities.
+
+
+
+ Warning: DEPRECATED ENTITY: . This entity has been deprecated because it was replaced by the ipv4_urpf_command and ipv6_urpf_command entities.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The line_test is used to check the properties of specific output lines from a SHOW command, such as SHOW RUNNING-CONFIG. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a line_object and the optional state element specifies the data to check.
+
+
+ line_test
+ line_object
+ line_state
+ line_item
+
+
+
+
+
+ - the object child element of a line_test must reference a line_object
+
+
+ - the state child element of a line_test must reference a line_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The line_object element is used by a line_test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+ A line object consists of a show_subcommand entity that is the name of a SHOW sub-command to be tested.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The name of a SHOW sub-command.
+
+
+
+
+
+
+
+
+
+
+
+
+ The line_state element defines the different information that can be used to evaluate the result of a specific SHOW sub-command. This includes the name of ths sub-command and the corresponding config line. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ The name of the SHOW sub-command.
+
+
+
+
+ The value returned from by the specified SHOW sub-command.
+
+
+
+
+
+
+
+
+
+
+
+
+ The policy_map test is used to check the properties of specific output lines from an policy-map ASA configuration.
+
+
+ policy_map_test
+ policy_map_object
+ policy_map_state
+ policy_map_item
+
+
+
+
+
+ - the object child element of an policy_map_test must reference an policy_map_object
+
+
+ - the state child element of an policy_map_test must reference an policy_map_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The policy_map_object element is used by an policy_map test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+ A policy_map object consists of a name entity that is the name of the ASA 'policy-map' configuration to be tested.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The MPF policy-map name.
+
+
+
+
+
+
+
+
+
+
+
+
+ The policy_map_state element defines the different information that can be used to evaluate the result of a 'policy-map' ASA configuration. This includes the policy-map name, the inspection type, the paremeters, the match and action commands, the policy-map it is used in and the service-policy that applies it. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ The policy-map name.
+
+
+
+
+ The inspection type of the class-map.
+
+
+
+
+ The parameter commands of the policy-map.
+
+
+
+
+ The in-line match command and the action in the policy-map seperated by delimeter '_-_'. For example an http inspect policy-map could have 'match body regex regexnameX' and the action be 'drop'. Then this element would be 'body regex regexnameX_-_drop'.
+
+
+
+
+ The name of policy-map that includes the policy-map('policy-map type inspect' in this case) or the service-policy that applies the policy-map (non 'type inspect' in this case). For example, the former could be when a http inspection policy-map policymapnameX is used in a policy-map policymapnameY as its 'inspect http policymapnameX' command. The latter could be when policymapnameY is applied globally with 'service-policy policymapnameY global'. There is no chance where a policy-map can be used in both a policy-map and a service policy at the same time.
+
+
+
+
+
+
+
+
+
+
+
+
+ The service_policy test is used to check the properties of specific output lines from an MPF service-policy configuration.
+
+
+ service_policy_test
+ service_policy_object
+ service_policy_state
+ service_policy_item
+
+
+
+
+
+ - the object child element of an service_policy_test must reference an service_policy_object
+
+
+ - the state child element of an service_policy_test must reference an service_policy_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The service_policy_object element is used by an service_policy test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+ A service_policy object consists of a name entity that is the name of the ASA 'service-policy' configurate to be tested.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The MPF service-policy name.
+
+
+
+
+
+
+
+
+
+
+
+
+ The service_policy_state element defines the different information that can be used to evaluate service-policy ASA configuration. This includes the service-policy name, where it is applied and the interface it is applied (if applicable). Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ The service-policy name.
+
+
+
+
+ Where he service-policy is applied.
+
+
+
+
+ The interface the service-policy is applied (of the 'applied' element has value "INTERFACE').
+
+
+
+
+
+
+
+
+
+
+
+
+ The snmp_host test is used to check the properties of specific output lines from an SNMP configuration.
+
+
+ snmp_host_test
+ snmp_host_object
+ snmp_host_state
+ snmp_host_item
+
+
+
+
+
+ - the object child element of an snmp_host_test must reference an snmp_host_object
+
+
+ - the state child element of an snmp_host_test must reference an snmp_host_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The snmp_host_object element is used by an snmp_host test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+ A snmp_host object consists of a host entity that is the host of the 'snmp host' ASA command to be tested.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The SNMP host address or hostname.
+
+
+
+
+
+
+
+
+
+
+
+
+ The snmp_host_state element defines the different information that can be used to evaluate the result of a specific 'snmp host' ASA command. This includes the host and the corresponding options. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ The interface configured for the host.
+
+
+
+
+ The SNMP host address or hostname.
+
+
+
+
+ The community SNMPv3 user configured for the host.
+
+
+
+
+ The SNMP version.
+
+
+
+
+ SNMP polls enabled for the host.
+
+
+
+
+ SNMP traps enabled for the host.
+
+
+
+
+ SNMP port configured for the host.
+
+
+
+
+
+
+
+
+
+
+
+
+ The snmp_user test is used to check the properties of specific output lines from an SNMP user configuration.
+
+
+ snmp_user_test
+ snmp_user_object
+ snmp_user_state
+ snmp_user_item
+
+
+
+
+
+ - the object child element of an snmp_user_test must reference an snmp_user_object
+
+
+ - the state child element of an snmp_user_test must reference an snmp_user_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The snmp_user_object element is used by an snmp_user test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+ A snmp_user object consists of a name entity that is the name of the SNMP user to be tested.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The SNMP user name.
+
+
+
+
+
+
+
+
+
+
+
+
+ The snmp_user_state element defines the different information that can be used to evaluate the result of a specific 'show snmp-serveruser' ASA command. This includes the user name and the corresponding options. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ The SNMP user name.
+
+
+
+
+ The SNMP group the user belongs to.
+
+
+
+
+ The SNMP encryption type for the user (for SNMPv3).
+
+
+
+
+ The SNMP authentication type for the user (for SNMPv3).
+
+
+
+
+
+
+
+
+
+
+
+
+ The snmp_group test is used to check the properties of specific output lines from an SNMP group configuration.
+
+
+ snmp_group_test
+ snmp_group_object
+ snmp_group_state
+ snmp_group_item
+
+
+
+
+
+ - the object child element of an snmp_group_test must reference an snmp_group_object
+
+
+ - the state child element of an snmp_group_test must reference an snmp_group_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The snmp_group_object element is used by an snmp_group test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+ A snmp_group object consists of a name entity that is the name of the SNMP group to be tested.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The SNMP group name.
+
+
+
+
+
+
+
+
+
+
+
+
+ The snmp_group_state element defines the different information that can be used to evaluate the result of a specific 'snmp-server group' ASA command. This includes the user name and the corresponding options. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ The SNMP group name.
+
+
+
+
+ The SNMPv3 security configured for the group.
+
+
+
+
+
+
+
+
+
+
+
+
+ The tcp_map test is used to check the properties of specific output lines from a tcp-map ASA configuration.
+
+
+ tcp_map_test
+ tcp_map_object
+ tcp_map_state
+ tcp_map_item
+
+
+
+
+
+ - the object child element of an service_policy_test must reference an service_policy_object
+
+
+ - the state child element of an service_policy_test must reference an service_policy_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The tcp-map_object element is used by an tcp_map test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+ A service_policy object consists of a name entity that is the name of the ASA 'tcp-map' configuration to be tested.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The MPF tcp-map name.
+
+
+
+
+
+
+
+
+
+
+
+
+ The tcp_map_state element defines the different information that can be used to evaluate the result of a specific 'tcp-map' ASA configuration. This includes the tcp-map name and its configured options. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ The tcp-map name.
+
+
+
+
+ The configured commends in the tcp-map. These could include TCP options, flags and other options of the tcp-map.
+
+
+
+
+
+
+
+
+
+
+
+
+ The version test is used to check the version of the ASA operating system. It is based off of the SHOW VERSION command. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a version_object and the optional state element specifies the data to check.
+
+
+ version_test
+ version_object
+ version_state
+ version_item
+
+
+
+
+
+ - the object child element of a version_test must reference a version_object
+
+
+ - the state child element of a version_test must reference a version_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The version_object element is used by a version test to define the different version information associated with a ASA system. There is actually only one object relating to version and this is the system as a whole. Therefore, there are no child entities defined. Any OVAL Test written to check version will reference the same version_object which is basically an empty object element.
+
+
+
+
+
+
+
+
+
+ The version_state element defines the version information held within a Cisco ASA software release. The asa_release element specifies the whole ASA version information. The asa_major_release, asa_minor_release and asa_build elements specify seperated parts of ASA software version information. For instance, if the ASA version is 8.4(2.3)49, then asa_release is 8.4(2.3)49, asa_major_release is 8.4, asa_minor_release is 2.3 and asa_build is 49. See the SHOW VERSION command within ASA for more information.
+
+
+
+
+
+
+
+ The asa_release element specifies the whole ASA version information.
+
+
+
+
+ The asa_major_release is the dotted version that starts a version string. For example the asa_release 8.4(2.3)49 has a asa_major_release of 8.4.
+
+
+
+
+ The asa_minor_release is the dotted version that starts a version string. For example the asa_release 8.4(2.3)49 has a asa_minor_release of 2.3.
+
+
+
+
+ The asa_build is an integer. For example the asa_release 8.4(2.3)49 has a asa_build of 49.
+
+
+
+
+
+
+
+
+
+
+
+
+ The EntityObjectAccessListIPVersionType complex type restricts a string value to a specific set of values: IPV4, IPV6 or IPV4_V6 (both). These values describe if an ACL is for IPv4 or IPv6 or both for UACLs in a Cisco ASA configuration. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+
+
+
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+
+ The EntityStateAccessListIPVersionType complex type restricts a string value to a specific set of values: IPV4, IPV6 or IPV4_V6 (both). These values describe if an ACL is for IPv4 or IPv6 or both for UACLs in a Cisco ASA configuration. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+
+
+
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityStateAccessListUseType complex type restricts a string value to a specific set of values: INTERFACE, INTERFACE_CP (control plane interface ACL), CRYPTO_MAP_MATCH, CLASS_MAP_MATCH, ROUTE_MAP_MATCH, IGMP_FILTER, NONE. These values describe the ACL use in a Cisco ASA configuration. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+
+
+
+
+
+
+
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityStateAccessListInterfaceDirectionType complex type restricts a string value to a specific set of values: IN, OUT. These values describe the inbound or outbound ACL direction on an interface in a Cisco ASA configuration. These values are defined with the access-group command. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+
+
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityStateClassMapType complex type restricts a string value to a specific set of values: INSPECT, REGEX, MANAGEMENT. These values describe the MPF class-map types in Cisco ASA MPF configurations. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+
+
+
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityStateInspectionType complex type restricts a string value to a specific set of values. These values describe the MPF inspection types of class-map and policy-map configurations in Cisco ASA MPF configurations. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityStateApplyServicePolicyType complex type restricts a string value to a specific set of values: GLOBAL, INTERFACE. These values describe where a service-policy is applied in a Cisco ASA MPF configuration. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+
+
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityStateMatchType complex type restricts a string value to a specific set of values: ANY, ALL. These values describe the match type of a class-map in a Cisco ASA MPF configuration. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+
+
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityStateSNMPVersionStringType complex type restricts a string value to a specific set of values: 1, 2c, 3. These values describe the SNMP version in a Cisco ASA configuration. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+
+
+
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityStateSNMPSecLevelStringType complex type restricts a string value to a specific set of values: PRIV, AUTH, NO_AUTH. These values describe the SNMP security level (encryption, Authentication, None) in a Cisco ASA SNMPv3 related configurations. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+
+
+
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityStateSNMPAuthStringType complex type restricts a string value to a specific set of values: MD5, SHA. These values describe the authentication algorithm in a Cisco ASA SNMPv3 related configurations. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+
+
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityStateSNMPPrivStringType complex type restricts a string value to a specific set of values: DES, 3DES, AES128, AES192, and AES256. These values describe the encryption algorithm in a Cisco ASA SNMPv3 related configurations. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+
+
+
+
+
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
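Review bot: The tcp_map_test section carries copy-paste errors from the service_policy block that will mislead anyone reading the schema annotations: the two Schematron assertion messages read "the object child element of an service_policy_test must reference an service_policy_object" and "the state child element of an service_policy_test must reference an service_policy_state" but sit under tcp_map_test, so they should name tcp_map_test, tcp_map_object and tcp_map_state (and the assertion tests themselves should be checked for the same substitution). In the same section the object documentation calls the element "tcp-map_object" (hyphen, not underscore) and opens with "A service_policy object consists of a name entity..."; both should say tcp_map. Two further descriptions are wrong rather than merely untidy: asa_minor_release is documented with the asa_major_release text ("the dotted version that starts a version string") although the example shows it is the parenthesised part, 2.3 in 8.4(2.3)49, and snmp_group_state says "This includes the user name" where it means the group name. Smaller documentation fixes worth taking in the same pass: "'show snmp-serveruser'" in snmp_user_state should be 'show snmp-server user'; "Where he service-policy is applied" and "(of the 'applied' element has value "INTERFACE')" in service_policy_state (mismatched quotes, "of" for "if"); "configurate" in service_policy_object; "commends" in tcp_map_state; "seperated by delimeter" and "paremeters" in policy_map_state; "ths sub-command" in line_state; "an policy_map_test" / "an service_policy_test" / "A snmp_host object" article agreement throughout. The deprecation warning "Warning: DEPRECATED ENTITY: ." prints an empty entity name as rendered here; confirm the name substitution is actually present in the report.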
diff --git a/oval-schemas/asa-system-characteristics-schema.xsd b/oval-schemas/asa-system-characteristics-schema.xsd
new file mode 100644
index 0000000..1c69b1a
--- /dev/null
+++ b/oval-schemas/asa-system-characteristics-schema.xsd
@@ -0,0 +1,746 @@
+
+
+
+
+ The following is a description of the elements, types, and attributes that compose the Cisco ASA specific system characteristic items found in Open Vulnerability and Assessment Language (OVAL). Each item is an extension of the standard item element defined in the Core System Characteristic Schema. Through extension, each item inherits a set of elements and attributes that are shared amongst all OVAL Items. Each item is described in detail and should provide the information necessary to understand what each element and attribute represents. This document is intended for developers and assumes some familiarity with XML. A high level description of the interaction between the different tests and their relationship to the Core System Characteristic Schema is not outlined here.
+ The OVAL Schema is maintained by the OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.cisecurity.org.
+ Thanks to Omar Santos and Panos Kampanakis of Cisco for providing these tests.
+
+ Cisco ASA System Characteristics
+ 5.11.1:1.2
+ 11/30/2016 09:00:00 AM
+ Copyright (c) 2016, Center for Internet Security. All rights reserved. The contents of this file are subject to the terms of the OVAL License located at https://oval.cisecurity.org/terms. See the OVAL License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the OVAL Schema, this license header must be included.
+
+
+
+
+
+
+
+
+
+
+ Stores command that are part of a asa configuration section. For example all configuration lines under an interface. It should not store configurations for configs that already have a separate item. For example OSPF has a router item and should not also be stored in a acl_item.
+
+
+
+
+
+
+
+ Element with the name of the ACL.
+
+
+
+
+ Element with the IP version of the ACL.
+
+
+
+
+ Element with the feature where the ACL is used. If the same ACL is applied in more than one feature (i.e interface and crypto map), multiple items needs to be created.
+
+
+
+
+ Element with the name of where the ACL is used. For example if use is 'INTERFACE', use_in will be the name of the interface. If the same ACL is applied in more than one feature (i.e interface and crypto map), multiple items needs to be created.
+
+
+
+
+ Element with the direction the ACL is applied to an interface using the access-group command.
+
+
+
+
+ Element with the value returned with all config lines of the ACL.
+
+
+
+
+ Element with the value returned with one ACL config line at a time.
+
+
+
+
+
+
+
+
+
+
+
+
+ Stores information about the MPF class-map configuration in ASA. That information includes the name, the type, the inspection type, the match type, the match commands, the policy-map or class-map it is used and the action in the policy-map.
+
+
+
+
+
+
+
+ element with the name of the
+ class-map.
+
+
+
+
+ Element with the type of the 'class-map nameX type' command.
+
+
+
+
+ Element with the inspection type of the class-map ('class-map type inspect' command).
+
+
+
+
+ Element with the 'match-all' or 'match-any' type of the class-map. ASA's defaults to 'match-any'.
+
+
+
+
+ Element with the match command in the class-map.
+
+
+
+
+ Element with the name of the class-map (for nested class-maps) that this class-map is used in.
+
+
+
+
+ Element with the name of the policy-map that this class-map is used in.
+
+
+
+
+ Element with the command that identifies the action for the class. For example that could be 'inspect protocolX', 'drop' or 'police 1000' or 'set connection advanced-options tcpmapX'.
+
+
+
+
+
+
+
+
+
+
+
+
+ Stores information about interfaces on an Cisco ASA device.
+
+
+
+
+
+
+
+ Element with the interface name.
+
+
+
+
+ Element that is true if the proxy_arp command is enabled on the interface. The default is true.
+
+
+
+
+ Element that is true if the interface is shut down. The default is false.
+
+
+
+
+ Element with the interface hardware (MAC) address.
+
+
+
+
+ Element with the interface IPv4 address and mask. This element should only allow 'ipv4_address' of the oval:SimpleDatatypeEnumeration.
+
+
+
+
+ Element with the interface IPv6 address and mask. This element should only allow 'ipv6_address' of the oval:SimpleDatatypeEnumeration.
+
+
+
+
+ Element with the ingress or egress IPv4 ACL name applied on the interface.
+
+
+
+
+ Element with the ingress or egress IPv6 ACL name applied on the interface.
+
+
+
+
+ Element with the ingress or egress UACL name applied on the interface.
+
+
+
+
+ Element with the crypto map name applied to the interface.
+
+
+
+
+ Element with the uRPF command for IPv4 under the interface.
+
+
+
+
+ Element with the uRPF command for IPv6 under the interface.
+
+
+
+
+ Element with the uRPF command under the interface.
+
+
+ 5.11.1:1.1
+ This entity has been deprecated because it was replaced by the ipv4_urpf_command and ipv6_urpf_command entities.
+
+
+
+ Warning: DEPRECATED ENTITY: . This entity has been deprecated because it was replaced by the ipv4_urpf_command and ipv6_urpf_command entities.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Stores the configuration information associated with the evaluation of a SHOW sub-command on Cisco ASA. This includes the name of ths sub-command and the corresponding config line.
+
+
+
+
+
+
+
+ The name of the SHOW sub-command.
+
+
+
+
+ The value returned from by the specified SHOW sub-command.
+
+
+
+
+
+
+
+
+
+
+
+
+ Stores information about a policy-map configuration in ASA. That information includes the policy-map name, the inspection type, the paremeters, the match and action commands, the policy-map it is used in and the service-policy that applies it.
+
+
+
+
+
+
+
+ Element with the policy-map name.
+
+
+
+
+ Element with the inspection type of the class-map.
+
+
+
+
+ Element with the parameter commands of the policy-map.
+
+
+
+
+ Element with the in-line match command and the action in the policy-map seperated by delimeter '_-_'. For example an http inspect policy-map could have 'match body regex regexnameX' and the action be 'drop'. Then this element would be 'body regex regexnameX_-_drop'.
+
+
+
+
+ Element with the name of policy-map that includes the policy-map('policy-map type inspect' in this case) or the serice-policy that applies the policy-map (non 'type inspect' in this case). For example, the former could be when a http inspection policy-map policymapnameX is used in a policy-map policymapnameY as its 'inspect http policymapnameX' command. The latter could be when policymapnameY is applied globally with 'service-policy policymapnameY global'. There is no chance where a policy-map can be used in both a policy-map and a service policy at the same time.
+
+
+
+
+
+
+
+
+
+
+
+
+ Stores information about an MPF service-policy configuration in ASA. That information includes the service-policy name, where it is applied and the interface it is applied (if applicable).
+
+
+
+
+
+
+
+ Element with the service-policy name.
+
+
+
+
+ Element with where the service-policy is applied.
+
+
+
+
+ Element with the interface the service-policy is applied (of the 'applied' element has value "INTERFACE').
+
+
+
+
+
+
+
+
+
+
+
+
+ Stores information about the SNMP host configuration in ASA. That information includes the host, the community or user strings, the SNMP version, the snmp security (if the SNMP version is SNMPv3) and the SNMP traps.
+
+
+
+
+
+
+
+ Element with the interface configured for the host.
+
+
+
+
+ Element with the SNMP host address or hostname.
+
+
+
+
+ Element with the community sting or SNMPv3 user configured for the host.
+
+
+
+
+ Element with the SNMP version.
+
+
+
+
+ Element used for when the SNMP polls are enabled for the host.
+
+
+
+
+ Element used for when the SNMP polls are enabled for the host.
+
+
+
+
+ Element used for the SNMP port configured for the host.
+
+
+
+
+
+
+
+
+
+
+
+
+ Stores information about an SNMP user configuration in ASA. That information includes the user name, the SNMP group he belongs to, the SNMP version, the IPv4 or IPv6 ACL it is applied to, the Security Level and the Authentication type that apply to the user (for SNMPv3).
+
+
+
+
+
+
+
+ Element with the SNMP user name.
+
+
+
+
+ Element with the SNMP group the user belongs to.
+
+
+
+
+ Element with the SNMP encryption type for the user (for SNMPv3).
+
+
+
+
+ Element with the SNMP authentication type for the user (for SNMPv3).
+
+
+
+
+
+
+
+
+
+
+
+
+ Stores information about an SNMP group configuration in ASA. That information includes the group name, the SNMP version, the IPv4 or IPv6 ACL it is applied to and the read, write and/or notify views applied to the group.
+
+
+
+
+
+
+
+ Element with the SNMP group name.
+
+
+
+
+ Element with the SNMPv3 security configure for the group.
+
+
+
+
+
+
+
+
+
+
+
+
+ Stores information about MPF tcp-map configuration in ASA. That information includes the tcp-map name and its configured options.
+
+
+
+
+
+
+
+ Element with the tcp-map name.
+
+
+
+
+ Element with the configured commends in the tcp-map. These could include TCP options, flags and other options of the tcp-map.
+
+
+
+
+
+
+
+
+
+
+
+
+ Stores the version information held within a Cisco ASA software release. The asa_release element specifies the whole ASA version information. The asa_major_release, asa_minor_release and asa_build elements specify seperated parts of ASA software version information. For instance, if the ASA version is 8.4(2.3)49, then asa_release is 8.4(2.3)49, asa_major_release is 8.4, asa_minor_release is 2.3 and asa_build is 49. See the SHOW VERSION command within ASA for more information.
+
+
+
+
+
+
+
+ The asa_release element specifies the whole ASA version information.
+
+
+
+
+ The asa_major_release is the dotted version that starts a version string. For example the asa_release 8.4(2.3)49 has a asa_major_release of 8.4.
+
+
+
+
+ The asa_minor_release is the dotted version that starts a version string. For example the asa_release 8.4(2.3)49 has a asa_minor_release of 2.3.
+
+
+
+
+ The asa_build is an integer. For example the asa_release 8.4(2.3)49 has a asa_build of 49.
+
+
+
+
+
+
+
+
+
+
+
+
+ The EntityItemAccessListIPVersionType complex type restricts a
+ string value to a specific set of values: IPV4, IPV6 or IPV4_V6 (both). These values
+ describe if an ACL is for IPv4 or both for UACLs or IPv6 in a Cisco asa
+ configuration. The empty string is also allowed to support empty element associated
+ with error conditions.
+
+
+
+
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with error conditions.
+
+
+
+
+
+
+
+ The EntityItemAccessListUseType complex type restricts a string
+ value to a specific set of values: INTERFACE, INTERFACE_CP (control plane interface
+ ACL), CRYPTO_MAP_MATCH, CLASS_MAP_MATCH, ROUTE_MAP_MATCH, IGMP_FILTER, NONE. These
+ values describe the ACL use in a Cisco asa configuration. The empty string is also
+ allowed to support empty element associated with error
+ conditions.
+
+
+
+
+
+
+
+
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with error conditions.
+
+
+
+
+
+
+
+ The EntityItemAccessListInterfaceDirectionType complex type
+ restricts a string value to a specific set of values: IN, OUT. These values describe
+ the inbound or outbound ACL direction on an interface in a Cisco ASA configuration.
+ The empty string is also allowed to support empty element associated with error
+ conditions.
+
+
+
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with error conditions.
+
+
+
+
+
+
+
+ The EntityItemClassMapType complex type restricts a string
+ value to a specific set of values: INSPECT, REGEX, MANAGEMENT. These values describe
+ the MPF class-map types in Cisco ASA MPF configurations. The empty string is also
+ allowed to support empty element associated with error
+ conditions.
+
+
+
+
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with error conditions.
+
+
+
+
+
+
+
+ The EntityItemInspectionType complex type restricts a string
+ value to a specific set of values. These values describe the MPF inspection types of
+ class-map and policy-map configurations in Cisco ASA MPF configurations. The empty
+ string is also allowed to support empty element associated with error
+ conditions.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with error conditions.
+
+
+
+
+
+
+
+ The EntityItemApplyServicePolicyType complex type restricts a
+ string value to a specific set of values: GLOBAL, INTERFACE. These values describe
+ where a service-policy is applied in a Cisco ASA MPF configuration. The empty string
+ is also allowed to support empty element associated with error
+ conditions.
+
+
+
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with error conditions.
+
+
+
+
+
+
+
+ The EntityItemMatchType complex type restricts a string value
+ to a specific set of values: ANY, ALL. These values describe the match type of a
+ class-map in a Cisco ASA MPF configuration. The empty string is also allowed to
+ support empty element associated with error conditions.
+
+
+
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with error conditions.
+
+
+
+
+
+
+
+ The EntityItemSNMPVersionStringType complex type restricts a
+ string value to a specific set of values: 1, 2c, 3. These values describe the SNMP
+ version in a Cisco ASA configuration. The empty string is also allowed to support
+ empty element associated with error conditions.
+
+
+
+
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with error conditions.
+
+
+
+
+
+
+
+ The EntityItemSNMPSecLevelStringType complex type restricts a
+ string value to a specific set of values: PRIV, AUTH, NO_AUTH. These values describe
+ the SNMP security level (encryption, Authentication, None) in a Cisco ASA SNMPv3
+ related configurations. The empty string is also allowed to support empty element
+ associated with error conditions.
+
+
+
+
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with error conditions.
+
+
+
+
+
+
+
+ The EntityItemSNMPAuthStringType complex type restricts a
+ string value to a specific set of values: MD5, SHA. These values describe the
+ authentication algorithm in a Cisco ASA SNMPv3 related configurations. The empty
+ string is also allowed to support empty element associated with error
+ conditions.
+
+
+
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with error conditions.
+
+
+
+
+
+
+
+ The EntityItemSNMPPrivStringType complex type restricts a
+ string value to a specific set of values: DES, 3DES, AES128, AES192, and AES256.
+ These values describe the encryption algorithm in a Cisco ASA SNMPv3 related
+ configurations. The empty string is also allowed to support empty element associated
+ with error conditions.
+
+
+
+
+
+
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with error conditions.
+
+
+
+
+
+
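Review bot: the asa_minor_release description repeats the asa_major_release text word for word ("is the dotted version that starts a version string") even though its own example gives 2.3, the parenthesized middle of 8.4(2.3)49; reword it as the parenthesized version that follows the major release, otherwise two entities claim the same position in the string. Also in this hunk: "seperated parts" in the asa_version description, "the configured commends in the tcp-map" should be "commands", and "the SNMPv3 security configure for the group" should be "security configuration". The EntityItemAccessListIPVersionType sentence "describe if an ACL is for IPv4 or both for UACLs or IPv6" does not parse; map each value to its meaning (IPV4, IPV6, IPV4_V6 for both). Worth keeping as written: the SNMP enumerations list 1 and 2c next to 3, and MD5 and DES next to SHA and AES, which is exactly what a definition needs to flag community-string SNMP or weak SNMPv3 auth and privacy settings, so do not trim them to the recommended values.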
diff --git a/oval-schemas/catos-definitions-schema.xsd b/oval-schemas/catos-definitions-schema.xsd
new file mode 100644
index 0000000..0c9e289
--- /dev/null
+++ b/oval-schemas/catos-definitions-schema.xsd
@@ -0,0 +1,458 @@
+
+
+
+
+
+ The following is a description of the elements, types, and attributes that compose the Cisco CatOS specific tests found in Open Vulnerability and Assessment Language (OVAL). Each test is an extension of the standard test element defined in the Core Definition Schema. Through extension, each test inherits a set of elements and attributes that are shared amongst all OVAL tests. Each test is described in detail and should provide the information necessary to understand what each element and attribute represents. This document is intended for developers and assumes some familiarity with XML. A high level description of the interaction between the different tests and their relationship to the Core Definition Schema is not outlined here
+ This schema was originally developed by Yuzheng Zhou and Eric Grey at Hewlett-Packard. The OVAL Schema is maintained by the OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.cisecurity.org.
+
+ CatOS Definition
+ 5.11.1:1.1
+ 11/30/2016 09:00:00 AM
+ Copyright (c) 2016, Center for Internet Security. All rights reserved. The contents of this file are subject to the terms of the OVAL License located at https://oval.cisecurity.org/terms. See the OVAL License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the OVAL Schema, this license header must be included.
+
+
+
+
+
+
+
+
+
+
+ The line_test is used to check the properties of specific output lines from a SHOW command, such as show running-config. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a line_object and the optional state element specifies the data to check.
+
+
+ line_test
+ line_object
+ line_state
+ line_item
+
+
+
+
+
+ - the object child element of a line_test must reference a line_object
+
+
+ - the state child element of a line_test must reference a line_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The line_object element is used by a line_test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+ A line_object consists of a show_subcommand entity that is the name of a SHOW sub-command to be tested.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The name of a SHOW sub-command.
+
+
+
+
+
+
+
+
+
+
+
+
+ The line_state element defines the different information that can be used to evaluate the result of a specific SHOW sub-command. This includes the name of ths sub-command and the corresponding config line. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ The name of the SHOW sub-command.
+
+
+
+
+ The value returned from by the specified SHOW sub-command.
+
+
+
+
+
+
+
+
+
+
+
+
+ The module test reveals module information in Cisco Catalyst switches. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a module_object and the optional state element specifies the metadata to check.
+ The module_test is based off the SHOW MODULE command. Having a separate module_test, as opposed to a general command_test, enables running an evaluation based on OVAL without having interactive command access to the device.
+
+
+ module_test
+ module_object
+ module_state
+ module_item
+
+
+
+
+
+ - the object child element of a module_test must reference a module_object
+
+
+ - the state child element of a module_test must reference a module_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The module_object element is used by a module test to specify the module to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions schema.
+ A module object consists of a single module_number entity that identifies the module to be used.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ A number that identifies the a specific module.
+
+
+
+
+
+
+
+
+
+
+
+
+ The module_state element defines the module information held within a Cisco Catalyst switch. The module_number, type, and model element specifies the number, type and model of the module respectively. The software_major_release, software_individual_release and software_version_id elements specify the software version information of the module. For instance, if the software version is 8.5(4c)GLX, then software_major_release is 8.5GLX, software_individual_release is 4 and software_version_id is c. Similarly, the hardware_major_release, hardware_individual_release, firmware_major_release and firmware_individual_release elements reveal the hardware and firmware version information of the module.
+
+
+
+
+
+
+
+ A number that identifies the a specific module.
+
+
+
+
+ The type of module.
+
+
+
+
+ The model of a module.
+
+
+
+
+ The major relase of the software of a module to check for.
+
+
+
+
+ The individual release of the software of the module to check for.
+
+
+
+
+ The vesion id of the software of a module to check for.
+
+
+
+
+ The hardware major release of a module to check for.
+
+
+
+
+ The hardware individual release of a module to check for.
+
+
+
+
+ The major release of the firmware of a module to check for.
+
+
+
+
+ The individual release of the firmware of a module to check for.
+
+
+
+
+
+
+
+
+
+
+
+
+ The version55_test is used to check the version of the Cisco CatOS operating system. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a version_object and the optional state element specifies the data to check.
+ The required information of version55_test can be got via a SHOW VERSION command. The separated version55_test enables an evaluation based on OVAL without having interactive command access to the device.
+
+
+ version55_test
+ version55_object
+ version55_state
+ version_item
+
+
+
+
+
+ - the object child element of a version55_test must reference a version55_object
+
+
+ - the state child element of a version55_test must reference a version55_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The version55_object element is used by a version55_test to define the different version information associated with a Cisco CatOS system. There is actually only one object relating to version and this is the system as a whole. Therefore, there are no child entities defined. Any OVAL Test written to check version will reference the same version5_object which is basically an empty object element.
+
+
+
+
+
+
+
+
+
+ The version55_state element defines the version information held within a Cisco CatOS software release. The switch_series element specifies the Catalyst switch series. The image_name element specifies the name of the CatOS image. The catos_release element specifies the software version information of the module.
+
+
+
+
+
+
+
+ The switch_series entity defines a target Catalyst switch series to check for. Each version of CatOS traditionally has target a specific Catalyst series of switches.
+
+
+
+
+ The image_name entity defines a name of a CatOS image to check for.
+
+
+
+
+ The catos_release entity defines a release version of CatOS to check for.
+
+
+
+
+
+
+
+
+
+
+
+
+ The version test is used to check the version of the Cisco CatOS operating system. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a version_object and the optional state element specifies the data to check.
+ The required information of version_test can be got via a SHOW VERSION command. The separated version_test enables an evaluation based on OVAL without having interactive command access to the device.
+
+
+ version_test
+ version_object
+ version_state
+ version_item
+
+
+
+
+ 5.5
+ Replaced by the version55_test. Due to the fact it's not clear on how to separate the CatOS version, it was decided that the catos_major_release, catos_individual_release, and catos_version_id entities would be combined into a new single entity catos_release. A new test was created to reflect these changes. See the version55_test.
+ This test has been deprecated and will be removed in version 6.0 of the language.
+
+
+
+ DEPRECATED TEST: ID:
+
+
+
+
+
+
+ - the object child element of a version_test must reference a version_object
+
+
+ - the state child element of a version_test must reference a version_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The version_object element is used by a version test to define the different version information associated with a Cisco CatOS system. There is actually only one object relating to version and this is the system as a whole. Therefore, there are no child entities defined. Any OVAL Test written to check version will reference the same version_object which is basically an empty object element.
+
+
+ 5.5
+ Replaced by the version55_object. Due to the fact it's not clear on how to separate the CatOS version, it was decided that the catos_major_release, catos_individual_release, and catos_version_id entities would be combined into a new single entity catos_release. A new object was created to reflect these changes. See the version55_object.
+ This object has been deprecated and will be removed in version 6.0 of the language.
+
+
+
+ DEPRECATED OBJECT: ID:
+
+
+
+
+
+
+
+
+
+
+
+
+ The version_state element defines the version information held within a Cisco CatOS software release. The swtich_series element specifies the Catalyst switch series. The image_name element specifies the name of the CatOS image. The catos_major_release, catos_individual_release and catos_version_id elements specify the software version information of the module. For instance, if the CatOS version is 8.5(4c)GLX, then catos_major_release is 8.5GLX, catos_individual_release is 4 and catos_version_id is c.
+
+
+ 5.5
+ Replaced by the version55_state. Due to the fact it's not clear on how to separate the CatOS version, it was decided that the catos_major_release, catos_individual_release, and catos_version_id entities would be combined into a new single entity catos_release. A new state was created to reflect these changes. See the version55_state.
+ This state has been deprecated and will be removed in version 6.0 of the language.
+
+
+
+ DEPRECATED STATE: ID:
+
+
+
+
+
+
+
+
+
+
+ A Catalyst switch series to check for.
+
+
+
+
+ The name of a CatOS image to check for.
+
+
+
+
+ The major release of CatOS to check for.
+
+
+
+
+ The individual release of CatOS to check for.
+
+
+
+
+ The version id of Cat OS to check for.
+
+
+
+
+
+
+
+
+
+
+
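Review bot: the version55_test description says "The required object element references a version_object" and the version55_object description says tests "will reference the same version5_object"; both should read version55_object, matching the version55_object line in the same block and the deprecation notes that point users from version_object to version55_object. Also, module_state keeps the three-way split (software_major_release 8.5GLX, software_individual_release 4, software_version_id c for 8.5(4c)GLX) that the version_state deprecation note gives as the reason for collapsing catos_major_release, catos_individual_release and catos_version_id into catos_release ("it's not clear on how to separate the CatOS version"); either document why the module split is considered reliable or flag it the same way. Smaller points: "can be got via a SHOW VERSION command" (twice) reads better as "can be obtained via"; "identifies the a specific module" (twice), "the name of ths sub-command", "The value returned from by", "major relase", "vesion id", "swtich_series", "traditionally has target a specific Catalyst series", and the schema header sentence ending "is not outlined here" is missing its period.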
diff --git a/oval-schemas/catos-system-characteristics-schema.xsd b/oval-schemas/catos-system-characteristics-schema.xsd
new file mode 100644
index 0000000..cee1f21
--- /dev/null
+++ b/oval-schemas/catos-system-characteristics-schema.xsd
@@ -0,0 +1,197 @@
+
+
+
+
+ The following is a description of the elements, types, and attributes that compose the Cisco CatOS specific system characteristic items found in Open Vulnerability and Assessment Language (OVAL). Each item is an extension of the standard test element defined in the Core Definition Schema. Through extension, each test inherits a set of elements and attributes that are shared amongst all OVAL tests. Each test is described in detail and should provide the information necessary to understand what each element and attribute represents. This document is intended for developers and assumes some familiarity with XML. A high level description of the interaction between the different tests and their relationship to the Core Definition Schema is not outlined here.
+ This schema was originally developed by Yuzheng Zhou at Hewlett-Packard. The OVAL Schema is maintained by the OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.cisecurity.org.
+
+ CatOS System Characteristics
+ 5.11.1:1.1
+ 11/30/2016 09:00:00 AM
+ Copyright (c) 2016, Center for Internet Security. All rights reserved. The contents of this file are subject to the terms of the OVAL License located at https://oval.cisecurity.org/terms. See the OVAL License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the OVAL Schema, this license header must be included.
+
+
+
+
+
+
+
+
+
+
+ Stores the properties of specific lines in the catos config file.
+
+
+
+
+
+
+
+ The name of the SHOW sub-command.
+
+
+
+
+ The value returned from by the specified SHOW sub-command.
+
+
+
+
+
+
+
+
+
+
+
+
+ Stores results from SHOW MODULE command.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Stores results from SHOW VERSION command.
+
+
+
+
+
+
+
+ The switch_series entity specifies the target Catalyst switch series for the given version of CatOS.
+
+
+
+
+ The image_name entity specifies the name of the CatOS image.
+
+
+
+
+ The catos_release entity specifies the release version of CatOS.
+
+
+
+
+
+
+ 5.5
+ Due to the fact it's not clear on how to separate the CatOS version, it was decided that the catos_major_release, catos_individual_release, and catos_version_id entities would be combined into a new single entity catos_release. Therefore, the catos_major_release entity is no longer needed.
+ This entity has been deprecated and will be removed in version 6.0 of the language.
+
+
+
+ DEPRECATED ELEMENT: ID:
+
+
+
+
+
+
+
+
+
+ 5.5
+ Due to the fact it's not clear on how to separate the CatOS version, it was decided that the catos_major_release, catos_individual_release, and catos_version_id entities would be combined into a new single entity catos_release. Therefore, the catos_individual_release entity is no longer needed.
+ This entity has been deprecated and will be removed in version 6.0 of the language.
+
+
+
+ DEPRECATED ELEMENT: ID:
+
+
+
+
+
+
+
+
+
+ 5.5
+ Due to the fact it's not clear on how to separate the CatOS version, it was decided that the catos_major_release, catos_individual_release, and catos_version_id entities would be combined into a new single entity catos_release. Therefore, the catos_version_id entity is no longer needed.
+ This entity has been deprecated and will be removed in version 6.0 of the language.
+
+
+
+ DEPRECATED ELEMENT: ID:
+
+
+
+
+
+
+
+
+
+
+
+
+
+
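Review bot: the schema header says "Each item is an extension of the standard test element defined in the Core Definition Schema" and then talks about "each test" for the rest of the paragraph; this is the definitions-schema boilerplate carried over, and for a system-characteristics schema it should say that each item extends the standard item element and describe items, as the opening sentence ("system characteristic items") already does. The line_item description "Stores the properties of specific lines in the catos config file" also disagrees with its own entities (a SHOW sub-command and "The value returned from by the specified SHOW sub-command") and with the definitions side, which says line_test checks "output lines from a SHOW command"; align the wording and fix "from by". The module_item block between "Stores results from SHOW MODULE command." and "Stores results from SHOW VERSION command." carries no per-entity descriptions, while module_state in the definitions schema documents module_number, type, model and each software, hardware and firmware release field; add the matching descriptions here so the version split (8.5(4c)GLX) is documented where the item is collected.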
diff --git a/oval-schemas/esx-definitions-schema.xsd b/oval-schemas/esx-definitions-schema.xsd
new file mode 100644
index 0000000..c7a9db4
--- /dev/null
+++ b/oval-schemas/esx-definitions-schema.xsd
@@ -0,0 +1,561 @@
+
+
+
+
+
+ The following is a description of the elements, types, and attributes that compose the VMware ESX server specific tests found in Open Vulnerability and Assessment Language (OVAL). Each test is an extension of the standard test element defined in the Core Definition Schema. Through extension, each test inherits a set of elements and attributes that are shared amongst all OVAL tests. Each test is described in detail and should provide the information necessary to understand what each element and attribute represents. This document is intended for developers and assumes some familiarity with XML. A high level description of the interaction between the different tests and their relationship to the Core Definition Schema is not outlined here.
+ This schema was originally developed by Yuzheng Zhou and Todd Dolinsky at Hewlett-Packard. The OVAL Schema is maintained by the OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.cisecurity.org.
+
+ VMware ESX server Definition
+ 5.11.1:1.1
+ 11/30/2016 09:00:00 AM
+ Copyright (c) 2016, Center for Internet Security. All rights reserved. The contents of this file are subject to the terms of the OVAL License located at https://oval.cisecurity.org/terms. See the OVAL License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the OVAL Schema, this license header must be included.
+
+
+
+
+
+
+
+
+
+
+ The patch56_test reveals the installation status of a specific patch or patches in VMware ESX Server. This information can be retrieved by the "esxupdate query" command. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a patch56_object and the optional state element referencing a patch56_state specifies the metadata to check.
+ Note that different from previous versions, ESX Server 3.0.3 and ESX Server 3.5 use the following patch naming convention: {ProductName}{VersionNumber}-{BundleID}-{Classification}{SupportLevel}. Please refer to http://www.vmware.com/pdf/vi3_35/esx_3/r35/vi3_35_25_esxupdate.pdf for more detailed information.
+
+
+ patch56_test
+ patch56_object
+ patch56_state
+ patch_item
+
+
+
+
+
+ - the object child element of a patch56_test must reference a patch56_object
+
+
+ - the state child element of a patch56_test must reference a patch56_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The patch56_object element is used by a patch56_test to define those objects to be evaluated against a specified state. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+ A patch56_object consists of a single patch_name entity that identifies the patch to be checked.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The patch name entity indetifies a specific patch or set of patches to be checked on the system. For example: ESX-200603 or ESX350-200904401-BG. The value of this entity should correspond to the values returned under the "name" column of the "esxupdate query" command.
+
+
+
+
+
+
+
+
+
+
+
+
+ The patch56_state element defines the different information that can be used to evaluate the specified VMware ESX Serer patch. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ The patch_name entity indetifies the name of a patch to test for. For example: ESX-200603 or ESX350-200904401-BG. The value of this entity should correspond to the values returned under the "name" column of the "esxupdate query" command.
+
+
+
+
+ The knowledge_base_id entity specifies a given knowledge base article identifier number. This entity is valid for ESX versions 3.0.2 and earlier. It is comprised of the numerical string at the end of the patch name. For example, the patch ESX-200603 would have a knowledge base identifier of 200603.
+
+
+
+
+ The bundle_id entity specifies a unique ID for the patch. This entity is valid for ESX version 3.0.3 and version 3.5 and is comprised of the year and month the bundle was released and a 3-digit unique ID. It is in the format YYYYMM###. For example, the first patch released in January 2008 might have a BundleID of 200801001.
+
+
+
+
+ The classification entity specifies the type of patch. It can be one of: B - bug, U - update, S - security, or R - roll-up. This entity is valid for ESX version 3.0.3 and later.
+
+
+
+
+ The support_level entity specifies a support level to test for. If can be one of: G - GA patch, H - hot patch, D - debugging patch, or C - custom patch. This entity is valid for ESX version 3.0.3 and later.
+
+
+
+
+ The status entity specifies an installation status of a patch to test for. A value of 'true' is used to signify that a given patch is intalled.
+
+
+
+
+
+
+
+
+
+ The Patch56Behaviors complex type defines a number of behaviors that allow a more detailed definition of the patch56_object being specified. Note that using these behaviors may result in some unique results. For example, a double negative type condition might be created where an object entity says include everything except a specific item, but a behavior is used that might then add that item back in.
+
+
+
+ 'supersedence' specifies that the object should also match any superseding patches to the one being specified. In other words, if set to True the resulting object set would be the original patch specified plus any superseding patches. The default value is 'false' meaning the object should only match the specified patch.
+
+
+
+
+
+
+
+
+
+
+
+ The patch test reveals the installation status of a specific patch in the VMware ESX server. This information can be retrieved by the "esxupdate query | grep ESX-xxxxxxx" command. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a patch_object and the optional state element specifies the metadata to check.
+
+
+ patch_test
+ patch_object
+ patch_state
+ patch_item
+
+
+
+
+ 5.6
+ Replaced by the patch56_test. The deprecated patch_test has a bug where the patch name entity is defined as a string in the object yet is defined as an int in the state. Additional state entities have also been added to the new patch56_test.
+ This test has been deprecated and will be removed in version 6.0 of the language.
+
+
+
+ DEPRECATED TEST: ID:
+
+
+
+
+
+
+ - the object child element of a patch_test must reference a patch_object
+
+
+ - the state child element of a patch_test must reference a patch_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The patch_object element is used by a patch test to define those objects to be evaluated based on a specified state. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+ A patch_object consists of a single patch_number entity that identifies the patch to be checked.
+
+
+ 5.6
+ Replaced by the patch56_object. The deprecated patch_test has a bug where the patch name entity is defined as a string in the object yet is defined as an int in the state. Additional state entities have also been added to the new patch56_test.
+ This object has been deprecated and will be removed in version 6.0 of the language.
+
+
+
+ DEPRECATED OBJECT: ID:
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The patch_number entity identifies the patch to be checked. Many of the security bulletins for VMWARE ESX Server contain non-numerical characters in the patch number, therefore this entity has a datatype of string.
+
+
+
+
+
+
+
+
+
+
+
+ The patch_state element defines the information about a specific patch. The patch_number element identifies this patch, and the status element reveals the installation status of this patch in the VMware ESX server. For instance, after the "esxupdate query | grep ESX-2559638" command is run, the result is either a string similar to "ESX-2559638 15:27:17 04/05/07 Update info rpm for ESX 3.0.1." or empty.
+
+
+ 5.6
+ Replaced by the patch56_state. The deprecated patch_test has a bug where the patch name entity is defined as a string in the object yet is defined as an int in the state. Additional state entities have also been added to the new patch56_test.
+ This object has been deprecated and will be removed in version 6.0 of the language.
+
+
+
+ DEPRECATED STATE: ID:
+
+
+
+
+
+
+
+
+
+
+ This is the patch number of a specific patch which will be checked in current VMware ESX server. Many of the security bulletins for VMWARE ESX Server contain non-numerical characters in the patch nubmer, therefore this entity has a datatype of string.
+
+
+
+
+ This is the installation status of a specific patch in current VMware ESX server.
+
+
+
+
+
+
+
+
+
+ The PatchBehaviors complex type defines a number of behaviors that allow a more detailed definition of the patch_object being specified. Note that using these behaviors may result in some unique results. For example, a double negative type condition might be created where an object entity says include everything except a specific item, but a behavior is used that might then add that item back in.
+
+
+ 5.6
+ Replaced by Patch56Behaviors. The deprecated patch_test has a bug where the patch name entity is defined as a string in the object yet is defined as an int in the state. Additional state entities have also been added to the new patch56_test.
+ These behaviors have been deprecated and will be removed in version 6.0 of the language.
+
+
+
+
+
+ 'supersedence' specifies that the object should also match any superseding patches to the one being specified. In other words, if set to True the resulting object set would be the original patch specified plus any superseding patches. The default value is 'false' meaning the object should only match the specified patch.
+
+
+
+
+
+
+
+
+
+
+
+ The version test reveals information about the release and build version of the VMware ESX server. This information can be retrieved by the "vmware -v" command or by checking the /proc/vmware/version file. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a version_object and the optional state element specifies the metadata to check.
+
+
+ version_test
+ version_object
+ version_state
+ version_item
+
+
+
+
+
+ - the object child element of a version_test must reference a version_object
+
+
+ - the state child element of a version_test must reference a version_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The version_object element is used by a version test to define those objects to be evaluated based on a specified state. There is actually only one object relating to version and this is the ESX server as a whole. Therefore, there are no child entities defined. Any OVAL Test written to check version will reference the same version_object which is basically an empty object element.
+
+
+
+
+
+
+
+
+
+ The version_state element defines the information about the release and build version. The release and build elements specify the release and build information of the VMware ESX server respectively. For instance, if the output of "vmware -v" command is "VMware ESX Server 3.0.1 build-39823", then release is equal to "3.0.1" and build is equal to "39823".
+
+
+
+
+
+
+
+ This is the release version of current VMware ESX server.
+
+
+
+
+ This is the build version of current VMware ESX server.
+
+
+
+
+
+
+
+
+
+
+
+
+ The visdkmanagedobject_test is used to check information about Managed Objects in the VMware Infrastructure. This test extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a visdkmanagedobject _object and the optional state element specifies the metadata to check.
+ This test has been introduced to enable standardized automated assessments of configuration settings in cloud computing components. All aspects of the VMware cloud can be considered in this test due to the VMware Infrastructure. Whether it is a Virutal Machine, a Host System, or even a Data Center, properties are defined in ways that can be enumerated in a common methodology. The VI SDK Programming Guide located at http://www.vmware.com/support/developer/vc-sdk/visdk400pubs/sdk40programmingguide.pdf serves as a great resource. Chapter 3 discusses the Managed Entities enumerated in the behaviors.
+ There are several Managed Entities in the VMware Infrastructure which have been enumerated in ViSdkManagedEntityBehaviors to enable interpreters to execute efficient interrogations. This test is designed for an interpreter to access Managed Entity properties (settings) via the VI SDK webservice. An example use case is to interrogate all virtual machines to ensure that a particular security setting is enabled. Some properties serve to configure the Virtual Machine, while others can be used to identify. For example, sets and filters can be used to create a set of all Virtual Machines where bridged networking is employed, and then perform an OVAL state evaluation against each of those Virtual Machines. This concept applies to all properties across all Managed Entities. Use the ViSdkManagedEntityBehaviors to avoid enumerating all Managed Objects when only one type should be considered.
+
+
+ visdkmanagedobject_test
+ visdkmanagedobject_object
+ visdkmanagedobject_state
+ visdkmanagedobject_item
+
+
+
+
+
+ - the object child element of a visdkmanagedobject_test must reference a visdkmanagedobject_object
+
+
+ - the state child element of a visdkmanagedobject_test must reference a visdkmanagedobject_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The visdkmanagedobject_object element is used by the visdkmanagedobject_test to define those objects to be evaluated based on a specified state.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The property entity holds a string that represents the object path path and name of a particular setting for the Managed Entity. In the VMware Infrastructure SDK, property names are case-sensitive and thus case must be correct relative to the properties in the SDK. For example, a Virtual Machine might have ethernet0.connectionType of 'bridged'.
+
+
+
+
+
+
+
+
+
+
+
+
+ The visdkmanagedobject_state elements enumerates the different properties a Managed Entity might have. Managed Entities have the same object structure. However, fields within that object structure will be blank (null) if they do not apply to that Managed Entity.
+
+
+
+
+
+
+
+ The property entity holds a string that represents the object path and name of a particular setting for the Managed Entity. In the VMware Infrastructure SDK, property names are case-sensitive and thus case must be correct relative to the properties in the SDK. For example, a Virtual Machine might have ethernet0.connectionType of 'bridged'.
+
+
+
+
+ The value entity holds a string that represents a value that's associated with the specified setting for the Managed Entity. Some properties will return an array of values. In such cases consider each value individually and then make final evaluation based on the entity_check attribute.
+
+
+
+
+
+
+
+
+
+ The ViSdkManagedEntityBehaviors complex type defines a number of behaviors that allow a more detailed definition of the visdkmanagedobject_object being specified. Note that using these behaviors is *highly* encouraged because enumerating all Managed Objects in an inventory hierarchy could cause performance problems. Interpreters should enumerate only the entities specified by the behavior prior to set/filter logic and evaluation.
+
+
+
+ The 'managed_entity_type' defines the type of managed object from which the property and value should be collected.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The EntityStateClassificationType complex type restricts a string value to a specific set of values that describe the classification of a given ESX Server patch. The empty string is also allowed to support an empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+
+
+
+
+ Bug patches fix minor flaws that affect product functionality or behavior. Bug patches are optional. Before they are applied, one should determine whether they are necessary for your environment.
+
+
+
+
+ Roll‐up patches contain any number of bundles for ESX Server 3.0.3 or ESX Server 3.5 hosts. They can contain bug patches, update patches, and security patches. They do not contain upgrade bundles for minor releases or update bundles for maintenance releases.
+
+
+
+
+ Security patches fix one or more potential security vulnerabilities in the product. They should be implemented immediately to prevent the vulnerabilities from being exploited.
+
+
+
+
+ Update patches can contain new driver updates and small non‐intrusive enhancements. Before they are applied, one should determine whether they are necessary for your environment.
+
+
+
+
+ The empty string is also allowed to support an empty element associated with variable references.
+
+
+
+
+
+
+
+ The EntityStateSupportLevelType complex type restricts a string value to a specific set of values that describe the support level of a given ESX Server patch. The empty string is also allowed to support an empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+
+
+
+
+ Custom patches are special fixes provided to a customer. They are usually specific to customer's environment, and are most likely not required by customers not reporting the issue. Custom patches have been tested in the customer's environment.
+
+
+
+
+ Debugging patches are released to all customers and are used by VMware to troubleshoot complex product issues. They can contain debug messages and code, and drivers. Debugging patches usually require VMware assistance to install.
+
+
+
+
+ GA patches are released to all customers and have been thoroughly tested. They contain fixes for ESX Server 3 software issues.
+
+
+
+
+ Hot patches are released to specific customers for solving critical problems specific to their environment. They contain fixes for security issues or problems that can potentially cause data loss or severe service disruptions. Hot patches should be implemented immediately.
+
+
+
+
+ The empty string is also allowed to support an empty element associated with variable references.
+
+
+
+
+
+
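Review bot: the visdkmanagedobject_test description splits the object name with a stray space ("references a visdkmanagedobject _object"); it should read visdkmanagedobject_object so the text matches the element name used in the object and state descriptions that follow. In the same hunk the object's property entity documentation repeats a word ("the object path path and name"), the state description has a subject/verb mismatch ("The visdkmanagedobject_state elements enumerates"), and the rationale paragraph spells "Virutal Machine". The EntityStateClassificationType documentation uses a Unicode hyphen in "Roll‐up patches" and "non‐intrusive" where the rest of the file uses ASCII '-' (compare "R - roll-up" in the system-characteristics schema); normalising to ASCII keeps the XSD portable across editors and encodings. Also decide whether the markdown-style "*highly* encouraged" in the ViSdkManagedEntityBehaviors description is intended, since the asterisks will render literally in generated schema documentation.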
diff --git a/oval-schemas/esx-system-characteristics-schema.xsd b/oval-schemas/esx-system-characteristics-schema.xsd
new file mode 100644
index 0000000..a4076b0
--- /dev/null
+++ b/oval-schemas/esx-system-characteristics-schema.xsd
@@ -0,0 +1,210 @@
+
+
+
+
+
+ The following is a description of the elements, types, and attributes that compose the VMware ESX server specific system characteristic items found in Open Vulnerability and Assessment Language (OVAL). Each item is an extension of the standard test element defined in the Core Definition Schema. Through extension, each test inherits a set of elements and attributes that are shared amongst all OVAL tests. Each test is described in detail and should provide the information necessary to understand what each element and attribute represents. This document is intended for developers and assumes some familiarity with XML. A high level description of the interaction between the different tests and their relationship to the Core Definition Schema is not outlined here.
+ This schema was originally developed by Yuzheng Zhou and Todd Dolinsky at Hewlett-Packard. The OVAL Schema is maintained by the OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.cisecurity.org.
+
+ VMware ESX server System Characteristics
+ 5.11.1:1.1
+ 11/30/2016 09:00:00 AM
+ Copyright (c) 2016, Center for Internet Security. All rights reserved. The contents of this file are subject to the terms of the OVAL License located at https://oval.cisecurity.org/terms. See the OVAL License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the OVAL Schema, this license header must be included.
+
+
+
+
+
+
+
+
+
+
+ Installation information about a specific patch in the VMware ESX server. This information can be retrieved by the "esxupdate query | grep ESX-xxxxxxx" command.
+
+
+
+
+
+
+
+ This is the patch number which identifies the patch being checked in current VMware ESX server. Many of the security bulletins for VMWARE ESX Server contain non-numerical characters in the patch number, therefore this entity has a datatype of string.
+
+
+ 5.6
+ The deprecated patch_test has a bug where the patch name entity is defined as a string in the object yet is defined as an int in the state. Additional state entities have also been added to the new patch56_test.
+ This item has been deprecated and will be removed in version 6.0 of the language.
+
+
+
+ DEPRECATED ELEMENT: ID:
+
+
+
+
+
+
+
+ The patch_name entity indetifies the name of the patch. For example: ESX-200603 or ESX350-200904401-BG. The value of this entity should correspond to the values returned under the "name" column of the "esxupdate query" command.
+
+
+
+
+ The knowledge_base_id entity specifies the knowledge base article identifier number associated with a given patch from ESX versions 3.0.2 and earlier. It is comprised of the numerical string at the end of the patch name. For example, the patch ESX-200603 would have a knowledge base identifier of 200603. For patches from ESX version 3.0.3 and later, the patch name uses a different format and does not include the knowledge base id. This entity should be marked with a status of 'does not exist' in those cases.
+
+
+
+
+ The bundle_id entity specifies the unique ID for the patch. Note that for version 3.0.3 and version 3.5 this is comprised of the year and month the bundle was released and a 3-digit unique ID. It is in the format YYYYMM###. For example, the first patch released in January 2008 might have a BundleID of 200801001. For patches from ESX version 3.0.2 and earlier, this entity should be marked with a status of 'does not exist' since patch name has a different format and doesn't include a bundle id.
+
+
+
+
+ The classification entity specifies the type of patch. It can be one of: B - bug, U - update, S - security, or R - roll-up. For patches from ESX version 3.0.2 and earlier, this entity should be marked with a status of 'does not exist' since patch name has a different format and doesn't include a classification.
+
+
+
+
+ The support_level entity specifies the support level of the patch. If can be one of: G - GA patch, H - hot patch, D - debugging patch, or C - custom patch. For patches from ESX version 3.0.2 and earlier, this entity should be marked with a status of 'does not exist' since patch name has a different format and doesn't include a support level.
+
+
+
+
+ This is the installtaion status of the specific patch.
+
+
+
+
+
+
+
+
+
+
+
+
+ Information about the release and build version of VMware ESX server. This information can be retrieved by the "vmware -v" command or by checking the /proc/vmware/version file.
+
+
+
+
+
+
+
+ This is the release of current VMware ESX server.
+
+
+
+
+ This is the build version of current VMware ESX server.
+
+
+
+
+
+
+
+
+
+
+
+
+ The visdkmanagedobject_item is used to represent information about Managed Objects in the VMware Infrastructure.
+
+
+
+
+
+
+
+ The property entity holds a string that represents the object path and name of a particular setting for the Managed Entity. In the VMware Infrastructure SDK, property names are case-sensitive and thus case must be correct relative to the properties in the SDK. For example, a Virtual Machine might have ethernet0.connectionType of 'bridged'.
+
+
+
+
+ The value entity holds a string that represents a value that's associated with the specified setting for the Managed Entity. Some properties will return an array of values. In such cases consider each value individually and then make final evaluation based on the entity_check attribute.
+
+
+
+
+
+
+
+
+
+
+
+
+ The EntityItemClassificationType complex type restricts a string value to a specific set of values that describe the classification of a given ESX Server patch. The empty string is also allowed to support empty elements associated with error conditions.
+
+
+
+
+
+ Bug patches fix minor flaws that affect product functionality or behavior. Bug patches are optional. Before they are applied, one should determine whether they are necessary for your environment.
+
+
+
+
+ Roll‐up patches contain any number of bundles for ESX Server 3.0.3 or ESX Server 3.5 hosts. They can contain bug patches, update patches, and security patches. They do not contain upgrade bundles for minor releases or update bundles for maintenance releases.
+
+
+
+
+ Security patches fix one or more potential security vulnerabilities in the product. They should be implemented immediately to prevent the vulnerabilities from being exploited.
+
+
+
+
+ Update patches can contain new driver updates and small non‐intrusive enhancements. Before they are applied, one should determine whether they are necessary for your environment.
+
+
+
+
+ The empty string value is permitted here to allow for detailed error reporting.
+
+
+
+
+
+
+
+ The EntityItemSupportLevelType complex type restricts a string value to a specific set of values that describe the support level of a given ESX Server patch. The empty string is also allowed to support empty elements associated with error conditions.
+
+
+
+
+
+ Custom patches are special fixes provided to a customer. They are usually specific to customer's environment, and are most likely not required by customers not reporting the issue. Custom patches have been tested in the customer's environment.
+
+
+
+
+ Debugging patches are released to all customers and are used by VMware to troubleshoot complex product issues. They can contain debug messages and code, and drivers. Debugging patches usually require VMware assistance to install.
+
+
+
+
+ GA patches are released to all customers and have been thoroughly tested. They contain fixes for ESX Server 3 software issues.
+
+
+
+
+ Hot patches are released to specific customers for solving critical problems specific to their environment. They contain fixes for security issues or problems that can potentially cause data loss or severe service disruptions. Hot patches should be implemented immediately.
+
+
+
+
+ The empty string value is permitted here to allow for detailed error reporting.
+
+
+
+
+
+
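Review bot: the version_item release entity text ("This is the release of current VMware ESX server.") drifts from the matching version_state text in the definitions schema ("This is the release version of current VMware ESX server."); the two sides should use identical wording so generated documentation lines up. Typos to fix before merge: "indetifies" in the patch_name entity, "installtaion" in the installation status entity, "If can be one of" in the support_level entity (should be "It can"), and "VMWARE ESX Server" where the rest of the file writes "VMware". The header boilerplate, "Each item is an extension of the standard test element defined in the Core Definition Schema", is copied from the definitions schema and goes on to talk about "each test"; in a system-characteristics file this paragraph should describe items, not tests. The same Unicode hyphen in "Roll‐up" and "non‐intrusive" appears here as in the definitions schema.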
diff --git a/oval-schemas/evaluation-ids.xsd b/oval-schemas/evaluation-ids.xsd
new file mode 100644
index 0000000..446417a
--- /dev/null
+++ b/oval-schemas/evaluation-ids.xsd
@@ -0,0 +1,36 @@
+
+
+
+ This schema defines an xml format for inputing a set of OVAL Definition ids into the reference OVAL Interpreter for evaluation.
+
+ OVAL Definition Interpreter - Evaluation Id Schema
+ 5.11.2
+ 11/30/2016 09:00:00 AM
+ Copyright (c) 2016, Center for Internet Security. All rights reserved. The contents of this file are subject to the terms of the OVAL License located at https://oval.cisecurity.org/terms. See the OVAL License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the OVAL Schema, this license header must be included.
+
+
+
+
+
+ The evaluation-definition-ids element is the root the Document. Its purpose is to bind together the a set of definition elements.
+
+
+
+
+
+ Each definition represents the id of a definition to be evaluated.
+
+
+
+
+
+
+ Enforce uniqueness amongst the definition ids found in the document.
+
+
+
+
+
+
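Review bot: the schema version for evaluation-ids.xsd is "5.11.2" while every other schema file in this commit carries "5.11.1:1.1" with the same 11/30/2016 date; confirm the intended version string so the release is consistent. Wording fixes in the documentation: "inputing" should be "inputting", and "The evaluation-definition-ids element is the root the Document. Its purpose is to bind together the a set of definition elements." should read "the root of the document" and "bind together a set of definition elements".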
diff --git a/oval-schemas/freebsd-definitions-schema.xsd b/oval-schemas/freebsd-definitions-schema.xsd
new file mode 100644
index 0000000..4caf059
--- /dev/null
+++ b/oval-schemas/freebsd-definitions-schema.xsd
@@ -0,0 +1,159 @@
+
+
+
+
+
+ The following is a description of the elements, types, and attributes that compose the FreeBSD specific tests found in Open Vulnerability and Assessment Language (OVAL). Each test is an extension of the standard test element defined in the Core Definition Schema. Through extension, each test inherits a set of elements and attributes that are shared amongst all OVAL tests. Each test is described in detail and should provide the information necessary to understand what each element and attribute represents. This document is intended for developers and assumes some familiarity with XML. A high level description of the interaction between the different tests and their relationship to the Core Definition Schema is not outlined here.
+ The OVAL Schema is maintained by the OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.cisecurity.org.
+
+ FreeBSD Definition
+ 5.11.1:1.1
+ 11/30/2016 09:00:00 AM
+ Copyright (c) 2016, Center for Internet Security. All rights reserved. The contents of this file are subject to the terms of the OVAL License located at https://oval.cisecurity.org/terms. See the OVAL License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the OVAL Schema, this license header must be included.
+
+
+
+
+
+
+
+
+
+
+
+ The port info test is used to check the properties of a component of a FreeBSD system. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references an portinfo_object and the optional state element specifies the data to check.
+
+
+ portinfo_test
+ portinfo_object
+ portinfo_state
+ portinfo_item
+
+
+
+
+
+ - the object child element of a portinfo_test must reference an portinfo_object
+
+
+ - the state child element of a portinfo_test must reference an portinfo_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The portinfo_object element is used by a port info test to define the specific FreeBSD package to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+ A port info object consists of a single pkginst element that identifies a specific package.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The portinfo_state element defines the different information that can be used to evaluate the specified package. This includes the name, category, version, vendor, and description. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+
+
+
+
+
+ The name of a package.
+
+
+
+
+
+
+
+
+
+ The version of a package.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
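Review bot: the portinfo_state description claims the state covers "the name, category, version, vendor, and description", but only the name and version entities carry documentation text in this hunk; either annotate the remaining entities or trim the description so it matches what the schema actually exposes. The portinfo_object description says the object "consists of a single pkginst element", yet no documentation for a pkginst entity appears in the object section; the entity and its description should be aligned. Article errors: "an portinfo_object" and "an portinfo_state" in the test description and in both assertion texts should read "a portinfo_object" / "a portinfo_state".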
diff --git a/oval-schemas/freebsd-system-characteristics-schema.xsd b/oval-schemas/freebsd-system-characteristics-schema.xsd
new file mode 100644
index 0000000..b2a2f4d
--- /dev/null
+++ b/oval-schemas/freebsd-system-characteristics-schema.xsd
@@ -0,0 +1,88 @@
+
+
+
+
+
+ The following is a description of the elements, types, and attributes that compose the FreeBSD specific system characteristic items found in Open Vulnerability and Assessment Language (OVAL). Each item is an extension of the standard test element defined in the Core Definition Schema. Through extension, each test inherits a set of elements and attributes that are shared amongst all OVAL tests. Each test is described in detail and should provide the information necessary to understand what each element and attribute represents. This document is intended for developers and assumes some familiarity with XML. A high level description of the interaction between the different tests and their relationship to the Core Definition Schema is not outlined here.
+ The OVAL Schema is maintained by the OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.cisecurity.org.
+
+ FreeBSD System Characteristics
+ 5.11.1:1.1
+ 11/30/2016 09:00:00 AM
+ Copyright (c) 2016, Center for Internet Security. All rights reserved. The contents of this file are subject to the terms of the OVAL License located at https://oval.cisecurity.org/terms. See the OVAL License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the OVAL Schema, this license header must be included.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
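Review bot: apart from the header, this hunk contains no documentation text at all; the portinfo_item and its entities are declared without any annotation, while the matching definitions schema documents each entity. Add documentation for the item and every entity so the system-characteristics side is self-describing. The header also reuses the definitions-schema boilerplate "Each item is an extension of the standard test element defined in the Core Definition Schema" and then speaks of "each test"; for a system-characteristics file this paragraph should describe items, not tests.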
diff --git a/oval-schemas/hpux-definitions-schema.xsd b/oval-schemas/hpux-definitions-schema.xsd
new file mode 100644
index 0000000..63d2e31
--- /dev/null
+++ b/oval-schemas/hpux-definitions-schema.xsd
@@ -0,0 +1,859 @@
+
+
+
+
+
+ The following is a description of the elements, types, and attributes that compose the HP-UX specific tests found in Open Vulnerability and Assessment Language (OVAL). Each test is an extension of the standard test element defined in the Core Definition Schema. Through extension, each test inherits a set of elements and attributes that are shared amongst all OVAL tests. Each test is described in detail and should provide the information necessary to understand what each element and attribute represents. This document is intended for developers and assumes some familiarity with XML. A high level description of the interaction between the different tests and their relationship to the Core Definition Schema is not outlined here.
+ The OVAL Schema is maintained by the OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.cisecurity.org.
+
+ HP-UX Definition
+ 5.11.1:1.1
+ 11/30/2016 09:00:00 AM
+ Copyright (c) 2016, Center for Internet Security. All rights reserved. The contents of this file are subject to the terms of the OVAL License located at https://oval.cisecurity.org/terms. See the OVAL License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the OVAL Schema, this license header must be included.
+
+
+
+
+
+
+
+
+
+
+ From /usr/bin/getconf. See getconf manpage for specific fields
+
+
+ getconf_test
+ getconf_object
+ getconf_state
+ getconf_item
+
+
+
+
+
+ - the object child element of an getconf_test must reference an getconf_object
+
+
+ - the state child element of an getconf_test must reference an getconf_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ This is the parameter name to check.
+
+
+
+
+ This is the pathname to check. Note that pathname is optional in the getconf call. A nil pathname ( empty wth attribute xsi:nil='true') in OVAL should be interpreted as if it was not supplied to the getconf call.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ This is the parameter name to check
+
+
+
+
+ This is the pathname to check. Note that pathname is optional in the getconf call. A nil pathname in OVAL should be interpreted as if it was not supplied to the getconf call.
+
+
+
+
+ The output produced by the getconf command.
+
+
+
+
+
+
+
+
+
+
+
+
+ From /usr/bin/ndd. See ndd manpage for specific fields
+
+
+ ndd_test
+ ndd_object
+ ndd_state
+ ndd_item
+
+
+
+
+
+ - the object child element of an ndd_test must reference an ndd_object
+
+
+ - the state child element of an ndd_test must reference an ndd_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The name of the device to examine.
+
+
+
+
+ The name of the parameter, For example, ip_forwarding.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The name of the device to examine.
+
+
+
+
+ The name of the parameter, For example, ip_forwarding.
+
+
+
+
+ The value of the named parameter.
+
+
+
+
+
+
+
+
+
+
+
+
+ From /usr/sbin/swlist -l patch PHxx_yyyyy. See swlist manpage for specific fields
+
+
+ patch53_test
+ patch53_object
+ patch53_state
+ patch_item
+
+
+
+
+
+ - the object child element of an patch53_test must reference an patch53_object
+
+
+ - the state child element of an patch53_test must reference an patch53_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ HP-UX patch names begin with 'PH'
+
+
+
+
+ The third and fourth characters in HP-UX patch names indicate the area of software being patched. CO - General HP-UX commands KL - Kernel patches NE - Network specific patches SS - All other subsystems (X11, starbase, etc.)
+
+
+
+
+ The sixth through tenth characters in HP-UX patch names represent a unique numeric identifier for the patch
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ HP-UX patch names begin with 'PH'
+
+
+
+
+ The third and fourth characters in HP-UX patch names indicate the area of software being patched. CO - General HP-UX commands KL - Kernel patches NE - Network specific patches SS - All other subsystems (X11, starbase, etc.)
+
+
+
+
+ The sixth through tenth characters in HP-UX patch names represent a unique numeric identifier for the patch
+
+
+
+
+
+
+
+
+
+ The Patch53Behaviors complex type defines a number of behaviors that allow a more detailed definition of the patch53_object being specified. Note that using these behaviors may result in some unique results. For example, a double negative type condition might be created where an object entity says include everything except a specific item, but a behavior is used that might then add that item back in.
+
+
+
+ 'supersedence' specifies that the object should also match any superseding patches to the one being specified. In other words, if set to True the resulting object set would be the original patch specified plus any superseding patches. The default value is 'false' meaning the object should only match the specified patch.
+
+
+
+
+
+
+
+
+
+
+
+ From /usr/sbin/swlist -l patch PHxx_yyyyy. See swlist manpage for specific fields
+
+
+ patch_test
+ patch_object
+ patch_state
+ patch_item
+
+
+
+
+ 5.3
+ Replaced by the patch53_test. The patch_name entity was removed from the patch_object element, and replaced with the swtype, area_patched, and patch_base entities, because the patch_name element can be constructed from the swtype, area_patched, and patch_base entities. Likewise, the patch_name entity was removed from the patch_state element for the same reason. Also, a behaviors entity was added to the patch_object to allow the object to match both the original patch and any superseding patches. A new test was created to reflect these changes. See the patch53_test.
+ This test has been deprecated and will be removed in version 6.0 of the language.
+
+
+
+ DEPRECATED TEST: ID:
+
+
+
+
+
+
+ - the object child element of an patch_test must reference an patch_object
+
+
+ - the state child element of an patch_test must reference an patch_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 5.3
+ Replaced by the patch53_object. The patch_name entity was removed from the patch_object element, and replaced with the swtype, area_patched, and patch_base entities, because the patch_name element can be constructed from the swtype, area_patched, and patch_base entities. Also, a behaviors entity was added to the patch_object to allow the object to match both the original patch and any superseding patches. A new object was created to reflect these changes. See the patch53_object.
+ This object has been deprecated and will be removed in version 6.0 of the language.
+
+
+
+ DEPRECATED OBJECT: ID:
+
+
+
+
+
+
+
+
+
+
+
+
+ This is the patch name to check.
+
+
+
+
+
+
+
+
+
+
+
+
+ 5.3
+ Replaced by the patch53_state. The patch_name entity was removed from the patch_state element, and replaced with the swtype, area_patched, and patch_base entities, because the patch_name element can be constructed from the swtype, area_patched, and patch_base entities. A new state was created to reflect these changes. See the patch53_state.
+ This state has been deprecated and will be removed in version 6.0 of the language.
+
+
+
+ DEPRECATED STATE: ID:
+
+
+
+
+
+
+
+
+
+
+ This is the patch name to check
+
+
+
+
+ HP-UX patch names begin with 'PH'
+
+
+
+
+ The third and fourth characters in HP-UX patch names indicate the area of software being patched. CO - General HP-UX commands KL - Kernel patches NE - Network specific patches SS - All other subsystems (X11, starbase, etc.)
+
+
+
+
+ The sixth through tenth characters in HP-UX patch names represent a unique numeric identifier for the patch
+
+
+
+
+
+
+
+
+
+
+
+
+ Output of /usr/sbin/swlist command. Note: A quick way to check for the installation of a specific fileset is to use the command 'swlist -a version -l fileset filesetname'. See manpage for swlist for explanation of additional command options.
+
+
+ swlist_test
+ swlist_object
+ swlist_state
+ swlist_item
+
+
+
+
+
+ - the object child element of an swlist_test must reference an swlist_object
+
+
+ - the state child element of an swlist_test must reference an swlist_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ This is the name of the bundle or fileset to check.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ This is the name of the bundle or fileset to check.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ This test allows for analysis of account settings in trusted HP-UX installations
+
+
+ trusted_test
+ trusted_object
+ trusted_state
+ trusted_item
+
+
+
+
+
+ - the object child element of an trusted_test must reference an trusted_object
+
+
+ - the state child element of an trusted_test must reference an trusted_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ This is the name of the user being checked.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ This is the name of the user being checked
+
+
+
+
+ The user's ID
+
+
+
+
+ This is the encrypted version of the user's password
+
+
+
+
+ The Account owner for pseudo-users
+
+
+
+
+ Boot authorization
+
+
+
+
+ getprpwaid uses the audit ID rather than the UID
+
+
+
+
+
+
+
+
+
+ Minimum time between password changes
+
+
+
+
+ Maximum password length in characters
+
+
+
+
+ Password expiration time in seconds
+
+
+
+
+ Trusted lifetime, after which the account is locked
+
+
+
+
+ Time of last successful password change
+
+
+
+
+ Time of last unsuccessful password change
+
+
+
+
+ Absolute account lifetime in seconds
+
+
+
+
+ Maximum time allowed between logins before the account is locked
+
+
+
+
+ The time in seconds before expiration when a warning will appear
+
+
+
+
+ Who can change this user's password
+
+
+
+
+ Allows user to use system-generated passwords
+
+
+
+
+ Whether a triviality check is performed on user-generated passwords
+
+
+
+
+ Determines if null passwords are allowed for this account
+
+
+
+
+ Allows password generator to use random printable ASCII characters
+
+
+
+
+ Allows password generator to use random letters
+
+
+
+
+ Specifies the times when the user may login to this account
+
+
+
+
+ The user ID of the user who last changed the password on the user's account, if it was not the account owner
+
+
+
+
+ The time of the last successful login using this account
+
+
+
+
+ The time of the last unsuccessful login using this account
+
+
+
+
+ The terminal or remote host associated with the last successful login to the account
+
+
+
+
+ The terminal or remote hosts associated with the last unsuccessful login to the account
+
+
+
+
+ The number of unsuccessful login attempts since that last successful login
+
+
+
+
+ The maximum number of unsuccessful login attempts before the account is locked
+
+
+
+
+ Indicates whether the administrative lock on the account is set
+
+
+
+
+
+
+
+
+
+
+
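Review bot: the trusted_state in this hunk documents an entity as "This is the encrypted version of the user's password" with no handling guidance; any definition that references it causes the password hash to be collected into system-characteristics and results documents, so the description should state that output containing this entity is sensitive and must be protected like the protected password database itself. The same hunk has related documentation gaps: the patch_state deprecation text says the patch_name entity "was removed from the patch_state element", yet the deprecated state still lists "This is the patch name to check" next to swtype, area_patched and patch_base, so the sentence should say patch_name is absent from the new patch53_state rather than removed from this one; the trusted_state interval entities are inconsistent about units (the minimum time between password changes, the trusted lifetime and the maximum time between logins give none, while the expiration time and absolute lifetime say "in seconds"), and each should state its unit; and the line "getprpwaid uses the audit ID rather than the UID" describes a library call instead of the entity, so it should say which value the entity holds. Minor grammar: "an swlist_test" and "an trusted_test" should be "a swlist_test" / "a trusted_test", and "since that last successful login" should read "since the last successful login".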
diff --git a/oval-schemas/hpux-system-characteristics-schema.xsd b/oval-schemas/hpux-system-characteristics-schema.xsd
new file mode 100644
index 0000000..64cc9fc
--- /dev/null
+++ b/oval-schemas/hpux-system-characteristics-schema.xsd
@@ -0,0 +1,353 @@
+
+
+
+
+
+ The following is a description of the elements, types, and attributes that compose the HP-UX specific system characteristic items found in Open Vulnerability and Assessment Language (OVAL). Each item is an extension of the standard item element defined in the Core System Characteristic Schema. Through extension, each item inherits a set of elements and attributes that are shared amongst all OVAL Items. Each item is described in detail and should provide the information necessary to understand what each element and attribute represents. This document is intended for developers and assumes some familiarity with XML. A high level description of the interaction between the different tests and their relationship to the Core System Characteristic Schema is not outlined here.
+ The OVAL Schema is maintained by the OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.cisecurity.org.
+
+ HP-UX System Characteristics
+ 5.11.1:1.1
+ 11/30/2016 09:00:00 AM
+ Copyright (c) 2016, Center for Internet Security. All rights reserved. The contents of this file are subject to the terms of the OVAL License located at https://oval.cisecurity.org/terms. See the OVAL License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the OVAL Schema, this license header must be included.
+
+
+
+
+
+
+
+
+
+
+ These items contain getconf items.
+
+
+
+
+
+
+
+ This is the parameter name to check
+
+
+
+
+ This is the pathname to check
+
+
+
+
+ The output produced by the getconf command.
+
+
+
+
+
+
+
+
+
+
+
+
+ This item represents data collected by the ndd command.
+
+
+
+
+
+
+
+ The name of the device for which the parameter was collected.
+
+
+
+
+ The name of a parameter for example, ip_forwarding
+
+
+
+
+ The observed value of the named parameter.
+
+
+
+
+
+
+
+
+
+
+
+
+ From /usr/sbin/swlist -l patch PHxx_yyyyy. See swlist manpage for specific fields
+
+
+
+
+
+
+
+ This is the patch name to check.
+
+
+
+
+ HP-UX patch names begin with 'PH'
+
+
+
+
+ The third and fourth characters in HP-UX patch names indicate the area of software being patched. CO - General HP-UX commands KL - Kernel patches NE - Network specific patches SS - All other subsystems (X11, starbase, etc.)
+
+
+
+
+ The sixth through tenth characters in HP-UX patch names represent a unique numeric identifier for the patch.
+
+
+
+
+
+
+
+
+
+
+
+
+ Output of /usr/sbin/swlist command. Note: A quick way to check for the installation of a specific fileset is to use the command 'swlist -a version -l fileset filesetname'. See manpage for swlist for explanation of additional command options.
+
+
+
+
+
+
+
+ This is the name of the bundle or fileset to check.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ These items contain account settings for trusted HP-UX installations.
+
+
+
+
+
+
+
+ This is the name of the user being checked
+
+
+
+
+ The user's ID
+
+
+
+
+ This is the encrypted version of the user's password
+
+
+
+
+ The Account owner for pseudo-users
+
+
+
+
+ Boot authorization
+
+
+
+
+ getprpwaid uses the audit ID rather than the UID
+
+
+
+
+
+
+
+
+
+ Minimum time between password changes
+
+
+
+
+ Maximum password length in characters
+
+
+
+
+ Password expiration time in seconds
+
+
+
+
+ Trusted lifetime, after which the account is locked
+
+
+
+
+ Time of last successful password change
+
+
+
+
+ Time of last unsuccessful password change
+
+
+
+
+ Absolute account lifetime in seconds
+
+
+
+
+ Maximum time allowed between logins before the account is locked
+
+
+
+
+ The time in seconds before expiration when a warning will appear
+
+
+
+
+ Who can change this user's password
+
+
+
+
+ Allows user to use system-generated passwords
+
+
+
+
+ Whether a triviality check is performed on user-generated passwords
+
+
+
+
+ Determines if null passwords are allowed for this account
+
+
+
+
+ Allows password generator to use random printable ASCII characters
+
+
+
+
+ Allows password generator to use random letters
+
+
+
+
+ Specifies the times when the user may login to this account
+
+
+
+
+ The user ID of the user who last changed the password on the user's account, if it was not the account owner
+
+
+
+
+ The time of the last successful login using this account
+
+
+
+
+ The time of the last unsuccessful login using this account
+
+
+
+
+ The terminal or remote host associated with the last successful login to the account
+
+
+
+
+ The terminal or remote hosts associated with the last unsuccessful login to the account
+
+
+
+
+ The number of unsuccessful login attempts since that last successful login
+
+
+
+
+ The maximum number of unsuccessful login attempts before the account is locked
+
+
+
+
+ Indicates whether the administrative lock on the account is set
+
+
+
+
+
+
+
+
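Review bot: the item entity descriptions in hpux-system-characteristics-schema.xsd were copied from the definitions-schema objects and describe a check rather than a collected value: the getconf_item says "This is the parameter name to check" and "This is the pathname to check", and the patch_item and swlist_item use the same "to check" wording; item entities record what was collected, so these should read along the lines of "The parameter name that was queried". The trusted_item repeats the gaps of its state: the encrypted password entity carries no note that collected items containing it are sensitive and should be protected, the interval entities (minimum time between password changes, trusted lifetime, maximum time between logins) state no unit while neighbouring entities say "in seconds", and "getprpwaid uses the audit ID rather than the UID" names a library call instead of saying what the entity holds. Also, the ndd_item parameter description "The name of a parameter for example, ip_forwarding" needs a comma after "parameter".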
diff --git a/oval-schemas/independent-definitions-schema.xsd b/oval-schemas/independent-definitions-schema.xsd
new file mode 100644
index 0000000..d27c6cf
--- /dev/null
+++ b/oval-schemas/independent-definitions-schema.xsd
@@ -0,0 +1,2879 @@
+
+
+
+
+
+ The following is a description of the elements, types, and attributes that compose the tests found in Open Vulnerability and Assessment Language (OVAL) that are independent of a specific piece of software. Each test is described in detail and should provide the information necessary to understand what each element and attribute represents. This document is intended for developers and assumes some familiarity with XML. A high level description of the interaction between the different tests and their relationship to the Core Definition Schema is not outlined here.
+ The OVAL Schema is maintained by the OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.cisecurity.org.
+
+ Independent Definition
+ 5.11.1:1.2
+ 11/30/2016 09:00:00 AM
+ Copyright (c) 2016, Center for Internet Security. All rights reserved. The contents of this file are subject to the terms of the OVAL License located at https://oval.cisecurity.org/terms. See the OVAL License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the OVAL Schema, this license header must be included.
+
+
+
+
+
+
+
+
+
+
+
+ The family_test element is used to check the family a certain system belongs to. This test basically allows the high level system types (window, unix, ios, etc.) to be tested. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a family_object and the optional state element specifies the metadata to check.
+
+
+ family_test
+ family_object
+ family_state
+ family_item
+
+
+
+
+
+ - the object child element of a family_test must reference a family_object
+
+
+ - the state child element of a family_test must reference a family_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The family_object element is used by a family test to define those objects to evaluate based on a specified state. There is actually only one object relating to family and this is the system as a whole. Therefore, there are no child entities defined. Any OVAL Test written to check the family will reference the same family_object which is basically an empty object element.
+
+
+
+
+
+
+
+
+
+ The family_state element contains a single entity that is used to check the family associated with the system. The family is a high-level classification of system types.
+
+
+
+
+
+
+
+ This element describes the high-level system OS type to test against. Please refer to the definition of the EntityFamilyType for more information about the possible values..
+
+
+
+
+
+
+
+
+
+
+
+
+ The file hash test is used to check the hashes associated with a specified file. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a filehash_object and the optional state element specifies the different hashes to check.
+
+
+ filehash_test
+ filehash_object
+ filehash_state
+ filehash_item
+
+
+
+
+ 5.8
+ Replaced by the filehash58_test.
+ This object has been deprecated and may be removed in a future version of the language.
+
+
+
+ DEPRECATED TEST: ID:
+
+
+
+
+
+
+ - the object child element of a filehash_test must reference a filesha1_object
+
+
+ - the state child element of a filehash_test must reference a filesha1_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The filehash_object element is used by a file hash test to define the specific file(s) to be evaluated. The filehash_object will only collect regular files on UNIX systems and FILE_TYPE_DISK files on Windows systems. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+ A filehash_object defines the path and filename of the file(s). In addition, a number of behaviors may be provided that help guide the collection of objects. Please refer to the FileBehaviors complex type for more information about specific behaviors.
+ The set of files to be evaluated may be identified with either a complete filepath or a path and filename. Only one of these options may be selected.
+ It is important to note that the 'max_depth' and 'recurse_direction' attributes of the 'behaviors' element do not apply to the 'filepath' element, only to the 'path' and 'filename' elements. This is because the 'filepath' element represents an absolute path to a particular file and it is not possible to recurse over a file.
+
+
+ 5.8
+ Replaced by the filehash58_object.
+ This object has been deprecated and may be removed in a future version of the language.
+
+
+
+ DEPRECATED OBJECT: ID:
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The filepath element specifies the absolute path for a file on the machine. A directory cannot be specified as a filepath.
+
+
+
+ - the max_depth and recurse_direction behaviors are not allowed with a filepath entity
+
+
+
+
+ - the recurse_file_system behavior MUST not be set to 'defined' when a pattern match is used with a filepath entity.
+
+
+
+
+
+
+
+
+ The path element specifies the directory component of the absolute path to a file on the machine.
+
+
+
+ - the recurse_file_system behavior MUST not be set to 'defined' when a pattern match is used with a path entity.
+ - the max_depth behavior MUST not be used when a pattern match is used with a path entity.
+ - the recurse_direction behavior MUST not be used when a pattern match is used with a path entity.
+ - the recurse behavior MUST not be used when a pattern match is used with a path entity.
+
+
+
+
+
+
+
+ The filename element specifies the name of the file.
+
+
+
+ - filename entity cannot be empty unless the xsi:nil attribute is set to true or a var_ref is used
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The filehash_state element contains entities that are used to check the file path, name, and the different hashes associated with a specific file.
+
+
+ 5.8
+ Replaced by the filehash58_state.
+ This object has been deprecated and may be removed in a future version of the language.
+
+
+
+ DEPRECATED STATE: ID:
+
+
+
+
+
+
+
+
+
+
+ The filepath element specifies the absolute path for a file on the machine. A directory cannot be specified as a filepath.
+
+
+
+
+ The path element specifies the directory component of the absolute path to a file on the machine.
+
+
+
+
+ The filename element specifies the name of the file.
+
+
+
+
+ The md5 element is the md5 hash of the file.
+
+
+
+
+ The sha1 element is the sha1 hash of the file.
+
+
+
+
+ The windows view value to which this was targeted. This is used to indicate which view (32-bit or 64-bit), the associated State applies to. This entity only applies to 64-bit Microsoft Windows operating systems.
+
+
+
+
+
+
+
+
+
+
+
+
+ The file hash test is used to check a specific hash type associated with a specified file. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a filehash58_object and the optional state element specifies an expected hash value.
+
+
+ filehash58_test
+ filehash58_object
+ filehash58_state
+ filehash58_item
+
+
+
+
+
+ - the object child element of a filehash58_test must reference a filehash58_object
+
+
+ - the state child element of a filehash58_test must reference a filehash58_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The filehash58_object element is used by a file hash test to define the specific file(s) to be evaluated. The filehash58_object will only collect regular files on UNIX systems and FILE_TYPE_DISK files on Windows systems. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+ A filehash58_object defines the path and filename of the file(s). In addition, a number of behaviors may be provided that help guide the collection of objects. Please refer to the FileBehaviors complex type for more information about specific behaviors.
+ The set of files to be evaluated may be identified with either a complete filepath or a path and filename. Only one of these options may be selected.
+ It is important to note that the 'max_depth' and 'recurse_direction' attributes of the 'behaviors' element do not apply to the 'filepath' element, only to the 'path' and 'filename' elements. This is because the 'filepath' element represents an absolute path to a particular file and it is not possible to recurse over a file.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The filepath element specifies the absolute path for a file on the machine. A directory cannot be specified as a filepath.
+
+
+
+ - the max_depth and recurse_direction behaviors are not allowed with a filepath entity
+
+
+
+
+ - the recurse_file_system behavior MUST not be set to 'defined' when a pattern match is used with a filepath entity.
+
+
+
+
+
+
+
+
+ The path entity specifies the directory component of the absolute path to a file on the machine.
+
+
+
+ - the recurse_file_system behavior MUST not be set to 'defined' when a pattern match is used with a path entity.
+ - the max_depth behavior MUST not be used when a pattern match is used with a path entity.
+ - the recurse_direction behavior MUST not be used when a pattern match is used with a path entity.
+ - the recurse behavior MUST not be used when a pattern match is used with a path entity.
+
+
+
+
+
+
+
+ The filename entity specifies the name of the file.
+
+
+
+ - filename entity cannot be empty unless the xsi:nil attribute is set to true or a var_ref is used
+
+
+
+
+
+
+
+
+
+ The hash_type entity specifies the hash algorithm to use when collecting the hash for each of the specifed files.
+
+
+
+
+
+
+
+
+
+
+
+
+ The filehash58_state element contains entities that are used to check the file path, name, hash_type, and hash associated with a specific file.
+
+
+
+
+
+
+
+ The filepath entity specifies the absolute path for a file on the machine. A directory cannot be specified as a filepath.
+
+
+
+
+ The path entity specifies the directory component of the absolute path to a file on the machine.
+
+
+
+
+ The filename entity specifies the name of the file.
+
+
+
+
+ The hash_type entity specifies the hash algorithm to use when collecting the hash for each of the specifed files.
+
+
+
+
+ The hash entity specifies the result of applying the hash algorithm to the file.
+
+
+
+
+ The windows view value to which this was targeted. This is used to indicate which view (32-bit or 64-bit), the associated State applies to. This entity only applies to 64-bit Microsoft Windows operating systems.
+
+
+
+
+
+
+
+
+
+
+
+
+ The environmentvariable_test element is used to check an environment variable found on the system. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a environmentvariable_object and the optional state element specifies the metadata to check.
+
+
+ environmentvariable_test
+ environmentvariable_object
+ environmentvariable_state
+ environmentvariable_item
+
+
+
+
+ 5.8
+ Replaced by the environmentvariable58_test.
+ This object has been deprecated and may be removed in a future version of the language.
+
+
+
+ DEPRECATED TEST: ID:
+
+
+
+
+
+
+ - the object child element of an environmentvariable_test must reference a environmentvariable_object
+
+
+ - the state child element of an environmentvariable_test must reference a environmentvariable_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The environmentvariable_object element is used by an environment variable test to define the specific environment variable(s) to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+
+ 5.8
+ Replaced by the environmentvariable58_object.
+ This object has been deprecated and may be removed in a future version of the language.
+
+
+
+ DEPRECATED OBJECT: ID:
+
+
+
+
+
+
+
+
+
+
+
+
+ This element describes the name of an environment variable.
+
+
+
+
+
+
+
+
+
+
+ The environmentvariable_state element contains two entities that are used to check the name of the specified environment variable and the value associated with it.
+
+
+ 5.8
+ Replaced by the environmentvariable58_state.
+ This object has been deprecated and may be removed in a future version of the language.
+
+
+
+ DEPRECATED STATE: ID:
+
+
+
+
+
+
+
+
+
+
+ This element describes the name of an environment variable.
+
+
+
+
+ The actual value of the specified environment variable.
+
+
+
+
+
+
+
+
+
+
+
+
+ The environmentvariable58_test element is used to check an environment variable for the specified process, which is identified by its process ID, on the system . It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a environmentvariable_object and the optional state element specifies the metadata to check.
+
+
+ environmentvariable58_test
+ environmentvariable58_object
+ environmentvariable58_state
+ environmentvariable58_item
+
+
+
+
+
+ - the object child element of an environmentvariable58_test must reference a environmentvariable58_object
+
+
+ - the state child element of an environmentvariable58_test must reference a environmentvariable58_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The environmentvariable58_object element is used by an environmentvariable58_test to define the specific environment variable(s) and process IDs to be evaluated. If a tool is unable to collect the environment variables of another process, an error must be reported. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The process ID of the process from which the environment variable should be retrieved. If the xsi:nil attribute is set to true, the process ID shall be the tool's running process; for scanners with no process ID (e.g., an agentless network scanner), no corresponding items will exist.
+
+
+
+
+ This element describes the name of an environment variable.
+
+
+
+
+
+
+
+
+
+
+
+
+ The environmentvariable58_state element contains three entities that are used to check the name of the specified environment variable, the process ID of the process from which the environment variable was retrieved, and the value associated with the environment variable.
+
+
+
+
+
+
+
+ The process ID of the process from which the environment variable was retrieved.
+
+
+
+
+ This element describes the name of an environment variable.
+
+
+
+
+ The actual value of the specified environment variable.
+
+
+
+
+
+
+
+
+
+
+
+
+ The LDAP test is used to check information about specific entries in an LDAP directory. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references an ldap_object and the optional state element, ldap_state, specifies the metadata to check.
+
+
+ ldap_test
+ ldap_object
+ ldap_state
+ ldap_item
+
+
+
+
+
+ - the object child element of an ldap_test must reference an ldap_object
+
+
+ - the state child element of an ldap_test must reference an ldap_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The ldap_object element is used by an LDAP test to define the objects to be evaluated based on a specified state. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+
+
+
+
+
+
+
+
+
+
+ Each object in an LDAP directory exists under a certain suffix (also known as a naming context). A suffix is defined as a single object in the Directory Information Tree (DIT) with every object in the tree subordinate to it.
+
+
+
+
+ The relative_dn field is used to uniquely identify an object inside the specified suffix. It contains all of the parts of the object's distinguished name except those outlined by the suffix. If the xsi:nil attribute is set to true, then the object being specified is the higher level suffix. In this case, the relative_dn element should not be collected or used in analysis. Setting xsi:nil equal to true is different than using a .* pattern match, which says to collect every relative distinguished name under a given suffix.
+
+
+
+
+ Specifies a named value contained by the object. If the xsi:nil attribute is set to true, the attribute element should not be collected or used in analysis. Setting xsi:nil equal to true is different than using a .* pattern match, which says to collect every attribute under a given relative distinguished name.
+
+
+
+
+
+
+
+
+
+
+
+ The ldap_state element defines the different information that can be used to evaluate the specified entries in an LDAP directory. An ldap_test will reference a specific instance of this state that defines the exact settings that need to be evaluated. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ Each object in an LDAP directory exists under a certain suffix (also known as a naming context). A suffix is defined as a single object in the Directory Information Tree (DIT) with every object in the tree subordinate to it.
+
+
+
+
+ The relative_dn field is used to uniquely identify an object inside the specified suffix. It contains all of the parts of the object's distinguished name except those outlined by the suffix.
+
+
+
+
+ Specifies a named value contained by the object.
+
+
+
+
+ The name of the class of which the object is an instance.
+
+
+
+
+ Specifies the type of information that the specified attribute represents.
+
+
+
+
+ The actual value of the specified LDAP attribute.
+
+
+
+
+
+
+
+
+
+ The LdapBehaviors complex type defines a number of behaviors that allow a more detailed definition of the ldap_object being specified.
+
+
+
+ 'scope' defines the depth from the base distinguished name to which the search should occur. The base distinguished name is the starting point of the search and is composed of the specified suffix and relative distinguished name. A value of 'BASE' indicates to search only the entry at the base distinguished name, a value of 'ONE' indicates to search all entries one level under the base distinguished name - but NOT including the base distinguished name, and a value of 'SUBTREE' indicates to search all entries at all levels under, and including, the specified base distinguished name. The default value is 'BASE'.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The LDAP test is used to check information about specific entries in an LDAP directory. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references an ldap57_object and the optional state element, ldap57_state, specifies the metadata to check.
+ Note that this test supports complex values that are in the form of a record. For simple (string based) value collection see the ldap_test.
+
+
+ ldap57_test
+ ldap57_object
+ ldap57_state
+ ldap57_item
+
+
+
+
+ 5.11.2
+ Use the original ldap_test. The ldap57_test suffers from ambiguity; it was never adequately specified, and it does not even seem possible to have structured data in the context of the enumerated LdaptypeTypes. Use the original ldap_test instead.
+ This test has been deprecated and will be removed in version 6.0 of the language.
+
+
+
+ DEPRECATED TEST: ID:
+
+
+
+
+
+
+ - the object child element of an ldap57_test must reference an ldap57_object
+
+
+ - the state child element of an ldap57_test must reference an ldap57_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The ldap57_object element is used by an LDAP test to define the objects to be evaluated based on a specified state. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+ Note that this object supports complex values that are in the form of a record. For simple (string based) value collection see the ldap_object.
+
+
+ 5.11.2
+ Use the original ldap_object. The ldap57_test suffers from ambiguity; it was never adequately specified, and it does not even seem possible to have structured data in the context of the enumerated LdaptypeTypes. Use the original ldap_test instead.
+ This test has been deprecated and will be removed in version 6.0 of the language.
+
+
+
+ DEPRECATED TEST: ID:
+
+
+
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Each object in an LDAP directory exists under a certain suffix (also known as a naming context). A suffix is defined as a single object in the Directory Information Tree (DIT) with every object in the tree subordinate to it.
+
+
+
+
+ The relative_dn field is used to uniquely identify an object inside the specified suffix. It contains all of the parts of the object's distinguished name except those outlined by the suffix. If the xsi:nil attribute is set to true, then the object being specified is the higher level suffix. In this case, the relative_dn element should not be collected or used in analysis. Setting xsi:nil equal to true is different than using a .* pattern match, which says to collect every relative distinguished name under a given suffix.
+
+
+
+
+ Specifies a named value contained by the object. If the xsi:nil attribute is set to true, the attribute element should not be collected or used in analysis. Setting xsi:nil equal to true is different than using a .* pattern match, which says to collect every attribute under a given relative distinguished name.
+
+
+
+
+
+
+
+
+
+
+
+
+ The ldap57_state element defines the different information that can be used to evaluate the specified entries in an LDAP directory. An ldap57_test will reference a specific instance of this state that defines the exact settings that need to be evaluated. Please refer to the individual elements in the schema for more details about what each represents.
+ Note that this state supports complex values that are in the form of a record. For simple (string based) value collection see the ldap_state.
+
+
+ 5.11.2
+ Use the original ldap_state. The ldap57_test suffers from ambiguity; it was never adequately specified, and it does not even seem possible to have structured data in the context of the enumerated LdaptypeTypes. Use the original ldap_test instead.
+ This test has been deprecated and will be removed in version 6.0 of the language.
+
+
+
+ DEPRECATED TEST: ID:
+
+
+
+
+
+
+
+
+
+
+ Each object in an LDAP directory exists under a certain suffix (also known as a naming context). A suffix is defined as a single object in the Directory Information Tree (DIT) with every object in the tree subordinate to it.
+
+
+
+
+ The relative_dn field is used to uniquely identify an object inside the specified suffix. It contains all of the parts of the object's distinguished name except those outlined by the suffix.
+
+
+
+
+ Specifies a named value contained by the object.
+
+
+
+
+ The name of the class of which the object is an instance.
+
+
+
+
+ Specifies the type of information that the specified attribute represents.
+
+
+
+
+ The actual value of the specified LDAP attribute. Note that while an LDAP attribute can contain structured data where it is necessary to collect multiple related fields that can be described by the 'record' datatype, it is not always the case. It also is possible that an LDAP attribute can contain only a single value or an array of values. In these cases, there is not a name to uniquely identify the corresponding field which is a requirement for fields in the 'record' datatype. As a result, the name of the LDAP attribute will be used to uniquely identify the field and satisfy this requirement.
+
+
+
+ - datatype attribute for the value entity of a ldap57_state must be 'record'
+
+
+ The sql test is used to check information stored in a database. It is often the case that applications store configuration settings in a database as opposed to a file. This test has been designed to enable those settings to be tested. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a wmi_object and the optional state element specifies the metadata to check.
+
+
+ | Test | Object | State | Item |
+ | --- | --- | --- | --- |
+ | sql_test | sql_object | sql_state | sql_item |
+
+
+
+
+ Deprecated in version 5.7. Replaced by the sql57_test. This test allows for single fields to be selected from a database. A new test was created to allow more than one field to be selected in one statement. See the sql57_test.
+ This object has been deprecated and may be removed in a future version of the language.
+
+
+
+ DEPRECATED TEST: ID:
+
+
+ - the object child element of a sql_test must reference a sql_object
+
+
+ - the state child element of a sql_test must reference a sql_state
+
+
+ The sql_object element is used by a sql test to define the specific database and query to be evaluated. Connection information is supplied allowing the tool to connect to the desired database and a query is supplied to call out the desired setting. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+
+ Deprecated in version 5.7. Replaced by the sql57_object. This object allows for single fields to be selected from a database. A new object was created to allow more than one field to be selected in one statement. See the sql57_object.
+ This object has been deprecated and may be removed in a future version of the language.
+
+
+
+ DEPRECATED OBJECT: ID:
+
+
+ The engine entity defines the specific database engine to use. Any tool looking to collect information about this object will need to know the engine in order to use the appropriate drivers to establish a connection.
+
+
+
+ - operation attribute for the engine entity of an sql_object should be 'equals', note that this overrules the general operation attribute validation (i.e. follow this one)
+
+
+ The version entity defines the specific version of the database engine to use. This is also important in determining the correct driver to use for establishing a connection.
+
+
+
+ - operation attribute for the version entity of an sql_object should be 'equals', note that this overrules the general operation attribute validation (i.e. follow this one)
+
+
+ The connection_string entity defines specific connection parameters to be used in connecting to the database. This will help a tool connect to the correct database.
+
+
+
+ - operation attribute for the connection_string entity of an sql_object should be 'equals', note that this overrules the general operation attribute validation (i.e. follow this one)
+
+
+ The sql entity defines a query used to identify the object(s) to test against. Any valid SQL query is usable with one exception, at most one field is allowed in the SELECT portion of the query. For example SELECT name FROM ... is valid, as is SELECT 'true' FROM ..., but SELECT name, number FROM ... is not valid. This is because the result element in the data section is only designed to work against a single field.
+
+
+
+ - operation attribute for the sql entity of an sql_object should be 'equals', note that this overrules the general operation attribute validation (i.e. follow this one)
+
+
+ The sql_state element contains two entities that are used to check the name of the specified field and the value associated with it.
+
+
+ Deprecated in version 5.7. Replaced by the sql57_state. This state allows for single fields to be selected from a database. A new state was created to allow more than one field to be selected in one statement. See the sql57_state.
+ This state has been deprecated and may be removed in a future version of the language.
+
+
+
+ DEPRECATED STATE: ID:
+
+
+ The engine entity defines a specific database engine.
+
+
+
+
+ The version entity defines a specific version of a given database engine.
+
+
+
+
+ The connection_string entity defines a set of parameters that help identify the connection to the database.
+
+
+
+
+ The sql entity defines a query used to identify the object(s) to test against.
+
+
+
+
+ The result entity specifies how to test objects in the result set of the specified SQL statement. Only one comparable field is allowed. So if the SQL statement looks like 'SELECT name FROM ...', then a result entity with a value of 'Fred' would test the set of 'name' values returned by the SQL statement against the value 'Fred'.
+
+
+ The sql test is used to check information stored in a database. It is often the case that applications store configuration settings in a database as opposed to a file. This test has been designed to enable those settings to be tested. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a wmi_object and the optional state element specifies the metadata to check.
+
+
+ | Test | Object | State | Item |
+ | --- | --- | --- | --- |
+ | sql57_test | sql57_object | sql57_state | sql57_item |
+
+
+
+
+
+ - the object child element of a sql57_test must reference a sql57_object
+
+
+ - the state child element of a sql57_test must reference a sql57_state
+
+
+ The sql57_object element is used by a sql test to define the specific database and query to be evaluated. Connection information is supplied allowing the tool to connect to the desired database and a query is supplied to call out the desired setting. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+ The engine entity defines the specific database engine to use. Any tool looking to collect information about this object will need to know the engine in order to use the appropriate drivers to establish a connection.
+
+
+
+ - operation attribute for the engine entity of an sql57_object should be 'equals', note that this overrules the general operation attribute validation (i.e. follow this one)
+
+
+ The version entity defines the specific version of the database engine to use. This is also important in determining the correct driver to use for establishing a connection.
+
+
+
+ - operation attribute for the version entity of an sql57_object should be 'equals', note that this overrules the general operation attribute validation (i.e. follow this one)
+
+
+ The connection_string entity defines specific connection parameters to be used in connecting to the database. This will help a tool connect to the correct database.
+
+
+
+ - operation attribute for the connection_string entity of an sql57_object should be 'equals', note that this overrules the general operation attribute validation (i.e. follow this one)
+
+
+ The sql entity defines a query used to identify the object(s) to test against. Any valid SQL query is usable with one exception, all fields must be named in the SELECT portion of the query. For example, SELECT name, number FROM ... is valid. However, SELECT * FROM ... is not valid. This is because the record element in the state and item require a unique field name value to ensure that any query results can be evaluated consistently.
+
+
+
+ - operation attribute for the sql entity of an sql57_object should be 'equals', note that this overrules the general operation attribute validation (i.e. follow this one)
+
+
+ The sql57_state element contains two entities that are used to check the name of the specified field and the value associated with it.
+
+
+ The engine entity defines a specific database engine.
+
+
+
+
+ The version entity defines a specific version of a given database engine.
+
+
+
+
+ The connection_string entity defines a set of parameters that help identify the connection to the database.
+
+
+
+
+ The sql entity defines a query used to identify the object(s) to test against.
+
+
+
+
+ The result entity specifies how to test objects in the result set of the specified SQL statement.
+
+
+
+ - datatype attribute for the result entity of a sql57_state must be 'record'
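The single-field rule of the deprecated sql_object and the named-field rule of the sql57_object described above, carried through to a record-typed result, as an added Python example. This is not OVAL project code: it uses an in-memory SQLite table with constructed rows in place of an application's settings store, and the names validate_sql_query, validate_sql57_query, collect_sql57_items, record_matches and evaluate are this example's own. The SELECT-list parsing is deliberately simple (it splits on top-level commas) and is enough for the rules the schema states, not a general SQL parser.

```python
import re
import sqlite3
from typing import Dict, List

# Added example, not OVAL project code. An in-memory SQLite database with
# constructed rows stands in for an application's configuration table.


def _select_list(sql: str) -> str:
    """Return the text between SELECT and FROM (naive, but enough for the rules below)."""
    m = re.match(r"\s*SELECT\s+(.*?)\s+FROM\b", sql, re.IGNORECASE | re.DOTALL)
    if not m:
        raise ValueError("only SELECT ... FROM ... queries are handled by this example")
    return m.group(1)


def _split_fields(select_list: str) -> List[str]:
    """Split the SELECT list on commas that are not nested inside parentheses."""
    fields, depth, current = [], 0, []
    for ch in select_list:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == "," and depth == 0:
            fields.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    fields.append("".join(current).strip())
    return fields


def validate_sql_query(sql: str) -> bool:
    """Deprecated sql_object rule: at most one field in the SELECT portion."""
    return len(_split_fields(_select_list(sql))) == 1


def validate_sql57_query(sql: str) -> bool:
    """sql57_object rule: every field must be named, so 'SELECT *' (or 't.*') is rejected."""
    return not any(f == "*" or f.endswith(".*") for f in _split_fields(_select_list(sql)))


def collect_sql57_items(conn: sqlite3.Connection, sql: str) -> List[Dict[str, object]]:
    """Run the query and return one record per row, keyed by column name.

    Field names must be unique because the record datatype identifies fields by name;
    duplicates are refused here so the result cannot be evaluated inconsistently.
    """
    if not validate_sql57_query(sql):
        raise ValueError("sql57_object requires every selected field to be named")
    cur = conn.execute(sql)
    names = [d[0] for d in cur.description]
    if len(set(names)) != len(names):
        raise ValueError(f"duplicate field names {names}; alias them so each is unique")
    return [dict(zip(names, row)) for row in cur.fetchall()]


def record_matches(item: Dict[str, object], state: Dict[str, object],
                   entity_check: str = "all") -> bool:
    """Compare an item record against a state record field by field (equals only)."""
    results = [item.get(name) == expected for name, expected in state.items()]
    if entity_check == "all":
        return bool(results) and all(results)
    if entity_check == "at least one":
        return any(results)
    if entity_check == "none satisfy":
        return not any(results)
    if entity_check == "only one":
        return results.count(True) == 1
    raise ValueError(f"unknown entity_check {entity_check!r}")


def demo_connection() -> sqlite3.Connection:
    """Constructed settings table (sample data, not taken from any real application)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE settings (name TEXT, value TEXT, scope TEXT)")
    conn.executemany("INSERT INTO settings VALUES (?, ?, ?)", [
        ("password_min_length", "14", "global"),
        ("session_timeout_minutes", "15", "global"),
        ("password_min_length", "8", "legacy_app"),
    ])
    return conn


def evaluate(sql: str, state: Dict[str, object], entity_check: str = "all") -> List[bool]:
    """One boolean per collected record: does it satisfy the state record?"""
    conn = demo_connection()
    try:
        return [record_matches(item, state, entity_check)
                for item in collect_sql57_items(conn, sql)]
    finally:
        conn.close()


if __name__ == "__main__":
    query = "SELECT name, value FROM settings WHERE name = 'password_min_length' ORDER BY scope"
    print(evaluate(query, {"name": "password_min_length", "value": "14"}))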
+
+
+ The textfilecontent54_test element is used to check the contents of a text file (aka a configuration file) by looking at individual blocks of text. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a textfilecontent54_object and the optional state element specifies the metadata to check.
+
+
+ | Test | Object | State | Item |
+ | --- | --- | --- | --- |
+ | textfilecontent54_test | textfilecontent54_object | textfilecontent54_state | textfilecontent_item |
+
+
+
+
+
+ - the object child element of a textfilecontent54_test must reference a textfilecontent54_object
+
+
+ - the state child element of a textfilecontent54_test must reference a textfilecontent54_state
+
+
+ The textfilecontent54_object element is used by a textfilecontent_test to define the specific block(s) of text of a file(s) to be evaluated. The textfilecontent54_object will only collect regular files on UNIX systems and FILE_TYPE_DISK files on Windows systems. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+ The set of files to be evaluated may be identified with either a complete filepath or a path and filename. Only one of these options may be selected.
+ It is important to note that the 'max_depth' and 'recurse_direction' attributes of the 'behaviors' element do not apply to the 'filepath' element, only to the 'path' and 'filename' elements. This is because the 'filepath' element represents an absolute path to a particular file and it is not possible to recurse over a file.
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+ The filepath element specifies the absolute path for a file on the machine. A directory cannot be specified as a filepath.
+
+
+
+ - the max_depth and recurse_direction behaviors are not allowed with a filepath entity
+
+
+
+
+ - the recurse_file_system behavior MUST not be set to 'defined' when a pattern match is used with a filepath entity.
+
+
+ The path element specifies the directory component of the absolute path to a file on the machine.
+
+
+
+ - the recurse_file_system behavior MUST not be set to 'defined' when a pattern match is used with a path entity.
+ - the max_depth behavior MUST not be used when a pattern match is used with a path entity.
+ - the recurse_direction behavior MUST not be used when a pattern match is used with a path entity.
+ - the recurse behavior MUST not be used when a pattern match is used with a path entity.
+
+
+ The filename entity specifies the name of a file.
+
+
+
+ - filename entity cannot be empty unless the xsi:nil attribute is set to true or a var_ref is used
+
+
+ The pattern entity defines a chunk of text in a file and is represented using a regular expression. A subexpression (using parentheses) can call out a piece of the text block to test. For example, the pattern abc(.*)xyz would look for a block of text in the file that starts with abc and ends with xyz, with the subexpression being all the characters that exist in between. The value of the subexpression can then be tested using the subexpression entity of a textfilecontent54_state. Note that if the pattern, starting at the same point in the file, matches more than one block of text, then it matches the longest. For example, given a file with abcdefxyzxyzabc, then the pattern abc(.*)xyz would match the block abcdefxyzxyz. Subexpressions also match the longest possible substrings, subject to the constraint that the whole match be as long as possible, with subexpressions starting earlier in the pattern taking priority over ones starting later.
+ Note that when using regular expressions, OVAL supports a common subset of the regular expression character classes, operations, expressions and other lexical tokens defined within Perl 5's regular expression specification. For more information on the supported regular expression syntax in OVAL see: http://oval.mitre.org/language/about/re_support_5.6.html.
+
+
+
+ - operation attribute for the pattern entity of a textfilecontent54_object should be 'pattern match'
+
+
+ The instance entity calls out a specific match of the pattern. It can have both positive and negative values. If the value is positive, the index of the specific match of the pattern is counted from the beginning of the set of matches of that pattern. The first match is given an instance value of 1, the second match is given an instance value of 2, and so on. For positive values, the 'less than' and 'less than or equals' operations imply that the object is operating only on positive values. Frequently, this entity will be defined as 'greater than or equals' 1, which results in the object representing the set of all matches of the pattern.
+ Negative values are used to simplify collection of pattern match occurrences counting backwards from the last match. To find the last match, use an instance of -1; the penultimate match is found using an instance value of -2, and so on. For negative values, the 'greater than' and 'greater than or equals' operations imply the object is operating only on negative values. For example, searching for instances greater than or equal to -2 would yield only the last two matches.
+ Note that the main purpose of the instance item entity is to provide uniqueness for different textfilecontent_items that results from multiple matches of a given pattern against the same file, and they will always have positive values.
+
+
+ The textfilecontent54_state element contains entities that are used to check the file path and name, as well as the text block in question and the value of the subexpressions.
+
+
+ The filepath element specifies the absolute path for a file on the machine. A directory cannot be specified as a filepath.
+
+
+
+
+ The path element specifies the directory component of the absolute path to a file on the machine.
+
+
+
+
+ The filename entity represents the name of a file.
+
+
+
+
+ The pattern entity represents a regular expression that is used to define a block of text.
+
+
+
+
+ The instance entity calls out a specific match of the pattern. This can only be a positive integer.
+
+
+
+ - the value of instance must be greater than one
+
+
+
+
+
+
+
+ The text entity represents the block of text that matched the specified pattern.
+
+
+
+
+ The subexpression entity represents a value to test against the subexpression in the specified pattern. If multiple subexpressions are specified in the pattern, this value is tested against all of them. For example, if the pattern abc(.*)mno(.*)xyp was supplied, and the state specifies a subexpression value of enabled, then the test would check that both (or at least one, none, etc. depending on the entity_check attribute) of the subexpressions have a value of enabled.
+
+
+
+
+ The windows view value to which this was targeted. This is used to indicate which view (32-bit or 64-bit) the associated State applies to. This entity only applies to 64-bit Microsoft Windows operating systems.
+
+
+ The Textfilecontent54Behaviors complex type defines a number of behaviors that allow a more detailed definition of the textfilecontent54_object being specified. Note that using these behaviors may result in some unique results. For example, a double negative type condition might be created where an object entity says include everything except a specific item, but a behavior is used that might then add that item back in.
+ It is important to note that the 'max_depth' and 'recurse_direction' attributes of the 'behaviors' element do not apply to the 'filepath' element, only to the 'path' and 'filename' elements. This is because the 'filepath' element represents an absolute path to a particular file and it is not possible to recurse over a file.
+ The Textfilecontent54Behaviors extend the ind-def:FileBehaviors and therefore include the behaviors defined by that type.
+
+
+
+
+
+ 'ignore_case' indicates whether case should be considered when matching system values against the regular expression provided by the pattern entity. This behavior is intended to align with the Perl regular expression 'i' modifier: if true, case will be ignored. If false, case will not be ignored. The default is false.
+
+
+
+
+ 'multiline' enables multiple line semantics in the regular expression provided by the pattern entity. This behavior is intended to align with the Perl regular expression 'm' modifier: if true, the '^' and '$' metacharacters will match both at the beginning/end of a string, and immediately after/before newline characters. If false, they will match only at the beginning/end of a string. The default is true.
+
+
+
+
+ 'singleline' enables single line semantics in the regular expression provided by the pattern entity. This behavior is intended to align with the Perl regular expression 's' modifier: if true, the '.' metacharacter will match newlines. If false, it will not. The default is false.
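The pattern, instance and subexpression semantics described for textfilecontent54 above, together with the ignore_case, multiline and singleline behaviors, as one added Python example. This is not OVAL project code: Textfilecontent54Behaviors, TextItem, collect_items, select_instances, subexpression_check and the sshd_config fragment are this example's own constructions. Python's re module is used in place of the OVAL regular expression engine; its greedy matching reproduces the longest-match results quoted above (abc(.*)xyz against abcdefxyzxyzabc), but it is not a general leftmost-longest engine. Negative instance values are modeled by comparing each item's index counted back from the last match, and the four entity_check values are modeled for the subexpression test.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Added example, not OVAL project code. Python's re module stands in for the OVAL
# regex engine; for the patterns used here its greedy matching agrees with the
# "longest match" rule, but it is not a general leftmost-longest implementation.


@dataclass
class Textfilecontent54Behaviors:
    ignore_case: bool = False   # Perl 'i' modifier; OVAL default false
    multiline: bool = True      # Perl 'm' modifier; OVAL default true
    singleline: bool = False    # Perl 's' modifier; OVAL default false


@dataclass
class TextItem:
    instance: int               # 1-based position among all matches in the file
    text: str                   # the whole block of text matched by the pattern
    subexpressions: List[str]   # one value per capturing group, in pattern order


def compile_pattern(pattern: str, b: Textfilecontent54Behaviors) -> "re.Pattern[str]":
    """Map the three behaviors onto the equivalent Python regex flags."""
    flags = 0
    if b.ignore_case:
        flags |= re.IGNORECASE
    if b.multiline:
        flags |= re.MULTILINE
    if b.singleline:
        flags |= re.DOTALL
    return re.compile(pattern, flags)


def collect_items(content: str, pattern: str,
                  behaviors: Optional[Textfilecontent54Behaviors] = None) -> List[TextItem]:
    """Each non-overlapping match becomes one textfilecontent_item; instances are always positive."""
    rx = compile_pattern(pattern, behaviors or Textfilecontent54Behaviors())
    return [TextItem(i, m.group(0), [g or "" for g in m.groups()])
            for i, m in enumerate(rx.finditer(content), start=1)]


_OPS: Dict[str, Callable[[int, int], bool]] = {
    "equals": lambda a, b: a == b,
    "not equal": lambda a, b: a != b,
    "greater than": lambda a, b: a > b,
    "greater than or equal": lambda a, b: a >= b,
    "less than": lambda a, b: a < b,
    "less than or equal": lambda a, b: a <= b,
}


def select_instances(items: List[TextItem], operation: str, value: int) -> List[TextItem]:
    """Apply the object's instance entity.

    A negative value counts back from the last match, so items are then compared by
    their negative index (-1 is the last match, -2 the penultimate one).
    """
    n = len(items)

    def index(item: TextItem) -> int:
        return item.instance - n - 1 if value < 0 else item.instance

    return [item for item in items if _OPS[operation](index(item), value)]


def subexpression_check(item: TextItem, expected: str, entity_check: str = "all") -> bool:
    """State subexpression entity: one value tested against every subexpression of the match."""
    results = [value == expected for value in item.subexpressions]
    if entity_check == "all":
        return bool(results) and all(results)
    if entity_check == "at least one":
        return any(results)
    if entity_check == "none satisfy":
        return not any(results)
    if entity_check == "only one":
        return results.count(True) == 1
    raise ValueError(f"unknown entity_check {entity_check!r}")


# Constructed sshd_config fragment (sample input, not taken from any real host).
SAMPLE_SSHD_CONFIG = (
    "# constructed sshd_config fragment\n"
    "Port 22\n"
    "PermitRootLogin no\n"
    "PasswordAuthentication yes\n"
    "permitrootlogin yes\n"
)


def root_login_values(behaviors: Textfilecontent54Behaviors) -> List[str]:
    """Subexpression values of every PermitRootLogin line the behaviors let the pattern see."""
    items = collect_items(SAMPLE_SSHD_CONFIG, r"^PermitRootLogin\s+(\S+)$", behaviors)
    return [item.subexpressions[0] for item in items]


if __name__ == "__main__":
    print(collect_items("abcdefxyzxyzabc", "abc(.*)xyz"))
    print(root_login_values(Textfilecontent54Behaviors()))
    print(root_login_values(Textfilecontent54Behaviors(ignore_case=True)))
    last_two = select_instances(collect_items("a a a a a", "a"), "greater than or equal", -2)
    print([item.instance for item in last_two])
```

With the default behaviors the pattern sees only the properly cased PermitRootLogin line; switching ignore_case on also collects the lower-case one, and turning multiline off collects nothing, because ^ then anchors only at the start of the file. That last case is the practical caveat for configuration checks: a pattern that silently matches zero instances leaves the test evaluating an empty item set, which is why an instance entity of 'greater than or equals' 1 is usually paired with a check_existence value on the test that flags the missing line rather than passing over it.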
+
+
+ The textfilecontent_test element is used to check the contents of a text file (aka a configuration file) by looking at individual lines. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a textfilecontent_object and the optional state element specifies the metadata to check.
+
+
+ | Test | Object | State | Item |
+ | --- | --- | --- | --- |
+ | textfilecontent_test | textfilecontent_object | textfilecontent_state | textfilecontent_item |
+
+
+
+
+ Deprecated in version 5.4. Replaced by the textfilecontent54_test. Support for multi-line pattern matching and multi-instance matching was added. Therefore, a new test was created to reflect these changes. See the textfilecontent54_test.
+ This test has been deprecated and will be removed in version 6.0 of the language.
+
+
+
+ DEPRECATED TEST: ID:
+
+
+ - the object child element of a textfilecontent_test must reference a textfilecontent_object
+
+
+ - the state child element of a textfilecontent_test must reference a textfilecontent_state
+
+
+ The textfilecontent_object element is used by a text file content test to define the specific line(s) of a file(s) to be evaluated. The textfilecontent_object will only collect regular files on UNIX systems and FILE_TYPE_DISK files on Windows systems. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+
+ Deprecated in version 5.4. Replaced by the textfilecontent54_object. Support for multi-line pattern matching and multi-instance matching was added. Therefore, a new object was created to reflect these changes. See the textfilecontent54_object.
+ This object has been deprecated and will be removed in version 6.0 of the language.
+
+
+
+ DEPRECATED OBJECT: ID:
+
+
+ The path element specifies the directory component of the absolute path to a file on the machine.
+
+
+
+
+ The filename element specifies the name of the file.
+
+
+
+ - filename entity cannot be empty unless the xsi:nil attribute is set to true or a var_ref is used
+
+
+ The line element represents a line in the file and is represented using a regular expression. A single subexpression can be called out using parentheses. The value of this subexpression can then be checked using a textfilecontent_state.
+ Note that when using regular expressions, OVAL supports a common subset of the regular expression character classes, operations, expressions and other lexical tokens defined within Perl 5's regular expression specification. For more information on the supported regular expression syntax in OVAL see: http://oval.mitre.org/language/about/re_support_5.6.html.
+
+
+
+ - operation attribute for the line entity of a textfilecontent_object should be 'pattern match'
+
+
+ The textfilecontent_state element contains entities that are used to check the file path and name, as well as the line in question and the value of the specific subexpression.
+
+
+ Deprecated in version 5.4. Replaced by the textfilecontent54_state. Support for multi-line pattern matching and multi-instance matching was added. Therefore, a new state was created to reflect these changes. See the textfilecontent54_state.
+ This state has been deprecated and will be removed in version 6.0 of the language.
+
+
+
+ DEPRECATED STATE: ID:
+
+
+ The path element specifies the directory component of the absolute path to a file on the machine.
+
+
+
+
+ The name of the file.
+
+
+
+
+ The line element represents a line in the file that was collected.
+
+
+
+
+ Each subexpression in the regular expression of the line element is then tested against the value specified in the subexpression element.
+
+
+
+
+ The windows view value to which this was targeted. This is used to indicate which view (32-bit or 64-bit) the associated State applies to. This entity only applies to 64-bit Microsoft Windows operating systems.
+
+
+ An unknown_test acts as a placeholder for tests whose implementation is unknown. This test always evaluates to a result of 'unknown'. Any information that is known about the test should be held in the notes child element that is available through the extension of the abstract test element. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. Note that for an unknown_test, the required check attribute that is part of the extended TestType should be ignored during evaluation and hence can be set to any valid value.
+
+
+ The variable test allows the value of a variable to be compared to a defined value. As an example one might use this test to validate that a variable being passed in from an external source falls within a specified range. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a variable_object and the optional state element specifies the value to check.
+
+
+ | Test | Object | State | Item |
+ | --- | --- | --- | --- |
+ | variable_test | variable_object | variable_state | variable_item |
+
+
+
+
+
+ - the object child element of a variable_test must reference a variable_object
+
+
+ - the state child element of a variable_test must reference a variable_state
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+ The id of the variable you want.
+
+
+
+ - var_ref attribute for the var_ref entity of a variable_object is prohibited.
+
+
+
+
+
+ - referenced variable not found. The var_ref entity must hold a variable id that exists in the document.
+
+
+ The variable_state element contains two entities that are used to check the var_ref of the specified variable and the value associated with it.
+
+
+ The id of the variable.
+
+
+
+ - var_ref attribute for the var_ref entity of a variable_state is prohibited.
+
+
+
+
+
+ - referenced variable not found. The var_ref entity must hold a variable id that exists in the document.
+
+
+ The value of the variable.
+
+
+ The xmlfilecontent_test element is used to explore the contents of an xml file. This test allows specific pieces of an xml document specified using xpath to be tested. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a xmlfilecontent_object and the optional state element specifies the metadata to check.
+
+
+ | Test | Object | State | Item |
+ | --- | --- | --- | --- |
+ | xmlfilecontent_test | xmlfilecontent_object | xmlfilecontent_state | xmlfilecontent_item |
+
+
+
+
+
+ - the object child element of a xmlfilecontent_test must reference a xmlfilecontent_object
+
+
+ - the state child element of a xmlfilecontent_test must reference a xmlfilecontent_state
+
+
+ The xmlfilecontent_object element is used by a xml file content test to define the specific piece of an xml file(s) to be evaluated. The xmlfilecontent_object will only collect regular files on UNIX systems and FILE_TYPE_DISK files on Windows systems. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+ The set of files to be evaluated may be identified with either a complete filepath or a path and filename. Only one of these options may be selected.
+ It is important to note that the 'max_depth' and 'recurse_direction' attributes of the 'behaviors' element do not apply to the 'filepath' element, only to the 'path' and 'filename' elements. This is because the 'filepath' element represents an absolute path to a particular file and it is not possible to recurse over a file.
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+ The filepath element specifies the absolute path for a file on the machine. A directory cannot be specified as a filepath.
+
+
+
+ - the max_depth and recurse_direction behaviors are not allowed with a filepath entity
+
+
+
+
+ - the recurse_file_system behavior MUST not be set to 'defined' when a pattern match is used with a filepath entity.
+
+
+ The path element specifies the directory component of the absolute path to a file on the machine.
+
+
+
+ - the recurse_file_system behavior MUST not be set to 'defined' when a pattern match is used with a path entity.
+ - the max_depth behavior MUST not be used when a pattern match is used with a path entity.
+ - the recurse_direction behavior MUST not be used when a pattern match is used with a path entity.
+ - the recurse behavior MUST not be used when a pattern match is used with a path entity.
+
+
+ The filename element specifies the name of the file.
+
+
+
+ - filename entity cannot be empty unless the xsi:nil attribute is set to true or a var_ref is used
+
+
+ Specifies an XPath 1.0 expression to evaluate against the XML file specified by the filename entity. This XPath 1.0 expression must evaluate to a list of zero or more text values which will be accessible in OVAL via instances of the value_of entity. Any result from evaluating the XPath 1.0 expression other than a list of text strings (e.g., a node set) is considered an error. The intention is that the text values be drawn from instances of a single, uniquely named element or attribute. However, an OVAL interpreter is not required to verify this, so the author should define the XPath expression carefully. Note that "equals" is the only valid operator for the xpath entity.
+
+
+
+ - operation attribute for the xpath entity of a xmlfilecontent_object should be 'equals', note that this overrules the general operation attribute validation (i.e. follow this one)
+
+
+ The xmlfilecontent_state element contains entities that are used to check the file path and name, as well as the xpath used and the value of this xpath.
+
+
+ The filepath element specifies the absolute path for a file on the machine. A directory cannot be specified as a filepath.
+
+
+
+
+ The path element specifies the directory component of the absolute path to a file on the machine.
+
+
+
+
+ The filename element specifies the name of the file.
+
+
+
+
+ Specifies an XPath 1.0 expression to evaluate against the XML file specified by the filename entity. This XPath 1.0 expression must evaluate to a list of zero or more text values which will be accessible in OVAL via instances of the value_of entity. Any result from evaluating the XPath 1.0 expression other than a list of text strings (e.g., a node set) is considered an error. The intention is that the text values be drawn from instances of a single, uniquely named element or attribute. However, an OVAL interpreter is not required to verify this, so the author should define the XPath expression carefully. Note that "equals" is the only valid operator for the xpath entity.
+
+
+
+
+ The value_of element checks the value(s) of the text node(s) or attribute(s) found.
+
+
+
+
+ The windows view value to which this was targeted. This is used to indicate which view (32-bit or 64-bit) the associated State applies to. This entity only applies to 64-bit Microsoft Windows operating systems.
+
+
+ The FileBehaviors complex type defines a number of behaviors that allow a more detailed definition of a set of files or file related items to collect. Note that using these behaviors may result in some unique results. For example, a double negative type condition might be created where an object entity says include everything except a specific item, but a behavior is used that might then add that item back in.
+ It is important to note that the 'max_depth' and 'recurse_direction' attributes of the 'behaviors' element do not apply to the 'filepath' element, only to the 'path' and 'filename' elements. This is because the 'filepath' element represents an absolute path to a particular file and it is not possible to recurse over a file.
+
+
+
+ 'max_depth' defines the maximum depth of recursion to perform when a recurse_direction is specified. A value of '0' is equivalent to no recursion, '1' means to step only one directory level up/down, and so on. The default value is '-1' meaning no limitation. For a 'max_depth' of -1 or any value of 1 or more the starting directory must be considered in the recursive search.
+ Note that the default recurse_direction behavior is 'none' so even though max_depth specifies no limitation by default, the recurse_direction behavior turns recursion off.
+ Note that this behavior only applies with the equality operation on the path entity.
+
+
+
+
+
+
+
+
+
+
+ 'recurse' defines how to recurse into the path entity, in other words what to follow during recursion. Options include symlinks, directories, or both. Note that a max-depth other than 0 has to be specified for recursion to take place and for this attribute to mean anything. Also note that on Windows, the 'symlink' value is equivalent to the 'junction' recurse value in win-def:FileBehaviors.
+ Note that this behavior only applies with the equality operation on the path entity.
+
+
+
+
+
+
+
+
+
+
+
+ 'recurse_direction' defines the direction to recurse, either 'up' to parent directories, or 'down' into child directories. The default value is 'none' for no recursion.
+ Note that this behavior only applies with the equality operation on the path entity.
+
+
+
+
+
+
+
+
+
+
+
+ 'recurse_file_system' defines the file system limitation of any searching and applies to all operations as specified on the path or filepath entity. The value of 'local' limits the search scope to local file systems (as opposed to file systems mounted from an external system). The value of 'defined' keeps any recursion within the file system that the file_object (path+filename or filepath) has specified. For example, on Windows, if the path specified was "C:\", you would search only the C: drive, not other filesystems mounted to descendant paths. Similarly, on UNIX, if the path specified was "/", you would search only the filesystem mounted there, not other filesystems mounted to descendant paths. The value of 'defined' only applies when an equality operation is used for searching because the path or filepath entity must explicitly define a file system. The default value is 'all' meaning to search all available file systems for data collection.
+ Note that in most cases it is recommended that the value of 'local' be used to ensure that file system searching is limited to only the local file systems. Searching 'all' file systems may have performance implications.
+
+
+
+
+
+
+
+
+
+
+
+ 64-bit versions of Windows provide an alternate file system and registry views to 32-bit applications. This behavior allows the OVAL Object to specify which view should be examined. This behavior only applies to 64-bit Windows, and must not be applied on other platforms.
+ Note that the values have the following meaning: '64_bit' – Indicates that the 64-bit view on 64-bit Windows operating systems must be examined. On a 32-bit system, the Object must be evaluated without applying the behavior. '32_bit' – Indicates that the 32-bit view must be examined. On a 32-bit system, the Object must be evaluated without applying the behavior. It is recommended that the corresponding 'windows_view' entity be set on the OVAL Items that are collected when this behavior is used to distinguish between the OVAL Items that are collected in the 32-bit or 64-bit views.
+
+
+
+
+
+
+
+
+
+
+
+ The EntityObjectEngineType complex type defines a string entity value that is restricted to a set of enumerations. Each valid enumeration is a valid database engine. The empty string is also allowed to support empty elements associated with variable references.
+
+
+
+
+
+ The access value describes the Microsoft Access database engine.
+
+
+
+
+ The db2 value describes the IBM DB2 database engine.
+
+
+
+
+ The cache value describes the InterSystems Cache database engine.
+
+
+
+
+ The firebird value describes the Firebird database engine.
+
+
+
+
+ The firstsql value describes the FirstSQL database engine.
+
+
+
+
+ The foxpro value describes the Microsoft FoxPro database engine.
+
+
+
+
+ The informix value describes the IBM Informix database engine.
+
+
+
+
+ The ingres value describes the Ingres database engine.
+
+
+
+
+ The interbase value describes the Embarcadero Technologies InterBase database engine.
+
+
+
+
+ The lightbase value describes the Light Infocon LightBase database engine.
+
+
+
+
+ The maxdb value describes the SAP MaxDB database engine.
+
+
+
+
+ The monetdb value describes the MonetDB SQL database engine.
+
+
+
+
+ The mimer value describes the Mimer SQL database engine.
+
+
+
+
+ The mysql value describes the MySQL database engine.
+
+
+
+
+ The oracle value describes the Oracle database engine.
+
+
+
+
+ The paradox value describes the Paradox database engine.
+
+
+
+
+ The pervasive value describes the Pervasive PSQL database engine.
+
+
+
+
+ The postgre value describes the PostgreSQL database engine.
+
+
+
+
+ The sqlbase value describes the Unify SQLBase database engine.
+
+
+
+
+ The sqlite value describes the SQLite database engine.
+
+
+
+
+ The sqlserver value describes the Microsoft SQL database engine.
+
+
+
+
+ The sybase value describes the Sybase database engine.
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityStateEngineType complex type defines a string entity value that is restricted to a set of enumerations. Each valid enumeration is a valid database engine. The empty string is also allowed to support empty elements associated with variable references.
+
+
+
+
+
+ The access value describes the Microsoft Access database engine.
+
+
+
+
+ The db2 value describes the IBM DB2 database engine.
+
+
+
+
+ The cache value describes the InterSystems Cache database engine.
+
+
+
+
+ The firebird value describes the Firebird database engine.
+
+
+
+
+ The firstsql value describes the FirstSQL database engine.
+
+
+
+
+ The foxpro value describes the Microsoft FoxPro database engine.
+
+
+
+
+ The informix value describes the IBM Informix database engine.
+
+
+
+
+ The ingres value describes the Ingres database engine.
+
+
+
+
+ The interbase value describes the Embarcadero Technologies InterBase database engine.
+
+
+
+
+ The lightbase value describes the Light Infocon LightBase database engine.
+
+
+
+
+ The maxdb value describes the SAP MaxDB database engine.
+
+
+
+
+ The monetdb value describes the MonetDB SQL database engine.
+
+
+
+
+ The mimer value describes the Mimer SQL database engine.
+
+
+
+
+ The mysql value describes the MySQL database engine.
+
+
+
+
+ The oracle value describes the Oracle database engine.
+
+
+
+
+ The paradox value describes the Paradox database engine.
+
+
+
+
+ The pervasive value describes the Pervasive PSQL database engine.
+
+
+
+
+ The postgre value describes the PostgreSQL database engine.
+
+
+
+
+ The sqlbase value describes the Unify SQLBase database engine.
+
+
+
+
+ The sqlite value describes the SQLite database engine.
+
+
+
+
+ The sqlserver value describes the Microsoft SQL database engine.
+
+
+
+
+ The sybase value describes the Sybase database engine.
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityStateFamilyType complex type defines a string entity value that is restricted to a set of enumerations. Each valid enumeration is a high-level family of system operating system. The empty string is also allowed to support empty elements associated with variable references.
+
+
+
+
+
+ The android value describes the Android mobile operating system.
+
+
+
+
+ The apple_ios value describes the iOS mobile operating system.
+
+
+
+
+ The asa value describes the Cisco ASA security devices.
+
+
+
+
+ The catos value describes the Cisco CatOS operating system.
+
+
+
+
+ The ios value describes the Cisco IOS operating system.
+
+
+
+
+ The iosxe value describes the Cisco IOS-XE operating system.
+
+
+
+
+ The junos value describes the Juniper JunOS operating system.
+
+
+
+
+ The macos value describes the Mac operating system.
+
+
+
+
+ The pixos value describes the Cisco PIX operating system.
+
+
+
+
+ The undefined value is to be used when the desired family is not available.
+
+
+
+
+ The unix value describes the UNIX operating system.
+
+
+
+
+ The vmware_infrastructure value describes VMWare Infrastructure.
+
+
+
+
+ The windows value describes the Microsoft Windows operating system.
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityObjectHashTypeType complex type restricts a string value to a specific set of values that specify the different hash algorithms that are supported. The empty string is also allowed to support empty elements associated with variable references.
+
+
+
+
+
+ The MD5 hash algorithm.
+
+
+
+
+ The SHA-1 hash algorithm.
+
+
+
+
+ The SHA-224 hash algorithm.
+
+
+
+
+ The SHA-256 hash algorithm.
+
+
+
+
+ The SHA-384 hash algorithm.
+
+
+
+
+ The SHA-512 hash algorithm.
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityStateHashTypeType complex type restricts a string value to a specific set of values that specify the different hash algorithms that are supported. The empty string is also allowed to support empty elements associated with variable references.
+
+
+
+
+
+ The MD5 hash algorithm.
+
+
+
+
+ The SHA-1 hash algorithm.
+
+
+
+
+ The SHA-224 hash algorithm.
+
+
+
+
+ The SHA-256 hash algorithm.
+
+
+
+
+ The SHA-384 hash algorithm.
+
+
+
+
+ The SHA-512 hash algorithm.
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityObjectVariableRefType complex type defines a string object entity that has a valid OVAL variable id as the value. The empty string is also allowed to support empty elements associated with variable references.
+
+
+
+
+
+
+
+
+
+ The EntityStateVariableRefType complex type defines a string state entity that has a valid OVAL variable id as the value. The empty string is also allowed to support empty elements associated with variable references.
+
+
+
+
+
+
+
+
+
+ The EntityStateLdaptypeType complex type restricts a string value to a specific set of values that specify the different types of information that an ldap attribute can represent. The empty string is also allowed to support empty elements associated with variable references.
+
+
+
+
+
+ ACI Item, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.1
+
+
+
+
+ Access Point, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.2
+
+
+
+
+ Attribute Type Description, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.3
+
+
+
+
+ Audio, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.4
+
+
+
+
+ Binary, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.5
+
+
+
+
+ Bit String, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.6
+
+
+
+
+ Boolean, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.7
+
+
+
+
+ Certificate, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.8
+
+
+
+
+ Certificate List, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.9
+
+
+
+
+ Certificate Pair, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.10
+
+
+
+
+ Country String, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.11
+
+
+
+
+ DN, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.12
+
+
+
+
+ Data Quality Syntax, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.13
+
+
+
+
+ Delivery Method, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.14
+
+
+
+
+ Directory String, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.15
+
+
+
+
+ DIT Content Rule Description, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.16
+
+
+
+
+ DIT Structure Rule Description, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.17
+
+
+
+
+ DL Submit Permission, corresponding to OID Y 1.3.6.1.4.1.1466.115.121.1.18
+
+
+
+
+ DSA Quality Syntax, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.19
+
+
+
+
+ DSE Type, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.20
+
+
+
+
+ Enhanced Guide, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.21
+
+
+
+
+ Facsimile Telephone Number, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.22
+
+
+
+
+ Fax, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.23
+
+
+
+
+ Generalized Time, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.24
+
+
+
+
+ Guide, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.25
+
+
+
+
+ IA5 String, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.26
+
+
+
+
+ INTEGER, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.27
+
+
+
+
+ JPEG, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.28
+
+
+
+
+ LDAP Syntax Description, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.54
+
+
+
+
+ LDAP Schema Definition, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.56
+
+
+
+
+ LDAP Schema Description, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.57
+
+
+
+
+ Master And Shadow Access Points, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.29
+
+
+
+
+ Matching Rule Description, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.30
+
+
+
+
+ Matching Rule Use Description, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.31
+
+
+
+
+ Mail Preference, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.32
+
+
+
+
+ MHS OR Address, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.33
+
+
+
+
+ Modify Rights, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.55
+
+
+
+
+ Name And Optional UID, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.34
+
+
+
+
+ Name Form Description, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.35
+
+
+
+
+ Numeric String, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.36
+
+
+
+
+ Object Class Description, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.37
+
+
+
+
+ Octet String, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.40
+
+
+
+
+ OID, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.38
+
+
+
+
+ Other Mailbox, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.39
+
+
+
+
+ Postal Address, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.41
+
+
+
+
+ Protocol Information, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.42
+
+
+
+
+ Presentation Address, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.43
+
+
+
+
+ Printable String, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.44
+
+
+
+
+ Substring Assertion, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.58
+
+
+
+
+ Subtree Specification, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.45
+
+
+
+
+ Supplier Information, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.46
+
+
+
+
+ Supplier Or Consumer, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.47
+
+
+
+
+ Supplier And Consumer, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.48
+
+
+
+
+ Supported Algorithm, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.49
+
+
+
+
+ Telephone Number, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.50
+
+
+
+
+ Teletex Terminal Identifier, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.51
+
+
+
+
+ Telex Number, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.52
+
+
+
+
+ UTC Time, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.53
+
+
+
+
+ The data is of a time stamp in seconds.
+
+
+ 5.7
+ This value was accidently carried over from the win-def:EntityStateAdstypeType as it was used as a template for the ind-def:EntityStateLdaptypeType.
+ This value has been deprecated and will be removed in version 6.0 of the language.
+
+
+
+
+ DEPRECATED ELEMENT VALUE IN: ldap_state ELEMENT VALUE:
+
+
+
+
+
+
+
+
+ The data is of an e-mail message.
+
+
+ 5.7
+ This value was accidently carried over from the win-def:EntityStateAdstypeType as it was used as a template for the ind-def:EntityStateLdaptypeType.
+ This value has been deprecated and will be removed in version 6.0 of the language.
+
+
+
+
+ DEPRECATED ELEMENT VALUE IN: ldap_state ELEMENT VALUE:
+
+
+
+
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityStateWindowsViewType restricts a string value to a specific set of values: 32-bit and 64-bit. These values describe the different values possible for the windows view behavior.
+
+
+
+
+
+ Indicates the 32_bit windows view.
+
+
+
+
+ Indicates the 64_bit windows view.
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
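Review bot: the EntityStateWindowsViewType documentation at the end of this hunk ("a specific set of values: 32-bit and 64-bit") does not match the enumeration it describes, whose values are '32_bit' and '64_bit' (the same underscore form the windows_view behavior text uses); write the literal enumeration values so authors do not copy the hyphenated form into a state. Earlier in the hunk, the xpath entity text says the expression "must evaluate to a list of zero or more text values" and that "a nodes set" is an error, but in XPath 1.0 every location path yields a node-set, so `//a/@b` and `//a/text()` are node-sets too; say explicitly that node-sets of text or attribute nodes are accepted (using each node's string-value) and that only element node-sets, numbers and booleans are errors, otherwise interpreters will disagree on the same content. The 'recurse' behavior text ("a max-depth other than 0 has to be specified for recursion to take place") is misleading because the default max_depth is -1 (unlimited) and it is the default recurse_direction of 'none' that disables recursion; reword to say recursion happens only when recurse_direction is 'up' or 'down' and max_depth is not 0. Smaller fixes: "corresponding to OID Y 1.3.6.1.4.1.1466.115.121.1.18" has a stray "Y"; "accidently" (twice) should be "accidentally"; "is considered an error" should be "are considered an error". Finally, the hash type enumerations list MD5 and SHA-1 without comment; a one-line note recommending SHA-256 or stronger for file integrity assertions would help content authors who pick an algorithm from this list.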
diff --git a/oval-schemas/independent-system-characteristics-schema.xsd b/oval-schemas/independent-system-characteristics-schema.xsd
new file mode 100644
index 0000000..202e1a0
--- /dev/null
+++ b/oval-schemas/independent-system-characteristics-schema.xsd
@@ -0,0 +1,1207 @@
+
+
+
+
+ This document outlines the items of the OVAL System Characteristics XML schema that are independent of any specific family or platform. Each iten is an extention of a basic System Characteristics item defined in the core System Characteristics XML schema.
+ The OVAL Schema is maintained by the OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.cisecurity.org.
+
+ Independent System Characteristics
+ 5.11.1:1.2
+ 11/30/2016 09:00:00 AM
+ Copyright (c) 2016, Center for Internet Security. All rights reserved. The contents of this file are subject to the terms of the OVAL License located at https://oval.cisecurity.org/terms. See the OVAL License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the OVAL Schema, this license header must be included.
+
+
+
+
+
+
+
+
+
+
+ This element stores high level system OS type, otherwise known as the family.
+
+
+
+
+
+
+
+ This element describes the high level system OS type, otherwise known as the family.
+
+
+
+
+
+
+
+
+
+
+
+
+ This element stores the different hash values associated with a specific file.
+
+
+ 5.8
+ Replaced by the filehash58_item which allows the hash algorithm to be specified when collecting data. See the filehash58_item.
+ This item has been deprecated and may be removed in a future version of the language.
+
+
+
+ DEPRECATED ITEM: ID:
+
+
+
+
+
+
+
+
+
+
+ The filepath element specifies the absolute path for a file on the machine. A directory cannot be specified as a filepath.
+
+
+
+
+ The path element specifies the directory component of the absolute path to a file on the machine.
+
+
+
+
+ The name of the file.
+
+
+
+
+ The md5 hash of the file
+
+
+
+
+ The sha1 hash of the file
+
+
+
+
+ The windows view value from which this OVAL Item was collected. This is used to indicate from which view (32-bit or 64-bit), the associated Item was collected. A value of '32_bit' indicates the Item was collected from the 32-bit view. A value of '64-bit' indicates the Item was collected from the 64-bit view. Omitting this entity removes any assertion about which view the Item was collected from, and therefore it is strongly suggested that this entity be set. This entity only applies to 64-bit Microsoft Windows operating systems.
+
+
+
+
+
+
+
+
+
+
+
+
+ This element stores a hash value associated with a specific file.
+
+
+
+
+
+
+
+ The filepath element specifies the absolute path for a file on the machine. A directory cannot be specified as a filepath.
+
+
+
+
+ The path element specifies the directory component of the absolute path to a file on the machine.
+
+
+
+
+ The name of the file.
+
+
+
+
+ Identifier for the hash algorithm used to calculate the hash.
+
+
+
+
+ The result of applying the hash algorithm to the file.
+
+
+
+
+ The windows view value from which this OVAL Item was collected. This is used to indicate from which view (32-bit or 64-bit), the associated Item was collected. A value of '32_bit' indicates the Item was collected from the 32-bit view. A value of '64-bit' indicates the Item was collected from the 64-bit view. Omitting this entity removes any assertion about which view the Item was collected from, and therefore it is strongly suggested that this entity be set. This entity only applies to 64-bit Microsoft Windows operating systems.
+
+
+
+
+
+
+
+
+
+
+
+
+ This item stores information about environment variables and their values.
+
+
+ 5.8
+ Replaced by the environmentvariable58_item. This item allows the hash algorithm to be specified. See the filehash58_item.
+ This object has been deprecated and may be removed in a future version of the language.
+
+
+
+ DEPRECATED ITEM: ID:
+
+
+
+
+
+
+
+
+
+
+ This element describes the name of an environment variable.
+
+
+
+
+ The actual value of the specified environment variable.
+
+
+
+
+
+
+
+
+
+
+
+
+ This item stores information about an environment variable, the process ID of the process from which it was retrieved, and its corresponding value.
+
+
+
+
+
+
+
+ The process ID of the process from which the environment variable was retrieved.
+
+
+
+
+ This element describes the name of an environment variable.
+
+
+
+
+ The actual value of the specified environment variable.
+
+
+
+
+
+
+
+
+
+
+
+
+ This element holds information about specific entries in the LDAP directory. It extends the standard ItemType as defined in the oval-system-characteristics schema and one should refer to the ItemType description for more information.
+
+
+
+
+
+
+
+ Each object in an LDAP directory exists under a certain suffix (also known as a naming context). A suffix is defined as a single object in the Directory Information Tree (DIT) with every object in the tree subordinate to it.
+
+
+
+
+ The relative_dn field is used to uniquely identify an item inside the specified suffix. It contains all of the parts of the item's distinguished name except those outlined by the suffix. If the xsi:nil attribute is set to true, then the item being represented is the higher level suffix.
+
+
+
+
+ Specifies a named value contained by the object.
+
+
+
+
+ The name of the class of which the object is an instance.
+
+
+
+
+ Specifies the type of information that the specified attribute represents.
+
+
+
+
+ The actual value of the specified LDAP attribute.
+
+
+
+
+
+
+
+
+
+
+
+
+ This element holds information about specific entries in the LDAP directory. It extends the standard ItemType as defined in the oval-system-characteristics schema and one should refer to the ItemType description for more information.
+
+
+ 5.11.2
+ Use the original ldap_item. The ldap57_test suffers from ambiguity; it was never adequately specified, and it does not even seem possible to have structured data in the context of the enumerated LdaptypeTypes. Use the original ldap_test instead.
+ This test has been deprecated and will be removed in version 6.0 of the language.
+
+
+
+ DEPRECATED ITEM: ID:
+
+
+
+
+
+
+
+
+
+
+ Each object in an LDAP directory exists under a certain suffix (also known as a naming context). A suffix is defined as a single object in the Directory Information Tree (DIT) with every object in the tree subordinate to it.
+
+
+
+
+ The relative_dn field is used to uniquely identify an item inside the specified suffix. It contains all of the parts of the item's distinguished name except those outlined by the suffix. If the xsi:nil attribute is set to true, then the item being represented is the higher level suffix.
+
+
+
+
+ Specifies a named value contained by the object.
+
+
+
+
+ The name of the class of which the object is an instance.
+
+
+
+
+ Specifies the type of information that the specified attribute represents.
+
+
+
+
+ The actual value of the specified LDAP attribute. Note that while an LDAP attribute can contain structured data where it is necessary to collect multiple related fields that can be described by the 'record' datatype, it is not always the case. It also is possible that an LDAP attribute can contain only a single value or an array of values. In these cases, there is not a name to uniquely identify the corresponding field(s) which is a requirement for fields in the 'record' datatype. As a result, the name of the LDAP attribute will be used to uniquely identify the field(s) and satisfy this requirement. If the LDAP attribute contains a single value, the 'record' will have a single field identified by the name of the LDAP attribute. If the LDAP attribute contains an array of values, the 'record' will have multiple fields all identified by the name of the LDAP attribute.
+
+
+
+ - datatype attribute for the value entity of a ldap57_item must be 'record'
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The sql_item outlines information collected from a database via an SQL query.
+
+
+ 5.7
+ Replaced by the sql57_item. This item allows for single fields to be selected from a database. A new item was created to allow more than one field to be selected in one statement. See the sql57_item.
+ This object has been deprecated and may be removed in a future version of the language.
+
+
+
+ DEPRECATED ITEM: ID:
+
+
+
+
+
+
+
+
+
+
+ The engine entity identifies the specific database engine used to connect to the database.
+
+
+
+
+ The version entity identifies the version of the database engine used to connect to the database.
+
+
+
+
+ The connection_string entity defines connection parameters used to connect to the specific database.
+
+
+
+
+ The sql entity holds the specific query used to identify the object(s) in the database.
+
+
+
+
+ The result entity specifies the result(s) of the given SQL query against the database.
+
+
+
+
+
+
+
+
+
+
+
+
+ The sql57_item outlines information collected from a database via an SQL query.
+
+
+
+
+
+
+
+ The engine entity identifies the specific database engine used to connect to the database.
+
+
+
+
+ The version entity identifies the version of the database engine used to connect to the database.
+
+
+
+
+ The connection_string entity defines connection parameters used to connect to the specific database.
+
+
+
+
+ The sql entity holds the specific query used to identify the object(s) in the database.
+
+
+
+
+ The result entity holds the results of the specified SQL statement.
+
+
+
+ - datatype attribute for the result entity of a sql57_item must be 'record'
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The textfilecontent_item looks at the contents of a text file (aka a configuration file) by looking at individual lines.
+
+
+
+
+
+
+
+ The filepath element specifies the absolute path for a file on the machine. A directory cannot be specified as a filepath.
+
+
+
+
+ The path element specifies the directory component of the absolute path to a file on the machine.
+
+
+
+
+ The filename entity specifies the name of the file (without the path) that is being represented.
+
+
+
+
+ The pattern entity represents a regular expression that is used to define a block of text. Subexpression notation (parenthesis) is used to call out a value(s) to test against. For example, the pattern abc(.*)xyz would look for a block of text in the file that starts with abc and ends with xyz, with the subexpression being all the characters that exist inbetween. Note that if the pattern can match more than one block of text starting at the same point, then it matches the longest. Subexpressions also match the longest possible substrings, subject to the constraint that the whole match be as long as possible, with subexpressions starting earlier in the pattern taking priority over ones starting later.
+
+
+
+
+ The instance entity calls out which match of the pattern is being represented by this item. The first match is given an instance value of 1, the second match is given an instance value of 2, and so on. The main purpose of this entity is too provide uniqueness for different textfilecontent_items that results from multiple matches of a given pattern against the same file.
+
+
+
+ - the value of instance must be greater than one
+
+
+
+
+
+
+
+ The line element represents a line in the file and is represented using a regular expression.
+
+
+ 5.4
+ Due to the fact that the TextFileContent54_test supports multi-line pattern matching, the line entity is no longer needed.
+ This entity has been deprecated and will be removed in version 6.0 of the language.
+
+
+
+ DEPRECATED ELEMENT: ID:
+
+
+
+
+
+
+
+ The text entity represents the block of text that matched the specified pattern.
+
+
+
+
+ The subexpression entity represents the value of a subexpression in the specified pattern. If multiple subexpressions are specified in the pattern, then multiple entities are presented. Note that the textfilecontent_state in the definition schema only allows a single subexpression entity. This means that the test will check that all (or at least one, none, etc.) the subexpressions pass the same check. This means that the order of multiple subexpression entities in the item does not matter.
+
+
+
+
+ The windows view value from which this OVAL Item was collected. This is used to indicate from which view (32-bit or 64-bit), the associated Item was collected. A value of '32_bit' indicates the Item was collected from the 32-bit view. A value of '64-bit' indicates the Item was collected from the 64-bit view. Omitting this entity removes any assertion about which view the Item was collected from, and therefore it is strongly suggested that this entity be set. This entity only applies to 64-bit Microsoft Windows operating systems.
+
+
+
+
+
+
+
+
+
+
+
+
+ This item stores information about OVAL Variables and their values.
+
+
+
+
+
+
+
+ The id of the variable.
+
+
+
+
+ The value of the variable. If a variable represents and array of values, then multiple value elements should exist.
+
+
+
+
+
+
+
+
+
+
+
+
+ This item stores results from checking the contents of an xml file.
+
+
+
+
+
+
+
+ The filepath element specifies the absolute path for a file on the machine. A directory cannot be specified as a filepath.
+
+
+
+
+ The path element specifies the directory component of the absolute path to a file on the machine.
+
+
+
+
+ The filename element specifies the name of the file.
+
+
+
+
+ Specifies an XPath 1.0 expression to evaluate against the XML file specified by the filename entity. This XPath 1.0 expression must evaluate to a list of zero or more text values which will be accessible in OVAL via instances of the value_of entity. Any results from evaluating the XPath 1.0 expression other than a list of text strings (e.g., a nodes set) is considered an error. The intention is that the text values be drawn from instances of a single, uniquely named element or attribute. However, an OVAL interpreter is not required to verify this, so the author should define the XPath expression carefully. Note that "equals" is the only valid operator for the xpath entity.
+
+
+
+
+ The value_of element checks the value(s) of the text node(s) or attribute(s) found. How this is used is entirely controlled by operator attributes.
+
+
+
+
+ The windows view value from which this OVAL Item was collected. This is used to indicate from which view (32-bit or 64-bit), the associated Item was collected. A value of '32_bit' indicates the Item was collected from the 32-bit view. A value of '64-bit' indicates the Item was collected from the 64-bit view. Omitting this entity removes any assertion about which view the Item was collected from, and therefore it is strongly suggested that this entity be set. This entity only applies to 64-bit Microsoft Windows operating systems.
+
+
+
+
+
+
+
+
+
+
+
+
+ The EntityItemEngineType complex type defines a string entity value that is restricted to an enumeration. Each valid entry in the enumeration is a valid database engine.
+
+
+
+
+
+ The access value describes the Microsoft Access database engine.
+
+
+
+
+ The db2 value describes the IBM DB2 database engine.
+
+
+
+
+ The cache value describes the InterSystems Cache database engine.
+
+
+
+
+ The firebird value describes the Firebird database engine.
+
+
+
+
+ The firstsql value describes the FirstSQL database engine.
+
+
+
+
+ The foxpro value describes the Microsoft FoxPro database engine.
+
+
+
+
+ The informix value describes the IBM Informix database engine.
+
+
+
+
+ The ingres value describes the Ingres database engine.
+
+
+
+
+ The interbase value describes the Embarcadero Technologies InterBase database engine.
+
+
+
+
+ The lightbase value describes the Light Infocon LightBase database engine.
+
+
+
+
+ The maxdb value describes the SAP MaxDB database engine.
+
+
+
+
+ The monetdb value describes the MonetDB SQL database engine.
+
+
+
+
+ The mimer value describes the Mimer SQL database engine.
+
+
+
+
+ The mysql value describes the MySQL database engine.
+
+
+
+
+ The oracle value describes the Oracle database engine.
+
+
+
+
+ The paradox value describes the Paradox database engine.
+
+
+
+
+ The pervasive value describes the Pervasive PSQL database engine.
+
+
+
+
+ The postgre value describes the PostgreSQL database engine.
+
+
+
+
+ The sqlbase value describes the Unify SQLBase database engine.
+
+
+
+
+ The sqlite value describes the SQLite database engine.
+
+
+
+
+ The sqlserver value describes the Microsoft SQL database engine.
+
+
+
+
+ The sybase value describes the Sybase database engine.
+
+
+
+
+ The empty string value is permitted here to allow for detailed error reporting.
+
+
+
+
+
+
+
+ The EntityItemFamilyType complex type defines a string entity value that is restricted to a set of enumerations. Each valid enumeration is a high-level family of system operating system.
+
+
+
+
+
+ The android value describes the Android mobile operating system.
+
+
+
+
+ The apple_ios value describes the iOS mobile operating system.
+
+
+
+
+ The asa value describes the Cisco ASA security devices.
+
+
+
+
+ The catos value describes the Cisco CatOS operating system.
+
+
+
+
+ The ios value describes the Cisco IOS operating system.
+
+
+
+
+ The iosxe value describes the Cisco IOS-XE operating system.
+
+
+
+
+ The junos value describes the Juniper JunOS operating system.
+
+
+
+
+ The macos value describes the Mac operating system.
+
+
+
+
+ The pixos value describes the Cisco PIX operating system.
+
+
+
+
+ The undefined value is to be used when the desired family is not available.
+
+
+
+
+ The unix value describes the UNIX operating system.
+
+
+
+
+ The vmware_infrastructure value describes VMWare Infrastructure.
+
+
+
+
+ The windows value describes the Microsoft Windows operating system.
+
+
+
+
+ The empty string value is permitted here to allow for detailed error reporting.
+
+
+
+
+
+
+
+ The EntityItemHashTypeType complex type restricts a string value to a specific set of values that specify the different hash algorithms that are supported. The empty string is also allowed to support empty elements associated with variable references.
+
+
+
+
+
+ The MD5 hash algorithm.
+
+
+
+
+ The SHA-1 hash algorithm.
+
+
+
+
+ The SHA-224 hash algorithm.
+
+
+
+
+ The SHA-256 hash algorithm.
+
+
+
+
+ The SHA-384 hash algorithm.
+
+
+
+
+ The SHA-512 hash algorithm.
+
+
+
+
+ The empty string value is permitted here to allow for detailed error reporting.
+
+
+
+
+
+
+
+ The EntityItemVariableRefType complex type defines a string item entity that has a valid OVAL variable id as the value.
+
+
+
+
+
+
+
+
+
+ The EntityItemLdaptypeType complex type restricts a string value to a specific set of values that specify the different types of information that an ldap attribute can represent. The empty string value is permitted here to allow for detailed error reporting.
+
+
+
+
+
+ ACI Item, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.1
+
+
+
+
+ Access Point, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.2
+
+
+
+
+ Attribute Type Description, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.3
+
+
+
+
+ Audio, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.4
+
+
+
+
+ Binary, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.5
+
+
+
+
+ Bit String, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.6
+
+
+
+
+ Boolean, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.7
+
+
+
+
+ Certificate, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.8
+
+
+
+
+ Certificate List, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.9
+
+
+
+
+ Certificate Pair, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.10
+
+
+
+
+ Country String, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.11
+
+
+
+
+ DN, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.12
+
+
+
+
+ Data Quality Syntax, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.13
+
+
+
+
+ Delivery Method, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.14
+
+
+
+
+ Directory String, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.15
+
+
+
+
+ DIT Content Rule Description, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.16
+
+
+
+
+ DIT Structure Rule Description, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.17
+
+
+
+
+ DL Submit Permission, corresponding to OID Y 1.3.6.1.4.1.1466.115.121.1.18
+
+
+
+
+ DSA Quality Syntax, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.19
+
+
+
+
+ DSE Type, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.20
+
+
+
+
+ Enhanced Guide, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.21
+
+
+
+
+ Facsimile Telephone Number, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.22
+
+
+
+
+ Fax, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.23
+
+
+
+
+ Generalized Time, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.24
+
+
+
+
+ Guide, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.25
+
+
+
+
+ IA5 String, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.26
+
+
+
+
+ INTEGER, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.27
+
+
+
+
+ JPEG, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.28
+
+
+
+
+ LDAP Syntax Description, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.54
+
+
+
+
+ LDAP Schema Definition, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.56
+
+
+
+
+ LDAP Schema Description, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.57
+
+
+
+
+ Master And Shadow Access Points, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.29
+
+
+
+
+ Matching Rule Description, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.30
+
+
+
+
+ Matching Rule Use Description, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.31
+
+
+
+
+ Mail Preference, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.32
+
+
+
+
+ MHS OR Address, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.33
+
+
+
+
+ Modify Rights, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.55
+
+
+
+
+ Name And Optional UID, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.34
+
+
+
+
+ Name Form Description, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.35
+
+
+
+
+ Numeric String, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.36
+
+
+
+
+ Object Class Description, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.37
+
+
+
+
+ Octet String, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.40
+
+
+
+
+ OID, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.38
+
+
+
+
+ Other Mailbox, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.39
+
+
+
+
+ Postal Address, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.41
+
+
+
+
+ Protocol Information, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.42
+
+
+
+
+ Presentation Address, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.43
+
+
+
+
+ Printable String, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.44
+
+
+
+
+ Substring Assertion, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.58
+
+
+
+
+ Subtree Specification, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.45
+
+
+
+
+ Supplier Information, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.46
+
+
+
+
+ Supplier Or Consumer, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.47
+
+
+
+
+ Supplier And Consumer, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.48
+
+
+
+
+ Supported Algorithm, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.49
+
+
+
+
+ Telephone Number, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.50
+
+
+
+
+ Teletex Terminal Identifier, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.51
+
+
+
+
+ Telex Number, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.52
+
+
+
+
+ UTC Time, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.53
+
+
+
+
+ The data is of a time stamp in seconds.
+
+
+ 5.7
+ This value was accidently carried over from the win-sc:EntityItemAdstypeType as it was used as a template for the ind-sc:EntityItemLdaptypeType.
+ This value has been deprecated and will be removed in version 6.0 of the language.
+
+
+
+
+ DEPRECATED ELEMENT VALUE IN: ldap_item ELEMENT VALUE:
+
+
+
+
+
+
+
+
+ The data is of an e-mail message.
+
+
+ 5.7
+ This value was accidently carried over from the win-sc:EntityItemAdstypeType as it was used as a template for the ind-sc:EntityItemLdaptypeType.
+ This value has been deprecated and will be removed in version 6.0 of the language.
+
+
+
+
+ DEPRECATED ELEMENT VALUE IN: ldap_item ELEMENT VALUE:
+
+
+
+
+
+
+
+
+ The empty string value is permitted here to allow for detailed error reporting.
+
+
+
+
+
+
+
+ The EntityItemWindowsViewType restricts a string value to a specific set of values: 32-bit and 64-bit. These values describe the different values possible for the windows view behavior.
+
+
+
+
+
+ Indicates the 32_bit windows view.
+
+
+
+
+ Indicates the 64_bit windows view.
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
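Review bot: the windows_view documentation names the enumeration values inconsistently. "A value of '32_bit' indicates the Item was collected from the 32-bit view. A value of '64-bit' indicates the Item was collected from the 64-bit view." mixes an underscore form with a hyphen form, while the EntityItemWindowsViewType entries further down read "Indicates the 32_bit windows view." and "Indicates the 64_bit windows view." and the type description says "32-bit and 64-bit". Please use the literal enumeration spelling (32_bit / 64_bit) wherever a value is quoted, so a reader copying the documented literal gets one that validates. Smaller points in the same hunk: "DL Submit Permission, corresponding to OID Y 1.3.6.1.4.1.1466.115.121.1.18" has a stray "Y" before the OID; the EntityItemHashTypeType description justifies the empty string with "to support empty elements associated with variable references" while its enumeration entry says "to allow for detailed error reporting", and the two should agree; "accidently" (twice, in the two deprecated ldaptype entries) should be "accidentally"; "The sqlserver value describes the Microsoft SQL database engine." presumably means Microsoft SQL Server; and "a high-level family of system operating system" reads awkwardly, "a high-level operating system family" would do.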
diff --git a/oval-schemas/ios-definitions-schema.xsd b/oval-schemas/ios-definitions-schema.xsd
new file mode 100644
index 0000000..f7021a4
--- /dev/null
+++ b/oval-schemas/ios-definitions-schema.xsd
@@ -0,0 +1,2375 @@
+
+
+
+
+
+ The following is a description of the elements, types, and attributes that compose the IOS specific tests found in Open Vulnerability and Assessment Language (OVAL). Each test is an extension of the standard test element defined in the Core Definition Schema. Through extension, each test inherits a set of elements and attributes that are shared amongst all OVAL tests. Each test is described in detail and should provide the information necessary to understand what each element and attribute represents. This document is intended for developers and assumes some familiarity with XML. A high level description of the interaction between the different tests and their relationship to the Core Definition Schema is not outlined here.
+ The OVAL Schema is maintained by the OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.cisecurity.org.
+
+ IOS Definition
+ 5.11.1:1.2
+ 11/30/2016 09:00:00 AM
+ Copyright (c) 2016, Center for Internet Security. All rights reserved. The contents of this file are subject to the terms of the OVAL License located at https://oval.cisecurity.org/terms. See the OVAL License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the OVAL Schema, this license header must be included.
+
+
+
+
+
+
+
+
+
+
+ The acl test is used to check the properties of specific output lines from an ACL configuration.
+
+
+ acl_test
+ acl_object
+ acl_state
+ acl_item
+
+
+
+
+
+ - the object child element of a acl_test must reference a acl_object
+
+
+ - the state child element of a acl_test must reference a acl_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The acl_object element is used by an acl test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+ An acl object consists of a an acl name and an IP version entity that is the name and the IP protocol version of the access-list to be tested.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The name of the ACL.
+
+
+
+
+ The IP version of the ACL.
+
+
+
+
+
+
+
+
+
+
+
+
+ The acl_state element defines the different information that can be used to evaluate the result of a specific ACL configuration. This includes the name of ths ACL and the corresponding config lines. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ The name of the ACL.
+
+
+
+
+ The IP version of the ACL.
+
+
+
+
+ The feature where the ACL is used.
+
+
+
+
+ The name of where the ACL is used. For example if use is 'INTERFACE', use_in will be the name of the interface.
+
+
+
+
+ The direction the ACL is applied on an interface.
+
+
+
+
+ The value returned with all config lines of the ACL.
+
+
+
+
+ The value returned with one ACL config line at a time.
+
+
+
+
+
+
+
+
+
+
+
+
+ The bgpneighbor test is used to check the bgp neighbpr properties of bgp instances instances in IOS.
+
+
+ bgpneighbor_test
+ bgpneighbor_object
+ bgpneighbor_state
+ bgpneighbor_item
+
+
+
+
+
+ - the object child element of a bgpneighbor_test must reference a bgpneighbor_object
+
+
+ - the state child element of a bgpneighbor_test must reference a bgpneighbor_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The bgpneighbor_object element is used by a bgpneighbor test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+ A bgpneighbor object consists of a neighbor entity.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The bgp neighbor.
+
+
+
+
+
+
+
+
+
+
+
+
+ The bgpneighbor_state element defines the different information that can be used to evaluate the result of a bgp neighbor configuration. This includes the neighbor and the password option, if configured. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ The bgp neighbor.
+
+
+
+
+ The bgp authentication password, if configured. If Encryption type is configured it should be included in the password string. For example '0 cisco123'.
+
+
+
+
+
+
+
+
+
+
+
+
+ The global test is used to check for the existence of a particular line in the ios config file under the global context. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a global_object and the optional state element specifies the data to check.
+
+
+ global_test
+ global_object
+ global_state
+ global_item
+
+
+
+
+
+ - the object child element of a global_test must reference a global_object
+
+
+ - the state child element of a global_test must reference a global_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The global_object element is used by a global test to define the object to be evaluated. For the most part this object checks for existence and is used without a state comparision. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The global_command entity identifies a specific line in the ios config file under the global context.
+
+
+
+
+
+
+
+
+
+
+
+
+ The global_state element defines the different information that can be found in the ios config file under the global context. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ The global_command entity identifies a specific line in the ios config file under the global context.
+
+
+
+
+
+
+
+
+
+
+
+
+ The interface test is used to check for the existence of a particular interface on the Cisco IOS device. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a interface_object and the optional state element specifies the data to check.
+
+
+ interface_test
+ interface_object
+ interface_state
+ interface_item
+
+
+
+
+
+ - the object child element of an interface_test must reference an interface_object
+
+
+ - the state child element of an interface_test must reference an interface_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The interface_object element is used by an interface_test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+ An interface_object consists of a name entity that is the name of the IOS interface to be tested.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The interface_state element defines the different information that can be used to evaluate the result of a specific IOS interface. This includes the name, status, and address information about the interface. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+
+
+
+
+
+ Directed broadcast command enabled on the interface. The default is false.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 5.11
+ This entity has been deprecated because the ip_directed_broadcast_command has been updated to support a boolean value and this entity can be represented with a value of 'false'.
+
+
+
+ DEPRECATED ELEMENT: ID:
+
+
+
+
+
+
+
+ Element that is true if the proxy_arp command is enabled on the interface. The default is true.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Element that is true if the interface is shut down. The default is false.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The interface hardware (MAC) address.
+
+
+
+
+ The interface IPv4 address and mask. This element should only allow 'ipv4_address' of the oval:SimpleDatatypeEnumeration.
+
+
+
+
+ The interface IPv6 address and mask. This element should only allow 'ipv6_address' of the oval:SimpleDatatypeEnumeration.
+
+
+
+
+ The ingress or egress IPv4 ACL name applied on the interface.
+
+
+
+
+ The ingress or egress IPv6 ACL name applied on the interface.
+
+
+
+
+ The crypto map name applied to the interface.
+
+
+
+
+ The IPv4 uRPF command under the interface.
+
+
+
+
+ The IPv6 uRPF command under the interface.
+
+
+
+
+ The uRPF command under the interface.
+
+
+ 5.11.2:1.0
+ This entity has been deprecated because it was replaced by the ipv4_urpf_command and ipv6_urpf_command entities.
+
+
+
+ Warning: DEPRECATED ENTITY: . This entity has been deprecated because it was replaced by the ipv4_urpf_command and ipv6_urpf_command entities.
+
+
+
+
+
+
+
+ The switchport trunk encapsulation option configured on the interface (if applicable).
+
+
+
+
+ The switchport mode option configured on the interface (if applicable).
+
+
+
+
+ The trunk native vlan configured on the interface (if applicable).
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The access vlan configured on the interface (if applicable).
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The vlans that are trunked configured on the interface (if applicable).
+
+
+
+
+ The vlans that are pruned from the trunk (if applicable).
+
+
+
+
+ The switchport port-security commands configured on the interface (if applicable).
+
+
+
+
+
+
+
+
+
+
+
+
+ The line test is used to check the properties of specific output lines from a SHOW command, such as show running-config. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a line_object and the optional state element specifies the data to check.
+
+
+ line_test
+ line_object
+ line_state
+ line_item
+
+
+
+
+
+ - the object child element of a line_test must reference a line_object
+
+
+ - the state child element of a line_test must reference a line_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The line_object element is used by a line test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+ A line object consists of a show_subcommand entity that is the name of a SHOW sub-command to be tested.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The name of a SHOW sub-command.
+
+
+
+
+
+
+
+
+
+
+
+
+ The line_state element defines the different information that can be used to evaluate the result of a specific SHOW sub-command. This includes the name of ths sub-command and the corresponding config line. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ The name of the SHOW sub-command.
+
+
+
+
+ The value returned from by the specified SHOW sub-command.
+
+
+
+
+
+
+
+
+
+
+
+
+ The router test is used to check the properties of specific output lines from a router configurated instance in IOS.
+
+
+ router_test
+ router_object
+ router_state
+ router_item
+
+
+
+
+
+ - the object child element of a router_test must reference a router_object
+
+
+ - the state child element of a router_test must reference a router_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The router_object element is used by a router test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+ A router object consists of a router protocol and router identifier entity.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The routing protocol of the router instance.
+
+
+
+
+ The IOS router id.
+
+
+
+
+
+
+
+
+
+
+
+
+ The router_state element defines the different information that can be used to evaluate the result of a specific router command. This includes the protocol of the router instance, the id, the networks, bgp neighbor, ospf authentication area commands and the corresponding config lines. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ The routing protocol of the router instance. If there are more than one router configurations, for example ospf instances, different objects should be created for each.
+
+
+
+
+ The IOS router id
+
+
+
+
+ The subnet in the network command of the router instance. The area can be included in the string for OSPF.
+
+
+
+
+ The BGP neighbors, if applicable.
+
+
+
+
+ The OSPF area that is authenticated, if applicable.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The value returned with all config lines of the router instance.
+
+
+
+
+
+
+
+
+
+
+
+
+ The routing protocol authentication interface test is used to check the properties of routing protocol authentication configured under interfaces in IOS.
+
+
+ routingprotocolauthintf_test
+ routingprotocolauthintf_object
+ routingprotocolauthintf_state
+ routingprotocolauthintf_item
+
+
+
+
+
+ - the object child element of a routingprotocolauthintf_test must reference a routingprotocolauthintf_object
+
+
+ - the state child element of a routingprotocolauthintf_test must reference a routingprotocolauthintf_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The routingprotocolauthintf_object element is used by a routingprotocolauthintf test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+ A routingprotocolauthintf object consists of an interface and the routing protocol that is authenticated entity.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The interface name.
+
+
+
+
+ The routing protocol.
+
+
+
+
+
+
+
+
+
+
+
+
+ The routingprotocolauthintf_state element defines the different information that can be used to evaluate the result of a specific routing protocol interface authentication configurations. This includes the interface, the protocol, the id, the authentication type, the ospf area, the key chain command and the corresponding config lines. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ The interface name.
+
+
+
+
+ The routing protocol.
+
+
+
+
+ The routing protocol id, if applicable.
+
+
+
+
+ The routing protocol authentication type.
+
+
+
+
+ The OSPF area that is authenticated, if applicable.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The name of the key chain, if applicable.
+
+
+
+
+
+
+
+
+
+
+
+
+ The section test is used to check the properties of specific output lines from a configuration section.
+
+
+ section_test
+ section_object
+ section_state
+ section_item
+
+
+
+
+
+ - the object child element of a section_test must reference a section_object
+
+
+ - the state child element of a section_test must reference a section_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The section_object element is used by a section test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+ A section object consists of a section_command entity that is the name of a section command to be tested.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The name of a section command.
+
+
+
+
+
+
+
+
+
+
+
+
+ The section_state element defines the different information that can be used to evaluate the result of a specific section command. This includes the name of ths section_command and the corresponding config lines. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ The name of the section command.
+
+
+
+
+ The value returned with all config lines of the section.
+
+
+
+
+ The value returned with one config line of the section at a time.
+
+
+
+
+
+
+
+
+
+
+
+
+ Tests if lines under the global context associated with snmp that have a specifiec access list or community name.
+
+
+ snmp_test
+ snmp_object
+ snmp_state
+ snmp_item
+
+
+
+
+
+ - the object child element of a snmp_test must reference a snmp_object
+
+
+ - the state child element of a snmp_test must reference a snmp_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The snmp_object element is used by a snmp test to define those objects to evaluated based on a specified state. There is actually only one object relating to snmp and this is the system as a whole. Therefore, there are no child entities defined. Any OVAL Test written to check snmp will reference the same snmp_object which is basically an empty object element.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The snmpcommunity test is used to check the properties of specific output lines from an SNMP configuration.
+
+
+ snmpcommunity_test
+ snmpcommunity_object
+ snmpcommunity_state
+ snmpcommunity_item
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The snmpcommunity_object element is used by an snmpcommunity test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+ An snmpcommunity object consists of a community name entity to be tested.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The SNMP community name.
+
+
+
+
+
+
+
+
+
+
+
+
+ The snmpcommunity_state element defines the different information that can be used to evaluate the result of a specific 'snmp community' IOS command. This includes the community name and the corresponding options. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ The SNMP community name.
+
+
+
+
+ The view that restricts the OIDs of this community.
+
+
+
+
+ The read-write privileges of the community.
+
+
+
+
+ The IPv4 ACL name applied to the community.
+
+
+
+
+ The IPv6 ACL name applied to the community.
+
+
+
+
+
+
+
+
+
+
+
+
+ The snmpgroup test is used to check the properties of specific output lines from an SNMP group configuration.
+
+
+ snmpgroup_test
+ snmpgroup_object
+ snmpgroup_state
+ snmpgroup_item
+
+
+
+
+
+ - the object child element of an snmpgroup_test must reference an snmpgroup_object
+
+
+ - the state child element of an snmpgroup_test must reference an snmpgroup_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The snmpgroup_object element is used by an snmpgroup test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+ A snmpgroup object consists of a name entity that is the name of the SNMP group to be tested.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The SNMP group name.
+
+
+
+
+
+
+
+
+
+
+
+
+ The snmpgroup_state element defines the different information that can be used to evaluate the result of a specific 'snmp-server group' IOS command. This includes the user name and the corresponding options. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ The SNMP group name.
+
+
+
+
+ The SNMP version of the group.
+
+
+
+
+ The SNMPv3 security configured for the group.
+
+
+
+
+ The IPv4 ACL name applied to the group.
+
+
+
+
+ The IPv6 ACL name applied to the group.
+
+
+
+
+ The SNMP read view applied to the group.
+
+
+
+
+ The SNMP write view applied to the group.
+
+
+
+
+ The SNMP notify view applied to the group.
+
+
+
+
+
+
+
+
+
+
+
+
+ The snmphost test is used to check the properties of specific output lines from an SNMP configuration.
+
+
+ snmphost_test
+ snmphost_object
+ snmphost_state
+ snmphost_item
+
+
+
+
+
+ - the object child element of an snmphost_test must reference an snmphost_object
+
+
+ - the state child element of an snmphost_test must reference an snmphost_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The snmphost_object element is used by an snmphost test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+ A snmphost object consists of a host entity that is the host of the 'snmp host' IOS command to be tested.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The SNMP host address or hostname.
+
+
+
+
+
+
+
+
+
+
+
+
+ The snmphost_state element defines the different information that can be used to evaluate the result of a specific 'snmp host' IOS command. This includes the host and the corresponding options. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ The SNMP host address or hostname.
+
+
+
+
+ The community string or SNMPv3 user configured for the host.
+
+
+
+
+ The SNMP version.
+
+
+
+
+ The SNMPv3 security configured for the host.
+
+
+
+
+ The SNMP traps configured.
+
+
+
+
+
+
+
+
+
+
+
+
+ The snmpuser test is used to check the properties of specific output lines from an SNMP user configuration.
+
+
+ snmpuser_test
+ snmpuser_object
+ snmpuser_state
+ snmpuser_item
+
+
+
+
+
+ - the object child element of an snmpuser_test must reference an snmpuser_object
+
+
+ - the state child element of an snmpuser_test must reference an snmpuser_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The snmpuser_object element is used by an snmpuser test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+ A snmpuser object consists of a name entity that is the name of the SNMP user to be tested.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The SNMP user name.
+
+
+
+
+
+
+
+
+
+
+
+
+ The snmpuser_state element defines the different information that can be used to evaluate the result of a specific 'show snmp user' IOS command. This includes the user name and the corresponding options. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ The SNMP user name.
+
+
+
+
+ The SNMP group the user belongs to.
+
+
+
+
+ The SNMP version of the user.
+
+
+
+
+ The IPv4 ACL name applied to the user.
+
+
+
+
+ The IPv6 ACL name applied to the user.
+
+
+
+
+ The SNMP encryption type for the user (for SNMPv3).
+
+
+
+
+ The SNMP authentication type for the user (for SNMPv3).
+
+
+
+
+
+
+
+
+
+
+
+
+ The snmpview test is used to check the properties of specific output lines from an SNMP view configuration.
+
+
+ snmpview_test
+ snmpview_object
+ snmpview_state
+ snmpview_item
+
+
+
+
+
+ - the object child element of an snmpview_test must reference an snmpview_object
+
+
+ - the state child element of an snmpview_test must reference an snmpview_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The snmpview_object element is used by an snmpview test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+ A snmpview object consists of a name entity that is the name of the SNMP view to be tested.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The SNMP view name.
+
+
+
+
+
+
+
+
+
+
+
+
+ The snmpview_state element defines the different information that can be used to evaluate the result of a specific 'snmp-server view' IOS command. This includes the view name and the corresponding options. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ The SNMP view name.
+
+
+
+
+ The SNMP MIB family of the view.
+
+
+
+
+ It is true if the included option is used in the view.
+
+
+
+
+
+
+
+
+
+
+
+
+ The tclsh test is used to check tclsh information of the IOS operating system. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a tclsh_object and the optional state element specifies the data to check.
+
+
+ tclsh_test
+ tclsh_object
+ tclsh_state
+ tclsh_item
+
+
+
+
+
+ - the object child element of a tclsh_test must reference a tclsh_object
+
+
+ - the state child element of a tclsh_test must reference a tclsh_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The tclsh_object element is used by a tclsh test to define those objects to evaluated based on a specified state. There is actually only one object relating to tchlsh and this is the system as a whole. Therefore, there are no child entities defined. Any OVAL Test written to check tclsh will reference the same tclsh_object which is basically an empty object element.
+
+
+
+
+
+
+
+
+
+ The tclsh_state element defines information about TCLSH. This includes the available entity which describes whether TCLSH is available on the system. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ This boolean entity describes whether TCLSH is available on the system. A value of true means that TCLSH is available.
+
+
+
+
+
+
+
+
+
+
+
+
+ The version55_test is used to check the version of the IOS operating system. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a version_object and the optional state element specifies the data to check.
+
+
+ version55_test
+ version55_object
+ version55_state
+ version_item
+
+
+
+
+
+ - the object child element of a version55_test must reference a version_object
+
+
+ - the state child element of a version55_test must reference a version_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The version55_object element is used by a version55_test to define the different version information associated with an IOS system. There is actually only one object relating to version and this is the system as a whole. Therefore, there are no child entities defined. Any OVAL Test written to check version will reference the same version55_object which is basically an empty object element.
+
+
+
+
+
+
+
+
+
+ The version55_state element defines the version information held within a Cisco IOS Train. A Cisco IOS train is a vehicle for delivering releases that evolve from a common code base.
+
+
+
+
+
+
+
+ The major_version entity is used to check the major version piece of the version string. The value is an integer and in the example 12.4(9)T0a the major version is '12'.
+
+
+
+
+ The minor_version entity is used to check the minor version piece of the version string. The value is an integer and in the example 12.4(9)T0a the minor version is '4'.
+
+
+
+
+ The release entity is used to check the release piece of the version string. The value is an integer and in the example 12.4(9)T0a the release is '9'.
+
+
+
+
+ The train_identifier entity is used to check the type of train represented in the version string. The value is a string and in the example 12.4(9)T0a the train identifier is 'T'. The following explaination from Wikipedia should help explain the different train identifiers. Cisco IOS releases are split into several "trains", each containing a different set of features. Trains more or less map onto distinct markets or groups of customers that Cisco is targeting. The 'mainline' train is designed to be the most stable release the company can offer, and its feature set never expands during its lifetime. Updates are released only to address bugs in the product. The previous technology train becomes the source for the current mainline train--for example, the 12.1T train becomes the basis for the 12.2 mainline. Therefore, to determine the features available in a particular mainline release, look at the previous T train release. The 'T' (Technology) train, gets new features and bug fixes throughout its life, and is therefore less stable than the mainline. (In releases prior to Cisco IOS Release 12.0, the P train served as the Technology train.) The 'S' (Service Provider) train, runs only on the company's core router products and is heavily customized for Service Provider customers. The 'E' (Enterprise) train, is customized for implementation in enterprise environments. The 'B' (broadband) train, support internet based broadband features. The 'XA', 'Xb' ... (special functionality) train, needs to be documented. There are other trains from time to time, designed for specific needs -- for example, the 12.0AA train contained new code required for Cisco's AS5800 product.
+
+
+
+
+ The rebuild entity is used to check the rebuild piece of the version string. The value is an integer and in the example 12.4(9)T0a the rebuild is '0'. Often a rebuild is compiled to fix a single specific problem or vulnerability for a given IOS version. For example, 12.1(8)E14 is a Rebuild, the 14 denoting the 14th rebuild of 12.1(8)E. Rebuilds are produced to either quickly repair a defect, or to satisfy customers who do not want to upgrade to a later major revision because they may be running critical infrastructure on their devices, and hence prefer to minimise change and risk.
+
+
+
+
+ The subrebuild entity is used to check the subrebuild piece of the version string. The value is a string and in the example 12.4(9)T0a the subrebuild is 'a'.
+
+
+
+
+ The mainline_rebuild entity is used to check the mainline rebuild piece of the version string. The mainline rebuild is just a regular rebuild release against the mainline operating system release (e.g. the branch of development that would typically be called "the trunk" that isn't associated with a train). Since there is no train identifier to stick the rebuild release after, they stick a alphabetic character inside the parens holding the maintenance release number. For example, 12.4(5b) is the second rebuild of the 12.4(5) maintenance release.
+
+
+
+
+ The version_string entity is used to check the raw string output of a 'show version' command.
+
+
+
+
+
+
+
+
+
+
+
+
+ The version test is used to check the version of the IOS operating system. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a version_object and the optional state element specifies the data to check.
+
+
+ version_test
+ version_object
+ version_state
+ version_item
+
+
+
+
+ 5.5
+ Replaced by the version55_test. Additional IOS version components were added to the version_state in order to support a wider range of IOS version strings. Also, the major_release and train_number entities were removed from the version_state element. A new test was created to reflect these changes. See the version55_test.
+ This test has been deprecated and will be removed in version 6.0 of the language.
+
+
+
+ DEPRECATED TEST: ID:
+
+
+
+
+
+
+ - the object child element of a version_test must reference a version_object
+
+
+ - the state child element of a version_test must reference a version_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The version_object element is used by a version test to define the different version information associated with an IOS system. There is actually only one object relating to version and this is the system as a whole. Therefore, there are no child entities defined. Any OVAL Test written to check version will reference the same version_object which is basically an empty object element.
+
+
+ 5.5
+ Replaced by the version55_object. Additional IOS version components were added to the version_state in order to support a wider range of IOS version strings. Also, the major_release and train_number entities were removed from the version_state element. A new object was created to reflect these changes. See the version55_object.
+ This object has been deprecated and will be removed in version 6.0 of the language.
+
+
+
+ DEPRECATED OBJECT: ID:
+
+
+
+
+
+
+
+
+
+
+
+
+ The version_state element defines the version information held within a Cisco IOS Train. A Cisco IOS train is a vehicle for delivering releases that evolve from a common code base.
+
+
+ 5.5
+ Replaced by the version55_state. Additional IOS version components were added to the version_state in order to support a wider range of IOS version strings. Also, the major_release and train_number entities were removed from this version_state element. A new state was created to reflect these changes. See the version55_state.
+ This state has been deprecated and will be removed in version 6.0 of the language.
+
+
+
+ DEPRECATED STATE: ID:
+
+
+
+
+
+
+
+
+
+
+ The major_release is a combination of train and rebuild information and is used by Cisco advisories to identify major releases.
+
+
+
+
+ The train number is the dotted version that starts a version string. For example the version string 12.2(3)T has a train number of 12.2.
+
+
+
+
+ The train identifier is the type of Train. For example the version string 12.2(3)T has a train identifier of T. Please see the EntityStateVersionTrainIdentifierType for more information about the different train identifiers.
+
+
+
+
+ The version is the raw string output of a 'show version' command.
+
+
+
+
+
+
+
+
+
+
+
+
+ The EntityObjectAccessListIPVersionType complex type restricts
+ a string value to a specific set of values: IPV4, IPV6. These values
+ describe if an ACL is for IPv4 or IPv6 in a Cisco IOS configuration. The
+ empty string is also allowed to support empty element associated with
+ variable references. Note that when using pattern matches and variables care
+ must be taken to ensure that the regular expression and variable values
+ align with the enumerated values.
+
+
+
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityObjectRoutingProtocolType complex type restricts a
+ string value to a specific set of values: EIGRP, OSPF, BGP, RIP, RIPV2,
+ ISIS. These values describe the routing protocol used in a Cisco IOS
+ configuration. The empty string is also allowed to support empty element
+ associated with variable references. Note that when using pattern matches
+ and variables care must be taken to ensure that the regular expression and
+ variable values align with the enumerated values.
+
+
+
+
+
+
+
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+
+ The EntityStateAccessListInterfaceDirectionType complex type
+ restricts a string value to a specific set of values: IN, OUT. These values
+ describe the inbound or outbound ACL direction on an interface in a Cisco
+ IOS configuration. The empty string is also allowed to support empty element
+ associated with variable references. Note that when using pattern matches
+ and variables care must be taken to ensure that the regular expression and
+ variable values align with the enumerated values.
+
+
+
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityStateRoutingProtocolType complex type restricts a
+ string value to a specific set of values: IPV4, IPV6. These values describe
+ if an ACL is for IPv4 or IPv6 in a Cisco IOS configuration. The empty string
+ is also allowed to support empty element associated with variable
+ references. Note that when using pattern matches and variables care must be
+ taken to ensure that the regular expression and variable values align with
+ the enumerated values.
+
+
+
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityStateAccessListUseType complex type restricts a
+ string value to a specific set of values: INTERFACE, CRYPTO_MAP_MATCH,
+ CLASS_MAP_MATCH, ROUTE_MAP_MATCH, IGMP_FILTER, VTY. These values describe
+ the ACL use in a Cisco IOS configuration. The empty string is also allowed
+ to support empty element associated with variable references. Note that when
+ using pattern matches and variables care must be taken to ensure that the
+ regular expression and variable values align with the enumerated
+ values.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 5.11.2:1.0
+ The EntityStateSimpleBaseType check_existence attribute serves the same purpose as this enumeration value.
+ This AccessListUseType enumeration value has been deprecated and may be removed in a future version of the language.
+
+
+
+
+ DEPRECATED ELEMENT VALUE IN: acl_state ELEMENT VALUE:
+
+
+
+
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityStateRoutingAuthTypeStringType complex type restricts a string value to a specific set of values: CLEARTEXT, MESSAGE_DIGEST. These values describe the routing protocol authentication types used in a Cisco IOS configuration. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+
+
+
+
+
+
+
+
+ 5.11.2:1.0
+ The NULL authentication area type is never declared in an interface ip ospf command context.
+ This RoutingAuthTypeStringType enumeration value has been deprecated and may be removed in a future version of the language.
+
+
+
+
+ DEPRECATED ELEMENT VALUE IN: routingprotocolauthintf_state ELEMENT VALUE:
+
+
+
+
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityStateRoutingProtocolType complex type restricts a string value to a specific set of values: EIGRP, OSPF, BGP, RIP, RIPV2, ISIS. These values describe the routing protocol used in a Cisco IOS configuration. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+
+
+
+
+
+
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+ The EntityStateSNMPVersionStringType complex type restricts a string value to a specific set of values: 1, 2c, 3. These values describe the SNMP version in a Cisco IOS configuration. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+
+
+
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityStateSNMPVersionStringType complex type restricts a string value to a specific set of values: PRIV, AUTH, NO_AUTH. These values describe the SNMP security level (encryption, Authentication, None) in a Cisco IOS SNMPv3 related configurations. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+
+
+
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityStateSNMPModeStringType complex type restricts a string value to a specific set of values: RO, RW. These values describe the SNMP mode (read-only, read-write) in a Cisco IOS SNMPv3 related configurations. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+
+
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityStateSNMPAuthStringType complex type restricts a string value to a specific set of values: MD5, SHA. These values describe the authentication algorithm in a Cisco IOS SNMPv3 related configurations. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+
+
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityStateSNMPPrivStringType complex type restricts a string value to a specific set of values: DES, 3DES, AES. These values describe the encryption algorithm in a Cisco IOS SNMPv3 related configurations. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+
+
+
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityObjectRoutingProtocolType complex type restricts a string value to a specific set of values: DYNAMIC, TRUNK, ACCESS. These values describe the interface switchport mode types in IOS. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+
+
+
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityStateTrainIdentifierType complex type restricts a string value to a specific set of values. These values describe the possible types of trains in a Cisco IOS release. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+
+ 5.5
+ Additional IOS version components were added to the version_state in order to support a wider range of IOS version strings. Also, the train_number entity, which uses this enumeration, was removed from the version_state element. As a result, this enumeration is no longer needed.
+ This enumeration has been deprecated and will be removed in version 6.0 of the language.
+
+
+
+
+
+
+
+ The mainline Train consolidates releases and fixes defects. Inherits features from the parent T train, and does not add additional features.
+
+
+
+
+ Introduces new features and fixes defects.
+
+
+
+
+ Consolidates 12.1E, 12.2 mainline, and 12.0S, which supports high-end backbone routing, and fixes defects.
+
+
+
+
+ Targets enterprise core and SP edge, supports advanced QoS, voice, security, and firewall, and fixes defects.
+
+
+
+
+ Supports broadband features and fixes defects.
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityStateTrunkEncapType complex type restricts a string value to a specific set of values: DOT1Q, ISL, NEGOTIATE. These values describe the interface trunk encapsulation types on an interfaces in IOS. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+
+
+
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
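Review bot: the version55_test documentation points authors at the deprecated pre-5.5 object and state: the introductory paragraph says "The required object element references a version_object", and the two constraint bullets read "the object child element of a version55_test must reference a version_object" and "the state child element of a version55_test must reference a version_state", while the type listing immediately above names version55_object and version55_state. The text (and the assertion behind it, if it matches the text) should reference version55_object and version55_state. Several enumeration descriptions in the same hunk are copy-pasted with the wrong type name: the IPV4/IPV6 ACL type and the DYNAMIC/TRUNK/ACCESS switchport-mode type are both introduced as "The EntityStateRoutingProtocolType complex type" / "The EntityObjectRoutingProtocolType complex type", and the PRIV/AUTH/NO_AUTH security-level type as "The EntityStateSNMPVersionStringType complex type", the same name used for the 1/2c/3 version type; each description should name the type it actually documents, since these descriptions are what schema consumers read. Smaller documentation fixes: snmpgroup_state says "This includes the user name and the corresponding options" where it means the group name, and "tchlsh" and "explaination" in the tclsh_object and train_identifier descriptions are typos.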
diff --git a/oval-schemas/ios-system-characteristics-schema.xsd b/oval-schemas/ios-system-characteristics-schema.xsd
new file mode 100644
index 0000000..16e8fd3
--- /dev/null
+++ b/oval-schemas/ios-system-characteristics-schema.xsd
@@ -0,0 +1,1113 @@
+
+
+
+
+
+ The following is a description of the elements, types, and attributes that compose the IOS specific system characteristic items found in Open Vulnerability and Assessment Language (OVAL). Each item is an extension of the standard item element defined in the Core System Characteristic Schema. Through extension, each item inherits a set of elements and attributes that are shared amongst all OVAL Items. Each item is described in detail and should provide the information necessary to understand what each element and attribute represents. This document is intended for developers and assumes some familiarity with XML. A high level description of the interaction between the different tests and their relationship to the Core System Characteristic Schema is not outlined here.
+ The OVAL Schema is maintained by the OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.cisecurity.org.
+
+ IOS Definition
+ 5.11.1:1.2
+ 11/30/2016 09:00:00 AM
+ Copyright (c) 2016, Center for Internet Security. All rights reserved. The contents of this file are subject to the terms of the OVAL License located at https://oval.cisecurity.org/terms. See the OVAL License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the OVAL Schema, this license header must be included.
+
+
+
+
+
+
+
+
+
+
+ Stores command that are part of a IOS configuration section. For example all configuration lines under an interface. It should not store configurations for configs that already have a separate item. For example BGP has a router item and should not also be stored in a acl_item.
+
+
+
+
+
+
+
+ Element with the name of the ACL.
+
+
+
+
+ Element with the IP version of the ACL.
+
+
+
+
+ Element with the feature where the ACL is used. If the same ACL is applied in more than one feature (i.e interface and crypto map), multiple items needs to be created.
+
+
+
+
+ Element with the name of where the ACL is used. For example if use is 'INTERFACE', use_in will be the name of the interface. If the same ACL is applied in more than one feature (i.e interface and crypto map), multiple items needs to be created.
+
+
+
+
+ Element with the direction the ACL is applied on an interface.
+
+
+
+
+ Element with the value returned with all config lines of the ACL.
+
+
+
+
+ Element with the value returned with one ACL config line at a time.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Stores information about bgp neighbors configured in bgp instances.
+
+
+
+
+
+
+
+ Element with the bgp neighbor.
+
+
+
+
+ Element with the bgp authentication password, if configured. If Encryption type is configured it should be included in the password string. For example '0 cisco123'.
+
+
+
+
+
+
+
+
+
+
+
+
+ Sotres information about the existence of a particular line in the ios config file under the global context.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The interface_item represents an IOS interface and its configuration options.
+
+
+
+
+
+
+
+ Element with the interface name.
+
+
+
+
+ Element that is true if the directed broadcast command is enabled on the interface. The default is false.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 5.11
+ This entity has been deprecated because the ip_directed_broadcast_command has been updated to support a boolean value and this entity can be represented with a value of 'false'.
+
+
+
+ DEPRECATED ELEMENT: ID:
+
+
+
+
+
+
+
+ Element that is true if the proxy_arp command is enabled on the interface. The default is true.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Element that is true if the interface is shut down. The default is false.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Element with the interface hardware (MAC) address.
+
+
+
+
+ Element with the interface IPv4 address and mask. This element should only allow 'ipv4_address' of the oval:SimpleDatatypeEnumeration.
+
+
+
+
+ Element with the interface IPv6 address and mask. This element should only allow 'ipv6_address' of the oval:SimpleDatatypeEnumeration.
+
+
+
+
+ Element with the ingress or egress IPv4 ACL name applied on the interface.
+
+
+
+
+ Element with the ingress or egress IPv6 ACL name applied on the interface.
+
+
+
+
+ Element with the crypto map name applied to the interface.
+
+
+
+
+ Element with the uRPF command for IPv4 under the interface.
+
+
+
+
+ Element with the uRPF command for IPv6 under the interface.
+
+
+
+
+ Element with the uRPF command under the interface.
+
+
+ 5.11.2:1.0
+ This entity has been deprecated because it was replaced by the ipv4_urpf_command and ipv6_urpf_command entities.
+
+
+
+ Warning: DEPRECATED ENTITY: . This entity has been deprecated because it was replaced by the ipv4_urpf_command and ipv6_urpf_command entities.
+
+
+
+
+
+
+
+ Element with the switchport trunk encapsulation option configured on the interface (if applicable).
+
+
+
+
+ Element with the switchport mode option configured on the interface (if applicable).
+
+
+
+
+ Element with the trunk native vlan configured on the interface (if applicable).
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Element with the access vlan configured on the interface (if applicable).
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Element with the vlans that are trunked configured on the interface (if applicable).
+
+
+
+
+ Element with the vlans that are pruned from the trunk (if applicable).
+
+
+
+
+ Element with the switchport port-security commands configured on the interface (if applicable).
+
+
+
+
+
+
+
+
+
+
+
+
+ Stores the properties of specific lines in the ios config file.
+
+
+
+
+
+
+
+ The name of the SHOW sub-command.
+
+
+
+
+ The value returned from by the specified SHOW sub-command.
+
+
+
+
+
+
+
+
+
+
+
+
+ Stores commands that are part of a IOS 'router' command configuration. For example 'router bgp 123'.
+
+
+
+
+
+
+
+ Element with the routing protocol.
+
+
+
+
+ Element with the IOS router id.
+
+
+
+
+ Element with the subnet in the network command of the router instance. The area can be included in the string for OSPF.
+
+
+
+
+ Element with the BGP neighbors, if applicable.
+
+
+
+
+ Element with the OSPF area that is authenticated, if applicable.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Element with all config lines of the router.
+
+
+
+
+
+
+
+
+
+
+
+
+ Stores information for routing protocol authentication configured under specific interfaces.
+
+
+
+
+
+
+
+ Element with the interface.
+
+
+
+
+ Element with the routing protocol.
+
+
+
+
+ Element with the routing protocol id.
+
+
+
+
+ Element with the routing protocol authentication type.
+
+
+
+
+ Element with the OSPF area that is authenticated, if applicable.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Element with the name of the key chain, if applicable.
+
+
+
+
+
+
+
+
+
+
+
+
+ Stores command that are part of a IOS configuration section. For example all configuration lines under an interface. It should not store configurations for configs that already have a separate item. For example BGP has a router item and should not also be stored in a section_item.
+
+
+
+
+
+
+
+ The name of the section command.
+
+
+
+
+ Element with all config lines of the section.
+
+
+
+
+ Element with one config line of the section at a time.
+
+
+
+
+
+
+
+
+
+
+
+
+ Stores results from collecting lines under the global context associated with snmp.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Stores information about an SNMP community configuration in IOS. That information includes the community name, the view (if it applies) name, the read-write mode and the ACLs names applied.
+
+
+
+
+
+
+
+ Element with the SNMP community name.
+
+
+
+
+ Element with the view that restricts the OIDs of this community.
+
+
+
+
+ Element with the read-write privileges of the community.
+
+
+
+
+ Element with the IPv4 ACL name applied to the community.
+
+
+
+
+ Element with the IPv6 ACL name applied to the community.
+
+
+
+
+
+
+
+
+
+
+
+
+ Stores information about an SNMP group configuration in IOS. That information includes the group name, the SNMP version, the IPv4 or IPv6 ACL it is applied toand the read, write and/or notify views applied to the group.
+
+
+
+
+
+
+
+ Element with the SNMP group name.
+
+
+
+
+ Element with the SNMP version of the group.
+
+
+
+
+ Element with the SNMPv3 security configure for the group.
+
+
+
+
+ Element with the IPv4 ACL name applied to the group.
+
+
+
+
+ Element with the IPv6 ACL name applied to the group.
+
+
+
+
+ Element with the SNMP read view applied to the group.
+
+
+
+
+ Element with the SNMP write view applied to the group.
+
+
+
+
+ Element with the SNMP notify view applied to the group.
+
+
+
+
+
+
+
+
+
+
+
+
+ Stores information about the SNMP host configuration in IOS. That information includes the host, the community or user strings, the SNMP version, the snmp security (if the SNMP version is SNMPv3) and the SNMP traps.
+
+
+
+
+
+
+
+ Element with the SNMP host address or hostname.
+
+
+
+
+ Element with the community string or SNMPv3 user configured for the host.
+
+
+
+
+ Element with the SNMP version.
+
+
+
+
+ Element with the SNMPv3 security configure for the host.
+
+
+
+
+ Element with the SNMP traps configured.
+
+
+
+
+
+
+
+
+
+
+
+
+ Stores information about an SNMP user configuration in IOS. That information includes the user name, the SNMP group he belongs to, the SNMP version, the IPv4 or IPv6 ACL it is applied to, the Security Level and the Authentication type that apply to the user (for SNMPv3).
+
+
+
+
+
+
+
+ Element with the SNMP user name.
+
+
+
+
+ Element with the SNMP group the user belongs to.
+
+
+
+
+ Element with the SNMP version of the user.
+
+
+
+
+ Element with the IPv4 ACL name applied to the user.
+
+
+
+
+ Element with the IPv6 ACL name applied to the user.
+
+
+
+
+ Element with the SNMP encryption type for the user (for SNMPv3).
+
+
+
+
+ Element with the SNMP authentication type for the user (for SNMPv3).
+
+
+
+
+
+
+
+
+
+
+
+
+ Stores information about an SNMP view configuration in IOS. That information includes the view name, the mib_family that the view uses and the included or excluded option of the mib family in the view.
+
+
+
+
+
+
+
+ Element with the SNMP view name.
+
+
+
+
+ Element with the SNMP MIB family of the view.
+
+
+
+
+ Element that is true if the included option is used in the view.
+
+
+
+
+
+
+
+
+
+
+
+
+ The tclsh item holds information about the availability of tcl on the IOS operating system. It extends the standard ItemType as defined in the oval-system-characteristics schema and one should refer to the ItemType description for more information.
+
+
+
+
+
+
+
+ This boolean entity describes whether TCLSH is available on the system. A value of true means that TCLSH is available. Per Cisco documentation, the accepted way to see if the device supports tcl functionality is to enter the tcl shell. If the attempt results in a tcl prompt then the device supports tclsh and has it enabled.
+
+
+
+
+
+
+
+
+
+
+
+
+ The version_item holds information about the version of the IOS operating system. It extends the standard ItemType as defined in the oval-system-characteristics schema and one should refer to the ItemType description for more information.
+
+
+
+
+
+
+
+ The major_release is a combination of train and rebuild information and is used by Cisco advisories to identify major releases.
+
+
+ 5.5
+ Additional IOS version components were added to the version_state in order to support a wider range of IOS version strings. Also, the major_release entity was removed from the version_state element resulting in its deprecation.
+ This entity has been deprecated and will be removed in version 6.0 of the language.
+
+
+
+ DEPRECATED ELEMENT: ID:
+
+
+
+
+
+
+
+ The train number is the dotted version that starts a version string. For example the version string 12.2(3)T has a train number of 12.2.
+
+
+ 5.5
+ Additional IOS version components were added to the version_state in order to support a wider range of IOS version strings. Also, the train_number entity was removed from the version_state element resulting in its deprecation.
+ This entity has been deprecated and will be removed in version 6.0 of the language.
+
+
+
+ DEPRECATED ELEMENT: ID:
+
+
+
+
+
+
+
+ The major_version entity specifies the major version piece of the version string. The value is an integer and in the example 12.4(9)T0a the major version is '12'.
+
+
+
+
+ The minor_version entity specifies the minor version piece of the version string. The value is an integer and in the example 12.4(9)T0a the minor version is '4'.
+
+
+
+
+ The release entity specifies the release piece of the version string. The value is an integer and in the example 12.4(9)T0a the release is '9'.
+
+
+
+
+ The train identifier is the type of Train. For example the version string 12.2(3)T has a train identifier of T. Please see the EntityItemTrainIdentifierType for more information about the different train identifiers.
+ The train_identifier entity specifies the type of train represented in the version string. The value is a string and in the example 12.4(9)T0a the train identifier is 'T'. The following explaination from Wikipedia should help explain the different train identifiers. Cisco IOS releases are split into several "trains", each containing a different set of features. Trains more or less map onto distinct markets or groups of customers that Cisco is targeting. The 'mainline' train is designed to be the most stable release the company can offer, and its feature set never expands during its lifetime. Updates are released only to address bugs in the product. The previous technology train becomes the source for the current mainline train--for example, the 12.1T train becomes the basis for the 12.2 mainline. Therefore, to determine the features available in a particular mainline release, look at the previous T train release. The 'T' (Technology) train, gets new features and bug fixes throughout its life, and is therefore less stable than the mainline. (In releases prior to Cisco IOS Release 12.0, the P train served as the Technology train.) The 'S' (Service Provider) train, runs only on the company's core router products and is heavily customized for Service Provider customers. The 'E' (Enterprise) train, is customized for implementation in enterprise environments. The 'B' (broadband) train, support internet based broadband features. The 'XA', 'Xb' ... (special functionality) train, needs to be documented. There are other trains from time to time, designed for specific needs -- for example, the 12.0AA train contained new code required for Cisco's AS5800 product.
+
+
+
+
+ The rebuild entity specifies the rebuild piece of the version string The value is an integer and in the example 12.4(9)T0a the rebuild is '0'. Often a rebuild is compiled to fix a single specific problem or vulnerability for a given IOS version. For example, 12.1(8)E14 is a Rebuild, the 14 denoting the 14th rebuild of 12.1(8)E. Rebuilds are produced to either quickly repair a defect, or to satisfy customers who do not want to upgrade to a later major revision because they may be running critical infrastructure on their devices, and hence prefer to minimise change and risk.
+
+
+
+
+ The subrebuild entity specifies the subrebuild piece of the version string. The value is a string and in the example 12.4(9)T0a the subrebuild is 'a'.
+
+
+
+
+ The mainline_rebuild entity specifies the mainline rebuild piece of the version string. The mainline rebuild is just a regular rebuild release against the mainline operating system release (e.g. the branch of development that would typically be called "the trunk" that isn't associated with a train). Since there is no train identifier to stick the rebuild release after, they stick a alphabetic character inside the parens holding the maintenance release number. For example, 12.4(5b) is the second rebuild of the 12.4(5) maintenance release.
+
+
+
+
+ The version entity holds the raw string output of a 'show version' command.
+
+
+
+
+
+
+
+
+
+
+
+
+ The EntityItemAccessListInterfaceDirectionType complex type
+ restricts a string value to a specific set of values: IN, OUT. These values
+ describe the inbound or outbound ACL direction on an interface in a Cisco IOS
+ configuration. The empty string is also allowed to support empty elements
+ associated with error conditions.
+
+
+
+
+
+
+
+ The empty string value is permitted here to allow for detailed error reporting.
+
+
+
+
+
+
+
+ The EntityItemRoutingProtocolType complex type restricts a string
+ value to a specific set of values: IPV4, IPV6. These values describe if an ACL
+ is for IPv4 or IPv6 in a Cisco IOS configuration. The empty string is also
+ allowed to support empty elements associated with error
+ conditions.
+
+
+
+
+
+
+
+ The empty string value is permitted here to allow for detailed error reporting.
+
+
+
+
+
+
+
+ The EntityItemAccessListUseType complex type restricts a string
+ value to a specific set of values: INTERFACE, CRYPTO_MAP_MATCH, CLASS_MAP_MATCH,
+ ROUTE_MAP_MATCH, IGMP_FILTER, VTY. These values describe the ACL use in a Cisco
+ IOS configuration. The empty string is also allowed to support empty elements
+ associated with error conditions.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 5.11.2:1.0
+ The EntityStateSimpleBaseType check_existence attribute serves the same purpose as this enumeration value.
+ This AccessListUseType enumeration value has been deprecated and may be removed in a future version of the language.
+
+
+
+
+
+
+ The empty string value is permitted here to allow for detailed error reporting.
+
+
+
+
+
+
+
+ The EntityItemRoutingAuthTypeStringType complex type restricts a string value to a specific set of values: CLEARTEXT, MESSAGE_DIGEST. These values describe the routing protocol authentication types used in a Cisco IOS configuration. The empty string is also allowed to support empty elements associated with error conditions.
+
+
+
+
+
+
+
+
+
+ 5.11.2:1.0
+ The NULL authentication area type is never declared in an interface ip ospf command context.
+ This RoutingAuthTypeStringType enumeration value has been deprecated and may be removed in a future version of the language.
+
+
+
+
+
+
+ The empty string value is permitted here to allow for detailed error reporting.
+
+
+
+
+
+
+
+ The EntityItemRoutingProtocolType complex type restricts a string value to a specific set of values: EIGRP, OSPF, BGP, RIP, RIPV2, ISIS. These values describe the routing protocol used in a Cisco IOS configuration. The empty string is also allowed to support empty elements associated with error conditions.
+
+
+
+
+
+
+
+
+
+
+
+ The empty string value is permitted here to allow for detailed error reporting.
+
+
+
+
+
+
+
+ The EntityItemSNMPVersionStringType complex type restricts a string value to a specific set of values: 1, 2c, 3. These values describe the SNMP version in a Cisco IOS configuration. The empty string is also allowed to support empty elements associated with error conditions.
+
+
+
+
+
+
+
+
+ The empty string value is permitted here to allow for detailed error reporting.
+
+
+
+
+
+
+
+ The EntityItemSNMPVersionStringType complex type restricts a string value to a specific set of values: PRIV, AUTH, NO_AUTH. These values describe the SNMP security level (encryption, Authentication, None) in a Cisco IOS SNMPv3 related configurations. The empty string is also allowed to support empty elements associated with error conditions.
+
+
+
+
+
+
+
+
+ The empty string value is permitted here to allow for detailed error reporting.
+
+
+
+
+
+
+
+ The EntityItemSNMPModeStringType complex type restricts a string value to a specific set of values: RO, RW. These values describe the SNMP mode (read-only, read-write) in a Cisco IOS SNMPv3 related configurations. The empty string is also allowed to support empty elements associated with error conditions.
+
+
+
+
+
+
+
+ The empty string value is permitted here to allow for detailed error reporting.
+
+
+
+
+
+
+
+ The EntityItemSNMPAuthStringType complex type restricts a string value to a specific set of values: MD5, SHA. These values describe the authentication algorithm in a Cisco IOS SNMPv3 related configurations. The empty string is also allowed to support empty elements associated with error conditions.
+
+
+
+
+
+
+
+ The empty string value is permitted here to allow for detailed error reporting.
+
+
+
+
+
+
+
+ The EntityItemSNMPPrivStringType complex type restricts a string value to a specific set of values: DES, 3DES, AES. These values describe the encryption algorithm in a Cisco IOS SNMPv3 related configurations. The empty string is also allowed to support empty elements associated with error conditions.
+
+
+
+
+
+
+
+
+ The empty string value is permitted here to allow for detailed error reporting.
+
+
+
+
+
+
+
+ The EntityItemRoutingProtocolType complex type restricts a string value to a specific set of values: DYNAMIC, TRUNK, ACCESS. These values describe the interface switchport mode types in IOS. The empty string is also allowed to support empty elements associated with error conditions.
+
+
+
+
+
+
+
+
+ The empty string value is permitted here to allow for detailed error reporting.
+
+
+
+
+
+
+
+ The EntityItemTrunkEncapType complex type restricts a string value to a specific set of values: DOT1Q, ISL, NEGOTIATE. These values describe the interface trunk encapsulation types on an interfaces in IOS. The empty string is also allowed to support empty elements associated with error conditions.
+
+
+
+
+
+
+
+
+ The empty string value is permitted here to allow for detailed error reporting.
+
+
+
+
+
+
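Review bot: several documentation annotations in this hunk name the wrong complex type, so the generated docs will contradict the type definitions they sit on. The IPV4, IPV6 enumeration that "describe[s] if an ACL is for IPv4 or IPv6" is introduced as "The EntityItemRoutingProtocolType complex type", and so is the DYNAMIC, TRUNK, ACCESS switchport-mode enumeration near the end of the hunk; the PRIV, AUTH, NO_AUTH security-level enumeration is introduced as "The EntityItemSNMPVersionStringType complex type", the name already used for the 1, 2c, 3 version enumeration directly above it. Each of these descriptions should name the type it is actually attached to, otherwise a reader searching the docs for the ACL IP-version or switchport-mode type finds three unrelated types under one name. Smaller fixes in the same hunk: the train_identifier entity carries two overlapping descriptions (the short one pointing at EntityItemTrainIdentifierType and the long Wikipedia-derived one) and should keep one; "The value returned from by the specified SHOW sub-command" should drop "from"; "Stores command that are part of a IOS configuration section" should read "Stores commands that are part of an IOS configuration section"; "IPv4 or IPv6 ACL it is applied toand" is missing a space; "SNMPv3 security configure for the group" and "for the host" should read "configured"; and the SNMP user description's "the SNMP group he belongs to" should be "the SNMP group it belongs to".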
diff --git a/oval-schemas/iosxe-definitions-schema.xsd b/oval-schemas/iosxe-definitions-schema.xsd
new file mode 100644
index 0000000..4583b71
--- /dev/null
+++ b/oval-schemas/iosxe-definitions-schema.xsd
@@ -0,0 +1,2044 @@
+
+
+
+
+
+ The following is a description of the elements, types, and attributes that compose the IOS-XE specific tests found in Open Vulnerability and Assessment Language (OVAL). Each test is an extension of the standard test element defined in the Core Definition Schema. Through extension, each test inherits a set of elements and attributes that are shared amongst all OVAL tests. Each test is described in detail and should provide the information necessary to understand what each element and attribute represents. This document is intended for developers and assumes some familiarity with XML. A high level description of the interaction between the different tests and their relationship to the Core Definition Schema is not outlined here.
+ The OVAL Schema is maintained by the OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.cisecurity.org.
+ Thanks to Omar Santos and Panos Kampanakis of Cisco for providing this test.
+
+ IOS-XE Definition
+ 5.11.1:1.2
+ 11/30/2016 09:00:00 AM
+ Copyright (c) 2016, Center for Internet Security. All rights reserved. The contents of this file are subject to the terms of the OVAL License located at https://oval.cisecurity.org/terms. See the OVAL License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the OVAL Schema, this license header must be included.
+
+
+
+
+
+
+
+
+
+
+ The global test is used to check for the existence of a particular line in the IOS-XE config file under the global context. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a global_object and the optional state element specifies the data to check.
+
+
+ global_test
+ global_object
+ global_state
+ global_item
+
+
+
+
+
+ - the object child element of a global_test must reference a global_object
+
+
+ - the state child element of a global_test must reference a global_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The global_object element is used by a global test to define the object to be evaluated. For the most part this object checks for existence and is used without a state comparision. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The global_command entity identifies a specific line in the IOS-XE config file under the global context.
+
+
+
+
+
+
+
+
+
+
+
+
+ The global_state element defines the different information that can be found in the IOS-XE config file under the global context. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ The global_command entity identifies a specific line in the IOS-XE config file under the global context.
+
+
+
+
+
+
+
+
+
+
+
+
+ The line test is used to check the properties of specific output lines from a SHOW command, such as show running-config. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a line_object and the optional state element specifies the data to check.
+
+
+ line_test
+ line_object
+ line_state
+ line_item
+
+
+
+
+
+ - the object child element of a line_test must reference a line_object
+
+
+ - the state child element of a line_test must reference a line_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The line_object element is used by a line test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+ A line object consists of a show_subcommand entity that is the name of a SHOW sub-command to be tested.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The name of a SHOW sub-command.
+
+
+
+
+
+
+
+
+
+
+
+
+ The line_state element defines the different information that can be used to evaluate the result of a specific SHOW sub-command. This includes the name of ths sub-command and the corresponding config line. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ The name of the SHOW sub-command.
+
+
+
+
+ The value returned from by the specified SHOW sub-command.
+
+
+
+
+
+
+
+
+
+
+
+
+ The version_test is used to check the version of the IOS-XE operating system. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a version_object and the optional state element specifies the data to check.
+
+
+ version_test
+ version_object
+ version_state
+ version_item
+
+
+
+
+
+ - the object child element of a version_test must reference a version_object
+
+
+ - the state child element of a version_test must reference a version_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The version_object element is used by a version_test to define the different version information associated with an IOS-XE system. There is actually only one object relating to version and this is the system as a whole. Therefore, there are no child entities defined. Any OVAL Test written to check version will reference the same version_object which is basically an empty object element.
+
+
+
+
+
+
+
+
+
+ The version_state element defines the version information held within a Cisco IOS-XE Train. A Cisco IOS-XE train is a vehicle for delivering releases that evolve from a common code base.
+
+
+
+
+
+
+
+ The platform that is running the IOS-XE software. For example if could be asr1000.
+
+
+ 5.11.2:1.0
+ This entity has been deprecated because it cannot be reliably collected.
+
+
+
+ Warning: DEPRECATED ENTITY: . This entity has been deprecated because it cannot be reliably collected.
+
+
+
+
+
+
+
+ The routing processor running the IOS-XE software.
+
+
+ 5.11.2:1.0
+ This entity has been deprecated because it cannot be reliably collected.
+
+
+
+ Warning: DEPRECATED ENTITY: . This entity has been deprecated because it cannot be reliably collected.
+
+
+
+
+
+
+
+ The consolidated IOS-XE packages in the image. For example it could be adventservicesk9.
+
+
+ 5.11.2:1.0
+ This entity has been deprecated because it cannot be reliably collected.
+
+
+
+ Warning: DEPRECATED ENTITY: . This entity has been deprecated because it cannot be reliably collected.
+
+
+
+
+
+
+
+ The entire IOS-XE version string, for example, '03.13.02.S'.
+
+
+
+
+ The major version piece of the version string. The value is an integer, and in the example 03.13.02.S the major_release is '3'
+
+
+
+
+ The minor release piece of the version string. The value is an integer, and in the example 03.13.02.S the release is '13'
+
+
+
+
+ The rebuild piece of the version string. The value is an integer, and in the example 03.13.02.S the rebuild is '2'
+
+
+
+
+ The train piece of the version string. The value is a string, and in the example 03.13.02.S the train is 'S'
+
+
+
+
+ The IOS release the IOS-XE was derived from. The value is a string and in the example ASR1000rp1-ipbasek9.03.04.02.122-33.SR.bin the ios_release version is '122-33'
+
+
+ 5.11.2:1.0
+ This entity has been deprecated because it is irrelevant to the IOS-XE version.
+
+
+
+ Warning: DEPRECATED ENTITY: . This entity has been deprecated because it is irrelevant to the IOS-XE version.
+
+
+
+
+
+
+
+ The IOS release the IOS-XE was derived from. The value is an integer and in the example ASR1000rp1-ipbasek9.03.04.02.122-33.SR.bin the ios_release version is 'SR'
+
+
+ 5.11.2:1.0
+ This entity has been deprecated because it is irrelevant to the IOS-XE version.
+
+
+
+ Warning: DEPRECATED ENTITY: . This entity has been deprecated because it is irrelevant to the IOS-XE version.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The interface test is used to check for the existence of a particular interface on the Cisco IOS-XE device. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a interface_object and the optional state element specifies the data to check.
+
+
+ interface_test
+ interface_object
+ interface_state
+ interface_item
+
+
+
+
+
+ - the object child element of an interface_test must reference an interface_object
+
+
+ - the state child element of an interface_test must reference an interface_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The interface_object element is used by an interface_test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+ An interface_object consists of a name entity that is the name of the IOS-XE interface to be tested.
+
+
+
+
+
+
+
+
+
+
+ The interface name.
+
+
+
+
+
+
+
+
+
+
+
+
+ The interface_state element defines the different information that can be used to evaluate the result of a specific IOS-XE interface. This includes the name, status, and address information about the interface. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ The interface name.
+
+
+
+
+ Directed broadcast command enabled on the interface. The default is false.
+
+
+
+
+ Proxy arp enabled on the interface. The default is true.
+
+
+
+
+ Interface is shut down.
+
+
+
+
+ The interface hardware (MAC) address.
+
+
+
+
+ The interface IPv4 address and mask. This element should only allow 'ipv4_address' of the oval:SimpleDatatypeEnumeration.
+
+
+
+
+ The interface IPv6 address and mask. This element should only allow 'ipv6_address' of the oval:SimpleDatatypeEnumeration.
+
+
+
+
+ The ingress or egress IPv4 ACL name applied on the interface.
+
+
+
+
+ The ingress or egress IPv6 ACL name applied on the interface.
+
+
+
+
+ The crypto map name applied to the interface.
+
+
+
+
+ The IPv4 uRPF command under the interface.
+
+
+
+
+ The IPv6 uRPF command under the interface.
+
+
+
+
+ The uRPF command under the interface.
+
+
+ 5.11.1:1.1
+ This entity has been deprecated because it was replaced by the ipv4_urpf_command and ipv6_urpf_command entities.
+
+
+
+ Warning: DEPRECATED ENTITY: . This entity has been deprecated because it was replaced by the ipv4_urpf_command and ipv6_urpf_command entities.
+
+
+
+
+
+
+
+ The switchport trunk encapsulation option configured on the interface (if applicable).
+
+
+
+
+ The switchport mode option configured on the interface (if applicable).
+
+
+
+
+ The trunk native vlan configured on the interface (if applicable).
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The access vlan configured on the interface (if applicable).
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The vlans that are trunked configured on the interface (if applicable).
+
+
+
+
+ The vlans that are pruned from the trunk (if applicable).
+
+
+
+
+ The switchport port-security commands configured on the interface (if applicable).
+
+
+
+
+
+
+
+
+
+
+
+
+ The section test is used to check the properties of specific output lines from a configuration section.
+
+
+ section_test
+ section_object
+ section_state
+ section_item
+
+
+
+
+
+ - the object child element of a section_test must reference a section_object
+
+
+ - the state child element of a section_test must reference a section_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The section_object element is used by a section test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+ A section object consists of a section_command entity that is the name of a section command to be tested.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The name of a section command.
+
+
+
+
+
+
+
+
+
+
+
+
+ The section_state element defines the different information that can be used to evaluate the result of a specific section command. This includes the name of ths section_command and the corresponding config lines. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ The name of the section command.
+
+
+
+
+ The value returned with all config lines of the section.
+
+
+
+
+ The value returned with one config line of the section at a time.
+
+
+
+
+
+
+
+
+
+
+
+
+ The router test is used to check the properties of specific output lines from a router configurated instance in IOS-XE.
+
+
+ router_test
+ router_object
+ router_state
+ router_item
+
+
+
+
+
+ - the object child element of a router_test must reference a router_object
+
+
+ - the state child element of a router_test must reference a router_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The router_object element is used by a router test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+ A router object consists of a router protocol and router identifier entity.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The routing protocol of the router instance.
+
+
+
+
+ The IOS-XE router id.
+
+
+
+
+
+
+
+
+
+
+
+
+ The router_state element defines the different information that can be used to evaluate the result of a specific router command. This includes the protocol of the router instance, the id, the networks, bgp neighbor, ospf authentication area commands and the corresponding config lines. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ The routing protocol of the router instance. If there are more than one router configurations, for example ospf instances, different objects should be created for each.
+
+
+
+
+ The IOS-XE router id
+
+
+
+
+ The subnet in the network command of the router instance. The area can be included in the string for OSPF.
+
+
+
+
+ The BGP neighbors, if applicable.
+
+
+
+
+ The OSPF area that is authenticated, if applicable.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The value returned with all config lines of the router instance.
+
+
+
+
+
+
+
+
+
+
+
+
+ The bgpneighbor test is used to check the bgp neighbpr properties of bgp instances instances in IOS.
+
+
+ bgpneighbor_test
+ bgpneighbor_object
+ bgpneighbor_state
+ bgpneighbor_item
+
+
+
+
+
+ - the object child element of a bgpneighbor_test must reference a bgpneighbor_object
+
+
+ - the state child element of a bgpneighbor_test must reference a bgpneighbor_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The bgpneighbor_object element is used by a bgpneighbor test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+ A bgpneighbor object consists of a neighbor entity.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The bgp neighbor.
+
+
+
+
+
+
+
+
+
+
+
+
+ The bgpneighbor_state element defines the different information that can be used to evaluate the result of a bgp neighbor configuration. This includes the neighbor and the password option, if configured. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ The bgp neighbor.
+
+
+
+
+ The bgp authentication password, if configured. If Encryption type is configured it should be included in the password string. For example '0 cisco123'.
+
+
+
+
+
+
+
+
+
+
+
+
+ The routing protocol authentication interface test is used to check the properties of routing protocol authentication configured under interfaces in IOS.
+
+
+ routingprotocolauthintf_test
+ routingprotocolauthintf_object
+ routingprotocolauthintf_state
+ routingprotocolauthintf_item
+
+
+
+
+
+ - the object child element of a routingprotocolauthintf_test must reference a routingprotocolauthintf_object
+
+
+ - the state child element of a routingprotocolauthintf_test must reference a routingprotocolauthintf_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The routingprotocolauthintf_object element is used by a routingprotocolauthintf test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+ A routingprotocolauthintf object consists of an interface and the routing protocol that is authenticated entity.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The interface name.
+
+
+
+
+ The routing protocol.
+
+
+
+
+
+
+
+
+
+
+
+
+ The routingprotocolauthintf_state element defines the different information that can be used to evaluate the result of a specific routing protocol interface authentication configurations. This includes the interface, the protocol, the id, the authentication type, the ospf area, the key chain command and the corresponding config lines. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ The interface name.
+
+
+
+
+ The routing protocol.
+
+
+
+
+ The routing protocol id, if applicable.
+
+
+
+
+ The routing protocol authentication type.
+
+
+
+
+ The OSPF area that is authenticated, if applicable.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The name of the key chain, if applicable.
+
+
+
+
+
+
+
+
+
+
+
+
+ The acl test is used to check the properties of specific output lines from an ACL configuration.
+
+
+ acl_test
+ acl_object
+ acl_state
+ acl_item
+
+
+
+
+
+ - the object child element of a acl_test must reference a acl_object
+
+
+ - the state child element of a acl_test must reference a acl_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The acl_object element is used by an acl test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+ An acl object consists of a an acl name and an IP version entity that is the name and the IP protocol version of the access-list to be tested.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The name of the ACL.
+
+
+
+
+ The IP version of the ACL.
+
+
+
+
+
+
+
+
+
+
+
+
+ The acl_state element defines the different information that can be used to evaluate the result of a specific ACL configuration. This includes the name of ths ACL and the corresponding config lines. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ The name of the ACL.
+
+
+
+
+ The IP version of the ACL.
+
+
+
+
+ The feature where the ACL is used.
+
+
+
+
+ The name of where the ACL is used. For example if use is 'INTERFACE', use_in will be the name of the interface.
+
+
+
+
+ The direction the ACL is applied on an interface.
+
+
+
+
+ The value returned with all config lines of the ACL.
+
+
+
+
+ The value returned with one ACL config line at a time.
+
+
+
+
+
+
+
+
+
+
+
+
+ The snmphost test is used to check the properties of specific output lines from an SNMP configuration.
+
+
+ snmphost_test
+ snmphost_object
+ snmphost_state
+ snmphost_item
+
+
+
+
+
+ - the object child element of an snmphost_test must reference an snmphost_object
+
+
+ - the state child element of an snmphost_test must reference an snmphost_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The snmphost_object element is used by an snmphost test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+ A snmphost object consists of a host entity that is the host of the 'snmp host' IOS-XE command to be tested.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The SNMP host address or hostname.
+
+
+
+
+
+
+
+
+
+
+
+
+ The snmphost_state element defines the different information that can be used to evaluate the result of a specific 'snmp host' IOS-XE command. This includes the host and the corresponding options. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ The SNMP host address or hostname.
+
+
+
+
+ The community string or SNMPv3 user configured for the host.
+
+
+
+
+ The SNMP version.
+
+
+
+
+ The SNMPv3 security configured for the host.
+
+
+
+
+ The SNMP traps configured.
+
+
+
+
+
+
+
+
+
+
+
+
+ The snmpcommunity test is used to check the properties of specific output lines from an SNMP configuration.
+
+
+ snmpcommunity_test
+ snmpcommunity_object
+ snmpcommunity_state
+ snmpcommunity_item
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The snmpcommunity_object element is used by an snmpcommunity test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+ An snmpcommunity object consists of a community name entity to be tested.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The SNMP community name.
+
+
+
+
+
+
+
+
+
+
+
+
+ The snmpcommunity_state element defines the different information that can be used to evaluate the result of a specific 'snmp community' IOS-XE command. This includes the community name and the corresponding options. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ The SNMP community name.
+
+
+
+
+ The view that restricts the OIDs of this community.
+
+
+
+
+ The read-write privileges of the community.
+
+
+
+
+ The IPv4 ACL name applied to the community.
+
+
+
+
+ The IPv6 ACL name applied to the community.
+
+
+
+
+
+
+
+
+
+
+
+
+ The snmpuser test is used to check the properties of specific output lines from an SNMP user configuration.
+
+
+ snmpuser_test
+ snmpuser_object
+ snmpuser_state
+ snmpuser_item
+
+
+
+
+
+ - the object child element of an snmpuser_test must reference an snmpuser_object
+
+
+ - the state child element of an snmpuser_test must reference an snmpuser_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The snmpuser_object element is used by an snmpuser test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+ A snmpuser object consists of a name entity that is the name of the SNMP user to be tested.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The SNMP user name.
+
+
+
+
+
+
+
+
+
+
+
+
+ The snmpuser_state element defines the different information that can be used to evaluate the result of a specific 'show snmp user' IOS-XE command. This includes the user name and the corresponding options. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ The SNMP user name.
+
+
+
+
+ The SNMP group the user belongs to.
+
+
+
+
+ The SNMP version of the user.
+
+
+
+
+ The IPv4 ACL name applied to the user.
+
+
+
+
+ The IPv6 ACL name applied to the user.
+
+
+
+
+ The SNMP encryption type for the user (for SNMPv3).
+
+
+
+
+ The SNMP authentication type for the user (for SNMPv3).
+
+
+
+
+
+
+
+
+
+
+
+
+ The snmpgroup test is used to check the properties of specific output lines from an SNMP group configuration.
+
+
+ snmpgroup_test
+ snmpgroup_object
+ snmpgroup_state
+ snmpgroup_item
+
+
+
+
+
+ - the object child element of an snmpgroup_test must reference an snmpgroup_object
+
+
+ - the state child element of an snmpgroup_test must reference an snmpgroup_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The snmpgroup_object element is used by an snmpgroup test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+ A snmpgroup object consists of a name entity that is the name of the SNMP group to be tested.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The SNMP group name.
+
+
+
+
+
+
+
+
+
+
+
+
+ The snmpgroup_state element defines the different information that can be used to evaluate the result of a specific 'snmp-server group' IOS-XE command. This includes the user name and the corresponding options. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ The SNMP group name.
+
+
+
+
+ The SNMP version of the group.
+
+
+
+
+ The SNMPv3 security configured for the group.
+
+
+
+
+ The IPv4 ACL name applied to the group.
+
+
+
+
+ The IPv6 ACL name applied to the group.
+
+
+
+
+ The SNMP read view applied to the group.
+
+
+
+
+ The SNMP write view applied to the group.
+
+
+
+
+ The SNMP notify view applied to the group.
+
+
+
+
+
+
+
+
+
+
+
+
+ The snmpview test is used to check the properties of specific output lines from an SNMP view configuration.
+
+
+ snmpview_test
+ snmpview_object
+ snmpview_state
+ snmpview_item
+
+
+
+
+
+ - the object child element of an snmpview_test must reference an snmpview_object
+
+
+ - the state child element of an snmpview_test must reference an snmpview_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The snmpview_object element is used by an snmpview test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+ A snmpview object consists of a name entity that is the name of the SNMP view to be tested.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The SNMP view name.
+
+
+
+
+
+
+
+
+
+
+
+
+ The snmpview_state element defines the different information that can be used to evaluate the result of a specific 'snmp-server view' IOS-XE command. This includes the view name and the corresponding options. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ The SNMP view name.
+
+
+
+
+ The SNMP MIB family of the view.
+
+
+
+
+ It is true if the included option is used in the view.
+
+
+
+
+
+
+
+
+
+
+
+
+ The EntityObjectAccessListIPVersionType complex type restricts a string value to a specific set of values: IPV4, IPV6. These values describe if an ACL is for IPv4 or IPv6 in a Cisco IOS-XE configuration. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+
+
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityObjectRoutingProtocolType complex type restricts a string value to a specific set of values: EIGRP, OSPF, BGP, RIP, RIPV2, ISIS. These values describe the routing protocol used in a Cisco IOS-XE configuration. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+
+
+
+
+
+
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityStateTrunkEncapType complex type restricts a string value to a specific set of values: DOT1Q, ISL, NEGOTIATE. These values describe the interface trunk encapsulation types on an interfaces in IOS. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+
+
+
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityStateSwitchportModeType complex type restricts a string value to a specific set of values: DYNAMIC, TRUNK, ACCESS. These values describe the interface switchport mode types in IOS. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+
+
+
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityStateRoutingProtocolType complex type restricts a string value to a specific set of values: EIGRP, OSPF, BGP, RIP, RIPV2, ISIS. These values describe the routing protocol used in a Cisco IOS-XE configuration. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+
+
+
+
+
+
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityStateRoutingAuthTypeStringType complex type restricts a string value to a specific set of values: CLEARTEXT, MESSAGE_DIGEST. These values describe the routing protocol authentication types used in a Cisco IOS-XE configuration. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+
+
+
+
+
+
+
+
+ 5.11.2:1.0
+ The NULL authentication area type is never declared in an interface ip ospf command context.
+ This RoutingAuthTypeStringType enumeration value has been deprecated and may be removed in a future version of the language.
+
+
+
+
+ DEPRECATED ELEMENT VALUE IN: routingprotocolauthintf_state ELEMENT VALUE:
+
+
+
+
+
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityStateSNMPVersionStringType complex type restricts a string value to a specific set of values: 1, 2c, 3. These values describe the SNMP version in a Cisco IOS-XE configuration. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+
+
+
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityStateSNMPSecLevelStringType complex type restricts a string value to a specific set of values: PRIV, AUTH, NO_AUTH. These values describe the SNMP security level (encryption, Authentication, None) in a Cisco IOS-XE SNMPv3 related configurations. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+
+
+
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityStateSNMPModeStringType complex type restricts a string value to a specific set of values: RO, RW. These values describe the SNMP mode (read-only, read-write) in a Cisco IOS-XE SNMPv3 related configurations. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+
+
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityStateSNMPAuthStringType complex type restricts a string value to a specific set of values: MD5, SHA. These values describe the authentication algorithm in a Cisco IOS-XE SNMPv3 related configurations. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+
+
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityStateSNMPPrivStringType complex type restricts a string value to a specific set of values: DES, 3DES, AES. These values describe the encryption algorithm in a Cisco IOS-XE SNMPv3 related configurations. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+
+
+
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityStateAccessListIPVersionType complex type restricts a string value to a specific set of values: IPV4, IPV6. These values describe if an ACL is for IPv4 or IPv6 in a Cisco IOS-XE configuration. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+
+
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityStateAccessListUseType complex type restricts a string value to a specific set of values: INTERFACE, CRYPTO_MAP_MATCH, CLASS_MAP_MATCH, ROUTE_MAP_MATCH, IGMP_FILTER, VTY. These values describe the ACL use in a Cisco IOS-XE configuration. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 5.11.2:1.0
+ The EntityStateSimpleBaseType check_existence attribute serves the same purpose as this enumeration value.
+ This AccessListUseType enumeration value has been deprecated and may be removed in a future version of the language.
+
+
+
+
+ DEPRECATED ELEMENT VALUE IN: acl_state ELEMENT VALUE:
+
+
+
+
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityStateAccessListInterfaceDirectionType complex type restricts a string value to a specific set of values: IN, OUT. These values describe the inbound or outbound ACL direction on an interface in a Cisco IOS-XE configuration. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+
+
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
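Review bot: the snmpgroup_state description in this hunk ("evaluate the result of a specific 'snmp-server group' IOS-XE command. This includes the user name and the corresponding options") is copied from snmpuser_state; the state's entities are the group name, version, security, ACLs and views, so change "the user name" to "the group name". Same copy-paste class of problem in the bgpneighbor_test description: "check the bgp neighbpr properties of bgp instances instances in IOS" should read "bgp neighbor properties of bgp instances", and the acl_object description has "consists of a an acl name" while acl_state has "the name of ths ACL". The EntityStateTrunkEncapType text says "on an interfaces in IOS" (drop the "an"). The EntityStateSNMPModeStringType description says RO/RW describe the SNMP mode "in a Cisco IOS-XE SNMPv3 related configurations", but the only place the type is used is the snmpcommunity_state entity described as "The read-write privileges of the community", which is not SNMPv3-specific; reword to "in a Cisco IOS-XE SNMP community configuration". For the bgpneighbor_state password entity, the text says the encryption type is part of the string ("For example '0 cisco123'"); it would help content authors to state explicitly that a check on the encryption type alone therefore requires a pattern match on the leading type digit rather than an equals comparison. Finally, EntityStateRoutingAuthTypeStringType allows only CLEARTEXT and MESSAGE_DIGEST while routingprotocolauthintf_state also exposes "The name of the key chain, if applicable"; consider documenting which authentication_type value a key-chain based configuration is expected to produce.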
diff --git a/oval-schemas/iosxe-system-characteristics-schema.xsd b/oval-schemas/iosxe-system-characteristics-schema.xsd
new file mode 100644
index 0000000..cf2b1cf
--- /dev/null
+++ b/oval-schemas/iosxe-system-characteristics-schema.xsd
@@ -0,0 +1,1071 @@
+
+
+
+
+
+ The following is a description of the elements, types, and attributes that compose the IOS-XE specific system characteristic items found in Open Vulnerability and Assessment Language (OVAL). Each item is an extension of the standard item element defined in the Core System Characteristic Schema. Through extension, each item inherits a set of elements and attributes that are shared amongst all OVAL Items. Each item is described in detail and should provide the information necessary to understand what each element and attribute represents. This document is intended for developers and assumes some familiarity with XML. A high level description of the interaction between the different tests and their relationship to the Core System Characteristic Schema is not outlined here.
+ The OVAL Schema is maintained by the OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.cisecurity.org.
+ Thanks to Omar Santos and Panos Kampanakis of Cisco for providing this test.
+
+ IOS-XE System Characteristics
+ 5.11.1:1.2
+ 11/30/2016 09:00:00 AM
+ Copyright (c) 2016, Center for Internet Security. All rights reserved. The contents of this file are subject to the terms of the OVAL License located at https://oval.cisecurity.org/terms. See the OVAL License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the OVAL Schema, this license header must be included.
+
+
+
+
+
+
+
+
+
+
+ Sotres information about the existence of a particular line in the IOS-XE config file under the global context
+
+
+
+
+
+
+
+ The global_command entity identifies a specific line in the IOS-XE config file under the global context.
+
+
+
+
+
+
+
+
+
+
+
+
+ Stores the properties of specific lines in the IOS-XE config file.
+
+
+
+
+
+
+
+ The name of the SHOW sub-command.
+
+
+
+
+ The value returned from by the specified SHOW sub-command.
+
+
+
+
+
+
+
+
+
+
+
+
+ The version_item holds information about the version of the IOS-XE operating system. It extends the standard ItemType as defined in the oval-system-characteristics schema and one should refer to the ItemType description for more information.
+
+
+
+
+
+
+
+ The platform entity specifies the platform that is running the IOS-XE software. For example if could be asr1000.
+
+
+ 5.11.2:1.0
+ This entity has been deprecated because it cannot reliably be collected.
+
+
+
+ Warning: DEPRECATED ENTITY: . This entity has been deprecated because it cannot be reliably collected.
+
+
+
+
+
+
+
+ The rp entity specifies the routing processor running the IOS-XE software.
+
+
+ 5.11.2:1.0
+ This entity has been deprecated because it cannot reliably be collected.
+
+
+
+ Warning: DEPRECATED ENTITY: . This entity has been deprecated because it cannot be reliably collected.
+
+
+
+
+
+
+
+ The pkg entity specifies the consolidated IOS-XE packages in the image. For example it could be adventservicesk9.
+
+
+ 5.11.2:1.0
+ This entity has been deprecated because it cannot reliably be collected.
+
+
+
+ Warning: DEPRECATED ENTITY: . This entity has been deprecated because it cannot be reliably collected.
+
+
+
+
+
+
+
+ The train entity specifies the entire IOS-XE version string, for example, '03.13.02.S'.
+
+
+
+
+ The major_release entity specifies the major version piece of the version string. The value is an integer and in the example 03.13.02.S the major_release is '3'.
+
+
+
+
+ The release entity specifies the release piece of the version string. The value is an integer and in the example 03.13.02.S the release version is '13'.
+
+
+
+
+ The rebuild entity specifies the release piece of the version string. The value is an integer and in the example 03.13.02.S the rebuild is '2'.
+
+
+
+
+ The train entity specifies the train piece of the version string. The value is a string and in the example 03.13.02.S the train is 'S'.
+
+
+
+
+ The ios_release entity specifies the IOS release the IOS-XE was derived from. The value is an string and in the example ASR1000rp1-ipbasek9.03.04.02.122-33.SR.bin the ios_release version is '122-33'
+
+
+ 5.11.2:1.0
+ This entity has been deprecated because it is irrelevant to the IOS-XE version.
+
+
+
+ Warning: DEPRECATED ENTITY: . This entity has been deprecated because it is irrelevant to the IOS-XE version.
+
+
+
+
+
+
+
+ The ios_train entity specifies the IOS release the IOS-XE was derived from. The value is an integer and in the example ASR1000rp1-ipbasek9.03.04.02.122-33.SR.bin the ios_release version is 'SR'
+
+
+ 5.11.2:1.0
+ This entity has been deprecated because it cannot reliably be collected.
+
+
+
+ Warning: DEPRECATED ENTITY: . This entity has been deprecated because it is irrelevant to the IOS-XE version.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Stores command that are part of a IOS-XE configuration section. For example all configuration lines under an interface. It should not store configurations for configs that already have a separate item. For example BGP has a router item and should not also be stored in a section_item.
+
+
+
+
+
+
+
+ The name of the section command.
+
+
+
+
+ Element with all config lines of the section
+
+
+
+
+ Element with one config line of the section at a time
+
+
+
+
+
+
+
+
+
+
+
+
+ The interface_item represents an IOS-XE interface and its configuration options.
+
+
+
+
+
+
+
+ Element with the interface name.
+
+
+
+
+ Element that is true if the directed broadcast command is enabled on the interface. The default is false.
+
+
+
+
+ Element that is true if the proxy_arp command is enabled on the interface. The default is true.
+
+
+
+
+ Element that is true if the interface is shut down. The default is false.
+
+
+
+
+ Element with the interface hardware (MAC) address.
+
+
+
+
+ Element with the interface IPv4 address and mask. This element should only allow 'ipv4_address' of the oval:SimpleDatatypeEnumeration.
+
+
+
+
+ Element with the interface IPv6 address and mask. This element should only allow 'ipv6_address' of the oval:SimpleDatatypeEnumeration.
+
+
+
+
+ Element with the ingress or egress IPv4 ACL name applied on the interface.
+
+
+
+
+ Element with the ingress or egress IPv6 ACL name applied on the interface.
+
+
+
+
+ Element with the crypto map name applied to the interface.
+
+
+
+
+ Element with the uRPF command for IPv4 under the interface.
+
+
+
+
+ Element with the uRPF command for IPv6 under the interface.
+
+
+
+
+ Element with the uRPF command under the interface.
+
+
+ 5.11.1:1.1
+ This entity has been deprecated because it was replaced by the ipv4_urpf_command and ipv6_urpf_command entities.
+
+
+
+ Warning: DEPRECATED ENTITY: . This entity has been deprecated because it was replaced by the ipv4_urpf_command and ipv6_urpf_command entities.
+
+
+
+
+
+
+
+ Element with the switchport trunk encapsulation option configured on the interface (if applicable).
+
+
+
+
+ Element with the switchport mode option configured on the interface (if applicable).
+
+
+
+
+ Element with the trunk native vlan configured on the interface (if applicable).
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Element with the access vlan configured on the interface (if applicable).
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Element with the vlans that are trunked configured on the interface (if applicable).
+
+
+
+
+ Element with the vlans that are pruned from the trunk (if applicable).
+
+
+
+
+ Element with the switchport port-security commands configured on the interface (if applicable).
+
+
+
+
+
+
+
+
+
+
+
+
+ Stores commands that are part of a IOS-XE 'router' command configuration. For example 'router bgp 123'.
+
+
+
+
+
+
+
+ Element with the routing protocol.
+
+
+
+
+ Element with the IOS-XE router id.
+
+
+
+
+ Element with the subnet in the network command of the router instance. The area can be included in the string for OSPF.
+
+
+
+
+ Element with the BGP neighbors, if applicable.
+
+
+
+
+ Element with the OSPF area that is authenticated, if applicable.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Element with all config lines of the router.
+
+
+
+
+
+
+
+
+
+
+
+
+ Stores information about bgp neighbors configured in bgp instances.
+
+
+
+
+
+
+
+ Element with the bgp neighbor.
+
+
+
+
+ Element with the bgp authentication password, if configured. If Encryption type is configured it should be included in the password string. For example '0 cisco123'.
+
+
+
+
+
+
+
+
+
+
+
+
+ Stores information for routing protocol authentication configured under specific interfaces.
+
+
+
+
+
+
+
+ Element with the interface.
+
+
+
+
+ Element with the routing protocol.
+
+
+
+
+ Element with the routing protocol id.
+
+
+
+
+ Element with the routing protocol authentication type.
+
+
+
+
+ Element with the OSPF area that is authenticated, if applicable.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Element with the name of the key chain, if applicable.
+
+
+
+
+
+
+
+
+
+
+
+
+ Stores command that are part of a IOS-XE configuration section. For example all configuration lines under an interface. It should not store configurations for configs that already have a separate item. For example BGP has a router item and should not also be stored in a acl_item.
+
+
+
+
+
+
+
+ Element with the name of the ACL.
+
+
+
+
+ Element with the IP version of the ACL.
+
+
+
+
+ Element with the feature where the ACL is used. If the same ACL is applied in more than one feature (i.e interface and crypto map), multiple items needs to be created.
+
+
+
+
+ Element with the name of where the ACL is used. For example if use is 'INTERFACE', use_in will be the name of the interface. If the same ACL is applied in more than one feature (i.e interface and crypto map), multiple items needs to be created.
+
+
+
+
+ Element with the direction the ACL is applied on an interface.
+
+
+
+
+ Element with the value returned with all config lines of the ACL.
+
+
+
+
+ Element with the value returned with one ACL config line at a time.
+
+
+
+
+
+
+
+
+
+
+
+
+ Stores information about the SNMP host configuration in IOS. That information includes the host, the community or user strings, the SNMP version, the snmp security (if the SNMP version is SNMPv3) and the SNMP traps.
+
+
+
+
+
+
+
+ Element with the SNMP host address or hostname.
+
+
+
+
+ Element with the community string or SNMPv3 user configured for the host.
+
+
+
+
+ Element with the SNMP version.
+
+
+
+
+ Element with the SNMPv3 security configure for the host.
+
+
+
+
+ Element with the SNMP traps configured.
+
+
+
+
+
+
+
+
+
+
+
+
+ Stores information about an SNMP community configuration in IOS. That information includes the community name, the view (if it applies) name, the read-write mode and the ACLs names applied.
+
+
+
+
+
+
+
+ Element with the SNMP community name.
+
+
+
+
+ Element with the view that restricts the OIDs of this community.
+
+
+
+
+ Element with the read-write privileges of the community.
+
+
+
+
+ Element with the IPv4 ACL name applied to the community.
+
+
+
+
+ Element with the IPv6 ACL name applied to the community
+
+
+
+
+
+
+
+
+
+
+
+
+ Stores information about an SNMP user configuration in IOS. That information includes the user name, the SNMP group he belongs to, the SNMP version, the IPv4 or IPv6 ACL it is applied to, the Security Level and the Authentication type that apply to the user (for SNMPv3).
+
+
+
+
+
+
+
+ Element with the SNMP user name.
+
+
+
+
+ Element with the SNMP group the user belongs to.
+
+
+
+
+ Element with the SNMP version of the user.
+
+
+
+
+ Element with the IPv4 ACL name applied to the user.
+
+
+
+
+ Element with the IPv6 ACL name applied to the user.
+
+
+
+
+ Element with the SNMP encryption type for the user (for SNMPv3).
+
+
+
+
+ Element with the SNMP authentication type for the user (for SNMPv3).
+
+
+
+
+
+
+
+
+
+
+
+
+ Stores information about an SNMP group configuration in IOS. That information includes the group name, the SNMP version, the IPv4 or IPv6 ACL it is applied toand the read, write and/or notify views applied to the group.
+
+
+
+
+
+
+
+ Element with the SNMP group name.
+
+
+
+
+ Element with the SNMP version of the group.
+
+
+
+
+ Element with the SNMPv3 security configure for the group.
+
+
+
+
+ Element with the IPv4 ACL name applied to the group.
+
+
+
+
+ Element with the IPv6 ACL name applied to the group.
+
+
+
+
+ Element with the SNMP read view applied to the group.
+
+
+
+
+ Element with the SNMP write view applied to the group.
+
+
+
+
+ Element with the SNMP notify view applied to the group.
+
+
+
+
+
+
+
+
+
+
+
+
+ Stores information about an SNMP view configuration in IOS. That information includes the view name, the mib_family that the view uses and the included or excluded option of the mib family in the view.
+
+
+
+
+
+
+
+ Element with the SNMP view name.
+
+
+
+
+ Element with the SNMP MIB family of the view.
+
+
+
+
+ Element that is true if the included option is used in the view.
+
+
+
+
+
+
+
+
+
+
+
+
+ The EntityItemTrunkEncapType complex type restricts a string value to
+ a specific set of values: DOT1Q, ISL, NEGOTIATE. These values describe the interface
+ trunk encapsulation types on an interfaces in IOS. The empty string is also allowed
+ to support empty element associated with error conditions.
+
+
+
+
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with error conditions.
+
+
+
+
+
+
+
+ The EntityObjectRoutingProtocolType complex type restricts a string
+ value to a specific set of values: DYNAMIC, TRUNK, ACCESS. These values describe the
+ interface switchport mode types in IOS. The empty string is also allowed to support
+ empty element associated with error conditions.
+
+
+
+
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with error conditions.
+
+
+
+
+
+
+
+ The EntityItemRoutingProtocolType complex type restricts a string
+ value to a specific set of values: EIGRP, OSPF, BGP, RIP, RIPV2, ISIS. These values
+ describe the routing protocol used in a Cisco IOS-XE configuration. The empty string
+ is also allowed to support empty element associated with error
+ conditions.
+
+
+
+
+
+
+
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with error conditions.
+
+
+
+
+
+
+
+ The EntityItemRoutingAuthTypeStringType complex type restricts a
+ string value to a specific set of values: CLEARTEXT, MESSAGE_DIGEST. These
+ values describe the routing protocol authentication types used in a Cisco IOS-XE
+ configuration. The empty string is also allowed to support empty element associated
+ with error conditions.
+
+
+
+
+
+
+
+
+
+ 5.11.2:1.0
+ The NULL authentication area type is never declared in an interface ip ospf command context.
+ This RoutingAuthTypeStringType enumeration value has been deprecated and may be removed in a future version of the language.
+
+
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with error conditions.
+
+
+
+
+
+
+
+ The EntityItemSNMPVersionStringType complex type restricts a string
+ value to a specific set of values: 1, 2c, 3. These values describe the SNMP version
+ in a Cisco IOS-XE configuration. The empty string is also allowed to support empty
+ element associated with error conditions.
+
+
+
+
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with error conditions.
+
+
+
+
+
+
+
+ The EntityItemSNMPVersionStringType complex type restricts a string
+ value to a specific set of values: PRIV, AUTH, NO_AUTH. These values describe the
+ SNMP security level (encryption, Authentication, None) in a Cisco IOS-XE SNMPv3
+ related configurations. The empty string is also allowed to support empty element
+ associated with error conditions.
+
+
+
+
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with error conditions.
+
+
+
+
+
+
+
+ The EntityItemSNMPModeStringType complex type restricts a string
+ value to a specific set of values: RO, RW. These values describe the SNMP mode
+ (read-only, read-write) in a Cisco IOS-XE SNMPv3 related configurations. The empty
+ string is also allowed to support empty element associated with error
+ conditions.
+
+
+
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with error conditions.
+
+
+
+
+
+
+
+ The EntityItemSNMPAuthStringType complex type restricts a string
+ value to a specific set of values: MD5, SHA. These values describe the
+ authentication algorithm in a Cisco IOS-XE SNMPv3 related configurations. The empty
+ string is also allowed to support empty element associated with error
+ conditions.
+
+
+
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with error conditions.
+
+
+
+
+
+
+
+ The EntityItemSNMPPrivStringType complex type restricts a string
+ value to a specific set of values: DES, 3DES, AES. These values describe the
+ encryption algorithm in a Cisco IOS-XE SNMPv3 related configurations. The empty
+ string is also allowed to support empty element associated with error
+ conditions.
+
+
+
+
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with error conditions.
+
+
+
+
+
+
+
+ The EntityItemRoutingProtocolType complex type restricts a string
+ value to a specific set of values: IPV4, IPV6. These values describe if an ACL is
+ for IPv4 or IPv6 in a Cisco IOS-XE configuration. The empty string is also allowed
+ to support empty element associated with error conditions.
+
+
+
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with error conditions.
+
+
+
+
+
+
+
+ The EntityItemAccessListUseType complex type restricts a string value
+ to a specific set of values: INTERFACE, CRYPTO_MAP_MATCH, CLASS_MAP_MATCH,
+ ROUTE_MAP_MATCH, IGMP_FILTER, VTY. These values describe the ACL use in a Cisco
+ IOS-XE configuration. The empty string is also allowed to support empty element
+ associated with error conditions.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 5.11.2:1.0
+ The EntityStateSimpleBaseType check_existence attribute serves the same purpose as this enumeration value.
+ This AccessListUseType enumeration value has been deprecated and may be removed in a future version of the language.
+
+
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with error conditions.
+
+
+
+
+
+
+
+ The EntityItemAccessListInterfaceDirectionType complex type restricts
+ a string value to a specific set of values: IN, OUT. These values describe the
+ inbound or outbound ACL direction on an interface in a Cisco IOS-XE configuration.
+ The empty string is also allowed to support empty element associated with error
+ conditions.
+
+
+
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with error conditions.
+
+
+
+
+
+
+
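Review bot: three of the enumerated-type descriptions in this hunk name the wrong type, which will mislead anyone reading the generated schema documentation. The DYNAMIC/TRUNK/ACCESS type is introduced as "The EntityObjectRoutingProtocolType complex type restricts a string value to a specific set of values: DYNAMIC, TRUNK, ACCESS" although the text goes on to say it describes switchport modes; the PRIV/AUTH/NO_AUTH security-level type reuses "The EntityItemSNMPVersionStringType", the name already used for the 1/2c/3 version type immediately above it; and the IPV4/IPV6 ACL type is described as "The EntityItemRoutingProtocolType". Each description should name the type it actually annotates (a switchport-mode type, an SNMP security-level type, an ACL IP-version type), otherwise a definition author grepping the docs for the security-level type will land on the version type. Smaller fixes in the same hunk: "Stores command that are part of a IOS-XE configuration section ... should not also be stored in a acl_item" should say which item it is describing (the ACL item is described separately a few lines later, so "acl_item" looks like a copy-paste slip) and read "commands ... an IOS-XE"; "SNMPv3 security configure for the host" and "... for the group" should be "configured"; "applied toand" should be "applied to and"; "multiple items needs to be created" should be "need". For the SNMPv3 auth and priv types (MD5, SHA and DES, 3DES, AES), it would help hardening checks to state in the description whether "AES" is a single value regardless of key length, since a benchmark asserting on the priv algorithm needs to know what the collector will report.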
diff --git a/oval-schemas/junos-definitions-schema.xsd b/oval-schemas/junos-definitions-schema.xsd
new file mode 100644
index 0000000..29b7712
--- /dev/null
+++ b/oval-schemas/junos-definitions-schema.xsd
@@ -0,0 +1,483 @@
+
+
+
+
+ The following is a description of the elements, types, and attributes that compose the Junos-specific tests found in Open Vulnerability and Assessment Language (OVAL). Each test is an extension of the standard test element defined in the Core Definition Schema. Through extension, each test inherits a set of elements and attributes that are shared amongst all OVAL tests. Each test is described in detail and should provide the information necessary to understand what each element and attribute represents. This document is intended for developers and assumes some familiarity with XML. A high level description of the interaction between the different tests and their relationship to the Core Definition Schema is not outlined here.
+ This schema was originally developed by David Solin at jOVAL.org. The OVAL Schema is maintained by the OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.cisecurity.org.
+
+ Junos Definition
+ 5.11.1:1.1
+ 11/30/2016 09:00:00 AM
+ Copyright (c) 2016, Center for Internet Security. All rights reserved. The contents of this file are subject to the terms of the OVAL License located at https://oval.cisecurity.org/terms. See the OVAL License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the OVAL Schema, this license header must be included.
+
+
+
+
+
+
+
+
+
+
+
+ The XML config test is used to perform XPATH queries against the JunOS XML configuration file. The JunOS XML configuration file can be retrieved using the command "show configuration | display xml". It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a xml_config_object and the optional state element specifies the data to check.
+
+
+ xml_config_test
+ xml_config_object
+ xml_config_state
+ xml_config_item
+
+
+
+
+
+ - the object child element of a xml_config_test must reference a xml_config_object
+
+
+ - the state child element of a xml_config_test must reference a xml_config_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The xml_config_object element is used by an XML config test to define the object to be evaluated. For the most part this object checks for existence and is used without a state comparision. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ An XPATH 1.0 expression that should be evaluated against the XML configuration file. Any valid XPATH 1.0 statement is usable with one exception, at most one field may be identified in the XPATH. This is because the value_of element in the data section is only designed to work against a single field. The only valid operator for xpath is equals since there is an infinite number of possible xpaths and determinining all those that do not equal a given xpath would be impossible.
+
+
+
+ - operation attribute for the xpath entity of a xml_config_object should be 'equals', note that this overrules the general operation attribute validation (i.e. follow this one)
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The xml_config_state element defines the different information that can be used to evaluate the result of an XPATH query against the XML configuration file. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ An XPATH 1.0 expression that was evaluated against the XML config file.
+
+
+
+
+ The result of the evaluation of the XPATH expression against the XML config file.
+
+
+
+
+
+
+
+
+
+
+
+
+ The show test is used to check the properties of specific output lines from a SHOW command, such as "show configuration". It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a show_object and the optional state element specifies the data to check.
+
+
+ show_test
+ show_object
+ show_state
+ show_item
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The show_object element is used by a show test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The name of a SHOW sub-command to be tested.
+
+
+
+
+
+
+
+
+
+
+
+
+ The show_state element defines the different information that can be used to evaluate the result of a specific SHOW sub-command. This includes the name of the sub-command and the corresponding config output. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ The name of the SHOW sub-command.
+
+
+
+
+ The value returned from by the specified SHOW sub-command. This may consist of multiple lines of information, whose raw form will be captured by the item.
+
+
+
+
+
+
+
+
+
+
+
+
+ The version_test is used to check the version of components of the JunOS operating system. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a version_object and the optional state element specifies the data to check.
+
+
+ version_test
+ version_object
+ version_state
+ version_item
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The version_object element is used by a version_test to define the different version information associated with a JunOS system.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The name of the JunOS component whose version should be retrieved.
+
+
+
+
+
+
+
+
+
+
+
+
+ The version_state element defines the version information held by a JunOS component.
+
+
+
+
+
+
+
+ The name of the JunOS component whose version should be retrieved.
+
+
+
+
+ The raw release version string for the component, e.g., 12.2R6.1 or 12.1X44-D10.4.
+
+
+
+
+ The part of the release version of the component corresponding to the year in which the release occurred. For example, the major value for 12.2R6.1 would be '12'.
+
+
+
+
+ The part of the release version of the component corresponding to the quarter in which the release occurred. For example, the minor value for 12.2R6.1 would be '2'.
+
+
+
+
+ The release type embedded in the version of the component. For example, the type value for 12.2R6.1 is 'R'.
+
+
+
+
+ The build number of the component's version. For example, the revision for 12.2R6.1 has a build number of '6'; 12.1X44-D10.4 has a build number of '44'.
+
+
+
+
+ A maintenance_release value can appear in an R-type service release or an X-type release (where it takes the value of the D-number). For example, version 14.2R3-S4.5 has a maintenance_release of '4'. For version 10.4S4.2, the maintenance_release entity would have a status of 'does not exist'. For version 12.1X44-D10.4, the maintenance_release entity value would be '10'.
+
+
+
+
+ The spin number of the component. For example, 12.2R6.1 has a spin value of '1'; 12.1X44-D10.4 has a spin value of '4'.
+
+
+
+
+ The build date of the component, specified in milliseconds since the Epoch (midnight, January 1, 1970 GMT).
+
+
+
+
+
+
+
+
+
+
+
+
+ The XML show test is used to check the properties of specific output from an XML SHOW command, such as "show configuration | display xml". It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a xml_show_object and the optional state element specifies the data to check.
+
+
+ xml_show_test
+ xml_show_object
+ xml_show_state
+ xml_show_item
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The xml_show_object element is used by an XML show test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The name of a SHOW sub-command to be tested.
+
+
+
+
+ An XPATH 1.0 expression that should be evaluated against the XML data resulting from the XML show subcommand. Any valid XPATH 1.0 statement is usable with one exception, at most one field may be identified in the XPATH. This is because the value_of element in the data section is only designed to work against a single field. The only valid operator for xpath is equals since there is an infinite number of possible xpaths and determinining all those that do not equal a given xpath would be impossible.
+
+
+
+ - operation attribute for the xpath entity of a xml_show_object should be 'equals', note that this overrules the general operation attribute validation (i.e. follow this one)
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The xml_show_state element defines the different information that can be used to evaluate the result of a specific XML SHOW sub-command. This includes the name of the sub-command, the XPATH and the corresponding XPATH query result. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ The name of a SHOW sub-command to be tested.
+
+
+
+
+ An XPATH 1.0 expression that should be evaluated against the XML data resulting from the XML show subcommand.
+
+
+
+
+ The result of the evaluation of the XPATH expression against the XML data returned from the XML show subcommand.
+
+
+
+
+
+
+
+
+
+
+
+
+ The EntityStateJunosReleaseTypeType complex type defines the different values that are valid for the release_type entity of a system_metric state. These values describe the release type specified in the raw version string.
+
+
+
+
+
+ Indicates a normal release.
+
+
+
+
+ Indicates an internal release.
+
+
+
+
+ Indicates a feature release.
+
+
+
+
+ Indicates a service release.
+
+
+
+
+ Indicates a beta release.
+
+
+
+
+ Indicates an exception release (e.g., every release of the SRX branch so far).
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
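Review bot: the object/state type checks are only present on xml_config_test ("the object child element of a xml_config_test must reference a xml_config_object" and "the state child element of a xml_config_test must reference a xml_config_state"); show_test, version_test and xml_show_test carry no equivalent assertions, so a definition that points a show_test at a version_object would pass validation. Add the same pair of checks to each of the three tests. Also in this hunk: the EntityStateJunosReleaseTypeType description says its values are valid "for the release_type entity of a system_metric state", but the state that carries release_type in this schema is version_state; "without a state comparision" should be "comparison"; "The value returned from by the specified SHOW sub-command" should be "returned by". For the subcommand entity of show_object and xml_show_object ("The name of a SHOW sub-command to be tested.") the description should say whether the definition author supplies the "| display xml" pipe or the collector appends it, since the xml_show_test text gives "show configuration | display xml" as its example while xml_show_object speaks only of "the XML show subcommand"; whichever is intended, the collector should accept only a show sub-command in that entity and refuse anything else, because the string ends up on the device CLI.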
diff --git a/oval-schemas/junos-system-characteristics-schema.xsd b/oval-schemas/junos-system-characteristics-schema.xsd
new file mode 100644
index 0000000..6ddfdb3
--- /dev/null
+++ b/oval-schemas/junos-system-characteristics-schema.xsd
@@ -0,0 +1,213 @@
+
+
+
+
+ The following is a description of the elements, types, and attributes that compose the Junos-specific system characteristic items found in Open Vulnerability and Assessment Language (OVAL). Each item is an extension of the standard item element defined in the Core System Characteristic Schema. Through extension, each item inherits a set of elements and attributes that are shared amongst all OVAL Items. Each item is described in detail and should provide the information necessary to understand what each element and attribute represents. This document is intended for developers and assumes some familiarity with XML. A high level description of the interaction between the different tests and their relationship to the Core System Characteristic Schema is not outlined here.
+ This schema was originally developed by David Solin at jOVAL.org. The OVAL Schema is maintained by the OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.cisecurity.org.
+
+ Junos System Characteristics
+ 5.11.1:1.1
+ 11/30/2016 09:00:00 AM
+ Copyright (c) 2016, Center for Internet Security. All rights reserved. The contents of this file are subject to the terms of the OVAL License located at https://oval.cisecurity.org/terms. See the OVAL License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the OVAL Schema, this license header must be included.
+
+
+
+
+
+
+
+
+
+
+ Stores information about the existence of a particular XPATH query result from the JunOS XML config file.
+
+
+
+
+
+
+
+ An XPATH 1.0 expression that was evaluated against the XML config file.
+
+
+
+
+ The result of the evaluation of the XPATH expression against the XML config file.
+
+
+
+
+
+
+
+
+
+
+
+
+ Stores the resulting configuration data provided by the execution of a specific show command.
+
+
+
+
+
+
+
+ The name of the SHOW sub-command.
+
+
+
+
+ The value returned from by the specified SHOW sub-command. This may consist of multiple lines of information.
+
+
+
+
+
+
+
+
+
+
+
+
+ The version_item holds information about the version of a particular component of the JunOS operating system. It extends the standard ItemType as defined in the oval-system-characteristics schema and one should refer to the ItemType description for more information.
+
+
+
+
+
+
+
+ The name of the JunOS component whose version should be retrieved.
+
+
+
+
+ The raw release version string for the component, e.g., 12.2R6.1 or 12.1X44-D10.4.
+
+
+
+
+ The part of the release version of the component corresponding to the year in which the release occurred. For example, the major value for 12.2R6.1 would be '12'.
+
+
+
+
+ The part of the release version of the component corresponding to the quarter in which the release occurred. For example, the minor value for 12.2R6.1 would be '2'.
+
+
+
+
+ The release type embedded in the version of the component. For example, the type value for 12.2R6.1 is 'R'.
+
+
+
+
+ The build number of the component's version. For example, the revision for 12.2R6.1 has a build number of '6'; 12.1X44-D10.4 has a build number of '44'.
+
+
+
+
+ A maintenance_release value can appear in an R-type service release or an X-type release (where it takes the value of the D-number). For example, version 14.2R3-S4.5 has a maintenance_release of '4'. For version 10.4S4.2, the maintenance_release entity would have a status of 'does not exist'. For version 12.1X44-D10.4, the maintenance_release entity value would be '10'.
+
+
+
+
+ The spin number of the component. For example, 12.2R6.1 has a spin value of '1'; 12.1X44-D10.4 has a spin value of '4'.
+
+
+
+
+ The build date of the component, specified in milliseconds since the Epoch (midnight, January 1, 1970 GMT).
+
+
+
+
+
+
+
+
+
+
+
+
+ Stores the result of the application of an XPATH query applied to the JunOS configuration data provided by the execution of a specific show command, which has been piped to "display xml".
+
+
+
+
+
+
+
+ The name of a SHOW sub-command to be tested.
+
+
+
+
+ An XPATH 1.0 expression that should be evaluated against the XML data resulting from the XML show subcommand.
+
+
+
+
+ The result of the evaluation of the XPATH expression against the XML data returned from the XML show subcommand.
+
+
+
+
+
+
+
+
+
+
+
+
+ The EntityItemJunosReleaseTypeType complex type defines the different values that are valid for the release_type entity of a system_metric state. These values describe the release type specified in the raw version string.
+
+
+
+
+
+ Indicates a normal release.
+
+
+
+
+ Indicates an internal release.
+
+
+
+
+ Indicates a feature release.
+
+
+
+
+ Indicates a service release.
+
+
+
+
+ Indicates a beta release.
+
+
+
+
+ Indicates an exception release (e.g., every release of the SRX branch so far).
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with error conditions.
+
+
+
+
+
+
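Review bot: the EntityItemJunosReleaseTypeType description was copied from the definitions schema and still says the values are valid for "the release_type entity of a system_metric state"; in this schema the entity belongs to version_item, and an item type should name the item, not a state. The xml_show_item entity descriptions are likewise copied from the object ("The name of a SHOW sub-command to be tested.", "An XPATH 1.0 expression that should be evaluated against the XML data ..."), whereas xml_config_item correctly uses the past tense ("An XPATH 1.0 expression that was evaluated against the XML config file."); an item records what was collected, so these should read "that was run" and "that was evaluated", and version_item's "whose version should be retrieved" should be "was retrieved". "The value returned from by the specified SHOW sub-command" appears again in show_item. Finally, version_item is the only item here that states it "extends the standard ItemType as defined in the oval-system-characteristics schema"; xml_config_item, show_item and xml_show_item should carry the same sentence for consistency with the rest of the OVAL item documentation.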
diff --git a/oval-schemas/linux-definitions-schema.xsd b/oval-schemas/linux-definitions-schema.xsd
new file mode 100644
index 0000000..d08ce41
--- /dev/null
+++ b/oval-schemas/linux-definitions-schema.xsd
@@ -0,0 +1,2865 @@
+
+
+
+
+
+ The following is a description of the elements, types, and attributes that compose the Linux specific tests found in Open Vulnerability and Assessment Language (OVAL). Each test is an extension of the standard test element defined in the Core Definition Schema. Through extension, each test inherits a set of elements and attributes that are shared amongst all OVAL tests. Each test is described in detail and should provide the information necessary to understand what each element and attribute represents. This document is intended for developers and assumes some familiarity with XML. A high level description of the interaction between the different tests and their relationship to the Core Definition Schema is not outlined here.
+ The OVAL Schema is maintained by the OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.cisecurity.org.
+
+ Linux Definition
+ 5.11.1:1.2
+ 11/30/2016 09:00:00 AM
+ Copyright (c) 2016, Center for Internet Security. All rights reserved. The contents of this file are subject to the terms of the OVAL License located at https://oval.cisecurity.org/terms. See the OVAL License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the OVAL Schema, this license header must be included.
+
+
+
+
+
+
+
+
+
+
+ The AppArmor Status Test is used to check properties representing the counts of profiles and processes as per the results of the "apparmor_status" or "aa-status" command. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references an apparmorstatus_object and the optional state element specifies the data to check.
+
+
+ apparmorstatus_test
+ apparmorstatus_object
+ apparmorstatus_state
+ apparmorstatus_item
+
+
+
+
+
+ - the object child element of a apparmorstatus_test must reference a apparmorstatus_object
+
+
+ - the state child element of a apparmorstatustest must reference a apparmorstatus_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The apparmorstatus_object element is used by an apparmorstatus test to define the different information about the current AppArmor polciy. There is actually only one object relating to AppArmor Status and this is the system as a whole. Therefore, there are no child entities defined. Any OVAL Test written to check AppArmor status will reference the same apparmorstatus_object which is basically an empty object element.
+
+
+
+
+
+
+
+
+
+ The AppArmor Status Item displays various information about the current AppArmor policy. This item maps the counts of profiles and processes as per the results of the "apparmor_status" or "aa-status" command. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ Displays the number of loaded profiles
+
+
+
+
+ Displays the number of profiles in enforce mode
+
+
+
+
+ Displays the number of profiles in complain mode
+
+
+
+
+ Displays the number of processes which have profiles defined
+
+
+
+
+ Displays the number of processes in enforce mode
+
+
+
+
+ Displays the number of processes in complain mode
+
+
+
+
+ Displays the number of processes which are unconfined but have a profile defined
+
+
+
+
+
+
+
+
+
+
+
+
+ The dpkginfo test is used to check information for a given DPKG package. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a dpkginfo_object and the optional state element specifies the data to check.
+
+
+ dpkginfo_test
+ dpkginfo_object
+ dpkginfo_state
+ dpkginfo_item
+
+
+
+
+
+ - the object child element of an dpkginfo_test must reference an dpkginfo_object
+
+
+ - the state child element of an dpkginfo_test must reference an dpkginfo_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The dpkginfo_object element is used by a dpkginfo test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+ A dpkginfo object consists of a single name entity that identifies the package being checked.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ This is the package name to check.
+
+
+
+
+
+
+
+
+
+
+
+
+ The dpkginfo_state element defines the different information that can be used to evaluate the specified DPKG package. This includes the architecture, epoch number, release, and version numbers. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ This is the DPKG package name to check.
+
+
+
+
+ This is the architecture for which the package was built, like : i386, ppc, sparc, noarch.
+
+
+
+
+ This is the epoch number of the DPKG. For a null epoch (or '(none)' as returned by dpkg) the string '(none)' should be used.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ This is the release number of the build, changed by the vendor/builder.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ This is the version number of the build.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ This represents the epoch, upstream_version, and debian_revision fields, for a Debian package, as a single version string. It has the form "EPOCH:UPSTREAM_VERSION-DEBIAN_REVISION". Note that a null epoch (or '(none)' as returned by dpkg) is equivalent to '0' and would hence have the form 0:UPSTREAM_VERSION-DEBIAN_REVISION.
+
+
+
+ Warning: There are differences in the algorithms for how the version strings of Debian and RPM packages are compared. As a result, a new debian_evr_string datatype was added to the OVAL Language and should be used, for this entity, instead of the evr_string datatype.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The iflisteners_test is used to check what applications such as packet sniffers that are bound to an interface on the system. This is limited to applications that are listening on AF_PACKET sockets. Furthermore, only applications bound to an ethernet interface should be collected. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references an iflisteners_object and the optional iflisteners_state element specifies the data to check.
+
+
+ iflisteners_test
+ iflisteners_object
+ iflisteners_state
+ iflisteners_item
+
+
+
+
+
+ - the object child element of an iflisteners_test must reference an iflisteners_object
+
+
+ - the state child element of an iflisteners_test must reference an iflisteners_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The iflisteners_object element is used by an iflisteners_test to define the specific interface to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The interface_name entity specifies the name of the interface (eth0, eth1, fw0, etc.) to check.
+
+
+
+
+
+
+
+
+
+
+
+
+ The iflisteners_state element defines the different information that can be used to evaluate the specified applications that are listening on interfaces on the system. This includes the interface name, protocol, hardware address, program name, pid, and user id. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ This is the name of the interface (eth0, eth1, fw0, etc.).
+
+
+
+
+ This is the physical layer protocol used by the AF_PACKET socket.
+
+
+
+
+ This is the hardware address associated with the interface.
+
+
+
+
+ This is the name of the communicating program.
+
+
+
+
+ The pid is the process ID of a specific process.
+
+
+
+
+ The numeric user id, or uid, is the third column of each user's entry in /etc/passwd. It represents the owner, and thus privilege level, of the specified program.
+
+
+
+
+
+
+
+
+
+
+
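Review bot: the iflisteners_test description has a broken sentence, "is used to check what applications such as packet sniffers that are bound to an interface on the system"; suggest "is used to check which applications, such as packet sniffers, are bound to an interface on the system". The filter assertion message "State referenced in filter for '' is of the wrong type." also renders with an empty id between the quotes: the interpolated object id appears to have been dropped when the Schematron message was flattened into the documentation, so either render the placeholder expression or omit the quoted value. The same empty-quote message recurs for every object in this file, so this is a generator fix rather than a per-object edit.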
+
+ The inet listening servers test is used to check what applications are listening on the network. This is limited to applications that are listening for connections that use the TCP or UDP protocols and have addresses represented as IPv4 or IPv6 addresses (AF_INET or AF_INET6). It is generally using the parsed output of running the command netstat -tuwlnpe with root privilege. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references an inetlisteningservers_object and the optional state element specifies the data to check.
+
+
+ inetlisteningservers_test
+ inetlisteningservers_object
+ inetlisteningservers_state
+ inetlisteningserver_item
+
+
+
+
+
+ - the object child element of an inetlisteningservers_test must reference an inetlisteningservers_object
+
+
+ - the state child element of an inetlisteningservers_test must reference an inetlisteningservers_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The inetlisteningservers_object element is used by an inet listening servers test to define the specific protocol-address-port to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+ An inet listening servers object consists of three entities. The first identifies a specific IP address. The second entity represents a certain port number. While the third identifies the protocol.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The protocol entity defines a certain transport-layer protocol, in lowercase: tcp or udp.
+
+
+
+
+ This is the IP address of the network interface on which an application listens. Note that the IP address can be IPv4 or IPv6.
+
+
+
+
+ This is the TCP or UDP port on which an application would listen. Note that this is not a list -- if a program listens on multiple ports, or on a combination of TCP and UDP, each will be represented by its own object.
+
+
+
+
+
+
+
+
+
+
+
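Review bot: the inetlisteningservers_object summary lists its entities in the wrong order and ends in a sentence fragment. It says "The first identifies a specific IP address. The second entity represents a certain port number. While the third identifies the protocol.", but the entities documented immediately after it are the protocol, then the local IP address, then the port. Suggest: "An inet listening servers object consists of three entities: the first identifies the transport-layer protocol, the second a specific IP address, and the third a certain port number."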
+
+ The inetlisteningservers_state element defines the different information that can be used to evaluate the specified inet listening server. This includes the local address, foreign address, port information, and process id. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ The protocol entity defines the specific transport-layer protocol, in lowercase: tcp or udp, associated with the inet listening server.
+
+
+
+
+ This is the IP address of the network interface on which the program listens. Note that the IP address can be IPv4 or IPv6.
+
+
+
+
+ This is the TCP or UDP port number associated with the inet listening server.
+
+
+
+
+ This is the IP address and network port number associated with the inet listening server, equivalent to local_address:local_port. Note that the IP address can be IPv4 or IPv6.
+
+
+
+
+ This is the name of the communicating program.
+
+
+
+
+ This is the IP address with which the program is communicating, or with which it will communicate, in the case of a listening server. Note that the IP address can be IPv4 or IPv6.
+
+
+
+
+ This is the TCP or UDP port to which the program communicates. In the case of a listening program accepting new connections, the value will be 0.
+
+
+
+
+ This is the IP address and network port to which the program is communicating or will accept communications from, equivalent to foreign_address:foreign_port. Note that the IP address can be IPv4 or IPv6.
+
+
+
+
+ The pid is the process ID of a specific process.
+
+
+
+
+ The numeric user id, or uid, is the third column of each user's entry in /etc/passwd. It represents the owner, and thus privilege level, of the specified program.
+
+
+
+
+
+
+
+
+
+
+
+
+ The partition_test is used to check the information associated with partitions on the local system. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a partition_object and the optional state element references a partition_state that specifies the information to check.
+
+
+ partition_test
+ partition_object
+ partition_state
+ partition_item
+
+
+
+
+
+ - the object child element of a partition_test must reference a partition_object
+
+
+ - the state child element of a partition_test must reference a partition_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The partition_object is used by a partition_test to define which partitions on the local system should be collected. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The mount_point element specifies the mount points of the partitions that should be collected from the local system.
+
+
+
+
+
+
+
+
+
+
+
+
+ The partition_state element defines the different information associated with a partition. This includes the name, filesystem type, mount options, total space, space used, and space left. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ The mount_point element contains a string that represents the mount point of a partition on the local system.
+
+
+
+
+ The device element contains a string that represents the name of the device.
+
+
+
+
+ The uuid element contains a string that represents the universally unique identifier associated with a partition.
+
+
+
+
+ The fs_type element contains a string that represents the type of filesystem on a partition.
+
+
+
+
+ The mount_options element contains a string that represents the mount options associated with a partition.
+ Implementation note: not all mount options are visible in /etc/mtab or /proc/mounts. A complete source of additional mount options is the f_flag field of 'struct statvfs'. See statvfs(2). /etc/fstab may have additional mount options, but it need not contain all mounted filesystems, so it MUST NOT be relied upon. Implementers MUST be sure to get all mount options in some way.
+
+
+
+
+ The total_space element contains an integer that represents the total number of physical blocks on a partition.
+
+
+
+
+ The space_used element contains an integer that represents the number of physical blocks used on a partition.
+
+
+
+
+ The space_left element contains an integer that represents the number of physical blocks left on a partition available to be used by privileged users.
+
+
+
+
+ The space_left_for_unprivileged_users element contains an integer that represents the number of physical blocks remaining on a partition that are available to be used by unprivileged users.
+
+
+
+
+ The block_size element contains an integer that represents the actual byte size of each physical block on the partition's block device. This is the same block size used to compute the total_space, space_used, and space_left.
+
+
+
+
+
+
+
+
+
+
+
+
+ The rpminfo_test is used to check the RPM header information for a given RPM package. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a rpminfo_object and the optional state element specifies the data to check.
+
+
+ rpminfo_test
+ rpminfo_object
+ rpminfo_state
+ rpminfo_item
+
+
+
+
+
+ - the object child element of an rpminfo_test must reference an rpminfo_object
+
+
+ - the state child element of an rpminfo_test must reference an rpminfo_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The rpminfo_object element is used by a rpm info test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+ A rpm info object consists of a single name entity that identifies the package being checked.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ This is the package name to check.
+
+
+
+
+
+
+
+
+
+
+
+
+ The rpminfo_state element defines the different information that can be used to evaluate the specified rpm. This includes the architecture, epoch number, and version numbers. Most of this information can be obtained through the rpm function. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ This is the package name to check.
+
+
+
+
+ This is the architecture for which the RPM was built, like : i386, ppc, sparc, noarch. In the case of an apache rpm named httpd-2.0.40-21.11.4.i686.rpm, this value would be i686.
+
+
+
+
+ This is the epoch number of the RPM, this is used as a kludge for version-release comparisons where the vendor has done some kind of re-numbering or version forking. For a null epoch (or '(none)' as returned by rpm) the string '(none)' should be used.. This number is not revealed by a normal query of the RPM's information -- you must use a formatted rpm query command to gather this data from the command line, like so. For an already-installed RPM: rpm -q --qf '%{EPOCH}\n' installed_rpm For an RPM file that has not been installed: rpm -qp --qf '%{EPOCH}\n' rpm_file
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ This is the release number of the build, changed by the vendor/builder.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ This is the version number of the build. In the case of an apache rpm named httpd-2.0.40-21.11.4.i686.rpm, this value would be 2.0.40.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ This represents the epoch, version, and release fields as a single version string. It has the form "EPOCH:VERSION-RELEASE". Note that a null epoch (or '(none)' as returned by rpm) is equivalent to '0' and would hence have the form 0:VERSION-RELEASE. Comparisons involving this datatype should follow the algorithm of librpm's rpmvercmp() function.
+
+
+
+
+ This field contains the 64-bit PGP key ID that the RPM issuer (generally the original operating system vendor) uses to sign the key. Note that the value should NOT contain a hyphen to separate the higher 32-bits from the lower 32-bits. It should simply be a 16 character hex string. PGP is used to verify the authenticity and integrity of the RPM being considered. Software packages and patches are signed cryptographically to allow administrators to allay concerns that the distribution mechanism has been compromised, whether that mechanism is web site, FTP server, or even a mirror controlled by a hostile party. OVAL uses this field most of all to confirm that the package installed on the system is that shipped by the vendor, since comparing package version numbers against patch announcements is only programmatically valid if the installed package is known to contain the patched code.
+
+
+
+
+ This represents the name, epoch, version, release, and architecture fields as a single version string. It has the form "NAME-EPOCH:VERSION-RELEASE.ARCHITECTURE". Note that a null epoch (or '(none)' as returned by rpm) is equivalent to '0' and would hence have the form NAME-0:VERSION-RELEASE.ARCHITECTURE. The 'gpg-pubkey' virtual package on RedHat and CentOS should use the string '(none)' for the architecture to construct the extended_name.
+
+
+
+
+ This field contains the absolute path of a file or directory included in the rpm.
+
+
+
+
+
+
+
+
+
+ The RpmInfoBehaviors complex type defines a set of behaviors for controlling what data, for installed rpms, is collected. This behavior aligns with the rpm command.
+
+
+
+ 'filepaths', when true, this behavior means collect all filepaths (directory and file information) from the rpm database for the package.
+
+
+
+
+
+
+
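Review bot: the epoch description in rpminfo_state has a doubled period ("should be used..") and the two rpm query examples run into the prose. Suggest separating them: "For an already-installed RPM: rpm -q --qf '%{EPOCH}\n' installed_rpm. For an RPM file that has not been installed: rpm -qp --qf '%{EPOCH}\n' rpm_file." This text is repeated verbatim in the rpmverifyfile and rpmverifypackage object and state descriptions below, so fix the source annotation once. In the signature key ID description, "uses to sign the key" should be "uses to sign the package": the 64-bit key ID identifies the signing key, it does not sign a key. Minor grammar: "a rpm info test" and "A rpm info object" read better as "an rpm info test" and "An rpm info object".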
+
+ The rpmverify_test is used to verify the integrity of installed RPMs. This test aligns with the rpm -V command for verifying RPMs. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a rpmverify_object and the optional state element specifies the data to check.
+
+
+ rpmverify_test
+ rpmverify_object
+ rpmverify_state
+ rpmverify_item
+
+
+
+
+ 5.10
+ Replaced by the rpmverifyfile_test and the rpmverifypackage_test. The rpmverify_test was split into two tests to distinguish between the verification of the files in an rpm and the verification of an rpm as a whole. By making this distinction, content authoring is simplified and information is no longer duplicated across items. See the rpmverifyfile_test and rpmverifypackage_test.
+ This test has been deprecated and will be removed in version 6.0 of the language.
+
+
+
+ DEPRECATED TEST: ID:
+
+
+
+
+
+
+ - the object child element of an rpmverify_test must reference an rpmverify_object
+
+
+ - the state child element of an rpmverify_test must reference an rpmverify_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The rpmverify_object element is used by a rpmverify_test to define a set of files within a set of RPMs to verify. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+ 5.10
+ Replaced by the rpmverifyfile_object and rpmverifypackage_object. The rpmverify_test was split into two tests to distinguish between the verification of the files in an rpm and the verification of an rpm as a whole. By making this distinction, content authoring is simplified and information is no longer duplicated across items. See the rpmverifyfile_object and rpmverifypackage_object.
+ This object has been deprecated and will be removed in version 6.0 of the language.
+
+
+
+ DEPRECATED OBJECT: ID:
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ This is the package name to check.
+
+
+
+
+ The filepath element specifies the absolute path for a file or directory in the specified package.
+
+
+
+
+
+
+
+
+
+
+
+
+ The rpmverify_state element defines the different information that can be used to evaluate the specified rpm. This includes the architecture, epoch number, and version numbers. Most of this information can be obtained through the rpm function. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+ 5.10
+ Replaced by the rpmverifyfile_state and rpmverifypackage_state. The rpmverify_test was split into two tests to distinguish between the verification of the files in an rpm and the verification of an rpm as a whole. By making this distinction, content authoring is simplified and information is no longer duplicated across items. See the rpmverifyfile_state and rpmverifypackage_state.
+ This state has been deprecated and will be removed in version 6.0 of the language.
+
+
+
+ DEPRECATED STATE: ID:
+
+
+
+
+
+
+
+
+
+
+ This is the package name to check.
+
+
+
+
+ The filepath element specifies the absolute path for a file or directory in the specified package.
+
+
+
+
+ The size_differs entity aligns with the first character ('S' flag) in the character string in the output generated by running rpm –V on a specific file.
+
+
+
+
+ The mode_differs entity aligns with the second character ('M' flag) in the character string in the output generated by running rpm –V on a specific file.
+
+
+
+
+ The md5_differs entity aligns with the third character ('5' flag) in the character string in the output generated by running rpm –V on a specific file.
+
+
+
+
+ The device_differs entity aligns with the fourth character ('D' flag) in the character string in the output generated by running rpm –V on a specific file.
+
+
+
+
+ The link_mismatch entity aligns with the fifth character ('L' flag) in the character string in the output generated by running rpm –V on a specific file.
+
+
+
+
+ The ownership_differs entity aligns with the sixth character ('U' flag) in the character string in the output generated by running rpm –V on a specific file.
+
+
+
+
+ The group_differs entity aligns with the seventh character ('U' flag) in the character string in the output generated by running rpm –V on a specific file.
+
+
+
+
+ The mtime_differs entity aligns with the eighth character ('T' flag) in the character string in the output generated by running rpm –V on a specific file.
+
+
+
+
+ The size_differs entity aligns with the ninth character ('P' flag) in the character string in the output generated by running rpm –V on a specific file.
+
+
+
+
+ The configuration_file entity represents the configuration file attribute marker that may be present on a file.
+
+
+
+
+ The documentation_file entity represents the documenation file attribute marker that may be present on a file.
+
+
+
+
+ The ghost_file entity represents the ghost file attribute marker that may be present on a file.
+
+
+
+
+ The license_file entity represents the license file attribute marker that may be present on a file.
+
+
+
+
+ The readme_file entity represents the readme file attribute marker that may be present on a file.
+
+
+
+
+
+
+
+
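Review bot: two rpm -V flag mappings in rpmverify_state are wrong. group_differs is documented as the seventh character with a 'U' flag, but in rpm -V output the seventh character is 'G' (group differs); 'U' is the sixth character, already assigned to ownership_differs two entries above. The ninth-character entity ('P' flag) is named size_differs, which duplicates the first entity's name; 'P' is the capabilities flag, so this entity needs its own name (e.g. capabilities_differ) and a description that says so. Separately, the rpmverify_state introduction was copied from rpminfo_state ("This includes the architecture, epoch number, and version numbers. Most of this information can be obtained through the rpm function."), but the entities that follow are name, filepath, the per-file verification flags and the attribute markers, so the summary should describe those instead. Typo: "documenation" in the documentation_file entity.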
+
+ The RpmVerifyBehaviors complex type defines a set of behaviors that for controlling how installed rpms are verified. These behaviors align with the verify-options of the rpm command with the addition of two behaviors that will indicate that a file with a given attribute marker should not be collected.
+
+
+ 5.10
+ Replaced by the RpmVerifyFileBehaviors and the RpmVerifyPackageBehaviors. The RpmVerifyBehaviors complex type is used by the rpmverify_test which was split into two tests to distinguish between the verification of the files in an rpm and the verification of an rpm as a whole. By making this distinction, content authoring is simplified and information is no longer duplicated across items. The new tests utilize the RpmVerifyFileBehaviors and RpmVerifyPackageBehaviors complex types, and as a result, the RpmVerifyBehaviors complex type is no longer needed.
+ This complex type has been deprecated and will be removed in version 6.0 of the language.
+
+
+
+
+
+ 'nodeps' when true this behavior means, don't verify dependencies of packages.
+
+
+
+
+ 'nodigest' when true this behavior means, don't verify package or header digests when reading.
+
+
+
+
+ 'nofiles' when true this behavior means, don't verify any attributes of package files.
+
+
+
+
+ 'noscripts' when true this behavior means, don't execute the %verifyscript scriptlet (if any).
+
+
+
+
+ 'nosignature' when true this behavior means, don't verify package or header signatures when reading.
+
+
+
+
+ 'nolinkto' when true this behavior means, don't verify symbolic links attribute.
+
+
+
+
+ 'nomd5' when true this behavior means, don't verify the file md5 attribute.
+
+
+
+
+ 'nosize' when true this behavior means, don't verify the file size attribute.
+
+
+
+
+ 'nouser' when true this behavior means, don't verify the file owner attribute.
+
+
+
+
+ 'nogroup' when true this behavior means, don't verify the file group owner attribute.
+
+
+
+
+ 'nomtime' when true this behavior means, don't verify the file mtime attribute.
+
+
+
+
+ 'nomode' when true this behavior means, don't verify the file mode attribute.
+
+
+
+
+ 'nordev' when true this behavior means, don't verify the file rdev attribute.
+
+
+
+
+ 'noconfigfiles' when true this behavior means, skip files that are marked with the %config attribute marker.
+
+
+
+
+ 'noghostfiles' when true this behavior means, skip files that are maked with %ghost attribute marker.
+
+
+
+
+
+
+
+
+ The rpmverifyfile_test is used to verify the integrity of the individual files in installed RPMs. This test aligns with the rpm -V command for verifying RPMs. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a rpmverifyfile_object and the optional state element specifies the data to check.
+
+
+ rpmverifyfile_test
+ rpmverifyfile_object
+ rpmverifyfile_state
+ rpmverifyfile_item
+
+
+
+
+
+ - the object child element of an rpmverifyfile_test must reference an rpmverifyfile_object
+
+
+ - the state child element of an rpmverifyfile_test must reference an rpmverifyfile_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The rpmverifyfile_object element is used by a rpmverifyfile_test to define a set of files within a set of RPMs to verify. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ This is the package name to check.
+
+
+
+
+ This is the epoch number of the RPM, this is used as a kludge for version-release comparisons where the vendor has done some kind of re-numbering or version forking. For a null epoch (or '(none)' as returned by rpm) the string '(none)' should be used.. This number is not revealed by a normal query of the RPM's information -- you must use a formatted rpm query command to gather this data from the command line, like so. For an already-installed RPM: rpm -q --qf '%{EPOCH}\n' installed_rpm For an RPM file that has not been installed: rpm -qp --qf '%{EPOCH}\n' rpm_file
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ This is the version number of the build. In the case of an apache rpm named httpd-2.0.40-21.11.4.i686.rpm, this value would be 2.0.40.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ This is the release number of the build, changed by the vendor/builder.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ This is the architecture for which the RPM was built, like : i386, ppc, sparc, noarch. In the case of an apache rpm named httpd-2.0.40-21.11.4.i686.rpm, this value would be i686.
+
+
+
+
+ The filepath element specifies the absolute path for a file or directory in the specified package.
+
+
+
+
+
+
+
+
+
+
+
+
+ The rpmverifyfile_state element defines the different information that can be used to determine if a set of files within a set of RPMs passed verification. This includes the architecture, epoch number, version numbers, and the verification of various file attributes. Most of this information can be obtained through the rpm function. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ This is the package name to check.
+
+
+
+
+ This is the epoch number of the RPM, this is used as a kludge for version-release comparisons where the vendor has done some kind of re-numbering or version forking. For a null epoch (or '(none)' as returned by rpm) the string '(none)' should be used.. This number is not revealed by a normal query of the RPM's information -- you must use a formatted rpm query command to gather this data from the command line, like so. For an already-installed RPM: rpm -q --qf '%{EPOCH}\n' installed_rpm For an RPM file that has not been installed: rpm -qp --qf '%{EPOCH}\n' rpm_file
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ This is the version number of the build. In the case of an apache rpm named httpd-2.0.40-21.11.4.i686.rpm, this value would be 2.0.40.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ This is the release number of the build, changed by the vendor/builder.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ This is the architecture for which the RPM was built, like : i386, ppc, sparc, noarch. In the case of an apache rpm named httpd-2.0.40-21.11.4.i686.rpm, this value would be i686.
+
+
+
+
+ The filepath element specifies the absolute path for a file or directory in the specified package.
+
+
+
+
+ This represents the name, epoch, version, release, and architecture fields as a single version string. It has the form "NAME-EPOCH:VERSION-RELEASE.ARCHITECTURE". Note that a null epoch (or '(none)' as returned by rpm) is equivalent to '0' and would hence have the form NAME-0:VERSION-RELEASE.ARCHITECTURE.
+
+
+
+
+ The size_differs entity aligns with the first character ('S' flag) in the character string in the output generated by running rpm –V on a specific file.
+
+
+
+
+ The mode_differs entity aligns with the second character ('M' flag) in the character string in the output generated by running rpm –V on a specific file.
+
+
+
+
+ The md5_differs entity aligns with the third character ('5' flag) in the character string in the output generated by running rpm –V on a specific file.
+
+
+ 5.11.1:1.1
+ Replaced by the filedigest_differs entity.
+ This entity has been deprecated and will be removed in version 6.0 of the language.
+
+
+
+
+
+
+ The filedigest_differs entity aligns with the third character ('5' flag) in the character string in the output generated by running rpm –V on a specific file. This replaces the md5_differs entity due to naming changes for verification and reporting options.
+
+
+
+
+ The device_differs entity aligns with the fourth character ('D' flag) in the character string in the output generated by running rpm –V on a specific file.
+
+
+
+
+ The link_mismatch entity aligns with the fifth character ('L' flag) in the character string in the output generated by running rpm –V on a specific file.
+
+
+
+
+ The ownership_differs entity aligns with the sixth character ('U' flag) in the character string in the output generated by running rpm –V on a specific file.
+
+
+
+
+ The group_differs entity aligns with the seventh character ('U' flag) in the character string in the output generated by running rpm –V on a specific file.
+
+
+
+
+ The mtime_differs entity aligns with the eighth character ('T' flag) in the character string in the output generated by running rpm –V on a specific file.
+
+
+
+
+ The size_differs entity aligns with the ninth character ('P' flag) in the character string in the output generated by running rpm –V on a specific file.
+
+
+
+
+ The configuration_file entity represents the configuration file attribute marker that may be present on a file.
+
+
+
+
+ The documentation_file entity represents the documenation file attribute marker that may be present on a file.
+
+
+
+
+ The ghost_file entity represents the ghost file attribute marker that may be present on a file.
+
+
+
+
+ The license_file entity represents the license file attribute marker that may be present on a file.
+
+
+
+
+ The readme_file entity represents the readme file attribute marker that may be present on a file.
+
+
+
+
+
+
+
+
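Review bot: the two flag errors from the deprecated rpmverify_state are carried into rpmverifyfile_state, which is the replacement and therefore where the fix matters: group_differs is again described as the seventh character with a 'U' flag (rpm -V reports group differences with 'G' in that position), and the ninth-character 'P' entity is again named size_differs, colliding with the first entity. Fixing the wrong-flag text without also giving the ninth entity a distinct name would leave content authors unable to express a capabilities mismatch. The "documenation" typo in documentation_file recurs here as well.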
+
+ The RpmVerifyFileBehaviors complex type defines a set of behaviors that for controlling how the individual files in installed rpms are verified. These behaviors align with the verify-options of the rpm command with the addition of two behaviors that will indicate that a file with a given attribute marker should not be collected.
+
+
+
+ 'nolinkto' when true this behavior means, don't verify symbolic links attribute.
+
+
+
+
+ 'nomd5' when true this behavior means, don't verify the file md5 attribute.
+
+
+ 5.11.1:1.1
+ Replaced by the nofiledigest RpmVerifyFileBehaviors option.
+ This Behavior has been deprecated and will be removed in version 6.0 of the language.
+
+
+
+
+
+
+ 'nosize' when true this behavior means, don't verify the file size attribute.
+
+
+
+
+ 'nouser' when true this behavior means, don't verify the file owner attribute.
+
+
+
+
+ 'nogroup' when true this behavior means, don't verify the file group owner attribute.
+
+
+
+
+ 'nomtime' when true this behavior means, don't verify the file mtime attribute.
+
+
+
+
+ 'nomode' when true this behavior means, don't verify the file mode attribute.
+
+
+
+
+ 'nordev' when true this behavior means, don't verify the file rdev attribute.
+
+
+
+
+ 'noconfigfiles' when true this behavior means, skip files that are marked with the %config attribute marker.
+
+
+
+
+ 'noghostfiles' when true this behavior means, skip files that are maked with %ghost attribute marker.
+
+
+
+
+ 'nofiledigest' when true this behavior means, don't verify the file digest attribute.
+
+
+
+
+ 'nocaps' when true this behavior means, don't verify the presence of file capabilities.
+
+
+
+
+
+
+
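Review bot: the RpmVerifyFileBehaviors introduction has a grammar slip, "a set of behaviors that for controlling how the individual files in installed rpms are verified"; drop "that" (the same sentence appears in the deprecated RpmVerifyBehaviors above). Typo "maked" in the noghostfiles behavior, in both the RpmVerifyBehaviors and RpmVerifyFileBehaviors copies. Style: every behavior reads "'nolinkto' when true this behavior means, don't verify symbolic links attribute." with the comma in an odd place; a consistent form such as "'nolinkto': when true, do not verify the symbolic link attribute." would read more cleanly across all of them.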
+
+ The rpmverifypackage_test is used to verify the integrity of installed RPMs. This test aligns with the rpm -V command for verifying RPMs. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a rpmverifypackage_object and the optional state element specifies the data to check.
+
+
+ rpmverifypackage_test
+ rpmverifypackage_object
+ rpmverifypackage_state
+ rpmverifypackage_item
+
+
+
+
+
+ - the object child element of an rpmverifypackage_test must reference an rpmverifypackage_object
+
+
+ - the state child element of an rpmverifypackage_test must reference an rpmverifypackage_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The rpmverifypackage_object element is used by a rpmverify_test to define a set of RPMs to verify. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ This is the package name to check.
+
+
+
+
+ This is the epoch number of the RPM, this is used as a kludge for version-release comparisons where the vendor has done some kind of re-numbering or version forking. For a null epoch (or '(none)' as returned by rpm) the string '(none)' should be used.. This number is not revealed by a normal query of the RPM's information -- you must use a formatted rpm query command to gather this data from the command line, like so. For an already-installed RPM: rpm -q --qf '%{EPOCH}\n' installed_rpm For an RPM file that has not been installed: rpm -qp --qf '%{EPOCH}\n' rpm_file
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ This is the version number of the build. In the case of an apache rpm named httpd-2.0.40-21.11.4.i686.rpm, this value would be 2.0.40.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ This is the release number of the build, changed by the vendor/builder.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ This is the architecture for which the RPM was built, like : i386, ppc, sparc, noarch. In the case of an apache rpm named httpd-2.0.40-21.11.4.i686.rpm, this value would be i686.
+
+
+
+
+
+
+
+
+
+
+
+
+ The rpmverifypackage_state element defines the different information that can be used to verify the integrity of installed rpms. This includes the architecture, epoch number, version numbers, verification of variuos attributes of an rpm. Most of this information can be obtained through the rpm function. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ This is the package name to check.
+
+
+
+
+ This is the epoch number of the RPM, this is used as a kludge for version-release comparisons where the vendor has done some kind of re-numbering or version forking. For a null epoch (or '(none)' as returned by rpm) the string '(none)' should be used.. This number is not revealed by a normal query of the RPM's information -- you must use a formatted rpm query command to gather this data from the command line, like so. For an already-installed RPM: rpm -q --qf '%{EPOCH}\n' installed_rpm For an RPM file that has not been installed: rpm -qp --qf '%{EPOCH}\n' rpm_file
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ This is the version number of the build. In the case of an apache rpm named httpd-2.0.40-21.11.4.i686.rpm, this value would be 2.0.40.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ This is the release number of the build, changed by the vendor/builder.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ This is the architecture for which the RPM was built, like : i386, ppc, sparc, noarch. In the case of an apache rpm named httpd-2.0.40-21.11.4.i686.rpm, this value would be i686.
+
+
+
+
+ This represents the name, epoch, version, release, and architecture fields as a single version string. It has the form "NAME-EPOCH:VERSION-RELEASE.ARCHITECTURE". Note that a null epoch (or '(none)' as returned by rpm) is equivalent to '0' and would hence have the form NAME-0:VERSION-RELEASE.ARCHITECTURE.
+
+
+
+
+ The dependency_check_passed entity indicates whether or not the dependency check passed. If the dependency check is not performed, due to the 'nodeps' behavior, this entity must not be collected.
+
+
+
+
+ The digest_check_passed entity indicates whether or not the verification of the package or header digests passed. If the digest check is not performed, due to the 'nodigest' behavior, this entity must not be collected.
+
+
+ 5.11
+ The digest_check_passed entity can not be collected as implemented, and has become irrelevant.
+ This entity has been deprecated and will be removed in version 6.0 of the language.
+
+
+
+ DEPRECATED ELEMENT: ID:
+
+
+
+
+
+
+
+ The verification_script_successful entity indicates whether or not the verification script executed successfully. If the verification script is not executed, due to the 'noscripts' behavior, this entity must not be collected.
+
+
+
+
+ The signature_check_passed entity indicates whether or not the verification of the package or header signatures passed. If the signature check is not performed, due to the 'nosignature' behavior, this entity must not be collected.
+
+
+ 5.11
+ The signature_check_passed entity can not be collected as implemented, and has become irrelevant.
+ This entity has been deprecated and will be removed in version 6.0 of the language.
+
+
+
+ DEPRECATED ELEMENT: ID:
+
+
+
+
+
+
+
+
+
+
+
+
+ The RpmVerifyPackageBehaviors complex type defines a set of behaviors that for controlling how installed rpms are verified. These behaviors align with the verify-options of the rpm command.
+
+
+
+ 'nodeps' when true this behavior means, don't verify dependencies of packages.
+
+
+
+
+ 'nodigest' when true this behavior means, don't verify package or header digests when reading.
+
+
+ 5.11
+ The nodigest behavior has become irrelevant since the element it impacts has been deprecated.
+ This test has been deprecated and will be removed in version 6.0 of the language.
+
+
+
+ DEPRECATED BEHAVIOR: ID:
+
+
+
+
+
+
+
+ 'noscripts' when true this behavior means, don't execute the %verifyscript scriptlet (if any).
+
+
+
+
+ 'nosignature' when true this behavior means, don't verify package or header signatures when reading.
+
+
+ 5.11
+ The nosignature behavior has become irrelevant since the element it impacts has been deprecated.
+ This test has been deprecated and will be removed in version 6.0 of the language.
+
+
+
+ DEPRECATED BEHAVIOR: ID:
+
+
+
+
+
+
+
+
+
+
+
+ The selinuxboolean_test is used to check the current and pending status of a SELinux boolean. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a selinuxboolean_object and the optional state element references a selinuxboolean_state that specifies the metadata to check.
+
+
+ selinuxboolean_test
+ selinuxboolean_object
+ selinuxboolean_state
+ selinuxboolean_item
+
+
+
+
+
+ - the object child element of an selinuxboolean_test must reference an selinuxboolean_object
+
+
+ - the state child element of an selinuxboolean_test must reference an selinuxboolean_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The selinuxboolean_object element is used by an selinuxboolean_test to define the items to evaluate based on a specified state.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The name of the SELinux boolean.
+
+
+
+
+
+
+
+
+
+
+
+
+ The selinuxboolean_state element defines the different information that can be used to evaluate the specified SELinux boolean. This includes SELinux boolean's current and pending status. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ The name of the SELinux boolean.
+
+
+
+
+ The current_status entity represents the current state of the specified SELinux boolean.
+
+
+
+
+ The pending_status entity represents the pending state of the specified SELinux boolean.
+
+
+
+
+
+
+
+
+
+
+
+
+ The selinuxsecuritycontext_test is used to check the security context of a file or process on the local system. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a selinuxsecuritycontext_object and the optional state element references a selinuxsecuritycontext_state that specifies the metadata to check.
+
+
+ selinuxsecuritycontext_test
+ selinuxsecuritycontext_object
+ selinuxsecuritycontext_state
+ selinuxsecuritycontext_item
+
+
+
+
+
+ - the object child element of an selinuxsecuritycontext_test must reference an selinuxsecuritycontext_object
+
+
+ - the state child element of an selinuxsecuritycontext_test must reference an selinuxsecuritycontext_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The selinuxsecuritycontext_object element is used by an selinuxsecuritycontext_test to define the security contexts of files and processes to collect from the local system. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The filepath element specifies the absolute path for a file on the machine. A directory cannot be specified as a filepath.
+
+
+
+ - the max_depth, recurse, and recurse_direction behaviors are not allowed with a filepath entity
+
+
+
+
+ - the recurse_file_system behavior MUST not be set to 'defined' when a pattern match is used with a filepath entity.
+
+
+
+
+
+
+
+
+ The path element specifies the directory component of the absolute path to a file on the machine.
+
+
+
+ - the recurse_file_system behavior MUST not be set to 'defined' when a pattern match is used with a path entity.
+ - the max_depth behavior MUST not be used when a pattern match is used with a path entity.
+ - the recurse_direction behavior MUST not be used when a pattern match is used with a path entity.
+ - the recurse behavior MUST not be used when a pattern match is used with a path entity.
+
+
+
+
+
+
+
+ The filename element specifies the name of a file to evaluate. If the xsi:nil attribute is set to true, then the object being specified is the higher level directory object (not all the files in the directory). In this case, the filename element should not be used during collection and would result in the unique set of items being the directories themselves. For example, one would set xsi:nil to true if the desire was to test the attributes or permissions associated with a directory. Setting xsi:nil equal to true is different than using a .* pattern match, which says to collect every file under a given path.
+
+
+
+ - filename entity cannot be empty unless the xsi:nil attribute is set to true or a var_ref is used
+
+
+
+
+
+
+
+
+ The pid entity is the process ID of the process. If the xsi:nil attribute is set to true, the process ID shall be the tool's running process.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The selinuxsecuritycontext_state element defines the different information that can be used to evaluate the specified SELinux security context. This includes SELinux security context's user, type role, low sensitivity, low category, high sensitivity, high category, raw low sensitivity, raw low category, raw high sensitivity, and raw high category. This state follows the SELinux security context structure: user:role:type:low_sensitivity[:low_category]- high_sensitivity [:high_category]. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ The filepath element specifies the absolute path for a file on the machine. A directory cannot be specified as a filepath.
+
+
+
+
+ The path element specifies the directory component of the absolute path to a file on the machine.
+
+
+
+
+ The name of the file. If the xsi:nil attribute is set to true, then the item being represented is the higher directory represented by the path entity.
+
+
+
+
+ This is the process ID of the process.
+
+
+
+
+ The user element specifies the SELinux user that either created the file or started the process.
+
+
+
+
+ The role element specifies the types that a process may transition to (domain transitions). Note that this entity is not relevant for files and will always have a value of object_r.
+
+
+
+
+ The type element specifies the domain in which the file is accessible or the domain in which a process executes.
+
+
+
+
+ The low_sensitivity element specifies the current sensitivity of a file or process.
+
+
+
+
+ The low_category element specifies the set of categories associated with the low sensitivity.
+
+
+
+
+ The high_sensitivity element specifies the maximum range for a file or the clearance for a process.
+
+
+
+
+ The high_category element specifies the set of categories associated with the high sensitivity.
+
+
+
+
+ The rawlow_sensitivity element specifies the current sensitivity of a file or process but in its raw context.
+
+
+
+
+ The rawlow_category element specifies the set of categories associated with the low sensitivity but in its raw context.
+
+
+
+
+ The rawhigh_sensitivity element specifies the maximum range for a file or the clearance for a process but in its raw context.
+
+
+
+
+ The rawhigh_category element specifies the set of categories associated with the high sensitivity but in its raw context.
+
+
+
+
+
+
+
+
+
+
+
+
+ The slackware package info test is used to check information associated with a given Slackware package. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a slackwarepkginfo_object and the optional state element specifies the data to check.
+
+
+ slackwarepkginfo_test
+ slackwarepkginfo_object
+ slackwarepkginfo_state
+ slackwarepkginfo_item
+
+
+
+
+
+ - the object child element of an slackwarepkginfo_test must reference an slackwarepkginfo_object
+
+
+ - the state child element of an slackwarepkginfo_test must reference an slackwarepkginfo_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The slackwarepkginfo_object element is used by a slackware package info test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+ A slackware package info object consists of a single name entity that identifies the package being checked.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ This is the package name to check.
+
+
+
+
+
+
+
+
+
+
+
+
+ The slackwarepkginfo_state element defines the different information that can be used to evaluate the specified package. This includes the version, architecture, and revision. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ This is the package name to check.
+
+
+
+
+ This is the version number of the package.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The systemdunitdependency_test is used to retrieve information about dependencies of a single systemd unit in the form of a list. This list contains all dependencies, including transitive dependencies. For more information see the output generated by systemctl list-dependencies --plain $unit. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a systemdunitdependency_object and the optional state element specifies the data to check.
+
+
+ systemdunitdependency_test
+ systemdunitdependency_object
+ systemdunitdependency_state
+ systemdunitdependency_item
+
+
+
+
+
+ - the object child element of a systemdunitdependency_test must reference a systemdunitdependency_object
+
+
+ - the state child element of a systemdunitdependency_test must reference a systemdunitdependency_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The systemdunitdependency_object element is used by a systemdunitdependency_test to define the specific units to check the dependencies of. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The unit entity refers to the full systemd unit name, which has a form of "$name.$type". For example "cupsd.service". This name is usually also the filename of the unit configuration file located in the /etc/systemd/ and /usr/lib/systemd/ directories.
+
+
+
+
+
+
+
+
+
+
+
+
+ The systemdunitdependency_state element holds dependencies of a specific systemd unit. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ The unit entity refers to the full systemd unit name, which has a form of "$name.$type". For example "cupsd.service". This name is usually also the filename of the unit configuration file located in the /etc/systemd/ and /usr/lib/systemd/ directories.
+
+
+
+
+ The dependency entity refers to the name of a unit that was confirmed to be a dependency of the given unit.
+
+
+
+
+
+
+
+
+
+
+
+
+ The systemdunitproperty_test is used to retrieve information about systemd units in form of properties. For more information see the output generated by systemctl show $unit. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a systemdunitproperty_object and the optional state element specifies the data to check.
+
+
+ systemdunitproperty_test
+ systemdunitproperty_object
+ systemdunitproperty_state
+ systemdunitproperty_item
+
+
+
+
+
+ - the object child element of a systemdunitproperty_test must reference a systemdunitproperty_object
+
+
+ - the state child element of a systemdunitproperty_test must reference a systemdunitproperty_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The systemdunitproperty_object element is used by a systemdunitproperty_test to define the specific unit and property combination to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The unit entity refers to the full systemd unit name, which has a form of "$name.$type". For example "cupsd.service". This name is usually also the filename of the unit configuration file located in the /etc/systemd/ and /usr/lib/systemd/ directories.
+
+
+
+
+ The property entity refers to the systemd unit property that we are interested in.
+
+
+
+
+
+
+
+
+
+
+
+
+ The systemdunitproperty_state element holds information about properties of a specific systemd unit. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ The unit entity refers to the full systemd unit name, which has a form of "$name.$type". For example "cupsd.service". This name is usually also the filename of the unit configuration file located in the /etc/systemd/ and /usr/lib/systemd/ directories.
+
+
+
+
+ The name of the property associated with a systemd unit.
+
+
+
+
+ The value of the property associated with a systemd unit.
+
+
+
+
+
+
+
+
+
+
+
+
+ The FileBehaviors complex type defines a number of behaviors that allow a more detailed definition of a set of files or file related items to collect. Note that using these behaviors may result in some unique results. For example, a double negative type condition might be created where an object entity says include everything except a specific item, but a behavior is used that might then add that item back in.
+ It is important to note that the 'max_depth' and 'recurse_direction' attributes of the 'behaviors' element do not apply to the 'filepath' element, only to the 'path' and 'filename' elements. This is because the 'filepath' element represents an absolute path to a particular file and it is not possible to recurse over a file.
+
+
+
+ 'max_depth' defines the maximum depth of recursion to perform when a recurse_direction is specified. A value of '0' is equivalent to no recursion, '1' means to step only one directory level up/down, and so on. The default value is '-1' meaning no limitation. For a 'max_depth' of -1 or any value of 1 or more the starting directory must be considered in the recursive search.
+ Note that the default recurse_direction behavior is 'none' so even though max_depth specifies no limitation by default, the recurse_direction behavior turns recursion off.
+ Note that this behavior only applies with the equality operation on the path entity.
+
+
+
+
+
+
+
+
+
+
+ 'recurse' defines how to recurse into the path entity, in other words what to follow during recursion. Options include symlinks, directories, or both. Note that a max-depth other than 0 has to be specified for recursion to take place and for this attribute to mean anything. Also note that this behavior does not apply to Windows systems since they do not support symbolic links. On Windows systems the 'recurse' behavior is always equivalent to directories.
+ Note that this behavior only applies with the equality operation on the path entity.
+
+
+
+
+
+
+
+
+
+
+
+ 'recurse_direction' defines the direction to recurse, either 'up' to parent directories, or 'down' into child directories. The default value is 'none' for no recursion.
+ Note that this behavior only applies with the equality operation on the path entity.
+
+
+
+
+
+
+
+
+
+
+
+ 'recurse_file_system' defines the file system limitation of any searching and applies to all operations as specified on the path or filepath entity. The value of 'local' limits the search scope to local file systems (as opposed to file systems mounted from an external system). The value of 'defined' keeps any recursion within the file system that the file_object (path+filename or filepath) has specified. For example, if the path specified was "/", you would search only the filesystem mounted there, not other filesystems mounted to descendant paths. The value of 'defined' only applies when an equality operation is used for searching because the path or filepath entity must explicitly define a file system. The default value is 'all' meaning to search all available file systems for data collection.
+ Note that in most cases it is recommended that the value of 'local' be used to ensure that file system searching is limited to only the local file systems. Searching 'all' file systems may have performance implications.
+
+
+
+
+
+
+
+
+
+
+
+
+ The EntityStateRpmVerifyResultType complex type restricts a string value to the set of possible outcomes of checking an attribute of a file included in an RPM against the actual value of that attribute in the RPM database. The empty string is also allowed to support the empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+
+
+
+
+ 'pass' indicates that the test passed and is equivalent to the '.' value reported by the rpm -V command.
+
+
+
+
+ 'fail' indicates that the test failed and is equivalent to a bold charcter in the test result string reported by the rpm -V command.
+
+
+
+
+ 'not performed' indicates that the test could not be performed and is equivalent to the '?' value reported by the rpm -V command.
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityStateProtocolType complex type restricts a string value to the set of physical layer protocols used by AF_PACKET sockets. The empty string is also allowed to support the empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+
+
+
+
+ Ethernet loopback packet.
+
+
+
+
+ Xerox PUP packet.
+
+
+
+
+ Xerox PUP Address Transport packet.
+
+
+
+
+ Internet protocol packet.
+
+
+
+
+ CCITT X.25 packet.
+
+
+
+
+ Address resolution packet.
+
+
+
+
+ G8BPQ AX.25 ethernet packet.
+
+
+
+
+ Xerox IEEE802.3 PUP packet.
+
+
+
+
+ Xerox IEEE802.3 PUP address transport packet.
+
+
+
+
+ DEC assigned protocol.
+
+
+
+
+ DEC DNA Dump/Load.
+
+
+
+
+ DEC DNA Remote Console.
+
+
+
+
+ DEC DNA Routing.
+
+
+
+
+ DEC LAT.
+
+
+
+
+ DEC Diagnostics.
+
+
+
+
+ DEC Customer use.
+
+
+
+
+ DEC Systems Comms Arch.
+
+
+
+
+ Reverse address resolution packet.
+
+
+
+
+ Appletalk DDP.
+
+
+
+
+ Appletalk AARP.
+
+
+
+
+ 802.1Q VLAN Extended Header.
+
+
+
+
+ IPX over DIX.
+
+
+
+
+ IPv6 over bluebook.
+
+
+
+
+ Slow Protocol. See 802.3ad 43B.
+
+
+
+
+ Web-cache coordination protocol.
+
+
+
+
+ PPPoE discovery messages.
+
+
+
+
+ PPPoE session messages.
+
+
+
+
+ MPLS Unicast traffic.
+
+
+
+
+ MPLS Multicast traffic.
+
+
+
+
+ MultiProtocol Over ATM.
+
+
+
+
+ Frame-based ATM Transport over Ethernet.
+
+
+
+
+ ATA over Ethernet.
+
+
+
+
+ TIPC.
+
+
+
+
+ Dummy type for 802.3 frames.
+
+
+
+
+ Dummy protocol id for AX.25.
+
+
+
+
+ Every packet.
+
+
+
+
+ 802.2 frames.
+
+
+
+
+ Internal only.
+
+
+
+
+ DEC DDCMP: Internal only
+
+
+
+
+ Dummy type for WAN PPP frames.
+
+
+
+
+ Dummy type for PPP MP frames.
+
+
+
+
+ Dummy type for Atalk over PPP.
+
+
+
+
+ Localtalk pseudo type.
+
+
+
+
+ 802.2 frames.
+
+
+
+
+ Mobitex.
+
+
+
+
+ Card specific control frames.
+
+
+
+
+ Linux-IrDA.
+
+
+
+
+ Acorn Econet.
+
+
+
+
+ HDLC frames.
+
+
+
+
+ 1A for ArcNet.
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
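Review bot: The rpmverifypackage_object description references the wrong test name; "The rpmverifypackage_object element is used by a rpmverify_test to define a set of RPMs to verify" should read "used by a rpmverifypackage_test", matching the test/object/state/item names listed above it. In the RpmVerifyPackageBehaviors deprecation blocks for 'nodigest' and 'nosignature', the second sentence says "This test has been deprecated and will be removed in version 6.0 of the language." but the deprecated thing is a behavior, not a test; the digest_check_passed and signature_check_passed entity blocks use the correct form "This entity has been deprecated", so these two should say "This behavior has been deprecated". The selinuxsecuritycontext_state description lists the fields as "user, type role, low sensitivity, ..." while the structure it then gives is user:role:type:..., so it should read "user, role, type". Documentation typos worth fixing in the same pass: "maked" (noghostfiles), "variuos" (rpmverifypackage_state), "charcter" (EntityStateRpmVerifyResultType 'fail'), and the doubled period in "the string '(none)' should be used.." in both epoch descriptions. The FileBehaviors 'recurse' note that Windows "does not support symbolic links" is out of place in a Linux-only schema and could be dropped or reworded.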
diff --git a/oval-schemas/linux-system-characteristics-schema.xsd b/oval-schemas/linux-system-characteristics-schema.xsd
new file mode 100644
index 0000000..a7625b9
--- /dev/null
+++ b/oval-schemas/linux-system-characteristics-schema.xsd
@@ -0,0 +1,1406 @@
+
+
+
+
+
+ The following is a description of the elements, types, and attributes that compose the Linux specific system characteristic items found in Open Vulnerability and Assessment Language (OVAL). Each item is an extension of the standard item element defined in the Core System Characteristic Schema. Through extension, each item inherits a set of elements and attributes that are shared amongst all OVAL Items. Each item is described in detail and should provide the information necessary to understand what each element and attribute represents. This document is intended for developers and assumes some familiarity with XML. A high level description of the interaction between the different tests and their relationship to the Core System Characteristic Schema is not outlined here.
+ The OVAL Schema is maintained by the OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.cisecurity.org.
+
+ Linux System Characteristics
+ 5.11.1:1.2
+ 11/30/2016 09:00:00 AM
+ Copyright (c) 2016, Center for Internet Security. All rights reserved. The contents of this file are subject to the terms of the OVAL License located at https://oval.cisecurity.org/terms. See the OVAL License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the OVAL Schema, this license header must be included.
+
+
+
+
+
+
+
+
+
+
+ The AppArmor Status Item displays various information about the current AppArmor policy. This item maps the counts of profiles and processes as per the results of the "apparmor_status" or "aa-status" command. Each item extends the standard ItemType as defined in the oval-system-characteristics-schema and one should refer to the ItemType description for more information.
+
+
+
+
+
+
+
+ Displays the number of loaded profiles
+
+
+
+
+ Displays the number of profiles in enforce mode
+
+
+
+
+ Displays the number of profiles in complain mode
+
+
+
+
+ Displays the number of processes which have profiles defined
+
+
+
+
+ Displays the number of processes in enforce mode
+
+
+
+
+ Displays the number of processes in complain mode
+
+
+
+
+ Displays the number of processes which are unconfined but have a profile defined
+
+
+
+
+
+
+
+
+
+
+
+
+ This item stores DPKG package info.
+
+
+
+
+
+
+
+ This is the pakage name to check.
+
+
+
+
+ This is the architecture for which the DPKG was built, like : i386, ppc, sparc, noarch.
+
+
+
+
+ This is the epoch number of the DPKG. For a null epoch (or '(none)' as returned by dpkg) the string '(none)' should be used.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ This is the release number of the build.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ This is the version number of the build, changed by the vendor/builder.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ This type represents the epoch, upstream_version, and debian_revision fields, for a Debian package, as a single version string. It has the form "EPOCH:UPSTREAM_VERSION-DEBIAN_REVISION". Note that a null epoch (or '(none)' as returned by dpkg) is equivalent to '0' and would hence have the form 0:UPSTREAM_VERSION-DEBIAN_REVISION.
+
+
+
+ Warning: There are differences in the algorithms for how the version strings of Debian and RPM packages are compared. As a result, a new debian_evr_string datatype was added to the OVAL Language and should be used, for this entity, instead of the evr_string datatype.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ An iflisteners_item stores the results of checking for applications that are bound to an interface on the system. Only applications that are bound to an ethernet interface should be collected.
+
+
+
+
+
+
+
+ This is the name of the interface (eth0, eth1, fw0, etc.).
+
+
+
+
+ This is the physical layer protocol used by the AF_PACKET socket.
+
+
+
+
+ This is the hardware address associated with the interface.
+
+
+
+
+ This is the name of the communicating program.
+
+
+
+
+ This is the process ID of the process. The process in question is that of the program communicating on the network.
+
+
+
+
+ The numeric user id, or uid, is the third column of each user's entry in /etc/passwd. It represents the owner, and thus privilege level, of the specified program.
+
+
+
+
+
+
+
+
+
+
+
+
+ An inet listening server item stores the results of checking for network servers currently active on a system. It holds information pertaining to a specific protocol-address-port combination.
+
+
+
+
+
+
+
+ This is the transport-layer protocol, in lowercase: tcp or udp.
+
+
+
+
+ This is the IP address associated with the inet listening server. Note that the IP address can be IPv4 or IPv6.
+
+
+
+
+ This is the TCP or UDP port on which the program listens.
+
+
+
+
+ This is the IP address and network port on which the program listens, equivalent to local_address:local_port. Note that the IP address can be IPv4 or IPv6.
+
+
+
+
+ This is the name of the communicating program.
+
+
+
+
+ This is the IP address with which the program is communicating, or with which it will communicate, in the case of a listening server. Note that the IP address can be IPv4 or IPv6.
+
+
+
+
+ This is the TCP or UDP port to which the program communicates. In the case of a listening program accepting new connections, this value will be 0.
+
+
+
+
+ This is the IP address and network port to which the program is communicating or will accept communications from, equivalent to foreign_address:foreign_port. Note that the IP address can be IPv4 or IPv6.
+
+
+
+
+ This is the process ID of the process. The process in question is that of the program communicating on the network.
+
+
+
+
+ The numeric user id, or uid, is the third column of each user's entry in /etc/passwd. It represents the owner, and thus privilege level, of the specified program.
+
+
+
+
+
+
+
+
+
+
+
+
+ The partition_item stores information about a partition on the local system.
+
+
+
+
+
+
+
+ The mount_point element contains a string that represents the mount point of a partition on the local system.
+
+
+
+
+ The device element contains a string that represents the name of the device.
+
+
+
+
+ The uuid element contains a string that represents the universally unique identifier associated with a partition.
+
+
+
+
+ The fs_type element contains a string that represents the type of filesystem on a partition.
+
+
+
+
+ The mount_options element contains a string that represents a mount option associated with a partition on the local system.
+ Implementation note: not all mount options are visible in /etc/mtab or /proc/mounts. A complete source of additional mount options is the f_flag field of 'struct statvfs'. See statvfs(2). /etc/fstab may have additional mount options, but it need not contain all mounted filesystems, so it MUST NOT be relied upon. Implementers MUST be sure to get all mount options in some way.
+
+
+
+
+ The total_space element contains an integer that represents the total number of physical blocks on a partition.
+
+
+
+
+ The space_used element contains an integer that represents the number of physical blocks used on a partition.
+
+
+
+
+ The space_left element contains an integer that represents the number of physical blocks left on a partition available to be used by privileged users.
+
+
+
+
+ The space_left_for_unprivileged_users element contains an integer that represents the number of physical blocks remaining on a partition that are available to be used by unprivileged users.
+
+
+
+
+ The block_size element contains an integer representing the actual byte size of each physical block on the partition's block device. This is the same block size used to compute the total_space, space_used, and space_left.
+
+
+
+
+
+
+
+
+
+
+
+
+ This item stores rpm info.
+
+
+
+
+
+
+
+ This is the pakage name to check.
+
+
+
+
+ This is the architecture for which the RPM was built, like : i386, ppc, sparc, noarch. In the case of an apache rpm named httpd-2.0.40-21.11.4.i686.rpm, this value would be i686.
+
+
+
+
+ This is the epoch number of the RPM, this is used as a kludge for version-release comparisons where the vendor has done some kind of re-numbering or version forking. For a null epoch (or '(none)' as returned by rpm) the string '(none)' should be used. This number is not revealed by a normal query of the RPM's information -- you must use a formatted rpm query command to gather this data from the command line, like so. For an already-installed RPM: rpm -q --qf '%{EPOCH}\n' installed_rpm For an RPM file that has not been installed: rpm -qp --qf '%{EPOCH}\n' rpm_file
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ This is the release number of the build.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ This is the version number of the build, changed by the vendor/builder. In the case of an apache rpm named httpd-2.0.40-21.11.4.i686.rpm, this value would be 2.0.40.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ This represents the epoch, version, and release fields as a single version string. It has the form "EPOCH:VERSION-RELEASE". Note that a null epoch (or '(none)' as returned by rpm) is equivalent to '0' and would hence have the form 0:VERSION-RELEASE.
+
+
+
+
+ This field contains the PGP key ID that the RPM issuer (generally the original operating system vendor) uses to sign the key. PGP is used to verify the authenticity and integrity of the RPM being considered. Software packages and patches are signed cryptographically to allow administrators to allay concerns that the distribution mechanism has been compromised, whether that mechanism is web site, FTP server, or even a mirror controlled by a hostile party. OVAL uses this field most of all to confirm that the package installed on the system is that shipped by the vendor, since comparing package version numbers against patch announcements is only programmatically valid if the installed package is known to contain the patched code.
+
+
+
+
+ This represents the name, epoch, version, release, and architecture fields as a single version string. It has the form "NAME-EPOCH:VERSION-RELEASE.ARCHITECTURE". Note that a null epoch (or '(none)' as returned by rpm) is equivalent to '0' and would hence have the form NAME-0:VERSION-RELEASE.ARCHITECTURE. The 'gpg-pubkey' virtual package on RedHat and CentOS should use the string '(none)' for the architecture to construct the extended_name.
+
+
+
+
+ This field contains the absolute path of a file or directory included in the rpm.
+
+
+
+
+
+
+
+
+
+
+
+
+ This item stores rpm verification results similar to what is produced by the rpm -V command.
+
+
+ 5.10
+ Replaced by the rpmverifyfile_item and rpmverifypackage_item. The rpmverify_item was split into two items to distinguish between the verification of the files in an rpm and the verification of an rpm as a whole. By making this distinction, content authoring is simplified and information is no longer duplicated across items. See the rpmverifyfile_item and rpmverifypackage_item.
+ This state has been deprecated and will be removed in version 6.0 of the language.
+
+
+
+ DEPRECATED ITEM: ID:
+
+
+
+
+
+
+
+
+
+
+ This is the package name to check.
+
+
+
+
+ The filepath element specifies the absolute path for a file or directory in the specified package.
+
+
+
+
+ The size_differs entity aligns with the first character ('S' flag) in the character string in the output generated by running rpm –V on a specific file.
+
+
+
+
+ The mode_differs entity aligns with the second character ('M' flag) in the character string in the output generated by running rpm –V on a specific file.
+
+
+
+
+ The md5_differs entity aligns with the third character ('5' flag) in the character string in the output generated by running rpm –V on a specific file.
+
+
+
+
+ The device_differs entity aligns with the fourth character ('D' flag) in the character string in the output generated by running rpm –V on a specific file.
+
+
+
+
+ The link_mismatch entity aligns with the fifth character ('L' flag) in the character string in the output generated by running rpm –V on a specific file.
+
+
+
+
+ The ownership_differs entity aligns with the sixth character ('U' flag) in the character string in the output generated by running rpm –V on a specific file.
+
+
+
+
+ The group_differs entity aligns with the seventh character ('U' flag) in the character string in the output generated by running rpm –V on a specific file.
+
+
+
+
+ The mtime_differs entity aligns with the eighth character ('T' flag) in the character string in the output generated by running rpm –V on a specific file.
+
+
+
+
+ The size_differs entity aligns with the ninth character ('P' flag) in the character string in the output generated by running rpm –V on a specific file.
+
+
+
+
+ The configuration_file entity represents the configuration file attribute marker that may be present on a file.
+
+
+
+
+ The documentation_file entity represents the documenation file attribute marker that may be present on a file.
+
+
+
+
+ The ghost_file entity represents the ghost file attribute marker that may be present on a file.
+
+
+
+
+ The license_file entity represents the license file attribute marker that may be present on a file.
+
+
+
+
+ The readme_file entity represents the readme file attribute marker that may be present on a file.
+
+
+
+
+
+
+
+
+
+
+
+
+ This item stores the verification results of the individual files in an rpm similar to what is produced by the rpm -V command.
+
+
+
+
+
+
+
+ This is the package name to check.
+
+
+
+
+ This is the epoch number of the RPM, this is used as a kludge for version-release comparisons where the vendor has done some kind of re-numbering or version forking. For a null epoch (or '(none)' as returned by rpm) the string '(none)' should be used.. This number is not revealed by a normal query of the RPM's information -- you must use a formatted rpm query command to gather this data from the command line, like so. For an already-installed RPM: rpm -q --qf '%{EPOCH}\n' installed_rpm For an RPM file that has not been installed: rpm -qp --qf '%{EPOCH}\n' rpm_file
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ This is the version number of the build. In the case of an apache rpm named httpd-2.0.40-21.11.4.i686.rpm, this value would be 2.0.40.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ This is the release number of the build, changed by the vendor/builder.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ This is the architecture for which the RPM was built, like : i386, ppc, sparc, noarch. In the case of an apache rpm named httpd-2.0.40-21.11.4.i686.rpm, this value would be i686.
+
+
+
+
+ The filepath element specifies the absolute path for a file or directory in the specified package.
+
+
+
+
+ This represents the name, epoch, version, release, and architecture fields as a single version string. It has the form "NAME-EPOCH:VERSION-RELEASE.ARCHITECTURE". Note that a null epoch (or '(none)' as returned by rpm) is equivalent to '0' and would hence have the form NAME-0:VERSION-RELEASE.ARCHITECTURE.
+
+
+
+
+ The size_differs entity aligns with the first character ('S' flag) in the character string in the output generated by running rpm –V on a specific file.
+
+
+
+
+ The mode_differs entity aligns with the second character ('M' flag) in the character string in the output generated by running rpm –V on a specific file.
+
+
+
+
+ The md5_differs entity aligns with the third character ('5' flag) in the character string in the output generated by running rpm –V on a specific file.
+
+
+ 5.11.1:1.1
+ Replaced by the filedigest_differs entity.
+ This entity has been deprecated and will be removed in version 6.0 of the language.
+
+
+
+
+
+
+ The filedigest_differs entity aligns with the third character ('5' flag) in the character string in the output generated by running rpm –V on a specific file. This replaces the md5_differs entity due to naming changes for verification and reporting options.
+
+
+
+
+ The device_differs entity aligns with the fourth character ('D' flag) in the character string in the output generated by running rpm –V on a specific file.
+
+
+
+
+ The link_mismatch entity aligns with the fifth character ('L' flag) in the character string in the output generated by running rpm –V on a specific file.
+
+
+
+
+ The ownership_differs entity aligns with the sixth character ('U' flag) in the character string in the output generated by running rpm –V on a specific file.
+
+
+
+
+ The group_differs entity aligns with the seventh character ('U' flag) in the character string in the output generated by running rpm –V on a specific file.
+
+
+
+
+ The mtime_differs entity aligns with the eighth character ('T' flag) in the character string in the output generated by running rpm –V on a specific file.
+
+
+
+
+ The size_differs entity aligns with the ninth character ('P' flag) in the character string in the output generated by running rpm –V on a specific file.
+
+
+
+
+ The configuration_file entity represents the configuration file attribute marker that may be present on a file.
+
+
+
+
+ The documentation_file entity represents the documenation file attribute marker that may be present on a file.
+
+
+
+
+ The ghost_file entity represents the ghost file attribute marker that may be present on a file.
+
+
+
+
+ The license_file entity represents the license file attribute marker that may be present on a file.
+
+
+
+
+ The readme_file entity represents the readme file attribute marker that may be present on a file.
+
+
+
+
+
+
+
+
+
+
+
+
+ This item stores the rpm verification results of an rpm similar to what is produced by the rpm -V command.
+
+
+
+
+
+
+
+ This is the package name to check.
+
+
+
+
+ This is the epoch number of the RPM, this is used as a kludge for version-release comparisons where the vendor has done some kind of re-numbering or version forking. For a null epoch (or '(none)' as returned by rpm) the string '(none)' should be used.. This number is not revealed by a normal query of the RPM's information -- you must use a formatted rpm query command to gather this data from the command line, like so. For an already-installed RPM: rpm -q --qf '%{EPOCH}\n' installed_rpm For an RPM file that has not been installed: rpm -qp --qf '%{EPOCH}\n' rpm_file
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ This is the version number of the build. In the case of an apache rpm named httpd-2.0.40-21.11.4.i686.rpm, this value would be 2.0.40.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ This is the release number of the build, changed by the vendor/builder.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ This is the architecture for which the RPM was built, like : i386, ppc, sparc, noarch. In the case of an apache rpm named httpd-2.0.40-21.11.4.i686.rpm, this value would be i686.
+
+
+
+
+ This represents the name, epoch, version, release, and architecture fields as a single version string. It has the form "NAME-EPOCH:VERSION-RELEASE.ARCHITECTURE". Note that a null epoch (or '(none)' as returned by rpm) is equivalent to '0' and would hence have the form NAME-0:VERSION-RELEASE.ARCHITECTURE.
+
+
+
+
+ The dependency_check_passed entity indicates whether or not the dependency check passed. If the dependency check is not performed, due to the 'nodeps' behavior, this entity must not be collected.
+
+
+
+
+ The digest_check_passed entity indicates whether or not the verification of the package or header digests passed. If the digest check is not performed, due to the 'nodigest' behavior, this entity must not be collected.
+
+
+ 5.11
+ The digest_check_passed item entity can not be collected as implemented, and has become irrelevant.
+ This item entity has been deprecated and will be removed in version 6.0 of the language.
+
+
+
+ DEPRECATED ELEMENT: ID:
+
+
+
+
+
+
+
+ The verification_script_successful entity indicates whether or not the verification script executed successfully. If the verification script is not executed, due to the 'noscripts' behavior, this entity must not be collected.
+
+
+
+
+ The signature_check_passed entity indicates whether or not the verification of the package or header signatures passed. If the signature check is not performed, due to the 'nosignature' behavior, this entity must not be collected.
+
+
+ 5.11
+ The signature_check_passed item entity can not be collected as implemented, and has become irrelevant.
+ This item entity has been deprecated and will be removed in version 6.0 of the language.
+
+
+
+ DEPRECATED ELEMENT: ID:
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ This item describes the current and pending status of a SELinux boolean. It extends the standard ItemType as defined in the oval-system-characteristics schema and one should refer to the ItemType description for more information.
+
+
+
+
+
+
+
+ The name of the SELinux boolean.
+
+
+
+
+ The current_status entity indicates current state of the specified SELinux boolean.
+
+
+
+
+ The pending_status entity indicates the pending state of the specified SELinux boolean.
+
+
+
+
+
+
+
+
+
+
+
+
+ This item describes the SELinux security context of a file or process on the local system. This item follows the SELinux security context structure: user:role:type:low_sensitivity[:low_category]- high_sensitivity [:high_category]. It extends the standard ItemType as defined in the oval-system-characteristics schema and one should refer to the ItemType description for more information.
+
+
+
+
+
+
+
+ The filepath element specifies the absolute path for a file on the machine. A directory cannot be specified as a filepath.
+
+
+
+
+ The path element specifies the directory component of the absolute path to a file on the machine.
+
+
+
+
+ The name of the file. If the xsi:nil attribute is set to true, then the item being represented is the higher directory represented by the path entity.
+
+
+
+
+ This is the process ID of the process.
+
+
+
+
+ The user element specifies the SELinux user that either created the file or started the process.
+
+
+
+
+ The role element specifies the types that a process may transition to (domain transitions). Note that this entity is not relevant for files and will always have a value of object_r.
+
+
+
+
+ The type element specifies the domain in which the file is accessible or the domain in which a process executes.
+
+
+
+
+ The low_sensitivity element specifies the current sensitivity of a file or process.
+
+
+
+
+ The low_category element specifies the set of categories associated with the low sensitivity.
+
+
+
+
+ The high_sensitivity element specifies the maximum range for a file or the clearance for a process.
+
+
+
+
+ The high_category element specifies the set of categories associated with the high sensitivity.
+
+
+
+
+ The rawlow_sensitivity element specifies the current sensitivity of a file or process but in its raw context.
+
+
+
+
+ The rawlow_category element specifies the set of categories associated with the low sensitivity but in its raw context.
+
+
+
+
+ The rawhigh_sensitivity element specifies the maximum range for a file or the clearance for a process but in its raw context.
+
+
+
+
+ The rawhigh_category element specifies the set of categories associated with the high sensitivity but in its raw context.
+
+
+
+
+
+
+
+
+
+
+
+
+ This item describes info related to Slackware packages. It extends the standard ItemType as defined in the oval-system-characteristics schema and one should refer to the ItemType description for more information.
+
+
+
+
+
+
+
+ This is the pakage name to check.
+
+
+
+
+ This is the version number of the pakage.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ This is the architecture the package is designed for.
+
+
+
+
+ This is the revision of the package.
+
+
+
+
+
+
+
+
+
+
+
+
+ This item stores the dependencies of the systemd unit. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ The unit entity refers to the full systemd unit name, which has a form of "$name.$type". For example "cupsd.service". This name is usually also the filename of the unit configuration file located in the /etc/systemd/ and /usr/lib/systemd/ directories.
+
+
+
+
+ The dependency entity refers to the name of a unit that was confirmed to be a dependency of the given unit.
+
+
+
+
+
+
+
+
+
+
+
+
+ This item stores the properties and values of a systemd unit.
+
+
+
+
+
+
+
+ The unit entity refers to the full systemd unit name, which has a form of "$name.$type". For example "cupsd.service". This name is usually also the filename of the unit configuration file located in the /etc/systemd/ and /usr/lib/systemd/ directories.
+
+
+
+
+ The name of the property associated with a systemd unit.
+
+
+
+
+ The value of the property associated with a systemd unit. Exactly one value shall be used for all property types except dbus arrays - each array element shall be represented by one value.
+
+
+
+
+
+
+
+
+
+
+
+
+ The EntityItemRpmVerifyResultType complex type restricts a string value to the set of possible outcomes of checking an attribute of a file included in an RPM against the actual value of that attribute in the RPM database. The empty string is also allowed to support empty elements associated with error conditions.
+
+
+
+
+
+ 'pass' indicates that the test passed and is equivalent to the '.' value reported by the rpm -V command.
+
+
+
+
+ 'fail' indicates that the test failed and is equivalent to a bold charcter in the test result string reported by the rpm -V command.
+
+
+
+
+ 'not performed' indicates that the test could not be performed and is equivalent to the '?' value reported by the rpm -V command.
+
+
+
+
+ The empty string value is permitted here to allow for detailed error reporting.
+
+
+
+
+
+
+
+ The EntityStateProtocolType complex type restricts a string value to the set of physical layer protocols used by AF_PACKET sockets. The empty string is also allowed to support the empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+
+
+
+
+ Ethernet loopback packet.
+
+
+
+
+ Xerox PUP packet.
+
+
+
+
+ Xerox PUP Address Transport packet.
+
+
+
+
+ Internet protocol packet.
+
+
+
+
+ CCITT X.25 packet.
+
+
+
+
+ Address resolution packet.
+
+
+
+
+ G8BPQ AX.25 ethernet packet.
+
+
+
+
+ Xerox IEEE802.3 PUP packet.
+
+
+
+
+ Xerox IEEE802.3 PUP address transport packet.
+
+
+
+
+ DEC assigned protocol.
+
+
+
+
+ DEC DNA Dump/Load.
+
+
+
+
+ DEC DNA Remote Console.
+
+
+
+
+ DEC DNA Routing.
+
+
+
+
+ DEC LAT.
+
+
+
+
+ DEC Diagnostics.
+
+
+
+
+ DEC Customer use.
+
+
+
+
+ DEC Systems Comms Arch.
+
+
+
+
+ Reverse address resolution packet.
+
+
+
+
+ Appletalk DDP.
+
+
+
+
+ Appletalk AARP.
+
+
+
+
+ 802.1Q VLAN Extended Header.
+
+
+
+
+ IPX over DIX.
+
+
+
+
+ IPv6 over bluebook.
+
+
+
+
+ Slow Protocol. See 802.3ad 43B.
+
+
+
+
+ Web-cache coordination protocol.
+
+
+
+
+ PPPoE discovery messages.
+
+
+
+
+ PPPoE session messages.
+
+
+
+
+ MPLS Unicast traffic.
+
+
+
+
+ MPLS Multicast traffic.
+
+
+
+
+ MultiProtocol Over ATM.
+
+
+
+
+ Frame-based ATM Transport over Ethernet.
+
+
+
+
+ ATA over Ethernet.
+
+
+
+
+ TIPC.
+
+
+
+
+ Dummy type for 802.3 frames.
+
+
+
+
+ Dummy protocol id for AX.25.
+
+
+
+
+ Every packet.
+
+
+
+
+ 802.2 frames.
+
+
+
+
+ Internal only.
+
+
+
+
+ DEC DDCMP: Internal only
+
+
+
+
+ Dummy type for WAN PPP frames.
+
+
+
+
+ Dummy type for PPP MP frames.
+
+
+
+
+ Dummy type for Atalk over PPP.
+
+
+
+
+ Localtalk pseudo type.
+
+
+
+
+ 802.2 frames.
+
+
+
+
+ Mobitex.
+
+
+
+
+ Card specific control frames.
+
+
+
+
+ Linux-IrDA.
+
+
+
+
+ Acorn Econet.
+
+
+
+
+ HDLC frames.
+
+
+
+
+ 1A for ArcNet.
+
+
+
+
+ The empty string value is permitted here to allow for detailed error reporting.
+
+
+
+
+
+
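Review bot: two of the rpm -V flag descriptions in rpmverify_item and rpmverifyfile_item are copy-paste errors. "The size_differs entity aligns with the ninth character ('P' flag)" reuses the size_differs name already assigned to the first character ('S' flag), so either the entity name or the description for the ninth column is wrong; and "The group_differs entity aligns with the seventh character ('U' flag)" cannot be right because 'U' is already the sixth-character (ownership_differs) flag, rpm -V reports the group column as 'G'. The same descriptions spell the command as "rpm –V" with an en dash instead of a hyphen-minus; please write "rpm -V" so the flag is copyable. Smaller documentation fixes: "pakage" (rpminfo_item name, slackwarepkginfo_item name and version), "documenation" (documentation_file, twice), "charcter" ('fail' value of EntityItemRpmVerifyResultType), the doubled period in "the string '(none)' should be used.." in the two epoch descriptions, and the rpmverify_item deprecation note reads "This state has been deprecated" although it describes an item. Finally, the epoch entity says a null epoch is recorded as the string '(none)' while evr and extended_name say a null epoch is equivalent to '0'; one cross-referencing sentence would keep implementers from emitting '(none):VERSION-RELEASE'.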
diff --git a/oval-schemas/macos-definitions-schema.xsd b/oval-schemas/macos-definitions-schema.xsd
new file mode 100644
index 0000000..b206e40
--- /dev/null
+++ b/oval-schemas/macos-definitions-schema.xsd
@@ -0,0 +1,2861 @@
+
+
+
+
+ The following is a description of the elements, types, and attributes that compose the MacOS specific tests found in Open Vulnerability and Assessment Language (OVAL). Each test is an extension of the standard test element defined in the Core Definition Schema. Through extension, each test inherits a set of elements and attributes that are shared amongst all OVAL tests. Each test is described in detail and should provide the information necessary to understand what each element and attribute represents. This document is intended for developers and assumes some familiarity with XML. A high level description of the interaction between the different tests and their relationship to the Core Definition Schema is not outlined here.
+ The MacOS Definition Schema was initially developed by The Center for Internet Security. Many thanks to their contributions to OVAL and the security community.
+ The OVAL Schema is maintained by the OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.cisecurity.org.
+
+ MacOS Definition
+ 5.11.1:1.2
+ 11/30/2016 09:00:00 AM
+ Copyright (c) 2016, Center for Internet Security. All rights reserved. The contents of this file are subject to the terms of the OVAL License located at https://oval.cisecurity.org/terms. See the OVAL License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the OVAL Schema, this license header must be included.
+
+
+
+
+
+
+
+
+
+
+ User account information (username, uid, gid, etc.) See netinfo(5) for field information, niutil(1) for retrieving it. As of Mac OS 10.5, niutil(1) is no longer available, however, the same functionality can be obtained using dscl(1). Specifically, the command 'dscl . -list /Users' can be used to list all users and the command 'dscl . -read /Users/some_user passwd uid gid realname home shell' can be used to retrieve the attributes associated with an account.
+
+
+ accountinfo_test
+ accountinfo_object
+ accountinfo_state
+ accountinfo_item
+
+
+
+
+
+ - the object child element of an accountinfo_test must reference an accountinfo_object
+
+
+ - the state child element of an accountinfo_test must reference an accountinfo_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The accountinfo_object element is used by an accountinfo_test to define the object(s) to be evaluated. This object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+ An accountinfo_object consists of a single username that identifies the account from which to gather information.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Specifies the user of the account to gather information from.
+
+
+
+
+
+
+
+
+
+
+
+
+ The accountinfo_state element defines the different information that can be used to evaluate the specified accounts. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ Specifies the user of the account to gather information from.
+
+
+
+
+ Obfuscated (*****) or encrypted password for this user.
+
+
+
+
+ The numeric user id, or uid, is the third column of each user's entry in /etc/passwd. This element represents the owner of the file.
+
+
+
+
+ Group ID of this account.
+
+
+
+
+ User's real name, aka gecos field of /etc/passwd.
+
+
+
+
+ The home directory for this user account.
+
+
+
+
+ The login shell for this user account.
+
+
+
+
+
+
+
+
+
+
+
+
+ The authorizationdb_test is used to check the properties of the plist-style XML output from the "security authorizationdb read >right-name<" command, for reading information about rights authorizations on MacOSX. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references an authorizationdb_object and the optional state element specifies the data to check.
+
+
+ authorizationdb_test
+ authorizationdb_object
+ authorizationdb_state
+ authorizationdb_item
+
+
+
+
+
+ - the object child element of a authorizationdb_test must reference an authorizationdb_object
+
+
+ - the state child element of a authorizationdb_test must reference an authorizationdb_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The authorizationdb_object element is used by an authorizationdb_test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+ An authorizationdb_object consists of a right_name entity that contains the name of the right to be read from the authorization dabatase. The resulting plist data can be queried using the xpath entity.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Specifies the right name to be queried (read) from the authorization database.
+
+
+
+
+ Specifies an Xpath expression describing the text node(s) or attribute(s) to look at. Any valid Xpath 1.0 statement is usable with one exception, at most one field may be identified in the Xpath. This is because the value_of element in the data section is only designed to work against a single field. The only valid operator for xpath is equals since there is an infinite number of possible xpaths and determinining all those that do not equal a given xpath would be impossible.
+
+
+
+ - operation attribute for the xpath entity of an authorizationdb_object should be 'equals', note that this overrules the general operation attribute validation (i.e. follow this one)
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The authorizationdb_state element defines a value used to evaluate the result of a specific authorizationdb_object item.
+
+
+
+
+
+
+
+ Specifies the right_name used to create the object.
+
+
+
+
+ Specifies an Xpath expression describing the text node(s) or attribute(s) to look at.
+
+
+
+
+ The value_of element checks the value(s) of the text node(s) or attribute(s) found.
+
+
+
+
+
+
+
+
+
+
+
+
+ The corestorage_test is used to check the properties of the plist-style XML output from the "diskutil cs list -plist" command, for reading information about the CoreStorage setup on MacOSX. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references an corestorage_object and the optional state element specifies the data to check.
+
+
+ corestorage_test
+ corestorage_object
+ corestorage_state
+ corestorage_item
+
+
+
+
+
+ - the object child element of a corestorage_test must reference an corestorage_object
+
+
+ - the state child element of a corestorage_test must reference an corestorage_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The corestorage_object element is used by an corestorage_test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+ An corestorage_object consists of a uuid entity that contains the UUID of the volume whose information should be read (i.e., 'diskutil cs info -plist [UUID]'). The resulting plist data can be queried using the xpath entity.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Specifies the UUID of the volume about which the plist information should be retrieved.
+
+
+
+
+ Specifies an Xpath expression describing the text node(s) or attribute(s) to look at. Any valid Xpath 1.0 statement is usable with one exception, at most one field may be identified in the Xpath. This is because the value_of element in the data section is only designed to work against a single field. The only valid operator for xpath is equals since there is an infinite number of possible xpaths and determinining all those that do not equal a given xpath would be impossible.
+
+
+
+ - operation attribute for the xpath entity of an corestorage_object should be 'equals', note that this overrules the general operation attribute validation (i.e. follow this one)
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The corestorage_state element defines a value used to evaluate the result of a specific corestorage_object item.
+
+
+
+
+
+
+
+ Specifies the UUID of the volume about which the plist information was retrieved.
+
+
+
+
+ Specifies an Xpath expression describing the text node(s) or attribute(s) to look at.
+
+
+
+
+ The value_of element checks the value(s) of the text node(s) or attribute(s) found.
+
+
+
+
+
+
+
+
+
+
+
+
+ The diskutil_test is used to verify packages on a Mac OS system. The information used by this test is modeled after the diskutil command's verifyPermissions option. On MacOS X 10.11 and later, this option was replaced by the repair_packages command. For more information, see diskutil(8) or repair_packages(8). It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a diskutil_object and the optional diskutil_state element specifies the data to check.
+
+
+ diskutil_test
+ diskutil_object
+ diskutil_state
+ diskutil_item
+
+
+
+
+
+
+ - the object child element of a diskutil_test must reference a diskutil_object
+
+
+
+ - the state child element of a diskutil_test must reference a diskutil_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The diskutil_object element is used by a diskutil_test to define the volumes containing packages to be verified on a Mac OS system. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The device entity is a string that represents the name of a volume containing system packages that is mounted on a Mac OS system to verify. Please see diskutil(8) or repair_packages(8) for instructions on how to specify the volume.
+
+
+
+
+ The filepath element specifies the absolute path for a file or directory in the specified package.
+
+
+
+
+
+
+
+
+
+
+
+
+ The diskutil_state element defines the different verification information associated with a disk on a Mac OS system. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ The device entity is a string that represents the volume on a Mac OS system to verify. Please see diskutil(8) or repair_packages(8) for instructions on how to specify the device.
+
+
+
+
+ The filepath element specifies the absolute path for a file or directory on the specified device.
+
+
+
+
+ Has the actual user read permission changed from the expected user read permission?
+
+
+
+
+ Has the actual user write permission changed from the expected user write permission?
+
+
+
+
+ Has the actual user exec permission changed from the expected user exec permission?
+
+
+
+
+ Has the actual group read permission changed from the expected group read permission?
+
+
+
+
+ Has the actual group write permission changed from the expected group write permission?
+
+
+
+
+ Has the actual group exec permission changed from the expected group exec permission?
+
+
+
+
+ Has the actual others read permission changed from the expected others read permission?
+
+
+
+
+ Has the actual others write permission changed from the expected others write permission?
+
+
+
+
+ Has the actual others exec permission changed from the expected others exec permission?
+
+
+
+
+ Has the actual user changed from the expected user?
+
+
+
+
+ The actual user of the file/directory.
+
+
+
+
+ The expected user of the file/directory.
+
+
+
+
+ Has the actual group changed from the expected group?
+
+
+
+
+ The actual group of the file/directory.
+
+
+
+
+ The expected group of the file/directory.
+
+
+
+
+ Has the actual symlink changed from the expected symlink?
+
+
+
+
+ The actual symlink of the file/directory.
+
+
+
+
+ The expected symlink of the file/directory.
+
+
+
+
+
+
+
+
+
+
+
+
+ The gatekeeper_test is used to check the status of Gatekeeper and any unsigned applications that have been granted execute permission.
+
+
+ gatekeeper_test
+ gatekeeper_object
+ gatekeeper_state
+ gatekeeper_item
+
+
+
+
+
+ - the object child element of a gatekeeper_test must reference an gatekeeper_object
+
+
+ - the state child element of a gatekeeper_test must reference an gatekeeper_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The gatekeeper_object is a singleton used to access information about Gatekeeper.
+
+
+
+
+
+
+
+
+
+ The gatekeeper_state element makes it possible to make assertions about Gatekeeper's operational status and unsigned applications that have been granted execute permission.
+
+
+
+
+
+
+
+ The status of Gatekeeper assessments.
+
+
+
+
+ The path to an unsigned application folder to which Gatekeeper has granted execute permission.
+
+
+
+
+
+
+
+
+
+
+
+
+ This test's purpose is generally used to check if an application is listening on the network, either for a new connection or as part of an ongoing connection. This is limited to applications that are listening for connections that use the TCP or UDP protocols and have addresses represented as IPv4 or IPv6 addresses (AF_INET or AF_INET6). It is generally speaking the parsed output of running the command netstat -tuwlnpe with root privilege.
+
+
+ inetlisteningservers_test
+ inetlisteningservers_object
+ inetlisteningservers_state
+ inetlisteningserver_item
+
+
+
+
+ 5.10
+ The inetlisteningservers_test has been deprecated and replaced by the inetlisteningserver510_test. The name of an application cannot be used to uniquely identify an application that is listening on the network. As a result, the inetlisteningserver510_object utilizes the protocol, local_address, and local_port entities to uniquely identify an application listening on the network. Please see the inetlisteningserver510_test for additional information.
+
+
+
+ DEPRECATED TEST: ID:
+
+
+
+
+
+
+ - the object child element of an inetlisteningservers_test must reference an inetlisteningservers_object
+
+
+ - the state child element of an inetlisteningservers_test must reference an inetlisteningservers_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The inetlisteningservers_object element is used by an inetlisteningserver test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+
+ 5.10
+ The inetlisteningservers_object has been deprecated and replaced by the inetlisteningserver510_object. The name of an application cannot be used to uniquely identify an application that is listening on the network. As a result, the inetlisteningserver510_object utilizes the protocol, local_address, and local_port entities to uniquely identify an application listening on the network. Please see the inetlisteningserver510_object for additional information.
+
+
+
+ DEPRECATED OBJECT: ID:
+
+
+
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The inetlisteningservers_state element defines the different information that can be used to evaluate the specified inet listening server. This includes the local address, foreign address, port information, and process id. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+ 5.10
+ The inetlisteningservers_state has been deprecated and replaced by the inetlisteningserver510_state. The name of an application cannot be used to uniquely identify an application that is listening on the network. As a result, the inetlisteningserver510_object utilizes the protocol, local_address, and local_port entities to uniquely identify an application listening on the network. Please see the inetlisteningserver510_state for additional information.
+
+
+
+
+
+
+
+
+
+
+ This is the name of the communicating program.
+
+
+
+
+ This is the IP address of the network interface on which the program listens. Note that the IP address can be IPv4 or IPv6.
+
+
+
+
+ This is the IP address and network port on which the program listens, equivalent to local_address:local_port. Note that the IP address can be IPv4 or IPv6.
+
+
+
+
+ This is the TCP or UDP port on which the program listens. Note that this is not a list -- if a program listens on multiple ports, or on a combination of TCP and UDP, each will have its own entry in the table data stored by this test.
+
+
+
+
+ This is the IP address with which the program is communicating, or with which it will communicate, in the case of a listening server. Note that the IP address can be IPv4 or IPv6.
+
+
+
+
+ This is the IP address and network port to which the program is communicating or will accept communications from, equivalent to foreign_address:foreign_port. Note that the IP address can be IPv4 or IPv6.
+
+
+
+
+ This is the TCP or UDP port to which the program communicates. In the case of a listening program accepting new connections, this is usually '0'.
+
+
+
+
+ This is the process ID of the process. The process in question is that of the program communicating on the network.
+
+
+
+
+ This is the transport-layer protocol, in lowercase: tcp or udp.
+
+
+
+
+ The numeric user id, or uid, is the third column of each user's entry in /etc/passwd. It represents the owner, and thus privilege level, of the specified program.
+
+
+
+
+
+
+
+
+
+
+
+
+ The inetlisteningserver510_test is used to check if an application is listening on the network, either for a new connection or as part of an ongoing connection. This is limited to applications that are listening for connections that use the TCP or UDP protocols and have addresses represented as IPv4 or IPv6 addresses (AF_INET or AF_INET6). One method for retrieving the required information is by parsing the output of the command 'lsof -i -P -n -l' with root privileges.
+
+
+ inetlisteningserver510_test
+ inetlisteningserver510_object
+ inetlisteningserver510_state
+ inetlisteningserver510_item
+
+
+
+
+
+ - the object child element of an inetlisteningserver510_test must reference an inetlisteningserver510_object
+
+
+ - the state child element of an inetlisteningserver510_test must reference an inetlisteningserver510_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The inetlisteningserver510_object element is used by an inetlisteningserver510_test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The protocol entity defines a certain transport-layer protocol, in lowercase: tcp or udp.
+
+
+
+
+ This is the IP address of the network interface on which an application listens. Note that the IP address can be IPv4 or IPv6.
+
+
+
+
+ This is the TCP or UDP port on which an application would listen. Note that this is not a list -- if a program listens on multiple ports, or on a combination of TCP and UDP, each will be represented by its own object.
+
+
+
+
+
+
+
+
+
+
+
+
+ The inetlisteningserver510_state element defines the different information that can be used to evaluate the specified inet listening server. This includes the local address, foreign address, port information, and process id. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ This is the transport-layer protocol, in lowercase: tcp or udp.
+
+
+
+
+ This is the IP address of the network interface on which the program listens. Note that the IP address can be IPv4 or IPv6.
+
+
+
+
+ This is the TCP or UDP port on which the program listens. Note that this is not a list -- if a program listens on multiple ports, or on a combination of TCP and UDP, each will have its own entry in the table data stored by this test.
+
+
+
+
+ This is the IP address and network port on which the program listens, equivalent to local_address:local_port. Note that the IP address can be IPv4 or IPv6.
+
+
+
+
+ This is the name of the communicating program.
+
+
+
+
+ This is the IP address with which the program is communicating, or with which it will communicate, in the case of a listening server. Note that the IP address can be IPv4 or IPv6.
+
+
+
+
+ This is the TCP or UDP port to which the program communicates. In the case of a listening program accepting new connections, this is usually '0'.
+
+
+
+
+ This is the IP address and network port to which the program is communicating or will accept communications from, equivalent to foreign_address:foreign_port. Note that the IP address can be IPv4 or IPv6.
+
+
+
+
+ This is the process ID of the process. The process in question is that of the program communicating on the network.
+
+
+
+
+ The numeric user id, or uid, is the third column of each user's entry in /etc/passwd. It represents the owner, and thus privilege level, of the specified program.
+
+
+
+
+
+
+
+
+
+
+
+
+ The keychain_test is used to check the properties of the plist-style XML output from the "security show-keychain-info >keychain<" command, for reading information about keychain settings on MacOSX. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references an keychain_object and the optional state element specifies the data to check.
+
+
+ keychain_test
+ keychain_object
+ keychain_state
+ keychain_item
+
+
+
+
+
+ - the object child element of a keychain_test must reference an keychain_object
+
+
+ - the state child element of a keychain_test must reference an keychain_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The keychain_object element is used by an corestorage_test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+ A keychain_object consists of a keychain (name) entity that contains the name of the keychain whose settings will be queried.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Specifies the filepath of the keychain to be queried. The default keychain for a user is normally located at ~/Library/Keychains/login.keychain.
+
+
+
+
+
+
+
+
+
+
+
+
+ The keychain_state element defines a value used to evaluate the result of a specific keychain_object item.
+
+
+
+
+
+
+
+ Specifies the filepath of the keychain used to create the object.
+
+
+
+
+ Specifies whether the keychain is configured to lock when the computer sleeps.
+
+
+
+
+ Specifies the inactivity timeout (in seconds) for the keychain, or 0 if there is no timeout.
+
+
+
+
+
+
+
+
+
+
+
+
+ The launchd_test is used to check the status of daemons/agents loaded via the launchd service. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a launchd_object and the optional state element specifies the data to check.
+
+
+ launchd_test
+ launchd_object
+ launchd_state
+ launchd_item
+
+
+
+
+
+ - the object child element of a launchd_test must reference an launchd_object
+
+
+ - the state child element of a launchd_test must reference an launchd_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The launchd_object element is used by a launchd_test to define the daemon/agent to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+ A launchd_object consists of a label (name) entity that contains the name of the agent/daemon whose attributes will be queried.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Specifies the deamon to be queried.
+
+
+
+
+
+
+
+
+
+
+
+
+ The launchd_state element defines a value used to evaluate the result of a specific launchd_object item.
+
+
+
+
+
+
+
+ Specifies the name of the agent/daemon used to create the object.
+
+
+
+
+ Specifies the process ID of the daemon (if any).
+
+
+
+
+ Specifies the last exit code of the daemon (if any), or if $lt; 0, indicates the negative of the signal that interrupted processing. For example, a value of -15 would indicate that the job was terminated via a SIGTERM.
+
+
+
+
+
+
+
+
+
+
+
+
+ This test pulls data from the 'nvram -p' output.
+
+
+ nvram_test
+ nvram_object
+ nvram_state
+ nvram_item
+
+
+
+
+
+ - the object child element of an nvram_test must reference an nvram_object
+
+
+ - the state child element of an nvram_test must reference an nvram_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The nvram_object element is used by a nvram test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ This test pulls data from the 'nvram -p' output.
+
+
+
+
+
+
+
+ This specifies the nvram variable to check.
+
+
+
+
+ This is the value of the associated nvram variable.
+
+
+
+
+
+
+
+
+
+
+
+
+ The plist_test is used to check the value(s) associated with property list preference keys. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a plist_object and the optional plist_state element specifies the data to check.
+
+
+ plist_test
+ plist_object
+ plist_state
+ plist_item
+
+
+
+
+ 5.10
+ Replaced by the plist510_test. This test references the plist_object which does not contain an instance entity. As a result, it is not possible to differentiate between two preference keys that have the same name using the plist_object. The plist510_test was added to address this deficiency. See the plist510_test.
+ This test has been deprecated and may be removed in a future version of the language.
+
+
+
+ DEPRECATED TEST: ID:
+
+
+
+
+
+
+ - the object child element of a plist_test must reference a plist_object
+
+
+ - the state child element of a plist_test must reference a plist_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The plist_object element is used by a plist_test to define the preference keys to collect and where to look for them. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+
+ 5.10
+ Replaced by the plist510_object. This object does not contain an instance entity. As a result, it is not possible to differentiate between two preference keys that have the same name using this object. The plist510_object was added to address this deficiency. See the plist510_object.
+ This object has been deprecated and may be removed in a future version of the language.
+
+
+
+ DEPRECATED OBJECT: ID:
+
+
+
+
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The preference key to check. If the xsi:nil attribute is set to 'true', the plist does not have any keys associated with it (i.e. it is not a CFDictionary) and the default value of the plist will be collected.
+
+
+
+
+
+ The unique application identifier that specifies the application to use when looking up the preference key (e.g. com.apple.Safari).
+
+
+
+
+ The absolute path to a plist file (e.g. ~/Library/Preferences/com.apple.Safari.plist). A directory cannot be specified as a filepath.
+
+
+
+
+ - operation attribute for the filepath entity of a plist_object should be 'equals'
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The plist_state element defines the different information that can be used to evaluate the specified property list preference key. This includes the preference key, application identifier, filepath, type, as well as the preference key's value. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+ 5.10
+ Replaced by the plist510_state. This state is used in conjunction with the plist_object which does not contain an instance entity. As a result, it is not possible to differentiate between two preference keys that have the same name using the plist_object. The plist510_state was added to address this deficiency. See the plist510_state.
+ This object has been deprecated and may be removed in a future version of the language.
+
+
+
+ DEPRECATED STATE: ID:
+
+
+
+
+
+
+
+
+
+
+ The preference key to check.
+
+
+
+
+ The unique application identifier that specifies the application to use when looking up the preference key (e.g. com.apple.Safari).
+
+
+
+
+ The absolute path to a plist file (e.g. ~/Library/Preferences/com.apple.Safari.plist).
+
+
+
+
+ The instance of the preference key found in the plist. The first instance of a matching preference key is given the instance value of 1, the second instance of a matching preference key is given the instance value of 2, and so on. Note that the main purpose of this entity is to provide uniqueness for the different plist_items that result from multiple instances of a given preference key in the same plist file.
+
+
+
+
+ The type of the preference key.
+
+
+
+
+ The value of the preference key.
+
+
+
+
+
+
+
+
+
+
+
+
+ The plist510_test is used to check the value(s) associated with property list preference keys. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a plist510_object and the optional plist510_state element specifies the data to check.
+
+
+ plist510_test
+ plist510_object
+ plist510_state
+ plist_item
+
+
+
+
+ 5.11.2:1.0
+ Replaced by the plist511_test. This test references the plist_object which cannot express the context hierarchy required to differentiate between nodes with identical names. As a result, it is not possible to address a particular node when the order of their parent nodes is indeterminate. The plist511_test was added to address this deficiency. See the plist511_test.
+ This test has been deprecated and may be removed in a future version of the language.
+
+
+
+ DEPRECATED TEST: ID:
+
+
+
+
+
+
+ - the object child element of a plist510_test must reference a plist510_object
+
+
+ - the state child element of a plist510_test must reference a plist510_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The plist510_object element is used by a plist510_test to define the preference keys to collect and where to look for them. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+
+ 5.11.2:1.0
+ Replaced by the plist511_object. This object cannot express the context hierarchy required to differentiate between nodes with identical names. As a result, it is not possible to address a particular node when the order of their parent nodes is indeterminate. The plist511_object was added to address this deficiency. See the plist511_object.
+ This object has been deprecated and may be removed in a future version of the language.
+
+
+
+ DEPRECATED OBJECT: ID:
+
+
+
+
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The preference key to check. If the xsi:nil attribute is set to 'true', the plist does not have any keys associated with it (i.e. it is not a CFDictionary) and the default value of the plist will be collected.
+
+
+
+
+
+ The unique application identifier that specifies the application to use when looking up the preference key (e.g. com.apple.Safari).
+
+
+
+
+ - key entity must not be nil when the app_id entity is used because preferences require a key.
+
+
+
+
+
+
+
+ The absolute path to a plist file (e.g. ~/Library/Preferences/com.apple.Safari.plist). A directory cannot be specified as a filepath.
+
+
+
+
+ - operation attribute for the filepath entity of a plist510_object should be 'equals'
+
+
+
+
+
+
+
+
+ The instance of the preference key found in the plist. The first instance of a matching preference key is given the instance value of 1, the second instance of a matching preference key is given the instance value of 2, and so on. Instance values must be assigned using a depth-first approach. Note that the main purpose of this entity is to provide uniqueness for the different plist_items that result from multiple instances of a given preference key in the same plist file.
+
+
+
+
+
+
+
+
+
+
+
+
+ The plist510_state element defines the different information that can be used to evaluate the specified property list preference key. This includes the preference key, application identifier, filepath, type, as well as the preference key's value. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+ 5.11.2:1.0
+ Replaced by the plist511_state. This state is used in conjunction with the plist510_object which cannot express the context hierarchy required to differentiate between nodes with identical names. As a result, it is not possible to address a particular node when the order of their parent nodes is indeterminate. The plist511_state was added to address this deficiency. See the plist511_state.
+ This object has been deprecated and may be removed in a future version of the language.
+
+
+
+ DEPRECATED STATE: ID:
+
+
+
+
+
+
+
+
+
+
+ The preference key to check.
+
+
+
+
+ The unique application identifier that specifies the application to use when looking up the preference key (e.g. com.apple.Safari).
+
+
+
+
+ The absolute path to a plist file (e.g. ~/Library/Preferences/com.apple.Safari.plist).
+
+
+
+
+ The instance of the preference key found in the plist. The first instance of a matching preference key is given the instance value of 1, the second instance of a matching preference key is given the instance value of 2, and so on. Instance values must be assigned using a depth-first approach. Note that the main purpose of this entity is to provide uniqueness for the different plist_items that result from multiple instances of a given preference key in the same plist file.
+
+
+
+
+ The type of the preference key.
+
+
+
+
+ The value of the preference key.
+
+
+
+
+
+
+
+
+
+
+
+
+ The plist511_test is used to check the value(s) associated with property list preference keys. It can be used to represent any plist file in XML form (whether its native format is ASCII text, binary, or XML), permitting the use of the XPATH query language to explore its contents. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a plist511_object and the optional plist511_state element specifies the data to check.
+
+
+ plist511_test
+ plist511_object
+ plist511_state
+ plist_item
+
+
+
+
+
+ - the object child element of a plist511_test must reference a plist511_object
+
+
+ - the state child element of a plist511_test must reference a plist511_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The plist511_object element is used by a plist511_test to define the preference keys to collect and where to look for them. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The unique application identifier that specifies the application to use when looking up the preference key (e.g. com.apple.Safari).
+
+
+
+
+ The absolute path to a plist file (e.g. /Library/Preferences/com.apple.TimeMachine.plist). A directory cannot be specified as a filepath.
+
+
+
+
+ - operation attribute for the filepath entity of a plist511_object should be 'equals'
+
+
+
+
+
+
+
+
+
+ Specifies an XPath 1.0 expression to evaluate against the XML representation of the plist file specified by the filename or app_id entity. This XPath 1.0 expression must evaluate to a list of zero or more text values which will be accessible in OVAL via instances of the value_of item entity. Any results from evaluating the XPath 1.0 expression other than a list of text strings (e.g., a nodes set) is considered an error. The intention is that the text values be drawn from instances of a single, uniquely named element or attribute. However, an OVAL interpreter is not required to verify this, so the author should define the XPath expression carefully. Note that "equals" is the only valid operator for the xpath entity.
+
+
+
+ - operation attribute for the xpath entity of a plist_object should be 'equals', note that this overrules the general operation attribute validation (i.e. follow this one)
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The plist511_state element defines the different information that can be used to evaluate the specified property list preference key. This includes the preference key, application identifier, filepath, type, as well as the preference key's value. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ The unique application identifier that specifies the application to use when looking up the preference key (e.g. com.apple.Safari).
+
+
+
+
+ The absolute path to a plist file (e.g. ~/Library/Preferences/com.apple.Safari.plist).
+
+
+
+
+ Specifies an XPath expression describing the text node(s) or attribute(s) to look at.
+
+
+
+
+ The value of the preference key.
+
+
+
+
+
+
+
+
+
+
+
+
+ This test pulls data from the 'pwpolicy -getpolicy' output. The actual values get stored under /var/db/netinfo/local.nidb/ in a Store.# file. Is this test actually needed, or can the text file content test be used instead?
+
+
+ pwpolicy_test
+ pwpolicy_object
+ pwpolicy_state
+ pwpolicy_item
+
+
+
+
+ 5.9
+ Replaced by the pwpolicy59_test. The username, userpass, and directory_node entities in the pwpolicy_object, pwpolicy_state, and pwpolicy_item were underspecified and as a result their meaning was uncertain. A new test was created to resolve this issue. See the pwpolicy59_test.
+ This test has been deprecated and may be removed in a future version of the language.
+
+
+
+ DEPRECATED TEST: ID:
+
+
+
+
+
+
+ - the object child element of an pwpolicy_test must reference an pwpolicy_object
+
+
+ - the state child element of an pwpolicy_test must reference an pwpolicy_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The pwpolicy_object element is used by a pwpolicy_test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+
+ 5.9
+ Replaced by the pwpolicy59_object. The username, userpass, and directory_node entities in the pwpolicy_object were underspecified and as a result their meaning was uncertain. A new object was created to resolve this issue. See the pwpolicy59_object.
+ This object has been deprecated and may be removed in a future version of the language.
+
+
+
+ DEPRECATED OBJECT: ID:
+
+
+
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ - operation attribute for the username entity of a pwpolicy_object should be 'equals', note that this overrules the general operation attribute validation (i.e. follow this one)
+
+
+
+
+
+
+
+
+
+
+
+ - operation attribute for the userpass entity of a pwpolicy_object should be 'equals', note that this overrules the general operation attribute validation (i.e. follow this one)
+
+
+
+
+
+
+
+
+
+
+
+ - operation attribute for the directory_node entity of a pwpolicy_object should be 'equals', note that this overrules the general operation attribute validation (i.e. follow this one)
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 5.9
+ Replaced by the pwpolicy59_state. The username, userpass, and directory_node entities in the pwpolicy_state were underspecified and as a result their meaning was uncertain. A new state was created to resolve this issue. See the pwpolicy59_state.
+ This state has been deprecated and may be removed in a future version of the language.
+
+
+
+ DEPRECATED STATE: ID:
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Maximum number of characters allowed in a password.
+
+
+
+
+ Maximum number of failed logins before the account is locked.
+
+
+
+
+ Minimum number of characters allowed in a password.
+
+
+
+
+ Defines if the password is allowed to be the same as the username or not.
+
+
+
+
+ Defines if the password must contain an alphabetical character or not.
+
+
+
+
+ Defines if the password must contain an numeric character or not.
+
+
+
+
+
+
+
+
+
+
+
+
+ This test retrieves password policy data from the 'pwpolicy -getpolicy -u target_user [-a username] [-p userpass] [-n directory_node]' output where username, userpass, and directory_node are optional. Please see the 'pwpolicy' man page for additional information.
+
+
+ pwpolicy59_test
+ pwpolicy59_object
+ pwpolicy59_state
+ pwpolicy59_item
+
+
+
+
+
+ - the object child element of an pwpolicy59_test must reference an pwpolicy59_object
+
+
+ - the state child element of an pwpolicy59_test must reference an pwpolicy59_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The pwpolicy59_object element is used by a pwpolicy59_test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The target_user element specifies the user whose password policy information should be collected. If an operation other than equals is specified, the users on the system should be enumerated and the 'pwpolicy' command should be issued for each user that matches the target_user element. If the xsi:nil attribute is set to true, the global policy should be retrieved.
+
+
+
+
+ The username element specifies the username of the authenticator. If the xsi:nil attribute is set to true, authentication to the directory node will not be performed (i.e. the '-a' and '-p' command line options will not be specified when issuing the 'pwpolicy' command) and the xsi:nil attribute of the userpass element should also be set to true.
+
+
+
+ - userpass entity must be nil when username entity is nil
+
+
+
+
+
+
+
+ The userpass element specifies the password of the authenticator as specified by the username element. If the xsi:nil attribute is set to true, authentication to the directory node will not be performed (i.e. the '-a' and '-p' command line options will not be specified when issuing the 'pwpolicy' command) and the xsi:nil attribute of the username element should also be set to true.
+
+
+
+ - operation attribute for the userpass entity of a pwpolicy59_object should be 'equals', note that this overrules the general operation attribute validation (i.e. follow this one)
+ - username entity must be nil when userpass entity is nil
+
+
+
+
+
+
+
+ The directory_node element specifies the directory node that you would like to retrieve the password policy information from. If the xsi:nil attribute is set to true, the default directory node is used (i.e. the '-n' command line option will not be specified when issuing the 'pwpolicy' command).
+
+
+
+ - operation attribute for the directory_node entity of a pwpolicy59_object should be 'equals', note that this overrules the general operation attribute validation (i.e. follow this one)
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The pwpolicy59_state element defines the different information that can be used to evaluate the password policy for the target user in the specified directory node. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ The target_user element specifies the user whose password policy information should be collected.
+
+
+
+
+ The username element specifies the username of the authenticator.
+
+
+
+
+ The userpass element specifies the password of the authenticator as specified by the username element.
+
+
+
+
+ The directory_node element specifies the directory node that you would like to retrieve the password policy information from.
+
+
+
+
+ Maximum number of characters allowed in a password.
+
+
+
+
+ Maximum number of failed logins before the account is locked.
+
+
+
+
+ Minimum number of characters allowed in a password.
+
+
+
+
+ Defines if the password is allowed to be the same as the username or not.
+
+
+
+
+ Defines if the password must contain an alphabetical character or not.
+
+
+
+
+ Defines if the password must contain an numeric character or not.
+
+
+
+
+ Maximum number of minutes until the password must be changed.
+
+
+
+
+ Minimum number of minutes between password changes.
+
+
+
+
+ Defines if the password must contain upper and lower case characters or not.
+
+
+
+
+ Defines if the password must contain a symbol character or not.
+
+
+
+
+ Number of minutes after login has been disabled due to too many failed login attempts to wait before reenabling login.
+
+
+
+
+ 0 = user can reuse the current pass-word, 1 = user cannot reuse the current password, 2-15 = user cannot reuse the last n passwords.
+
+
+
+
+ If true, the user can change the password.
+
+
+
+
+ If true, user is required to change password on the date in expirationDateGMT
+
+
+
+
+ If true, user's account is disabled on the date in hardExpireDateGMT
+
+
+
+
+ Date for the password to expire, format is: mm/dd/yyyy. NOTE: The pwpolicy command returns the year as a two digit value, but OVAL uses four digit years; the pwpolicy value is converted to an OVAL compatible value.
+
+
+
+
+ Date for the user's account to be disabled, format is: mm/dd/yyyy. NOTE: The pwpolicy command returns the year as a two digit value, but OVAL uses four digit years; the pwpolicy value is converted to an OVAL compatible value.
+
+
+
+
+ User's account is disabled after this interval
+
+
+
+
+ User's account is disabled if it is not accessed by this interval
+
+
+
+
+ If true, the user will be prompted for a new password at the next authentication.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The rlimit_test is used to check system resource limits for launchd. It is a singleton object. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The state element specifies the system setup elements to check.
+
+
+ rlimit_test
+ rlimit_object
+ rlimit_state
+ rlimit_item
+
+
+
+
+
+ - the object child element of a rlimit_test must reference an rlimit_object
+
+
+ - the state child element of a rlimit_test must reference an rlimit_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The rlimit_object is a singleton used to access resource limit information.
+
+
+
+
+
+
+
+
+
+ The rlimit_state element makes it possible to make assertions about the resource limits for launchd.
+ A resource limit is specified as a soft (current) limit and a hard (max) limit. When a soft limit is exceeded a process may receive a signal (for example, if the cpu time or file size is exceeded), but it will be allowed to con-tinue continue tinue execution until it reaches the hard limit (or modifies its resource limit).
+ For any 'unlimited' resource, the entity will have the status of 'does not exist'.
+
+
+
+
+
+
+
+ The maximum amount of cpu time (in seconds) to be used by each process.
+
+
+
+
+ cpu hard limit.
+
+
+
+
+ The largest size (in bytes) file that may be created.
+
+
+
+
+ filesize hard limit.
+
+
+
+
+ The maximum size (in bytes) of the data segment for a process; this defines how far a program may extend its break with the sbrk(2) system call.
+
+
+
+
+ data hard limit.
+
+
+
+
+ The maximum size (in bytes) of the stack segment for a process; this defines how far a program's stack segment may be extended. Stack extension is performed automatically by the system.
+
+
+
+
+ stack hard limit.
+
+
+
+
+ The largest size (in bytes) core file that may be created.
+
+
+
+
+ core hard limit.
+
+
+
+
+ The maximum size (in bytes) to which a process's resident set size may grow. This imposes a limit on the amount of physical memory to be given to a process; if memory is tight, the system will prefer to take memory from processes that are exceeding their declared resident set size.
+
+
+
+
+ rss hard limit.
+
+
+
+
+ The maximum size (in bytes) which a process may lock into memory using the mlock(2) function.
+
+
+
+
+ memlock hard limit.
+
+
+
+
+ The maximum number of simultaneous processes for this user id.
+
+
+
+
+ maxproc hard limit.
+
+
+
+
+ The maximum number of open files for this process.
+
+
+
+
+ maxfiles hard limit.
+
+
+
+
+
+
+
+
+
+
+
+
+ The softwareupdate_test is used to check the status of automatic software updates on MacOSX. It is a singleton object. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The state element specifies the softwareupdate elements to check.
+
+
+ softwareupdate_test
+ softwareupdate_object
+ softwareupdate_state
+ softwareupdate_item
+
+
+
+
+
+ - the object child element of a softwareupdate_test must reference an softwareupdate_object
+
+
+ - the state child element of a softwareupdate_test must reference an softwareupdate_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The softwareupdate_object is a singleton used to access automatic software update information.
+
+
+
+
+
+
+
+
+
+ The softwareupdate_state element makes it possible to make assertions about the state of automatic software updates.
+
+
+
+
+
+
+
+ Specifies whether automatic checking is enabled (true).
+
+
+
+
+ Specifies the title string for an available (not installed) software update.
+
+
+
+
+
+
+
+
+
+
+
+
+ The systemprofiler_test is used to check the properties of the plist-style XML output from the "system_profiler -xml <data type>" command, for reading information about system inventory data on MacOSX. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references an systemprofiler_object and the optional state element specifies the data to check.
+
+
+ systemprofiler_test
+ systemprofiler_object
+ systemprofiler_state
+ systemprofiler_item
+
+
+
+
+
+ - the object child element of a systemprofiler_test must reference an systemprofiler_object
+
+
+ - the state child element of a systemprofiler_test must reference an systemprofiler_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The systemprofiler_object element is used by an systemprofiler_test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+ An systemprofiler_object consists of a data_type entity that contains the name of the datatype that was probed by the system_profiler utility. The resulting plist data can be queried using the xpath entity.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The data_type entity provides the datatype value that is desired.
+
+
+
+
+ Specifies an Xpath expression describing the text node(s) or attribute(s) to look at. Any valid Xpath 1.0 statement is usable with one exception, at most one field may be identified in the Xpath. This is because the value_of element in the data section is only designed to work against a single field. The only valid operator for xpath is equals since there is an infinite number of possible xpaths and determinining all those that do not equal a given xpath would be impossible.
+
+
+
+ - operation attribute for the xpath entity of an systemprofiler_object should be 'equals', note that this overrules the general operation attribute validation (i.e. follow this one)
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The systemprofiler_state element defines a value used to evaluate the result of a specific systemprofiler_object item.
+
+
+
+
+
+
+
+ The data_type entity provides the datatype value that is desired.
+
+
+
+
+ Specifies an Xpath expression describing the text node(s) or attribute(s) to look at.
+
+
+
+
+ The value_of element checks the value(s) of the text node(s) or attribute(s) found.
+
+
+
+
+
+
+
+
+
+
+
+
+ The systemsetup_test is used to check systemsetup properties. It is a singleton object. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The state element specifies the system setup elements to check.
+
+
+ systemsetup_test
+ systemsetup_object
+ systemsetup_state
+ systemsetup_item
+
+
+
+
+
+ - the object child element of a systemsetup_test must reference an systemsetup_object
+
+
+ - the state child element of a systemsetup_test must reference an systemsetup_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The systemsetup_object is a singleton used to access system setup information.
+
+
+
+
+
+
+
+
+
+ The systemsetup_state element makes it possible to make assertions about system setup settings.
+
+
+
+
+
+
+
+ Specifies the name of the time zone.
+
+
+
+
+ Specifies weather the machine is using network time.
+
+
+
+
+ Specifies the network time server.
+
+
+
+
+ Specifies the computer sleep inactivity timer, or 0 for never.
+
+
+
+
+ Specifies the display sleep inactivity timer, or 0 for never.
+
+
+
+
+ Specifies the hard disk sleep inactivity timer, or 0 for never.
+
+
+
+
+ Specifies whether the computer will wake up if the modem is accessed.
+
+
+
+
+ Specifies whether the computer will wake up if the network is accessed.
+
+
+
+
+ Specifies whether the computer will restart after freezing.
+
+
+
+
+ Specifies whether the power button can be used to cause the computer to sleep.
+
+
+
+
+ Specifies whether remote logins are allowed.
+
+
+
+
+ Specifies whether remote Apple events are enabled.
+
+
+
+
+ Specifies the computer's name.
+
+
+
+
+ Specifies the startup disk.
+
+
+
+
+ Specifies the number of seconds the computer waits to start up after a power failure.
+
+
+
+
+ Specifies whether the keyboard is locked when the closure lock is engaged.
+
+
+
+
+ Specifies the kernel boot architecture setting.
+
+
+
+
+
+
+
+
+
+
+
+
+ The EntityObjectDataTypeType complex type defines the different values that are valid for the data_type entity of a system_profiler object. These values describe the system_profiler XML data to be retrieved. The empty string is also allowed as a valid value to support an empty element that is found when a variable reference is used within the index entity. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values. Please note that the values identified are for the data_type entity and are not valid values for the datatype attribute.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityStateDataTypeType complex type defines the different values that are valid for the data_type entity of a system_profiler state. These values describe the system_profiler XML data to be retrieved. The empty string is also allowed as a valid value to support an empty element that is found when a variable reference is used within the index entity. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values. Please note that the values identified are for the data_type entity and are not valid values for the datatype attribute.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityStatePermissionCompareType complex type restricts a string value to more, less, or same which specifies if an actual permission is different than the expected permission (more or less restrictive) or if the permission is the same. The empty string is also allowed to support empty elements associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+
+
+
+
+ The actual permission is more restrictive than the expected permission.
+
+
+
+
+ The actual permission is less restrictive than the expected permission.
+
+
+
+
+ The actual permission is the same as the expected permission.
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityStatePlistTypeType complex type restricts a string value to the seven values CFString, CFNumber, CFBoolean, CFDate, CFData, CFArray, and CFDictionary that specify the datatype of the value associated with a property list preference key. The empty string is also allowed to support empty elements associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+
+ 5.11.2:1.0
+ Used only by the deprecated plist_state and plist510_state.
+ This enumeration has been deprecated and may be removed in a future version of the language.
+
+
+
+
+
+
+
+ The CFString type is used to describe a preference key that has a string value. The OVAL string datatype should be used to represent CFString values.
+
+
+
+
+ The CFNumber type is used to describe a preference key that has a integer or float value. The OVAL int and float datatypes should be used, as appropriate, to represent CFNumber values.
+
+
+
+
+ The CFBoolean type is used to describe a preference key that has a boolean value. The OVAL boolean datatype should be used to represent CFBoolean values.
+
+
+
+
+ The CFDate type is used to describe a preference key that has a date value. The OVAL string datatype should be used to represent CFDate values.
+
+
+
+
+ The CFData type is used to describe a preference that has a base64-encoded binary value. The OVAL string datatype should be used to represent CFData values.
+
+
+
+
+ The CFArray type is used to describe a preference key that has a collection of values. This is represented as multiple value entities.
+
+
+
+
+ The CFDictionary type is used to describe a preference key that has a collection of key-value pairs. Note that the collection of CFDictionary values is not supported. If an attempt is made to collect a CFDictionary value, an error should be reported.
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
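Review bot: the pwpolicy59_object documentation drops the operation constraint on the username entity that the deprecated pwpolicy_object carried ("operation attribute for the username entity of a pwpolicy_object should be 'equals'"); the replacement object keeps that constraint only for userpass and directory_node, so a username with a pattern-match operation has no defined meaning when passed to '-a'; add the same "should be 'equals'" constraint to the username entity of pwpolicy59_object. The userpass entity description should also state plainly that the authenticator password is embedded in the definition and passed via the '-p' command line option, so definitions that use it and any collected results must be handled as credential-bearing content. The pwpolicy_test description still carries an unresolved design question ("Is this test actually needed, or can the text file content test be used instead?"); since the test is now deprecated in favour of pwpolicy59_test, replace it with a plain description. The EntityObjectDataTypeType and EntityStateDataTypeType descriptions refer to a variable reference "within the index entity", but the entity being described is data_type, and the object is named systemprofiler_object rather than "system_profiler object"; fix both. Documentation typos: "an pwpolicy_test", "an rlimit_object", "an softwareupdate_object", "an systemprofiler_test" and "An systemprofiler_object" should use "a"; "an numeric character"; "pass-word"; "determinining"; "Specifies weather the machine is using network time" should read "whether"; and the rlimit_state description is garbled around "allowed to con-tinue continue tinue execution", which should read "allowed to continue execution". "Xpath" and "XPath" are also used inconsistently across the systemprofiler descriptions.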
diff --git a/oval-schemas/macos-system-characteristics-schema.xsd b/oval-schemas/macos-system-characteristics-schema.xsd
new file mode 100644
index 0000000..5310606
--- /dev/null
+++ b/oval-schemas/macos-system-characteristics-schema.xsd
@@ -0,0 +1,1233 @@
+
+
+
+
+ The following is a description of the elements, types, and attributes that compose the MacOS specific system characteristic items found in Open Vulnerability and Assessment Language (OVAL). Each item is an extension of the standard test element defined in the Core Definition Schema. Through extension, each test inherits a set of elements and attributes that are shared amongst all OVAL tests. Each test is described in detail and should provide the information necessary to understand what each element and attribute represents. This document is intended for developers and assumes some familiarity with XML. A high level description of the interaction between the different tests and their relationship to the Core Definition Schema is not outlined here.
+ The MacOS System Characteristics Schema was initially developed by The Center for Internet Security. Many thanks to their contributions to OVAL and the security community.
+ The OVAL Schema is maintained by the OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.cisecurity.org.
+
+ MacOS System Characteristics
+ 5.11.1:1.2
+ 11/30/2016 09:00:00 AM
+ Copyright (c) 2016, Center for Internet Security. All rights reserved. The contents of this file are subject to the terms of the OVAL License located at https://oval.cisecurity.org/terms. See the OVAL License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the OVAL Schema, this license header must be included.
+
+
+
+
+
+
+
+
+
+
+ This item stores sser account information (username, uid, gid, etc.).
+
+
+
+
+
+
+
+ The user associated with the information collected.
+
+
+
+
+ Obfuscated (*****) or encrypted password for this user.
+
+
+
+
+ The numeric user id, or uid, is the third column of each user's entry in /etc/passwd. This element represents the owner of the file.
+
+
+
+
+ Group ID of this account.
+
+
+
+
+ User's real name, aka gecos field of /etc/passwd.
+
+
+
+
+ The home directory for this user account.
+
+
+
+
+ The login shell for this user account.
+
+
+
+
+
+
+
+
+
+
+
+
+ This item stores results from checking the contents of an authorizationdb right.
+
+
+
+
+
+
+
+ Specifies the right_name in which the item is specified.
+
+
+
+
+ Specifies an Xpath expression describing the text node(s) or attribute(s) to look at.
+
+
+
+
+ The value_of element checks the value(s) of the text node(s) or attribute(s) found. How this is used is entirely controlled by operator attributes.
+
+
+
+
+
+
+
+
+
+
+
+
+ This item stores results from checking the contents of the CoreStorage XML plist information.
+
+
+
+
+
+
+
+ Specifies the UUID of the volume about which the plist information was retrieved.
+
+
+
+
+ Specifies an Xpath expression describing the text node(s) or attribute(s) to look at.
+
+
+
+
+ The value_of element checks the value(s) of the text node(s) or attribute(s) found. How this is used is entirely controlled by operator attributes.
+
+
+
+
+
+
+
+
+
+
+
+
+ The diskutil_item holds verification information about an individual disk on a Mac OS system. Each diskutil_item contains a device, filepath, and details on how the actual permissions, ownerships and link targets differ from the expected values. For more information, see diskutil(8) or repair_packages(8). It extends the standard ItemType as defined in the oval-system-characteristics schema and one should refer to the ItemType description for more information.
+
+
+
+
+
+
+
+ The device entity is a string that represents the disk on a Mac OS system to verify. Please see diskutil(8) for instructions on how to specify the device.
+
+
+
+
+ The filepath element specifies the absolute path for a file or directory on the specified device.
+
+
+
+
+ Has the actual user read permission changed from the expected user read permission?
+
+
+
+
+ Has the actual user write permission changed from the expected user write permission?
+
+
+
+
+ Has the actual user exec permission changed from the expected user exec permission?
+
+
+
+
+ Has the actual group read permission changed from the expected group read permission?
+
+
+
+
+ Has the actual group write permission changed from the expected group write permission?
+
+
+
+
+ Has the actual group exec permission changed from the expected group exec permission?
+
+
+
+
+ Has the actual others read permission changed from the expected others read permission?
+
+
+
+
+ Has the actual others write permission changed from the expected others write permission?
+
+
+
+
+ Has the actual others exec permission changed from the expected others exec permission?
+
+
+
+
+ Has the actual user changed from the expected user?
+
+
+
+
+ The actual user of the file/directory.
+
+
+
+
+ The expected user of the file/directory.
+
+
+
+
+ Has the actual group changed from the expected group?
+
+
+
+
+ The actual group of the file/directory.
+
+
+
+
+ The expected group of the file/directory.
+
+
+
+
+ Has the actual symlink changed from the expected symlink?
+
+
+
+
+ The actual symlink of the file/directory.
+
+
+
+
+ The expected symlink of the file/directory.
+
+
+
+
+
+
+
+
+
+
+
+
+ This item stores results from checking the settings of the Gatekeeper.
+
+
+
+
+
+
+
+ The status of Gatekeeper assessments.
+
+
+
+
+ The path to an unsigned application folder to which Gatekeeper has granted execute permission.
+
+
+
+
+
+
+
+
+
+
+
+
+ An inet listening server item stores the results of checking for network servers currently active on a system.
+
+
+ 5.10
+ The inetlisteningserver_item has been deprecated and replaced by the inetlisteningserver510_item. The name of an application cannot be used to uniquely identify an application that is listening on the network. As a result, the inetlisteningserver510_object utilizes the protocol, local_address, and local_port entities to uniquely identify an application listening on the network. Please see the inetlisteningserver510_item for additional information.
+
+
+
+ DEPRECATED ITEM: ID:
+
+
+
+
+
+
+
+
+
+
+ This is the name of the communicating program.
+
+
+
+
+ This is the IP address of the network interface on which the program listens. Note that the IP address can be IPv4 or IPv6.
+
+
+
+
+ This is the IP address and network port on which the program listens, equivalent to local_address:local_port. Note that the IP address can be IPv4 or IPv6.
+
+
+
+
+ This is the TCP or UDP port on which the program listens. Note that this is not a list -- if a program listens on multiple ports, or on a combination of TCP and UDP, each will have its own entry in the table data stored by this item.
+
+
+
+
+ This is the IP address with which the program is communicating, or with which it will communicate, in the case of a listening server. Note that the IP address can be IPv4 or IPv6.
+
+
+
+
+ This is the IP address and network port to which the program is communicating or will accept communications from, equivalent to foreign_address:foreign_port. Note that the IP address can be IPv4 or IPv6.
+
+
+
+
+ This is the TCP or UDP port to which the program communicates. In the case of a listening program accepting new connections, this is usually '0'.
+
+
+
+
+ This is the process ID of the process. The process in question is that of the program communicating on the network.
+
+
+
+
+ This is the transport-layer protocol, in lowercase: tcp or udp.
+
+
+
+
+ The numeric user id, or uid, is the third column of each user's entry in /etc/passwd. It represents the owner, and thus privilege level, of the specified program.
+
+
+
+
+
+
+
+
+
+
+
+
+ An inet listening server item stores the results of checking for network servers currently active on a system.
+
+
+
+
+
+
+
+ This is the transport-layer protocol, in lowercase: tcp or udp.
+
+
+
+
+ This is the IP address of the network interface on which the program listens. Note that the IP address can be IPv4 or IPv6.
+
+
+
+
+ This is the TCP or UDP port on which the program listens. Note that this is not a list -- if a program listens on multiple ports, or on a combination of TCP and UDP, each will have its own entry in the table data stored by this item.
+
+
+
+
+ This is the IP address and network port on which the program listens, equivalent to local_address:local_port. Note that the IP address can be IPv4 or IPv6.
+
+
+
+
+ This is the name of the communicating program.
+
+
+
+
+ This is the IP address with which the program is communicating, or with which it will communicate, in the case of a listening server. Note that the IP address can be IPv4 or IPv6.
+
+
+
+
+ This is the TCP or UDP port to which the program communicates. In the case of a listening program accepting new connections, this is usually '0'.
+
+
+
+
+ This is the IP address and network port to which the program is communicating or will accept communications from, equivalent to foreign_address:foreign_port. Note that the IP address can be IPv4 or IPv6.
+
+
+
+
+ This is the process ID of the process. The process in question is that of the program communicating on the network.
+
+
+
+
+ The numeric user id, or uid, is the third column of each user's entry in /etc/passwd. It represents the owner, and thus privilege level, of the specified program.
+
+
+
+
+
+
+
+
+
+
+
+
+ This item stores results from checking the settings of a keychain.
+
+
+
+
+
+
+
+ Specifies the filepath of the keychain.
+
+
+
+
+ Specifies the whether the keychain is configured to lock on sleep.
+
+
+
+
+ The inactivity timeout (in seconds) for the keychain, or 0 if there is no timeout.
+
+
+
+
+
+
+
+
+
+
+
+
+ This item stores results from checking a launchd-controlled daemon/agent.
+
+
+
+
+
+
+
+ Specifies the name of the agent/daemon.
+
+
+
+
+ Specifies the process ID of the daemon (if any).
+
+
+
+
+ Specifies the last exit code of the daemon (if any), or if $lt; 0, indicates the negative of the signal that interrupted processing. For example, a value of -15 would indicate that the job was terminated via a SIGTERM.
+
+
+
+
+
+
+
+
+
+
+
+
+ Output of 'nvram -p'
+
+
+
+
+
+
+
+ A nvram variabl.
+
+
+
+
+ This is the value of the associated nvram variable.
+
+
+
+
+
+
+
+
+
+
+
+
+ The plist_item holds information about an individual property list preference key found on a system. Each plist_item contains a preference key, application identifier or filepath, type, as well as the preference key's value. It extends the standard ItemType as defined in the oval-system-characteristics schema and one should refer to the ItemType description for more information.
+
+
+ 5.11.2:1.0
+ The plist_item has been deprecated and replaced by the plist511_item. The plist_item cannot express the context hierarchy required to differentiate between nodes with identical names. As a result, it is not possible to address a particular node when the order of their parent nodes is indeterminate. The plist511_item was added to address this deficiency. See the plist511_item.
+
+
+
+ DEPRECATED ITEM: ID:
+
+
+
+
+
+
+
+
+
+
+ The preference key to check.
+
+
+
+
+ The unique application identifier that specifies the application to use when looking up the preference key (e.g. com.apple.Safari).
+
+
+
+
+ The absolute path to a plist file (e.g. ~/Library/Preferences/com.apple.Safari.plist).
+
+
+
+
+ The instance of the preference key found in the plist. The first instance of a matching preference key is given the instance value of 1, the second instance of a matching preference key is given the instance value of 2, and so on. Instance values must be assigned using a depth-first approach. Note that the main purpose of this entity is to provide uniqueness for the different plist_items that result from multiple instances of a given preference key in the same plist file.
+
+
+
+
+ The type of the preference key.
+
+
+
+
+ The value of the preference key.
+
+
+
+
+
+
+
+
+
+
+
+
+ The plist511_item stores results from checking the contents of the XML representation of a plist file. It extends the standard ItemType as defined in the oval-system-characteristics schema and one should refer to the ItemType description for more information.
+
+
+
+
+
+
+
+ The unique application identifier that specifies the application to use when looking up the preference key (e.g. com.apple.Safari).
+
+
+
+
+ The absolute path to a plist file (e.g. /Library/Preferences/com.apple.TimeMachine.plist).
+
+
+
+
+ Specifies an XPath 1.0 expression to evaluate against the XML representation of the plist file specified by the filename or app_id entity. This XPath 1.0 expression must evaluate to a list of zero or more text values which will be accessible in OVAL via instances of the value_of entity. Any results from evaluating the XPath 1.0 expression other than a list of text strings (e.g., a nodes set) is considered an error. The intention is that the text values be drawn from instances of a single, uniquely named element or attribute. However, an OVAL interpreter is not required to verify this, so the author should define the XPath expression carefully. Note that "equals" is the only valid operator for the xpath entity.
+
+
+
+
+ The value_of element checks the value(s) of the text node(s) or attribute(s) found. How this is used is entirely controlled by operator attributes.
+
+
+
+
+
+
+
+
+
+
+
+
+ Output of 'pwpolicy -getpolicy'. Please see the 'pwpolicy' man page for additional information.
+
+
+ 5.9
+ Replaced by the pwpolicy59_item. The username, userpass, and directory_node entities in the pwpolicy_item were underspecified and as a result their meaning was uncertain. A new item was created to resolve this issue. See the pwpolicy59_item.
+ This item has been deprecated and may be removed in a future version of the language.
+
+
+
+ DEPRECATED ITEM: ID:
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Maximum number of characters allowed in a password.
+
+
+
+
+ Maximum number of failed logins before the account is locked.
+
+
+
+
+ Minimum number of characters allowed in a password.
+
+
+
+
+ Defines if the password is allowed to be the same as the username or not.
+
+
+
+
+ Defines if the password must contain an alphabetical character or not.
+
+
+
+
+ Defines if the password must contain an numeric character or not.
+
+
+
+
+
+
+
+
+
+
+
+
+ The pwpolicy59_item holds the password policy information for a particular user specified by the target_user element. Please see the 'pwpolicy' man page for additional information.
+
+
+
+
+
+
+
+ The target_user element specifies the user whose password policy information was collected. If xsi:nil="true", the item specifies the global policy.
+
+
+
+
+ The username element specifies the username of the authenticator.
+
+
+
+
+ The userpass element specifies the password of the authenticator as specified by the username element.
+
+
+
+
+ The directory_node element specifies the directory node that the password policy information was collected from.
+
+
+
+
+ Maximum number of characters allowed in a password.
+
+
+
+
+ Maximum number of failed logins before the account is locked.
+
+
+
+
+ Minimum number of characters allowed in a password.
+
+
+
+
+ Defines if the password is allowed to be the same as the username or not.
+
+
+
+
+ Defines if the password must contain an alphabetical character or not.
+
+
+
+
+ Defines if the password must contain an numeric character or not.
+
+
+
+
+ Maximum number of minutes until the password must be changed.
+
+
+
+
+ Minimum number of minutes between password changes.
+
+
+
+
+ Defines if the password must contain upper and lower case characters or not.
+
+
+
+
+ Defines if the password must contain a symbol character or not.
+
+
+
+
+ Number of minutes after login has been disabled due to too many failed login attempts to wait before reenabling login.
+
+
+
+
+ 0 = user can reuse the current pass-word, 1 = user cannot reuse the current password, 2-15 = user cannot reuse the last n passwords.
+
+
+
+
+ If true, the user can change the password.
+
+
+
+
+ If true, user is required to change password on the date in expirationDateGMT
+
+
+
+
+ If true, user's account is disabled on the date in hardExpireDateGMT
+
+
+
+
+ Date for the password to expire, format is: mm/dd/yyyy. NOTE: The pwpolicy command returns the year as a two digit value, but OVAL uses four digit years; the pwpolicy value is converted to an OVAL compatible value.
+
+
+
+
+ Date for the user's account to be disabled, format is: mm/dd/yyyy. NOTE: The pwpolicy command returns the year as a two digit value, but OVAL uses four digit years; the pwpolicy value is converted to an OVAL compatible value.
+
+
+
+
+ User's account is disabled after this interval
+
+
+
+
+ User's account is disabled if it is not accessed by this interval
+
+
+
+
+ If true, the user will be prompted for a new password at the next authentication.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The rlimit_item contains information about the resource limits for launchd.
+ A resource limit is specified as a soft (current) limit and a hard (max) limit. When a soft limit is exceeded a process may receive a signal (for example, if the cpu time or file size is exceeded), but it will be allowed to con-tinue continue tinue execution until it reaches the hard limit (or modifies its resource limit).
+ For any 'unlimited' resource, the entity will have the status of 'does not exist'.
+
+
+
+
+
+
+
+ The maximum amount of cpu time (in seconds) to be used by each process.
+
+
+
+
+ cpu hard limit.
+
+
+
+
+ The largest size (in bytes) file that may be created.
+
+
+
+
+ filesize hard limit.
+
+
+
+
+ The maximum size (in bytes) of the data segment for a process; this defines how far a program may extend its break with the sbrk(2) system call.
+
+
+
+
+ data hard limit.
+
+
+
+
+ The maximum size (in bytes) of the stack segment for a process; this defines how far a program's stack segment may be extended. Stack extension is performed automatically by the system.
+
+
+
+
+ stack hard limit.
+
+
+
+
+ The largest size (in bytes) core file that may be created.
+
+
+
+
+ core hard limit.
+
+
+
+
+ The maximum size (in bytes) to which a process's resident set size may grow. This imposes a limit on the amount of physical memory to be given to a process; if memory is tight, the system will prefer to take memory from processes that are exceeding their declared resident set size.
+
+
+
+
+ rss hard limit.
+
+
+
+
+ The maximum size (in bytes) which a process may lock into memory using the mlock(2) function.
+
+
+
+
+ memlock hard limit.
+
+
+
+
+ The maximum number of simultaneous processes for this user id.
+
+
+
+
+ maxproc hard limit.
+
+
+
+
+ The maximum number of open files for this process.
+
+
+
+
+ maxfiles hard limit.
+
+
+
+
+
+
+
+
+
+
+
+
+ This item represents automatic software update information.
+
+
+
+
+
+
+
+ Specifies whether automatic checking is enabled (true).
+
+
+
+
+ Specifies the title string for an available (not installed) software update.
+
+
+
+
+
+
+
+
+
+
+
+
+ This item stores results from performing an XPATH query on the XML result of a systemprofiler data type query.
+
+
+
+
+
+
+
+ Specifies the data type that was used in collection.
+
+
+
+
+ Specifies an Xpath expression describing the text node(s) or attribute(s) to look at.
+
+
+
+
+ The value_of element checks the value(s) of the text node(s) or attribute(s) found. How this is used is entirely controlled by operator attributes.
+
+
+
+
+
+
+
+
+
+
+
+
+ This item represents system setup information.
+
+
+
+
+
+
+
+ Specifies the name of the current time zone.
+
+
+
+
+ Specifies wither the machine is using network time.
+
+
+
+
+ Specifies the network time server.
+
+
+
+
+ Specifies the computer sleep inactivity timer, or 0 for never.
+
+
+
+
+ Specifies the display sleep inactivity timer, or 0 for never.
+
+
+
+
+ Specifies the hard disk sleep inactivity timer, or 0 for never.
+
+
+
+
+ Specifies whether the computer will wake up if the modem is accessed.
+
+
+
+
+ Specifies whether the computer will wake up if the network is accessed.
+
+
+
+
+ Specifies whether the computer will restart after freezing.
+
+
+
+
+ Specifies whether the computer will restart after a power failure.
+
+
+
+
+ Specifies whether the power button can be used to cause the computer to sleep.
+
+
+
+
+ Specifies whether remote logins are allowed.
+
+
+
+
+ Specifies whether remote Apple events are enabled.
+
+
+
+
+ Specifies the computer's name.
+
+
+
+
+ Specifies the name of the local subnet.
+
+
+
+
+ Specifies the startup disks.
+
+
+
+
+ Specifies the number of seconds the computer waits to start up after a power failure.
+
+
+
+
+ Specifies whether the keyboard is locked when the closure lock is engaged.
+
+
+
+
+ Specifies the kernel boot architecture setting.
+
+
+
+
+
+
+
+
+
+
+
+
+ The EntityItemDataTypeType complex type defines the different values that are valid for the data_type entity of a system_profiler item. These values describe the system_profiler XML data to be retrieved. The empty string is also allowed as a valid value to support an empty element that is found when a variable reference is used within the index entity. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values. Please note that the values identified are for the data_type entity and are not valid values for the datatype attribute.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The empty string value is permitted here to allow for detailed error reporting.
+
+
+
+
+
+
+
+ The EntityItemPermissionCompareType complex type restricts a string value to more, less, or same which specifies if an actual permission is different than the expected permission (more or less restrictive) or if the permission is the same. The empty string is also allowed to support empty elements associated with error conditions.
+
+
+
+
+
+ The actual permission is more restrictive than the expected permission.
+
+
+
+
+ The actual permission is less restrictive than the expected permission.
+
+
+
+
+ The actual permission is the same as the expected permission.
+
+
+
+
+ The empty string value is permitted here to allow for detailed error reporting.
+
+
+
+
+
+
+
+ The EntityItemPlistTypeType complex type restricts a string value to the seven values CFString, CFNumber, CFBoolean, CFDate, CFData, CFArray, and CFDictionary that specify the type of the value associated with a property list preference key. The empty string is also allowed to support empty elements associated with error conditions.
+
+
+ 5.11.2:1.0
+ Used only by the deprecated plist_item.
+ This enumeration has been deprecated and may be removed in a future version of the language.
+
+
+
+
+
+
+
+ The CFString type is used to describe a preference key that has a string value. The OVAL string datatype should be used to represent CFString values.
+
+
+
+
+ The CFNumber type is used to describe a preference key that has a integer or float value. The OVAL int and float datatypes should be used, as appropriate, to represent CFNumber values.
+
+
+
+
+ The CFBoolean type is used to describe a preference key that has a boolean value. The OVAL boolean datatype should be used to represent CFBoolean values.
+
+
+
+
+ The CFDate type is used to describe a preference key that has a date value. The OVAL string datatype should be used to represent CFDate values.
+
+
+
+
+ The CFData type is used to describe a preference key that has a base64-encoded binary value. The OVAL string datatype should be used to represent CFData values.
+
+
+
+
+ The CFArray type is used to describe a preference key that has a collection of values. This is represented as multiple value entities.
+
+
+
+
+ The CFDictionary type is used to describe a preference key that has a collection of key-value pairs. Note that the collection of CFDictionary values is not supported. If an attempt is made to collect a CFDictionary value, an error should be reported.
+
+
+
+
+ The empty string value is permitted here to allow for detailed error reporting.
+
+
+
+
+
+
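Review bot: the launchd item's exit-code description escapes the less-than sign as "$lt; 0", which is not a valid XML entity; it should read "&lt; 0" (or "less than 0") so the documentation renders correctly. Several other documentation strings in this file need a copy-edit before merge: "A nvram variabl." (should be "An nvram variable."), "Specifies the whether the keychain is configured to lock on sleep" (drop "the"), "Specifies wither the machine is using network time" ("whether"), "an numeric character" in both pwpolicy items ("a numeric character"), "pass-word" in the history description, "has a integer or float value" in the CFNumber description, and the rlimit description's "con-tinue continue tinue execution", which looks like a mangled paste from the launchd.plist man page and should simply read "continue execution". The pwpolicy59_item also records the authenticator's password in its userpass element; since items end up in system-characteristics and results files, the description should state how that value is expected to be handled (for example that collectors should omit or mask it, or that the element should carry a status rather than the cleartext value) so that credentials are not persisted in assessment output. Finally, the plist_item deprecation block is missing the "This item has been deprecated and may be removed in a future version of the language." comment that the pwpolicy_item and EntityItemPlistTypeType deprecation blocks carry; keep the three consistent.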
diff --git a/oval-schemas/netconf-definitions-schema.xsd b/oval-schemas/netconf-definitions-schema.xsd
new file mode 100644
index 0000000..5cf9b94
--- /dev/null
+++ b/oval-schemas/netconf-definitions-schema.xsd
@@ -0,0 +1,127 @@
+
+
+
+
+ The following is a description of the elements, types, and attributes that compose the NETCONF (RFC 6241) protocol-specific tests found in Open Vulnerability and Assessment Language (OVAL). Each test is an extension of the standard test element defined in the Core Definition Schema. Through extension, each test inherits a set of elements and attributes that are shared amongst all OVAL tests. Each test is described in detail and should provide the information necessary to understand what each element and attribute represents. This document is intended for developers and assumes some familiarity with XML. A high level description of the interaction between the different tests and their relationship to the Core Definition Schema is not outlined here
+ This schema was originally developed by David Solin at jOVAL.org. The OVAL Schema is maintained by the OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.cisecurity.org.
+
+ NETCONF Definitions
+ 5.11.1:1.1
+ 11/30/2016 09:00:00 AM
+ Copyright (c) 2016, Center for Internet Security. All rights reserved. The contents of this file are subject to the terms of the OVAL License located at https://oval.cisecurity.org/terms. See the OVAL License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the OVAL Schema, this license header must be included.
+
+
+
+
+
+
+
+
+
+
+ The config_test is used to check the properties of the XML output from a GET-CONFIG command, for the running configuration. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a config_object and the optional state element specifies the data to check.
+
+
+ config_test
+ config_object
+ config_state
+ config_item
+
+
+
+
+
+ - the object child element of a config_test must reference a config_object
+
+
+ - the state child element of a config_test must reference a config_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The config_object element is used by a config_test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+ A config_object consists of an xpath entity that contains an XPATH 1.0 query to perform on the NETCONF get-config response XML data. The response data is assumed to consist of a <data> entity in the urn:ietf:params:xml:ns:netconf:base:1.0 XML namespace, with arbitrary (i.e., vendor-specific) child nodes.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Specifies an Xpath expression describing the text node(s) or attribute(s) to look at. Any valid Xpath 1.0 statement is usable with one exception, at most one field may be identified in the Xpath. This is because the value_of element in the data section is only designed to work against a single field. The only valid operator for xpath is equals since there is an infinite number of possible xpaths and determinining all those that do not equal a given xpath would be impossible.
+
+
+
+ - operation attribute for the xpath entity of a config_object should be 'equals', note that this overrules the general operation attribute validation (i.e. follow this one)
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The config_state element defines the different information that can be used to evaluate the result of a specific config xpath evaluation. This includes the xpath used and the value of this xpath.
+
+
+
+
+
+
+
+ Specifies an Xpath expression describing the text node(s) or attribute(s) to look at.
+
+
+
+
+ The value_of element checks the value(s) of the text node(s) or attribute(s) found.
+
+
+
+
+
+
+
+
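Review bot: the config_object xpath description in this file is less precise than the plist511_item xpath description added in the macosx system-characteristics hunk, and the two should be aligned. The macosx wording states that the expression must evaluate to a list of zero or more text values and that any other result (for example a node set) is an error; the config_object wording only says "at most one field may be identified" and leaves the error behaviour unspecified, so an interpreter author cannot tell what to do with a node-set result. While editing that text, fix "determinining" ("determining"). The config_object description also states that the response is assumed to be a <data> element in the urn:ietf:params:xml:ns:netconf:base:1.0 namespace with vendor-specific child nodes, but nothing says how the XPath expression binds namespace prefixes for either the base namespace or the vendor namespaces; since XPath 1.0 has no default-namespace mechanism, the description should state which prefixes are predefined (or that the interpreter must accept prefix declarations in some way), otherwise conformant expressions cannot be written portably. Minor: the config_test description refers to a "GET-CONFIG command" while the config_object text says "get-config response"; use the RFC 6241 operation name <get-config> in both, and the first documentation paragraph is missing its final period.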
diff --git a/oval-schemas/netconf-system-characteristics-schema.xsd b/oval-schemas/netconf-system-characteristics-schema.xsd
new file mode 100644
index 0000000..769c85e
--- /dev/null
+++ b/oval-schemas/netconf-system-characteristics-schema.xsd
@@ -0,0 +1,48 @@
+
+
+
+
+ This document outlines the items of the OVAL System Characteristics XML schema that are composed of NETCONF (RFC 6241) protocol-specific tests. Each item is an extention of a basic System Characteristics item defined in the core System Characteristics XML schema.
+ This schema was originally developed by David Solin at jOVAL.org. The OVAL Schema is maintained by the OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.cisecurity.org.
+
+ NETCONF System Characteristics
+ 5.11.1:1.1
+ 11/30/2016 09:00:00 AM
+ Copyright (c) 2016, Center for Internet Security. All rights reserved. The contents of this file are subject to the terms of the OVAL License located at https://oval.cisecurity.org/terms. See the OVAL License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the OVAL Schema, this license header must be included.
+
+
+
+
+
+
+
+
+
+
+ This item stores results from checking the contents of an xml configuration.
+
+
+
+
+
+
+
+ Specifies an Xpath expression describing the text node(s) or attribute(s) to look at.
+
+
+
+
+ The value_of element checks the value(s) of the text node(s) or attribute(s) found. How this is used is entirely controlled by operator attributes.
+
+
+
+
+
+
+
+
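Review bot: the config_item description "stores results from checking the contents of an xml configuration" is too vague to identify what was collected; it should say that the item holds the results of evaluating the xpath against the NETCONF <get-config> response for the running datastore, matching the config_test description in the definitions schema. Since the test description fixes the datastore to the running configuration, consider either stating that constraint in the item description as well or adding an entity that records which datastore the response came from, so that results can be interpreted unambiguously if other datastores are supported later. Also fix "extention" ("extension") in the schema documentation paragraph.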
diff --git a/oval-schemas/oval-common-schema.xsd b/oval-schemas/oval-common-schema.xsd
new file mode 100644
index 0000000..45524ee
--- /dev/null
+++ b/oval-schemas/oval-common-schema.xsd
@@ -0,0 +1,879 @@
+
+
+
+ The following is a description of the common types that are shared across the different schemas within Open Vulnerability and Assessment Language (OVAL). Each type is described in detail and should provide the information necessary to understand what each represents. This document is intended for developers and assumes some familiarity with XML. A high level description of the interaction between these type is not outlined here.
+ The OVAL Schema is maintained by the OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.cisecurity.org.
+
+ Core Common
+ 5.11.2
+ 11/30/2016 09:00:00 AM
+ Copyright (c) 2016, Center for Internet Security. All rights reserved. The contents of this file are subject to the terms of the OVAL License located at https://oval.cisecurity.org/terms. See the OVAL License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the OVAL Schema, this license header must be included.
+
+
+
+
+
+
+
+
+
+ The deprecated_info element is used in documenting deprecation information for items in the OVAL Language. It is declared globally as it can be found in any of the OVAL schemas and is used as part of the appinfo documentation and therefore it is not an element that can be declared locally and based off a global type..
+
+
+
+
+ The element_mapping element is used in documenting which tests, objects, states, and system characteristic items are associated with each other. It provides a way to explicitly and programatically associate the test, object, state, and item definitions.
+
+
+
+
+ Element for containing notes; can be replaced using a substitution group.
+
+
+
+
+
+
+
+ The ElementMapType is used to document the association between OVAL test, object, state, and item entities.
+
+
+
+
+ The local name of an OVAL test.
+
+
+
+
+ The local name of an OVAL object.
+
+
+
+
+ The local name of an OVAL state.
+
+
+
+
+ The local name of an OVAL item.
+
+
+
+
+
+
+ Defines a reference to an OVAL entity using the schema namespace and element name.
+
+
+
+
+
+ The target_namespace attributes indicates what XML namespace the element belongs to. If not present, the namespace is that of the document in which the ElementMapItemType instance element appears.
+
+
+
+
+
+
+
+ The DeprecatedInfoType complex type defines a structure that will be used to flag schema-defined constructs as deprecated. It holds information related to the version of OVAL when the construct was deprecated along with a reason and comment.
+
+
+
+
+ The required version child element details the version of OVAL in which the construct became deprecated.
+
+
+
+
+
+
+
+ The required reason child element is used to provide an explanation as to why an item was deprecated and to direct a reader to possible alternative structures within OVAL.
+
+
+
+
+ The optional comment child element is used to supply additional information regarding the element's deprecated status.
+
+
+
+
+
+
+ The GeneratorType complex type defines an element that is used to hold information about when a particular OVAL document was compiled, what version of the schema was used, what tool compiled the document, and what version of that tool was used.
+ Additional generator information is also allowed although it is not part of the official OVAL Schema. Individual organizations can place generator information that they feel are important and these will be skipped during the validation. All OVAL really cares about is that the stated generator information is there.
+
+
+
+
+ The optional product_name specifies the name of the application used to generate the file. Product names SHOULD be expressed as CPE Names according to the Common Platform Enumeration: Name Matching Specification Version 2.3.
+
+
+
+
+ The optional product_version specifies the version of the application used to generate the file.
+
+
+
+
+ The required schema_version specifies the version of the OVAL Schema that the document has been written in and that should be used for validation. The versions for both the Core and any platform extensions used should be declared in separate schema_version elements.
+
+
+
+
+
+ The required timestamp specifies when the particular OVAL document was compiled. The format for the timestamp is yyyy-mm-ddThh:mm:ss. Note that the timestamp element does not specify when a definition (or set of definitions) was created or modified but rather when the actual XML document that contains the definition was created. For example, the document might have pulled a bunch of existing OVAL Definitions together, each of the definitions having been created at some point in the past. The timestamp in this case would be when the combined document was created.
+
+
+
+
+ The Asset Identification specification (http://scap.nist.gov/specifications/ai/) provides a standardized way of reporting asset information across different organizations.
+ Asset Identification elements can hold data useful for identifying what tool, what version of that tool was used, and identify other assets used to compile an OVAL document, such as persons or organizations.
+ To support greater interoperability, an ai:assets element describing assets used to produce an OVAL document may appear at this point in an OVAL document.
+
+
+
+
+
+
+ The core version MUST match on all platform schema versions.
+
+
+
+ One (and only one) schema_version element MUST be present and omit the platform attribute to represent the core version.
+
+
+
+
+ Warning: The platform attribute should be set to the URI of the target namespace for this platform extension.
+
+
+
+
+
+ This platform's version () MUST match the core version being used: .
+
+
+
+
+
+
+
+
+ The platform attribute is available to indicate the URI of the target namespace for any platform extension being included. This platform attribute is to be omitted when specifying the core schema version.
+
+
+
+
+
+
+
+ The MessageType complex type defines the structure for which messages are relayed from the data collection engine. Each message is a text string that has an associated level attribute identifying the type of message being sent. These messages could be error messages, warning messages, debug messages, etc. How the messages are used by tools and whether or not they are displayed to the user is up to the specific implementation. Please refer to the description of the MessageLevelEnumeration for more information about each type of message.
+
+
+
+
+
+
+
+
+
+ The NotesType complex type is a container for one or more note child elements. Each note contains some information about the definition or tests that it references. A note may record an unresolved question about the definition or test or present the reason as to why a particular approach was taken.
+
+
+
+
+
+
+
+
+
+
+ The CheckEnumeration simple type defines acceptable check values, which are used to determine the final result of something based on the results of individual components. When used to define the relationship between objects and states, each check value defines how many of the matching objects (items except those with a status of does not exist) must satisfy the given state for the test to return true. When used to define the relationship between instances of a given entity, the different check values defines how many instances must be true for the entity to return true. When used to define the relationship between entities and multiple variable values, each check value defines how many variable values must be true for the entity to return true.
+
+ Below are some tables that outline how each check attribute effects evaluation. The far left column identifies the check attribute in question. The middle column specifies the different combinations of individual results that the check attribute may bind together. (T=true, F=false, E=error, U=unknown, NE=not evaluated, NA=not applicable) For example, a 1+ under T means that one or more individual results are true, while a 0 under U means that zero individual results are unknown. The last column specifies what the final result would be according to each combination of individual results. Note that if the individual test is negated, then a true result is false and a false result is true, all other results stay as is.
+
+ || num of individual results ||
+ check attr is || || final result is
+ || T | F | E | U | NE | NA ||
+---------------||-----------------------------||------------------
+ || 1+ | 0 | 0 | 0 | 0 | 0+ || True
+ || 0+ | 1+ | 0+ | 0+ | 0+ | 0+ || False
+ ALL || 0+ | 0 | 1+ | 0+ | 0+ | 0+ || Error
+ || 0+ | 0 | 0 | 1+ | 0+ | 0+ || Unknown
+ || 0+ | 0 | 0 | 0 | 1+ | 0+ || Not Evaluated
+ || 0 | 0 | 0 | 0 | 0 | 1+ || Not Applicable
+---------------||-----------------------------||------------------
+
+
+ || num of individual results ||
+ check attr is || || final result is
+ || T | F | E | U | NE | NA ||
+---------------||-----------------------------||------------------
+ || 1+ | 0+ | 0+ | 0+ | 0+ | 0+ || True
+ || 0 | 1+ | 0 | 0 | 0 | 0+ || False
+ AT LEAST ONE || 0 | 0+ | 1+ | 0+ | 0+ | 0+ || Error
+ || 0 | 0+ | 0 | 1+ | 0+ | 0+ || Unknown
+ || 0 | 0+ | 0 | 0 | 1+ | 0+ || Not Evaluated
+ || 0 | 0 | 0 | 0 | 0 | 1+ || Not Applicable
+---------------||-----------------------------||------------------
+
+
+ || num of individual results ||
+ check attr is || || final result is
+ || T | F | E | U | NE | NA ||
+---------------||-----------------------------||------------------
+ || 1 | 0+ | 0 | 0 | 0 | 0+ || True
+ || 2+ | 0+ | 0+ | 0+ | 0+ | 0+ || ** False **
+ || 0 | 1+ | 0 | 0 | 0 | 0+ || ** False **
+ ONLY ONE ||0,1 | 0+ | 1+ | 0+ | 0+ | 0+ || Error
+ ||0,1 | 0+ | 0 | 1+ | 0+ | 0+ || Unknown
+ ||0,1 | 0+ | 0 | 0 | 1+ | 0+ || Not Evaluated
+ || 0 | 0 | 0 | 0 | 0 | 1+ || Not Applicable
+---------------||-----------------------------||------------------
+
+
+ || num of individual results ||
+ check attr is || || final result is
+ || T | F | E | U | NE | NA ||
+---------------||-----------------------------||------------------
+ || 0 | 1+ | 0 | 0 | 0 | 0+ || True
+ || 1+ | 0+ | 0+ | 0+ | 0+ | 0+ || False
+ NONE SATISFY || 0 | 0+ | 1+ | 0+ | 0+ | 0+ || Error
+ || 0 | 0+ | 0 | 1+ | 0+ | 0+ || Unknown
+ || 0 | 0+ | 0 | 0 | 1+ | 0+ || Not Evaluated
+ || 0 | 0 | 0 | 0 | 0 | 1+ || Not Applicable
+---------------||-----------------------------||------------------
+
+
+
+
+
+
+ A value of 'all' means that a final result of true is given if all the individual results under consideration are true.
+
+
+
+
+ A value of 'at least one' means that a final result of true is given if at least one of the individual results under consideration is true.
+
+
+
+
+ A value of 'none exists' means that a test evaluates to true if no matching object exists that satisfy the data requirements.
+
+
+ 5.3
+ Replaced by the 'none satisfy' value. In version 5.3 of the OVAL Language, the checking of existence and state were separated into two distinct checks CheckEnumeration (state) and ExistenceEnumeration (existence). Since CheckEnumeration is now used to specify how many objects should satisfy a given state for a test to return true, and no longer used for specifying how many objects must exist for a test to return true, a value of 'none exist' is no longer needed. See the 'none satisfy' value.
+ This value has been deprecated and will be removed in version 6.0 of the language.
+
+
+
+
+ DEPRECATED ATTRIBUTE VALUE IN: ATTRIBUTE VALUE:
+
+
+
+
+
+
+
+
+ A value of 'none satisfy' means that a final result of true is given if none the individual results under consideration are true.
+
+
+
+
+ A value of 'only one' means that a final result of true is given if one and only one of the individual results under consideration are true.
+
+
+
+
+
+
+ The ClassEnumeration simple type defines the different classes of definitions. Each class defines a certain intent regarding how an OVAL Definition is written and what that definition is describing. The specified class gives a hint about the definition so a user can know what the definition writer is trying to say. Note that the class does not make a statement about whether a true result is good or bad as this depends on the use of an OVAL Definition. These classes are also used to group definitions by the type of system state they are describing. For example, this allows users to find all the vulnerability (or patch, or inventory, etc) definitions.
+
+
+
+
+ A compliance definition describes the state of a machine as it complies with a specific policy. A definition of this class will evaluate to true when the system is found to be compliant with the stated policy. Another way of thinking about this is that a compliance definition is stating "the system is compliant if ...".
+
+
+
+
+ An inventory definition describes whether a specific piece of software is installed on the system. A definition of this class will evaluate to true when the specified software is found on the system. Another way of thinking about this is that an inventory definition is stating "the software is installed if ...".
+
+
+
+
+ The 'miscellaneous' class is used to identify definitions that do not fall into any of the other defined classes.
+
+
+
+
+ A patch definition details the machine state of whether a patch executable should be installed. A definition of this class will evaluate to true when the specified patch is missing from the system. Another way of thinking about this is that a patch definition is stating "the patch should be installed if ...". Note that word SHOULD is intended to mean more than just CAN the patch executable be installed. In other words, if a more recent patch is already installed then the specified patch might not need to be installed.
+
+
+
+
+ A vulnerability definition describes the conditions under which a machine is vulnerable. A definition of this class will evaluate to true when the system is found to be vulnerable with the stated issue. Another way of thinking about this is that a vulnerability definition is stating "the system is vulnerable if ...".
+
+
+
+
+
+
+ The SimpleDatatypeEnumeration simple type defines the legal datatypes that are used to describe the values of individual entities that can be represented in a XML string field. The value may have structure and a pattern, but it is represented as string content.
+
+
+
+
+ The binary datatype is used to represent hex-encoded data that is in raw (non-printable) form. This datatype conforms to the W3C Recommendation for binary data meaning that each binary octet is encoded as a character tuple, consisting of two hexadecimal digits {[0-9a-fA-F]} representing the octet code. Expected operations within OVAL for binary values are 'equals' and 'not equal'.
+
+
+
+
+ The boolean datatype represents standard boolean data, either true or false. This datatype conforms to the W3C Recommendation for boolean data meaning that the following literals are legal values: {true, false, 1, 0}. Expected operations within OVAL for boolean values are 'equals' and 'not equal'.
+
+
+
+
+ The evr_string datatype represents the epoch, version, and release fields as a single version string. It has the form "EPOCH:VERSION-RELEASE". Comparisons involving this datatype should follow the algorithm of librpm's rpmvercmp() function. Expected operations within OVAL for evr_string values are 'equals', 'not equal', 'greater than', 'greater than or equal', 'less than', and 'less than or equal'.
+
+
+
+
+ The debian_evr_string datatype represents the epoch, upstream_version, and debian_revision fields, for a Debian package, as a single version string. It has the form "EPOCH:UPSTREAM_VERSION-DEBIAN_REVISION". Comparisons involving this datatype should follow the algorithm outlined in Chapter 5 of the "Debian Policy Manual" (https://www.debian.org/doc/debian-policy/ch-controlfields.html#s-f-Version). Note that a null epoch is equivalent to a value of '0'. An implementation of this is the cmpversions() function in dpkg's enquiry.c. Expected operations within OVAL for debian_evr_string values are 'equals', 'not equal', 'greater than', 'greater than or equal', 'less than', and 'less than or equal'.
+
+
+
+
+ The fileset_revision datatype represents the version string related to filesets in HP-UX. An example would be 'A.03.61.00'. For more information, see the HP-UX "Software Distributor Administration Guide" (http://h20000.www2.hp.com/bc/docs/support/SupportManual/c01919399/c01919399.pdf). Expected operations within OVAL for fileset_version values are 'equals', 'not equal', 'greater than', 'greater than or equal', 'less than', and 'less than or equal'.
+
+
+
+
+ The float datatype describes standard float data. This datatype conforms to the W3C Recommendation for float data meaning it is patterned after the IEEE single-precision 32-bit floating point type. The format consists of a decimal followed, optionally, by the character 'E' or 'e', followed by an integer exponent. The special values positive and negative infinity and not-a-number have are represented by INF, -INF and NaN, respectively. Expected operations within OVAL for float values are 'equals', 'not equal', 'greater than', 'greater than or equal', 'less than', and 'less than or equal'.
+
+
+
+
+ The ios_version datatype describes Cisco IOS Train strings. These are in essence version strings for IOS. Please refer to Cisco's IOS Reference Guide for information on how to compare different Trains as they follow a very specific pattern. Expected operations within OVAL for ios_version values are 'equals', 'not equal', 'greater than', 'greater than or equal', 'less than', and 'less than or equal'.
+
+
+
+
+ The int datatype describes standard integer data. This datatype conforms to the W3C Recommendation for integer data which follows the standard mathematical concept of the integer numbers. (no decimal point and infinite range) Expected operations within OVAL for int values are 'equals', 'not equal', 'greater than', 'greater than or equal', 'less than', 'less than or equal', 'bitwise and', and 'bitwise or'.
+
+
+
+
+ The ipv4_address datatype represents IPv4 addresses and IPv4 address prefixes. Its value space consists of the set of ordered pairs of integers where the first element of each pair is in the range [0,2^32) (the representable range of a 32-bit unsigned int), and the second is in the range [0,32]. The first element is an address, and the second is a prefix length.
+ The lexical space is dotted-quad CIDR-like notation ('a.b.c.d' where 'a', 'b', 'c', and 'd' are integers from 0-255), optionally followed by a slash ('/') and either a prefix length (an integer from 0-32) or a netmask represented in the dotted-quad notation described previously. Examples of legal values are '192.0.2.0', '192.0.2.0/32', and '192.0.2.0/255.255.255.255'. Additionally, leading zeros are permitted such that '192.0.2.0' is equal to '192.000.002.000'. If a prefix length is not specified, it is implicitly equal to 32.
+ The expected operations within OVAL for ipv4_address values are 'equals', 'not equal', 'greater than', 'greater than or equal', 'less than', 'less than or equal', 'subset of', and 'superset of'. All operations are defined in terms of the value space. Let A and B be ipv4_address values (i.e. ordered pairs from the value space). The following definitions assume that bits outside the prefix have been zeroed out. By zeroing the low order bits, they are effectively ignored for all operations. Implementations of the following operations MUST behave as if this has been done.
+ The following defines how to perform each operation for the ipv4_address datatype. Let P_addr mean the first element of ordered pair P and P_prefix mean the second element.
+ equals: A equals B if and only if A_addr == B_addr and A_prefix == B_prefix.
+ not equal: A is not equal to B if and only if they don't satisfy the criteria for operator "equals".
+ greater than: A is greater than B if and only if A_prefix == B_prefix and A_addr > B_addr. If A_prefix != B_prefix, i.e. prefix lengths are not equal, an error MUST be reported.
+ greater than or equal: A is greater than or equal to B if and only if A_prefix == B_prefix and they satisfy either the criteria for operators "equal" or "greater than". If A_prefix != B_prefix, i.e. prefix lengths are not equal, an error MUST be reported.
+ less than: A is less than B if and only if A_prefix == B_prefix and they don't satisfy the criteria for operator "greater than or equal". If A_prefix != B_prefix, i.e. prefix lengths are not equal, an error MUST be reported.
+ less than or equal: A is less than or equal to B if and only if A_prefix == B_prefix and they don't satisfy the criteria for operator "greater than". If A_prefix != B_prefix, i.e. prefix lengths are not equal, an error MUST be reported.
+ subset of: A is a subset of B if and only if every IPv4 address in subnet A is present in subnet B. In other words, A_prefix >= B_prefix and the high B_prefix bits of A_addr and B_addr are equal.
+ superset of: A is a superset of B if and only if B is a subset of A.
+
+
+
+
+ The ipv6_address datatype represents IPv6 addresses and IPv6 address prefixes. Its value space consists of the set of ordered pairs of integers where the first element of each pair is in the range [0,2^128) (the representable range of a 128-bit unsigned int), and the second is in the range [0,128]. The first element is an address, and the second is a prefix length.
+ The lexical space is CIDR notation given in IETF specification RFC 4291 for textual representations of IPv6 addresses and IPv6 address prefixes (see sections 2.2 and 2.3). If a prefix-length is not specified, it is implicitly equal to 128.
+ The expected operations within OVAL for ipv6_address values are 'equals', 'not equal', 'greater than', 'greater than or equal', 'less than', 'less than or equal', 'subset of', and 'superset of'. All operations are defined in terms of the value space. Let A and B be ipv6_address values (i.e. ordered pairs from the value space). The following definitions assume that bits outside the prefix have been zeroed out. By zeroing the low order bits, they are effectively ignored for all operations. Implementations of the following operations MUST behave as if this has been done.
+ The following defines how to perform each operation for the ipv6_address datatype. Let P_addr mean the first element of ordered pair P and P_prefix mean the second element.
+ equals: A equals B if and only if A_addr == B_addr and A_prefix == B_prefix.
+ not equal: A is not equal to B if and only if they don't satisfy the criteria for operator "equals".
+ greater than: A is greater than B if and only if A_prefix == B_prefix and A_addr > B_addr. If A_prefix != B_prefix, an error MUST be reported.
+ greater than or equal: A is greater than or equal to B if and only if A_prefix == B_prefix and they satisfy either the criteria for operators "equal" or "greater than". If A_prefix != B_prefix, an error MUST be reported.
+ less than: A is less than B if and only if A_prefix == B_prefix and they don't satisfy the criteria for operator "greater than or equal". If A_prefix != B_prefix, an error MUST be reported.
+ less than or equal: A is less than or equal to B if and only if A_prefix == B_prefix and they don't satisfy the criteria for operator "greater than". If A_prefix != B_prefix, an error MUST be reported.
+ subset of: A is a subset of B if and only if every IPv6 address in subnet A is present in subnet B. In other words, A_prefix >= B_prefix and the high B_prefix bits of A_addr and B_addr are equal.
+ superset of: A is a superset of B if and only if B is a subset of A.
+
+
+
+
+ The string datatype describes standard string data. This datatype conforms to the W3C Recommendation for string data. Expected operations within OVAL for string values are 'equals', 'not equal', 'case insensitive equals', 'case insensitive not equal', 'pattern match'.
+
+
+
+
+ The version datatype represents a value that is a hierarchical list of non-negative integers separated by a single character delimiter. Note that any non-number character can be used as a delimiter and that different characters can be used within the same version string. So '#.#-#' is the same as '#.#.#' or '#c#c#' where '#' is any non-negative integer. Expected operations within OVAL for version values are 'equals', 'not equal', 'greater than', 'greater than or equal', 'less than', and 'less than or equal'.
+ For example '#.#.#' or '#-#-#-#' where the numbers to the left are more significant than the numbers to the right. When performing an 'equals' operation on a version datatype, you should first check the left most number for equality. If that fails, then the values are not equal. If it succeeds, then check the second left most number for equality. Continue checking the numbers from left to right until the last number has been checked. If, after testing all the previous numbers, the last number is equal then the two versions are equal. When performing other operations, such as 'less than', 'less than or equal', 'greater than, or 'greater than or equal', similar logic as above is used. Start with the left most number and move from left to right. For each number, check if it is less than the number you are testing against. If it is, then the version in question is less than the version you are testing against. If the number is equal, then move to check the next number to the right. For example, to test if 5.7.23 is less than or equal to 5.8.0 you first compare 5 to 5. They are equal so you move on to compare 7 to 8. 7 is less than 8 so the entire test succeeds and 5.7.23 is 'less than or equal' to 5.8.0. The difference between the 'less than' and 'less than or equal' operations is how the last number is handled. If the last number is reached, the check should use the given operation (either 'less than' and 'less than or equal') to test the number. For example, to test if 4.23.6 is greater than 4.23.6 you first compare 4 to 4. They are equal so you move on to compare 23 to 23. They are equal so you move on to compare 6 to 6. This is the last number in the version and since 6 is not greater than 6, the entire test fails and 4.23.6 is not greater than 4.23.6.
+ Version strings with a different number of components shall be padded with zeros to make them the same size. For example, if the version strings '1.2.3' and '6.7.8.9' are being compared, then the short one should be padded to become '1.2.3.0'.
+
+
+
+
+
+
+ The ComplexDatatypeEnumeration simple type defines the complex legal datatypes that are supported in OVAL. These datatype describe the values of individual entities where the entity has some complex structure beyond simple string like content.
+
+
+
+
+ The record datatype describes an entity with structured set of named fields and values as its content. The only allowed operation within OVAL for record values is 'equals'. Note that the record datatype is not currently allowed when using variables.
+
+
+
+
+
+
+ The DatatypeEnumeration simple type defines the legal datatypes that are used to describe the values of individual entities. A value should be interpreted according to the specified type. This is most important during comparisons. For example, is '21' less than '123'? will evaluate to true if the datatypes are 'int', but will evaluate to 'false' if the datatypes are 'string'. Another example is applying the 'equal' operation to '1.0.0.0' and '1.0'. With datatype 'string' they are not equal, with datatype 'version' they are.
+
+
+
+
+
+ The ExistenceEnumeration simple type defines acceptable existence values, which are used to determine a result based on the existence of individual components. The main use for this is for a test regarding the existence of objects on the system. Its secondary use is for a state regarding the existence of entities in corresponding items.
+
+ Below are some tables that outline how each ExistenceEnumeration value effects evaluation of a given test. Note that this is related to the existence of an object(s) and not the object(s) compliance with a state. The left column identifies the ExistenceEnumeration value in question. The middle column specifies the different combinations of individual item status values that have been found in the system characteristics file related to the given object. (EX=exists, DE=does not exist, ER=error, NC=not collected) For example, a 1+ under EX means that one or more individual item status attributes are set to exists, while a 0 under NC means that zero individual item status attributes are set to not collected. The last column specifies what the result of the existence piece would be according to each combination of individual item status values.
+
+ || item status value count ||
+ attr value || || existence piece is
+ || EX | DE | ER | NC ||
+--------------------||---------------------------||------------------
+ || 1+ | 0 | 0 | 0 || True
+ || 0 | 0 | 0 | 0 || False
+ || 0+ | 1+ | 0+ | 0+ || False
+ all_exist || 0+ | 0 | 1+ | 0+ || Error
+ || 0+ | 0 | 0 | 1+ || Unknown
+ || -- | -- | -- | -- || Not Evaluated
+ || -- | -- | -- | -- || Not Applicable
+--------------------||---------------------------||------------------
+
+
+ || item status value count ||
+ attr value || || existence piece is
+ || EX | DE | ER | NC ||
+--------------------||---------------------------||------------------
+ || 0+ | 0+ | 0 | 0+ || True
+ || 1+ | 0+ | 1+ | 0+ || True
+ || -- | -- | -- | -- || False
+ any_exist || 0 | 0+ | 1+ | 0+ || Error
+ || -- | -- | -- | -- || Unknown
+ || -- | -- | -- | -- || Not Evaluated
+ || -- | -- | -- | -- || Not Applicable
+--------------------||---------------------------||------------------
+
+
+ || item status value count ||
+ attr value || || existence piece is
+ || EX | DE | ER | NC ||
+--------------------||---------------------------||------------------
+ || 1+ | 0+ | 0+ | 0+ || True
+ || 0 | 0+ | 0 | 0 || False
+at_least_one_exists || 0 | 0+ | 1+ | 0+ || Error
+ || 0 | 0+ | 0 | 1+ || Unknown
+ || -- | -- | -- | -- || Not Evaluated
+ || -- | -- | -- | -- || Not Applicable
+--------------------||---------------------------||------------------
+
+
+ || item status value count ||
+ attr value || || existence piece is
+ || EX | DE | ER | NC ||
+--------------------||---------------------------||------------------
+ || 0 | 0+ | 0 | 0 || True
+ || 1+ | 0+ | 0+ | 0+ || False
+ none_exist || 0 | 0+ | 1+ | 0+ || Error
+ || 0 | 0+ | 0 | 1+ || Unknown
+ || -- | -- | -- | -- || Not Evaluated
+ || -- | -- | -- | -- || Not Applicable
+--------------------||---------------------------||------------------
+
+
+ || item status value count ||
+ attr value || || existence piece is
+ || EX | DE | ER | NC ||
+--------------------||---------------------------||------------------
+ || 1 | 0+ | 0 | 0 || True
+ || 2+ | 0+ | 0+ | 0+ || False
+ || 0 | 0+ | 0 | 0 || False
+ only_one_exists || 0,1 | 0+ | 1+ | 0+ || Error
+ || 0,1 | 0+ | 0 | 1+ || Unknown
+ || -- | -- | -- | -- || Not Evaluated
+ || -- | -- | -- | -- || Not Applicable
+--------------------||---------------------------||------------------
+
+
+
+
+
+
+ When used in the context of an OVAL state entity's check_existence attribute, a value of 'all_exist' means that every item entity for an object defined by the description exists on the system. When used in the context of an OVAL test's check_existence attribute, this value is equivalent to 'at_least_one_exists' because non-existent items have no impact upon evaluation.
+
+
+
+
+ A value of 'any_exist' means that zero or more objects defined by the description exist on the system.
+
+
+
+
+ A value of 'at_least_one_exists' means that at least one object defined by the description exists on the system.
+
+
+
+
+ A value of 'none_exist' means that none of the objects defined by the description exist on the system.
+
+
+
+
+ A value of 'only_one_exists' means that only one object defined by the description exists on the system.
+
+
+
+
+
+
+ The FamilyEnumeration simple type is a listing of families that OVAL supports at this time. Since new family values can only be added with new version of the schema, the value of 'undefined' is to be used when the desired family is not available. Note that use of the undefined family value does not target all families, rather it means that some family other than one of the defined values is targeted.
+
+
+
+
+ The android value describes the Android mobile operating system.
+
+
+
+
+ The asa value describes the Cisco ASA security devices.
+
+
+
+
+ The apple_ios value describes the iOS mobile operating system.
+
+
+
+
+ The catos value describes the Cisco CatOS operating system.
+
+
+
+
+ The ios value describes the Cisco IOS operating system.
+
+
+
+
+ The iosxe value describes the Cisco IOS XE operating system.
+
+
+
+
+ The junos value describes the Juniper JunOS operating system.
+
+
+
+
+ The macos value describes the Mac operating system.
+
+
+
+
+ The pixos value describes the Cisco PIX operating system.
+
+
+
+
+ The undefined value is to be used when the desired family is not available.
+
+
+
+
+ The unix value describes the UNIX operating system.
+
+
+
+
+ The vmware_infrastructure value describes VMWare Infrastructure.
+
+
+
+
+ The windows value describes the Microsoft Windows operating system.
+
+
+
+
+
+
+ The MessageLevelEnumeration simple type defines the different levels associated with a message. There is no specific criteria about which messages get assigned which level. This is completely arbitrary and up to the content producer to decide what is an error message and what is a debug message.
+
+
+
+
+ Debug messages should only be displayed by a tool when run in some sort of verbose mode.
+
+
+
+
+ Error messages should be recorded when there was an error that did not allow the collection of specific data.
+
+
+
+
+ A fatal message should be recorded when an error causes the failure of more than just a single piece of data.
+
+
+
+
+ Info messages are used to pass useful information about the data collection to a user.
+
+
+
+
+ A warning message reports something that might not correct but information was still collected.
+
+
+
+
+
+
+ The OperationEnumeration simple type defines acceptable operations. Each operation defines how to compare entities against their actual values.
+
+
+
+
+ The 'equals' operation returns true if the actual value on the system is equal to the stated entity. When the specified datatype is a string, this results in a case-sensitive comparison.
+
+
+
+
+ The 'not equal' operation returns true if the actual value on the system is not equal to the stated entity. When the specified datatype is a string, this results in a case-sensitive comparison.
+
+
+
+
+ The 'case insensitive equals' operation is meant for string data and returns true if the actual value on the system is equal (using a case insensitive comparison) to the stated entity.
+
+
+
+
+ The 'case insensitive not equal' operation is meant for string data and returns true if the actual value on the system is not equal (using a case insensitive comparison) to the stated entity.
+
+
+
+
+ The 'greater than' operation returns true if the actual value on the system is greater than the stated entity.
+
+
+
+
+ The 'less than' operation returns true if the actual value on the system is less than the stated entity.
+
+
+
+
+ The 'greater than or equal' operation returns true if the actual value on the system is greater than or equal to the stated entity.
+
+
+
+
+ The 'less than or equal' operation returns true if the actual value on the system is less than or equal to the stated entity.
+
+
+
+
+ The 'bitwise and' operation is used to determine if a specific bit is set. It returns true if performing a BITWISE AND with the binary representation of the stated entity against the binary representation of the actual value on the system results in a binary value that is equal to the binary representation of the stated entity. For example, assuming a datatype of 'int', if the actual integer value of the setting on your machine is 6 (same as 0110 in binary), then performing a 'bitwise and' with the stated integer 4 (0100) returns 4 (0100). Since the result is the same as the state mask, then the test returns true. If the actual value on your machine is 1 (0001), then the 'bitwise and' with the stated integer 4 (0100) returns 0 (0000). Since the result is not the same as the stated mask, then the test fails.
+
+
+
+
+ The 'bitwise or' operation is used to determine if a specific bit is not set. It returns true if performing a BITWISE OR with the binary representation of the stated entity against the binary representation of the actual value on the system results in a binary value that is equal to the binary representation of the stated entity. For example, assuming a datatype of 'int', if the actual integer value of the setting on your machine is 6 (same as 0110 in binary), then performing a 'bitwise or' with the stated integer 14 (1110) returns 14 (1110). Since the result is the same as the state mask, then the test returns true. If the actual value on your machine is 1 (0001), then the 'bitwise or' with the stated integer 14 (1110) returns 15 (1111). Since the result is not the same as the stated mask, then the test fails.
+
+
+
+
+ The 'pattern match' operation allows an item to be tested against a regular expression. When used by an entity in an OVAL Object, the regular expression represents the unique set of matching items on the system. OVAL supports a common subset of the regular expression character classes, operations, expressions and other lexical tokens defined within Perl 5's regular expression specification. For more information on the supported regular expression syntax in OVAL see: http://oval.mitre.org/language/about/re_support_5.6.html
+
+
+
+
+ The 'subset of' operation returns true if the actual set on the system is a subset of the set defined by the stated entity.
+
+
+
+
+ The 'superset of' operation returns true if the actual set on the system is a superset of the set defined by the stated entity.
+
+
+
+
+
+
+ The OperatorEnumeration simple type defines acceptable operators. Each operator defines how to evaluate multiple arguments.
+
+ Below are some tables that outline how each operator effects evaluation. The far left column identifies the operator in question. The middle column specifies the different combinations of individual results that the operator may bind together. (T=true, F=false, E=error, U=unknown, NE=not evaluated, NA=not applicable) For example, a 1+ under T means that one or more individual results are true, while a 0 under U means that zero individual results are unknown. The last column specifies what the final result would be according to each combination of individual results. Note that if the individual test is negated, then a true result is false and a false result is true, all other results stay as is.
+
+ || num of individual results ||
+ operator is || || final result is
+ || T | F | E | U | NE | NA ||
+---------------||-----------------------------||------------------
+ || 1+ | 0 | 0 | 0 | 0 | 0+ || True
+ || 0+ | 1+ | 0+ | 0+ | 0+ | 0+ || False
+ AND || 0+ | 0 | 1+ | 0+ | 0+ | 0+ || Error
+ || 0+ | 0 | 0 | 1+ | 0+ | 0+ || Unknown
+ || 0+ | 0 | 0 | 0 | 1+ | 0+ || Not Evaluated
+ || 0 | 0 | 0 | 0 | 0 | 1+ || Not Applicable
+---------------||-----------------------------||------------------
+
+
+ || num of individual results ||
+ operator is || || final result is
+ || T | F | E | U | NE | NA ||
+---------------||-----------------------------||------------------
+ || 1 | 0+ | 0 | 0 | 0 | 0+ || True
+ || 2+ | 0+ | 0+ | 0+ | 0+ | 0+ || ** False **
+ || 0 | 1+ | 0 | 0 | 0 | 0+ || ** False **
+ ONE ||0,1 | 0+ | 1+ | 0+ | 0+ | 0+ || Error
+ ||0,1 | 0+ | 0 | 1+ | 0+ | 0+ || Unknown
+ ||0,1 | 0+ | 0 | 0 | 1+ | 0+ || Not Evaluated
+ || 0 | 0 | 0 | 0 | 0 | 1+ || Not Applicable
+---------------||-----------------------------||------------------
+
+
+ || num of individual results ||
+ operator is || || final result is
+ || T | F | E | U | NE | NA ||
+---------------||-----------------------------||------------------
+ || 1+ | 0+ | 0+ | 0+ | 0+ | 0+ || True
+ || 0 | 1+ | 0 | 0 | 0 | 0+ || False
+ OR || 0 | 0+ | 1+ | 0+ | 0+ | 0+ || Error
+ || 0 | 0+ | 0 | 1+ | 0+ | 0+ || Unknown
+ || 0 | 0+ | 0 | 0 | 1+ | 0+ || Not Evaluated
+ || 0 | 0 | 0 | 0 | 0 | 1+ || Not Applicable
+---------------||-----------------------------||------------------
+
+
+ || num of individual results ||
+ operator is || || final result is
+ || T | F | E | U | NE | NA ||
+---------------||-----------------------------||------------------
+ ||odd | 0+ | 0 | 0 | 0 | 0+ || True
+ ||even| 0+ | 0 | 0 | 0 | 0+ || False
+ XOR || 0+ | 0+ | 1+ | 0+ | 0+ | 0+ || Error
+ || 0+ | 0+ | 0 | 1+ | 0+ | 0+ || Unknown
+ || 0+ | 0+ | 0 | 0 | 1+ | 0+ || Not Evaluated
+ || 0 | 0 | 0 | 0 | 0 | 1+ || Not Applicable
+---------------||-----------------------------||------------------
+
+
+
+
+
+
+ The AND operator produces a true result if every argument is true. If one or more arguments are false, the result of the AND is false. If one or more of the arguments are unknown, and if none of the arguments are false, then the AND operator produces a result of unknown.
+
+
+
+
+ The ONE operator produces a true result if one and only one argument is true. If there are more than argument is true (or if there are no true arguments), the result of the ONE is false. If one or more of the arguments are unknown, then the ONE operator produces a result of unknown.
+
+
+
+
+ The OR operator produces a true result if one or more arguments is true. If every argument is false, the result of the OR is false. If one or more of the arguments are unknown and if none of arguments are true, then the OR operator produces a result of unknown.
+
+
+
+
+ XOR is defined to be true if an odd number of its arguments are true, and false otherwise. If any of the arguments are unknown, then the XOR operator produces a result of unknown.
+
+
+
+
+
+
+
+
+
+ Define the format for acceptable OVAL Definition ids. An urn format is used with the id starting with the word oval followed by a unique string, followed by the three letter code 'def', and ending with an integer.
+
+
+
+
+
+
+
+ Define the format for acceptable OVAL Object ids. An urn format is used with the id starting with the word oval followed by a unique string, followed by the three letter code 'obj', and ending with an integer.
+
+
+
+
+
+
+
+ Define the format for acceptable OVAL State ids. An urn format is used with the id starting with the word oval followed by a unique string, followed by the three letter code 'ste', and ending with an integer.
+
+
+
+
+
+
+
+ Define the format for acceptable OVAL Test ids. An urn format is used with the id starting with the word oval followed by a unique string, followed by the three letter code 'tst', and ending with an integer.
+
+
+
+
+
+
+
+ Define the format for acceptable OVAL Variable ids. An urn format is used with the id starting with the word oval followed by a unique string, followed by the three letter code 'var', and ending with an integer.
+
+
+
+
+
+
+
+ Define the format for acceptable OVAL Item ids. The format is an integer. An item id is used to identify the different items found in an OVAL System Characteristics file.
+
+
+
+
+
+ Define the format for acceptable OVAL Language version strings.
+
+
+
+
+
+
+
+
+
+
+ The EmptyStringType simple type is a restriction of the built-in string simpleType. The only allowed string is the empty string with a length of zero. This type is used by certain elements to allow empty content when non-string data is accepted. See the EntityIntType in the OVAL Definition Schema for an example of its use.
+
+
+
+
+
+
+
+ The NonEmptyStringType simple type is a restriction of the built-in string simpleType. Empty strings are not allowed. This type is used by comment attributes where an empty value is not allowed.
+
+
+
+
+
+
+
+
+
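Review bot: several documentation strings in this new oval-common-schema.xsd hunk carry typos or inconsistencies that will be copied verbatim into generated schema docs, so they are worth fixing before the file lands. In the CheckEnumeration text, "if none the individual results under consideration are true" should read "if none of the individual results"; in the float datatype text, "not-a-number have are represented by INF, -INF and NaN" should drop "have"; and in the ONE operator text, "If there are more than argument is true (or if there are no true arguments)" should read "If more than one argument is true (or if no argument is true)". Smaller points of the same kind: the fileset_revision datatype description ends with "Expected operations within OVAL for fileset_version values", so the datatype name is inconsistent within one paragraph; the version datatype text has an unclosed quote in "'greater than, or 'greater than or equal'" and says "(either 'less than' and 'less than or equal')" where "or" is meant; the warning MessageLevel text "reports something that might not correct" is missing "be"; and both table introductions say "effects evaluation" where "affects evaluation" is intended. Since the hunk adds the whole file, these can all be corrected in this same change rather than in a follow-up.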
diff --git a/oval-schemas/oval-definitions-schema.xsd b/oval-schemas/oval-definitions-schema.xsd
new file mode 100644
index 0000000..bb158e6
--- /dev/null
+++ b/oval-schemas/oval-definitions-schema.xsd
@@ -0,0 +1,1819 @@
+
+
+
+
+
+ The following is a description of the elements, types, and attributes that compose the core schema for encoding Open Vulnerability and Assessment Language (OVAL) Definitions. Some of the objects defined here are extended and enhanced by individual component schemas, which are described in separate documents. Each of the elements, types, and attributes that make up the Core Definition Schema are described in detail and should provide the information necessary to understand what each represents. This document is intended for developers and assumes some familiarity with XML. A high level description of the interaction between these objects is not outlined here.
+ The OVAL Schema is maintained by OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.cisecurity.org.
+
+ Core Definition
+ 5.11.2
+ 11/30/2016 09:00:00 AM
+ Copyright (c) 2016, Center for Internet Security. All rights reserved. The contents of this file are subject to the terms of the OVAL License located at https://oval.cisecurity.org/terms. See the OVAL License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the OVAL Schema, this license header must be included.
+
+
+
+
+
+
+
+
+
+ The oval_definitions element is the root of an OVAL Definition Document. Its purpose is to bind together the major sections of a document - generator, definitions, tests, objects, states, and variables - which are the children of the root element.
+
+
+
+ A valid OVAL Definition document must contain at least one definitions, tests, objects, states, or variables element. The optional definitions, tests, objects, states, and variables sections define the specific characteristics that should be evaluated on a system to determine the truth values of the OVAL Definition Document. To be valid though, at least one definitions, tests, objects, states, or variables element must be present.
+
+
+
+
+
+
+
+
+ The required generator section provides information about when the definition file was compiled and under what version.
+
+
+
+
+ The optional definitions section contains 1 or more definitions.
+
+
+
+
+ The optional tests section contains 1 or more tests.
+
+
+
+
+ The optional objects section contains 1 or more objects.
+
+
+
+
+ The optional states section contains 1 or more states.
+
+
+
+
+ The optional variables section contains 1 or more variables.
+
+
+
+
+ The optional Signature element allows an XML Signature as defined by the W3C to be attached to the document. This allows authentication and data integrity to be provided to the user. Enveloped signatures are supported. More information about the official W3C Recommendation regarding XML digital signatures can be found at http://www.w3.org/TR/xmldsig-core/.
+
+
+
+
+
+
+ Enforce uniqueness amongst the ids differentiating the individual definition elements.
+
+
+
+
+
+
+ Enforce uniqueness amongst the ids differentiating the individual test elements.
+
+
+
+
+
+
+ Enforce uniqueness amongst the ids differentiating the individual object elements.
+
+
+
+
+
+
+ Enforce uniqueness amongst the ids differentiating the individual state elements.
+
+
+
+
+
+
+ Enforce uniqueness amongst the ids differentiating the individual variable elements.
+
+
+
+
+
+
+ Requires each definition reference to refer to a valid definition id.
+
+
+
+
+
+
+ Requires each test reference to refer to a valid test id.
+
+
+
+
+
+
+ Requires each object reference to refer to a valid object id.
+
+
+
+
+
+
+ Requires each state reference to refer to a valid state id.
+
+
+
+
+
+
+ Requires each variable reference to refer to a valid variable id.
+
+
+
+
+
+
+ Require each object reference in a set element to refer to a valid object id.
+
+
+
+
+
+
+ Require each filter in a set element to refer to a valid state id.
+
+
+
+
+
+
+
+ The notes element is a container for one or more note child elements. It exists for backwards-compatibility purposes, for the pre-5.11.0 oval-def:NotesType, which has been replaced by the oval:notes element in 5.11.1.
+
+
+ 5.11.1
+ Replaced by the oval:notes element.
+ This object has been deprecated and may be removed in a future version of the language.
+
+
+
+ DEPRECATED ELEMENT: parent ID:
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The DefinitionsType complex type is a container for one or more definition elements. Each definition element describes a single OVAL Definition. Please refer to the description of the DefinitionType for more information about an individual definition.
+
+
+
+
+
+
+
+ The definition element represents the globally defined element of type DefinitionType. For more information please see the documentation on the DefinitionType.
+
+
+
+
+ The DefinitionType defines a single OVAL Definition. A definition is the key structure in OVAL. It is analogous to the logical sentence or proposition: if a computer's state matches the configuration parameters laid out in the criteria, then that computer exhibits the state described. The DefinitionType contains a section for various metadata related elements that describe the definition. This includes a description, version, affected system types, and reference information. The notes section of a definition should be used to hold information that might be helpful to someone examining the technical aspects of the definition. For example, why certain tests have been included in the criteria, or maybe a link to where further information can be found. The DefinitionType also (unless the definition is deprecated) contains a criteria child element that joins individual tests together with a logical operator to specify the specific computer state being described.
+ The required id attribute is the OVAL-ID of the Definition. The form of an OVAL-ID must follow the specific format described by the oval:DefinitionIDPattern. The required version attribute holds the current version of the definition. Versions are integers, starting at 1 and incrementing every time a definition is modified. The required class attribute indicates the specific class to which the definition belongs. The class gives a hint to a user so they can know what the definition writer is trying to say. See the definition of oval-def:ClassEnumeration for more information about the different valid classes. The optional deprecated attribute signifies that an id is no longer to be used or referenced but the information has been kept around for historic purposes.
+ When the deprecated attribute is set to true, the definition is considered to be deprecated. The criteria child element of a deprecated definition is optional. If a deprecated definition does not contain a criteria child element, the definition must evaluate to "not evaluated". If a deprecated definition contains a criteria child element, an interpreter should evaluate the definition as if it were not deprecated, but an interpreter may evaluate the definition to "not evaluated".
+
+
+
+ A valid OVAL Definition must contain a criteria unless the definition is a deprecated definition.
+
+
+
+
+
+
+
+
+
+ Each affected element must have a unique family attribute value.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The MetadataType complex type contains all the metadata available to an OVAL Definition. This metadata is for informational purposes only and is not part of the criteria used to evaluate machine state. The required title child element holds a short string that is used to quickly identify the definition to a human user. The affected metadata item contains information about the system(s) for which the definition has been written. Remember that this is just metadata and not part of the criteria. Please refer to the AffectedType description for more information. The required description element contains a textual description of the configuration state being addressed by the OVAL Definition. In the case of a definition from the vulnerability class, the reference is usually the Common Vulnerability and Exposures (CVE) Identifier, and this description field corresponds with the CVE description.
+ Additional metadata is also allowed although it is not part of the official OVAL Schema. Individual organizations can place metadata items that they feel are important and these will be skipped during the validation. All OVAL really cares about is that the stated metadata items are there.
+
+
+
+
+
+
+ Each affected platform element must have a unique value.
+
+
+
+
+
+
+ Each affected product element must have a unique value.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Each OVAL Definition is written to evaluate a certain type of system(s). The family, platform(s), and product(s) of this target are described by the AffectedType whose main purpose is to provide hints for tools using OVAL Definitions. For instance, to help a reporting tool only use Windows definitions, or to preselect only Red Hat definitions to be evaluated. Note, the inclusion of a particular platform or product does not mean the definition is physically checking for the existence of the platform or product. For the actual test to be performed, the correct test must still be included in the definition's criteria section.
+ The AffectedType complex type details the specific system, application, subsystem, library, etc. for which a definition has been written. If a definition is not tied to a specific product, then this element should not be included. The absence of the platform or product element can be thought of as definition applying to all platforms or products. The inclusion of a particular platform or product does not mean the definition is physically checking for the existence of the platform or product. For the actual test to be performed, the correct test must still be included in the definition's criteria section. To increase the utility of this element, care should be taken when assigning and using strings for product names. The schema places no restrictions on the values that can be assigned, potentially leading to many different representations of the same value. For example, 'Internet Explorer' and 'IE' might be used to refer to the same product. The current convention is to fully spell out all terms, and avoid the use of abbreviations at all costs.
+ Please note that the AffectedType will change in future versions of OVAL in order to support the Common Platform Enumeration (CPE).
+
+
+
+
+
+
+
+
+
+ The ReferenceType complex type links the OVAL Definition to a definitive external reference. For example, CVE Identifiers are used for referencing vulnerabilities. The intended purpose for this reference is to link the definition to a variety of other sources that address the same issue being specified by the OVAL Definition.
+ The required source attribute specifies where the reference is coming from. In other words, it identifies the reference repository being used. The required ref_id attribute is the external id of the reference. The optional ref_url attribute is the URL to the reference.
+
+
+
+
+
+
+
+ The CriteriaType complex type describes a container for a set of sub criteria, criteria, criterion, or extend_definition elements allowing complex logical trees to be constructed. Each referenced test is represented by a criterion element. Please refer to the description of the CriterionType for more information about and individual criterion element. The optional extend_definition element allows existing definitions to be included in the criteria. Refer to the description of the ExtendDefinitionType for more information.
+ The required operator attribute provides the logical operator that binds the different statements inside a criteria together. The optional negate attribute signifies that the result of the criteria as a whole should be negated during analysis. For example, consider a criteria that evaluates to TRUE if certain software is installed. By negating this test, it now evaluates to TRUE if the software is NOT installed. The optional comment attribute provides a short description of the criteria.
+ The optional applicability_check attribute provides a Boolean flag that when true indicates that the criteria is being used to determine whether the OVAL Definition applies to a given system.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The CriterionType complex type identifies a specific test to be included in the definition's criteria.
+ The required test_ref attribute is the actual id of the test being referenced. The optional negate attribute signifies that the result of an individual test should be negated during analysis. For example, consider a test that evaluates to TRUE if a specific patch is installed. By negating this test, it now evaluates to TRUE if the patch is NOT installed. The optional comment attribute provides a short description of the specified test and should mirror the comment attribute of the actual test.
+ The optional applicability_check attribute provides a Boolean flag that when true indicates that the criterion is being used to determine whether the OVAL Definition applies to a given system.
+
+
+
+
+
+
+
+
+ The ExtendDefinitionType complex type allows existing definitions to be extended by another definition. This works by evaluating the extended definition and then using the result within the logical context of the extending definition.
+ The required definition_ref attribute is the actual id of the definition being extended. The optional negate attribute signifies that the result of an extended definition should be negated during analysis. For example, consider a definition that evaluates TRUE if certainsoftware is installed. By negating the definition, it now evaluates to TRUE if the software is NOT installed. The optional comment attribute provides a short description of the specified definition and should mirror the title metadata of the extended definition.
+ The optional applicability_check attribute provides a Boolean flag that when true indicates that the extend_definition is being used to determine whether the OVAL Definition applies to a given system.
+
+
+
+
+
+
+
+
+
+
+
+ The TestsType complex type is a container for one or more test child elements. Each test element describes a single OVAL Test. Please refer to the description of the TestType for more information about an individual test.
+
+
+
+
+
+
+
+ The test element is an abstract element that is meant to be extended (via substitution groups) by the individual tests found in the component schemas. An OVAL Test is used to compare an object(s) against a defined state. An actual test element is not valid. The use of this abstract class simplifies the OVAL schema by allowing individual tests to inherit the optional notes child element, and the id and comment attributes from the base TestType. Please refer to the description of the TestType complex type for more information.
+
+
+
+
+ The base type of every test includes an optional notes element and several attributes. The notes section of a test should be used to hold information that might be helpful to someone examining the technical aspects of the test. For example, why certain values have been used by the test, or maybe a link to where further information can be found. Please refer to the description of the NotesType complex type for more information about the notes element. The required comment attribute provides a short description of the test. The optional deprecated attribute signifies that an id is no longer to be used or referenced but the information has been kept around for historic purposes.
+ The required id attribute uniquely identifies each test, and must conform to the format specified by the TestIdPattern simple type. The required version attribute holds the current version of the test. Versions are integers, starting at 1 and incrementing every time a test is modified.
+ The optional check_existence attribute specifies how many items in the set defined by the OVAL Object must exist for the test to evaluate to true. The default value for this attribute is 'at_least_one_exists' indicating that by default the test may evaluate to true if at least one item defined by the OVAL Object exists on the system. For example, if a value of 'all_exist' is given, every item defined by the OVAL Object must exist on the system for the test to evaluate to true. If the OVAL Object uses a variable reference, then every value of that variable must exist. Note that a pattern match defines a unique set of matching items found on a system. So when check_existence = 'all_exist' and a regex matches anything on a system the test will evaluate to true (since all matching objects on the system were found on the system). When check_existence = 'all_exist' and a regex does not match anything on a system the test will evaluate to false.
+ The required check attribute specifies how many items in the set defined by the OVAL Object (ignoring items with a status of Does Not Exist) must satisfy the state requirements. For example, should the test check that all matching files have a specified version or that at least one file has the specified version? The valid check values are explained in the description of the CheckEnumeration simple type. Note that if the test does not contain any references to OVAL States, then the check attribute has no meaning and can be ignored during evaluation.
+ An OVAL Test evaluates to true if both the check_existence and check attributes are satisfied during evaluation. The evaluation result for a test is determined by first evaluating the check_existence attribute. If the result of evaluating the check_existence attribute is true then the check attribute is evaluated. An interpreter may choose to always evaluate both the check_existence and the check attributes, but once the check_existence attribute evaluation has resulted in false the overall test result after evaluating the check attribute will not be affected.
+ The optional state_operator attribute provides the logical operator that combines the evaluation results from each referenced state on a per item basis. Each matching item is compared to each referenced state. The result of comparing each state to a single item is combined based on the specified state_operator value to determine one result for each item. Finally, the results for each item are combined based on the specified check value. Note that if the test does not contain any references to OVAL States, then the state_operator attribute has no meaning and can be ignored during evaluation. Referencing multiple states in one test allows ranges of possible values to be expressed. For example, one state can check that a value greater than 8 is found and another state can check that a value of less than 16 is found. In this example the referenced states are combined with a state_operator = 'AND' indicating that the conditions of all referenced states must be satisfied and that the value must be between 8 AND 16. The valid state_operation values are explained in the description of the OperatorEnumeration simple type.
+
+
+
+ - No state should be referenced when check_existence has a value of 'none_exist'.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The ObjectRefType complex type defines an object reference to be used by OVAL Tests that are defined in the component schemas. The required object_ref attribute specifies the id of the OVAL Object being referenced.
+
+
+
+
+
+ The StateRefType complex type defines a state reference to be used by OVAL Tests that are defined in the component schemas. The required state_ref attribute specifies the id of the OVAL State being referenced.
+
+
+
+
+
+
+
+
+ The ObjectsType complex type is a container for one or more object child elements. Each object element provides details that define a unique set of matching items to be used by an OVAL Test. Please refer to the description of the object element for more information about an individual object.
+
+
+
+
+
+
+
+ The object element is an abstract element that is meant to be extended (via substitution groups) by the objects found in the component schemas. An actual object element is not valid. The use of this abstract element simplifies the OVAL schema by allowing individual objects to inherit any common elements and attributes from the base ObjectType. Please refer to the description of the ObjectType complex type for more information.
+ An object is used to identify a set of items to collect. The author of a schema object must define sufficient object entities to allow a user to identify a unique item to be collected.
+ A simple object typically results in a single file, process, etc being identified. But through the use of pattern matches, sets, and variables, multiple matching items can be identified. The set of items matching the object can then be used by an OVAL test and compared against an OVAL state.
+
+
+
+
+ The base type of every object includes an optional notes element. The notes element of an object should be used to hold information that might be helpful to someone examining the technical aspects of the object. For example, why certain values have been used, or maybe a link to where further information can be found. Please refer to the description of the NotesType complex type for more information about the notes element.
+ The required id attribute uniquely identifies each object, and must conform to the format specified by the ObjectIdPattern simple type. The required version attribute holds the current version of the object element. Versions are integers, starting at 1 and incrementing every time an object is modified. The optional comment attribute provides a short description of the object. The optional deprecated attribute signifies that an id is no longer to be used or referenced but the information has been kept around for historic purposes.
+
+
+
+
+
+
+
+
+
+
+
+
+ The set element enables complex objects to be described. It is a recursive element in that each set element can contain additional set elements as children. Each set element defines characteristics that produce a matching unique set of items. This set of items is defined by one or two references to OVAL Objects that provide the criteria needed to collect a set of system items. These items can have one or more filters applied to allow a subset of those items to be specifically included or excluded from the overall set of items.
+ The set element's object_reference refers to an existing OVAL Object. The set element's filter element provides a reference to an existing OVAL State and includes an optional action attribute. The filter's action attribute allows the author to specify whether matching items should be included or excluded from the overall set. The default filter action is to exclude all matching items. In other words, the filter can be thought of filtering items out by default.
+ Each filter is applied to the items identified by each OVAL Object before the set_operator is applied. For example, if an object_reference points to an OVAL Object that identifies every file in a certain directory, a filter might be set up to limit the object set to only those files with a size less than 10 KB. If multiple filters are provided, then each filter is applied to the set of items identified by the OVAL Object. Care must be taken to ensure that conflicting filters are not applied. It is possible to exclude all items with a size of 10 KB and then include only items with a size of 10 KB. This example would result in the empty set.
+ The required set_operator attribute defines how different child sets are combined to form the overall unique set of objects. For example, does one take the union of different sets or the intersection? For a description of the valid values please refer to the SetOperatorEnumeration simple type.
+
+
+
+ - Each object referenced by the set must be of the same type as parent object
+
+
+ - Each object referenced by the set must be of the same type as parent object
+
+
+ - Each object referenced by the set must be of the same type as parent object
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The filter element provides a reference to an existing OVAL State and includes an optional action attribute. The action attribute is used to specify whether items that match the referenced OVAL State will be included in the resulting set or excluded from the resulting set.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The StatesType complex type is a container for one or more state child elements. Each state provides details about specific characteristics that can be used during an evaluation of an object. Please refer to the description of the state element for more information about an individual state.
+
+
+
+
+
+
+
+ The state element is an abstract element that is meant to be extended (via substitution groups) by the states found in the component schemas. An actual state element is not valid. The use of this abstract class simplifies the OVAL schema by allowing individual states to inherit the optional notes child element, and the id and operator attributes from the base StateType. Please refer to the description of the StateType complex type for more information.
+ An OVAL State is a collection of one or more characteristics pertaining to a specific object type. The OVAL State is used by an OVAL Test to determine if a unique set of items identified on a system meet certain characteristics.
+
+
+
+
+ The base type of every state includes an optional notes element and two attributes. The notes section of a state should be used to hold information that might be helpful to someone examining the technical aspects of the state. For example, why certain values have been used by the state, or maybe a link to where further information can be found. Please refer to the description of the NotesType complex type for more information about the notes element.
+ The required id attribute uniquely identifies each state, and must conform to the format specified by the StateIdPattern simple type. The required version attribute holds the current version of the state. Versions are integers, starting at 1 and incrementing every time a state is modified. The required operator attribute provides the logical operator that binds the different characteristics inside a state together. The optional comment attribute provides a short description of the state. The optional deprecated attribute signifies that an id is no longer to be used or referenced but the information has been kept around for historic purposes.
+ When evaluating a particular state against an object, one should evaluate each individual entity separately. The individual results are then combined by the operator to produce an overall result. This process holds true even when there are multiple instances of the same entity. Evaluate each instance separately, taking the entity check attribute into account, and then combine everything using the operator.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The VariablesType complex type is a container for one or more variable child elements. Each variable element is a way to define one or more values to be obtained at the time a definition is evaluated.
+
+
+
+
+
+
+
+ The variable element is an abstract element that is meant to be extended (via substitution groups) by the different types of variables. An actual variable element is not valid.
+ The different variable types describe different sources for obtaining a value(s) for the variable. There are currently three types of variables; local, external, and constant.
+ Please refer to the description of each one for more specific information. The value(s) of a variable is treated as if it were inserted where referenced.
+ One of the main benefits of variables is that they allow tests to evaluate user-defined policy.
+ For example, an OVAL Test might check to see if a password is at least a certain number of characters long, but this number depends upon the individual policy of the user.
+ To solve this, the test for password length can be written to refer to a variable element that defines the length.
+ If a variable defines a collection of values, any entity that references the variable will evaluate to true depending on the value of the var_check attribute.
+ For example, if an entity 'size' with an operation of 'less than' references a variable that returns five different integers, and the var_check attribute has a value of 'all', then the 'size' entity returns true only if the actual size is less than each of the five integers defined by the variable.
+ If a variable does not return any value, then an error should be reported during OVAL analysis.
+
+
+
+
+ The VariableType complex type defines attributes associated with each OVAL Variable.
+ The required id attribute uniquely identifies each variable, and must conform to the format specified by the VariableIDPattern simple type.
+ The required version attribute holds the current version of the variable. Versions are integers, starting at 1 and incrementing every time a variable is modified.
+ The required comment attribute provides a short description of the variable.
+ The optional deprecated attribute signifies that an id is no longer to be used or referenced but the information has been kept around for historic purposes.
+ The required datatype attribute specifies the type of value being defined. The set of values identified by a variable must comply with the specified datatype, otherwise an error should be reported.
+ Please see the DatatypeEnumeration for details about each valid datatype. For example, if the datatype of the variable is specified as boolean then the value(s) returned by the component / function should be "true", "false", "1", or "0".
+ Note that the 'record' datatype is not permitted on variables. The notes section of a variable should be used to hold information that might be helpful to someone examining the technical aspects of the variable. Please refer to the description of the NotesType complex type for more information about the notes element.
+
+
+
+
+
+
+
+
+
+ Note that the 'record' datatype is not permitted on variables.
+
+
+
+
+
+
+
+ The external_variable element extends the VariableType and defines a variable with some external source.
+ The actual value(s) for the variable is not provided within the OVAL file, but rather it is retrieved during the evaluation of the OVAL Definition from an external source.
+ An unbounded set of possible-value and possible_restriction child elements can be specified that together specify the list of all possible values that an external source is allowed to supply for the external variable.
+ In other words, the value assigned by an external source must match one of the possible_value or possible_restriction elements specified.
+ Each possible_value element contains a single value that could be assigned to the given external_variable while each possible_restriction element outlines a range of possible values. Note that it is not necessary to declare a variable's possible values, but the option is available if desired. If no possible child elements are specified, then the valid values are only bound to the specified datatype of the external variable. Please refer to the description of the PossibleValueType and PossibleRestrictionType complex types for more information.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The PossibleValueType complex type is used to outline a single expected value of an external variable. The required hint attribute gives a short description of what the value means or represents.
+
+
+
+
+
+
+
+
+
+ The PossibleRestrictionType complex type outlines a range of possible expected value of an external variable. Each possible_restriction element contains an unbounded list of child restriction elements that each specify a range that an actual value may fall in. For example, a restriction element may specify that a value must be less than 10. When multiple restriction elements are present, a valid possible value's evaluation is based on the operator attribute. The operator attribute is set to AND by default. Other valid operation values are explained in the description of the OperatorEnumeration simple type. One can think of the possible_value and possible_restriction elements as an OR'd list of possible values, with the restriction elements as using the selected operation to evaluate its own list of value descriptions. Please refer to the description of the RestrictionType complex type for more information. The required hint attribute gives a short description of what the value means or represents.
+
+
+
+
+
+
+
+
+
+ The RestrictionType complex type outlines a restriction that is placed on expected values for an external variable. For example, a possible value may be restricted to a integer less than 10. Please refer to the operationEnumeration simple type for a description of the valid operations.
+
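+ As an added example that is not part of the OVAL schema (the class, function names and the timeout declaration are this example's own, written in Python), here is how an OVAL processor can check an externally supplied value against the declared possible_value and possible_restriction children before using it, so that untrusted input bound to an external_variable stays within the bounds the definition author declared:

```python
from typing import Callable, Dict, List, Tuple

# Subset of OperationEnumeration; the keys are the real OVAL operation names.
_OPERATIONS: Dict[str, Callable] = {
    "equals": lambda a, b: a == b,
    "not equal": lambda a, b: a != b,
    "less than": lambda a, b: a < b,
    "less than or equal": lambda a, b: a <= b,
    "greater than": lambda a, b: a > b,
    "greater than or equal": lambda a, b: a >= b,
}


def _cast(datatype: str, raw: str):
    """Cast a raw external value to the declared datatype; ValueError if it cannot be."""
    if datatype == "int":
        return int(raw)
    if datatype == "float":
        return float(raw)
    if datatype == "boolean":
        if raw.lower() in ("true", "1"):
            return True
        if raw.lower() in ("false", "0"):
            return False
        raise ValueError(raw)
    return str(raw)


def _combine(operator: str, results: List[bool]) -> bool:
    """OperatorEnumeration semantics over the restriction list of one possible_restriction."""
    if operator == "AND":
        return all(results)
    if operator == "OR":
        return any(results)
    if operator == "ONE":
        return results.count(True) == 1
    if operator == "XOR":
        return results.count(True) % 2 == 1
    raise ValueError(f"unknown operator {operator!r}")


class ExternalVariable:
    # possible_values: (hint, value); possible_restrictions: (hint, operator, [(operation, value)])
    def __init__(self, datatype: str,
                 possible_values: List[Tuple[str, str]] = (),
                 possible_restrictions: List[Tuple[str, str, List[Tuple[str, str]]]] = ()):
        self.datatype = datatype
        self.possible_values = [(hint, _cast(datatype, v)) for hint, v in possible_values]
        self.possible_restrictions = [
            (hint, operator, [(operation, _cast(datatype, v)) for operation, v in restrictions])
            for hint, operator, restrictions in possible_restrictions]

    def accepts(self, raw: str) -> bool:
        """True if raw is an allowed value for this external_variable."""
        try:
            value = _cast(self.datatype, raw)
        except ValueError:
            return False   # not even of the declared datatype
        if not self.possible_values and not self.possible_restrictions:
            return True    # no possible_* children: bound only by the datatype
        if any(value == v for _, v in self.possible_values):
            return True    # possible_value and possible_restriction are OR'd together
        return any(_combine(operator, [_OPERATIONS[op](value, bound) for op, bound in restrictions])
                   for _, operator, restrictions in self.possible_restrictions)


# Constructed declaration: a session timeout that is either disabled (0) or
# strictly between 0 and 3600 seconds.
SESSION_TIMEOUT = ExternalVariable(
    "int",
    possible_values=[("disabled", "0")],
    possible_restrictions=[("one second to one hour", "AND",
                            [("greater than", "0"), ("less than", "3600")])],
)
```

+ A value that fails accepts() should be rejected before evaluation starts, rather than silently cast or clamped; the hint strings give the operator a readable reason in the error message.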
+
+
+
+
+
+
+
+
+ The constant_variable element extends the VariableType and defines a variable with a constant value or values. Each constant_variable defines either a single value or a collection of values to be used throughout the evaluation of the OVAL Definition File in which it has been defined. Constant variables cannot be overridden by an external source. The actual value of a constant variable is defined by the required value child element. A collection of values can be specified by including multiple instances of the value element. Please refer to the description of the ValueType complex type for more information.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The ValueType complex type holds the actual value of the variable when dealing with a constant variable. This value should be used by all tests that reference this variable. The value cannot be overridden by an external source.
+
+
+
+
+
+
+
+ The local_variable element extends the VariableType and defines a variable with some local source. The actual value(s) for the variable are not provided in the OVAL Definition document but rather are retrieved during the evaluation of the OVAL Definition. Each local variable is defined by either a single component or a complex function, meaning that a value can be as simple as a literal string or as complex as multiple registry keys concatenated together. Note that if an individual component is used and it returns a collection of values, then there will be multiple values associated with the local_variable. For example, if an object_component is used and it references a file object that identifies a set of 5 files, then the local variable would evaluate to a collection of those 5 values. Please refer to the description of the ComponentGroup for more information.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Any value that is pulled directly off the local system is defined by the basic component element. For example, the name of a user or the value of a registry key. Please refer to the definition of the ObjectComponentType for more information. A value can also be obtained from another variable. The variable element identifies a variable id to pull a value(s) from. Please refer to the definition of the VariableComponentType for more information. Literal values can also be specified.
+
+
+
+
+
+
+
+
+
+
+ The LiteralComponentType complex type defines a literal value to be used as a component. The optional datatype attribute defines the type of data expected. The default datatype is 'string'.
+
+
+
+ - The 'record' datatype is prohibited on variables.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The ObjectComponentType complex type defines a specific value or set of values on the local system to obtain.
+ The required object_ref attribute provides a reference to an existing OVAL Object declaration. The referenced OVAL Object specifies a set of OVAL Items to collect. Note that an OVAL Object might identify 0, 1, or many OVAL Items on a system. If no items are found on the system then an error should be reported when determining the value of an ObjectComponentType. If 1 or more OVAL Items are found then each OVAL Item will be considered and the ObjectComponentType may have one or more values.
+ The required item_field attribute specifies the name of the entity whose value will be retrieved from each OVAL Item collected by the referenced OVAL Object. For example, if the object_ref references a win-def:file_object, the item_field may specify the 'version' entity as the field to use as the value of the ObjectComponentType. Note that an OVAL Item may have 0, 1, or many entities whose name matches the specified item_field value. If an entity is not found with a name that matches the value of the item_field an error should be reported when determining the value of an ObjectComponentType. If 1 or more matching entities are found in a single OVAL Item the value of the ObjectComponentType is the list of the values from each of the matching entities.
+ The optional record_field attribute specifies the name of a field in a record entity in an OVAL Item. The record_field attribute allows the value of a specific field to be retrieved from an entity with a datatype of 'record'. If a field with a matching name attribute value is not found in the referenced OVAL Item entity an error should be reported when determining the value of the ObjectComponentType.
+
+
+
+
+
+
+
+ The VariableComponentType complex type defines a specific value obtained by looking at the value of another OVAL Variable. The required var_ref attribute provides a reference to the variable. One must make sure that the variable reference does not point, directly or through other variables, back to the variable that uses this component: such a circular reference has no well-defined value and cannot be evaluated.
+
+
+
+
+
+ Complex functions have been defined that help determine how to manipulate specific values. These functions can be nested together to form complex statements. Each function is designed to work on a specific type of data. If the data being worked on is not of the correct type, a cast should be attempted before reporting an error. For example, if a concat function includes a registry component that returns an integer, then the integer should be cast as a string in order to work with the concat function. Note that if the operation being applied to the variable by the calling entity is "pattern match", then all the functions are performed before the regular expression is evaluated. In short, the variable produces its value as normal and then any pattern match operation is performed. It is also important to note that when these functions are used with sub-components that return a collection of values, the operation is performed on the Cartesian product of the components and the result is also a collection of values. For example, assume a local_variable specifies the arithmetic function with an arithmetic_operation of "add" and has two sub-components under this function: the first component returns "1" and "2", and the second component returns "3" and "4" and "5". The local_variable element would be evaluated to have a collection of six values: 1+3, 1+4, 1+5, 2+3, 2+4, and 2+5. Please refer to the description of a specific function for more details about it.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The arithmetic function takes two or more integer or float components and performs a basic mathematical function on them. The result of this function is a single integer or float unless one of the components returns a collection of values. In this case the specified arithmetic function would be performed multiple times and the end result would also be a collection of values for the local variable. For example assume a local_variable specifies the arithmetic function with an arithmetic_operation of "add" and has two sub-components under this function: the first component returns "1" and "2", and the second component returns "3" and "4" and "5". The local_variable element would be evaluated to be a collection of six values: 1+3, 1+4, 1+5, 2+3, 2+4, and 2+5.
+ Note that if both integer and float components are used, then the result is a float.
+
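+ The Cartesian-product rule, the cast-before-error rule and the int/float result rule, as an added Python example that is not code from the OVAL schema or any OVAL interpreter. The object_component below reads an item_field from constructed stand-in items (ITEMS_A, ITEMS_B) rather than from a real system, and reports the errors the ObjectComponentType description requires for a referenced object that collected nothing or an item lacking the entity; all function names are this example's own:

```python
import itertools
from typing import Any, Callable, Dict, List


class OvalEvalError(Exception):
    pass


Component = Callable[[], List[Any]]   # a component yields the collection of values it resolves to


def _cast(value, datatype):
    if datatype == "int":
        return int(value)
    if datatype == "float":
        return float(value)
    return str(value)


def literal_component(value: str, datatype: str = "string") -> Component:
    return lambda: [_cast(value, datatype)]


def object_component(items: List[Dict[str, Any]], item_field: str) -> Component:
    """items stand in for the OVAL Items the referenced object collected (constructed here)."""
    def run():
        if not items:
            raise OvalEvalError("referenced object collected no items")
        values = []
        for item in items:
            if item_field not in item:
                raise OvalEvalError(f"no entity named {item_field!r} in collected item")
            values.append(item[item_field])
        return values
    return run


def _as_number(value):
    """Cast attempt before reporting an error, as the schema requires."""
    if isinstance(value, (int, float)):
        return value
    try:
        return int(value)
    except ValueError:
        try:
            return float(value)
        except ValueError:
            raise OvalEvalError(f"{value!r} is not an integer or float") from None


def arithmetic(operation: str, *components: Component) -> Component:
    if len(components) < 2:
        raise OvalEvalError("arithmetic takes two or more components")

    def run():
        results = []
        # one result per element of the Cartesian product of the sub-components' values
        for combo in itertools.product(*(c() for c in components)):
            numbers = [_as_number(v) for v in combo]
            if operation == "add":
                total = sum(numbers)
            elif operation == "multiply":
                total = 1
                for n in numbers:
                    total *= n
            else:
                raise OvalEvalError(f"unknown arithmetic_operation {operation!r}")
            results.append(total)   # int if every input was an int, float otherwise
        return results
    return run


# Constructed collected items: two items with value 1 and 2, three with 3, 4 and 5.
ITEMS_A = [{"value": "1"}, {"value": "2"}]
ITEMS_B = [{"value": "3"}, {"value": "4"}, {"value": "5"}]


def example_local_variable() -> List[Any]:
    """The schema's own example: add({1,2}, {3,4,5}) -> six values in product order."""
    return arithmetic("add",
                      object_component(ITEMS_A, "value"),
                      object_component(ITEMS_B, "value"))()
```

+ Nesting works because every function returns another Component, so arithmetic("multiply", arithmetic("add", ...), literal_component("10", "int")) evaluates the inner product first and then multiplies each of its six values.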
+
+
+ A literal_component used by an arithmetic function must have a datatype of float or int.
+
+
+
+ The variable referenced by the arithmetic function must have a datatype of float or int.
+
+
+
+
+
+
+
+
+
+
+
+ The begin function takes a single string component and defines a character (or string) that the component string should start with. The character attribute defines the specific character (or string). It is only added to the component string if the component string does not already start with the specified character (or string); in that case the entire character (or string) is prepended to the component string.
+
+
+
+ A literal_component used by the begin function must have a datatype of string.
+
+
+
+ The variable referenced by the begin function must have a datatype of string.
+
+
+
+
+
+
+
+
+
+
+
+ The concat function takes two or more components and concatenates them together to form a single string. The first component makes up the beginning of the resulting string and any following components are added to the end of it. If one of the components returns multiple values then the concat function is performed multiple times and the end result is a collection of values for the local variable. For example, assume a local variable has two sub-components: a basic component element that returns the values "abc" and "def", and a literal component element that has a value of "xyz". The local_variable element would evaluate to a collection of two values, "abcxyz" and "defxyz". If one of the components does not exist, then the result of the concat operation should be does not exist.
+
+ Below is a chart that specifies how to classify the flag status of a variable using the concat function during evaluation when multiple components are supplied. Both the object and variable component are indirectly associated with collected objects in a system characteristics file. These objects could have been completely collected from the system, or there might have been some type of error that led to the object not being collected, or maybe only a part of the object set was collected. This flag status is important as OVAL Objects or OVAL States that are working with a variable (through the var_ref attribute on an entity) can use this information to report more accurate results. For example, an OVAL Test with a check attribute of 'at least one' that specifies an object with a variable reference, might be able to produce a valid result based on an incomplete object set as long as one of the objects in the set is true.
+
+ Number of components carrying each flag (E=error, C=complete, I=incomplete, DNE=does not exist, NC=not collected, NA=not applicable):
+ 
+ | E | C | I | DNE | NC | NA | resulting flag |
+ |---|---|---|---|---|---|---|
+ | 1+ | 0+ | 0+ | 0+ | 0+ | 0+ | Error |
+ | 0 | 1+ | 0 | 0 | 0 | 0 | Complete |
+ | 0 | 0+ | 1+ | 0 | 0 | 0 | Incomplete |
+ | 0 | 0+ | 0+ | 1+ | 0 | 0 | Does Not Exist |
+ | 0 | 0+ | 0+ | 0+ | 1+ | 0 | Not Collected |
+ | 0 | 0+ | 0+ | 0+ | 0+ | 1+ | Not Applicable |
+
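+ The flag rule in the table above, as an added Python example (not OVAL schema or interpreter code). The component values and flags are constructed; the precedence is read directly off the table rows: any error wins, then not applicable, not collected, does not exist and incomplete, and the result is complete only when every component is complete:

```python
import itertools
from typing import List, NamedTuple


class FlaggedComponent(NamedTuple):
    values: List[str]
    flag: str     # error | complete | incomplete | does not exist | not collected | not applicable


# First flag in this list that any component carries decides the result.
_FLAG_PRECEDENCE = ["error", "not applicable", "not collected", "does not exist", "incomplete"]


def combined_flag(components: List[FlaggedComponent]) -> str:
    present = {c.flag for c in components}
    for flag in _FLAG_PRECEDENCE:
        if flag in present:
            return flag
    return "complete"


def concat(*components: FlaggedComponent) -> FlaggedComponent:
    flag = combined_flag(list(components))
    if flag in ("complete", "incomplete"):
        # Cartesian product of the value collections, in component order
        values = ["".join(combo) for combo in itertools.product(*(c.values for c in components))]
    else:
        values = []   # a missing, uncollected or errored component leaves nothing to concatenate
    return FlaggedComponent(values, flag)


# Constructed inputs: an install directory read from a registry key, plus a literal file name.
INSTALL_DIR = FlaggedComponent(["C:\\Acme\\", "D:\\Acme\\"], "complete")
BINARY = FlaggedComponent(["agent.exe"], "complete")
MISSING_KEY = FlaggedComponent([], "does not exist")
```

+ A test with check="at least one" can still return a result from an incomplete concat, because the partial values are kept with the incomplete flag; a does not exist flag carries no values at all, which is what makes the missing registry key show up as does not exist rather than as a false negative.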
+
+
+ A literal_component used by the concat function must have a datatype of string.
+
+
+
+ The variable referenced by the concat function must have a datatype of string.
+
+
+
+
+
+
+
+
+
+
+ The end function takes a single string component and defines a character (or string) that the component string should end with. The character attribute defines the specific character (or string). The character (or string) is only added to the component string if the component string does not already end with the specified character (or string). If the desired end character is a string, then the entire end string must exist at the end of the component string. If the entire end string is not present then the entire end string is appended to the component string.
+
+
+
+ A literal_component used by the end function must have a datatype of string.
+
+
+
+ The variable referenced by the end function must have a datatype of string.
+
+
+
+
+
+
+
+
+
+
+
+ The escape_regex function takes a single string component and escapes all of the regular expression characters. If the string sub-component contains multiple values, then the escape_regex function is applied to each individual value and returns a multiple-valued result. For example, the string '(\.test_string*)?' evaluates to '\(\\\.test_string\*\)\?'. The purpose of this is that a component used in a pattern match often needs to be treated as a literal string and not as a regular expression. For example, assume a basic component element that identifies a file path held in the Windows registry. This path is a string that might contain regular expression characters. These characters are most likely not intended to be treated as regular expression metacharacters and need to be escaped. This function allows a definition writer to convert the values of components into a form that can be embedded literally in a regular expression.
+ Note that when using regular expressions, OVAL supports a common subset of the regular expression character classes, operations, expressions and other lexical tokens defined within Perl 5's regular expression specification. The set of Perl metacharacters which must be escaped by this function is as follows, enclosed by single quotes: '^$\.[](){}*+?|'. For more information on the supported regular expression syntax in OVAL see: http://oval.mitre.org/language/about/re_support_5.6.html.
+
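+ An added Python example, not from the schema or any interpreter: escape_regex over exactly the metacharacter set listed above, and the wrong result a pattern match gives when a registry-derived value (constructed here) is dropped into the pattern without it. The pattern_match helper approximates OVAL's 'pattern match' operation with re.search:

```python
import re
from typing import List, Optional

_META = set('^$\\.[](){}*+?|')   # exactly the set the schema lists


def escape_regex(value: str) -> str:
    """Escape every Perl metacharacter so the value matches itself literally."""
    return "".join("\\" + ch if ch in _META else ch for ch in value)


def escape_regex_component(values: List[str]) -> List[str]:
    """A multi-valued string component is escaped value by value."""
    return [escape_regex(v) for v in values]


def pattern_match(pattern: str, candidate: str) -> Optional[bool]:
    """OVAL 'pattern match' approximated with re.search; None when the pattern itself is invalid."""
    try:
        return re.search(pattern, candidate) is not None
    except re.error:
        return None


# Constructed registry value that a definition might pull through an object_component.
REGISTRY_IMAGE_NAME = "service (x86).exe"


def image_name_pattern(raw_value: str, escaped: bool) -> str:
    """Build an anchored pattern from the registry value, with or without escape_regex."""
    body = escape_regex(raw_value) if escaped else raw_value
    return "^" + body + "$"
```

+ Without escaping, "(x86)" becomes a capturing group and "." matches any character, so the pattern fails against the real value and instead matches an unrelated name such as "service x86!exe"; with escaping it matches only the literal registry value.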
+
+
+ A literal_component used by the escape_regex function must have a datatype of string.
+
+
+
+ The variable referenced by the escape_regex function must have a datatype of string.
+
+
+
+
+
+
+
+
+
+
+ The split function takes a single string component and turns it into a collection of values based on a delimiter string. For example, assume that a basic component element returns the value "a-b-c-d" to the split function with the delimiter set to "-". The local_variable element would be evaluated to have four values "a", "b", "c", and "d". If the basic component returns a value that begins, or ends, with a delimiter, the local_variable element would contain empty string values at the beginning, or end, of the collection of values returned for that string component. For example, if the delimiter is "-", and the basic component element returns the value "-a-a-", the local_variable element would evaluate to a collection of four values "", "a", "a", and "". Likewise, if the basic component element returns a value that contains adjacent delimiters such as "---", the local_variable element would evaluate to a collection of four values "", "", "", and "".
+ Lastly, if the basic component element used by the split function returns a collection of values, then the split function is performed multiple times, and all of the results, from each of the split functions, are returned.
+
+
+
+ A literal_component used by the split function must have a datatype of string.
+
+
+
+ The variable referenced by the split function must have a datatype of string.
+
+
+
+
+
+
+
+
+
+
+
+ The substring function takes a single string component and produces a single value that contains a portion of the original string. The substring_start attribute defines the starting position in the original string. To include the first character of the string, the start position would be 1. A value less than 1 also means that the start position would be 1. If the substring_start attribute has a value greater than the length of the original string an error should be reported. The substring_length attribute defines how many characters after, and including, the starting character to include. A substring_length value greater than the actual length of the string, or a negative value, means to include all of the characters after the starting character. For example, assume a basic component element that returns the value "abcdefg" with a substring_start value of 3 and a substring_length value of 2. The local_variable element would evaluate to have a single value of "cd". If the string component used by the substring function returns a collection of values, then the substring operation is performed multiple times and results in a collection of values for the component.
+
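+ The begin, end, split and substring functions with the edge cases described above, as an added Python example (not OVAL schema or interpreter code). The function names are the example's own, substring_start and substring_length are passed as plain arguments, and each function is applied value by value to a multi-valued component:

```python
from typing import List


class OvalEvalError(Exception):
    pass


def begin(values: List[str], character: str) -> List[str]:
    """Prepend character unless the value already starts with the whole of it."""
    return [v if v.startswith(character) else character + v for v in values]


def end(values: List[str], character: str) -> List[str]:
    """Append character unless the value already ends with the whole of it."""
    return [v if v.endswith(character) else v + character for v in values]


def split(values: List[str], delimiter: str) -> List[str]:
    """Split every value on delimiter; leading, trailing and adjacent delimiters yield empty strings."""
    out: List[str] = []
    for v in values:
        out.extend(v.split(delimiter))
    return out


def substring(values: List[str], substring_start: int, substring_length: int) -> List[str]:
    """1-based start; start < 1 means 1; start past the end is an error; negative length means 'to the end'."""
    out: List[str] = []
    for v in values:
        start = max(substring_start, 1)
        if start > len(v):
            raise OvalEvalError(f"substring_start {substring_start} is beyond the length of {v!r}")
        if substring_length < 0:
            out.append(v[start - 1:])
        else:
            out.append(v[start - 1:start - 1 + substring_length])   # slicing already clips long lengths
    return out


# Constructed PATH-style value, as a single string component might return it.
SEARCH_PATH = ["/usr/local/sbin:/usr/local/bin::/usr/bin"]


def path_directories() -> List[str]:
    """Split the search path and normalise each entry to start and end with '/'."""
    return end(begin(split(SEARCH_PATH, ":"), "/"), "/")
```

+ The empty entry that split() keeps for the adjacent "::" is deliberate: in a real PATH it means the current directory, which is exactly the kind of thing a compliance check wants to see rather than have silently dropped.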
+
+
+ A literal_component used by the substring function must have a datatype of string.
+
+
+
+ The variable referenced by the substring function must have a datatype of string.
+
+
+
+
+
+
+
+
+
+
+
+
+ The time_difference function calculates the difference in seconds between date-time values. If one component is specified, the values of that component are subtracted from the current time (UTC). The current time is the time at which the function is evaluated. If two components are specified, the value of the second component is subtracted from the value of the first component. If the component(s) contain a collection of values, the operation is performed multiple times on the Cartesian product of the component(s) and the result is also a collection of time difference values. For example, assume a local_variable specifies the time_difference function and has two sub-components under this function: the first component returns "04/02/2009" and "04/03/2009", and the second component returns "02/02/2005" and "02/03/2005" and "02/04/2005". The local_variable element would evaluate to a collection of six values: (ToSeconds("04/02/2009") - ToSeconds("02/02/2005")), (ToSeconds("04/02/2009") - ToSeconds("02/03/2005")), (ToSeconds("04/02/2009") - ToSeconds("02/04/2005")), (ToSeconds("04/03/2009") - ToSeconds("02/02/2005")), (ToSeconds("04/03/2009") - ToSeconds("02/03/2005")), and (ToSeconds("04/03/2009") - ToSeconds("02/04/2005")).
+ The date-time format of each component is determined by the two format attributes. The format1 attribute applies to the first component, and the format2 attribute applies to the second component. Valid values for the attributes are 'win_filetime', 'seconds_since_epoch', 'day_month_year', 'year_month_day', and 'month_day_year'. Please see the DateTimeFormatEnumeration for more information about each of these values. If an input value is not understood, the result is an error. If only one input is specified, specify the format with the format2 attribute, as the first input is considered to be the implied 'current time' input.
+ Note that the datatype associated with the components should be 'string' or 'int' depending on which date time format is specified. The result of this function though is always an integer.
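+ An added Python example, not from the OVAL schema: to_seconds handles the DateTimeFormatEnumeration formats described later on this page (the strptime layouts and the cim_datetime offset handling are this example's reading of those descriptions), and time_difference applies the Cartesian-product rule and the one-component form against the current UTC time. password_older_than shows the usual use, a maximum password age check against a constructed win_filetime value:

```python
import itertools
import re
from datetime import datetime, timezone
from typing import List, Optional


class OvalEvalError(Exception):
    pass


_WIN_EPOCH_OFFSET = 11644473600     # seconds between 1601-01-01 and 1970-01-01 (UTC)

# strptime equivalents of the layouts DateTimeFormatEnumeration lists for each format
_STRPTIME = {
    "year_month_day": ["%Y%m%d", "%Y%m%dT%H%M%S", "%Y/%m/%d %H:%M:%S", "%Y/%m/%d",
                       "%Y-%m-%d %H:%M:%S", "%Y-%m-%d"],
    "month_day_year": ["%m/%d/%Y %H:%M:%S", "%m/%d/%Y", "%m-%d-%Y %H:%M:%S", "%m-%d-%Y",
                       "%B, %d %Y %H:%M:%S", "%B, %d %Y", "%b, %d %Y %H:%M:%S", "%b, %d %Y"],
    "day_month_year": ["%d/%m/%Y %H:%M:%S", "%d/%m/%Y", "%d-%m-%Y %H:%M:%S", "%d-%m-%Y"],
}


def _integer(text: str) -> int:
    try:
        return int(text)
    except ValueError:
        raise OvalEvalError(f"{text!r} is not an integer") from None


def to_seconds(value, fmt: str) -> int:
    """One component value -> seconds since the UNIX epoch (UTC); OvalEvalError if not understood."""
    text = str(value)
    if fmt == "seconds_since_epoch":
        return _integer(text)
    if fmt == "win_filetime":               # 100-nanosecond ticks since 1601-01-01
        return _integer(text) // 10_000_000 - _WIN_EPOCH_OFFSET
    if fmt == "cim_datetime":               # yyyymmddHHMMSS.mmmmmmsUUU, UUU = minutes east of UTC
        m = re.fullmatch(r"(\d{14})\.(\d{6})([+-])(\d{3})", text)
        if not m:
            raise OvalEvalError(f"{text!r} is not a cim_datetime")
        local = datetime.strptime(m.group(1), "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
        offset = int(m.group(4)) * 60 * (1 if m.group(3) == "+" else -1)
        return int(local.timestamp()) - offset
    for layout in _STRPTIME.get(fmt, []):
        try:
            parsed = datetime.strptime(text, layout)
        except ValueError:
            continue
        return int(parsed.replace(tzinfo=timezone.utc).timestamp())
    raise OvalEvalError(f"{text!r} is not a {fmt} date-time")


def time_difference(first: Optional[List], second: List,
                    format1: str = "year_month_day", format2: str = "year_month_day") -> List[int]:
    """Seconds of (first - second) over the Cartesian product; with first=None, (now - second)."""
    if first is None:
        now = int(datetime.now(timezone.utc).timestamp())
        return [now - to_seconds(v, format2) for v in second]
    return [to_seconds(a, format1) - to_seconds(b, format2)
            for a, b in itertools.product(first, second)]


def password_older_than(last_set_filetime: str, max_age_days: int) -> bool:
    """Flag an account whose password-last-set win_filetime value is older than max_age_days."""
    age = time_difference(None, [last_set_filetime], format2="win_filetime")[0]
    return age > max_age_days * 86400
```

+ Date-only inputs are treated as midnight UTC; a definition that mixes date-only and timestamped values therefore compares with a resolution of one day at best, which matters when a policy threshold is expressed in hours.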
+
+
+
+ A literal_component used by the time_difference function must have a datatype of string or int.
+
+
+
+ The variable referenced by the time_difference function must have a datatype of string or int.
+
+
+
+
+
+
+
+
+
+
+
+
+ The regex_capture function captures a single substring from a single string component. If the string sub-component contains multiple values, then the regex_capture function will extract a substring from each value. The 'pattern' attribute provides a regular expression that should contain a single subexpression (using parentheses). For example, the pattern ^abc(.*)xyz$ would capture a substring from each of the string component's values if the value starts with abc and ends with xyz. In this case the subexpression would be all the characters that exist in between the abc and the xyz. Note that with a greedy quantifier such as .* the subexpression captures the longest possible substring.
+ If the regular expression contains multiple capturing sub-patterns, only the first capture is used. If there are no capturing sub-patterns, the result for each target string must be the empty string. Otherwise, if the regular expression could match the target string in more than one place, only the first match (and its first capture) is used. If no matches are found in a target string, the result for that target must be the empty string.
+ Note that a quantified capturing sub-pattern does not produce multiple substrings. Standard regular expression semantics are such that if a capturing sub-pattern is required to match multiple times in order for the overall regular expression to match, the capture produced is the last substring to have matched the sub-pattern.
+ Note that when using regular expressions, OVAL supports a common subset of the regular expression character classes, operations, expressions and other lexical tokens defined within Perl 5's regular expression specification. If any of the Perl metacharacters are to be used literally, then they must be escaped. The set of metacharacters which must be escaped for this purpose is as follows, enclosed by single quotes: '^$\.[](){}*+?|'. For more information on the supported regular expression syntax in OVAL see: http://oval.mitre.org/language/about/re_support_5.6.html.
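+ regex_capture as described above (first match only, first capture only, empty string when there is no match or no capturing group, last repetition for a quantified group), as an added Python example rather than schema code; the banner strings are constructed:

```python
import re
from typing import List


def regex_capture(values: List[str], pattern: str) -> List[str]:
    """One captured substring per input value, following the schema's rules."""
    compiled = re.compile(pattern)
    captured: List[str] = []
    for value in values:
        match = compiled.search(value)              # only the first place the pattern matches
        if match is None or compiled.groups == 0:
            captured.append("")                     # no match, or no capturing sub-pattern: empty string
        else:
            captured.append(match.group(1) or "")   # first capture only; a non-participating group is empty
    return captured


# Constructed banner values, as a version-string object_component might return them.
BANNERS = ["OpenSSH_8.9p1 Ubuntu-3ubuntu0.6", "OpenSSH_9.6p1", "dropbear_2022.83"]


def openssh_versions() -> List[str]:
    """Major.minor of each OpenSSH banner; non-OpenSSH banners yield ''."""
    return regex_capture(BANNERS, r"^OpenSSH_(\d+\.\d+)")
```

+ The empty string for a non-matching value is what the schema mandates, so a downstream version comparison has to treat "" as "not applicable" rather than as a version that is trivially less than the threshold.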
+
+
+
+ A literal_component used by the regex_capture function must have a datatype of string.
+
+
+
+ The variable referenced by the regex_capture function must have a datatype of string.
+
+
+
+
+
+
+
+
+
+
+
+ The unique function takes one or more components and removes any duplicate value from the set of components. All components used in the unique function will be treated as strings. For example, assume that three components exist, one that contains a string value of 'foo', and two of which both resolve to the string value 'bar'. Applying the unique function to these three components resolves to a local_variable with two string values, 'foo' and 'bar'. Additionally, if any of the components referenced by the unique function evaluate to a collection of values, then those values are used in the unique calculation. For example, assume that there are two components, one of which resolves to a single string value, 'foo', the other of which resolves to two string values, 'foo' and 'bar'. If the unique function is used to remove duplicates from these two components, the function will resolve to a local_variable that is a collection of two string values, 'foo' and 'bar'.
+
+
+
+
+
+
+
+ The count function takes one or more components and returns the count of all of the values represented by the components. For example, assume that two variables exist, each with a single value. By applying the count function against two variable components that resolve to the two variables, the resulting local_variable would have a value of '2'. Additionally, if any of the components referenced by the count function evaluate to a collection of values, then those values are used in the count calculation. For example, assume that there are two components, one of which resolves to a single value, the other of which resolves to two values. If the count function is used to provide a count of these two components, the function will resolve to a local_variable with the values '3'.
+
+
+
+
+
+
+
+ The glob_to_regex function takes a single string component representing a shell glob pattern and produces a single value: the result of converting the original glob pattern into a Perl 5 regular expression pattern. The glob_noescape attribute defines how the backslash ('\') character is interpreted. It defaults to 'false', meaning the backslash is an escape character (the character following it is taken literally). If glob_noescape is set to 'true', the glob_to_regex function interprets the backslash as a literal character rather than as an escape character (the backslash cannot be used to escape anything). Refer to the table of examples below to see how the two values of the 'glob_noescape' attribute change the resulting Perl 5 regular expression.
+ Please note that the glob_to_regex function fails to perform the conversion and returns an error when the provided string argument is not a syntactically correct glob pattern. For example, given 'a*b?[' as the argument to be converted, glob_to_regex returns an error since the opening bracket has no corresponding closing bracket.
+ Also, the glob_to_regex function follows the default UNIX glob semantics for the input pattern and carries them into the resulting Perl 5 regular expression. Namely this means that:
+ - glob_to_regex respects the UNIX glob behaviour for forward slashes: a forward slash is treated as a path separator, and * or ? shall not match it,
+ - glob_to_regex rules out matches having special meaning (for example '.' as a representation of the current working directory or '..' as a representation of its parent directory),
+ - glob_to_regex rules out files or folders starting with the '.' character (dotfiles) unless the respective part of the glob pattern itself starts with the '.' character,
+ - glob_to_regex performs no case transformation (alphabetical characters are copied from the input glob pattern to the output Perl 5 regular expression intact). It remains the responsibility of the OVAL content author to write the input glob pattern with the letter case that the expected pathname entries use,
+ - glob_to_regex performs no brace expansion. Glob patterns like '{pat,pat,pat}' are converted into Perl 5 regular expression syntax in their original un-expanded form (left for any subsequent expansion to be performed by the Perl 5 regular expression engine when the resulting regular expression is used),
+ - glob_to_regex performs no tilde ('~') substitution to a user's home directory pathname. The '~' character is passed to the Perl 5 regular expression engine intact. If home-directory behaviour is expected, the pathname of the home directory needs to be written out in the input glob pattern,
+ - glob_to_regex performs no custom ordering of items (no additional sorting of the set of pathnames represented by the provided glob pattern argument).
+
+ Below are some examples that outline how the glob_noescape attribute value affects the produced Perl regular expression. The left column is the shell glob pattern provided as the input string component to the glob_to_regex function, the middle column the value of the 'glob_noescape' attribute, and the right column the resulting Perl regular expression produced by the glob_to_regex function (INVALID marks an input that is rejected with an error).
+
+ || ||
+ input shell glob pattern || glob_noescape attribute value || corresponding Perl regular expression
+ || ||
+--------------------------||-------------------------------||--------------------------------------
+ '\*' || false || ^\*$
+ ||-------------------------------||--------------------------------------
+ '\*' || true || ^\\[^/]*$
+--------------------------||-------------------------------||--------------------------------------
+ '\?' || false || ^\?$
+ ||-------------------------------||--------------------------------------
+ '\?' || true || ^\\[^./]$
+--------------------------||-------------------------------||--------------------------------------
+ '\[hello\]' || false || ^\[hello\]$
+ ||-------------------------------||--------------------------------------
+ '\[hello\]' || true || ^\\[hello\\]$
+--------------------------||-------------------------------||--------------------------------------
+ '/root/*' || false || ^/root/(?=[^.])[^/]*$
+ ||-------------------------------||--------------------------------------
+ '/root/.*' || false || ^/root/\.[^/]*$
+ ||-------------------------------||--------------------------------------
+ '/root/x*' || false || ^/root/x[^/]*$
+ ||-------------------------------||--------------------------------------
+ '/root/?' || false || ^/root/[^./]$
+ ||-------------------------------||--------------------------------------
+ '/root/.?' || false || ^/root/\.[^/]$
+ ||-------------------------------||--------------------------------------
+ '/root/x?' || false || ^/root/x[^/]$
+--------------------------||-------------------------------||--------------------------------------
+ 'list.?' || false || ^list\.[^/]$
+ ||-------------------------------||--------------------------------------
+ 'list.?' || true || ^list\.[^/]$
+ ||-------------------------------||--------------------------------------
+ 'project.*' || false || ^project\.[^/]*$
+ ||-------------------------------||--------------------------------------
+ 'project.*' || true || ^project\.[^/]*$
+ ||-------------------------------||--------------------------------------
+ '*old' || false || ^(?=[^.])[^/]*old$
+ ||-------------------------------||--------------------------------------
+ '*old' || true || ^(?=[^.])[^/]*old$
+ ||-------------------------------||--------------------------------------
+ 'type*.[ch]' || false || ^type[^/]*\.[ch]$
+ ||-------------------------------||--------------------------------------
+ 'type*.[ch]' || true || ^type[^/]*\.[ch]$
+ ||-------------------------------||--------------------------------------
+ '*.*' || false || ^(?=[^.])[^/]*\.[^/]*$
+ ||-------------------------------||--------------------------------------
+ '*.*' || true || ^(?=[^.])[^/]*\.[^/]*$
+ ||-------------------------------||--------------------------------------
+ '*' || false || ^(?=[^.])[^/]*$
+ ||-------------------------------||--------------------------------------
+ '*' || true || ^(?=[^.])[^/]*$
+ ||-------------------------------||--------------------------------------
+ '?' || false || ^[^./]$
+ ||-------------------------------||--------------------------------------
+ '?' || true || ^[^./]$
+ ||-------------------------------||--------------------------------------
+ '\*' || false || ^\*$
+ ||-------------------------------||--------------------------------------
+ '\*' || true || ^\\[^/]*$
+ ||-------------------------------||--------------------------------------
+ '\?' || false || ^\?$
+ ||-------------------------------||--------------------------------------
+ '\?' || true || ^\\[^./]$
+ ||-------------------------------||--------------------------------------
+ 'x[[:digit:]]\*' || false || ^x[[:digit:]]\*$
+ ||-------------------------------||--------------------------------------
+ 'x[[:digit:]]\*' || true || ^x[[:digit:]]\\[^/]*$
+ ||-------------------------------||--------------------------------------
+ '' || false || ^$
+ ||-------------------------------||--------------------------------------
+ '' || true || ^$
+ ||-------------------------------||--------------------------------------
+ '~/files/*.txt' || false || ^~/files/(?=[^.])[^/]*\.txt$
+ ||-------------------------------||--------------------------------------
+ '~/files/*.txt' || true || ^~/files/(?=[^.])[^/]*\.txt$
+ ||-------------------------------||--------------------------------------
+ '\' || false || ^\\$
+ ||-------------------------------||--------------------------------------
+ '\' || true || ^\\$
+ ||-------------------------------||--------------------------------------
+ '[ab' || false || INVALID
+ ||-------------------------------||--------------------------------------
+ '[ab' || true || INVALID
+ ||-------------------------------||--------------------------------------
+ '.*.conf' || false || ^\.[^/]*\.conf$
+ ||-------------------------------||--------------------------------------
+ '.*.conf' || true || ^\.[^/]*\.conf$
+ ||-------------------------------||--------------------------------------
+ 'docs/?b' || false || ^docs/[^./]b$
+ ||-------------------------------||--------------------------------------
+ 'docs/?b' || true || ^docs/[^./]b$
+ ||-------------------------------||--------------------------------------
+ 'xy/??z' || false || ^xy/[^./][^/]z$
+ ||-------------------------------||--------------------------------------
+ 'xy/??z' || true || ^xy/[^./][^/]z$
+---------------------------------------------------------------------------------------------------
+
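+ An added Python example, not the OVAL schema's or any interpreter's code: a glob_to_regex implementation for glob_noescape='false' that reproduces the rows of the table above and the rules in the list (forward slash as separator, dotfile exclusion at the start of a path segment, bracket expressions including POSIX classes copied through, error on an unterminated bracket). The glob_noescape='true' behaviour is not implemented here, and glob_matches uses Python's re engine, which does not understand the POSIX class rows:

```python
import re


class OvalEvalError(Exception):
    pass


_META = set('^$\\.[](){}*+?|')   # the Perl metacharacters OVAL requires to be escaped


def _escape(ch: str) -> str:
    return "\\" + ch if ch in _META else ch


def _bracket_end(glob: str, i: int) -> int:
    """Index just past the ']' that closes the bracket expression opened at glob[i]."""
    j = i + 1
    if j < len(glob) and glob[j] in "!^":
        j += 1
    if j < len(glob) and glob[j] == "]":        # a leading ']' is a literal member
        j += 1
    while j < len(glob):
        if glob.startswith("[:", j):            # POSIX class such as [:digit:] is atomic
            close = glob.find(":]", j + 2)
            if close == -1:
                break
            j = close + 2
            continue
        if glob[j] == "]":
            return j + 1
        j += 1
    raise OvalEvalError(f"unterminated bracket expression in {glob!r}")


def glob_to_regex(glob: str) -> str:
    """Convert a UNIX glob (glob_noescape='false') to an anchored Perl-style regular expression."""
    out = ["^"]
    i = 0
    segment_start = True                        # at the start of the pattern or right after '/'
    while i < len(glob):
        ch = glob[i]
        if ch == "\\":                          # next character is literal; a lone trailing '\' is literal
            nxt = glob[i + 1] if i + 1 < len(glob) else "\\"
            out.append(_escape(nxt))
            i += 2
        elif ch == "*":                         # never crosses '/'; no leading dot at a segment start
            out.append("(?=[^.])[^/]*" if segment_start else "[^/]*")
            i += 1
        elif ch == "?":
            out.append("[^./]" if segment_start else "[^/]")
            i += 1
        elif ch == "[":
            end = _bracket_end(glob, i)
            out.append(glob[i:end])             # bracket expression copied through verbatim
            i = end
        else:
            out.append(_escape(ch))             # '.', '~' and other literals; '/' stays a separator
            i += 1
        segment_start = ch == "/"
    out.append("$")
    return "".join(out)


def glob_matches(glob: str, path: str) -> bool:
    """Apply the converted pattern the way an OVAL pattern match against a full path would."""
    return re.fullmatch(glob_to_regex(glob), path) is not None
```

+ The dotfile and separator rules are what make '/etc/*.conf' reject both '/etc/.hidden.conf' and '/etc/ssh/sshd.conf'; a hand-written '/etc/.*\.conf' would accept both, which is the usual mistake when globs are translated by hand.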
+
+
+ A literal_component used by the glob_to_regex function must have a datatype of string.
+
+
+
+ The variable referenced by the glob_to_regex function must have a datatype of string.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The ArithmeticEnumeration simple type defines basic arithmetic operations. Currently add and multiply are defined.
+
+
+
+
+
+
+
+
+
+ The DateTimeFormatEnumeration simple type defines the different date-time formats that are understood by OVAL. Note that in some cases there are a few different possibilities within a given format. Each of these possibilities is unique though and can be distinguished from each other. The different formats are used to clarify the higher level structure of the date-time string being used.
+
+
+
+
+ The year_month_day value specifies date-time strings that follow the formats: 'yyyymmdd', 'yyyymmddThhmmss', 'yyyy/mm/dd hh:mm:ss', 'yyyy/mm/dd', 'yyyy-mm-dd hh:mm:ss', or 'yyyy-mm-dd'
+
+
+
+
+ The month_day_year value specifies date-time strings that follow the formats: 'mm/dd/yyyy hh:mm:ss', 'mm/dd/yyyy', 'mm-dd-yyyy hh:mm:ss', 'mm-dd-yyyy', 'NameOfMonth, dd yyyy hh:mm:ss' or 'NameOfMonth, dd yyyy', 'AbreviatedNameOfMonth, dd yyyy hh:mm:ss', or 'AbreviatedNameOfMonth, dd yyyy'
+
+
+
+
+ The day_month_year value specifies date-time strings that follow the formats: 'dd/mm/yyyy hh:mm:ss', 'dd/mm/yyyy', 'dd-mm-yyyy hh:mm:ss', or 'dd-mm-yyyy'
+
+
+
+
+ The win_filetime value specifies date-time strings that follow the windows file time format.
+
+
+
+
+ The seconds_since_epoch value specifies date-time values that represent the time in seconds since the UNIX epoch. The Unix epoch is the time 00:00:00 UTC on January 1, 1970.
+
+
+
+
+ The cim_datetime model is used by WMI and its value specifies date-time strings that follow the format: 'yyyymmddHHMMSS.mmmmmmsUUU', and alternatively 'yyyy-mm-dd HH:MM:SS:mmm' only when used in WMI Query Language queries.
+
+
+
+
+
+
+ The FilterActionEnumeration simple type defines the different options for filtering sets of items.
+
+
+
+
+ The exclude value specifies that all items that match the filter shall be excluded from set that the filter is applied to.
+
+
+
+
+ The include value specifies that only items that match the filter shall be included in the set that the filter is applied to.
+
+
+
+
+
+
+ The SetOperatorEnumeration simple type defines acceptable set operations. Set operations are used to take multiple different sets of objects within OVAL and merge them into a single unique set. The different operators that guide this merge are defined below. For each operator, if only a single object has been supplied, then the resulting set is simply that complete object.
+
+ Below are some tables that outline how different flags are combined with a given set_operator to return a new flag. These tables are needed when computing the flag for collected objects that represent object sets in an OVAL Definition. The top row identifies the flag associated with the first set or object reference. The left column identifies the flag associated with the second set or object reference. The matrix inside the table represent the resulting flag when the given set_operator is applied. (E=error, C=complete, I=incomplete, DNE=does not exist, NC=not collected, NA=not applicable)
+
+ || ||
+ set_operator is || obj 1 flag ||
+ union || ||
+ || E | C | I | DNE | NC | NA ||
+-----------------||-----------------------------------||
+ E || E | E | E | E | E | E ||
+ obj C || E | C | I | C | I | C ||
+ 2 I || E | I | I | I | I | I ||
+ flag DNE || E | C | I | DNE | I | DNE ||
+ NC || E | I | I | I | NC | NC ||
+ NA || E | C | I | DNE | NC | NA ||
+-----------------||-----------------------------------||
+
+
+ || ||
+ set_operator is || obj 1 flag ||
+ intersection || ||
+ || E | C | I | DNE | NC | NA ||
+-----------------||-----------------------------------||
+ E || E | E | E | DNE | E | E ||
+ obj C || E | C | I | DNE | NC | C ||
+ 2 I || E | I | I | DNE | NC | I ||
+ flag DNE || DNE | DNE | DNE | DNE | DNE | DNE ||
+ NC || E | NC | NC | DNE | NC | NC ||
+ NA || E | C | I | DNE | NC | NA ||
+-----------------||-----------------------------------||
+
+
+ || ||
+ set_operator is || obj 1 flag ||
+ complement || ||
+ || E | C | I | DNE | NC | NA ||
+-----------------||-----------------------------------||
+ E || E | E | E | DNE | E | E ||
+ obj C || E | C | I | DNE | NC | E ||
+ 2 I || E | E | E | DNE | NC | E ||
+ flag DNE || E | C | I | DNE | NC | E ||
+ NC || E | NC | NC | DNE | NC | E ||
+ NA || E | E | E | E | E | E ||
+-----------------||-----------------------------------||
+
+
+
+
+
+
+ The complement operator is defined in OVAL as a relative complement. The resulting unique set contains everything that belongs to the first declared set that is not part of the second declared set. If A and B are sets (with A being the first declared set), then the relative complement is the set of elements in A, but not in B, with the duplicates removed.
+
+
+
+
+ The intersection of two sets in OVAL results in a unique set that contains everything that belongs to both sets in the collection, but nothing else. If A and B are sets, then the intersection of A and B contains all the elements of A that also belong to B, but no other elements, with the duplicates removed.
+
+
+
+
+ The union of two sets in OVAL results in a unique set that contains everything that belongs to either of the original sets. If A and B are sets, then the union of A and B contains all the elements of A and all elements of B, with the duplicates removed.
+
+
+
+
+
+
+
+
+
+
+ The EntityAttributeGroup is a collection of attributes that are common to all entities. This group defines these attributes and their default values. Individual entities may limit allowed values for these attributes, but all entities will support these attributes.
+
+
+
+
+
+
+ - a var_ref has been supplied for the entity so no value should be provided
+ - inconsistent datatype between the variable and an associated var_ref
+
+
+ - a var_ref has been supplied for the entity so a var_check should also be provided
+
+
+ - a var_check has been supplied for the entity so a var_ref must also be provided
+
+
+ - a var_ref has been supplied for the entity so a var_check should also be provided
+
+
+ - a var_check has been supplied for the entity so a var_ref must also be provided
+
+
+
+ - The use of '' for the operation attribute of the entity is not valid given the lack of a declared datatype (hence a default datatype of string).
+
+
+ - The use of '' for the operation attribute of the entity is not valid given a datatype of binary.
+
+
+
+ - The use of '' for the operation attribute of the entity is not valid given a datatype of boolean.
+
+
+
+ - The use of '' for the operation attribute of the entity is not valid given a datatype of evr_string.
+
+
+
+ - The use of '' for the operation attribute of the entity is not valid given a datatype of debian_evr_string.
+
+
+ - The use of '' for the operation attribute of the entity is not valid given a datatype of fileset_revision.
+
+
+ - The use of '' for the operation attribute of the entity is not valid given a datatype of float.
+
+
+
+ - The use of '' for the operation attribute of the entity is not valid given a datatype of ios_version.
+
+
+ - The use of '' for the operation attribute of the entity is not valid given a datatype of int.
+
+
+
+ - The use of '' for the operation attribute of the entity is not valid given a datatype of ipv4_address.
+
+
+
+ - The use of '' for the operation attribute of the entity is not valid given a datatype of ipv6_address.
+
+
+
+ - The use of '' for the operation attribute of the entity is not valid given a datatype of string.
+
+
+ - The use of '' for the operation attribute of the entity is not valid given a datatype of version.
+
+
+ - The use of '' for the operation attribute of the entity is not valid given a datatype of record.
+
+
+
+
+ - The use of var_ref is prohibited when the datatype is 'record'.
+
+
+
+
+ - The datatype for the entity is 'int' but the value is not an integer.
+
+
+
+
+
+
+
+ The optional datatype attribute specifies how the given operation should be applied to the data. Since we are dealing with XML everything is technically a string, but often the value is meant to represent some other datatype and this affects the way an operation is performed. For example, with the statement 'is 123 less than 98'. If the data is treated as integers the answer is no, but if the data is treated as strings, then the answer is yes. Specifying a datatype defines how the less than operation should be performed. Another way of thinking of things is that the datatype attribute specifies how the data should be cast before performing the operation (note that the default datatype is 'string'). In the previous example, if the datatype is set to int, then '123' and '98' should be cast as integers. Another example is applying the 'equals' operation to '1.0.0.0' and '1.0'. With datatype 'string' they are not equal, with datatype 'version' they are. Note that there are certain cases where a cast from one datatype to another is not possible. If a cast cannot be made, (trying to cast 'abc' to an integer) then an error should be reported. For example, if the datatype is set to 'integer' and the value is the empty string. There is no way to cast the empty string (or NULL) to an integer, and in cases like this an error should be reported.
+
+
+
+
+ The optional operation attribute determines how the individual entities should be evaluated (the default operation is 'equals').
+
+
+
+
+ The optional mask attribute is used to identify values that have been hidden for sensitivity concerns.
+ This is used by the Result document which uses the System Characteristics schema to format the information found on a specific system.
+ When the mask attribute is set to 'true' on an OVAL Entity or an OVAL Field, the corresponding collected value of that OVAL Entity or OVAL Field MUST NOT be present in the "results" section of the OVAL Results document; the "oval_definitions" section must not be altered and must be an exact copy of the definitions evaluated.
+ Values MUST NOT be masked in OVAL System Characteristics documents that are not contained within an OVAL Results document.
+ It is possible for masking conflicts to occur where one entity has mask set to true and another entity has mask set to false.
+ A conflict will occur when the mask attribute is set differently on an OVAL Object and matching OVAL State or when more than one OVAL Objects identify the same OVAL Item(s).
+ When such a conflict occurs the result is always to mask the entity.
+
+
+
+
+ The optional var_ref attribute refers the value of the element to a variable element. When supplied, the value(s) associated with the OVAL Variable should be used as the value(s) of the element. If there is an error computing the value of the variable, then that error should be passed up to the element referencing it. If the variable being referenced does not have a value (for example, if the variable pertains to the size of a file, but the file does not exist) then one of two results are possible. If the element is part of an object declaration, then the object element referencing it is considered to not exist. If the element is part of a state declaration, then the state element referencing it will evaluate to error.
+
+
+
+
+ The optional var_check attribute specifies how data collection or state evaluation should proceed when an element uses a var_ref attribute, and the associated variable defines more than one value. For example, if an object entity 'filename' with an operation of 'not equal' references a variable that returns five different values, and the var_check attribute has a value of 'all', then an actual file on the system matches only if the actual filename does not equal any of the variable values. As another example, if a state entity 'size' with an operation of 'less than' references a variable that has five different integer values, and the var_check attribute has a value of 'all', then the 'size' state entity evaluates to true only if the corresponding 'size' item entity is less than each of the five integers defined by the variable. If a variable does not have any value value when referenced by an OVAL Object the object should be considered to not exist.
+ If a variable does not have any value when referenced by an OVAL State an error should be reported during OVAL analysis. When an OVAL State uses a var_ref, if both the state entity and a corresponding item entity are collections of values, the var_check is applied to each value of the item entity individually, and all must evaluate to true for the state entity to evaluate to true. In this condition, there is no value of var_check which enables an element-wise comparison, and so there is no way to determine whether the two entities are truly 'equal' in that sense. If var_ref is present but var_check is not, the element should be processed as if var_check has the value "all".
+
+
+
+
+
+
+ The EntitySimpleBaseType complex type is an abstract type that defines the default attributes associated with every simple entity. Entities can be found in both OVAL Objects and OVAL States and represent the individual properties associated with items found on a system. An example of a single entity would be the path of a file. Another example would be the version of the file.
+
+
+
+
+
+
+
+
+
+
+ The EntityComplexBaseType complex type is an abstract type that defines the default attributes associated with every complex entity. Entities can be found in both OVAL Objects and OVAL States and represent the individual properties associated with items found on a system. An example of a single entity would be the path of a file. Another example would be the version of the file.
+
+
+
+
+
+
+ The EntityObjectIPAddressType type is extended by the entities of an individual OVAL Object. This type provides uniformity to each object entity by including the attributes found in the EntitySimpleBaseType. This specific type describes any IPv4/IPv6 address or address prefix.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The EntityObjectIPAddressStringType type is extended by the entities of an individual OVAL Object. This type provides uniformity to each object entity by including the attributes found in the EntitySimpleBaseType. This specific type describes any IPv4/IPv6 address, address prefix, or its string representation.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The EntityObjectAnySimpleType type is extended by the entities of an individual OVAL Object. This type provides uniformity to each object entity by including the attributes found in the EntitySimpleBaseType. This specific type describes any simple data.
+
+
+
+
+
+
+
+
+
+
+
+
+ The EntityBinaryType type is extended by the entities of an individual OVAL Object. This type provides uniformity to each object entity by including the attributes found in the EntitySimpleBaseType. This specific type describes simple binary data. The empty string is also allowed when using a variable reference with an element.
+
+
+
+
+
+
+
+
+
+
+
+
+ The EntityBoolType type is extended by the entities of an individual OVAL Object. This type provides uniformity to each object entity by including the attributes found in the EntitySimpleBaseType. This specific type describes simple boolean data. The empty string is also allowed when using a variable reference with an element.
+
+
+
+
+
+
+
+
+
+
+
+
+ The EntityObjectFloatType type is extended by the entities of an individual OVAL Object. This type provides uniformity to each object entity by including the attributes found in the EntitySimpleBaseType. This specific type describes simple float data. The empty string is also allowed when using a variable reference with an element.
+
+
+
+
+
+
+
+
+
+
+
+
+ The EntityIntType type is extended by the entities of an individual OVAL Object. This type provides uniformity to each object entity by including the attributes found in the EntitySimpleBaseType. This specific type describes simple integer data. The empty string is also allowed when using a variable reference with an element.
+
+
+
+
+
+
+
+
+
+
+
+
+ The EntityStringType type is extended by the entities of an individual OVAL Object. This type provides uniformity to each object entity by including the attributes found in the EntitySimpleBaseType. This specific type describes simple string data.
+
+
+
+
+
+
+
+
+
+
+
+
+ The EntityObjectVersionType type is extended by the entities of an individual OVAL State. This type provides uniformity to each state entity by including the attributes found in the EntityStateSimpleBaseType. This specific type describes simple version data.
+
+
+
+
+
+
+
+
+
+
+
+
+ The EntityObjectRecordType defines an entity that consists of a number of uniquely named fields. This structure is used for representing a record from a database query and other similar structures where multiple related fields must be represented at once. Note that for all entities of this type, the only allowed datatype is 'record' and the only allowed operation is 'equals'. During analysis of a system characteristics item, each field is analyzed and then the overall result for elements of this type is computed by logically anding the results for each field and then applying the entity_check attribute.
+ Note the datatype attribute must be set to 'record'.
+
+ Note the operation attribute must be set to 'equals'.
+ Note the var_ref attribute is not permitted and the var_check attribute does not apply.
+ Note that when the mask attribute is set to 'true', all child field elements must be masked regardless of the child field's mask attribute value.
+
+
+
+
+
+
+
+
+
+
+
+ The EntityObjectFieldType defines an element with simple content that represents a named field in a record that may contain any number of named fields. The EntityObjectFieldType is much like all other entities with one significant difference, the EntityObjectFieldType has a name attribute
+ The required name attribute specifies a unique name for the field. Field names are lowercase and must be unique within a given parent record element. When analyzing system characteristics an error should be reported for the result of a field that is present in the OVAL State, but not found in the system characteristics Item.
+ The optional entity_check attribute specifies how to handle multiple record fields with the same name in the OVAL Systems Characteristics file. For example, while collecting group information where one field is the represents the users that are members of the group. It is very likely that there will be multiple fields with a name of 'user' associated with the group. If the OVAL State defines the value of the field with name equal 'user' to equal 'Fred', then the entity_check attribute determines if all values for field entities must be equal to 'Fred', or at least one value must be equal to 'Fred', etc.
+ Note that when the mask attribute is set to 'true' on a field's parent element the field must be masked regardless of the field's mask attribute value.
+
+
+
+
+
+ A string restricted to disallow upper case characters.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The EntityStateSimpleBaseType complex type is an abstract type that extends the EntitySimpleBaseType and is used by some entities within an OVAL State.
+ The optional check_existence attribute specifies how to interpret the status of corresponding item entities when performing an item-state comparison. The default value for this attribute is 'at_least_one_exists' indicating that by default an item comparison may evaluate to true only if at least one corresponding item entity has a status of 'exists'. For example, if a value of 'none_exist' is given, then the comparison can evaluate to true only if there are one or more corresponding item entities, each with a status of 'does not exist'.
+ The optional entity_check attribute specifies how to handle multiple item entities with the same name in the OVAL Systems Characteristics file. For example, suppose we are dealing with a Group Test and an entity in the state is related to the user. It is very likely that when the information about the group is collected off of the system (and represented in the OVAL System Characteristics file) that there will be multiple users associated with the group (i.e. multiple 'user' item entities associated with the same 'user' state entity). If the OVAL State defines the value of the user entity to equal 'Fred', then the entity_check attribute determines if all values for 'user' item entities must be equal to 'Fred', or at least one value must be equal to 'Fred', etc. Note that with the exception of the 'none_satisfy' check value, the entity_check attribute can only affect the result of the test if the corresponding OVAL Item allows more than one occurrence of the entity (e.g. 'maxOccurs' is some value greater than one).
+ The entity_check and var_check attributes are considered together when evaluating a single state entity. When a variable identifies more than one value and multiple item entities with the same name exist, for a single state entity, a many-to-many comparison must be conducted. In this situation, there are many values for the state entity that must be compared to many item entities. Each item entity is compared to the state entity. For each item entity, an interim result is calculated by using the var_check attribute to combine the result of comparing each variable value with a single system value. Then these interim results are combined for each system value using the entity_check attribute.
+
+
+
+
+
+
+
+
+
+
+ The EntityStateComplexBaseType complex type is an abstract type that extends the EntityComplexBaseType and is used by some entities within an OVAL State.
+ The optional check_existence attribute specifies how to interpret the status of corresponding item entities when performing an item-state comparison. The default value for this attribute is 'at_least_one_exists' indicating that by default an item comparison may evaluate to true only if at least one corresponding item entity has a status of 'exists'. For example, if a value of 'none_exist' is given, then the comparison can evaluate to true only if there are one or more corresponding item entities, each with a status of 'does not exist'.
+ The optional entity_check attribute specifies how to handle multiple item entities with the same name in the OVAL Systems Characteristics file. For example, suppose we are dealing with a Group Test and an entity in the state is related to the user. It is very likely that when the information about the group is collected off of the system (and represented in the OVAL System Characteristics file) that there will be multiple users associated with the group (i.e. multiple 'user' item entities associated with the same 'user' state entity). If the OVAL State defines the value of the user entity to equal 'Fred', then the entity_check attribute determines if all values for 'user' item entities must be equal to 'Fred', or at least one value must be equal to 'Fred', etc. Note that with the exception of the 'none_satisfy' check value, the entity_check attribute can only affect the result of the test if the corresponding OVAL Item allows more than one occurrence of the entity (e.g. 'maxOccurs' is some value greater than one).
+ The entity_check and var_check attributes are considered together when evaluating a single state entity. When a variable identifies more than one value and multiple item entities with the same name exist, for a single state entity, a many-to-many comparison must be conducted. In this situation, there are many values for the state entity that must be compared to many item entities. Each item entity is compared to the state entity. For each item entity, an interim result is calculated by using the var_check attribute to combine the result of comparing each variable value with a single system value. Then these interim results are combined for each system value using the entity_check attribute.
+
+
+
+
+
+
+
+
+
+
+ The EntityStateIPAddressType type is extended by the entities of an individual OVAL State. This type provides uniformity to each object entity by including the attributes found in the EntityStateSimpleBaseType. This specific type describes any IPv4/IPv6 address or address prefix.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The EntityStateIPAddressStringType type is extended by the entities of an individual OVAL State. This type provides uniformity to each object entity by including the attributes found in the EntityStateSimpleBaseType. This specific type describes any IPv4/IPv6 address, address prefix, or its string representation.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The EntityStateAnySimpleType type is extended by the entities of an individual OVAL State. This type provides uniformity to each state entity by including the attributes found in the EntityStateSimpleBaseType. This specific type describes any simple data.
+
+
+
+
+
+
+
+
+
+
+
+
+ The EntityStateBinaryType type is extended by the entities of an individual OVAL State. This type provides uniformity to each state entity by including the attributes found in the EntityStateSimpleBaseType. This specific type describes simple binary data. The empty string is also allowed when using a variable reference with an element.
+
+
+
+
+
+
+
+
+
+
+
+
+ The EntityStateBoolType type is extended by the entities of an individual OVAL State. This type provides uniformity to each state entity by including the attributes found in the EntityStateSimpleBaseType. This specific type describes simple boolean data. The empty string is also allowed when using a variable reference with an element.
+
+
+
+
+
+
+
+
+
+
+
+
+ The EntityStateFloatType type is extended by the entities of an individual OVAL State. This type provides uniformity to each state entity by including the attributes found in the EntityStateSimpleBaseType. This specific type describes simple float data. The empty string is also allowed when using a variable reference with an element.
+
+
+
+
+
+
+
+
+
+
+
+
+ The EntityStateIntType type is extended by the entities of an individual OVAL State. This type provides uniformity to each state entity by including the attributes found in the EntityStateSimpleBaseType. This specific type describes simple integer data. The empty string is also allowed when using a variable reference with an element.
+
+
+
+
+
+
+
+
+
+
+
+
+ The EntityStateEVRStringType type is extended by the entities of an individual OVAL State. This type provides uniformity to each state entity by including the attributes found in the EntityStateSimpleBaseType. This type represents the epoch, version, and release fields, for an RPM package, as a single version string. It has the form "EPOCH:VERSION-RELEASE". Note that a null epoch (or '(none)' as returned by rpm) is equivalent to '0' and would hence have the form 0:VERSION-RELEASE. Comparisons involving this datatype should follow the algorithm of librpm's rpmvercmp() function.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The EntityStateDebianEVRStringType type is extended by the entities of an individual OVAL State. This type provides uniformity to each state entity by including the attributes found in the EntityStateSimpleBaseType. This type represents the epoch, upstream_version, and debian_revision fields, for a Debian package, as a single version string. It has the form "EPOCH:UPSTREAM_VERSION-DEBIAN_REVISION". Note that a null epoch (or '(none)' as returned by dpkg) is equivalent to '0' and would hence have the form 0:UPSTREAM_VERSION-DEBIAN_REVISION. Comparisons involving this datatype should follow the algorithm outlined in Chapter 5 of the "Debian Policy Manual" (https://www.debian.org/doc/debian-policy/ch-controlfields.html#s-f-Version). An implementation of this is the cmpversions() function in dpkg's enquiry.c.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The EntityStateVersionType type is extended by the entities of an individual OVAL State. This type provides uniformity to each state entity by including the attributes found in the EntityStateSimpleBaseType. This specific type describes simple version data.
+
+
+
+
+
+
+
+
+
+
+
+
+ The EntityStateFileSetRevisionType type is extended by the entities of an individual OVAL State. This type provides uniformity to each state entity by including the attributes found in the EntityStateSimpleBaseType. This specific type represents the version string related to filesets in HP-UX.
+
+
+
+
+
+
+
+
+
+
+
+
+ The EntityStateIOSVersionType type is extended by the entities of an individual OVAL State. This type provides uniformity to each state entity by including the attributes found in the EntityStateSimpleBaseType. This specific type represents the version string related to CISCO IOS.
+
+
+
+
+
+
+
+
+
+
+
+
+ 'string' is included to allow for regular expressions on IOS version strings.
+
+
+
+
+
+
+
+
+
+
+ The EntityStateStringType type is extended by the entities of an individual OVAL State. This type provides uniformity to each state entity by including the attributes found in the EntityStateSimpleBaseType. This specific type describes simple string data.
+
+
+
+
+
+
+
+
+
+
+
+
+ The EntityStateRecordType defines an entity that consists of a number of uniquely named fields. This structure is used for representing a record from a database query and other similar structures where multiple related fields must be collected at once. Note that for all entities of this type, the only allowed datatype is 'record' and the only allowed operation is 'equals'. During analysis of a system characteristics item, each field is analyzed and then the overall result for elements of this type is computed by logically anding the results for each field and then applying the entity_check attribute.
+ Note the datatype attribute must be set to 'record'.
+
+ Note the operation attribute must be set to 'equals'.
+ Note the var_ref attribute is not permitted and the var_check attribute does not apply.
+ Note that when the mask attribute is set to 'true', all child field elements must be masked regardless of the child field's mask attribute value.
+
+
+
+
+
+
+
+
+
+
+
+ The EntityStateFieldType defines an element with simple content that represents a named field in a record that may contain any number of named fields. The EntityStateFieldType is much like all other entities with one significant difference, the EntityStateFieldType has a name attribute
+ The required name attribute specifies a unique name for the field. Field names are lowercase and must be unique within a given parent record element. When analyzing system characteristics an error should be reported for the result of a field that is present in the OVAL State, but not found in the system characteristics Item.
+ The optional entity_check attribute specifies how to handle multiple record fields with the same name in the OVAL Systems Characteristics file. For example, while collecting group information where one field is the represents the users that are members of the group. It is very likely that there will be multiple fields with a name of 'user' associated with the group. If the OVAL State defines the value of the field with name equal 'user' to equal 'Fred', then the entity_check attribute determines if all values for field entities must be equal to 'Fred', or at least one value must be equal to 'Fred', etc.
+ Note that when the mask attribute is set to 'true' on a field's parent element the field must be masked regardless of the field's mask attribute value.
+
+
+
+
+
+ A string restricted to disallow upper case characters.
+
+
+
+
+
+
+
+
+
+
+
+
+
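Review bot: the documentation for EntityObjectVersionType is copied from a state type: it says the type is extended by entities of an individual OVAL State and includes the attributes found in EntityStateSimpleBaseType, while every other object type in this hunk (EntityStringType, EntityObjectFloatType, EntityObjectRecordType) is described as extended by entities of an OVAL Object and built on EntitySimpleBaseType; the sentence should read "extended by the entities of an individual OVAL Object ... the attributes found in the EntitySimpleBaseType". The mirror-image slip appears in EntityStateIPAddressType and EntityStateIPAddressStringType, which say they provide uniformity to "each object entity" although they are state types (compare EntityStateAnySimpleType, which says "state entity"). Minor text issues in the same region: "value value" in the var_check paragraph, "Abreviated" in the month_day_year description, and the operation-validity messages that read "The use of '' for the operation attribute", where the quoted operation value renders as empty; confirm the message still interpolates the attribute value.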
diff --git a/oval-schemas/oval-directives-schema.xsd b/oval-schemas/oval-directives-schema.xsd
new file mode 100644
index 0000000..9d9caa0
--- /dev/null
+++ b/oval-schemas/oval-directives-schema.xsd
@@ -0,0 +1,85 @@
+
+
+
+
+
+
+ The following is a description of the elements, types, and attributes that compose the core schema for encoding Open Vulnerability and Assessment Language (OVAL) Directives. Each of the elements, types, and attributes that make up the Core Directives Schema are described in detail and should provide the information necessary to understand what each object represents. This document is intended for developers and assumes some familiarity with XML. A high level description of the interaction between these objects is not outlined here.
+ The OVAL Schema is maintained by The MITRE Corporation and developed by the public OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.mitre.org.
+
+ Core Directives
+ 5.11.2
+ 11/30/2016 09:00:00 AM
+ Copyright (c) 2016, Center for Internet Security. All rights reserved. The contents of this file are subject to the terms of the OVAL License located at https://oval.cisecurity.org/terms. See the OVAL License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the OVAL Schema, this license header must be included.
+
+
+
+
+
+
+
+
+ The oval_directives element is the root of an OVAL Directive Document. Its purpose is to bind together the generator and the set of directives contained in the document. The generator section must be present and provides information about when the directives document was compiled and under what version. The optional Signature element allows an XML Signature as defined by the W3C to be attached to the document. This allows authentication and data integrity to be provided to the user. Enveloped signatures are supported. More information about the official W3C Recommendation regarding XML digital signatures can be found at http://www.w3.org/TR/xmldsig-core/.
+
+
+
+
+
+ The required generator section provides information about when the directives document was compiled and under what version.
+
+
+
+
+ The required directives section presents flags describing what information must be been included in an oval results document. This element represents the default set of directives. These directives apply to all classes of definitions for which there is not a class specific set of directives.
+
+
+
+
+ The optional class_directives section presents flags describing what information has been included in the results document for a specific OVAL Definition class. The directives for a particlar class override the default directives.
+
+
+
+
+ The optional Signature element allows an XML Signature as defined by the W3C to be attached to the document. This allows authentication and data integrity to be provided to the user. Enveloped signatures are supported. More information about the official W3C Recommendation regarding XML digital signatures can be found at http://www.w3.org/TR/xmldsig-core/.
+
+
+
+
+
+
+ The class attribute on class_directives must be unique.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
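Review bot: the header documentation in this hunk still says the schema "is maintained by The MITRE Corporation" and points to http://oval.mitre.org, while the results and system-characteristics schemas added in the same patch say "maintained by the OVAL Community" at http://oval.cisecurity.org, and the copyright line here already names the Center for Internet Security; align the maintainer sentence and URL with the other files. Two typos in the same region: "what information must be been included" (drop "been") and "particlar" (particular).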
diff --git a/oval-schemas/oval-results-schema.xsd b/oval-schemas/oval-results-schema.xsd
new file mode 100644
index 0000000..267be4b
--- /dev/null
+++ b/oval-schemas/oval-results-schema.xsd
@@ -0,0 +1,612 @@
+
+
+
+
+
+
+
+ The following is a description of the elements, types, and attributes that compose the core schema for encoding Open Vulnerability and Assessment Language (OVAL) Results. Each of the elements, types, and attributes that make up the Core Results Schema are described in detail and should provide the information necessary to understand what each object represents. This document is intended for developers and assumes some familiarity with XML. A high level description of the interaction between these objects is not outlined here.
+ The OVAL Schema is maintained by the OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.cisecurity.org.
+
+ Core Results
+ 5.11.2
+ 11/30/2016 09:00:00 AM
+ Copyright (c) 2016, Center for Internet Security. All rights reserved. The contents of this file are subject to the terms of the OVAL License located at https://oval.cisecurity.org/terms. See the OVAL License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the OVAL Schema, this license header must be included.
+
+
+
+
+
+
+
+
+ The oval_results element is the root of an OVAL Results Document. Its purpose is to bind together the four major sections of a results document - generator, directives, oval_definitions, and results - which are the children of the root element. It must contain exactly one generator section, one directives section, and one results section.
+
+
+
+
+
+ The required generator section provides information about when the results document was compiled and under what version.
+
+
+
+
+ The required directives section presents flags describing what information has been included in the results document. This element represents the default set of directives. These directives apply to all classes of definitions for which there is not a class specific set of directives.
+
+
+
+
+ The source OVAL Definition document must be included when the directives include_source_definitions attribute is set to true.
+
+
+
+
+ The source OVAL Definition document must not be included when the directives include_source_definitions attribute is set to false.
+
+
+
+
+
+
+
+
+ The optional class_directives section presents flags describing what information has been included in the results document for a specific OVAL Definition class. The directives for a particlar class override the default directives. Using OVAL Results class_directives, an OVAL Results document dealing with vulnerabilities might by default include only minimal information and then include full details for all vulnerability definitions that evaluated to true.
+
+
+
+
+ The oval_definitions section is optional and dependent on the include_source_definitions attribute of the directives element. Its purpose is to provide an exact copy of the definitions evaluated for the results document.
+
+
+
+
+ The required results section holds all the results of the evaluated definitions.
+
+
+
+
+ The optional Signature element allows an XML Signature as defined by the W3C to be attached to the document. This allows authentication and data integrity to be provided to the user. Enveloped signatures are supported. More information about the official W3C Recommendation regarding XML digital signatures can be found at http://www.w3.org/TR/xmldsig-core/.
+
+
+
+
+
+
+ The class attribute on class_directives must be unique.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The DirectivesType complex type presents a set of flags that describe what information has been included in the results document. There are six possible results (true, false, unknown, error, not evaluated, and not applicable) for the evaluation of an OVAL Definition. The directives state which of these results are being reported in the results document.
+
+
+
+
+
+
+
+
+
+
+
+
+ The DefaultDirectivesType complex type presents the default set of flags that describe what information has been included in the results document. See the definition of the oval-res:DirectivesType for more information.
+ The optional include_source_definitions attribute indicates whether or not the source OVAL Definitions document has been included in the results document. A value of false indicates that the source OVAL Definitions has not been included. By default the source document is included.
+
+
+
+
+
+
+
+
+
+ The ClassDirectivesType complex type presents a set of flags that describe what information has been included in the results document for a specific OVAL Definition class. See the definition of the oval-res:DirectivesType for more information.
+ The required class attribute allows a set of directives to be specified for each supported OVAL Definition class (See the definition of the oval:ClassEnumeration for more information about the supported classes). A set of class specific directives overrides the default directives for the specified definition class. A given class may be specified once.
+
+
+
+
+
+
+
+
+
+ An individual directive element determines whether or not a specific type of result is included in the results document. The required reported attribute controls this by providing a true or false for the specific directive. The optional content attribute controls how much information about the specific result is provided. For example, thin content would only be the id of the definition and the result, while a full content set would be the definition id with the result along with results for all the individual tests and extended definitions. Please refer to the oval-res:ContentEnumeration for details about the different content options.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The ResultsType complex type is a container for one or more system elements. Each system element defines the results associated with an individual system. Please refer to the description of SystemType for more information about an individual system element.
+
+
+
+
+
+ Enforce uniqueness in the combination of OVAL id, version, and variable_instance in order to differentiate the individual definition elements.
+
+
+
+
+
+
+
+
+ Enforce uniqueness in the combination of the individual test ids, version, and the variable_instance of the test.
+
+
+
+
+
+
+
+
+ Requires each definition reference (used by extend_definitions) to refer to a valid definition id.
+
+
+
+
+
+
+
+
+ Requires each test reference to refer to a valid test id.
+
+
+
+
+
+
+
+
+
+
+
+ The SystemType complex type holds the evaluation results of the definitions and tests, as well as a copy of the OVAL System Characteristics used to perform the evaluation. The definitions section holds the results of the definitions and the tests section holds the results of the tests. The oval_system_characteristics section is a copy of the System Characteristics document used to perform the evaluation of the OVAL Definitions.
+
+
+
+
+
+ The tests element should not be included unless full results are to be provided (see directives)
+
+
+
+
+
+ The tests element should be included when full results are specified (see directives)
+
+
+
+
+
+
+
+
+
+
+
+
+
+ item - a value for the entity should only be supplied if the mask attribute is 'false'.
+
+
+
+
+
+
+
+
+
+ The DefinitionsType complex type is a container for one or more definition elements. Each definition element holds the result of the evaluation of an OVAL Definition. Please refer to the description of DefinitionType for more information about an individual definition element.
+
+
+
+
+
+
+
+ The DefinitionType complex type holds the result of the evaluation of an OVAL Definition. The message element holds an error message or some other string that the analysis engine wishes to pass along. In addition, the optional criteria element provides the results of the individual pieces of the criteria. Please refer to the description of the CriteriaType for more information.
+ The required definition_id attribute is the OVAL id of the definition.
+ The required version attribute is the specific version of the OVAL Definition used during analysis.
+ The optional variable_instance attribute is a unique id that differentiates each unique instance of a definition. Capabilities that use OVAL may reference the same definition multiple times and provide different variable values each time the definition is referenced. This will result in multiple instances of a definition being included in the OVAL Results document (definitions that do not use variables can only have one unique instance). The inclusion of this unique instance identifier allows the OVAL Results document to associate the correct objects and items for each combination of supplied values.
+ The optional class attribute ...
+ The required result attribute holds the result of the evaluation. Please refer to the description of the ResultEnumeration for details about the different result values.
+
+
+
+
+
+
+ - definitions with a result of TRUE should not be included (see directives)
+
+
+ - definitions with a result of TRUE should contain THIN content (see directives)
+
+
+
+
+
+
+ - definitions with a result of TRUE should not be included (see directives)
+
+
+ - definitions with a result of TRUE should contain FULL content (see directives)
+
+
+
+
+
+
+ - definitions with a result of FALSE should not be included (see directives)
+
+
+ - definitions with a result of FALSE should contain THIN content (see directives)
+
+
+
+
+
+
+ - definitions with a result of FALSE should not be included (see directives)
+
+
+ - definitions with a result of FALSE should contain FULL content (see directives)
+
+
+
+
+
+
+ - definitions with a result of UNKNOWN should not be included (see directives)
+
+
+ - definitions with a result of UNKNOWN should contain THIN content (see directives)
+
+
+
+
+
+
+ - definitions with a result of UNKNOWN should not be included (see directives)
+
+
+ - definitions with a result of UNKNOWN should contain FULL content (see directives)
+
+
+
+
+
+
+ - definitions with a result of ERROR should not be included (see directives)
+
+
+ - definitions with a result of ERROR should contain THIN content (see directives)
+
+
+
+
+
+
+ - definitions with a result of ERROR should not be included (see directives)
+
+
+ - definitions with a result of ERROR should contain FULL content (see directives)
+
+
+
+
+
+
+ - definitions with a result of NOT EVALUATED should not be included (see directives)
+
+
+ - definitions with a result of NOT EVALUATED should contain THIN content (see directives)
+
+
+
+
+
+
+ - definitions with a result of NOT EVALUATED should not be included (see directives)
+
+
+ - definitions with a result of NOT EVALUATED should contain FULL content (see directives)
+
+
+
+
+
+
+ - definitions with a result of NOT APPLICABLE should not be included (see directives)
+
+
+ - definitions with a result of NOT APPLICABLE should contain THIN content (see directives)
+
+
+
+
+
+
+ - definitions with a result of NOT APPLICABLE should not be included (see directives)
+
+
+ - definitions with a result of NOT APPLICABLE should contain FULL content (see directives)
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The CriteriaType complex type describes the high level container for all the tests and represents the meat of the definition. Each criteria can contain other criteria elements in a recursive structure allowing complex logical trees to be constructed. Each referenced test is represented by a criterion element. Please refer to the description of the CriterionType for more information about and individual criterion element. The optional extend_definition element allows existing definitions to be included in the criteria. Refer to the description of the ExtendDefinitionType for more information.
+ The required operator attribute provides the logical operator that binds the different statements inside a criteria together. The optional negate attribute signifies that the result of an extended definition should be negated during analysis. For example, consider a definition that evaluates TRUE if a certain software is installed. By negating the definition, it now evaluates to TRUE if the software is NOT installed. The required result attribute holds the result of the evaluation of the criteria. Note that this would be after any negation operation has been applied. Please refer to the description of the ResultEnumeration for details about the different result values.
+ The optional applicability_check attribute provides a Boolean flag that when true indicates that the criteria is being used to determine whether the OVAL Definition applies to a given system.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The CriterionType complex type identifies a specific test that is included in the definition's criteria.
+ The optional applicability_check attribute provides a Boolean flag that when true indicates that the criterion is being used to determine whether the OVAL Definition applies to a given system.
+ The required test_ref attribute is the actual id of the included test.
+ The required version attribute is the specific version of the OVAL Test used during analysis.
+ The optional variable_instance attribute differentiates between unique instances of a test. This can happen when a test includes a variable reference and different variable values are used by different definitions.
+ The optional negate attribute signifies that the result of an individual test should be negated during analysis. For example, consider a test that evaluates to TRUE if a specific patch is installed. By negating this test, it now evaluates to TRUE if the patch is NOT installed.
+ The required result attribute holds the result of the evaluation. Please refer to the description of the ResultEnumeration for details about the different result values.
+
+
+
+
+
+
+
+
+
+
+ The ExtendDefinitionType complex type identifies a specific definition that has been extended by the criteria.
+ The optional applicability_check attribute provides a Boolean flag that when true indicates that the extend_definition is being used to determine whether the OVAL Definition applies to a given system.
+ The required definition_ref attribute is the actual id of the extended definition.
+ The required version attribute is the specific version of the OVAL Definition used during analysis.
+ The optional variable_instance attribute is a unique id that differentiates each unique instance of a definition. Capabilities that use OVAL may reference the same definition multiple times and provide different variable values each time the definition is referenced. This will result in multiple instances of a definition being included in the OVAL Results document (definitions that do not use variables can only have one unique instance). The inclusion of this unique instance identifier allows the OVAL Results document to associate the correct objects and items for each combination of supplied values.
+ The optional negate attribute signifies that the result of an extended definition should be negated during analysis. For example, consider a definition that evaluates TRUE if certain software is installed. By negating the definition, it now evaluates to TRUE if the software is NOT installed.
+ The required result attribute holds the result of the evaluation. Please refer to the description of the ResultEnumeration for details about the different result values.
+
+
+
+
+
+
+
+
+
+
+ The TestsType complex type is a container for one or more test elements. Each test element holds the result of the evaluation of an OVAL Test. Please refer to the description of TestType for more information about an individual test element.
+
+
+
+
+
+
+
+ The TestType complex type provides a reference to every item that matched the object section of the original test as well as providing an overall test result based on those items. The optional message element holds an error message or some other string that the analysis engine wishes to pass along. The optional tested_variable elements hold the value of each variable used by the test during evaluation. This includes the values used in both OVAL Objects and OVAL States. If a variable represents a collection of values, then multiple tested_variable elements would exist with the same variable_id attribute. Please refer to the description of oval-res:TestedVariableType for more information.
+ The required test_id attribute identifies the test and must conform to the format specified by the oval:TestIDPattern simple type.
+ The required version attribute is the specific version of the OVAL Test used during analysis.
+ The optional variable_instance attribute differentiates between unique instances of a test. This can happen when a test includes a variable reference and different values for that variable are used by different definitions.
+ The check_existence, check, and state_operator attributes reflect the values that were specified on the test as it was evaluated. These evaluation control attributes are copied into the OVAL Results file to enable post processing of results documents. More information on each of these attributes is provided with the definition of the oval-def:TestType.
+ The required result attribute holds the result of the evaluation after all referenced items have been examined and the evaluation control attributes have been applied. Please refer to the description of the oval-res:ResultEnumeration for details about the different result values. In general, the overall result of an OVAL Test is determined by combining the results of each matching item based first on the check_existence attribute, then the check attribute, and finally the state_operator attribute.
+ The following section provides a more detailed description of how the result for an OVAL Test is determined when using an OVAL System Characteristics document. An OVAL System Characteristics document can contain an optional collected_objects section. When the collected_objects section is present the following rules specify how the overall result for an OVAL Test is determined: When an oval-sc:collected_objects/oval-sc:object with an id that matches the OVAL Object id that is referenced by the OVAL Test is not found, the result for the OVAL Test must be "unknown". When the flag attribute of the corresponding oval-sc:collected_objects/oval-sc:object is "error", the result of the OVAL Test must be "error". When the flag attribute of the corresponding oval-sc:collected_objects/oval-sc:object is "not collected", the result of the OVAL Test must be "unknown". When the flag attribute of the corresponding oval-sc:collected_objects/oval-sc:object is "not applicable", the result of the OVAL Test must be "not applicable". When the flag attribute of the corresponding oval-sc:collected_objects/oval-sc:object is "does not exist", the result of the OVAL Test is determined by examining the check_existence attribute's value and if the check_existence attribute is "none_exist" or "any_exist" the OVAL Test should evaluate to "true", for all other values of the check_existence attribute the OVAL Test should evaluate to "false". The check and state_operator attributes do not need to be considered in this condition. When the flag attribute of the corresponding oval-sc:collected_objects/oval-sc:object is "complete", the result of the OVAL Test is determined by first evaluating the check_existence attribute specified by the OVAL Test and then evaluating the check and state_operator attributes. The check attribute only needs to be considered if the result of evaluating the check_existence attribute is "true". 
When the flag attribute of the corresponding oval-sc:collected_objects/oval-sc:object is "incomplete", the result of the OVAL Test must be "unknown" with the following exceptions: 1) When the check_existence attribute of the OVAL Test is set to "none_exist" and the collected object has 1 or more item references with a status of "exists", a result of "false" must be reported; 2) When the check_existence attribute of the OVAL Test is set to "only_one_exists", the collected object has more than 1 item reference with a status of "exists", a result of "false" must be reported; 3) If after evaluating the check_existence attribute a non "true" result has not been determined, the check attribute must be considered as follows: 3a) If the check attribute evaluation results in "false", then the OVAL Test result must be "false"; 3b) If the check attribute is set to "at_least_one_satisfies" and its evaluation results in "true", the OVAL Test result must be "true". When the collected_objects section is not present in the OVAL System Characteristics document, the evaluation engine must search the system characteristics for all Items that match the OVAL Object referenced by the OVAL Test. The set of matching OVAL Items is then evaluated first based on the check_existence attribute, then the check attribute, and finally the state_operator attribute.
+
+
+
+ - the specified test is not used in any definition's criteria
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The TestedItemType complex type holds a reference to a system characteristic item that matched the object specified in a test. Details of the item can be found in the oval_system_characteristics section of the OVAL Results document by using the required item_id. The optional message element holds an error message or some other message that the analysis engine wishes to pass along. The required result attribute holds the result of the evaluation of the individual item as it relates to the state specified by the test. If the test did not include a state reference then the result attribute will be set to 'not evaluated'. Please refer to the description of the ResultEnumeration for details about the different result values.
+
+
+
+
+
+
+
+
+
+ The TestedVariableType complex type holds the value of a variable used during the evaluation of a test. Of special importance are the values of any external variables used since these values are not captured in either the definition or system characteristic documents. If a variable is represented by a collection of values, then multiple elements of TestedVariableType, each with the same variable_id attribute, would exist. The required variable_id attribute is the unique id of the variable that was used.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The ContentEnumeration defines the valid values for the directives controlling the amount of expected depth found in the results document. Each directive specified at the top of an OVAL Results document defines how much information should be included in the document for each of the different result types. The amount of content that is expected with each value is defined by Schematron statements embedded throughout the OVAL Results Schema. Currently, the enumeration defines two values: thin and full. Please refer to the documentation of each individual value of this enumeration for more information about what each means.
+
+
+
+
+ A value of 'thin' means only the minimal amount of information will be provided. This is the id associated with an evaluated OVAL Definition and the result of the evaluation. The criteria child element of a definition should not be present when providing thin results. In addition, system characteristic information for the objects used by the given definition should not be presented.
+
+
+
+
+ A value of 'full' means that very detailed information will be provided allowing in-depth reports to be generated from the results. In addition to the results of the evaluated definition, the results of all extended definitions and tests included in the criteria as well as the actual information collected off the system must be presented.
+
+
+
+
+
+
+ The ResultEnumeration defines the acceptable result values for the DefinitionType, CriteriaType, CriterionType, ExtendDefinitionType, TestType, and TestedItemType constructs.
+
+
+
+
+ When evaluating a definition or test, a result value of 'true' means that the characteristics being evaluated match the information represented in the system characteristic document. When evaluating a tested_item, and a state exists, a result value of 'true' indicates that the item matches the state.
+
+
+
+
+ When evaluating a definition or test, a result value of 'false' means that the characteristics being evaluated do not match the information represented in the system characteristic document. When evaluating a tested_item, and a state exists, a result value of 'false' indicates that the item does not match the state.
+
+
+
+
+ When evaluating a definition or test, a result value of 'unknown' means that the characteristics being evaluated cannot be found in the system characteristic document (or the characteristics can be found but collected object flag is 'not collected'). For example, assume that a definition tests a file, but data pertaining to that file cannot be found and is not recorded in the System Characteristics document. The lack of an item (in the system_data section) for this file in the System Characteristics document means that no attempt was made to collect information about the file. In this situation, there is no way of knowing what the result would be if the file was collected. Note that finding a collected_object element in the system characteristic document is not the same as finding a matching element of the system. When evaluating an OVAL Test, the lack of a matching object on a system (for example, file not found) does not cause a result of unknown since an test considers both the state of an item and its existence. In this case the test result would be based on the existence check specified by the check_existence attribute on the test. When evaluating a tested_item, and a state exists, a result value of 'unknown' indicates that it could not be determined whether or not the item and state match. For example, if a registry_object with a hive equal to HKEY_LOCAL_MACHINE, a key with the xsi:nil attribute set to 'true', and a name with the xsi:nil attribute set to 'true' was collected and compared against a registry_state with key entity equal to 'SOFTWARE', the tested_item result would be 'unknown' because an assertion of whether or not the item matches the state could not be determined since the key entity of the item was not collected.
+
+
+
+
+ When evaluating a definition or test, a result value of 'error' means that the characteristics being evaluated exist in the system characteristic document but there was an error either collecting information or in performing analysis. For example, if there was an error returned by an api when trying to determine if an object exists on a system. Another example would be: xsi:nil might be set on an object entity, but then the entity is compared to a state entity with a value, thus producing an error. When evaluating a tested_item, and a state exists, a result value of 'error' indicates that there was either an error collecting the item or there was an error analyzing the item against the state. For example, a tested_item will receive a result value of 'error' if an attempt is made to compare a state entity against an item entity that has a status of 'error'.
+
+
+
+
+ When evaluating a definition or test, a result value of 'not evaluated' means that a choice was made not to evaluate the given definition or test. The actual result is not known since if evaluation had occurred the result could have been either true or false. When evaluating a tested_item, a result value of 'not evaluated' indicates that a state was not specified and is equivalent to an existence check.
+
+
+
+
+ When evaluating a definition or test, a result value of 'not applicable' means that the definition or test being evaluated is not valid on the given platform. For example, trying to collect Linux RPM information on a Windows system is not possible and so a result of not applicable is used. Another example would be in trying to collect RPM information on a linux system that does not have the RPM packaging system installed.
+
+
+
+
+
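Review bot: one line inside this hunk, the paragraph beginning "When the flag attribute of the corresponding oval-sc:collected_objects/oval-sc:object is "incomplete"", lacks the leading "+" marker that every other added line carries, so the hunk is malformed as shown and will not apply cleanly; restore the prefix. The DefinitionType documentation also contains an unfinished placeholder, "The optional class attribute ...", which should be completed or removed before merge. Smaller wording issues: "particlar" in the class_directives description and "since an test" in the 'unknown' result description.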
diff --git a/oval-schemas/oval-system-characteristics-schema.xsd b/oval-schemas/oval-system-characteristics-schema.xsd
new file mode 100644
index 0000000..1034580
--- /dev/null
+++ b/oval-schemas/oval-system-characteristics-schema.xsd
@@ -0,0 +1,642 @@
+
+
+
+
+
+ The following is a description of the elements, types, and attributes that compose the core schema for encoding Open Vulnerability and Assessment Language (OVAL) System Characteristics. The Core System Characteristics Schema defines all operating system independent objects. These objects are extended and enhanced by individual family schemas, which are described in separate documents. Each of the elements, types, and attributes that make up the Core System Characteristics Schema are described in detail and should provide the information necessary to understand what each object represents. This document is intended for developers and assumes some familiarity with XML. A high level description of the interaction between these objects is not outlined here.
+ The OVAL Schema is maintained by the OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.cisecurity.org.
+
+ Core System Characteristics
+ 5.11.2
+ 11/30/2016 09:00:00 AM
+ Copyright (c) 2016, Center for Internet Security. All rights reserved. The contents of this file are subject to the terms of the OVAL License located at https://oval.cisecurity.org/terms. See the OVAL License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the OVAL Schema, this license header must be included.
+
+
+
+
+
+
+
+
+
+ The system_characteristics element is the root of an OVAL System Characteristics Document, and must occur exactly once. Its purpose is to bind together the four major sections of a system characteristics file - generator, system_info, collected_objects, and system_data - which are the children of the oval_system_characteristics element.
+
+
+
+
+
+ The generator section must be present and provides information about when the system characteristics file was compiled and under what version.
+
+
+
+
+ The required system_info element is used to record information about the system being described.
+
+
+
+
+ The optional collected_objects section is used to associated the ids of the OVAL Objects collected with the system characteristics items that have been defined. The collected_objects section provides a listing of all the objects used to generate this system characteristics file.
+
+
+
+
+ The optional system_data section defines the specific characteristics that have been collected from the system.
+
+
+
+
+ The optional Signature element allows an XML Signature as defined by the W3C to be attached to the document. This allows authentication and data integrity to be provided to the user. Enveloped signatures are supported. More information about the official W3C Recommendation regarding XML digital signatures can be found at http://www.w3.org/TR/xmldsig-core/.
+
+
+
+
+
+
+ Enforce uniqueness amongst the individual object ids used in the collected object section.
+
+
+
+
+
+
+
+
+ Enforce uniqueness amongst the individual item ids.
+
+
+
+
+
+
+ Require that each item reference refers to a valid item id.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The SystemInfoType complex type specifies general information about the system that data was collected from, including information that can be used to identify the system. See the description of the InterfacesType complex type for more information. Note that the high level interfaces is required due to the inclusion of the xsd:any tag that follows it. The interfaces tag can be empty if no single interface is present.
+ Additional system information is also allowed although it is not part of the official OVAL Schema. Individual organizations can place system information that they feel is important and these will be skipped during the validation. All OVAL really cares about is that the required system information items are there.
+
+
+
+
+ The required os_name elements describes the operating system of the machine the data was collected on.
+
+
+
+
+ The required os_version elements describe the operating system version of the machine the data was collected on.
+
+
+
+
+ The required architecture element describes the hardware architecture type of the system data was collected on.
+
+
+
+
+ The required primary_host_name element is the primary host name of the machine the data was collected on.
+
+
+
+
+ The required interfaces element outlines the network interfaces that exist on the system.
+
+
+
+
+ The Asset Identification specification (http://scap.nist.gov/specifications/ai/) provides a standardized way of reporting asset information across different organizations.
+ The information contained within an AI computing-device element is similar to the information collected by OVAL's SystemInfoType.
+ To support greater interoperability, an ai:computing-device element describing the system that data was collected from may appear at this point in an OVAL System Characteristics document.
+
+
+
+
+
+
+ The InterfacesType complex type is a container for zero or more interface elements. Each interface element is used to describe an existing network interface on the system.
+
+
+
+
+ Please refer to the description of the InterfaceType for more information.
+
+
+
+
+
+
+ The InterfaceType complex type is used to describe an existing network interface on the system. This information can help identify a specific system on a given network.
+
+
+
+
+ The required interface_name element is the name of the interface
+
+
+
+
+ The required ip_address element holds the IP address for the interface. Note that the IP address can be IPv4 or IPv6.
+
+
+
+
+ The required mac_address element holds the MAC address for the interface. MAC addresses should be formatted according to the IEEE 802-2001 standard which states that a MAC address is a sequence of six octet values, separated by hyphens, where each octet is represented by two hexadecimal digits. Uppercase letters should also be used to represent the hexadecimal digits A through F.
+
+
+
+
+
+
+
+
+
+ The CollectedObjectsType complex type states all the objects that have been collected by the system characteristics file. The details of each object are defined by the global OVAL object that is identified by the id.
+
+
+
+
+
+
+
+ The ObjectType complex type provides a reference between items collected and a related global OVAL Object.
+ If an OVAL Object does not exist on the system, then an object element is still provided but with the flag attribute set to 'does not exist'. For details on how to handle items, when an OVAL Object does not exist on the system, please see the ItemType documentation. This shows that the object was looked for but not found on the system. If no object element is written in this case, users of the system characteristics file will not know whether the object was not found or no attempt was made to collect it.
+ The required id attribute is the id of the global OVAL Object.
+ The required version attribute is the specific version of the global OVAL Object that was used by the data collection engine. The version is necessary so that analysis using a system characteristics file knows exactly what was collected.
+ The optional variable_instance identifier is a unique id that differentiates each unique instance of an object. Capabilities that use OVAL may reference the same definition multiple times and provide different variable values each time the definition is referenced. This will result in multiple instances of an object being included in the OVAL System Characteristics file (definitions that do not use variables can only have one unique instance). The inclusion of this unique instance identifier allows the OVAL Results document to associate the correct objects and items for each combination of supplied values.
+ The optional comment attribute provides a short description of the object.
+ The required flag attribute holds information regarding the outcome of the data collection. For example, if there was an error looking for items that match the object specification, then the flag would be 'error'. Please refer to the description of FlagEnumeration for details about the different flag values.
+
+
+
+
+ The optional message element holds an error message or some other string that the data collection engine wishes to pass along.
+
+
+
+
+ The optional variable_value elements define the actual value(s) used during data collection of any variable referenced by the object (as well as any object referenced via a set element). An OVAL Object that includes a variable maybe have a different unique set of matching items depending on the value assigned to the variable. A tool that is given an OVAL System Characteristics file in order to analyze an OVAL Definition needs to be able to determine the exact instance of an object to use based on the variable values supplied. If a variable represents a collection of values, then multiple variable_value elements would exist with the same variable_id attribute.
+
+
+
+
+ The optional reference element links the collected item found by the data collection engine and the global OVAL Object. A global OVAL Object my have multiple matching items on a system. For example a global file object that is a pattern match might match 10 different files on a specific system. In this case, there would be 10 reference elements, one for each of the files found on the system.
+
+
+
+
+
+
+
+
+
+
+
+ The VariableValueType complex type holds the value to a variable used during the collection of an object. The required variable_id attribute is the unique id of the variable being identified.
+
+
+
+
+
+
+
+
+
+ The ReferenceType complex type specifies an item in the system characteristics file. This reference is used to link global OVAL Objects to specific items.
+
+
+
+
+
+
+
+
+ The SystemDataType complex type is a container for one or more item elements. Each item defines a specific piece of data on the system.
+
+
+
+
+
+
+
+ The abstract item element holds information about a specific item on a system. An item might be a file, a rpm, a process, etc. This element is extended by the different component schemas through substitution groups. Each item represents a unique instance of an object as specified by an OVAL Object. For example, a single file or a single user. Each item may be referenced by more than one object in the collected object section. Please refer to the description of ItemType for more details about the information stored in items.
+
+
+
+
+ The ItemType complex type specifies an optional message element that is used to pass things like error messages during data collection to a tool that will utilize the information.
+ The required id attribute is a unique (to the file) identifier that allows the specific item to be referenced.
+ The required status attribute holds information regarding the success of the data collection. For example, if an item exists on the system then the status would reflect this with a value of 'exists'. If an error occurs which is not associated with any item entities, or if an error occurs that is associated with an item entity matching an associated object entity, then the status would be 'error'. An error specific to any particular entity should be addressed at the entity level and, for item entities not associated with an object entity, not the item level. When creating items, any entities that can successfully be collected should be reported.
+ In some cases, when an item for a specified object does not exist, it may be beneficial to report a partial match of an item showing what entities did exist and what entities did not exist for debugging purposes. This is especially true when considering items that are collected by objects with hierarchical object entities. An example of such a case is when a file_object has a path entity equal to 'C:\' and a filename entity equal to 'test.txt' where 'test.txt' does not exist in the 'C:\' directory. This would result in the creation of a partially matching file_item with a status of 'does not exist' where the path entity equals 'C:\' and the filename entity equals 'test.txt' with a status of 'does not exist'. By showing the partial match, someone reading a system-characteristics document can quickly see that a matching file_item did not exist because the specified filename did not exist and not that the specified path did not exist. Again, please note that the implementation of partial matches, when an item for a specified object does not exist, is completely optional.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The FlagEnumeration simple type defines the valid flags associated with a collected object. These flags are meant to provide information about how the specified object was handled by the data collector. In order to evaluate an OVAL Definition, information about the defined objects needs to be available. The flags help detail the outcome of attempting to collect information related to these objects..
+
+ Below is a table that outlines how each FlagEnumeration value effects evaluation of a given test. Note that this is related to the existence of a unique set of items identified by an object and not each item's compliance with a state. The left column identifies the FlagEnumeration value in question. The right column specifies the ResultEnumeration value that should be used when evaluating the collected object.
+
+ ||
+ flag value || test result is
+ ||
+-----------------||----------------------------
+ error || error
+ complete || (test result depends on
+ incomplete || check_existence and
+ does not exist || check attributes)
+ not collected || unknown
+ not applicable || not applicable
+-----------------||-----------------------------
+
+
+
+
+
+
+ A flag of 'error' indicates that there was an error trying to identify items on the system that match the specified object declaration. This flag is not meant to be used when there was an error retrieving a specific entity, but rather when it could not be determined if an item exists or not. Any error in retrieving a specific entity should be represented by setting the status of that specific entity to 'error'.
+
+
+
+
+ A flag of 'complete' indicates that every matching item on the system has been identified and is represented in the system characteristics file. It can be assumed that no additional matching items exist on the system.
+
+
+
+
+ A flag of 'incomplete' indicates that a matching item exists on the system, but only some of the matching items have been identified and are represented in the system characteristics file. It is unknown if additional matching items also exist. Note that with a flag of 'incomplete', each item that has been identified matches the object declaration, but additional items might also exist on the system.
+
+
+
+
+ A flag of 'does not exist' indicates that the underlying structure is installed on the system but no matching item was found. For example, the Windows metabase is installed but there were no items that matched the metabase_object. In this example, if the metabase itself was not installed, then the flag would have been 'not applicable'.
+
+
+
+
+ A flag of 'not collected' indicates that no attempt was made to collect items on the system. An object with this flag will produce an 'unknown' result during analysis since it is unknown if matching items exists on the system or not. This is different from an 'error' flag because an 'error' flag indicates that an attempt was made to collect items on system whereas a 'not collected' flag indicates that an attempt was not made to collect items on the system.
+
+
+
+
+ A flag of 'not applicable' indicates that the specified object is not applicable to the system being characterized. This could be because the data repository is not installed or that the object structure is for a different flavor of systems. An example would be trying to collect objects related to a Red Hat system off of a Windows system. Another example would be trying to collect an rpminfo_object on a Linux system if the rpm packaging system is not installed. If the rpm packaging system is installed and the specified rpminfo_object could not be found, then the flag would be 'does not exist'.
+
+
+
+
+
+
+ The StatusEnumeration simple type defines the valid status messages associated with collection of specific information associated with an item.
+
+
+
+
+ A status of 'error' says that there was an error collecting information associated with an item as a whole or any specific entity. An item would have a status of 'error' if a problem occurred that prevented the item from being collected. For example, a file_item would have a status of 'error' if a handle to the file could not be opened because the handle was already in use by another program. See the documentation for ItemType for information about when an item entity status of 'error' should propagate up to the item status level.
+
+
+
+
+ A status of 'exists' says that the item or specific piece of information exists on the system and has been collected.
+
+
+
+
+ A status of 'does not exist' says that the item or specific piece of information does not exist and therefore has not been collected. This status assumes that an attempt was made to collect the information, but the information just does not exist. This can happen when a certain entity is only pertinent to particular instances or if the information for that entity is not set.
+
+
+
+
+ A status of 'not collected' says that no attempt was made to collect the item or specific piece of information so it is unknown what the value is and if it even exists.
+
+
+
+
+
+
+
+
+
+
+ The EntityAttributeGroup is a collection of attributes that are common to all entities. This group defines these attributes and their default values. Individual entities may limit allowed values for these attributes, but all entities will support these attributes.
+
+
+
+ Warning: item - a value for the entity should only be supplied if the status attribute is 'exists'
+
+
+
+
+
+
+
+ - The datatype for the entity is 'int' but the value is not an integer.
+
+
+
+
+
+
+
+ The optional datatype attribute determines the type of data expected (the default datatype is 'string'). Note that the datatype attribute simply defines the type of data as found on the system, it is not used during evaluation. An OVAL Definition defines how the data should be interpreted during analysis. If the definition states a datatype that is different than what the system characteristics presents, then a type cast must be made.
+
+
+
+
+ The optional mask attribute is used to identify values that have been hidden for sensitivity concerns.
+ This is used by the Result document which uses the System Characteristics schema to format the information found on a specific system.
+ When the mask attribute is set to 'true' on an OVAL Entity or an OVAL Field, the corresponding collected value of that OVAL Entity or OVAL Field MUST NOT be present in the "results" section of the OVAL Results document; the "oval_definitions" section must not be altered and must be an exact copy of the definitions evaluated.
+ Values MUST NOT be masked in OVAL System Characteristics documents that are not contained within an OVAL Results document.
+ It is possible for masking conflicts to occur where one entity has mask set to true and another entity has mask set to false.
+ A conflict will occur when the mask attribute is set differently on an OVAL Object and matching OVAL State or when more than one OVAL Objects identify the same OVAL Item(s).
+ When such a conflict occurs the result is always to mask the entity.
+
+
+
+
+ The optional status attribute holds information regarding the success of the data collection. For example, if there was an error collecting a particular piece of data, then the status would be 'error'.
+
+
+
+
+
+
+ The EntityItemSimpleBaseType complex type is an abstract type that serves as the base type for all simple item entities.
+
+
+
+
+
+
+
+
+
+
+ The EntityItemComplexBaseType complex type is an abstract type that serves as the base type for all complex item entities.
+
+
+
+
+
+
+ The EntityItemIPAddressType type is extended by the entities of an individual item. This type provides uniformity to each entity by including the attributes found in the EntityItemSimpleBaseType. This specific type describes any IPv4/IPv6 address or address prefix.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The EntityItemIPAddressStringType type is extended by the entities of an individual item. This type provides uniformity to each entity by including the attributes found in the EntityItemSimpleBaseType. This specific type describes any IPv4/IPv6 address, address prefix, or its string representation.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The EntityItemAnySimpleType type is extended by the entities of an individual item. This type provides uniformity to each entity by including the attributes found in the EntityItemSimpleBaseType. This specific type describes any simple data.
+
+
+
+
+
+
+
+
+
+
+
+
+ The EntityItemBinaryType type is extended by the entities of an individual item. This type provides uniformity to each entity by including the attributes found in the EntityItemSimpleBaseType. This specific type describes simple binary data. The empty string is also allowed for cases where there was an error in the data collection of an entity and a status needs to be reported.
+
+
+
+
+
+
+
+
+
+
+
+
+ The EntityItemBoolType type is extended by the entities of an individual item. This type provides uniformity to each entity by including the attributes found in the EntityItemSimpleBaseType. This specific type describes simple boolean data. The empty string is also allowed for cases where there was an error in the data collection of an entity and a status needs to be reported.
+
+
+
+
+
+
+
+
+
+
+
+
+ The EntityItemFloatType type is extended by the entities of an individual item. This type provides uniformity to each entity by including the attributes found in the EntityItemSimpleBaseType. This specific type describes simple float data. The empty string is also allowed for cases where there was an error in the data collection of an entity and a status needs to be reported.
+
+
+
+
+
+
+
+
+
+
+
+
+ The EntityItemIntType type is extended by the entities of an individual item. This type provides uniformity to each entity by including the attributes found in the EntityItemSimpleBaseType. This specific type describes simple integer data. The empty string is also allowed for cases where there was an error in the data collection of an entity and a status needs to be reported.
+
+
+
+
+
+
+
+
+
+
+
+
+ The EntityItemStringType type is extended by the entities of an individual item. This type provides uniformity to each entity by including the attributes found in the EntityItemSimpleBaseType. This specific type describes simple string data.
+
+
+
+
+
+
+
+
+
+
+
+
+ The EntityItemRecordType defines an entity that consists of a number of named fields. This structure is used for representing a record from a database query and other similar structures where multiple related fields must be collected at once. Note that for all entities of this type, the only allowed datatype is 'record'.
+ Note the datatype attribute must be set to 'record'.
+
+ Note that when the mask attribute is set to 'true', all child field elements must be masked regardless of the child field's mask attribute value.
+
+
+
+
+
+
+
+
+
+
+
+ The EntityItemFieldType defines an element with simple content that represents a named field in a record that may contain any number of named fields. The EntityItemFieldType is much like all other entities with one significant difference, the EntityItemFieldType has a name attribute.
+ The required name attribute specifies a name for the field. Field names are lowercase and may occur more than once to allow for a field to have multiple values.
+ Note that when the mask attribute is set to 'true' on a field's parent element the field must be masked regardless of the field's mask attribute value.
+
+
+
+
+
+ A string restricted to disallow upper case characters.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The EntityItemVersionType type is extended by the entities of an individual item. This type provides uniformity to each entity by including the attributes found in the EntityItemSimpleBaseType. This specific type describes version data.
+
+
+
+
+
+
+
+
+
+
+
+
+ The EntityItemFilesetRevisionType type is extended by the entities of an individual item. This type provides uniformity to each entity by including the attributes found in the EntityItemSimpleBaseType. This specific type represents the version string related to filesets in HP-UX.
+
+
+
+
+
+
+
+
+
+
+
+
+ The EntityItemIOSVersionType type is extended by the entities of an individual item. This type provides uniformity to each entity by including the attributes found in the EntityItemSimpleBaseType. This specific type represents the version string for IOS.
+
+
+
+
+
+
+
+
+
+
+
+
+ The EntityItemEVRStringType type is extended by the entities of an individual item. This type provides uniformity to each entity by including the attributes found in the EntityItemSimpleBaseType.
+ This type represents the epoch, version, and release fields, for an RPM package, as a single version string. It has the form "EPOCH:VERSION-RELEASE". Note that a null epoch (or '(none)' as returned by rpm) is equivalent to '0' and would hence have the form 0:VERSION-RELEASE. Comparisons involving this datatype should follow the algorithm of librpm's rpmvercmp() function.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The EntityItemDebianEVRStringType type is extended by the entities of an individual item. This type provides uniformity to each entity by including the attributes found in the EntityItemSimpleBaseType. This type represents the epoch, upstream_version, and debian_revision fields, for a Debian package, as a single version string. It has the form "EPOCH:UPSTREAM_VERSION-DEBIAN_REVISION". Note that a null epoch (or '(none)' as returned by dpkg) is equivalent to '0' and would hence have the form 0:UPSTREAM_VERSION-DEBIAN_REVISION. Comparisons involving this datatype should follow the algorithm outlined in Chapter 5 of the "Debian Policy Manual" (https://www.debian.org/doc/debian-policy/ch-controlfields.html#s-f-Version). An implementation of this is the cmpversions() function in dpkg's enquiry.c.
+
+
+
+
+
+
+
+
+
+
+
+
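Review bot: The root element is named inconsistently in the first documentation block of this hunk: the sentence opens with 'The system_characteristics element is the root of an OVAL System Characteristics Document' and then refers to 'the children of the oval_system_characteristics element'; one of the two names is wrong and the text should use the name of the element the schema actually declares. Smaller wording fixes in the same hunk: 'is used to associated the ids' should read 'is used to associate the ids'; 'The required os_name elements describes' and 'The required os_version elements describe' should use the singular 'element'; 'An OVAL Object that includes a variable maybe have a different unique set' should read 'may have'; 'A global OVAL Object my have multiple matching items' should read 'may have'; the FlagEnumeration description ends with a doubled period ('related to these objects..'); and the ItemType sentence 'An error specific to any particular entity should be addressed at the entity level and, for item entities not associated with an object entity, not the item level' is hard to parse and should be split into two plain rules (entity-level errors stay at the entity; only errors on entities that match an object entity, or errors not tied to any entity, raise the item status to 'error'). On the mask attribute text, the rule 'Values MUST NOT be masked in OVAL System Characteristics documents that are not contained within an OVAL Results document' is the security-relevant one and deserves a sentence of rationale beside it, since it means a standalone system characteristics document always carries the unmasked collected values and must be handled accordingly; as written, a reader skimming the attribute description could assume masking applies wherever the attribute is set.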
diff --git a/oval-schemas/oval-variables-schema.xsd b/oval-schemas/oval-variables-schema.xsd
new file mode 100644
index 0000000..1d29b19
--- /dev/null
+++ b/oval-schemas/oval-variables-schema.xsd
@@ -0,0 +1,97 @@
+
+
+
+
+
+
+ The following is a description of the elements, types, and attributes that compose the core schema for encoding Open Vulnerability and Assessment Language (OVAL) Variables. This schema is provided to give structure to any external variables and their values that an OVAL Definition is expecting.
+ The OVAL Schema is maintained by The MITRE Corporation and developed by the public OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.mitre.org.
+
+ Core Variable
+ 5.11.2
+ 11/30/2016 09:00:00 AM
+ Copyright (c) 2016, Center for Internet Security. All rights reserved. The contents of this file are subject to the terms of the OVAL License located at https://oval.cisecurity.org/terms. See the OVAL License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the OVAL Schema, this license header must be included.
+
+
+
+
+
+
+
+
+ The oval_variables element is the root of an OVAL Variable Document. Its purpose is to bind together the different variables contained in the document. The generator section must be present and provides information about when the variable file was compiled and under what version. The optional Signature element allows an XML Signature as defined by the W3C to be attached to the document. This allows authentication and data integrity to be provided to the user. Enveloped signatures are supported. More information about the official W3C Recommendation regarding XML digital signatures can be found at http://www.w3.org/TR/xmldsig-core/.
+
+
+
+
+
+
+
+
+
+
+ Enforce uniqueness amongst the variable ids found in the variable document.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The VariablesType complex type is a container for one or more variable elements. Each variable element holds the value of an external variable used in an OVAL Definition. Please refer to the description of the VariableType for more information about an individual variable.
+
+
+
+
+
+
+
+ Each variable element contains the associated datatype and value which will be substituted into the OVAL Definition that is referencing this specific variable.
+ The notes section of a variable should be used to hold information that might be helpful to someone examining the technical aspects of the variable. Please refer to the description of the NotesType complex type for more information about the notes element.
+
+
+
+
+
+
+
+
+ Note that the 'record' datatype is not permitted on variables.
+
+
+
+
+ Use to specify multiple variable instances.
+
+
+
+
+
+
+
+
+
+
+
+
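Review bot: The documentation header in this hunk is stale relative to the other schemas in the same patch: it says 'The OVAL Schema is maintained by The MITRE Corporation and developed by the public OVAL Community ... please visit the OVAL website at http://oval.mitre.org', while the copyright line directly below and the other schema headers name the Center for Internet Security and http://oval.cisecurity.org. Suggest aligning it with the wording used in oval-system-characteristics-schema.xsd ('The OVAL Schema is maintained by the OVAL Community ... http://oval.cisecurity.org'). Minor: the 'instance' attribute description 'Use to specify multiple variable instances.' should read 'Used to specify multiple variable instances.'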
diff --git a/oval-schemas/pixos-definitions-schema.xsd b/oval-schemas/pixos-definitions-schema.xsd
new file mode 100644
index 0000000..472d154
--- /dev/null
+++ b/oval-schemas/pixos-definitions-schema.xsd
@@ -0,0 +1,200 @@
+
+
+
+
+
+ The following is a description of the elements, types, and attributes that compose the PIX specific tests found in Open Vulnerability and Assessment Language (OVAL). Each test is an extension of the standard test element defined in the Core Definition Schema. Through extension, each test inherits a set of elements and attributes that are shared amongst all OVAL tests. Each test is described in detail and should provide the information necessary to understand what each element and attribute represents. This document is intended for developers and assumes some familiarity with XML. A high level description of the interaction between the different tests and their relationship to the Core Definition Schema is not outlined here.
+ This schema was originally developed by Yuzheng Zhou and Eric Grey at Hewlett-Packard. The OVAL Schema is maintained by the OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.cisecurity.org.
+
+ PixOS Definition
+ 5.11.1:1.1
+ 11/30/2016 09:00:00 AM
+ Copyright (c) 2016, Center for Internet Security. All rights reserved. The contents of this file are subject to the terms of the OVAL License located at https://oval.cisecurity.org/terms. See the OVAL License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the OVAL Schema, this license header must be included.
+
+
+
+
+
+
+
+
+
+
+ The line_test is used to check the properties of specific output lines from a SHOW command, such as SHOW RUNNING-CONFIG. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a line_object and the optional state element specifies the data to check.
+
+
+ line_test
+ line_object
+ line_state
+ line_item
+
+
+
+
+
+ - the object child element of a line_test must reference a line_object
+
+
+ - the state child element of a line_test must reference a line_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The line_object element is used by a line_test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+ A line object consists of a show_subcommand entity that is the name of a SHOW sub-command to be tested.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The name of a SHOW sub-command.
+
+
+
+
+
+
+
+
+
+
+
+
+ The line_state element defines the different information that can be used to evaluate the result of a specific SHOW sub-command. This includes the name of ths sub-command and the corresponding config line. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ The name of the SHOW sub-command.
+
+
+
+
+ The value returned from by the specified SHOW sub-command.
+
+
+
+
+
+
+
+
+
+
+
+
+ The version test is used to check the version of the PIX operating system. It is based off of the SHOW VERSION command. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a version_object and the optional state element specifies the data to check.
+
+
+ version_test
+ version_object
+ version_state
+ version_item
+
+
+
+
+
+ - the object child element of a version_test must reference a version_object
+
+
+ - the state child element of a version_test must reference a version_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The version_object element is used by a version test to define the different version information associated with a PIX system. There is actually only one object relating to version and this is the system as a whole. Therefore, there are no child entities defined. Any OVAL Test written to check version will reference the same version_object which is basically an empty object element.
+
+
+
+
+
+
+
+
+
+ The version_state element defines the version information held within a Cisco PIX software release. The pix_release element specifies the whole PIX version information. The pix_major_release, pix_minor_release and pix_build elements specify seperated parts of PIX software version information. For instance, if the PIX version is 7.1(2.3)49, then pix_release is 7.1(2.3)49, pix_major_release is 7.1, pix_minor_release is 2.3 and pix_build is 49. See the SHOW VERSION command within PIX for more information.
+
+
+
+
+
+
+
+ The pix_release element specifies the whole PIX version information.
+
+
+
+
+ The pix_major_release is the dotted version that starts a version string. For example the pix_release 7.1(2.3)49 has a pix_major_release of 7.1.
+
+
+
+
+ The pix_minor_release is the dotted version that starts a version string. For example the pix_release 7.1(2.3)49 has a pix_minor_release of 2.3.
+
+
+
+
+ The pix_build is an integer. For example the pix_release 7.1(2.3)49 has a pix_build of 49.
+
+
+
+
+
+
+
+
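Review bot: The pix_minor_release description is a copy of the pix_major_release text and is wrong: "The pix_minor_release is the dotted version that starts a version string" contradicts the version_state description, which says that for 7.1(2.3)49 the minor release is the parenthesised 2.3, not the leading 7.1. Reword it along the lines of "The pix_minor_release is the dotted version inside the parentheses of a version string. For example the pix_release 7.1(2.3)49 has a pix_minor_release of 2.3." Since assessment content will compare against these entities, a misleading definition invites definitions that test the wrong field. Smaller wording fixes in the same region: "the name of ths sub-command" should read "the name of this sub-command", "The value returned from by the specified SHOW sub-command" has a stray "from", and "seperated" should be "separated".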
diff --git a/oval-schemas/pixos-system-characteristics-schema.xsd b/oval-schemas/pixos-system-characteristics-schema.xsd
new file mode 100644
index 0000000..e099134
--- /dev/null
+++ b/oval-schemas/pixos-system-characteristics-schema.xsd
@@ -0,0 +1,87 @@
+
+
+
+
+ The following is a description of the elements, types, and attributes that compose the Cisco PIX (Private Internet Exchange) specific system characteristic items found in Open Vulnerability and Assessment Language (OVAL). Each item is an extension of the standard test element defined in the Core Definition Schema. Through extension, each test inherits a set of elements and attributes that are shared amongst all OVAL tests. Each test is described in detail and should provide the information necessary to understand what each element and attribute represents. This document is intended for developers and assumes some familiarity with XML. A high level description of the interaction between the different tests and their relationship to the Core Definition Schema is not outlined here.
+ This schema was originally developed by Yuzheng Zhou and Eric Grey at Hewlett-Packard. The OVAL Schema is maintained by the OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.cisecurity.org.
+
+ PixOS System Characteristics
+ 5.11.1:1.1
+ 11/30/2016 09:00:00 AM
+ Copyright (c) 2016, Center for Internet Security. All rights reserved. The contents of this file are subject to the terms of the OVAL License located at https://oval.cisecurity.org/terms. See the OVAL License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the OVAL Schema, this license header must be included.
+
+
+
+
+
+
+
+
+
+
+ Stores the properties of specific lines in the PIX config file.
+
+
+
+
+
+
+
+ The name of the SHOW sub-command.
+
+
+
+
+ The value returned from by the specified SHOW sub-command.
+
+
+
+
+
+
+
+
+
+
+
+
+ Stores results from SHOW VERSION command.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
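Review bot: The introductory paragraph of this system characteristics schema is the test-oriented boilerplate from the definitions schema and does not describe what the file contains: "Each item is an extension of the standard test element defined in the Core Definition Schema. Through extension, each test inherits a set of elements and attributes that are shared amongst all OVAL tests. Each test is described in detail". Items in a system characteristics schema extend the item type of the core system characteristics schema, not the test element, so the three sentences should talk about items and the Core System Characteristics Schema. The line_item description ("Stores the properties of specific lines in the PIX config file") also does not match the entities under it, which are the SHOW sub-command name and its returned value, and "The value returned from by the specified SHOW sub-command" repeats the stray "from" from the definitions schema.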
diff --git a/oval-schemas/sharepoint-definitions-schema.xsd b/oval-schemas/sharepoint-definitions-schema.xsd
new file mode 100644
index 0000000..824b435
--- /dev/null
+++ b/oval-schemas/sharepoint-definitions-schema.xsd
@@ -0,0 +1,2337 @@
+
+
+
+
+ The following is a description of the elements, types, and attributes that compose the SharePoint specific tests found in Open Vulnerability and Assessment Language (OVAL). Each test is an extension of the standard test element defined in the Core Definition Schema. Through extension, each test inherits a set of elements and attributes that are shared amongst all
+ OVAL tests. Each test is described in detail and should provide the information necessary to understand what each element and attribute represents. This document is intended for developers and assumes some familiarity with XML. A high level description of the interaction between the different tests and their relationship to the Core Definition Schema is not outlined
+ here.
+ The SharePoint Component Schema is based on the SharePoint Object Model (Windows SharePoint Services 3.0)
+ The OVAL Schema is maintained by the OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.cisecurity.org.
+
+ SharePoint Definition
+ 5.11.1:1.1
+ 11/30/2016 09:00:00 AM
+ Copyright (c) 2016, Center for Internet Security. All rights reserved. The contents of this file are subject to the terms of the OVAL License located at https://oval.cisecurity.org/terms. See the OVAL License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the OVAL Schema, this license header must be included.
+
+
+
+
+
+
+
+
+
+
+ The spwebapplication test is used to check the properties or permission settings of a SharePoint web application. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a spwebapplication_object and the optional state element
+ specifies the data to check.
+
+
+ spwebapplication_test
+ spwebapplication_object
+ spwebapplication_state
+ spwebapplication_item
+
+
+
+
+
+ - the object child element of a spwebapplication_test must reference an spwebapplication_object
+
+
+ - the state child element of a spwebapplication_test must reference an spwebapplication_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The spwebapplication_object element is used by a spwebapplication test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again,
+ please refer to the description of the set element in the oval-definitions-schema.
+ An spwebapplication object consists of a webapplicationurl used to define a specific web application. See the defintion of the SPWebApplication class in the SharePoint object model documentation.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The webapplicationurl element defines the SPWebApplication to evaluate specific security settings or permissions.
+
+
+
+
+
+
+
+
+
+
+
+
+ The spwebapplication_state element defines security settings and permissions that can be checked for a specified SPWebApplications.
+
+
+
+
+
+
+
+ The webapplicationurl element identifies a Web application.
+
+
+
+
+ If the allowparttopartcommunication is enabled it allows users to create connections between Web parts.
+
+
+
+
+ If the allowaccesstowebpartcatalog is enabled it allows users access to the online Web part gallery.
+
+
+
+
+ The blockedfileextention element identifies one or more file extensions that should be blocked from the deployment.
+
+
+
+
+ The defaultquotatemplate element identifies the default quota template set for the web application.
+
+
+
+
+ If the externalworkflowparticipantsenabled is enabled then users are allowed to participate in workflows.
+
+
+
+
+ If the recyclebinenabled is enabled it will be easy to restore deleted files.
+
+
+
+
+ If the automaticallydeleteunusedsitecollections is disabled, sites will not be automatically deleted.
+
+
+
+
+ If the selfservicesitecreationenabled is enabled users will be allowed to create and manager their own top-level Web sites .
+
+
+
+
+ The secondstagerecyclebinquota is the quota for the second stage recyle bin
+
+
+
+
+ The recyclebinretentionperiod is the retention period for the recyle bin
+
+
+
+
+ The outboundmailserverinstance element identifies the string name of the SMPT server. Note that there is a small naming inconsistency here. The SharePoint SDK calls this 'outboundmailserviceinstance'.
+
+
+
+
+ The outboundmailsenderaddress element identifies the address that the mail is being send from.
+
+
+
+
+ The outboundmailreplytoaddress element identifies the address that the mail should be replied to.
+
+
+
+
+ If the secvalexpires is enabled then the form will expire after the security validation time (timeout) .
+
+
+
+
+ The timeout is the amount of time before security validation expires in seconds.
+
+
+
+
+ If this is true, the web application to which this test refers is the Central Administration web application.
+
+
+
+
+ The applicationpoolname element identifies the web applications application pool name.
+
+
+
+
+ The applicationpoolusername element identifies the web applications application pool username.
+
+
+
+
+ If the openitems is enabled the permission to view the source of documents with server-side file handlers is available to use for this web application..
+
+
+
+
+ If the addlistitems is enabled the permission to add items to lists, add documents to document libraries, and add Web discussion comments is available to use for this Web application.
+
+
+
+
+ If approveitems is enabled the permission to approve a minor version of a list item or document is available to use for this the Web application.
+
+
+
+
+ If the deletelistitems is enabled the permission to delete items from a list, documents from a document library, and Web discussion comments in documents is available to use for this Web application.
+
+
+
+
+ If the deleteversions is enabled the permission to delete past versions of a list item or document is available to use for this Web application.
+
+
+
+
+ If the editlistitems is enabled the permission to edit items in lists, edit documents in document libraries, edit Web discussion comments in documents, and customize Web Part Pages in document libraries is available to use for this Web application.
+
+
+
+
+ If the managelists is enabled the permission to create and delete lists, add or remove columns in a list, and add or remove public views of a list is available to use for this the Web application.
+
+
+
+
+ If the viewversions is enabled the permission to view past versions of a list item or document is available to use for this Web application.
+
+
+
+
+ If the viewlistitems is enabled the permission to view items in lists, documents in document libraries, and view Web discussion commentsis available is available to use for this Web application.
+
+
+
+
+ If the cancelcheckout is enabled the permission to discard or check in a document which is checked out to another user is available to use for this the Web application.
+
+
+
+
+ If the createalerts is enabled the permission to Create e-mail alerts is available to use for this Web application.
+
+
+
+
+ If the viewformpages is enabled the permission to view forms, views, and application pages, and enumerate lists is available to use for this Web application.
+
+
+
+
+ If the viewpages is enabled the permission to view pages in a Web site is available to use for this Web application.
+
+
+
+
+ If addandcustomizepages is enabled the permission to add, change, or delete HTML pages or Web Part Pages, and edit the Web site using a Windows SharePoint Services–compatible editor is available to use for this Web application.
+
+
+
+
+ If the applystylesheets is enabled the permission to Apply a style sheet (.css file) to the Web site is available to use for this Web application.
+
+
+
+
+ If the applythemeanborder is enabled the permission to apply a theme or borders to the entire Web site is available to use for this Web application.
+
+
+
+
+ If the browsedirectories is enabled the permission to enumerate files and folders in a Web site using Microsoft Office SharePoint Designer and WebDAV interfaces is available to use for this Web application.
+
+
+
+
+ If the browseuserinfo is enabled the permission to view information about users of the Web site is available to use for this Web application.
+
+
+
+
+ If the creategroups is enabled the permission to create a group of users that can be used anywhere within the site collection is available to use for this Web application.
+
+
+
+
+ If the createsscsite is enabled the permission to create a Web site using Self-Service Site Creation is available to use for this Web application.
+
+
+
+
+ If the editmyuserinfo is enabled the permission to allows a user to change his or her user information, such as adding a picture is available to use for this Web application.
+
+
+
+
+ If enumeratepermissions is enabled the permission to enumerate permissions on the Web site, list, folder, document, or list itemis is available to use for this Web application.
+
+
+
+
+ If the managealerts is enabled the permission to manage alerts for all users of the Web site is available to use for this Web application.
+
+
+
+
+ If the managepermissions is enabled the permission to create and change permission levels on the Web site and assign permissions to users and groups is available to use for this Web application.
+
+
+
+
+ If the managesubwebs is enabled the permission to create subsites such as team sites, Meeting Workspace sites, and Document Workspace sites is available to use for this Web application.
+
+
+
+
+ If the manageweb is enabled the permission to perform all administration tasks for the Web site as well as manage content is available to use for this Web application.
+
+
+
+
+ If open is enabled the permission to allow users to open a Web site, list, or folder to access items inside that containeris available to use for this Web application.
+
+
+
+
+ If the useclientintegration is enabled the permission to use features that launch client applications; otherwise, users must work on documents locally and upload changesis is available to use for this Web application.
+
+
+
+
+ If the useremoteapis is enabled the permission to use SOAP, WebDAV, or Microsoft Office SharePoint Designer interfaces to access the Web siteis available to use for this Web application.
+
+
+
+
+ If the viewusagedata is enabled the permission to view reports on Web site usage in documents is available to use for this Web application.
+
+
+
+
+ If the managepersonalviews is enabled the permission to Create, change, and delete personal views of lists is available to use for this Web application.
+
+
+
+
+ If the adddelprivatewebparts is enabled the permission to add or remove personal Web Parts on a Web Part Page is available to use for this Web application.
+
+
+
+
+ If the updatepersonalwebparts is enabled the permission to update Web Parts to display personalized informationis available to use for this Web application.
+
+
+
+
+
+
+
+
+
+
+
+
+ The spgroup test is used to check the group properties for site collections. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references an spwebapplication_object and the optional state element specifies the data to
+ check.
+
+
+ spgroup_test
+ spgroup_object
+ spgroup_state
+ spgroup_item
+
+
+
+
+
+ - the object child element of a spgroup_test must reference a spgroup_object
+
+
+ - the state child element of a spgroup_test must reference a spgroup_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The spgroup_object element is used by a spgroup test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to
+ the description of the set element in the oval-definitions-schema.
+ An spgroup object consists of a sitecollectionurl used to define a specific site collection. See the defintion of the SPGroup class in the SharePoint object model documentation.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The sitecollectionurl element defines the Site Colection to evaluate specific group settings.
+
+
+
+
+
+
+
+
+
+
+
+
+ The spgroup_state element defines settings for groups in a site collections.
+
+
+
+
+
+
+
+ The sitecollectionurl element identifies a Site Collection.
+
+
+
+
+ The name element identifies a Group name.
+
+
+
+
+ If the autoacceptrequesttojoinleave is enabled it allows users to automatically join groups.
+
+
+
+
+ If the allowmemberseditmembership is enabled than all group memebers will be allowed to edit the membership of a group..
+
+
+
+
+ If the onlyallowmembersviewmembership is enabled it allows users to automatically join groups.
+
+
+
+
+
+
+
+
+
+
+
+
+ The spweb test is used to check the properties for site collections. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references an spwebapplication_object and the optional state element specifies the data to check. See https://msdn.microsoft.com/en-us/library/ms473633.aspx for more information.
+
+
+ spweb_test
+ spweb_object
+ spweb_state
+ spweb_item
+
+
+
+
+
+ - the object child element of a spweb_test must reference an spweb_object
+
+
+ - the state child element of a spweb_test must reference an spweb_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The spweb_object element is used by a spweb test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the
+ description of the set element in the oval-definitions-schema.
+ An spweb object consists of a webcollection url and sitecollection url used to define a specific web apoplication and a specific site collection. See the defintion of the SPWeb class in the SharePoint object model documentation.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Specifies a web site (this is the SPWeb object we want).
+
+
+
+
+ Specifies a site collection.
+
+
+
+
+
+
+
+
+
+
+
+
+ The spweb_state element defines settings for a site collection.
+
+
+
+
+
+
+
+ The webcollectionurl specifies a web site (the SPWeb object).
+
+
+
+
+ The sitecollectionurl element specifies a site collection.
+
+
+
+
+ The secondarysitecolladmin element identifies a secondary site collection admin.
+
+
+
+
+ A boolean that represents if the secondarysitecolladmin is enabled.
+
+
+
+
+ If the allowanonymousaccess is enabled users will be allowed to create and manager their own top-level Web sites .
+
+
+
+
+
+
+
+
+
+
+
+
+ The splist test is used to check the properties of lists associated with a SharePoint site or site collection. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references an splist_object and the optional state element specifies the data
+ to check.
+
+
+ splist_test
+ splist_object
+ splist_state
+ splist_item
+
+
+
+
+
+ - the object child element of a splist_test must reference an splist_object
+
+
+ - the state child element of a splist_test must reference an splist_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The splist_object element is used by a splist test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the
+ description of the set element in the oval-definitions-schema.
+ An splist object consists of a spsiteurl used to define a specific site in a site collection that various security related configuration items need to be checked. See the defintion of the SPList class in the SharePoint object model documentation.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The spsiteurl element defines the Sharepoint website being specified ...
+
+
+
+
+
+
+
+
+
+
+
+
+ The splist_state element defines the different information that can be used to evaluate the specified Sharepoint sites....
+
+
+
+
+
+
+
+ The spsiteurl element identifies an Sharepoint site to test for.
+
+
+
+
+ If the irmenabled option is enabled, documents are protected whenever they leave the control of the Sharepoint system.
+
+
+
+
+ If the enableversioning option is enabled, backup copies of documents are kept and managed by the Sharepoint system.
+
+
+
+
+ If the nocrawl option is enabled, the site is excluded from crawls that Sharepoint does when it indexes sites.
+
+
+
+
+
+
+
+
+
+
+
+
+ The spantivirussettings test is used to check the settings for antivirus software associated with a SharePoint deployment.
+
+
+ spantivirussettings_test
+ spantivirussettings_object
+ spantivirussettings_state
+ spantivirussettings_item
+
+
+
+
+
+ - the object child element of a spantivirussettings_test must reference an spantivirussettings_object
+
+
+ - the state child element of a spantivirussettings_test must reference an spantivirussettings_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The spantivirussettings_object element is used by a spantivirussettings test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic.
+ Again, please refer to the description of the set element in the oval-definitions-schema.
+ An spantivirussettings object consists of a spwebservicename used to define a specific webservice in a farm that various security related configuration items need to be checked and an spfarmname which denotes the farm of which the spwebservice is a part. See the defintion of the SPAntiVirusSettings class in the SharePoint object model documentation.
+
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The spwebservicename element denotes the web service for which antivirus settings will be checked.
+
+
+
+
+ The spfarmname element denotes the farm on which a web service to be queried resides.
+
+
+
+
+
+
+
+
+
+
+
+
+ The spantivirus_state element defines the different information that can be used to evaluate the specified Sharepoint sites....
+
+
+
+
+
+
+
+ The spwebservicename denotes the name of a SharePoint web service to be tested or * (the default) to test all web services.
+
+
+
+
+ The spfarmname denotes the name of the farm on which the Sharepoint webservice resides or the local farm (default).
+
+
+
+
+ Specifies whether infected documents can be downloaded on the SharePoint system.
+
+
+
+
+ Specifies whether the virus scanner should attempt to cure files that are infected.
+
+
+
+
+ Specifies whetehr files are scanned for viruses when they are downloaded.
+
+
+
+
+ The number of threads that the antivirus scanner can use to scan documents for viruses.
+
+
+
+
+ Specifies whether to skip scanning for viruses during a search crawl.
+
+
+
+
+ Denotes the amount of time before the virus scanner times out in seconds.
+
+
+
+
+ Specifies whether files are scanned when they are uploaded.
+
+
+
+
+ Denotes the current increment of the number of times the vendor has been updated.
+
+
+
+
+
+
+
+
+
+
+
+
+ The spsiteadministration test is used to check the properties of a site. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references an spwebapplication_object and the optional state element specifies the data to
+ check.
+
+
+ spsiteadministration_test
+ spsiteadministration_object
+ spsiteadministration_state
+ spsiteadministration_item
+
+
+
+
+
+ - the object child element of a spsiteadministration_test must reference an spsiteadministration_object
+
+
+ - the state child element of a spsiteadministration_test must reference an spsiteadministration_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The spsiteadministration_object element is used by a spsiteadministration test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set
+ logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+ An spsiteadministration object consists of a webapplicationurl used to define a specific web application. The collected data is available via the SPQuota class, which can be found via the SPSite object. See the defintions of the SPSite and the SPQuota classes in the SharePoint object model documentation.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The sitecollectionurl element defines the site to evaluate.
+
+
+
+
+
+
+
+
+
+
+
+
+ The spspsiteadministration_state element defines security settings and permissions that can be checked for a specified SPSite.
+
+
+
+
+
+
+
+ The sitecollectionurl element identifies a site.
+
+
+
+
+ The storagemaxlevel is the maximum storage allowed for the site.
+
+
+
+
+ When the storagewarninglevel is reached a site collection receive advance notice before available storage is expended.s.
+
+
+
+
+
+
+
+
+
+
+
+
+ The spsite test is used to check the properties of a site. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references an spwebapplication_object and the optional state element specifies the data to check.
+
+
+ spsite_test
+ spsite_object
+ spsite_state
+ spsite_item
+
+
+
+
+
+ - the object child element of a spsite_test must reference an spsite_object
+
+
+ - the state child element of a spsite_test must reference an spsite_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The spsite_object element is used by a spsiteadministration test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again,
+ please refer to the description of the set element in the oval-definitions-schema.
+ An spsite object consists of a sitecollectionurl used to define a specific web application. See the defintion of the SPSite class in the SharePoint object model documentation.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The sitecollectionurl element defines the site to evaluate.
+
+
+
+
+
+
+
+
+
+
+
+
+ The spsite_state element defines security settings and permissions that can be checked for a specified SPSite.
+
+
+
+
+
+
+
+ The sitecollectionurl element identifies a site.
+
+
+
+
+ The quota name is the name of quota template for a site collection.
+
+
+
+
+ The URL is the full URL to the root Web site of the site collection, including host name, port number, and path.
+
+
+ 5.10
+ The 'url' entity has been deprecated as it has been identified as redundant since the 'sitecollectionurl' is the same URL.
+ See the defintion of the SPSite class in the SharePoint object model documentation.
+
+
+
+ DEPRECATED ENTITY IN: sp-def:spsite_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The spcrawlrule test is used to check the configuration or rules associated with the SharePoint system's built-in indexer and the sites or documents that will be indexed.
+
+
+ spcrawlrule_test
+ spcrawlrule_object
+ spcrawlrule_state
+ spcrawlrule_item
+
+
+
+
+
+ - the object child element of a spcrawlrule_test must reference an spcrawlrule_object
+
+
+ - the state child element of a spcrawlrule_test must reference an spcrawlrule_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The spcrawlrule_object element is used by a spcrawlrule test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+ An spcrawlrule object consists of a spsiteurl used to define a specific resource (eg. website or document) on a server that can be indexed by the SharePoint indexer. See the defintion of the CrawlRule class in the SharePoint object model documentation.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The spsiteurl element denotes the resource on the SharePoint server (eg. a site or document) for which indexing settings will be checked.
+
+
+
+
+
+
+
+
+
+
+
+
+ The spcrawlrule state element defines the various properties of the SharePoint indexer that can be checked.
+
+
+
+
+
+
+
+ The spsiteurl denotes the URL of a website or resource whose indexing properties should be tested.
+
+
+
+
+ Specifies whether the crawler should crawl content from a hierarchical content source, such as HTTP content.
+
+
+
+
+ Specifies whether a particular crawl rule is enabled.
+
+
+
+
+ Specifies whether the indexer should crawl websites that contain the question mark (?) character.
+
+
+
+
+ The path to which a particular crawl rule applies.
+
+
+
+
+ The priority setting for a particular crawl rule.
+
+
+
+
+ Specifies whether the crawler should exclude the content of items that this rule applies to from the content index.
+
+
+
+
+ A string containing the account name for the crawl rule.
+
+
+
+
+
+
+
+
+
+
+
+
+ The spjobdefinition test is used to check the status of the various properties associated with scheduled jobs in the SharePoint system.
+
+
+ spjobdefinition_test
+ spjobdefinition_object
+ spjobdefinition_state
+ spjobdefinition_item
+
+
+
+
+ 5.10
+ Replaced by the spjobdefinition510_test. This test does not uniquely identify a single job definition. A new test was created to use displaynames, which are unique. See the spjobdefinition510_test.
+ This test has been deprecated and will be removed in version 6.0 of the language.
+
+
+
+ DEPRECATED TEST: ID:
+
+
+
+
+
+
+ - the object child element of a spjobdefinition_test must reference an spjobdefinition_object
+
+
+ - the state child element of a spjobdefinition_test must reference an spjobdefinition_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The spjobdefinition_object element is used by a spjobdefinition test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+ An spjobdefinition_object consists of a webappuri used to define a specific web application for which job checks should be done. See the defintion of the SPJobDefinition class in the SharePoint object model documentation.
+
+
+ 5.10
+ Replaced by the spjobdefinition510_object. This test does not uniquely identify a single job definition. A new object was created to use displaynames, which are unique. See the spjobdefinition510_object.
+ This test has been deprecated and will be removed in version 6.0 of the language.
+
+
+
+ DEPRECATED TEST: ID:
+
+
+
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The URI that represents the web application for which jobs should be checked.
+
+
+
+
+
+
+
+
+
+
+
+
+ The various properties of a Sharepoint job that can be checked.
+
+
+ 5.10
+ Replaced by the spjobdefinition510_state. This state does not uniquely identify a single job definition. A new state was created to use displaynames, which are unique. See the spjobdefinition510_state.
+ This test has been deprecated and will be removed in version 6.0 of the language.
+
+
+
+ DEPRECATED TEST: ID:
+
+
+
+
+
+
+
+
+
+
+ The URI that represents the web application for which jobs should be checked.
+
+
+
+
+ The name of the job as displayed in the SharePoint Central Administration site.
+
+
+
+
+ Determines whether or not the job definition is enabled.
+
+
+
+
+ Determines whether the job definition should be retried if it ends abnormally.
+
+
+
+
+ The title of a job as displayed in the SharePoint Central Administration site.
+
+
+
+
+
+
+
+
+
+
+
+
+ The spjobdefinition test is used to check the status of the various properties associated with scheduled jobs in the SharePoint system.
+
+
+ spjobdefinition510_test
+ spjobdefinition510_object
+ spjobdefinition510_state
+ spjobdefinition510_item
+
+
+
+
+
+ - the object child element of a spjobdefinition510_test must reference an spjobdefinition510_object
+
+
+ - the state child element of a spjobdefinition510_test must reference an spjobdefinition510_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The spjobdefinition510_object element is used by a spjobdefinition test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+ An spjobdefinition510_object consists of a webappuri and displayname used to define a specific web application for which job checks should be done. See the defintion of the SPJobDefinition class in the SharePoint object model documentation.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The URI that represents the web application for which jobs should be checked.
+
+
+
+
+ The name of the job as displayed in the SharePoint Central Administration site.
+
+
+
+
+
+
+
+
+
+
+
+
+ The various properties of a Sharepoint job that can be checked.
+
+
+
+
+
+
+
+ The URI that represents the web application for which jobs should be checked.
+
+
+
+
+ The name of the job as displayed in the SharePoint Central Administration site.
+
+
+
+
+ Determines whether or not the job definition is enabled.
+
+
+
+
+ Determines whether the job definition should be retried if it ends abnormally.
+
+
+
+
+ The title of a job as displayed in the SharePoint Central Administration site.
+
+
+
+
+
+
+
+
+
+
+
+
+ The bestbet test is used to get all the best bets associated with a site.
+
+
+ bestbet_test
+ bestbet_object
+ bestbet_state
+ bestbet_item
+
+
+
+
+
+ - the object child element of a bestbet_test must reference an bestbet_object
+
+
+ - the state child element of a bestbet_test must reference an bestbet_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The bestbet_object element is used by a bestbet test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to
+ the description of the set element in the oval-definitions-schema.
+ An bestbet object consists of a sitecollectionurl used to define a specific site and a bestbeturl used to define a specific best bet. See the defintion of the BestBet class in the SharePoint object model documentation.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The URL that represents the site collection.
+
+
+
+
+ The URL that represents the best bet.
+
+
+
+
+
+
+
+
+
+
+
+
+ The various properties of a Best Bet that can be checked.
+
+
+
+
+
+
+
+ The URL that represents the site collection.
+
+
+
+
+ The name of the job as displayed in the SharePoint Central Administration site.
+
+
+
+
+ The title of a best bet.
+
+
+
+
+ Thedescription of a best bet..
+
+
+
+
+
+
+
+
+
+
+
+
+ The policycoll test is used to get all the Information Policies associated with a site.
+
+
+ infopolicycoll_test
+ infopolicycoll_object
+ infopolicycoll_state
+ infopolicycoll_item
+
+
+
+
+
+ - the object child element of a policycoll_test must reference an policycoll_object
+
+
+ - the state child element of a policycoll_test must reference an policycoll_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The infopolicycoll_object element is used by a policycoll test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please
+ refer to the description of the set element in the oval-definitions-schema.
+ A infopolicycoll object consists of a sitecollectionurl used to define a specific site and an id used to define a specific information policy. See the defintion of the Policy class and policycollection class in the SharePoint object model documentation.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The URL that represents the site collection.
+
+
+
+
+ The id that represents the Information Policy.
+
+
+
+
+
+
+
+
+
+
+
+
+ The various properties of the Information Policy that can be checked.
+
+
+
+
+
+
+
+ The URL that represents the site collection.
+
+
+
+
+ The id of the Information Policy.
+
+
+
+
+ The name of the Information Policy.
+
+
+
+
+ The description of an Information Policy..
+
+
+
+
+ The long description of an Information Policy..
+
+
+
+
+
+
+
+
+
+
+
+
+ The spdiagnosticsservice test is used to check the diagnostic properties associated with a Sharepoint system.
+
+
+ spdiagnosticsservice_test
+ spdiagnosticsservice_object
+ spdiagnosticsservice_state
+ spdiagnosticsservice_item
+
+
+
+
+
+ - the object child element of an spdiagnosticsservice_test must reference an spdiagnosticsservice_object
+
+
+ - the state child element of an spdiagnosticsservice_test must reference an spdiagnosticsservice_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The spdiagnosticsservice_object element is used by an spdiagnosticsservice test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set
+ logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+ An spdiagnosticsservice object consists of a farmname used to define a specific Sharepoint farm for which diagnostics properties should be checked. See the defintion of the SPDiagnosticsService class in the SharePoint object model documentation.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The farm whose diagnostic capabilities should be checked. Use .* for all farms or SPFarm.Local for the local farm.
+
+
+
+
+
+
+
+
+
+
+
+
+ The various properties of a diagnostics service that can be checked.
+
+
+
+
+
+
+
+ The farm whose diagnostic capabilities should be checked.
+
+
+
+
+ The name of the diagnostic service as shown in the Sharepoint Central Administration site.
+
+
+
+
+ The number of minutes to capture events to a single log file. This value lies in the range 0 to 1440. The default value is 30.
+
+
+
+
+ The path to the file system directory where log files are created and stored.
+
+
+
+
+ The value that indicates the number of log files to create. This lies in the range 0 to 1024 with a default of 96.
+
+
+
+
+ The required property specifies whether an instance of the spdiagnosticsservice must be running on the farm.
+
+
+
+
+ The friendly name for the service as displayed in the Central Administration and in logs. This should be "Windows Sharepoint Diagnostics Service" by default.
+
+
+
+
+
+
+
+
+
+
+
+
+ The spdiagnosticslevel_test is used to check the status of the logging features associated with a Sharepoint deployment.
+
+
+ spdiagnosticslevel_test
+ spdiagnosticslevel_object
+ spdiagnosticslevel_state
+ spdiagnosticslevel_item
+
+
+
+
+
+ - the object child element of an spdiagnosticslevel_test must reference an spdiagnosticslevel_object
+
+
+ - the state child element of an spdiagnosticslevel_test must reference an spdiagnosticslevel_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The spdiagnosticslevel_object element is used by an spdiagnosticslevel test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+ An spdiagnosticslevel object consists of a farmname used to define a specific Sharepoint farm for which policy properties should be checked. See the defintion of the SPWebApplication class in the SharePoint object model documentation. See the defintion of the IDiagnosticsLevel Interface in the SharePoint object model documentation.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The farm whose diagnostics levels should be checked. Use .* for all farms or SPFarm.Local for the local farm.
+
+
+
+
+
+
+
+
+
+
+
+
+ The various properties of a Diagnostics level that can be checked.
+
+
+
+
+
+
+
+ The name of the farm for which diagnostics level properties should be checked.
+
+
+
+
+ The event severity setting for a particular diagnostic level category.
+
+
+
+
+ Specifies whether the trace log category is hidden in the Windows Sharepoint Services Central Administration interface.
+
+
+
+
+ A string that represents the ID of the trace log category. This is its English language name.
+
+
+
+
+ The name of the trace log category. This represents the localized name for the category.
+
+
+
+
+ The trace severity setting for a particular diagnostic level category.
+
+
+
+
+
+
+
+
+
+
+
+
+ The sppolicyfeature test enables one to check the attributes associated with policies and policy features on the Sharepoint deployment.
+
+
+ sppolicyfeature_test
+ sppolicyfeature_object
+ sppolicyfeature_state
+ sppolicyfeature_item
+
+
+
+
+
+ - the object child element of an sppolicyfeature_test must reference an sppolicyfeature_object
+
+
+ - the state child element of an sppolicyfeature_test must reference an sppolicyfeature_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The sppolicyfeature_object element is used by an sppolicyfeature test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again,
+ please refer to the description of the set element in the oval-definitions-schema.
+ An sppolicyfeature object consists of a farmname used to define a specific Sharepoint farm for which policy feature properties should be checked. See the defintion of the PolicyFeature class in the SharePoint object model documentation.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The farm whose policy features should be checked. Use .* for all farms or SPFarm.Local for the local farm.
+
+
+
+
+
+
+
+
+
+
+
+
+ The various properties of a policy feature that can be checked.
+
+
+
+
+
+
+
+ The farm whose policy features should be checked. Use .* for all farms or SPFarm.Local for the local farm.
+
+
+
+
+ The URL to a web control used to edit policy instance-level settings.
+
+
+
+
+ The default values for any policy instance-level settings for a policy feature.
+
+
+
+
+ The short description of the policy feature and of the service it provides.
+
+
+
+
+ The URL to a web control used to edit server farm-level settings for this policy feature.
+
+
+
+
+ The default settings for any server farm-level settings for this policy feature.
+
+
+
+
+ The policy feature group to which a policy feature belongs.
+
+
+
+
+ The name to display in the Microsoft Office Sharepoint Server 2007 interface for an information policy feature.
+
+
+
+
+ The name of the creator of the policy feature as it is displayed in the Microsoft Office Sharepoint Server 2007 user interface.
+
+
+
+
+ Specifies whether the policy feature is hidden or visible.
+
+
+
+
+
+
+
+
+
+
+
+
+ The sppolicy test enables one to check the attributes of the policies associated with a particular URL Zone in a Sharepoint system.
+
+
+ sppolicy_test
+ sppolicy_object
+ sppolicy_state
+ sppolicy_item
+
+
+
+
+
+ - the object child element of an sppolicy_test must reference an sppolicy_object
+
+
+ - the state child element of an sppolicy_test must reference an sppolicy_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The sppolicy_object element is used by an sppolicy test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer
+ to the description of the set element in the oval-definitions-schema.
+ An sppolicy object consists of a webappuri and a URL Zone used to define a specific Sharepoint web application and zone for which policy properties should be checked. See the defintion of the SPPolicy class and the sppolicyroletype in the SharePoint object model documentation.
+
+
+
+
+
+
+
+
+
+
+ The URI that represents the web application for which policies should be checked.
+
+
+
+
+ The zone for which policies should be checked.
+
+
+
+
+
+
+
+
+
+
+
+ The various properties of a policy that can be checked.
+
+
+
+
+
+
+
+ The URI that represents the web application for which policies should be checked.
+
+
+
+
+ The zone for which policies should be checked.
+
+
+
+
+ The user or group display name for a policy. This defaults to the user name if the display name cannot be resolved through Active Directory.
+
+
+
+
+ Specifies whether the user identified by a particular policy is visible only as a System account within the Windows Sharepoint Services user interface.
+
+
+
+
+ The user name of the user or group that is associated with policy.
+
+
+
+
+ The policy role type to apply globally in a Sharepoint web application to a user or group.
+
+
+
+
+
+
+
+
+
+
+
+
+ The EntityObjectUrlZoneType restricts a string value to a set of values that describe the different IIS Url Zones. The empty string is also allowed to support empty element associated with error conditions.
+
+
+
+
+
+
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityStateEventSeverityType restricts a string value to a set of values that describe the different states that can be configured for a diagnostics level event severity level property of the diagnostics service.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityStateTraceSeverityType restricts a string value to a set of values that describe the different states that can be configured for a diagnostics level trace severity level property of the diagnostics service.
+
+
+
+
+
+
+
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityStatePolicyRoleType restricts a string value to a set of values that describe the different Policy settings for Access Control that are available for users.
+
+
+
+
+
+ Deny all rights.
+
+
+
+
+ Deny write permissions.
+
+
+
+
+ Grant full control.
+
+
+
+
+ Grant full read permissions.
+
+
+
+
+ No role type assigned.
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityStatePolicyRoleType restricts a string value to a set of values that describe the different policy feature states that can be configured for a policy feature.
+
+
+
+
+
+ Specifies that the policy feature is hidden from the Sharepoint Central Administration user interface.
+
+
+
+
+ Specifies that the policy feature is visible from the Sharepoint Central Administration user interface.
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityStateUrlZoneType restricts a string value to a set of values that describe the different IIS Url Zones.
+
+
+
+
+
+
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
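Review bot: several documentation strings in this hunk are copy-paste carry-overs that describe the wrong entity or the wrong type, and they should be corrected before this is merged as the normative description of the schema. The spjobdefinition510_object description says "An spjobdefinition510_object consists of a webappuri and displayname used to define a specific web application"; the displayname selects the job (that is the whole point of the 510 replacement, per the deprecation note "A new object was created to use displaynames, which are unique"), so it should read something like "a webappuri used to identify the web application and a displayname used to identify the specific job". The same object's first sentence still says it "is used by a spjobdefinition test" rather than a spjobdefinition510 test. In bestbet_state, the second entity is described as "The name of the job as displayed in the SharePoint Central Administration site." while the matching bestbet_object entity is "The URL that represents the best bet."; the state description should match the object. The infopolicycoll test description and its two constraint messages refer to "policycoll_test", "policycoll_object" and "policycoll_state" although the declared names are infopolicycoll_test/_object/_state; an implementer grepping for the referenced names will not find them. The policy-feature hidden/visible enumeration is introduced as "The EntityStatePolicyRoleType restricts a string value to a set of values that describe the different policy feature states", duplicating the name used a few lines earlier for the Deny/Grant role enumeration; the sentence should name the policy-feature status type it actually documents. The deprecation blocks on spjobdefinition_object and spjobdefinition_state say "This test does not uniquely identify" / "This test has been deprecated" and are labelled "DEPRECATED TEST", where they should say object and state respectively. The spdiagnosticslevel_object description points the reader to "the SPWebApplication class" and then to IDiagnosticsLevel; only the latter is relevant to diagnostics levels. Finally, the EntityObjectUrlZoneType text justifies the empty string with "error conditions" while every other enumeration in the hunk (and its own enumeration comment) says "variable references"; and "defintion", "determinining", "Thedescription of a best bet.." and the mixed "Sharepoint"/"SharePoint" spelling recur throughout and would be cheap to clean up in one pass.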
diff --git a/oval-schemas/sharepoint-system-characteristics-schema.xsd b/oval-schemas/sharepoint-system-characteristics-schema.xsd
new file mode 100644
index 0000000..093e863
--- /dev/null
+++ b/oval-schemas/sharepoint-system-characteristics-schema.xsd
@@ -0,0 +1,1122 @@
+
+
+
+
+ The following is a description of the elements, types, and attributes that compose the SharePoint specific system characteristic items found in Open Vulnerability and Assessment Language (OVAL). Each item is an extension of the standard item element defined in the Core System Characteristic Schema. Through extension, each item inherits a set of elements and attributes that are shared amongst all OVAL Items. Each item is described in detail and should provide the information necessary to understand what each element and attribute represents. This document is intended for developers and assumes some familiarity with XML. A high level description of the interaction between the different tests and their relationship to the Core System Characteristic Schema is not outlined here.
+ The SharePoint Component Schema is based on the SharePoint Object Model (Windows SharePoint Services 3.0)
+ The OVAL Schema is maintained by the OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.cisecurity.org.
+
+ SharePoint System Characteristics
+ 5.11.1:1.1
+ 11/30/2016 09:00:00 AM
+ Copyright (c) 2016, Center for Internet Security. All rights reserved. The contents of this file are subject to the terms of the OVAL License located at https://oval.cisecurity.org/terms. See the OVAL License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the OVAL Schema, this license header must be included.
+
+
+
+
+
+
+
+
+
+
+ This spwebapplication item stores information for security related features and permissions related to each web application. See the defintion of the SPWebApplication class in the SharePoint object model documentation.
+
+
+
+
+
+
+
+ A string the represents the url that identifies the web application.
+
+
+
+
+ A boolean that represents if a user can create connections between Web Parts.
+
+
+
+
+ A boolean that represents if a user can create connections to Online Web Part Galleries.
+
+
+
+
+ A single blockedfileextention for the application. An applicaiton may have zero or more blocked file extensions.
+
+
+
+
+ A string the represents the default quota template for the web application.
+
+
+
+
+ A boolean that represents if a user is allowed to participate in workflow by sending them a copy of the document.
+
+
+
+
+ A boolean that represents if the recycle bin is enabled or disabled.
+
+
+
+
+ A boolean that represents if the site can be automatically deleted.
+
+
+
+
+ A boolean that represents if a self service site can be created.
+
+
+
+
+ Size of the second stage recycle bin quota.
+
+
+
+
+ The recyclebinretentionperiod is the retention period for the recyle bin.
+
+
+
+
+ The string name of the outboundmailserver.
+
+
+
+
+ The from address that is used when sending email.
+
+
+
+
+ The reply to address that is used when sending email.
+
+
+
+
+ A boolean that represents if a security validation can expire.
+
+
+
+
+ The timeout is the amount of time before security validation expires in seconds.
+
+
+
+
+ A boolean that specifies whether the current web application is the Central Administration web application.
+
+
+
+
+ A string that represents the application pool name.
+
+
+
+
+ A string that represents the application pool username.
+
+
+
+
+ A boolean that represents if the permission to view the source of documents with server-side file handlers is available to the Web application.
+
+
+
+
+ A boolean that represents if the permission to add items to lists, add documents to document libraries, and add Web discussion comments to the Web application.
+
+
+
+
+ A boolean that represents if the permission to approve a minor version of a list item or document is available to the Web application.
+
+
+
+
+ A boolean that represents if the permission to delete items from a list, documents from a document library, and Web discussion comments in documents is available to the Web application.
+
+
+
+
+ A boolean that represents if the permission to delete past versions of a list item or document is available to the Web application.
+
+
+
+
+ A boolean that represents if edit items in lists, edit documents in document libraries, edit Web discussion comments in documents, and customize Web Part Pages in document libraries is available to the Web application.
+
+
+
+
+ A boolean that represents if the permission to create and delete lists, add or remove columns in a list, and add or remove public views of a list is available to the Web application.
+
+
+
+
+ A boolean that represents if the permission to view past versions of a list item or document is available to the Web application.
+
+
+
+
+ A boolean that represents if the permission to view items in lists, documents in document libraries, and view Web discussion commentsis available to the Web application.
+
+
+
+
+ A boolean that represents if the permission to discard or check in a document which is checked out to another user is available to the Web application.
+
+
+
+
+ A boolean that represents if the permission to Create e-mail alerts is available to the Web application.
+
+
+
+
+ A boolean that represents if the permission to view forms, views, and application pages, and enumerate lists is available to the Web application.
+
+
+
+
+ A boolean that represents if the permission to view pages in a Web site is available to the Web application.
+
+
+
+
+
+
+
+
+
+ A boolean that represents if the permission to Apply a style sheet (.css file) to the Web site is available to the Web application.
+
+
+
+
+ A boolean that represents if the permission to apply a theme or borders to the entire Web site is available to the Web application.
+
+
+
+
+ A boolean that represents if the permission to enumerate files and folders in a Web site using Microsoft Office SharePoint Designer and WebDAV interfaces is available to the Web application.
+
+
+
+
+ A boolean that represents if the permission to view information about users of the Web site is available to the Web application.
+
+
+
+
+
+ A boolean that represents if the permission to create a group of users that can be used anywhere within the site collection is available to the Web application.
+
+
+
+
+ A boolean that represents if the permission to create a Web site using Self-Service Site Creation is available to the Web application.
+
+
+
+
+
+ A boolean that represents if the permission to allows a user to change his or her user information, such as adding a picture is available to the Web application.
+
+
+
+
+ A boolean that represents if the permission to enumerate permissions on the Web site, list, folder, document, or list itemis is available to the Web application.
+
+
+
+
+ A boolean that represents if the permission to manage alerts for all users of the Web site is available for the Web application.
+
+
+
+
+
+ A boolean that represents if the permission to create and change permission levels on the Web site and assign permissions to users and groups is available to the Web application.
+
+
+
+
+
+ A boolean that represents if the permission to create subsites such as team sites, Meeting Workspace sites, and Document Workspace sites is available to the Web application.
+
+
+
+
+ A boolean that represents if the permission to perform all administration tasks for the Web site as well as manage content is available to the Web application.
+
+
+
+
+ A boolean that represents if the permission to allow users to open a Web site, list, or folder to access items inside that containeris available to the Web application.
+
+
+
+
+
+ A boolean that represents if the permission to use features that launch client applications; otherwise, users must work on documents locally and upload changesis is available to the Web application.
+
+
+
+
+ A boolean that represents if the permission to use SOAP, WebDAV, or Microsoft Office SharePoint Designer interfaces to access the Web siteis available to the Web application.
+
+
+
+
+ A boolean that represents if the permission to view reports on Web site usage in documents is available to the Web application.
+
+
+
+
+ A boolean that represents if the permission to Create, change, and delete personal views of lists is available to the Web application.
+
+
+
+
+ A boolean that represents if the permission to add or remove personal Web Parts on a Web Part Page is available to the Web application.
+
+
+
+
+ A boolean that represents if the permission to update Web Parts to display personalized informationis available to the Web application.
+
+
+
+
+
+
+
+
+
+
+
+
+ This spgroup item stores information for security related features related to site groups
+
+
+
+
+
+
+
+ A string the represents the url that identifies the site collection.
+
+
+
+
+ A string the represents the name of a group in a site collection.
+
+
+
+
+ A boolean that represents if sites can automatically accepts requests.
+
+
+
+
+ A boolean that represents if owners other than the group owner can edit the membership of groups.
+
+
+
+
+ A boolean that represents if owners other than the group owner can edit the membership of groups.
+
+
+
+
+
+
+
+
+
+
+
+
+ This spweb item stores information for security related features related to site collections.
+
+
+
+
+
+
+
+ A string that specifies a web site (the SPWeb object).
+
+
+
+
+ A string that specifies a site collection.
+
+
+
+
+ A string the represents the secondarysitecolladmin.
+
+
+
+
+ A boolean that represents if the secondsitecolladmin is enabled.
+
+
+
+
+ A boolean that represents if a anonymous access is allowed to the web site.
+
+
+
+
+
+
+
+
+
+
+
+
+ An SPList represents a list of content on a Sharepoint web site. It consists of items or rows and columns or fields that contain data.
+
+
+
+
+
+
+
+ The url that identifies the website.
+
+
+
+
+ The irmenabled attribute tests to see if documents that leave the Sharepoint environment are protected.
+
+
+
+
+ The enableversioning attribute specifies whether backup copies of files should be created and managed in the Sharepoint system.
+
+
+
+
+ The nocrawl attribute indicates that this site should not be among those crawled and indexed.
+
+
+
+
+
+
+
+
+
+
+
+
+ An SPAntivirusSettings Item represents the set of antivirus-related security settings on a Sharepoint server.
+
+
+
+
+
+
+
+ The name of the SP Web Service for which to retrieve the antivirus settings or * for all web services. The default value is * which checks all SP Web services
+
+
+
+
+ The Farm in which the SP Web Service resides.
+
+
+
+
+ Specifies whether SharePoint users can download documents that are found to be infected.
+
+
+
+
+ Specifies whether or not the virus scanner should attempt to cure infected files.
+
+
+
+
+ Specifies whether files are scanned when they are downloaded.
+
+
+
+
+ Specifies the number of threads that the virus scanner may use to perform virus scans.
+
+
+
+
+ Specifies whether to skip document virus scanning during a search crawl.
+
+
+
+
+ The amount of time before the virus scanner times out in seconds.
+
+
+
+
+ Specifies whether files are scanned for viruses when they are uploaded.
+
+
+
+
+ The current increment of the number of times the vendor has been updated.
+
+
+
+
+
+
+
+
+
+
+
+
+ This spsiteadministration item stores information for security related features and permissions related to each top-level web sites. See the defintion of the SPSiteAdministration class in the SharePoint object model documentation.
+
+
+
+
+
+
+
+ A string the represents the url that identifies the sitecollection application.
+
+
+
+
+ The storagemaxlevel is the maximum storage allowed for the site.
+
+
+
+
+ When the storagewarninglevel is reached a site collection receive advance notice before available storage is expended.
+
+
+
+
+
+
+
+
+
+
+
+
+ This spsite item stores information for security related features for sites. See the defintion of the SPSite class in the SharePoint object model documentation.
+
+
+
+
+
+
+
+ A string the represents the url that identifies the sitecollection application.
+
+
+
+
+ The string that represents the name of the quota for a specific site collection.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The spcrawlrule_item specifies rules that the SharePoint system follows when it crawls the content of sites stored within it.
+
+
+
+
+
+
+
+ A URL that represents the resource (eg. sites, documents,etc.) on which the crawlrule tests should be run or * if the check should be run on all sites/documents on the server.
+
+
+
+
+ Specifies whether the crawler should crawl content from a hierarchical content source, such as HTTP content.
+
+
+
+
+ Specifies whether a particular crawl rule is enabled.
+
+
+
+
+ Specifies whether the indexer should crawl websites that contain the question mark (?) character.
+
+
+
+
+ The path to which a particular crawl rule applies.
+
+
+
+
+ The priority setting for a particular crawl rule.
+
+
+
+
+ Specifies whether the crawler should exclude the content of items that this rule applies to from the content index.
+
+
+
+
+ A string containing the account name for the crawl rule.
+
+
+
+
+
+
+
+
+
+
+
+
+ This represents the set of Job Definitions that are scheduled to run on each SharePoint Web Application
+
+
+ 5.10
+ Replaced by the spjobdefinition510_item. This item does not uniquely identify a single job definition. A new state was created to use displaynames, which are unique. See the spjobdefinition510_item.
+ This item has been deprecated and may be removed in a future version of the language.
+
+
+
+ DEPRECATED ITEM: ID:
+
+
+
+
+
+
+
+
+
+
+ The URI that represents the web application for which the IIS Settings should be checked.
+
+
+
+
+ The name of the job as displayed in the SharePoint Central Administration site.
+
+
+
+
+ Determines whether or not the job definition is enabled.
+
+
+
+
+ Determines whether the job definition should be retried if it ends abnormally.
+
+
+
+
+ The title of a job as displayed in the SharePoint Central Administration site.
+
+
+
+
+
+
+
+
+
+
+
+
+ This represents the set of Job Definitions that are scheduled to run on each SharePoint Web Application
+
+
+
+
+
+
+
+ The URI that represents the web application for which the IIS Settings should be checked.
+
+
+
+
+ The name of the job as displayed in the SharePoint Central Administration site.
+
+
+
+
+ Determines whether or not the job definition is enabled.
+
+
+
+
+ Determines whether the job definition should be retried if it ends abnormally.
+
+
+
+
+ The title of a job as displayed in the SharePoint Central Administration site.
+
+
+
+
+
+
+
+
+
+
+
+
+ This represents the set of Best Bets for a site collection.
+
+
+
+
+
+
+
+ The sitecollectionurl represents the URL for the site.
+
+
+
+
+ The bestbeturl represents the URL for the best bet.
+
+
+
+
+ The title of the Best Bet.
+
+
+
+
+ The description of the Best Bet.
+
+
+
+
+
+
+
+
+
+
+
+
+ This represents the set of Information Policies for a site collection.
+
+
+
+
+
+
+
+ The sitecollectionurl represents the URL for the site.
+
+
+
+
+ The id of the sitecollection poilicy.
+
+
+
+
+ The name of the sitecollection poilicy.
+
+
+
+
+ The description of the Information Policy.
+
+
+
+
+ The long description of an Information Policy.
+
+
+
+
+
+
+
+
+
+
+
+
+ This represents the set of diagnostic capabilities for Windows Sharepoint Services.
+
+
+
+
+
+
+
+ The farm whose diagnostic capabilities should be checked. Use .* for all farms or SPFarm.Local for the local farm.
+
+
+
+
+ The name of the diagnostic service as shown in the Sharepoint Central Administration site.
+
+
+
+
+ The number of minutes to capture events to a single log file. This value lies in the range 0 to 1440. The default value is 30.
+
+
+
+
+ The path to the file system directory where log files are created and stored.
+
+
+
+
+ The value that indicates the number of log files to create. This lies in the range 0 to 1024 with a default of 96.
+
+
+
+
+ The required property specifies whether an instance of the spdiagnosticsservice must be running on the farm.
+
+
+
+
+ The friendly name for the service as displayed in the Central Administration and in logs. This should be "Windows Sharepoint Diagnostics Service" by default.
+
+
+
+
+
+
+
+
+
+
+
+
+ The diagnostics level associated with a particular instance of a diagnostics service on a Sharepoint farm.
+
+
+
+
+
+
+
+ The farm whose diagnostics levels should be checked. Use .* for all farms or SPFarm.Local for the local farm.
+
+
+
+
+ The event severity setting for a particular diagnostic level category.
+
+
+
+
+ Specifies whether the trace log category is hidden in the Windows Sharepoint Services Central Administration interface.
+
+
+
+
+ A string that represents the ID of the trace log category. This is its English language name.
+
+
+
+
+ The name of the trace log category. This represents the localized name for the category.
+
+
+
+
+ The trace severity setting for a particular diagnostic level category.
+
+
+
+
+
+
+
+
+
+
+
+
+ This represents a policy feature that is installed on the Sharepoint server farm.
+
+
+
+
+
+
+
+ The farm whose policy features should be checked. Use .* for all farms or SPFarm.Local for the local farm.
+
+
+
+
+ The URL to a web control used to edit policy instance-level settings.
+
+
+
+
+ The default values for any policy instance-level settings for a policy feature.
+
+
+
+
+ The short description of the policy feature and of the service it provides.
+
+
+
+
+ The URL to a web control used to edit server farm-level settings for this policy feature.
+
+
+
+
+ The default settings for any server farm-level settings for this policy feature.
+
+
+
+
+ The policy feature group to which a policy feature belongs.
+
+
+
+
+ The name to display in the Microsoft Office Sharepoint Server 2007 interface for an information policy feature.
+
+
+
+
+ The name of the creator of the policy feature as it is displayed in the Microsoft Office Sharepoint Server 2007 user interface.
+
+
+
+
+ Specifies whether the policy feature is hidden or visible.
+
+
+
+
+
+
+
+
+
+
+
+
+ This represents a policy on the Sharepoint system.
+
+
+
+
+
+
+
+ The URI that represents the web application for which policies should be checked.
+
+
+
+
+ The zone for which policies should be checked.
+
+
+
+
+ The user or group display name for a policy. This defaults to the user name if the display name cannot be resolved through Active Directory.
+
+
+
+
+ Specifies whether the user identified by a particular policy is visible only as a System account within the Windows Sharepoint Services user interface.
+
+
+
+
+ The user name of the user or group that is associated with policy.
+
+
+
+
+ The policy role type to apply globally in a Sharepoint web application to a user or group.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The EntityItemUrlZoneType restricts a string value to a set of values that describe the different IIS Url Zones. The empty string is also allowed to support empty element associated with error conditions.
+
+
+
+
+
+
+
+
+
+
+ The empty string value is permitted here to allow for detailed error reporting.
+
+
+
+
+
+
+
+
+ The EntityItemEventSeverityType restricts a string value to a set of values that describe the different states that can be configured for a diagnostics level event severity level property of the diagnostics service.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The empty string value is permitted here to allow for detailed error reporting.
+
+
+
+
+
+
+
+
+ The EntityItemTraceSeverityType restricts a string value to a set of values that describe the different states that can be configured for a diagnostics level trace severity level property of the diagnostics service.
+
+
+
+
+
+
+
+
+
+
+
+ The empty string value is permitted here to allow for detailed error reporting.
+
+
+
+
+
+
+
+
+ The EntityItemPolicyFeatureStateType restricts a string value to a set of values that describe the different states that can be configured for a policy feature.
+
+
+
+
+
+ Specifies that the policy feature is hidden from the Sharepoint Central Administration user interface.
+
+
+
+
+ Specifies that the policy feature is visible from the Sharepoint Central Administration user interface.
+
+
+
+
+ The empty string value is permitted here to allow for detailed error reporting.
+
+
+
+
+
+
+
+
+ The EntityItemPolicyRoleType restricts a string value to a set of values that describe the different Policy settings for Access Control that are available for users.
+
+
+
+
+
+ Deny all rights.
+
+
+
+
+ Deny write permissions.
+
+
+
+
+ Grant full control.
+
+
+
+
+ Grant full read permissions.
+
+
+
+
+ No role type assigned.
+
+
+
+
+ The empty string value is permitted here to allow for detailed error reporting.
+
+
+
+
+
+
+
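Review bot: the webappuri description in both the spjobdefinition item and its spjobdefinition510 replacement reads "The URI that represents the web application for which the IIS Settings should be checked.", which is copied from the IIS settings item and should say "for which job definitions should be checked"; with the two items carrying identical entity descriptions, the deprecation note's claim that the replacement keys on unique display names should also say where that uniqueness is applied, and the "DEPRECATED ITEM: ID:" line is missing its identifier. Typos in the same hunk: "defintion", "A string the represents the url", "poilicy" (twice), and "represents the url that identifies the sitecollection application".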
diff --git a/oval-schemas/solaris-definitions-schema.xsd b/oval-schemas/solaris-definitions-schema.xsd
new file mode 100644
index 0000000..f4cec9e
--- /dev/null
+++ b/oval-schemas/solaris-definitions-schema.xsd
@@ -0,0 +1,2063 @@
+
+
+
+
+ The following is a description of the elements, types, and attributes that compose the Solaris specific tests found in Open Vulnerability and Assessment Language (OVAL). Each test is an extension of the standard test element defined in the Core Definition Schema. Through extension, each test inherits a set of elements and attributes that are shared amongst all OVAL tests. Each test is described in detail and should provide the information necessary to understand what each element and attribute represents. This document is intended for developers and assumes some familiarity with XML. A high level description of the interaction between the different tests and their relationship to the Core Definition Schema is not outlined here.
+ The OVAL Schema is maintained by the OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.cisecurity.org.
+
+ Solaris Definition
+ 5.11.1:1.1
+ 11/30/2016 09:00:00 AM
+ Copyright (c) 2016, Center for Internet Security. All rights reserved. The contents of this file are subject to the terms of the OVAL License located at https://oval.cisecurity.org/terms. See the OVAL License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the OVAL Schema, this license header must be included.
+
+
+
+
+
+
+
+
+
+
+ The facet_test is used to check the facets associated with the specified Image Packaging System image. Facets are properties that control whether or not optional components from a package are installed on a system. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references an facet_object and the optional state elements reference a facet_state and specifies the data to check.
+
+
+ facet_test
+ facet_object
+ facet_state
+ facet_item
+
+
+
+
+
+ - the object child element of an facet_test must reference an facet_object
+
+
+ - the state child element of an facet_test must reference an facet_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The facet_object element is used by a facet test to define the image facet items to be evaluated based on the specified states. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The path to the Solaris IPS image.
+
+
+
+
+ The name of the facet property associated with an IPS image.
+
+
+
+
+
+
+
+
+
+
+
+
+ The facet_state specifies the various facet properties associated with an IPS image.
+
+
+
+
+
+
+
+ Specifies the path to the Solaris IPS image.
+
+
+
+
+ Specifies the name of the facet property associated with an IPS image.
+
+
+
+
+ Specifies the value of the facet property associated with an IPS image.
+
+
+
+
+
+
+
+
+
+
+
+
+ The image_test provides support for checking the metadata of IPS images on Solaris systems. The test extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a image_object and the optional state elements reference image_states that specify the metadata to check about a set of images.
+
+
+ image_test
+ image_object
+ image_state
+ image_item
+
+
+
+
+
+ - the object child element of an image_test must reference an image_object
+
+
+ - the state child element of an image_test must reference an image_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The image_object element is used by a image_test to identify the set of images to check on a system. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The path to the Solaris IPS image.
+
+
+
+
+ The name of the property associated with the Solaris IPS image.
+
+
+
+
+
+
+
+
+
+
+
+
+ The image_state element defines the different system state information that can be used to check the metadata associated with the specified IPS image on a Solaris system.
+
+
+
+
+
+
+
+ The path to the Solaris IPS image.
+
+
+
+
+ The name of the property associated with the Solaris IPS image.
+
+
+
+
+ The value of a property that is associated with a Solaris IPS image.
+
+
+
+
+
+
+
+
+
+
+
+
+ The isainfo test reveals information about the instruction set architectures. This information can be retrieved by the isainfo command. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references an isainfo_object and the optional state element specifies the metadata to check.
+ The isainfo_test was originally developed by Robert L. Hollis at ThreatGuard, Inc. Many thanks for their support of the OVAL project.
+
+
+ isainfo_test
+ isainfo_object
+ isainfo_state
+ isainfo_item
+
+
+
+
+
+
+ - the object child element of an isainfo_test must reference an isainfo_object
+
+
+
+ - the state child element of an isainfo_test must reference an isainfo_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The isainfo_object element is used by an isainfo test to define those objects to evaluated based on a specified state. There is actually only one object relating to isainfo and this is the system as a whole. Therefore, there are no child entities defined. Any OVAL Test written to check isainfo will reference the same isainfo_object which is basically an empty object element.
+
+
+
+
+
+
+
+
+
+ The isainfo_state element defines the information about the instruction set architectures. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ This is the number of bits in the address space of the native instruction set (isainfo -b).
+
+
+
+
+ This is the name of the instruction set used by kernel components (isainfo -k).
+
+
+
+
+ This is the name of the instruction set used by portable applications (isainfo -n).
+
+
+
+
+
+
+
+
+
+
+
+
+ From /usr/bin/ndd. See ndd manpage for specific fields
+
+
+ ndd_test
+ ndd_object
+ ndd_state
+ ndd_item
+
+
+
+
+
+ - the object child element of an ndd_test must reference an ndd_object
+
+
+ - the state child element of an ndd_test must reference an ndd_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The name of the device to examine. If multiple instances of this device exist on the system, an item for each instance will be collected.
+
+
+
+
+ The name of the parameter, For example, ip_forwarding.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The name of the device to examine.
+
+
+
+
+ The instance of the device to examine. Certain devices may have multiple instances on a system. If multiple instances exist, an item for each instance will be collected and will have this entity populated with its respective instance value. If only a single instance exists, this entity will not be collected.
+
+
+
+
+ The name of the parameter, For example, ip_forwarding.
+
+
+
+
+ The value of the named parameter.
+
+
+
+
+
+
+
+
+
+
+
+
+ The package test is used to check information associated with different SVR4 packages installed on the system. Image Packaging System (IPS) packages are not supported by this test. The information used by this test is modeled after the /usr/bin/pkginfo command. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references an package_object and the optional state element specifies the information to check.
+
+
+ package_test
+ package_object
+ package_state
+ package_item
+
+
+
+
+
+
+ - the object child element of a package_test must reference a package_object
+
+
+
+ - the state child element of a package_test must reference a package_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The package_object element is used by a package test to define the SVR4 packages to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+ A package object consists of a single pkginst entity that identifies the package to be used.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The pkginst entity is a string that represents a package designation by its instance. An instance can be the package abbreviation or a specific instance (for example, inst.1 or inst.2).
+
+
+
+
+
+
+
+
+
+
+
+
+ The package_state element defines the different information associated with SVR4 packages installed on the system. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ The pkginst entity is a string that represents a package designation by its instance. An instance can be the package abbreviation or a specific instance (for example, inst.1 or inst.2).
+
+
+
+
+ The name entity is a text string that specifies a full package name.
+
+
+
+
+ The category entity is a string in the form of a comma-separated list of categories under which a package may be displayed. Note that a package must at least belong to the system or application category. Categories are case-insensitive and may contain only alphanumerics. Each category is limited in length to 16 characters.
+
+
+
+
+ The version entity is a text string that specifies the current version associated with the software package. The maximum length is 256 ASCII characters and the first character cannot be a left parenthesis. Current Solaris software practice is to assign this parameter monotonically increasing Dewey decimal values of the form: major_revision.minor_revision[.micro_revision] where all the revision fields are integers. The versioning fields can be extended to an arbitrary string of numbers in Dewey-decimal format, if necessary.
+
+
+
+
+ The vendor entity is a string used to identify the vendor that holds the software copyright (maximum length of 256 ASCII characters).
+
+
+
+
+ The description entity is a string that represents a more in-depth description of a package.
+
+
+
+
+
+
+
+
+
+
+
+
+ The package511_test provides support for checking the metadata of packages installed using the Solaris Image Packaging System. The test extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a package511_object and the optional state elements reference package511_states that specify the metadata to check about a set of packages.
+
+
+ package511_test
+ package511_object
+ package511_state
+ package511_item
+
+
+
+
+
+ - the object child element of an package511_test must reference an package511_object
+
+
+ - the state child element of an package511_test must reference an package511_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The package511_object element is used by a package511_test to identify the set of packages to check on a system. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The person, group of persons, or organization that is the source of the package. The publisher should be expressed without leading "pkg:" or "//" components.
+
+
+
+
+ The full hierarchical name of the package which is separated by forward slash characters. The full name should be expressed without leading "pkg:/" or "/" components.
+
+
+
+
+ The version of the package which consists of the component version, build version, and branch version.
+
+
+
+
+ The timestamp when the package was published in the ISO-8601 basic format (YYYYMMDDTHHMMSSZ).
+
+
+
+
+
+
+
+
+
+
+
+
+ The package511_state element defines the different system state information that can be used to check the metadata associated with the specified IPS packages on a Solaris system.
+
+
+
+
+
+
+
+ The person, group of persons, or organization that is the source of the package. The publisher should be expressed without leading "pkg:" or "//" components.
+
+
+
+
+ The full hierarchical name of the package which is separated by forward slash characters. The full name should be expressed without leading "pkg:/" or "/" components.
+
+
+
+
+ The version of the package which consists of the component version, build version, and branch version.
+
+
+
+
+ The timestamp when the package was published in the ISO-8601 basic format (YYYYMMDDTHHMMSSZ).
+
+
+
+
+ The Fault Management Resource Identifier (FMRI) of the package which uniquely identifies the package on the system.
+
+
+
+
+ A summary of what the package provides.
+
+
+
+
+ A description of what the package provides.
+
+
+
+
+ The category of the package.
+
+
+
+
+ A boolean value indicating whether or not updates are available for this package.
+
+
+
+
+
+
+
+
+
+
+
+
+ The packageavoidlist_test provides support for checking the metadata of IPS packages that have been flagged as needing to avoid from installation on a Solaris system. The test extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a packageavoidlist_object and the optional state elements reference packageavoidlist_states that specify the metadata to check about a set of packages that have been flagged as to be avoided on a Solaris system.
+
+
+ packageavoidlist_test
+ packageavoidlist_object
+ packageavoidlist_state
+ packageavoidlist_item
+
+
+
+
+
+ - the object child element of an packageavoidlist_test must reference a packageavoidlist_object
+
+
+ - the state child element of an packageavoidlist_test must reference a packageavoidlist_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The packageavoidlist_object element is used by a packageavoidlist_test to identify the set of IPS packages that have been flagged as to be avoided from installation on a Solaris system. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+ The packageavoidlist_state element defines the different system state information that can be used to evaluate the specified IPS packages that have been flagged as to be avoided from installation on a Solaris system.
+
+
+
+
+
+
+
+ The Fault Management Resource Identifier (FMRI) of the package which uniquely identifies the package on the system.
+
+
+
+
+
+
+
+
+
+
+
+
+ The packagecheck_test is used to verify the integrity of an installed Solaris SVR4 package. Image Packaging System (IPS) packages are not supported by this test. The information used by this test is modeled after the pkgchk command. For more information, see pkgchk(1M). It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a packagecheck_object and the optional packagecheck_state element specifies the data to check.
+
+
+ packagecheck_test
+ packagecheck_object
+ packagecheck_state
+ packagecheck_item
+
+
+
+
+
+
+ - the object child element of a packagecheck_test must reference a packagecheck_object
+
+
+
+ - the state child element of a packagecheck_test must reference a packagecheck_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The packagecheck_object element is used by a packagecheck_test to define the SVR4 packages to be verified. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The pkginst entity is a string that represents a package designation by its instance. An instance can be the package abbreviation or a specific instance (for example, inst.1 or inst.2).
+
+
+
+
+ The filepath element specifies the absolute path for a file or directory in the specified package.
+
+
+
+
+
+
+
+
+
+
+
+
+ The package_state element defines the different verification information associated with SVR4 packages installed on the system. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ The pkginst entity is a string that represents a package designation by its instance. An instance can be the package abbreviation or a specific instance (for example, inst.1 or inst.2).
+
+
+
+
+ The filepath element specifies the absolute path for a file or directory in the specified package.
+
+
+
+
+ Has the file's checksum changed? A value of true indicates that the file's checksum has changed. A value of false indicates that the file's checksum has not changed.
+
+
+
+
+ Has the file's size changed? A value of true indicates that the file's size has changed. A value of false indicates that the file's size has not changed.
+
+
+
+
+ Has the file's modified time changed? A value of true indicates that the file's modified time has changed. A value of false indicates that the file's modified time has not changed.
+
+
+
+
+ Has the actual user read permission changed from the expected user read permission?
+
+
+
+
+ Has the actual user write permission changed from the expected user write permission?
+
+
+
+
+ Has the actual user exec permission changed from the expected user exec permission?
+
+
+
+
+ Has the actual group read permission changed from the expected group read permission?
+
+
+
+
+ Has the actual group write permission changed from the expected group write permission?
+
+
+
+
+ Has the actual group exec permission changed from the expected group exec permission?
+
+
+
+
+ Has the actual others read permission changed from the expected others read permission?
+
+
+
+
+ Has the actual others read permission changed from the expected others read permission?
+
+
+
+
+ Has the actual others read permission changed from the expected others read permission?
+
+
+
+
+
+
+
+
+
+ The PackageCheckBehaviors complex type defines a set of behaviors that for controlling how installed SVR4 packages are checked. These behaviors align with the options of the pkgchk command (specifically '-a', '-c', and '-n').
+
+
+
+ 'fileattributes_only' when true this behavior means only check the file attributes and do not check file contents. When false, both file attributes and contents will be checked. This aligns with the pkgchk option '-a'.
+
+
+
+
+ 'filecontents_only' when true this behavior means only check the file contents and do not check file attributes. When false, both file attributes and contents will be checked. This aligns with the pkgchk option '-c'.
+
+
+
+
+ 'no_volatileeditable' when true this behavior means do not check volatile or editable files' contents. When false, volatile and editable files' contents will be checked. This aligns with the pkgchk option '-n'.
+
+
+
+
+
+
+
+
+ The packagefreezelist_test provides support for checking the metadata of IPS packages that have been frozen at a particular version. The test extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a packagefreezelist_object and the optional state elements reference packagefreezelist_states that specify the metadata to check about a set of packages.
+
+
+ packagefreezelist_test
+ packagefreezelist_object
+ packagefreezelist_state
+ packagefreezelist_item
+
+
+
+
+
+ - the object child element of an packagefreezelist_test must reference a packagefreezelist_object
+
+
+ - the state child element of an packagefreezelist_test must reference a packagefreezelist_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The packagefreezelist_object element is used by a packagefreezelist_test to identify the set of IPS packages that have been frozen at a particular version on a system. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+ The packagefreezelist_state element defines the different system state information that can be used to evaluate the specified IPS packages on a Solaris system that have been frozen at a particular version.
+
+
+
+
+
+
+
+ The Fault Management Resource Identifier (FMRI) of the package which uniquely identifies the package on the system.
+
+
+
+
+
+
+
+
+
+
+
+
+ The packagepublisher_test provides support for checking the metadata of package publishers on a Solaris system. The test extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a packagepublisher_object and the optional state elements reference packagepublisher_states that specify the metadata to check about a set of package publishers on a Solaris system.
+
+
+ packagepublisher_test
+ packagepublisher_object
+ packagepublisher_state
+ packagepublisher_item
+
+
+
+
+
+ - the object child element of an packagepublisher_test must reference a packagepublisher_object
+
+
+ - the state child element of an packagepublisher_test must reference a packagepublisher_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The packagepublisher_object element is used by a packagepublisher_test to identify the set of package publishers to check on a Solaris system. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The name of the IPS package publisher.
+
+
+
+
+ The type of the IPS package publisher.
+
+
+
+
+ The origin URI of the IPS package publisher.
+
+
+
+
+
+
+
+
+
+
+
+
+ The packagepublisher_state element defines the different system information that can be used to evaluate the specified package publishers.
+
+
+
+
+
+
+
+ The name of the IPS package publisher.
+
+
+
+
+ The type of the IPS package publisher.
+
+
+
+
+ The origin URI of the IPS package publisher.
+
+
+
+
+ The alias of the IPS package publisher.
+
+
+
+
+ The Secure Socket Layer (SSL) key registered by a client for publishers using client-side SSL authentication.
+
+
+
+
+ The Secure Socket Layer (SSL) certificate registered by a client for publishers using client-side SSL authentication.
+
+
+
+
+ The universally unique identifier (UUID) that identifies the image to its IPS package publisher.
+
+
+
+
+ The last time that the IPS package publisher's catalog was updated in seconds since the Unix epoch. The Unix epoch is the time 00:00:00 UTC on January 1, 1970.
+
+
+
+
+ Specifies whether or not the IPS package publisher is enabled.
+
+
+
+
+ Specifies where in the search order the IPS package publisher is listed. The first publisher in the search order will have a value of '1'.
+
+
+
+
+ The properties associated with the IPS package publisher.
+
+
+
+
+
+
+
+
+
+
+
+
+ The patch test is used to check information associated with different patches for SVR4 packages installed on the system. Image Packaging System (IPS) packages do not support patches and are not supported by this test. The information being tested is based off the /usr/bin/showrev -p command. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references an inetd_object and the optional state element specifies the information to check.
+
+
+ patch54_test
+ patch54_object
+ patch_state
+ patch_item
+
+
+
+
+
+
+ - the object child element of a patch54_test must reference a patch54_object
+
+
+
+ - the state child element of a patch54_test must reference a patch_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The patch test is used to check information associated with different patches installed on the system. The information being tested is based off the /usr/bin/showrev -p command. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references an inetd_object and the optional state element specifies the information to check.
+
+
+ patch_test
+ patch_object
+ patch_state
+ patch_item
+
+
+
+
+ 5.4
+ Replaced by the patch54_test. The new test includes additional functionality that allows the object element to match both the original patch and any superseding patches. As a result of this new functionality, the patch_object was also expanded to include behaviors and version entities. See the patch54_test.
+ This test has been deprecated and will be removed in version 6.0 of the language.
+
+
+
+ DEPRECATED TEST: ID:
+
+
+
+
+
+
+
+ - the object child element of a patch_test must reference a patch_object
+
+
+
+ - the state child element of a patch_test must reference a patch_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The patch54_object element is used by a patch test to define the specific patch to be evaluated. Patches are identified by unique alphanumeric strings, with the patch base code first, a hyphen, and a number that represents the patch revision number. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+ A patch object consists of a base entity that identifies the patch to be used, and a version entity that represent the patch revision number.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The base entity represents a patch base code found before the hyphen.
+
+
+
+
+ The version entity represents a patch version number found after the hyphen.
+
+
+
+
+
+
+
+
+
+
+
+
+ The patch_object element is used by a patch test to define the specific patch to be evaluated. Patches are identified by unique alphanumeric strings, with the patch base code first, a hyphen, and a number that represents the patch revision number. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+ A patch object consists of a single base entity that identifies the patch to be used.
+
+
+ 5.4
+ Replaced by the patch54_object. Due to the additional functionality that allows the object element to match both the original patch and any superseding patches, a new object was created that includes behaviors and version entities. See the patch54_object.
+ This object has been deprecated and will be removed in version 6.0 of the language.
+
+
+
+ DEPRECATED OBJECT: ID:
+
+
+
+
+
+
+
+
+
+
+
+
+ The base entity reresents a patch base code found before the hyphen.
+
+
+
+
+
+
+
+
+
+
+ The patch_state element defines the different information associated with a specific patch for an SVR4 package installed on the system. Patches are identified by unique alphanumeric strings, with the patch base code first, a hyphen, and a number that represents the patch revision number. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ The base entity reresents a patch base code found before the hyphen.
+
+
+
+
+ The version entity represents a patch version number found after the hyphen.
+
+
+
+
+
+
+
+
+
+ The PatchBehaviors complex type defines a number of behaviors that allow a more detailed definition of the patch_object being specified. Note that using these behaviors may result in some unique results. For example, a double negative type condition might be created where an object entity says include everything except a specific item, but a behavior is used that might then add that item back in.
+
+
+
+ 'supersedence' specifies that the object should also match any superseding patches to the one being specified. In Solaris, a patch can be superseded in two ways. The first way is implicitly when a new revision of a patch is released (e.g. patch 12345-02 supersedes patch 12345-01). The second way is explicitly where a new patch contains the complete functionality of another patch. If set to 'true', the resulting object set would be the original patch specified plus any superseding patches. The default value is 'false' meaning the object should only match the specified patch.
+
+
+
+
+
+
+
+
+
+
+
+ The smf_test is used to check service management facility controlled services including traditional unix rc level start/kill scrips and inetd daemon services. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a smf_object and the optional state element specifies the information to check.
+
+
+ smf_test
+ smf_object
+ smf_state
+ smf_item
+
+
+
+
+
+
+ - the object child element of a smf_test must reference a smf_object
+
+
+
+ - the state child element of a smf_test must reference a smf_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The smf_object element is used by a smf_test to define the specific service instance to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+ A smf_object consists of a fmri entity that represents the Fault Management Resource Identifier (FMRI) which uniquely identifies a service.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The FMRI (Fault Managed Resource Identifier) entity is used to identify system objects for which advanced fault and resource management capabilities are provided. Services managed by SMF are assigned FMRI URIs prefixed with the scheme name "svc". FMRIs used by SMF can be expressed in three ways: first as an absolute path including a location path such as "localhost" (eg svc://localhost/system/system-log:default), second as a path relative to the local machine (eg svc:/system/system-log:default), and third as simply the service identifier with the string prefixes implied (eg system/system-log:default). For OVAL, the absolute path version (first choice) should be used.
+
+
+
+
+
+
+
+
+
+
+
+
+ The smf_state element defines the different information associated with a specific smf controlled service. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ The FMRI (Fault Managed Resource Identifier) entity describes a possible identifier associated with a service. Services managed by SMF are assigned FMRI URIs prefixed with the scheme name "svc". FMRIs used by SMF can be expressed in three ways: first as an absolute path including a location path such as "localhost" (eg svc://localhost/system/system-log:default), second as a path relative to the local machine (eg svc:/system/system-log:default), and third as simply the service identifier with the string prefixes implied (eg system/system-log:default). For OVAL, the absolute path version (first choice) should be used.
+
+
+
+
+ The service_name entity is usually an abbreviated form of the FMRI. In the example svc://localhost/system/system-log:default, the name would be system-log.
+
+
+
+
+ The service_state entity describes a possible state that the service may be in. Each service instance is always in a well-defined state based on its dependencies, the results of the execution of its methods, and its potential receipt of events from the contracts filesystem. The service_state values are UNINITIALIZED, OFFLINE, ONLINE, DEGRADED, MAINTENANCE, DISABLED, and LEGACY-RUN.
+
+
+
+
+ The protocol entity describes a possible protocol supported by the service.
+
+
+
+
+ The entity server_executable is a string representing the listening daemon on the server side. An example being 'svcprop ftp' which might show 'inetd/start/exec astring /usr/sbin/in.ftpd\ -a'
+
+
+
+
+ The server_arguments entity describes possible parameters that are passed to the service.
+
+
+
+
+ The exec_as_user entity is a string pulled from svcprop in the following format: inetd_start/user astring root
+
+
+
+
+
+
+
+
+
+
+
+
+ The smfproperty_test is used to check the value of properties associated with SMF services. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references an smfproperty_object and the optional state elements reference a smfproperty_state and specifies the data to check.
+
+
+ smfproperty_test
+ smfproperty_object
+ smfproperty_state
+ smfproperty_item
+
+
+
+
+
+ - the object child element of an smfproperty_test must reference an smfproperty_object
+
+
+ - the state child element of an smfproperty_test must reference an smfproperty_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The smfproperty_object element is used by a SMF property test to define the SMF property items to be evaluated based on the specified states. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Specifies the SMF service on the system. This is the service category and name separated by a forward slash ("/").
+
+
+
+
+ The instance of an SMF service which represents a specific configuration of a service.
+
+
+
+
+ The name of the property associated with an SMF service. This is the property category and name separated by a forward slash ("/").
+
+
+
+
+
+
+
+
+
+
+
+
+ The smfproperty_state specifies the values of properties associated with SMF services.
+
+
+
+
+
+
+
+ Specifies the SMF service on the system. This is the service category and name separated by a forward slash ("/").
+
+
+
+
+ Specifies the instance of an SMF service which represents a specific configuration of a service.
+
+
+
+
+ Specifies the name of the property associated with an SMF service. This is the property category and name separated by a forward slash ("/").
+
+
+
+
+ The Fault Management Resource Identifier (FMRI) of the SMF service which uniquely identifies the service on the system.
+
+
+
+
+ Specifies the value of the property associated with an SMF service.
+
+
+
+
+
+
+
+
+
+
+
+
+ The variant_test is used to check the variants associated with the current Image Packaging System image. Variants are properties that control whether or not mutually exclusive components from a package are installed on a system. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references an variant_object and the optional state elements reference a variant_state and specifies the data to check.
+
+
+ variant_test
+ variant_object
+ variant_state
+ variant_item
+
+
+
+
+
+ - the object child element of an variant_test must reference a variant_object
+
+
+ - the state child element of an variant_test must reference a variant_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The variant_object element is used by a variant test to define the image variant items to be evaluated based on the specified states. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The path to the Solaris IPS image.
+
+
+
+
+ The name of the variant property associated with an IPS image.
+
+
+
+
+
+
+
+
+
+
+
+
+ The variant_state specifies the various variant properties associated with the specified IPS image.
+
+
+
+
+
+
+
+ Specifies the path to the Solaris IPS image.
+
+
+
+
+ Specifies the name of the variant property associated with an IPS image.
+
+
+
+
+ Specifies the value of the variant property associated with an IPS image.
+
+
+
+
+
+
+
+
+
+
+
+
+ The virtualizationinfo_test provides support for checking the metadata associated with the current virtualization environment this instance of Solaris is running on. The test extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a virtualizationinfo_object and the optional state elements reference virtualizationinfo_states that specify the metadata to check the current virtualization environment.
+
+
+ virtualizationinfo_test
+ virtualizationinfo_object
+ virtualizationinfo_state
+ virtualizationinfo_item
+
+
+
+
+
+ - the object child element of an virtualizationinfo_test must reference a virtualizationinfo_object
+
+
+ - the state child element of an virtualizationinfo_test must reference a virtualizationinfo_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The virtualizationinfo_object element is used by a virtualizationinfo_test to identify the current virtualization environment this instance of Solaris is running on. Given that this object only retrieves the current virtualization environment for the system, there are no child entities to specify in the object.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+ The virtualizationinfo_state element defines the different information that can be used to evaluate the current virtualization environment this instance of Solaris is running on.
+
+
+
+
+
+
+
+ The name of the current environment.
+
+
+
+
+ The list of virtualization environments that this node supports as children.
+
+
+
+
+ The parent environment of the current environment.
+
+
+
+
+ The logical domain roles associated with the current environment.
+
+
+
+
+ The properties associated with the current environment.
+
+
+
+
+
+
+
+
+
+
+
+
+ The EntityObjectPublisherTypeType complex type restricts a string value to three values: archive, mirror, or origin that specifies how the publisher distributes their packages. The empty string is also allowed to support empty elements associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+
+
+
+
+ The value of 'archive' specifies that the publisher distributes packages by providing a file that contains one or more packages.
+
+
+
+
+ The value of 'mirror' specifies that the publisher distributes packages by providing a package repository that contains only package content.
+
+
+
+
+ The value of 'origin' specifies that the publisher distributes packages by providing a package repository that contains both package metadata and package content.
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityStateClientUUIDType restricts a string value to a representation of a client UUID, used to identify an image to its IPS package publisher. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the specified pattern restriction.
+
+
+
+
+
+
+
+
+
+ The EntityStatePermissionCompareType complex type restricts a string value to more, less, or same which specifies if an actual permission is different than the expected permission (more or less restrictive) or if the permission is the same. The empty string is also allowed to support empty elements associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+
+
+
+
+ The actual permission is more restrictive than the expected permission.
+
+
+
+
+ The actual permission is less restrictive than the expected permission.
+
+
+
+
+ The actual permission is the same as the expected permission.
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityStatePublisherTypeType complex type restricts a string value to three values: archive, mirror, or origin that specifies how the publisher distributes their packages. The empty string is also allowed to support empty elements associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+
+
+
+
+ The value of 'archive' specifies that the publisher distributes packages by providing a file that contains one or more packages.
+
+
+
+
+ The value of 'mirror' specifies that the publisher distributes packages by providing a package repository that contains only package content.
+
+
+
+
+ The value of 'origin' specifies that the publisher distributes packages by providing a package repository that contains both package metadata and package content.
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityStateSmfServiceStateType complex type defines the different values that are valid for the service_state entity of a smf_state. The empty string is also allowed as a valid value to support an empty element that is found when a variable reference is used within the type entity.
+
+
+
+
+
+ The instance is enabled and running or available to run. The instance, however, is functioning at a limited capacity in comparison to normal operation.
+
+
+
+
+ The instance is disabled.
+
+
+
+
+ The instance is enabled, but not able to run. Administrative action is required to restore the instance to offline and subsequent states.
+
+
+
+
+ This state represents a legacy instance that is not managed by the service management facility. Instances in this state have been started at some point, but might or might not be running.
+
+
+
+
+ The instance is enabled, but not yet running or available to run.
+
+
+
+
+ The instance is enabled and running or is available to run.
+
+
+
+
+ This is the initial state for all service instances.
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+
+
+ The EntityStateV12NEnvType complex type restricts a string value to a specific set of values that describe the virtalization environment. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+
+
+
+
+ The virtualization environment is unknown. This could mean it is a bare metal virtualization environment.
+
+
+
+
+ The virtualization environment is a Kernel-based Virtual Machine (KVM).
+
+
+
+
+ The virtualization environment is a logical domain.
+
+
+
+
+ The virtualization environment is a non-global zone.
+
+
+
+
+ The virtualization environment is a kernel zone.
+
+
+
+
+ The virtualization environment is VMware.
+
+
+
+
+ The virtualization environment is Oracle VirtualBox.
+
+
+
+
+ The virtualization environment is Xen.
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityStateLDOMRoleType complex type restricts a string value to a specific set of roles for the current virtualization environment. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+
+
+
+
+ The current virtualization environment is a control domain.
+
+
+
+
+ The current virtualization environment is an I/O domain.
+
+
+
+
+ The current virtualization environment is a root I/O domain.
+
+
+
+
+ The current virtualization environment is a service domain.
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
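Review bot: the patch54_test and patch_test descriptions both state that "The required object element references an inetd_object", which is a copy-paste error; patch54_test should say patch54_object and patch_test should say patch_object, matching the "object child element ... must reference" assertions that follow each description. Smaller documentation fixes in the same hunk: "reresents" should be "represents" in the base entity descriptions of patch_object and patch_state, "scrips" should be "scripts" in the smf_test description ("start/kill scripts"), and "virtalization" should be "virtualization" in the EntityStateV12NEnvType description. The ssl_key and ssl_cert descriptions in packagepublisher_state do not say whether the entity holds a file path or the key/certificate material itself; please state which, since a collected item should not carry private key contents.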
diff --git a/oval-schemas/solaris-system-characteristics-schema.xsd b/oval-schemas/solaris-system-characteristics-schema.xsd
new file mode 100644
index 0000000..04a02bf
--- /dev/null
+++ b/oval-schemas/solaris-system-characteristics-schema.xsd
@@ -0,0 +1,856 @@
+
+
+
+
+ The following is a description of the elements, types, and attributes that compose the Solaris specific system characteristic items found in Open Vulnerability and Assessment Language (OVAL). Each item is an extension of the standard test element defined in the Core Definition Schema. Through extension, each test inherits a set of elements and attributes that are shared amongst all OVAL tests. Each test is described in detail and should provide the information necessary to understand what each element and attribute represents. This document is intended for developers and assumes some familiarity with XML. A high level description of the interaction between the different tests and their relationship to the Core Definition Schema is not outlined here.
+ The OVAL Schema is maintained by the OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.cisecurity.org.
+
+ Solaris System Characteristics
+ 5.11.1:1.1
+ 11/30/2016 09:00:00 AM
+ Copyright (c) 2016, Center for Internet Security. All rights reserved. The contents of this file are subject to the terms of the OVAL License located at https://oval.cisecurity.org/terms. See the OVAL License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the OVAL Schema, this license header must be included.
+
+
+
+
+
+
+
+
+
+
+ This item stores the facet properties and values of an IPS system image.
+
+
+
+
+
+
+
+ Specifies the path to the Solaris IPS image.
+
+
+
+
+ Specifies the name of the facet property associated with an IPS image.
+
+
+
+
+ Specifies the value of the facet property associated with an IPS image.
+
+
+
+
+
+
+
+
+
+
+
+
+ This item stores system state information associated with an IPS image on a Solaris system.
+
+
+
+
+
+
+
+ The path to the Solaris IPS image.
+
+
+
+
+ The name of the property associated with the Solaris IPS image.
+
+
+
+
+ The value of a property that is associated with a Solaris IPS image.
+
+
+
+
+
+
+
+
+
+
+
+
+ Information about the instruction set architectures. This information can be retrieved by the isainfo command.
+ The isainfo_item was originally developed by Robert L. Hollis at ThreatGuard, Inc. Many thanks for their support of the OVAL project.
+
+
+
+
+
+
+
+ This is the number of bits in the address space of the native instruction set (isainfo -b).
+
+
+
+
+ This is the name of the instruction set used by kernel components (isainfo -k).
+
+
+
+
+ This is the name of the instruction set used by portable applications (isainfo -n).
+
+
+
+
+
+
+
+
+
+
+
+
+ This item represents data collected by the ndd command.
+
+
+
+
+
+
+
+ The name of the device for which the parameter was collected.
+
+
+
+
+ The instance of the device to examine. Certain devices may have multiple instances on a system. If multiple instances exist, this entity should be populated with its respective instance value. If only a single instance exists, this entity should not be collected.
+
+
+
+
+ The name of a parameter for example, ip_forwarding
+
+
+
+
+ The observed value of the named parameter.
+
+
+
+
+
+
+
+
+
+
+
+
+ The package_item holds information about installed SVR4 packages. Output of /usr/bin/pkginfo. See pkginfo(1).
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ This item stores system state information associated with IPS packages installed on a Solaris system.
+
+
+
+
+
+
+
+ The person, group of persons, or organization that is the source of the package. The publisher should be expressed without leading "pkg:" or "//" components.
+
+
+
+
+ The full hierarchical name of the package which is separated by forward slash characters. The full name should be expressed without leading "pkg:/" or "/" components.
+
+
+
+
+ The version of the package which consists of the component version, build version, and branch version.
+
+
+
+
+ The timestamp when the package was published in the ISO-8601 basic format (YYYYMMDDTHHMMSSZ).
+
+
+
+
+ The Fault Management Resource Identifier (FMRI) of the package which uniquely identifies the package on the system.
+
+
+
+
+ A summary of what the package provides.
+
+
+
+
+ A description of what the package provides.
+
+
+
+
+ The category of the package.
+
+
+
+
+ A boolean value indicating whether or not updates are available for this package.
+
+
+
+
+
+
+
+
+
+
+
+
+ This item stores the FMRI associated with associated with IPS packages that have been flagged as to be avoided from installation on a Solaris system.
+
+
+
+
+
+
+
+ The Fault Management Resource Identifier (FMRI) of the package which uniquely identifies the package on the system.
+
+
+
+
+
+
+
+
+
+
+
+
+ The packagecheck_item holds verification information about an individual file that is part of an installed SVR4 package. Each packagecheck_item contains a package designation, filepath, whether the checksum differs, whether the size differs, whether the modfication time differs, and how the actual permissions differ from the expected permissions. For more information, see pkgchk(1M). It extends the standard ItemType as defined in the oval-system-characteristics schema and one should refer to the ItemType description for more information.
+
+
+
+
+
+
+
+ The pkginst entity is a string that represents a package designation by its instance. An instance can be the package abbreviation or a specific instance (for example, inst.1 or inst.2).
+
+
+
+
+ The filepath element specifies the absolute path for a file or directory in the specified package..
+
+
+
+
+ Has the file's checksum changed? A value of true indicates that the file's checksum has changed. A value of false indicates that the file's checksum has not changed.
+
+
+
+
+ Has the file's size changed? A value of true indicates that the file's size has changed. A value of false indicates that the file's size has not changed.
+
+
+
+
+ Has the file's modified time changed? A value of true indicates that the file's modified time has changed. A value of false indicates that the file's modified time has not changed.
+
+
+
+
+ Has the actual user read permission changed from the expected user read permission?
+
+
+
+
+ Has the actual user write permission changed from the expected user write permission?
+
+
+
+
+ Has the actual user exec permission changed from the expected user exec permission?
+
+
+
+
+ Has the actual group read permission changed from the expected group read permission?
+
+
+
+
+ Has the actual group write permission changed from the expected group write permission?
+
+
+
+
+ Has the actual group exec permission changed from the expected group exec permission?
+
+
+
+
+ Has the actual others read permission changed from the expected others read permission?
+
+
+
+
+ Has the actual others read permission changed from the expected others read permission?
+
+
+
+
+ Has the actual others read permission changed from the expected others read permission?
+
+
+
+
+
+
+
+
+
+
+
+
+ This item stores the FMRI associated with associated with IPS packages that have been frozen at a particular version.
+
+
+
+
+
+
+
+ The Fault Management Resource Identifier (FMRI) of the package which uniquely identifies the package on the system.
+
+
+
+
+
+
+
+
+
+
+
+
+ This item stores system state information associated with IPS package publishers on a Solaris system.
+
+
+
+
+
+
+
+ The name of the IPS package publisher.
+
+
+
+
+ The type of the IPS package publisher.
+
+
+
+
+ The origin URI of the IPS package publisher.
+
+
+
+
+ The alias of the IPS package publisher.
+
+
+
+
+ The Secure Socket Layer (SSL) key registered by a client for publishers using client-side SSL authentication.
+
+
+
+
+ The Secure Socket Layer (SSL) certificate registered by a client for publishers using client-side SSL authentication.
+
+
+
+
+ The universally unique identifier (UUID) that identifies the image to its publisher.
+
+
+
+
+ The last time that the IPS package publisher's catalog was updated in seconds since the Unix epoch. The Unix epoch is the time 00:00:00 UTC on January 1, 1970.
+
+
+
+
+ Specifies whether or not the publisher is enabled.
+
+
+
+
+ Specifies where in the search order the IPS package publisher is listed. The first publisher in the search order will have a value of '1'.
+
+
+
+
+ The properties associated with an IPS package publisher.
+
+
+
+
+
+
+
+
+
+
+
+
+ Patches for SVR4 packages are identified by unique alphanumeric strings, with the patch base code first, a hyphen, and a number that represents the patch revision number. The information can be obtained using /usr/bin/showrev -p. Please see showrev(1M).
+
+
+
+
+
+
+
+ The base entity reresents a patch base code found before the hyphen.
+
+
+
+
+ The version entity represents a patch version number found after the hyphen.
+
+
+
+
+
+
+
+
+
+
+
+
+ The smf_item is used to hold information related to service management facility controlled services
+
+
+
+
+
+
+
+ The FMRI (Fault Managed Resource Identifier) entity holds the identifier associated with a service. Services managed by SMF are assigned FMRI URIs prefixed with the scheme name "svc". FMRIs used by SMF can be expressed in three ways: first as an absolute path including a location path such as "localhost" (eg svc://localhost/system/system-log:default), second as a path relative to the local machine (eg svc:/system/system-log:default), and third as simply the service identifier with the string prefixes implied (eg system/system-log:default). For OVAL, the absolute path version (first choice) should be used.
+
+
+
+
+ The service_name entity is usually an abbreviated form of the FMRI. In the example svc://localhost/system/system-log:default, the name would be system-log.
+
+
+
+
+ The service_state entity describes the state that the service is in. Each service instance is always in a well-defined state based on its dependencies, the results of the execution of its methods, and its potential receipt of events from the contracts filesystem. The service_state values are UNINITIALIZED, OFFLINE, ONLINE, DEGRADED, MAINTENANCE, DISABLED, and LEGACY-RUN.
+
+
+
+
+ The protocol entity describes the protocol supported by the service.
+
+
+
+
+ The entity server_executable is a string representing the listening daemon on the server side. An example being 'svcprop ftp' which might show 'inetd/start/exec astring /usr/sbin/in.ftpd\ -a'
+
+
+
+
+ The server_arguments entity describes the parameters that are passed to the service.
+
+
+
+
+ The exec_as_user entity is a string pulled from svcprop in the following format: inetd_start/user astring root
+
+
+
+
+
+
+
+
+
+
+
+
+ This item stores the properties and values of an SMF service.
+
+
+
+
+
+
+
+ Specifies the SMF service on the system. This is the service category and name separated by a forward slash ("/").
+
+
+
+
+ Specifies the instance of an SMF service which represents a specific configuration of a service.
+
+
+
+
+ The name of the property associated with an SMF service. This is the property category and name separated by a forward slash ("/").
+
+
+
+
+ The Fault Management Resource Identifier (FMRI) of the SMF service which uniquely identifies the service on the system.
+
+
+
+
+ Specifies the value of the property associated with an SMF service.
+
+
+
+
+
+
+
+
+
+
+
+
+ This item stores the variant properties and values of the specified IPS system image.
+
+
+
+
+
+
+
+ Specifies the path to the Solaris IPS image.
+
+
+
+
+ Specifies the name of the variant property associated with an IPS image.
+
+
+
+
+ Specifies the value of the variant property associated with an IPS image.
+
+
+
+
+
+
+
+
+
+
+
+
+ This item stores the information associated with the current virtualization environment this instance of Solaris is running on and is capable of supporting.
+
+
+
+
+
+
+
+ The name of the current environment. This information could be collected using the libv12n library or by executing the 'virtinfo -c current list -H -o name' command.
+
+
+
+
+ The list of virtualization environments that this node supports as children. This information could be collected using the libv12n library or by executing the 'virtinfo -c supported list -H -o name' command.
+
+
+
+
+ The parent environment of the current environment. This information could be collected using libv12n library or by executing the 'virtinfo -c parent list -H -o name' command.
+
+
+
+
+ The logical domain roles associated with the current environment. This information could be collected using libv12n library.
+
+
+
+
+ The properties associated with the current environment. This information could be collected using libv12n library.
+
+
+
+
+
+
+
+
+
+
+
+
+ The EntityItemClientUUIDType restricts a string value to a representation of a client UUID, used to identify an image to its IPS package publisher. The empty string is also allowed to support empty element associated with error conditions.
+
+
+
+
+
+
+
+
+
+ The EntityItemPermissionCompareType complex type restricts a string value to more, less, or same which specifies if an actual permission is different than the expected permission (more or less restrictive) or if the permission is the same. The empty string is also allowed to support empty elements associated with error conditions.
+
+
+
+
+
+ The actual permission is more restrictive than the expected permission.
+
+
+
+
+ The actual permission is less restrictive than the expected permission.
+
+
+
+
+ The actual permission is the same as the expected permission.
+
+
+
+
+ The empty string value is permitted here to allow for detailed error reporting.
+
+
+
+
+
+
+
+ The EntityItemPublisherTypeType complex type restricts a string value to three values: archive, mirror, or origin that specifies how the publisher distributes their packages. The empty string is also allowed to support empty elements associated with error conditions.
+
+
+
+
+
+ The value of 'archive' specifies that the publisher distributes packages by providing a file that contains one or more packages.
+
+
+
+
+ The value of 'mirror' specifies that the publisher distributes packages by providing a package repository that contains only package content.
+
+
+
+
+ The value of 'origin' specifies that the publisher distributes packages by providing a package repository that contains both package metadata and package content.
+
+
+
+
+ The empty string value is permitted here to allow for detailed error reporting.
+
+
+
+
+
+
+
+ The EntityItemSmfServiceStateType defines the different values that are valid for the service_state entity of a smf_item. The empty string is also allowed as a valid value to support empty emlements associated with error conditions.
+
+
+
+
+
+ The instance is enabled and running or available to run. The instance, however, is functioning at a limited capacity in comparison to normal operation.
+
+
+
+
+ The instance is disabled.
+
+
+
+
+ The instance is enabled, but not able to run. Administrative action is required to restore the instance to offline and subsequent states.
+
+
+
+
+ This state represents a legacy instance that is not managed by the service management facility. Instances in this state have been started at some point, but might or might not be running.
+
+
+
+
+ The instance is enabled, but not yet running or available to run.
+
+
+
+
+ The instance is enabled and running or is available to run.
+
+
+
+
+ This is the initial state for all service instances.
+
+
+
+
+ The empty string value is permitted here to allow for detailed error reporting.
+
+
+
+
+
+
+
+ The EntityItemV12NEnvypeType complex type restricts a string value to a specific set of values that describe the virtalization environment. The empty string is also allowed to support empty elements associated with error conditions.
+
+
+
+
+
+ The virtualization environment is unknown. This could mean it is a bare metal virtualization environment.
+
+
+
+
+ The virtualization environment is a Kernel-based Virtual Machine (KVM).
+
+
+
+
+ The virtualization environment is a logical domain.
+
+
+
+
+ The virtualization environment is a non-global zone.
+
+
+
+
+ The virtualization environment is a kernel zone.
+
+
+
+
+ The virtualization environment is VMware.
+
+
+
+
+ The virtualization environment is Oracle VirtualBox.
+
+
+
+
+ The virtualization environment is Xen.
+
+
+
+
+ The empty string value is permitted here to allow for detailed error reporting.
+
+
+
+
+
+
+
+ The EntityItemLDOMRoleType complex type restricts a string value to a specific set of roles for the current virtualization environment. The empty string is also allowed to support empty elements associated with error conditions.
+
+
+
+
+
+ The current virtualization environment is a control domain.
+
+
+
+
+ The current virtualization environment is an I/O domain.
+
+
+
+
+ The current virtualization environment is a root I/O domain.
+
+
+
+
+ The current virtualization environment is a service domain.
+
+
+
+
+ The empty string value is permitted here to allow for detailed error reporting.
+
+
+
+
+
+
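Review bot: several entity descriptions in this hunk carry typos or inconsistencies that will surface verbatim in generated documentation and should be fixed before merge: "associated with associated with" is doubled in the IPS package-freeze item description, "reresents" in the patch base entity, "emlements" in EntityItemSmfServiceStateType, and "EntityItemV12NEnvypeType" / "virtalization" in the virtualization environment type description (the type name given in the description should match the declared type name). The two svcprop examples disagree on how the property group is written: the server_executable example shows 'inetd/start/exec astring ...' while the exec_as_user example shows 'inetd_start/user astring root'; the two should use the same form. Also, the first two lines of this region repeat the same "Has the actual others read permission changed ..." sentence back to back, so one of the two permission-compare entities is mis-described and should be corrected to the permission it actually covers.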
diff --git a/oval-schemas/unix-definitions-schema.xsd b/oval-schemas/unix-definitions-schema.xsd
new file mode 100644
index 0000000..efd6721
--- /dev/null
+++ b/oval-schemas/unix-definitions-schema.xsd
@@ -0,0 +1,3347 @@
+
+
+
+
+
+ The following is a description of the elements, types, and attributes that compose generic UNIX tests found in Open Vulnerability and Assessment Language (OVAL). Each test is an extension of the standard test element defined in the Core Definition Schema. Through extension, each test inherits a set of elements and attributes that are shared amongst all OVAL tests. Each test is described in detail and should provide the information necessary to understand what each element and attribute represents. This document is intended for developers and assumes some familiarity with XML. A high level description of the interaction between the different tests and their relationship to the Core Definition Schema is not outlined here.
+ The OVAL Schema is maintained by the OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.cisecurity.org.
+
+ UNIX Definition
+ 5.11.1:1.2
+ 11/30/2016 09:00:00 AM
+ Copyright (c) 2016, Center for Internet Security. All rights reserved. The contents of this file are subject to the terms of the OVAL License located at https://oval.cisecurity.org/terms. See the OVAL License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the OVAL Schema, this license header must be included.
+
+
+
+
+
+
+
+
+
+
+ The dnscache_test is used to check the time to live and IP addresses associated with a domain name. The time to live and IP addresses for a particular domain name are retrieved from the DNS cache on the local system. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a dnscache_object and the optional state element specifies the metadata to check.
+
+
+ dnscache_test
+ dnscache_object
+ dnscache_state
+ dnscache_item
+
+
+
+
+
+ - the object child element of a dnscache_test must reference a dnscache_object
+
+
+ - the state child element of a dnscache_test must reference a dnscache_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The dnscache_object is used by the dnscache_test to specify the domain name(s) that should be collected from the DNS cache on the local system. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The domain_name element specifies the domain name(s) that should be collected from the DNS cache on the local system.
+
+
+
+
+
+
+
+
+
+
+
+
+ The dnscache_state contains three entities that are used to check the domain name, time to live, and IP addresses associated with the DNS cache entry.
+
+
+
+
+
+
+
+ The domain_name element contains a string that represents a domain name that was collected from the DNS cache on the local system.
+
+
+
+
+ The ttl element contains an integer that represents the time to live in seconds of the DNS cache entry.
+
+
+
+
+ The ip_address element contains a string that represents an IP address associated with the specified domain name that was collected from the DNS cache on the local system. Note that the IP address can be IPv4 or IPv6.
+
+
+
+
+
+
+
+
+
+
+
+
+ The file test is used to check metadata associated with UNIX files, of the sort returned by either an ls command, stat command or stat() system call. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a file_object and the optional state element specifies the metadata to check.
+
+
+ file_test
+ file_object
+ file_state
+ file_item
+
+
+
+
+
+ - the object child element of a file_test must reference a file_object
+
+
+ - the state child element of a file_test must reference a file_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The file_object element is used by a file test to define the specific file(s) to be evaluated. The file_object will collect all UNIX file types (directory, regular file, character device, block device, fifo, symbolic link, and socket). Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+ A file object defines the path and filename of the file(s). In addition, a number of behaviors may be provided that help guide the collection of objects. Please refer to the FileBehaviors complex type for more information about specific behaviors.
+ The set of files to be evaluated may be identified with either a complete filepath or a path and filename. Only one of these options may be selected.
+ It is important to note that the 'max_depth' and 'recurse_direction' attributes of the 'behaviors' element do not apply to the 'filepath' element, only to the 'path' and 'filename' elements. This is because the 'filepath' element represents an absolute path to a particular file and it is not possible to recurse over a file.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The filepath element specifies the absolute path for a file on the machine. A directory cannot be specified as a filepath.
+
+
+
+ - the max_depth, recurse, and recurse_direction behaviors are not allowed with a filepath entity
+
+
+
+
+ - the recurse_file_system behavior MUST not be set to 'defined' when a pattern match is used with a filepath entity.
+
+
+
+
+
+
+
+
+ The path element specifies the directory component of the absolute path to a file on the machine.
+
+
+
+ - the recurse_file_system behavior MUST not be set to 'defined' when a pattern match is used with a path entity.
+ - the max_depth behavior MUST not be used when a pattern match is used with a path entity.
+ - the recurse_direction behavior MUST not be used when a pattern match is used with a path entity.
+ - the recurse behavior MUST not be used when a pattern match is used with a path entity.
+
+
+
+
+
+
+
+ The filename element specifies the name of a file to evaluate. If the xsi:nil attribute is set to true, then the object being specified is the higher level directory object (not all the files in the directory). In this case, the filename element should not be used during collection and would result in the unique set of items being the directories themselves. For example, one would set xsi:nil to true if the desire was to test the attributes or permissions associated with a directory. Setting xsi:nil equal to true is different than using a .* pattern match, which says to collect every file under a given path.
+
+
+
+ - filename entity cannot be empty unless the xsi:nil attribute is set to true or a var_ref is used
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The file_state element defines the different metadata associate with a UNIX file. This includes the path, filename, type, group id, user id, size, etc. In addition, the permission associated with the file are also included. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ The filepath element specifies the absolute path for a file on the machine. A directory cannot be specified as a filepath.
+
+
+
+
+ The path element specifies the directory component of the absolute path to a file on the machine.
+
+
+
+
+ The name of the file.
+
+
+
+
+ This is the file's type: regular file (regular), directory, named pipe (fifo), symbolic link, socket or block special.
+
+
+
+
+ The group_id entity represents the group owner of a file, by group number.
+
+
+
+ - the value of group_id must be greater than zero
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The numeric user id, or uid, is the third column of each user's entry in /etc/passwd. This element represents the owner of the file.
+
+
+
+ - the value of user_id must be greater than zero
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ This is the time that the file was last accessed, in seconds since the Unix epoch. The Unix epoch is the time 00:00:00 UTC on January 1, 1970.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ This is the time of the last change to the file's inode, in seconds since the Unix epoch. The Unix epoch is the time 00:00:00 UTC on January 1, 1970. An inode is a Unix data structure that stores all of the information about a particular file.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ This is the time of the last change to the file's contents, in seconds since the Unix epoch. The Unix epoch is the time 00:00:00 UTC on January 1, 1970.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ This is the size of the file in bytes.
+
+
+
+
+ Does the program run with the uid (thus privileges) of the file's owner, rather than the calling user?
+
+
+
+
+ Does the program run with the gid (thus privileges) of the file's group owner, rather than the calling user's group?
+
+
+
+
+ Can users delete each other's files in this directory, when said directory is writable by those users?
+
+
+
+
+ Can the owner (user owner) of the file read this file or, if a directory, read the directory contents?
+
+
+
+
+ Can the owner (user owner) of the file write to this file or, if a directory, write to the directory?
+
+
+
+
+ Can the owner (user owner) of the file execute it or, if a directory, change into the directory?
+
+
+
+
+ Can the group owner of the file read this file or, if a directory, read the directory contents?
+
+
+
+
+ Can the group owner of the file write to this file or, if a directory, write to the directory?
+
+
+
+
+ Can the group owner of the file execute it or, if a directory, change into the directory?
+
+
+
+
+ Can all other users read this file or, if a directory, read the directory contents?
+
+
+
+
+ Can the other users write to this file or, if a directory, write to the directory?
+
+
+
+
+ Can the other users execute this file or, if a directory, change into the directory?
+
+
+
+
+ Does the file or directory have ACL permissions applied to it? If the file or directory doesn't have an ACL, or it matches the standard UNIX permissions, the value will be 'false'. Otherwise, if a file or directory has an ACL, the value will be 'true'.
+
+
+
+
+
+
+
+
+
+ The FileBehaviors complex type defines a number of behaviors that allow a more detailed definition of the file_object being specified. Note that using these behaviors may result in some unique results. For example, a double negative type condition might be created where an object entity says include everything except a specific item, but a behavior is used that might then add that item back in.
+ It is important to note that the 'max_depth' and 'recurse_direction' attributes of the 'behaviors' element do not apply to the 'filepath' element, only to the 'path' and 'filename' elements. This is because the 'filepath' element represents an absolute path to a particular file and it is not possible to recurse over a file.
+
+
+
+ 'max_depth' defines the maximum depth of recursion to perform when a recurse_direction is specified. A value of '0' is equivalent to no recursion, '1' means to step only one directory level up/down, and so on. The default value is '-1' meaning no limitation. For a 'max_depth' of -1 or any value of 1 or more the starting directory must be considered in the recursive search.
+ Note that the default recurse_direction behavior is 'none' so even though max_depth specifies no limitation by default, the recurse_direction behavior turns recursion off.
+ Note that this behavior only applies with the equality operation on the path entity.
+
+
+
+
+
+
+
+
+
+
+ 'recurse' defines how to recurse into the path entity, in other words what to follow during recursion. Options include symlinks, directories, or both. Note that a max-depth other than 0 has to be specified for recursion to take place and for this attribute to mean anything.
+ Note that this behavior only applies with the equality operation on the path entity.
+
+
+
+ DEPRECATED ATTRIBUTE VALUE IN: ATTRIBUTE VALUE:
+ DEPRECATED ATTRIBUTE VALUE IN: ATTRIBUTE VALUE:
+ DEPRECATED ATTRIBUTE VALUE IN: ATTRIBUTE VALUE:
+
+
+
+
+
+
+
+
+
+
+ 5.4
+ The values 'files', 'files and directories', and 'none' are being removed because it is not possible to recurse files and the value 'none' was intended to mean no recursion, however, this is already covered by the recurse_direction attribute.
+ These values have been deprecated and will be removed in version 6.0 of the language.
+
+
+
+
+
+
+
+
+ 5.4
+ The values 'files', 'files and directories', and 'none' are being removed because it is not possible to recurse files and the value 'none' was intended to mean no recursion, however, this is already covered by the recurse_direction attribute.
+ These values have been deprecated and will be removed in version 6.0 of the language.
+
+
+
+
+
+
+
+
+
+ 5.4
+ The values 'files', 'files and directories', and 'none' are being removed because it is not possible to recurse files and the value 'none' was intended to mean no recursion, however, this is already covered by the recurse_direction attribute.
+ These values have been deprecated and will be removed in version 6.0 of the language.
+
+
+
+
+
+
+
+
+
+
+
+ 'recurse_direction' defines the direction to recurse, either 'up' to parent directories, or 'down' into child directories. The default value is 'none' for no recursion.
+ Note that this behavior only applies with the equality operation on the path entity.
+
+
+
+
+
+
+
+
+
+
+
+ 'recurse_file_system' defines the file system limitation of any searching and applies to all operations as specified on the path or filepath entity. The value of 'local' limits the search scope to local file systems (as opposed to file systems mounted from an external system). The value of 'defined' keeps any recursion within the file system that the file_object (path+filename or filepath) has specified. For example, if the path specified was "/", you would search only the filesystem mounted there, not other filesystems mounted to descendant paths. The value of 'defined' only applies when an equality operation is used for searching because the path or filepath entity must explicitly define a file system. The default value is 'all' meaning to search all available file systems for data collection.
+ Note that in most cases it is recommended that the value of 'local' be used to ensure that file system searching is limited to only the local file systems. Searching 'all' file systems may have performance implications.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The file extended attribute test is used to check extended attribute values associated with UNIX files, of the sort returned by the getfattr command or getxattr() system call. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a fileextendedattribute_object and the optional state element specifies the extended attributes to check.
+ NOTE: Solaris has a very different implementation of "extended attributes" in which the attributes are really an orthogonal directory hierarchy of files. See the Solaris documentation for more details. The file extended attribute test only handles simple name/value pairs as implemented by most other UNIX derived operating systems.
+
+
+ fileextendedattribute_test
+ fileextendedattribute_object
+ fileextendedattribute_state
+ fileextendedattribute_item
+
+
+
+
+
+ - the object child element of a fileextendedattribute_test must reference a fileextendedattribute_object
+
+
+ - the state child element of a fileextendedattribute_test must reference a fileextendedattribute_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The fileextendedattribute_object element is used by a file extended attribute test to define the specific file(s) and attribute(s) to be evaluated. The fileextendedattribute_object will collect all UNIX file types (directory, regular file, character device, block device, fifo, symbolic link, and socket). Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+ A file extended attribute object defines the path, filename and attribute name. In addition, a number of behaviors may be provided that help guide the collection of objects. Please refer to the FileExtendedAttributeBehaviors complex type for more information about specific behaviors.
+ The set of files to be evaluated may be identified with either a complete filepath or a path and filename. Only one of these options may be selected.
+ It is important to note that the 'max_depth' and 'recurse_direction' attributes of the 'behaviors' element do not apply to the 'filepath' element, only to the 'path' and 'filename' elements. This is because the 'filepath' element represents an absolute path to a particular file and it is not possible to recurse over a file.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The filepath element specifies the absolute path for a file on the machine. A directory cannot be specified as a filepath.
+
+
+
+ - the max_depth, recurse, and recurse_direction behaviors are not allowed with a filepath entity
+
+
+
+
+ - the recurse_file_system behavior MUST not be set to 'defined' when a pattern match is used with a filepath entity.
+
+
+
+
+
+
+
+
+ The path element specifies the directory component of the absolute path to a file on the machine.
+
+
+
+ - the recurse_file_system behavior MUST not be set to 'defined' when a pattern match is used with a path entity.
+ - the max_depth behavior MUST not be used when a pattern match is used with a path entity.
+ - the recurse_direction behavior MUST not be used when a pattern match is used with a path entity.
+ - the recurse behavior MUST not be used when a pattern match is used with a path entity.
+
+
+
+
+
+
+
+ The filename element specifies the name of a file to evaluate. If the xsi:nil attribute is set to true, then the object being specified is the higher level directory object (not all the files in the directory). In this case, the filename element should not be used during collection and would result in the unique set of items being the directories themselves. For example, one would set xsi:nil to true if the desire was to test the attributes associated with a directory. Setting xsi:nil equal to true is different than using a .* pattern match, which says to collect every file under a given path.
+
+
+
+ - filename entity cannot be empty unless the xsi:nil attribute is set to true or a var_ref is used
+
+
+
+
+
+
+
+
+
+ The attribute_name element specifies the name of an extended attribute to evaluate.
+
+
+
+
+
+
+
+
+
+
+
+
+ The fileextendedattribute_state element defines an extended attribute associated with a UNIX file. This includes the path, filename, attribute name, and attribute value.
+
+
+
+
+
+
+
+ The filepath element specifies the absolute path for a file on the machine. A directory can be specified as a filepath.
+
+
+
+
+ The path element specifies the directory component of the absolute path to a file on the machine.
+
+
+
+
+ The name of the file.
+
+
+
+
+ This is the extended attribute's name, identifier or key.
+
+
+
+
+ The value entity represents the extended attribute's value or contents. To test for an attribute with no value assigned to it, this entity would be used with an empty value.
+
+
+
+
+
+
+
+
+
+
+
+
+ The gconf_test is used to check the attributes and value(s) associated with GConf preference keys. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a gconf_object and the optional gconf_state element specifies the data to check.
+
+
+ gconf_test
+ gconf_object
+ gconf_state
+ gconf_item
+
+
+
+
+
+ - the object child element of a gconf_test must reference an gconf_object
+
+
+ - the state child element of a gconf_test must reference an gconf_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The gconf_object element is used by a gconf_test to define the preference keys to collect and the sources from which to collect the preference keys. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ This is the preference key to check.
+
+
+
+
+ The source element specifies the source from which to collect the preference key. The source is represented by the absolute path to a GConf XML file as XML is the current backend for GConf. Note that other backends may become available in the future. If the xsi:nil attribute is set to 'true', the preference key is looked up using the GConf daemon. Otherwise, the preference key is looked up using the values specified in this entity.
+
+
+
+
+ - operation attribute for the source entity of a gconf_object should be 'equals'
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The gconf_state element defines the different information that can be used to evaluate the specified GConf preference key. This includes the preference key, source, type, whether it's writable, the user who last modified it, the time it was last modified, whether it's the default value, as well as the preference key's value. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ The preference key to check.
+
+
+
+
+ The source used to look up the preference key.
+
+
+
+
+ The type of the preference key.
+
+
+
+
+ Is the preference key writable? If true, the preference key is writable. If false, the preference key is not writable.
+
+
+
+
+ The user who last modified the preference key.
+
+
+
+
+ The time the preference key was last modified in seconds since the Unix epoch. The Unix epoch is the time 00:00:00 UTC on January 1, 1970.
+
+
+
+
+ Is the preference key value the default value. If true, the preference key value is the default value. If false, the preference key value is not the default value.
+
+
+
+
+ The value of the preference key.
+
+
+
+
+
+
+
+
+
+
+
+
+ The inetd test is used to check information associated with different Internet services. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references an inetd_object and the optional state element specifies the information to check.
+
+
+ inetd_test
+ inetd_object
+ inetd_state
+ inetd_item
+
+
+
+
+
+ - the object child element of an inetd_test must reference an inetd_object
+
+
+ - the state child element of an inetd_test must reference an inetd_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The inetd_object element is used by an inetd test to define the specific protocol-service to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+ An inetd object consists of a protocol entity and a service_name entity that identifies the specific service to be tested.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ A recognized protocol listed in the file /etc/inet/protocols.
+
+
+
+
+ The name of a valid service listed in the services file. For RPC services, the value of the service-name field consists of the RPC service name or program number, followed by a '/' (slash) and either a version number or a range of version numbers (for example, rstatd/2-4).
+
+
+
+
+
+
+
+
+
+
+
+
+ The inetd_state element defines the different information associated with a specific Internet service. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ A recognized protocol listed in the file /etc/inet/protocols.
+
+
+
+
+ The name of a valid service listed in the services file. For RPC services, the value of the service-name field consists of the RPC service name or program number, followed by a '/' (slash) and either a version number or a range of version numbers (for example, rstatd/2-4).
+
+
+
+
+ Either the pathname of a server program to be invoked by inetd to perform the requested service, or the value internal if inetd itself provides the service.
+
+
+
+
+ The arguments for running the service. These are either passed to the server program invoked by inetd, or used to configure a service provided by inetd. In the case of server programs, the arguments shall begin with argv[0], which is typically the name of the program. In the case of a service provided by inted, the first argument shall be the word "internal".
+
+
+
+
+ The endpoint type (aka, socket type) associated with the service.
+
+
+
+
+ The user id of the user the server program should run under. (This allows for running with less permission than root.)
+
+
+
+
+ This field has values wait or nowait. This entry specifies whether the server that is invoked by inetd will take over the listening socket associated with the service, and whether once launched, inetd will wait for that server to exit, if ever, before it resumes listening for new service requests.
+
+
+
+
+
+
+
+
+
+
+
+
+ The interface test enumerates various attributes about the interfaces on a system. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references an interface_object and the optional state element specifies the interface information to check.
+
+
+ interface_test
+ interface_object
+ interface_state
+ interface_item
+
+
+
+
+
+ - the object child element of an interface_test must reference an interface_object
+
+
+ - the state child element of an interface_test must reference an interface_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The interface_object element is used by an interface test to define the specific interfaces(s) to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+ An interface object consists of a single name entity that identifies which interface is being specified.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The name element is the interface (eth0, eth1, fw0, etc.) name to check.
+
+
+
+
+
+
+
+
+
+
+
+
+ The interface_state element enumerates the different properties associate with a Unix interface. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ The name element is the interface (eth0, eth1, fw0, etc.) name to check.
+
+
+
+
+ The type element specifies the type of interface.
+
+
+
+
+ The hardware_addr element is the hardware or MAC address of the physical network card. MAC addresses should be formatted according to the IEEE 802-2001 standard which states that a MAC address is a sequence of six octet values, separated by hyphens, where each octet is represented by two hexadecimal digits. Uppercase letters should also be used to represent the hexadecimal digits A through F.
+
+
+
+
+ This is the IP address of the interface. Note that the IP address can be IPv4 or IPv6. If the IP address is an IPv6 address, this entity will be expressed as an IPv6 address prefix using CIDR notation and the netmask entity will not be collected.
+
+
+
+
+ This is the broadcast IP address for this interface's network. Note that the IP address can be IPv4 or IPv6.
+
+
+
+
+ This is the bitmask used to calculate the interface's IP network. The network number is calculated by bitwise-ANDing this with the IP address. The host number on that network is calculated by bitwise-XORing this with the IP address. Note that if the inet_addr entity contains an IPv6 address prefix, this entity will not be collected.
+
+
+
+
+ The flag entity represents the interface flag line, which generally contains flags like "UP" to denote an active interface, "PROMISC" to note that the interface is listening for Ethernet frames not specifically addressed to it, and others. This element can be included multiple times in a system characteristic item in order to record a multitude of flags. Note that the entity_check attribute associated with EntityStateStringType guides the evaluation of entities like this that refer to items that can occur an unbounded number of times.
+
+
+
+
+
+
+
+
+
+
+
+
+ /etc/passwd. See passwd(4).
+ The password test is used to check metadata associated with the UNIX password file, of the sort returned by the passwd command. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a password_object and the optional state element specifies the metadata to check.
+
+
+ password_test
+ password_object
+ password_state
+ password_item
+
+
+
+
+
+ - the object child element of a password_test must reference a password_object
+
+
+ - the state child element of a password_test must reference a password_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The password_object element is used by a password test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+ A password object consists of a single username entity that identifies the user(s) whose password is to be evaluated.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The user(s) account whose password is to be evaluated.
+
+
+
+
+
+
+
+
+
+
+
+
+ The password_state element defines the different information associated with the system passwords. Please refer to the individual elements in the schema for more details about what each represents.
+ See documentation on /etc/passwd for more details on the fields.
+
+
+
+
+
+
+
+ The UNIX account name.
+
+
+
+
+ This is the encrypted version of the user's password.
+
+
+
+
+ The numeric user id, or uid, is the third column of each user's entry in /etc/passwd.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The id of the primary UNIX group the user belongs to.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The GECOS (or GCOS) field from /etc/passwd; typically contains the user's full name.
+
+
+
+
+ The user's home directory.
+
+
+
+
+ The user's shell program.
+
+
+
+
+ The date and time when the last login occurred. This value is stored as the number of seconds that have elapsed since 00:00:00, January 1, 1970, UTC.
+
+
+
+
+
+
+
+
+
+
+
+
+ The process test is used to check information found in the UNIX processes. It is equivalent to parsing the output of the ps command. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a process_object and the optional state element specifies the process information to check.
+
+
+ process_test
+ process_object
+ process_state
+ process_item
+
+
+
+
+ 5.8
+ The process_test has been deprecated and replaced by the process58_test. The command line of a process cannot be used to uniquely identify a process. As a result, the pid entity was added to the process58_object. Please see the process58_test for additional information.
+
+
+
+ DEPRECATED TEST: ID:
+
+
+
+
+
+
+ - the object child element of a process_test must reference a process_object
+
+
+ - the state child element of a process_test must reference a process_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The process_object element is used by a process test to define the specific process(es) to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+ A process object defines the command line used to start the process(es).
+
+
+ 5.8
+ The process_object has been deprecated and replaced by the process58_object. The command line of a process cannot be used to uniquely identify a process. As a result, the pid entity was added to the process58_object. Please see the process58_object for additional information.
+
+
+
+ DEPRECATED OBJECT: ID:
+
+
+
+
+
+
+
+
+
+
+
+
+ The command element specifies the command/program name to check.
+
+
+
+
+
+
+
+
+
+
+ The process_state element defines the different metadata associated with a UNIX process. This includes the command line, pid, ppid, priority, and user id. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+ 5.8
+ The process_state has been deprecated and replaced by the process58_state. The command line of a process cannot be used to uniquely identify a process. As a result, the pid entity was added to the process58_object. Please see the process58_state for additional information.
+
+
+
+ DEPRECATED STATE: ID:
+
+
+
+
+
+
+
+
+
+
+ The command element specifies the command/program name to check.
+
+
+
+
+ This is the cumulative CPU time, formatted in [DD-]HH:MM:SS where DD is the number of days when execution time is 24 hours or more.
+
+
+
+
+ This is the process ID of the process.
+
+
+
+
+ This is the process ID of the process's parent process.
+
+
+
+
+ This is the scheduling priority with which the process runs. This can be adjusted with the nice command or nice() system call.
+
+
+
+
+ This is the real user id which represents the user who has created the process.
+
+
+
+
+ A platform specific characteristic maintained by the scheduler: RT (real-time), TS (timeshare), FF (fifo), SYS (system), etc.
+
+
+
+
+ This is the time of day the process started formatted in HH:MM:SS if the same day the process started or formatted as MMM_DD (Ex.: Feb_5) if process started the previous day or further in the past.
+
+
+
+
+ This is the TTY on which the process was started, if applicable.
+
+
+
+
+ This is the effective user id which represents the actual privileges of the process.
+
+
+
+
+
+
+
+
+
+
+
+
+ The process58_test is used to check information found in the UNIX processes. It is equivalent to parsing the output of the ps command. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a process58_object and the optional state element references a process58_state that specifies the process information to check.
+
+
+ process58_test
+ process58_object
+ process58_state
+ process58_item
+
+
+
+
+
+ - the object child element of a process58_test must reference a process58_object
+
+
+ - the state child element of a process58_test must reference a process58_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The process58_object element is used by a process58_test to define the specific process(es) to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+ A process58_object defines the command line used to start the process(es) and pid.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The command_line entity is the string used to start the process. This includes any parameters that are part of the command line.
+
+
+
+
+ The pid entity is the process ID of the process.
+
+
+
+
+
+
+
+
+
+
+
+
+ The process58_state element defines the different metadata associated with a UNIX process. This includes the command line, pid, ppid, priority, and user id. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ This is the string used to start the process. This includes any parameters that are part of the command line.
+
+
+
+
+ This is the cumulative CPU time, formatted in [DD-]HH:MM:SS where DD is the number of days when execution time is 24 hours or more.
+
+
+
+
+ This is the process ID of the process.
+
+
+
+
+ This is the process ID of the process's parent process.
+
+
+
+
+ This is the scheduling priority with which the process runs. This can be adjusted with the nice command or nice() system call.
+
+
+
+
+ This is the real user id which represents the user who has created the process.
+
+
+
+
+ A platform specific characteristic maintained by the scheduler: RT (real-time), TS (timeshare), FF (fifo), SYS (system), etc.
+
+
+
+
+ This is the time of day the process started formatted in HH:MM:SS if the same day the process started or formatted as MMM_DD (Ex.: Feb_5) if process started the previous day or further in the past.
+
+
+
+
+ This is the TTY on which the process was started, if applicable.
+
+
+
+
+ This is the effective user id which represents the actual privileges of the process.
+
+
+
+
+ A boolean that when true would indicates that ExecShield is enabled for the process. Applicable only to RedHat-based Linux distros, an example script demonstrating the collection of this entity can be found at http://people.redhat.com/sgrubb/files/lsexec
+
+
+
+
+ The loginuid shows which account a user gained access to the system with. The /proc/XXXX/loginuid shows this value.
+
+
+
+
+ An effective capability associated with the process. See linux/include/linux/capability.h for more information.
+
+
+
+
+ An selinux domain label associated with the process.
+
+
+
+
+ The session ID of the process.
+
+
+
+
+
+
+
+
+
+
+
+
+ The routingtable_test is used to check information about the IPv4 and IPv6 routing table entries found in a system's primary routing table. It is important to note that only numerical addresses will be collected and that their symbolic representations will not be resolved. This equivalent to using the '-n' option with route(8) or netstat(8). It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a routingtable_object and the optional routingtable_state element specifies the data to check.
+
+
+ routingtable_test
+ routingtable_object
+ routingtable_state
+ routingtable_item
+
+
+
+
+
+ - the object child element of a routingtable_test must reference an routingtable_object
+
+
+ - the state child element of a routingtable_test must reference an routingtable_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The routingtable_object element is used by a routingtable_test to define the destination IP address(es), found in a system's primary routing table, to collect. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ This is the destination IP address of the routing table entry to check.
+
+
+
+
+
+
+
+
+
+
+
+
+ The routingtable_state element defines the different information that can be used to check an entry found in a system's primary routing table. This includes the destination IP address, gateway, netmask, flags, and the name of the interface associated with it. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ The destination IP address prefix of the routing table entry. This is the destination IP address and netmask/prefix-length expressed using CIDR notation.
+
+
+
+
+ The gateway of the specified routing table entry.
+
+
+
+
+ The flags associated with the specified routing table entry.
+
+
+
+
+ The name of the interface associated with the routing table entry.
+
+
+
+
+
+
+
+
+
+
+
+
+ The runlevel test is used to check information about which runlevel specified services are scheduled to exist at. For more information see the output generated by a chkconfig --list. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a runlevel_object and the optional state element specifies the data to check.
+
+
+ runlevel_test
+ runlevel_object
+ runlevel_state
+ runlevel_item
+
+
+
+
+
+ - the object child element of a runlevel_test must reference a runlevel_object
+
+
+ - the state child element of a runlevel_test must reference a runlevel_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The runlevel_object element is used by a runlevel_test to define the specific service(s)/runlevel combination to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The service_name entity refers to the name associated with a service. This name is usually the filename of the script file located in the /etc/init.d directory.
+
+
+
+
+ The system runlevel to examine. A runlevel is defined as a software configuration of the system that allows only a selected group of processes to exist.
+
+
+
+
+
+
+
+
+
+
+
+
+ The runlevel_state element holds information about whether a specific service is scheduled to start or stop at a given runlevel. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ The service_name entity refers the name associated with a service. This name is usually the filename of the script file located in the /etc/init.d directory.
+
+
+
+
+ The runlevel entity refers to the system runlevel associated with a service. A runlevel is defined as a software configuration of the system that allows only a selected group of processes to exist.
+
+
+
+
+ The start entity determines if the process is scheduled to be spawned at the specified runlevel.
+
+
+
+
+ The kill entity determines if the process is supposed to be killed at the specified runlevel.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ sccs_test
+ sccs_object
+ sccs_state
+ sccs_item
+
+
+
+
+ 5.10
+ The sccs_test has been deprecated because the Source Code Control System (SCCS) is obsolete. The sccs_test may be removed in a future version of the language.
+
+
+
+ DEPRECATED TEST: ID:
+
+
+
+
+
+
+ - the object child element of a sccs_test must reference a sccs_object
+
+
+ - the state child element of a sccs_test must reference a sccs_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The set of files to be evaluated may be identified with either a complete filepath or a path and filename. Only one of these options may be selected.
+ It is important to note that the 'max_depth' and 'recurse_direction' attributes of the 'behaviors' element do not apply to the 'filepath' element, only to the 'path' and 'filename' elements. This is because the 'filepath' element represents an absolute path to a particular file and it is not possible to recurse over a file.
+
+
+ 5.10
+ The sccs_object has been deprecated because the Source Code Control System (SCCS) is obsolete. The sccs_object may be removed in a future version of the language.
+
+
+
+ DEPRECATED OBJECT: ID:
+
+
+
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The filepath element specifies the absolute path for a file on the machine. A directory cannot be specified as a filepath.
+
+
+
+ - the max_depth, recurse, and recurse_direction behaviors are not allowed with a filepath entity
+
+
+
+
+ - the recurse_file_system behavior MUST not be set to 'defined' when a pattern match is used with a filepath entity.
+
+
+
+
+
+
+
+
+ The path element specifies the directory component of the absolute path to an SCCS file.
+
+
+
+ - the recurse_file_system behavior MUST not be set to 'defined' when a pattern match is used with a path entity.
+ - the max_depth behavior MUST not be used when a pattern match is used with a path entity.
+ - the recurse_direction behavior MUST not be used when a pattern match is used with a path entity.
+ - the recurse behavior MUST not be used when a pattern match is used with a path entity.
+
+
+
+
+
+
+
+ The name of an SCCS file.
+
+
+
+ - filename entity cannot be empty unless the xsi:nil attribute is set to true or a var_ref is used
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 5.10
+ The sccs_state has been deprecated because the Source Code Control System (SCCS) is obsolete. The sccs_state may be removed in a future version of the language.
+
+
+
+ DEPRECATED STATE: ID:
+
+
+
+
+
+
+
+
+
+
+ The filepath element specifies the absolute path for a file on the machine. A directory cannot be specified as a filepath.
+
+
+
+
+ The path element specifies the directory component of the absolute path to an SCCS file.
+
+
+
+
+ This is the name of a SCCS file.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The shadow test is used to check information from the /etc/shadow file for a specific user. This file contains a user's password, but also their password aging and lockout information. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references an shadow_object and the optional state element specifies the information to check.
+
+
+ shadow_test
+ shadow_object
+ shadow_state
+ shadow_item
+
+
+
+
+
+ - the object child element of a shadow_test must reference a shadow_object
+
+
+ - the state child element of a shadow_test must reference a shadow_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The shadow_object element is used by a shadow test to define the shadow file to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+ A shdow object consists of a single user entity that identifies the username associted with the shadow file.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The shadows_state element defines the different information associated with the system shadow file. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ This is the name of the user being checked.
+
+
+
+
+ This is the encrypted version of the user's password.
+
+
+
+
+ This is the date of the last password change in days since 1/1/1970.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ This specifies how often in days a user may change their password. It can also be thought of as the minimum age of a password.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ This describes how long the user can keep a password before the system forces them to change it.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ This describes how long before password expiration the system begins warning the user. The system will warn the user at each login.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The exp_inact entity describes how many days of account inactivity the system will wait after a password expires before locking the account. Unix systems are generally configured to only allow a given password to last for a fixed period of time. When this time, the chg_req parameter, is near running out, the system begins warning the user at each login. How soon before the expiration the user receives these warnings is specified in exp_warn. The only hiccup in this design is that a user may not login in time to ever receive a warning before account expiration. The exp_inact parameter gives the sysadmin flexibility so that a user who reaches the end of their expiration time gains exp_inact more days to login and change their password manually.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ This specifies when will the account's password expire, in days since 1/1/1970.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ This is a numeric reserved field that the shadow file may use in the future.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The encrypt_method entity describes method that is used for hashing passwords.
+
+
+
+
+
+
+
+
+
+
+
+
+ The symlink_test is used to obtain canonical path information for symbolic links.
+
+
+ symlink_test
+ symlink_object
+ symlink_state
+ symlink_item
+
+
+
+
+
+ - the object child element of a symlink_test must reference a symlink_object
+
+
+ - the state child element of a symlink_test must reference a symlink_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The symlink_object element is used by a symlink_test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+ A symlink_object consists of a filepath entity that contains the path to a symbolic link file. The resulting item identifies the canonical path of the link target (followed to its final destination, if there are intermediate links), an error if the link target does not exist or is a circular link (e.g., a link to itself). If the file located at filepath is not a symlink, or if there is no file located at the filepath, then any resulting item would itself have a status of does not exist.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Specifies the filepath for the symbolic link.
+
+
+
+
+
+
+
+
+
+
+
+
+ The symlink_state element defines a value used to evaluate the result of a specific symlink_object item.
+
+
+
+
+
+
+
+ Specifies the filepath used to create the object.
+
+
+
+
+ Specifies the canonical path for the target of a symbolic link file specified by the filepath.
+
+
+
+
+
+
+
+
+
+
+
+
+ The sysctl_test is used to check the values associated with the kernel parameters that are used by the local system. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a sysctl_object and the optional state element references a sysctl_state that specifies the information to check.
+
+
+ sysctl_test
+ sysctl_object
+ sysctl_state
+ sysctl_item
+
+
+
+
+
+ - the object child element of a sysctl_test must reference a sysctl_object
+
+
+ - the state child element of a sysctl_test must reference a sysctl_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The sysctl_object is used by a sysctl_test to define which kernel parameters on the local system should be collected. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The name element specifies the name(s) of the kernel parameter(s) that should be collected from the local system.
+
+
+
+
+
+
+
+
+
+
+
+
+ The sysctl_state contains two entities that are used to check the kernel parameter name and value(s).
+
+
+
+
+
+
+
+ The name element contains a string that represents the name of a kernel parameter that was collected from the local system.
+
+
+
+
+ The value element contains a string that represents the value(s) associated with the specified kernel parameter.
+
+
+
+
+
+
+
+
+
+
+
+
+ The uname test reveals information about the hardware the machine is running on. This information is the parsed equivalent of uname -a. For example: "Linux quark 2.6.5-7.108-default #1 Wed Aug 25 13:34:40 UTC 2004 i686 i686 i386 GNU/Linux" or "Darwin TestHost 7.7.0 Darwin Kernel Version 7.7.0: Sun Nov 7 16:06:51 PST 2004; root:xnu/xnu-517.9.5.obj~1/RELEASE_PPC Power Macintosh powerpc". It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a uname_object and the optional state element specifies the metadata to check.
+
+
+ uname_test
+ uname_object
+ uname_state
+ uname_item
+
+
+
+
+
+ - the object child element of a uname_test must reference a uname_object
+
+
+ - the state child element of a uname_test must reference a uname_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The uname_object element is used by an uname test to define those objects to evaluated based on a specified state. There is actually only one object relating to uname and this is the system as a whole. Therefore, there are no child entities defined. Any OVAL Test written to check uname will reference the same uname_object which is basically an empty object element.
+
+
+
+
+
+
+
+
+
+ The uname_state element defines the information about the hardware the machine is running one. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ This entity specifies a machine hardware name. This corresponds to the command uname -m.
+
+
+
+
+ This entity specifies a host name. This corresponds to the command uname -n.
+
+
+
+
+ This entity specifies an operating system name. This corresponds to the command uname -s.
+
+
+
+
+ This entity specifies a build version. This corresponds to the command uname -r.
+
+
+
+
+ This entity specifies an operating system version. This corresponds to the command uname -v.
+
+
+
+
+ This entity specifies a processor type. This corresponds to the command uname -p.
+
+
+
+
+
+
+
+
+
+
+
+
+ The xinetd test is used to check information associated with different Internet services. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references an inetd_object and the optional state element specifies the information to check.
+
+
+ xinetd_test
+ xinetd_object
+ xinetd_state
+ xinetd_item
+
+
+
+
+
+ - the object child element of a xinetd_test must reference a xinetd_object
+
+
+ - the state child element of a xinetd_test must reference a xinetd_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The xinetd_object element is used by an xinetd test to define the specific protocol-service to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+ An xinetd object consists of a protocol entity and a service_name entity that identifies the specific service to be tested.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The protocol entity specifies the protocol that is used by the service. The list of valid protocols can be found in /etc/protocols.
+
+
+
+
+ The service_name entity specifies the name of the service.
+
+
+
+
+
+
+
+
+
+
+
+
+ The xinetd_state element defines the different information associated with a specific Internet service. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ The protocol entity specifies the protocol that is used by the service. The list of valid protocols can be found in /etc/protocols.
+
+
+
+
+ The service_name entity specifies the name of the service.
+
+
+
+
+ The flags entity specifies miscellaneous settings associated with the service.
+
+
+
+
+ The no_access entity specifies the remote hosts to which the service is unavailable. Please see the xinetd.conf(5) man page for information on the different formats that can be used to describe a host.
+
+
+
+
+ The only_from entity specifies the remote hosts to which the service is available. Please see the xinetd.conf(5) man page for information on the different formats that can be used to describe a host.
+
+
+
+
+ The port entity specifies the port used by the service.
+
+
+
+
+ The server entity specifies the executable that is used to launch the service.
+
+
+
+
+ The server_arguments entity specifies the arguments that are passed to the executable when launching the service.
+
+
+
+
+ The socket_type entity specifies the type of socket that is used by the service. Possible values include: stream, dgram, raw, or seqpacket.
+
+
+
+
+ The type entity specifies the type of the service. A service may have multiple types.
+
+
+
+
+ The user entity specifies the user identifier of the process that is running the service. The user identifier may be expressed as a numerical value or as a user name that exists in /etc/passwd.
+
+
+
+
+ The wait entity specifies whether or not the service is single-threaded or multi-threaded and whether or not xinetd accepts the connection or the service accepts the connection. A value of 'true' indicates that the service is single-threaded and the service will accept the connection. A value of 'false' indicates that the service is multi-threaded and xinetd will accept the connection.
+
+
+
+
+ The disabled entity specifies whether or not the service is disabled. A value of 'true' indicates that the service is disabled and will not start. A value of 'false' indicates that the service is not disabled.
+
+
+
+
+
+
+
+
+
+
+
+
+ The EntityStateCapabilityType complex type restricts a string value to a specific set of values that describe POSIX capability types associated with a process service. This list is based off the values defined in linux/include/linux/capability.h. Documentation on each allowed value can be found in capability.h. The empty string is also allowed to support empty elements associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityStateEndpointType complex type restricts a string value to a specific set of values that describe endpoint types associated with an Internet service. The empty string is also allowed to support empty elements associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+
+
+
+
+ The stream value is used to describe a stream socket.
+
+
+
+
+ The dgram value is used to describe a datagram socket.
+
+
+
+
+ The raw value is used to describe a raw socket.
+
+
+
+
+ The seqpacket value is used to describe a sequenced packet socket.
+
+
+
+
+ The tli value is used to describe all TLI endpoints.
+
+
+
+
+ The sunrpc_tcp value is used to describe all SUNRPC TCP endpoints.
+
+
+
+
+ The sunrpc_udp value is used to describe all SUNRPC UDP endpoints.
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityStateGconfTypeType complex type restricts a string value to the seven values GCONF_VALUE_STRING, GCONF_VALUE_INT, GCONF_VALUE_FLOAT, GCONF_VALUE_BOOL, GCONF_VALUE_SCHEMA, GCONF_VALUE_LIST, and GCONF_VALUE_PAIR that specify the datatype of the value associated with a GConf preference key. The empty string is also allowed to support empty elements associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+
+
+
+
+ The GCONF_VALUE_STRING type is used to describe a preference key that has a string value.
+
+
+
+
+ The GCONF_VALUE_INT type is used to describe a preference key that has a integer value.
+
+
+
+
+ The GCONF_VALUE_FLOAT type is used to describe a preference key that has a float value.
+
+
+
+
+ The GCONF_VALUE_BOOL type is used to describe a preference key that has a boolean value.
+
+
+
+
+ The GCONF_VALUE_SCHEMA type is used to describe a preference key that has a schema value. The actual value will be the default value as specified in the GConf schema.
+
+
+
+
+ The GCONF_VALUE_LIST type is used to describe a preference key that has a list of values. The actual values will be one of the primitive GConf datatypes GCONF_VALUE_STRING, GCONF_VALUE_INT, GCONF_VALUE_FLOAT, GCONF_VALUE_BOOL, and GCONF_VALUE_SCHEMA. Note that all of the values associated with a GCONF_VALUE_LIST are required to have the same type.
+
+
+
+
+ The GCONF_VALUE_PAIR type is used to describe a preference key that has a pair of values. The actual values will consist of the primitive GConf datatypes GCONF_VALUE_STRING, GCONF_VALUE_INT, GCONF_VALUE_FLOAT, GCONF_VALUE_BOOL, and GCONF_VALUE_SCHEMA. Note that the values associated with a GCONF_VALUE_PAIR are not required to have the same type.
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityStateRoutingTableFlagsType complex type restricts a string value to a specific set of values that describe the flags associated with a routing table entry. This list is based off the values defined in the man pages of various platforms. For Linux, please see route(8). For Solaris, please see netstat(1M). For HP-UX, please see netstat(1). For Mac OS, please see netstat(1). For FreeBSD, please see netstat(1). Documentation on each allowed value can be found in the previously listed man pages. The empty string is also allowed to support empty elements associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+ The following table is a mapping between the generic flag enumeration values and the actual flag values found on the various platforms. If the flag value is not specified, for a particular generic flag enumeration value, the flag value is not defined for that platform.
+
+Name Linux Solaris HPUX Mac OS FreeBSD AIX
+UP U U U U U U
+GATEWAY G G G G G G
+HOST H H H H H H
+REINSTATE R
+DYNAMIC D D D D D
+MODIFIED M M M M
+ADDRCONF A A
+CACHE C e
+REJECT ! R R R
+REDUNDANT M (>=9)
+SETSRC S
+BROADCAST B b b b
+LOCAL L l
+PROTOCOL_1 1 1 1
+PROTOCOL_2 2 2 2
+PROTOCOL_3 3 3 3
+BLACK_HOLE B B
+CLONING C C c
+PROTOCOL_CLONING c c
+INTERFACE_SCOPE I
+LINK_LAYER L L L
+MULTICAST m m
+STATIC S S S
+WAS_CLONED W W W
+XRESOLVE X X
+USABLE u
+PINNED P
+ACTIVE_DEAD_GATEWAY_DETECTION A (>=5.1)
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityStateXinetdTypeStatusType complex type restricts a string value to five values, either RPC, INTERNAL, UNLISTED, TCPMUX, or TCPMUXPLUS that specify the type of service registered in xinetd. The empty string is also allowed to support empty elements associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+
+
+
+
+ The INTERNAL type is used to describe services like echo, chargen, and others whose functionality is supplied by xinetd itself.
+
+
+
+
+ The RPC type is used to describe services that use remote procedure call ala NFS.
+
+
+
+
+ The UNLISTED type is used to describe services that aren't listed in /etc/protocols or /etc/rpc.
+
+
+
+
+ The TCPMUX type is used to describe services that conform to RFC 1078. This type indiciates that the service is responsible for handling the protocol handshake.
+
+
+
+
+ The TCPMUXPLUS type is used to describe services that conform to RFC 1078. This type indicates that xinetd is responsible for handling the protocol handshake.
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityStateWaitStatusType complex type restricts a string value to two values, either wait or nowait, that specify whether the server that is invoked by inetd will take over the listening socket associated with the service, and whether once launched, inetd will wait for that server to exit, if ever, before it resumes listening for new service requests. The empty string is also allowed to support empty elements associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+
+
+
+
+ The value of 'wait' specifies that the server that is invoked by inetd will take over the listening socket associated with the service, and once launched, inetd will wait for that server to exit, if ever, before it resumes listening for new service requests.
+
+
+
+
+ The value of 'nowait' specifies that the server that is invoked by inetd will not wait for any existing server to finish before taking over the listening socket associated with the service.
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityStateEncryptMethodType complex type restricts a string value to a set that corresponds to the allowed encrypt methods used for protected passwords in a shadow file. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+
+
+
+
+ The DES method corresponds to the (none) prefix.
+
+
+
+
+ The BSDi method corresponds to BSDi modified DES or the '_' prefix.
+
+
+
+
+ The MD5 method corresponds to MD5 for Linux/BSD or the $1$ prefix.
+
+
+
+
+ The Blowfish method corresponds to Blowfish (OpenBSD) or the $2$ or $2a$ prefixes.
+
+
+
+
+ The Sun MD5 method corresponds to the $md5$ prefix.
+
+
+
+
+ The SHA-256 method corresponds to the $5$ prefix.
+
+
+
+
+ The SHA-512 method corresponds to the $6$ prefix.
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityStateInterfaceType complex type restricts a string value to a specific set of values. These values describe the different interface types which are defined in 'if_arp.h'. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+
+
+
+
+ The ARPHRD_ETHER type is used to describe ethernet interfaces.
+
+
+
+
+ The ARPHRD_FDDI type is used to describe fiber distributed data interfaces (FDDI).
+
+
+
+
+ The ARPHRD_LOOPBACK type is used to describe loopback interfaces.
+
+
+
+
+ The ARPHRD_VOID type is used to describe unknown interfaces.
+
+
+
+
+ The ARPHRD_PPP type is used to describe point-to-point protocol interfaces (PPP).
+
+
+
+
+ The ARPHRD_SLIP type is used to describe serial line internet protocol interfaces (SLIP).
+
+
+
+
+ The ARPHRD_PRONET type is used to describe PROnet token ring interfaces.
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
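Review bot: the xinetd_test documentation in this hunk says "The required object element references an inetd_object", but the Schematron rule a few lines below requires that "the object child element of a xinetd_test must reference a xinetd_object"; the prose was copied from the inetd_test and should read "references a xinetd_object" so that the description and the constraint agree. In the same hunk, the UNLISTED value of EntityStateXinetdTypeStatusType is described as services "that aren't listed in /etc/protocols or /etc/rpc"; /etc/protocols is the protocol list already cited for the protocol entity, whereas the UNLISTED type in xinetd.conf(5) refers to services missing from /etc/services (non-RPC) or /etc/rpc (RPC), so the file name should be /etc/services. Minor wording fixes worth making while here: "to define those objects to evaluated" should be "to be evaluated" (uname_object), "the hardware the machine is running one" should be "running on" (uname_state), and "indiciates" should be "indicates" (TCPMUX value).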
diff --git a/oval-schemas/unix-system-characteristics-schema.xsd b/oval-schemas/unix-system-characteristics-schema.xsd
new file mode 100644
index 0000000..200225e
--- /dev/null
+++ b/oval-schemas/unix-system-characteristics-schema.xsd
@@ -0,0 +1,1868 @@
+
+
+
+
+
+ The following is a description of the elements, types, and attributes that compose the UNIX specific system characteristic items found in Open Vulnerability and Assessment Language (OVAL). Each item is an extension of the standard item element defined in the Core System Characteristic Schema. Through extension, each item inherits a set of elements and attributes that are shared amongst all OVAL Items. Each item is described in detail and should provide the information necessary to understand what each element and attribute represents. This document is intended for developers and assumes some familiarity with XML. A high level description of the interaction between the different tests and their relationship to the Core System Characteristic Schema is not outlined here.
+ The OVAL Schema is maintained by the OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.cisecurity.org.
+
+ Unix System Characteristics
+ 5.11.1:1.2
+ 11/30/2016 09:00:00 AM
+ Copyright (c) 2016, Center for Internet Security. All rights reserved. The contents of this file are subject to the terms of the OVAL License located at https://oval.cisecurity.org/terms. See the OVAL License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the OVAL Schema, this license header must be included.
+
+
+
+
+
+
+
+
+
+
+ The dnscache_item stores information retrieved from the DNS cache about a domain name, its time to live, and its corresponding IP addresses.
+
+
+
+
+
+
+
+ The domain_name element contains a string that represents a domain name that was collected from the DNS cache on the local system.
+
+
+
+
+ The ttl element contains an integer that represents the time to live in seconds of the DNS cache entry.
+
+
+
+
+ The ip_address element contains a string that represents an IP address associated with the specified domain name. Note that the IP address can be IPv4 or IPv6.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The file item holds information about the individual files found on a system. Each file item contains path and filename information as well as its type, associated user and group ids, relevant dates, and the privialeges granted. It extends the standard ItemType as defined in the oval-system-characteristics schema and one should refer to the ItemType description for more information.
+
+
+
+
+
+
+
+ The filepath element specifies the absolute path for a file on the machine. A directory cannot be specified as a filepath.
+
+
+
+
+ The path element specifies the directory component of the absolute path to a file on the machine.
+
+
+
+
+ The name of the file. If the xsi:nil attribute is set to true, then the item being represented is the higher directory represented by the path entity.
+
+
+
+
+ This is the file's type: regular file (regular), directory, named pipe (fifo), symbolic link, socket or block special.
+
+
+
+
+ This is the group owner of the file, by group number.
+
+
+
+ - the value of group_id must be greater than zero
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The numeric user id, or uid, is the third column of each user's entry in /etc/passwd. This element represents the owner of the file.
+
+
+
+ - the value of user_id must be greater than zero
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ This is the time that the file was last accessed, in seconds since the Unix epoch. The Unix epoch is the time 00:00:00 UTC on January 1, 1970.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ This is the time of the last change to the file's inode, in seconds since the Unix epoch. The Unix epoch is the time 00:00:00 UTC on January 1, 1970. An inode is a Unix data structure that stores all of the information about a particular file.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ This is the time of the last change to the file's contents, in seconds since the Unix epoch. The Unix epoch is the time 00:00:00 UTC on January 1, 1970.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ This is the size of the file in bytes.
+
+
+
+
+ Does the program run with the uid (thus privileges) of the file's owner, rather than the calling user?
+
+
+
+
+ Does the program run with the gid (thus privileges) of the file's group owner, rather than the calling user's group?
+
+
+
+
+ Can users delete each other's files in this directory, when said directory is writable by those users?
+
+
+
+
+ Can the owner (user owner) of the file read this file or, if a directory, read the directory contents?
+
+
+
+
+ Can the owner (user owner) of the file write to this file or, if a directory, write to the directory?
+
+
+
+
+ Can the owner (user owner) of the file execute it or, if a directory, change into the directory?
+
+
+
+
+ Can the group owner of the file read this file or, if a directory, read the directory contents?
+
+
+
+
+ Can the group owner of the file write to this file, or if a directory, write to the directory?
+
+
+
+
+ Can the group owner of the file execute it or, if a directory, change into the directory?
+
+
+
+
+ Can all other users read this file or, if a directory, read the directory contents?
+
+
+
+
+ Can the other users write to this file, or if a directory, write to the directory?
+
+
+
+
+ Can the other users execute this file or, if a directory, change into the directory?
+
+
+
+
+ Does the file or directory have ACL permissions applied to it? If a system supports ACLs and the file or directory doesn't have an ACL, or it matches the standard UNIX permissions, the entity will have a status of 'exists' and a value of 'false'. If the system supports ACLs and the file or directory has an ACL, the entity will have a status of 'exists' and a value of 'true'. Lastly, if a system doesn't support ACLs, the entity will have a status of 'does not exist'.
+
+
+
+
+
+
+
+
+
+
+
+
+ The file extended attribute item holds information about the individual file extended attributes found on a system. Each file extended attribute item contains path, filename, and attribute name information as well as the attribute's value. It extends the standard ItemType as defined in the oval-system-characteristics schema and one should refer to the ItemType description for more information.
+
+
+
+
+
+
+
+ The filepath element specifies the absolute path for a file on the machine. A directory cannot be specified as a filepath.
+
+
+
+
+ The path element specifies the directory component of the absolute path to a file on the machine.
+
+
+
+
+ The name of the file. If the xsi:nil attribute is set to true, then the item being represented is the higher directory represented by the path entity.
+
+
+
+
+ This is the extended attribute's name, identifier or key.
+
+
+
+
+ This is the extended attribute's value or contents.
+
+
+
+
+
+
+
+
+
+
+
+
+ The gconf_item holds information about an individual GConf preference key found on a system. Each gconf_item contains a preference key, source, type, whether it's writable, the user who last modified it, the time it was last modified, whether it's the default value, as well as the preference key's value. It extends the standard ItemType as defined in the oval-system-characteristics schema and one should refer to the ItemType description for more information.
+
+
+
+
+
+
+
+ The preference key to check.
+
+
+
+
+ The source used to look up the preference key.
+
+
+
+
+ The type of the preference key.
+
+
+
+
+ Is the preference key writable? If true, the preference key is writable. If false, the preference key is not writable.
+
+
+
+
+ The user who last modified the preference key.
+
+
+
+
+ The time the preference key was last modified in seconds since the Unix epoch. The Unix epoch is the time 00:00:00 UTC on January 1, 1970.
+
+
+
+
+ Is the preference key value the default value. If true, the preference key value is the default value. If false, the preference key value is not the default value.
+
+
+
+
+ The value of the preference key.
+
+
+
+
+
+
+
+
+
+
+
+
+ The inetd item holds information associated with different Internet services. It extends the standard ItemType as defined in the oval-system-characteristics schema and one should refer to the ItemType description for more information.
+
+
+
+
+
+
+
+ A recognized protocol listed in the file /etc/inet/protocols.
+
+
+
+
+ The name of a valid service listed in the services file. For RPC services, the value of the service-name field consists of the RPC service name or program number, followed by a '/' (slash) and either a version number or a range of version numbers (for example, rstatd/2-4).
+
+
+
+
+ Either the pathname of a server program to be invoked by inetd to perform the requested service, or the value internal if inetd itself provides the service.
+
+
+
+
+ The arguments for running the service. These are either passed to the server program invoked by inetd, or used to configure a service provided by inetd. In the case of server programs, the arguments shall begin with argv[0], which is typically the name of the program. In the case of a service provided by inted, the first argument shall be the word "internal".
+
+
+
+
+ The endpoint type (aka, socket type) associated with the service.
+
+
+
+
+ The user id of the user the server program should run under. (This allows for running with less permission than root.)
+
+
+
+
+ This field has values wait or nowait. This entry specifies whether the server that is invoked by inetd will take over the listening socket associated with the service, and whether once launched, inetd will wait for that server to exit, if ever, before it resumes listening for new service requests.
+
+
+
+
+
+
+
+
+
+
+
+
+ The interface item holds information about the interfaces on a system. Each interface item contains name and address information as well as any associated flags. It extends the standard ItemType as defined in the oval-system-characteristics schema and one should refer to the ItemType description for more information.
+
+
+
+
+
+
+
+ The name entity is the actual name of the specific interface. Examples might be eth0, eth1, fwo, etc.
+
+
+
+
+ This element specifies the type of interface.
+
+
+
+
+ The hardware_addr entity is the hardware or MAC address of the physical network card. MAC addresses should be formatted according to the IEEE 802-2001 standard which states that a MAC address is a sequence of six octet values, separated by hyphens, where each octet is represented by two hexadecimal digits. Uppercase letters should also be used to represent the hexadecimal digits A through F.
+
+
+
+
+ The inet_addr entity is the IP address of the specific interface. Note that the IP address can be IPv4 or IPv6. If the IP address is an IPv6 address, this entity should be expressed as an IPv6 address prefix using CIDR notation and the netmask entity should not be collected.
+
+
+
+
+ The broadcast_addr entity is the broadcast IP address for this interface's network. Note that the IP address can be IPv4 or IPv6.
+
+
+
+
+ This is the bitmask used to calculate the interface's IP network. The network number is calculated by bitwise-ANDing this with the IP address. The host number on that network is calculated by bitwise-XORing this with the IP address. Note that if the inet_addr entity contains an IPv6 address prefix, this entity should not be collected.
+
+
+
+
+ This is the interface flag line, which generally contains flags like "UP" to denote an active interface, "PROMISC" to note that the interface is listening for Ethernet frames not specifically addressed to it, and others.
+
+
+
+
+
+
+
+
+
+
+
+
+ /etc/passwd. See passwd(4).
+
+
+
+
+
+
+
+ This is the name of the user for which data was gathered.
+
+
+
+
+ This is the encrypted version of the user's password.
+
+
+
+
+ The numeric user id, or uid, is the third column of each user's entry in /etc/passwd.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The id of the primary UNIX group the user belongs to.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The GECOS (or GCOS) field from /etc/passwd; typically contains the user's full name.
+
+
+
+
+ The user's home directory.
+
+
+
+
+ The user's shell program.
+
+
+
+
+ The date and time when the last login occurred. This value is stored as the number of seconds that have elapsed since 00:00:00, January 1, 1970, UTC.
+
+
+
+
+
+
+
+
+
+
+
+
+ Output of /usr/bin/ps. See ps(1).
+
+
+ 5.8
+ The process_item has been deprecated and replaced by the process58_item. The entity 'command' was changed to 'command_line' in the process58_item to accurately describe what information is collected. Please see the process58_item for additional information.
+
+
+
+ DEPRECATED ITEM: ID:
+
+
+
+
+
+
+
+
+
+
+ This specifies the command/program name about which data has has been collected.
+
+
+
+
+ This is the cumulative CPU time, formatted in [DD-]HH:MM:SS where DD is the number of days when execution time is 24 hours or more.
+
+
+
+
+ This is the process ID of the process.
+
+
+
+
+ This is the process ID of the process's parent process.
+
+
+
+
+ This is the scheduling priority with which the process runs. This can be adjusted with the nice command or nice() system call.
+
+
+
+
+ This is the real user id which represents the user who has created the process.
+
+
+
+
+ A platform specific characteristic maintained by the scheduler: RT (real-time), TS (timeshare), FF (fifo), SYS (system), etc.
+
+
+
+
+ This is the time of day the process started formatted in HH:MM:SS if the same day the process started or formatted as MMM_DD (Ex.: Feb_5) if process started the previous day or further in the past.
+
+
+
+
+ This is the TTY on which the process was started, if applicable.
+
+
+
+
+ This is the effective user id which represents the actual privileges of the process.
+
+
+
+
+
+
+
+
+
+
+
+
+ Output of /usr/bin/ps. See ps(1).
+
+
+
+
+
+
+
+ This is the string used to start the process. This includes any parameters that are part of the command line.
+
+
+
+
+ This is the cumulative CPU time, formatted in [DD-]HH:MM:SS where DD is the number of days when execution time is 24 hours or more.
+
+
+
+
+ This is the process ID of the process.
+
+
+
+
+ This is the process ID of the process's parent process.
+
+
+
+
+ This is the scheduling priority with which the process runs. This can be adjusted with the nice command or nice() system call.
+
+
+
+
+ This is the real user id which represents the user who has created the process.
+
+
+
+
+ A platform specific characteristic maintained by the scheduler: RT (real-time), TS (timeshare), FF (fifo), SYS (system), etc.
+
+
+
+
+ This is the time of day the process started formatted in HH:MM:SS if the same day the process started or formatted as MMM_DD (Ex.: Feb_5) if process started the previous day or further in the past.
+
+
+
+
+ This is the TTY on which the process was started, if applicable.
+
+
+
+
+ This is the effective user id which represents the actual privileges of the process.
+
+
+
+
+ A boolean that when true would indicates that ExecShield is enabled for the process.
+
+
+
+
+ The loginuid shows which account a user gained access to the system with. The /proc/XXXX/loginuid shows this value.
+
+
+
+
+ An effective capability associated with the process. See linux/include/linux/capability.h for more information.
+
+
+
+
+ An selinux domain label associated with the process.
+
+
+
+
+ The session ID of the process.
+
+
+
+
+
+
+
+
+
+
+
+
+ The routingtable_item holds information about an individual routing table entry found in a system's primary routing table. Each routingtable_item contains a destination IP address, gateway, netmask, flags, and the name of the interface associated with it. It is important to note that only numerical addresses will be collected and that their symbolic representations will not be resolved. This equivalent to using the '-n' option with route(8) or netstat(8). It extends the standard ItemType as defined in the oval-system-characteristics schema and one should refer to the ItemType description for more information.
+
+
+
+
+
+
+
+ The destination IP address prefix of the routing table entry. This is the destination IP address and netmask/prefix-length expressed using CIDR notation.
+
+
+
+
+ The gateway of the specified routing table entry.
+
+
+
+
+ The flags associated with the specified routing table entry.
+
+
+
+
+ The name of the interface associated with the routing table entry.
+
+
+
+
+
+
+
+
+
+
+
+
+ The runlevel item holds information about the start or kill state of a specified service at a given runlevel. Each runlevel item contains service name and runlevel information as well as start and kill information. It extends the standard ItemType as defined in the oval-system-characteristics schema and one should refer to the ItemType description for more information.
+
+
+
+
+
+
+
+ The service_name entity is the actual name of the specific service.
+
+
+
+
+ The runlevel entity specifies the system runlevel associated with a service.
+
+
+
+
+ The start entity specifies whether the service is scheduled to start at the runlevel.
+
+
+
+
+ The kill entity specifies whether the service is scheduled to be killed at the runlevel.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 5.10
+ The sccs_item has been deprecated because the Source Code Control System (SCCS) is obsolete. The sccs_item may be removed in a future version of the language.
+
+
+
+ DEPRECATED ITEM: ID:
+
+
+
+
+
+
+
+
+
+
+ Specifies the absolute path to an SCCS file. A directory cannot be specified as a filepath.
+
+
+
+
+ The path element specifies the directory component of the absolute path to an SCCS file.
+
+
+
+
+ The name of an SCCS file.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ /etc/shadow. See shadow(4).
+
+
+
+
+
+
+
+ This is the name of the user for which data was gathered.
+
+
+
+
+ This is the encrypted version of the user's password.
+
+
+
+
+ This is the date of the last password change in days since 1/1/1970.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ This specifies how often in days a user may change their password. It can also be thought of as the minimum age of a password.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ This describes how long the user can keep a password before the system forces them to change it.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ This describes how long before password expiration the system begins warning the user. The system will warn the user at each login.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ This describes how many days of account inactivity the system will wait after a password expires before locking the account? This window, usually only set to a few days, gives users who are logging in very seldomly a bit of extra time to receive the password expiration warning and change their password.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ This specifies when will the account's password expire, in days since 1/1/1970.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ This is a numeric reserved field that the shadow file may use in the future.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The encrypt_method entity describes method that is used for hashing passwords.
+
+
+
+
+
+
+
+
+
+
+
+
+ The symlink_item element identifies the result generated for a symlink_object.
+
+
+
+
+
+
+
+ Specifies the filepath to the subject symbolic link file, specified by the symlink_object.
+
+
+
+
+ Specifies the canonical path for the target of the symbolic link file specified by the filepath.
+
+
+
+
+
+
+
+
+
+
+
+
+ The sysctl_item stores information retrieved from the local system about a kernel parameter and its respective value(s).
+
+
+
+
+
+
+
+ The name element contains a string that represents the name of a kernel parameter that was collected from the local system.
+
+
+
+
+ The value element contains a string that represents the current value(s) for the specified kernel parameter on the local system.
+
+
+
+
+
+
+
+
+
+
+
+
+ Information about the hardware the machine is running on. This information is the parsed equivalent of uname -a.
+
+
+
+
+
+
+
+ This entity specifies the machine hardware name. This corresponds to the command uname -m.
+
+
+
+
+ This entity specifies the host name. This corresponds to the command uname -n.
+
+
+
+
+ This entity specifies the operating system name. This corresponds to the command uname -s.
+
+
+
+
+ This entity specifies the build version. This corresponds to the command uname -r.
+
+
+
+
+ This entity specifies the operating system version. This corresponds to the command uname -v.
+
+
+
+
+ This entity specifies the processor type. This corresponds to the command uname -p.
+
+
+
+
+
+
+
+
+
+
+
+
+ The xinetd item holds information associated with different Internet services. It extends the standard ItemType as defined in the oval-system-characteristics schema and one should refer to the ItemType description for more information.
+
+
+
+
+
+
+
+ The protocol entity specifies the protocol that is used by the service. The list of valid protocols can be found in /etc/protocols.
+
+
+
+
+ The service_name entity specifies the name of the service.
+
+
+
+
+ The flags entity specifies miscellaneous settings associated with the service.
+
+
+
+
+ The no_access entity specifies the remote hosts to which the service is unavailable. Please see the xinetd.conf(5) man page for information on the different formats that can be used to describe a host.
+
+
+
+
+ The only_from entity specifies the remote hosts to which the service is available. Please see the xinetd.conf(5) man page for information on the different formats that can be used to describe a host.
+
+
+
+
+ The port entity specifies the port used by the service.
+
+
+
+
+ The server entity specifies the executable that is used to launch the service.
+
+
+
+
+ The server_arguments entity specifies the arguments that are passed to the executable when launching the service.
+
+
+
+
+ The socket_type entity specifies the type of socket that is used by the service. Possible values include: stream, dgram, raw, or seqpacket.
+
+
+
+
+ The type entity specifies the type of the service. A service may have multiple types.
+
+
+
+
+ The user entity specifies the user identifier of the process that is running the service. The user identifier may be expressed as a numerical value or as a user name that exists in /etc/passwd.
+
+
+
+
+ The wait entity specifies whether or not the service is single-threaded or multi-threaded and whether or not xinetd accepts the connection or the service accepts the connection. A value of 'true' indicates that the service is single-threaded and the service will accept the connection. A value of 'false' indicates that the service is multi-threaded and xinetd will accept the connection.
+
+
+
+
+ The disabled entity specifies whether or not the service is disabled. A value of 'true' indicates that the service is disabled and will not start. A value of 'false' indicates that the service is not disabled.
+
+
+
+
+
+
+
+
+
+
+
+
+ The EntityItemCapabilityType complex type restricts a string value to a specific set of values that describe POSIX capability types associated with a process service. This list is based off the values defined in linux/include/linux/capability.h. Documentation on each allowed value can be found in capability.h. The empty string is also allowed to support empty elements associated with error conditions.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityItemEndpointType complex type restricts a string value to a specific set of values that describe endpoint types associated with an Internet service. The empty string is also allowed to support empty elements associated with error conditions.
+
+
+
+
+
+ The stream value is used to describe a stream socket.
+
+
+
+
+ The dgram value is used to describe a datagram socket.
+
+
+
+
+ The raw value is used to describe a raw socket.
+
+
+
+
+ The seqpacket value is used to describe a sequenced packet socket.
+
+
+
+
+ The tli value is used to describe all TLI endpoints.
+
+
+
+
+ The sunrpc_tcp value is used to describe all SUNRPC TCP endpoints.
+
+
+
+
+ The sunrpc_udp value is used to describe all SUNRPC UDP endpoints.
+
+
+
+
+ The empty string value is permitted here to allow for detailed error reporting.
+
+
+
+
+
+
+
+ The EntityItemGconfTypeType complex type restricts a string value to the seven values GCONF_VALUE_STRING, GCONF_VALUE_INT, GCONF_VALUE_FLOAT, GCONF_VALUE_BOOL, GCONF_VALUE_SCHEMA, GCONF_VALUE_LIST, and GCONF_VALUE_PAIR that specify the type of the value associated with a GConf preference key. The empty string is also allowed to support empty elements associated with error conditions.
+
+
+
+
+
+ The GCONF_VALUE_STRING type is used to describe a preference key that has a string value.
+
+
+
+
+ The GCONF_VALUE_INT type is used to describe a preference key that has a integer value.
+
+
+
+
+ The GCONF_VALUE_FLOAT type is used to describe a preference key that has a float value.
+
+
+
+
+ The GCONF_VALUE_BOOL type is used to describe a preference key that has a boolean value.
+
+
+
+
+ The GCONF_VALUE_SCHEMA type is used to describe a preference key that has a schema value. The actual value will be the default value as specified in the GConf schema.
+
+
+
+
+ The GCONF_VALUE_LIST type is used to describe a preference key that has a list of values. The actual values will be one of the primitive GConf datatypes GCONF_VALUE_STRING, GCONF_VALUE_INT, GCONF_VALUE_FLOAT, GCONF_VALUE_BOOL, and GCONF_VALUE_SCHEMA. Note that all of the values associated with a GCONF_VALUE_LIST are required to have the same type.
+
+
+
+
+ The GCONF_VALUE_PAIR type is used to describe a preference key that has a pair of values. The actual values will consist of the primitive GConf datatypes GCONF_VALUE_STRING, GCONF_VALUE_INT, GCONF_VALUE_FLOAT, GCONF_VALUE_BOOL, and GCONF_VALUE_SCHEMA. Note that the values associated with a GCONF_VALUE_PAIR are not required to have the same type.
+
+
+
+
+ The empty string value is permitted here to allow for detailed error reporting.
+
+
+
+
+
+
+
+ The EntityItemRoutingTableFlagsType complex type restricts a string value to a specific set of values that describe the flags associated with a routing table entry. This list is based off the values defined in the man pages of various platforms. For Linux, please see route(8). For Solaris, please see netstat(1M). For HP-UX, please see netstat(1). For Mac OS, please see netstat(1). For FreeBSD, please see netstat(1). Documentation on each allowed value can be found in the previously listed man pages. The empty string is also allowed to support empty elements associated with error conditions.
+
+ The following table is a mapping between the generic flag enumeration values and the actual flag values found on the various platforms. If the flag value is not specified, for a particular generic flag enumeration value, the flag value is not defined for that platform.
+
+Name Linux Solaris HPUX Mac OS FreeBSD AIX
+UP U U U U U U
+GATEWAY G G G G G G
+HOST H H H H H H
+REINSTATE R
+DYNAMIC D D D D D
+MODIFIED M M M M
+ADDRCONF A A
+CACHE C e
+REJECT ! R R R
+REDUNDANT M (>=9)
+SETSRC S
+BROADCAST B b b b
+LOCAL L l
+PROTOCOL_1 1 1 1
+PROTOCOL_2 2 2 2
+PROTOCOL_3 3 3 3
+BLACK_HOLE B B
+CLONING C C c
+PROTOCOL_CLONING c c
+INTERFACE_SCOPE I
+LINK_LAYER L L L
+MULTICAST m m
+STATIC S S S
+WAS_CLONED W W W
+XRESOLVE X X
+USABLE u
+PINNED P
+ACTIVE_DEAD_GATEWAY_DETECTION A (>=5.1)
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The empty string value is permitted here to allow for detailed error reporting.
+
+
+
+
+
+
+
+ The EntityItemXinetdTypeStatusType complex type restricts a string value to five values, either RPC, INTERNAL, UNLISTED, TCPMUX, or TCPMUXPLUS that specify the type of service registered in xinetd. The empty string is also allowed to support empty elements associated with error conditions.
+
+
+
+
+
+ The INTERNAL type is used to describe services like echo, chargen, and others whose functionality is supplied by xinetd itself.
+
+
+
+
+ The RPC type is used to describe services that use remote procedure call ala NFS.
+
+
+
+
+ The UNLISTED type is used to describe services that aren't listed in /etc/protocols or /etc/rpc.
+
+
+
+
+ The TCPMUX type is used to describe services that conform to RFC 1078. This type indiciates that the service is responsible for handling the protocol handshake.
+
+
+
+
+ The TCPMUXPLUS type is used to describe services that conform to RFC 1078. This type indicates that xinetd is responsible for handling the protocol handshake.
+
+
+
+
+ The empty string value is permitted here to allow for detailed error reporting.
+
+
+
+
+
+
+
+ The EntityItemWaitStatusType complex type restricts a string value to two values, either wait or nowait, that specify whether the server that is invoked by inetd will take over the listening socket associated with the service, and whether once launched, inetd will wait for that server to exit, if ever, before it resumes listening for new service requests. The empty string is also allowed to support empty elements associated with error conditions.
+
+
+
+
+
+ The value of 'wait' specifies that the server that is invoked by inetd will take over the listening socket associated with the service, and once launched, inetd will wait for that server to exit, if ever, before it resumes listening for new service requests.
+
+
+
+
+ The value of 'nowait' specifies that the server that is invoked by inetd will not wait for any existing server to finish before taking over the listening socket associated with the service.
+
+
+
+
+ The empty string value is permitted here to allow for detailed error reporting.
+
+
+
+
+
+
+
+ The EntityItemEncryptMethodType complex type restricts a string value to a set that corresponds to the allowed encrypt methods used for protected passwords in a shadow file. The empty string is also allowed to support empty elements associated with error conditions.
+
+
+
+
+
+ The DES method corresponds to the (none) prefix.
+
+
+
+
+ The BSDi method corresponds to BSDi modified DES or the '_' prefix.
+
+
+
+
+ The MD5 method corresponds to MD5 for Linux/BSD or the $1$ prefix.
+
+
+
+
+ The Blowfish method corresponds to Blowfish (OpenBSD) or the $2$ or $2a$ prefixes.
+
+
+
+
+ The Sun MD5 method corresponds to the $md5$ prefix.
+
+
+
+
+ The SHA-256 method corresponds to the $5$ prefix.
+
+
+
+
+ The SHA-512 method corresponds to the $6$ prefix.
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityItemInterfaceType complex type restricts a string value to a specific set of values. These values describe the different interface types which are defined in 'if_arp.h'. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+
+
+
+
+ The ARPHRD_ETHER type is used to describe ethernet interfaces.
+
+
+
+
+ The ARPHRD_FDDI type is used to describe fiber distributed data interfaces (FDDI).
+
+
+
+
+ The ARPHRD_LOOPBACK type is used to describe loopback interfaces.
+
+
+
+
+ The ARPHRD_VOID type is used to describe unknown interfaces.
+
+
+
+
+ The ARPHRD_PPP type is used to describe point-to-point protocol interfaces (PPP).
+
+
+
+
+ The ARPHRD_SLIP type is used to describe serial line internet protocol interfaces (SLIP).
+
+
+
+
+ The ARPHRD_PRONET type is used to describe PROnet token ring interfaces.
+
+
+
+
+ The empty string value is permitted here to allow for detailed error reporting.
+
+
+
+
+
+
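Review bot: the routing-table flag mapping table in this hunk (from "Name Linux Solaris HPUX Mac OS FreeBSD AIX" through "ACTIVE_DEAD_GATEWAY_DETECTION A (>=5.1)") has lost its column alignment, so rows such as "REINSTATE R", "CACHE C e" and "REJECT ! R R R" can no longer be read against a platform; lay the table out with a fixed column per platform (or a delimiter) so readers can tell which platform each flag letter belongs to. The shadow_item documentation is also internally inconsistent: the password entity says "This is the encrypted version of the user's password." while encrypt_method says it "describes method that is used for hashing passwords"; use "hashed" in both places and add "the" before "method". Smaller wording fixes in the same hunk: "This equivalent to using the '-n' option" is missing "is"; "A boolean that when true would indicates that ExecShield is enabled" should read "indicates"; the inactivity description "This describes how many days of account inactivity the system will wait after a password expires before locking the account?" is a statement and should end with a period; and "This type indiciates that the service is responsible for handling the protocol handshake." has a typo in "indicates".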
diff --git a/oval-schemas/windows-definitions-schema.xsd b/oval-schemas/windows-definitions-schema.xsd
new file mode 100644
index 0000000..9b38ecb
--- /dev/null
+++ b/oval-schemas/windows-definitions-schema.xsd
@@ -0,0 +1,11985 @@
+
+
+
+
+
+ The following is a description of the elements, types, and attributes that compose the Windows specific tests found in Open Vulnerability and Assessment Language (OVAL). Each test is an extension of the standard test element defined in the Core Definition Schema. Through extension, each test inherits a set of elements and attributes that are shared amongst all OVAL tests. Each test is described in detail and should provide the information necessary to understand what each element and attribute represents. This document is intended for developers and assumes some familiarity with XML. A high level description of the interaction between the different tests and their relationship to the Core Definition Schema is not outlined here.
+ The OVAL Schema is maintained by the OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.cisecurity.org.
+
+ Windows Definition
+ 5.11.1:1.4
+ 01/09/2017 10:00:00 PM
+ Copyright (c) 2017, Center for Internet Security. All rights reserved. The contents of this file are subject to the terms of the OVAL License located at https://oval.cisecurity.org/terms. See the OVAL License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the OVAL Schema, this license header must be included.
+
+
+
+
+
+
+
+
+
+
+ The accesstoken_test is used to check the properties of a Windows access token as well as individual privileges and rights associated with it. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references an accesstoken_object and the optional state element specifies the data to check.
+
+
+ accesstoken_test
+ accesstoken_object
+ accesstoken_state
+ accesstoken_item
+
+
+
+
+ 5.11
+ Replaced by the userright_test. This accesstoken_test suffers from scalability issues when run on a domain controller and should not be used. See the userright_test.
+ This test has been deprecated and will be removed in version 6.0 of the language.
+
+
+
+ DEPRECATED TEST: ID:
+
+
+
+
+
+
+ - the object child element of an accesstoken_test must reference an accesstoken_object
+
+
+ - the state child element of an accesstoken_test must reference an accesstoken_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The accesstoken_object element is used by an access token test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+ An accesstoken_object consists of a single security principle that identifies user, group, or computer account that is associated with the token.
+
+
+ 5.11
+ Replaced by the userright_object. The accesstoken_test suffers from scalability issues when run on a domain controller and should not be used. See the userright_object.
+ This object has been deprecated and will be removed in version 6.0 of the language.
+
+
+
+ DEPRECATED OBJECT: ID:
+
+
+
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The security_principle element defines the access token being specified. Security principles include users or groups with either local or domain accounts, and computer accounts created when a computer joins a domain. In Windows, security principles are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. User rights and permissions to access objects such as Active Directory objects, files, and registry settings are assigned to security principles. In a domain environment, security principles should be identified in the form: "domain\trustee name". For local security principles use: "computer name\trustee name". For built-in accounts on the system, use the trustee name without a domain. If an operation other than equals is used to identify matching trustees (i.e. not equal, or a pattern match) then the resulting matches shall be limited to only the trustees referenced in the Local Security Authority database. The scope is limited here to avoid unnecessarily resource intensive searches for trustees. Note that the larger scope of all known trustees may be obtained through the use of variables.
+
+
+
+
+
+
+
+
+
+
+
+
+ The accesstoken_state element defines the different information that can be used to evaluate the specified access tokens. This includes the multitude of user rights and permissions that can be granted. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+ 5.11
+ Replaced by the userright_state. The accesstoken_test suffers from scalability issues when run on a domain controller and should not be used. See the userright_state.
+ This state has been deprecated and will be removed in version 6.0 of the language.
+
+
+
+ DEPRECATED STATE: ID:
+
+
+
+
+
+
+
+
+
+
+ The security_principle element identifies an access token to test for. Security principles include users or groups with either local or domain accounts, and computer accounts created when a computer joins a domain. In Windows, security principles are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. User rights and permissions to access objects such as Active Directory objects, files, and registry settings are assigned to security principles. In a domain environment, security principles should be identified in the form: "domain\trustee name". For local security principles use: "computer name\trustee name". For built-in accounts on the system, use the trustee name without a domain.
+
+
+
+
+ If the seassignprimarytokenprivilege privilege is enabled, it allows a parent process to replace the access token that is associated with a child process.
+
+
+
+
+ If the seauditprivilege privilege is enabled, it allows a process to generate audit records in the security log. The security log can be used to trace unauthorized system access.
+
+
+
+
+ If the sebackupprivilege privilege is enabled, it allows the user to circumvent file and directory permissions to back up the system. The privilege is selected only when an application attempts access by using the NTFS backup application programming interface (API). Otherwise, normal file and directory permissions apply.
+
+
+
+
+ If the sechangenotifyprivilege privilege is enabled, it allows the user to pass through folders to which the user otherwise has no access while navigating an object path in the NTFS file system or in the registry. This privilege does not allow the user to list the contents of a folder; it allows the user only to traverse its directories.
+
+
+
+
+ If the secreateglobalprivilege privilege is enabled, it allows the user to create named file mapping objects in the global namespace during Terminal Services sessions.
+
+
+
+
+ If the secreatepagefileprivilege privilege is enabled, it allows the user to create and change the size of a pagefile.
+
+
+
+
+ If the secreatepermanentprivilege privilege is enabled, it allows a process to create a directory object in the object manager. It is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode have this privilege inherently.
+
+
+
+
+ If the secreatesymboliclinkprivilege privilege is enabled, it allows users to create symbolic links.
+
+
+
+
+ If the secreatetokenprivilege privilege is enabled, it allows a process to create an access token by calling NtCreateToken() or other token-creating APIs.
+
+
+
+
+ If the sedebugprivilege privilege is enabled, it allows the user to attach a debugger to any process. It provides access to sensitive and critical operating system components.
+
+
+
+
+ If the seenabledelegationprivilege privilege is enabled, it allows the user to change the Trusted for Delegation setting on a user or computer object in Active Directory. The user or computer that is granted this privilege must also have write access to the account control flags on the object.
+
+
+
+
+ If the seimpersonateprivilege privilege is enabled, it allows the user to impersonate a client after authentication.
+
+
+
+
+ If the seincreasebasepriorityprivilege privilege is enabled, it allows a user to increase the base priority class of a process.
+
+
+
+
+ If the seincreasequotaprivilege privilege is enabled, it allows a process that has access to a second process to increase the processor quota assigned to the second process.
+
+
+
+
+ If the seincreaseworkingsetprivilege privilege is enabled, it allows a user to increase a process working set.
+
+
+
+
+ If the seloaddriverprivilege privilege is enabled, it allows a user to install and remove drivers for Plug and Play devices.
+
+
+
+
+ If the selockmemoryprivilege privilege is enabled, it allows a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk.
+
+
+
+
+ If the semachineaccountprivilege privilege is enabled, it allows the user to add a computer to a specific domain.
+
+
+
+
+ If the semanagevolumeprivilege privilege is enabled, it allows a non-administrative or remote user to manage volumes or disks.
+
+
+
+
+ If the seprofilesingleprocessprivilege privilege is enabled, it allows a user to sample the performance of an application process.
+
+
+
+
+ If the serelabelprivilege privilege is enabled, it allows a user to modify an object label.
+
+
+
+
+ If the seremoteshutdownprivilege privilege is enabled, it allows a user to shut down a computer from a remote location on the network.
+
+
+
+
+ If the serestoreprivilege privilege is enabled, it allows a user to circumvent file and directory permissions when restoring backed-up files and directories and to set any valid security principle as the owner of an object.
+
+
+
+
+ If the sesecurityprivilege privilege is enabled, it allows a user to specify object access auditing options for individual resources such as files, Active Directory objects, and registry keys. A user who has this privilege can also view and clear the security log from Event Viewer.
+
+
+
+
+ If the seshutdownprivilege privilege is enabled, it allows a user to shut down the local computer.
+
+
+
+
+ If the sesyncagentprivilege privilege is enabled, it allows a process to read all objects and properties in the directory, regardless of the protection on the objects and properties. It is required in order to use Lightweight Directory Access Protocol (LDAP) directory synchronization (Dirsync) services.
+
+
+
+
+ If the sesystemenvironmentprivilege privilege is enabled, it allows modification of system environment variables either by a process through an API or by a user through System Properties.
+
+
+
+
+ If the sesystemprofileprivilege privilege is enabled, it allows a user to sample the performance of system processes.
+
+
+
+
+ If the sesystemtimeprivilege privilege is enabled, it allows the user to adjust the time on the computer's internal clock. It is not required to change the time zone or other display characteristics of the system time.
+
+
+
+
+ If the setakeownershipprivilege privilege is enabled, it allows a user to take ownership of any securable object in the system, including Active Directory objects, NTFS files and folders, printers, registry keys, services, processes, and threads.
+
+
+
+
+ If the setcbprivilege privilege is enabled, it allows a process to assume the identity of any user and thus gain access to the resources that the user is authorized to access.
+
+
+
+
+ If the setimezoneprivilege privilege is enabled, it allows the user to change the time zone.
+
+
+
+
+ If the seundockprivilege privilege is enabled, it allows the user of a portable computer to undock the computer by clicking Eject PC on the Start menu.
+
+
+
+
+ If the seunsolicitedinputprivilege privilege is enabled, it allows the user to read unsolicited data from a terminal device.
+
+
+
+
+ If an account is assigned the sebatchlogonright right, it can log on using the batch logon type.
+
+
+
+
+ If an account is assigned the seinteractivelogonright right, it can log on using the interactive logon type.
+
+
+
+
+ If an account is assigned the senetworklogonright right, it can log on using the network logon type.
+
+
+
+
+ If an account is assigned the seremoteinteractivelogonright right, it can log on to the computer by using a Remote Desktop connection.
+
+
+
+
+ If an account is assigned the seservicelogonright right, it can log on using the service logon type.
+
+
+
+
+ If an account is assigned the sedenybatchLogonright right, it is explicitly denied the ability to log on using the batch logon type.
+
+
+
+
+ If an account is assigned the sedenyinteractivelogonright right, it is explicitly denied the ability to log on using the interactive logon type.
+
+
+
+
+ If an account is assigned the sedenynetworklogonright right, it is explicitly denied the ability to log on using the network logon type.
+
+
+
+
+ If an account is assigned the sedenyremoteInteractivelogonright right, it is explicitly denied the ability to log on through Terminal Services.
+
+
+
+
+ If an account is assigned the sedenyservicelogonright right, it is explicitly denied the ability to log on using the service logon type.
+
+
+
+
+ If an account is assigned this right, it can access the Credential Manager as a trusted caller.
+
+
+
+
+
+
+
+
+
+ The AccesstokenBehaviors complex type defines a number of behaviors that allow a more detailed definition of the accesstoken_object being specified. Note that using these behaviors may result in some unique results. For example, a double negative type condition might be created where an object entity says include everything except a specific item, but a behavior is used that might then add that item back in.
+
+
+ 5.11
+ Replaced by the userright_test. The AccesstokenBehaviors complex type is used by the accesstoken_test which suffers from scalability issues when run on a domain controller and should not be used. As a result, the AccesstokenBehaviors complex type is no longer needed. See the userright_test.
+ This complex type has been deprecated and will be removed in version 6.0 of the language.
+
+
+
+
+
+ If a group security principle is specified, this behavior specifies whether to include the group or not. For example, maybe you want to check the access tokens associated with every user within a group, but not the group itself. In this case, you would set the include_group behavior to 'false'. If the security_principle is not a group, then this behavior should be ignored.
+
+
+ 5.10
+ The 'include_group' behavior has been deprecated in favor of using variables to reference more efficient objects for expanding groups.
+ Consider using a sid_object or similar to include the members of a group.
+
+
+
+ DEPRECATED BEHAVIOR IN: win-def:accesstoken_object
+
+
+
+
+
+
+
+ The 'resolve_group' behavior defines whether an object set defined by a group SID should be resolved to return a set that contains all the user SIDs that are a member of that group. Note that all child groups should also be resolved and any valid domain users that are members of the group should also be included. The intent of this behavior is to end up with a list of all individual users from that system that make up the group once everything has been resolved.
+
+
+ 5.6
+ The 'resolve_group' behavior has been deprecated in favor of using variables to reference more efficient objects for expanding groups.
+ Consider using a sid_object or similar to resolve the members of a group.
+
+
+
+ DEPRECATED BEHAVIOR IN: win-def:accesstoken_object
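Review bot: 'security principle' in the include_group description above should be 'security principal', the Windows term for a user, group or computer account that can be granted rights; it occurs twice in that paragraph. The same sentence refers to the schema entity as 'security_principle', so correct only the prose and leave the element name as it is, because renaming an entity of a deprecated object would break definitions that still reference it.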
+
+
+
+
+
+
+
+
+
+
+
+ The active directory test is used to check information about specific entries in active directory. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references an activedirectory_object and the optional state element specifies the metadata to check.
+
+
+ activedirectory_test
+ activedirectory_object
+ activedirectory_state
+ activedirectory_item
+
+
+
+
+
+ - the object child element of an activedirectory_test must reference an activedirectory_object
+
+
+ - the state child element of an activedirectory_test must reference an activedirectory_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The activedirectory_object element is used by an active directory test to define those objects to evaluated based on a specified state. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+ An active directory object consists of three pieces of information, a naming context, a relative distinguished name, and an attribute. Each piece helps identify a specific active directory entry.
+
+
+
+
+
+
+
+
+
+
+ Each object in active directory exists under a certain naming context (also known as a partition). A naming context is defined as a single object in the Directory Information Tree (DIT) along with every object in the tree subordinate to it. There are three default naming contexts in Active Directory: domain, configuration, and schema.
+
+
+
+
+ The relative_dn field is used to uniquely identify an object inside the specified naming context. It contains all the parts of the object's distinguished name except those outlined by the naming context. If the xsi:nil attribute is set to true, then the object being specified is the higher level naming context. In this case, the relative_dn element should not be collected or used in analysis. Setting xsi:nil equal to true is different than using a .* pattern match, which says to collect every relative dn under a given naming context.
+
+
+
+
+ Specifies a named value contained by the object. If the xsi:nil attribute is set to true, the attribute element should not be collected or used in analysis. Setting xsi:nil equal to true is different than using a .* pattern match, which says to collect every attribute under a given relative dn.
+
+
+
+
+
+
+
+
+
+
+
+ The activedirectory_state element defines the different information that can be used to evaluate the specified entries in active directory. An active directory test will reference a specific instance of this state that defines the exact settings that need to be evaluated. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ Each object in active directory exists under a certain naming context (also known as a partition). A naming context is defined as a single object in the Directory Information Tree (DIT) along with every object in the tree subordinate to it. There are three default naming contexts in Active Directory: domain, configuration, and schema.
+
+
+
+
+ The relative_dn field is used to uniquely identify an object inside the specified naming context. It contains all the parts of the objects distinguished name except those outlined by the naming context.
+
+
+
+
+ Specifies a named value contained by the object.
+
+
+
+
+ The name of the class of which the object is an instance.
+
+
+
+
+ Specifies the type of information that the specified attribute represents.
+
+
+
+
+ The actual value of the specified active directory attribute.
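Review bot: 'to define those objects to evaluated' in the activedirectory_object description should read 'to be evaluated', and 'the objects distinguished name' in the activedirectory_state relative_dn description needs the possessive 'object's' (the object's own relative_dn text spells it correctly). The same 'to evaluated' sentence is copied verbatim into the activedirectory57_object description below, so fix both places.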
+
+
+
+
+
+
+
+
+
+
+
+
+ The active directory test is used to check information about specific entries in active directory. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references an activedirectory57_object and the optional state element specifies the metadata to check.
+ Note that this test supports complex values that are in the form of a record. For simple (string based) value collection see the activedirectory_test.
+
+
+ activedirectory57_test
+ activedirectory57_object
+ activedirectory57_state
+ activedirectory57_item
+
+
+
+
+ 5.11.1:1.2
+ Use the original activedirectory_test. The activedirectory57_test suffers from ambiguity; it was never adequately specified, and it does not even seem possible to have structured data in the context of the enumerated AdstypeTypes. Use the original activedirectory_test instead.
+ This test has been deprecated and will be removed in version 6.0 of the language.
+
+
+
+ DEPRECATED TEST: ID:
+
+
+
+
+
+
+ - the object child element of an activedirectory57_test must reference an activedirectory57_object
+
+
+ - the state child element of an activedirectory57_test must reference an activedirectory57_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The activedirectory57_object element is used by an active directory test to define those objects to evaluated based on a specified state. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+ An active directory object consists of three pieces of information, a naming context, a relative distinguished name, and an attribute. Each piece helps identify a specific active directory entry.
+ Note that this object supports complex values that are in the form of a record. For simple (string based) value collection see the activedirectory_object.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+ 5.11.1:1.2
+ Use the original activedirectory_object. The activedirectory57_test suffers from ambiguity; it was never adequately specified, and it does not even seem possible to have structured data in the context of the enumerated AdstypeTypes. Use the original activedirectory_test instead.
+ This object has been deprecated and will be removed in version 6.0 of the language.
+
+
+
+ DEPRECATED OBJECT: ID:
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Each object in active directory exists under a certain naming context (also known as a partition). A naming context is defined as a single object in the Directory Information Tree (DIT) along with every object in the tree subordinate to it. There are three default naming contexts in Active Directory: domain, configuration, and schema.
+
+
+
+
+ The relative_dn field is used to uniquely identify an object inside the specified naming context. It contains all the parts of the object's distinguished name except those outlined by the naming context. If the xsi:nil attribute is set to true, then the object being specified is the higher level naming context. In this case, the relative_dn element should not be collected or used in analysis. Setting xsi:nil equal to true is different than using a .* pattern match, which says to collect every relative dn under a given naming context.
+
+
+
+
+ Specifies a named value contained by the object. If the xsi:nil attribute is set to true, the attribute element should not be collected or used in analysis. Setting xsi:nil equal to true is different than using a .* pattern match, which says to collect every attribute under a given relative dn.
+
+
+
+
+
+
+
+
+
+
+
+
+ The activedirectory57_state element defines the different information that can be used to evaluate the specified entries in active directory. An active directory test will reference a specific instance of this state that defines the exact settings that need to be evaluated. Please refer to the individual elements in the schema for more details about what each represents.
+ Note that this state supports complex values that are in the form of a record. For simple (string based) value collection see the activedirectory_state.
+
+
+ 5.11.1:1.2
+ Use the original activedirectory_state. The activedirectory57_test suffers from ambiguity; it was never adequately specified, and it does not even seem possible to have structured data in the context of the enumerated AdstypeTypes. Use the original activedirectory_test instead.
+ This state has been deprecated and will be removed in version 6.0 of the language.
+
+
+
+ DEPRECATED STATE: ID:
+
+
+
+
+
+
+
+
+
+
+ Each object in active directory exists under a certain naming context (also known as a partition). A naming context is defined as a single object in the Directory Information Tree (DIT) along with every object in the tree subordinate to it. There are three default naming contexts in Active Directory: domain, configuration, and schema.
+
+
+
+
+ The relative_dn field is used to uniquely identify an object inside the specified naming context. It contains all the parts of the object's distinguished name except those outlined by the naming context.
+
+
+
+
+ Specifies a named value contained by the object.
+
+
+
+
+ The name of the class of which the object is an instance.
+
+
+
+
+ The type of information that the specified attribute represents.
+
+
+
+
+ The actual value of the specified Active Directory attribute. Note that while an Active Directory attribute can contain structured data where it is necessary to collect multiple related fields that can be described by the 'record' datatype, it is not always the case. It also is possible that an Active Directory attribute can contain only a single value or an array of values. In these cases, there is not a name to uniquely identify the corresponding field which is a requirement for fields in the 'record' datatype. As a result, the name of the Active Directory attribute will be used to uniquely identify the field and satisfy this requirement.
+
+
+
+ - datatype attribute for the value entity of a activedirectory57_state must be 'record'
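Review bot: the deprecation notes for activedirectory57_object and activedirectory57_state open with 'Use the original activedirectory_object' and 'Use the original activedirectory_state' but both close with 'Use the original activedirectory_test instead', copied from the test's note; the closing sentence should name the matching object and state so readers migrating definitions are pointed at the right replacement. Also, 'a activedirectory57_state' in the Schematron message above should be 'an activedirectory57_state'.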
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The auditeventpolicy_test is used to check different types of events the system should audit. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a auditeventpolicy_object and the optional state element specifies the metadata to check.
+
+
+ auditeventpolicy_test
+ auditeventpolicy_object
+ auditeventpolicy_state
+ auditeventpolicy_item
+
+
+
+
+
+ - the object child element of an auditeventpolicy_test must reference an auditeventpolicy_object
+
+
+ - the state child element of an auditeventpolicy_test must reference an auditeventpolicy_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The auditeventpolicy_object element is used by an audit event policy test to define those objects to evaluate based on a specified state. There is actually only one object relating to audit event policy and this is the system as a whole. Therefore, there are no child entities defined. Any OVAL Test written to check audit event policy will reference the same auditeventpolicy_object which is basically an empty object element.
+
+
+
+
+
+
+
+
+
+ The auditeventpolicy_state element specifies the different system activities that can be audited. An audit event policy test will reference a specific instance of this state that defines the exact settings that need to be evaluated. The defined values are found in window's POLICY_AUDIT_EVENT_TYPE enumeration and accessed through the LsaQueryInformationPolicy when the InformationClass parameters are set to PolicyAuditEventsInformation. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ Audit attempts to log on to or log off of the system. Also, audit attempts to make a network connection.
+
+
+
+
+ Audit attempts to create, delete, or change user or group accounts. Also, audit password changes.
+
+
+
+
+ Audit specific events, such as program activation, some forms of handle duplication, indirect access to an object, and process exit. Note that this activitiy is also known as process tracking.
+
+
+
+
+ Audit attempts to access the directory service.
+
+
+
+
+ Audit attempts to log on to or log off of the system. Also, audit attempts to make a network connection.
+
+
+
+
+ Audit attempts to access securable objects, such as files.
+
+
+
+
+ Audit attempts to change Policy object rules.
+
+
+
+
+ Audit attempts to use privileges.
+
+
+
+
+ Audit attempts to shut down or restart the computer. Also, audit events that affect system security or the security log.
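Review bot: two entities of auditeventpolicy_state (the first and the fifth documented above) carry the identical text 'Audit attempts to log on to or log off of the system. Also, audit attempts to make a network connection.', so the two audit categories cannot be told apart from the documentation; the subcategory descriptions later in this change already draw the line (the Account Logon entries cover credential validation and Kerberos ticket events, the Logon/Logoff entries cover logon sessions), and these two sentences should be differentiated the same way. Smaller points in the same block: 'references a auditeventpolicy_object' should be 'an auditeventpolicy_object', 'window's POLICY_AUDIT_EVENT_TYPE enumeration' should be 'the Windows POLICY_AUDIT_EVENT_TYPE enumeration', 'when the InformationClass parameters are set' takes the singular 'parameter is set', and 'activitiy' should be 'activity'.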
+
+
+
+
+
+
+
+
+
+
+
+
+ The auditeventpolicysubcategories_test is used to check the audit event policy settings on a Windows system. These settings are used to specify which system and network events are monitored. For example, if the credential_validation element has a value of AUDIT_FAILURE, it means that the system is configured to log all unsuccessful attempts to validate a user account on a system. It is important to note that these audit event policy settings are specific to certain versions of Windows. As a result, the documentation for that version of Windows should be consulted for more information on each setting. The test extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a auditeventpolicy_object and the optional state element specifies the metadata to check.
+
+
+ auditeventpolicysubcategories_test
+ auditeventpolicysubcategories_object
+ auditeventpolicysubcategories_state
+ auditeventpolicysubcategories_item
+
+
+
+
+
+ - the object child element of an auditeventpolicysubcategories_test must reference an auditeventpolicysubcategories_object
+
+
+ - the state child element of an auditeventpolicysubcategories_test must reference an auditeventpolicysubcategories_state
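Review bot: the auditeventpolicysubcategories_test description says 'The required object element references a auditeventpolicy_object', but the element list and the Schematron rule immediately below require an auditeventpolicysubcategories_object; the description should name auditeventpolicysubcategories_object (and 'a' becomes 'an'), otherwise a reader following the prose will wire the test to the wrong object and the Schematron check will reject it.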
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The auditeventpolicysubcategories_object element is used by an audit event policy subcategories test to define those objects to evaluate based on a specified state. There is actually only one object relating to audit event policy subcategories and this is the system as a whole. Therefore, there are no child entities defined. Any OVAL Test written to check audit event policy subcategories will reference the same auditeventpolicysubcategories_object which is basically an empty object element.
+
+
+
+
+
+
+
+
+
+ The auditeventpolicysubcategories_state element specifies the different system activities that can be audited. An audit event policy subcategories test will reference a specific instance of this state that defines the exact subcategories that need to be evaluated. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+
+ Audit the events produced during the validation of a user's logon credentials. This state corresponds with the following GUID specified in ntsecapi.h: 0cce923f-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Account Logon: Audit Credential Validation
+
+
+
+
+ Audit the events produced by Kerberos authentication ticket-granting requests. This state corresponds with the following GUID specified in ntsecapi.h: 0CCE9242-69AE-11D9-BED3-505054503030. This state corresponds with the following Advanced Audit Policy: Account Logon: Audit Kerboros Authentication Service
+
+
+
+
+ Audit the events produced by Kerberos service ticket requests. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9240-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Account Logon: Audit Kerberos Service Ticket Operations
+
+
+
+
+ Audit the events produced during the validation of Kerberos tickets provided for a user account logon request.
+
+
+ 5.11
+ This entity does not map to any known audit event policy subcategory.
+ This entity has been deprecated and will be removed in version 6.0 of the language.
+
+
+
+ DEPRECATED ELEMENT: ID:
+
+
+
+
+
+
+
+ Audit the events produced by changes to user accounts that are not covered by other events in the Account Logon category. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9241-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Account Logon: Audit Other Account Logon Events
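Review bot: 'Audit Kerboros Authentication Service' in the Kerberos authentication service entry should be 'Kerberos'. The GUID in that same entry is written in upper case (0CCE9242-...) while every other entry in this state uses lower case; pick one case so the values compare cleanly when someone checks them against ntsecapi.h.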
+
+
+
+
+
+ Audit the events produced by changes to application groups. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9239-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Account Management: Audit Application Group Management
+
+
+
+
+ Audit the events produced by changes to computer accounts. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9236-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Account Management: Audit Computer Account Management
+
+
+
+
+ Audit the events produced by changes to distribution groups. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9238-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Account Management: Audit Distribution Account Management
+
+
+
+
+ Audit the events produced by other user account changes that are not covered by other events in the Account Management category. This state corresponds with the following GUID specified in ntsecapi.h: 0cce923a-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Account Management: Audit Other Account Management Events
+
+
+
+
+ Audit the events produced by changes to security groups. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9237-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Account Management: Audit Security Group Management
+
+
+
+
+ Audit the events produced by changes to user accounts. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9235-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Account Management: Audit User Account Management
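Review bot: the distribution group entry maps to 'Account Management: Audit Distribution Account Management', but its description is about changes to distribution groups and the sibling entries name 'Audit Security Group Management' and 'Audit Application Group Management'; the policy name should be 'Audit Distribution Group Management'.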
+
+
+
+
+
+ Audit the events produced when requests are made to the Data Protection application interface. This state corresponds with the following GUID specified in ntsecapi.h: 0cce922d-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Detailed Tracking: Audit DPAPI Activity
+
+
+
+
+ Audit the events produced when a process is created or starts. This state corresponds with the following GUID specified in ntsecapi.h: 0cce922b-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Detailed Tracking: Audit Process Creation
+
+
+
+
+ Audit the events produced when a process ends. This state corresponds with the following GUID specified in ntsecapi.h: 0cce922c-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Detailed Tracking: Audit Process Termination
+
+
+
+
+ Audit the events produced by inbound remote procedure call connections. This state corresponds with the following GUID specified in ntsecapi.h: 0cce922e-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Detailed Tracking: Audit RPC Events
+
+
+
+
+
+ Audit the events produced when a Active Directory Domain Services object is accessed. This state corresponds with the following GUID specified in ntsecapi.h: 0cce923b-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: DS Access: Audit Directory Service Access
+
+
+
+
+ Audit the events produced when changes are made to Active Directory Domain Services objects. This state corresponds with the following GUID specified in ntsecapi.h: 0cce923c-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: DS Access: Audit Directory Service Changes
+
+
+
+
+ Audit the events produced when two Active Directory Domain Services domain controllers are replicated. This state corresponds with the following GUID specified in ntsecapi.h: 0cce923d-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: DS Access: Audit Directory Service Access
+
+
+
+
+ Audit the events produced by detailed Active Directory Domain Services replication between domain controllers. This state corresponds with the following GUID specified in ntsecapi.h: 0cce923e-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: DS Access: Audit Detailed Directory Service Replication
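Review bot: the entry for replication between two domain controllers (GUID 0cce923d) is mapped to 'DS Access: Audit Directory Service Access', the same policy name already used by the 0cce923b entry; given its own description and the 'Audit Detailed Directory Service Replication' entry that follows it, the name should be 'Audit Directory Service Replication'.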
+
+
+
+
+
+ Audit the events produced by a failed attempt to log onto a locked out account. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9217-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Logon/Logoff: Audit Account Lockout
+
+
+
+
+ Audit the events produced by Internet Key Exchange and Authenticated Internet protocol during Extended Mode negotiations. This state corresponds with the following GUID specified in ntsecapi.h: 0cce921a-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Logon/Logoff: Audit IPsec Extended Mode
+
+
+
+
+ Audit the events produced by Internet Key Exchange and Authenticated Internet protocol during Main Mode negotiations. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9218-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Logof/Logoff: Audit IPsec Main Mode
+
+
+
+
+ Audit the events produced by Internet Key Exchange and Authenticated Internet protocol during Quick Mode negotiations. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9219-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Logon/Logoff: Audit IPsec Quick Mode
+
+
+
+
+ Audit the events produced by closing a logon session. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9216-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Logon/Logoff: Audit Logoff
+
+
+
+
+ Audit the events produced by attempts to log onto a user account. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9215-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Logon/Logoff: Audit Logon
+
+
+
+
+ Audit the events produced by RADIUS and Network Access Protection user access requests. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9243-69ae-11d9-bed3-505054503030.This state corresponds with the following Advanced Audit Policy: Logon/Logoff: Audit Network Policy Server
+
+
+
+
+ Audit the events produced by other logon/logoff based events that are not covered in the Logon/Logoff category. This state corresponds with the following GUID specified in ntsecapi.h: 0cce921c-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Logon/Logoff: Audit Other Logon/Logoff Events
+
+
+
+
+ Audit the events produced by special logons. This state corresponds with the following GUID specified in ntsecapi.h: 0cce921b-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Logon/Logoff: Audit Special Logon
+
+
+
+
+ Audit user and device claims information in the user's logon token. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9247-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Logon/Logoff: Audit User / Device Claims
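Review bot: 'Logof/Logoff: Audit IPsec Main Mode' should be 'Logon/Logoff: Audit IPsec Main Mode' to match the other entries in this category, and the Network Policy Server entry is missing a space after the GUID ('505054503030.This state').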
+
+
+
+
+
+ Audit the events produced by applications that use the Windows Auditing API. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9222-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Object Access: Audit Application Generated
+
+
+
+
+ Audit the events produced by operations on Active Directory Certificate Services. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9221-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Object Access: Audit Certification Services
+
+
+
+
+ Audit the events produced by attempts to access files and folders on a shared folder. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9244-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Object Access: Audit Detailed File Share
+
+
+
+
+ Audit the events produced by attempts to access a shared folder. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9224-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Object Access: Audit File Share
+
+
+
+
+ Audit the events produced user attempts to access file system objects. This state corresponds with the following GUID specified in ntsecapi.h: 0cce921d-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Object Access: Audit File System
+
+
+
+
+ Audit the events produced by connections that are allowed or blocked by Windows Filtering Platform. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9226-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Object Access: Audit Filtering Platform Connection
+
+
+
+
+ Audit the events produced by packets that are dropped by Windows Filtering Platform. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9225-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Object Access: Audit Filtering Platform Packet Drop
+
+
+
+
+ Audit the events produced when a handle is opened or closed. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9223-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Object Access: Handle Manipulation
+
+
+
+
+ Audit the events produced by attempts to access the system kernel. This state corresponds with the following GUID specified in ntsecapi.h: 0cce921f-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Object Access: Kernel Object
+
+
+
+
+ Audit the events produced by the management of Task Scheduler jobs or COM+ objects. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9227-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Object Access: Other Object Access Events
+
+
+
+
+ Audit the events produced by attempts to access registry objects. This state corresponds with the following GUID specified in ntsecapi.h: 0cce921e-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Object Access: Audit Registry
+
+
+
+
+ Audit the events produced by attempts to access Security Accounts Manager objects. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9220-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Object Access: Audit SAM
+
+
+
+
+ Audit events that indicate file object access attemps to removable storage. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9245-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Object Access: Audit Removable Storage
+
+
+
+
+ Audit events that indicate permission granted or denied by a proposed policy differs from the current central access policy on an object. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9246-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Object Access: Central Access Policy Staging
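Review bot: 'Audit the events produced user attempts to access file system objects' is missing 'by' ('produced by user attempts'), and 'file object access attemps' in the removable storage entry should be 'attempts'. Three policy names in this category also omit the 'Audit' prefix the rest carry ('Handle Manipulation', 'Kernel Object', 'Central Access Policy Staging'); make them consistent with the other entries.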
+
+
+
+
+
+ Audit the events produced by changes in security audit policy settings. This state corresponds with the following GUID specified in ntsecapi.h: 0cce922f-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Policy Change: Audit Audit Policy Change
+
+
+
+
+ Audit the events produced by changes to the authentication policy. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9230-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Policy Change: Audit Authentication Policy Change
+
+
+
+
+ Audit the events produced by changes to the authorization policy. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9231-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Policy Change: Audit Authorization Policy Change
+
+
+
+
+ Audit the events produced by changes to the Windows Filtering Platform. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9233-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Policy Change: Audit Filtering Platform Policy Change
+
+
+
+
+ Audit the events produced by changes to policy rules used by the Windows Firewall. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9232-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Policy Change: Audit MPSSVC Rule-Level Policy Change
+
+
+
+
+ Audit the events produced by other security policy changes that are not covered other events in the Policy Change category. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9234-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Policy Change: Audit Other Policy Change Events
+
+
+
+
+
+ Audit the events produced by the use of non-sensitive privileges. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9229-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Privilege Use: Audit Non Sensitive Privilege Use
+
+
+
+
+ This is currently not used and has been reserved by Microsoft for use in the future. This state corresponds with the following GUID specified in ntsecapi.h: 0cce922a-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Privilege Use: Audit Other Privilege Use Events
+
+
+
+
+ Audit the events produced by the use of sensitive privileges. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9228-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Privilege Use: Audit Sensitive Privilege Use
+
+
+
+
+
+ Audit the events produced by the IPsec filter driver. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9213-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: System: Audit IPsec Driver
+
+
+
+
+ Audit the events produced by the startup and shutdown, security policy processing, and cryptography key file and migration operations of the Windows Firewall. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9214-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: System: Audit Other System Events
+
+
+
+
+ Audit the events produced by changes in the security state. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9210-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: System: Audit Security State Change
+
+
+
+
+ Audit the events produced by the security system extensions or services. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9211-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: System: Audit Security System Extension
+
+
+
+
+ Audit the events that indicate that the integrity security subsystem has been violated. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9212-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: System: Audit System Integrity
+
+
+
+
+ This subcategory audits the group membership of a token for an associated logon. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9249-69ae-11d9-bed3-505054503030.
+
+
+
+
+ This subcategory audits events generated by plug and play (PNP). This state corresponds with the following GUID specified in ntsecapi.h: 0cce9248-69ae-11d9-bed3-505054503030.
+
+
+
+
+ This subcategory audits the user and device claims that are present in the token of an associated logon. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9247-69ae-11d9-bed3-505054503030.
+
+
+
+
+ This subcategory audits when token privileges are enabled or disabled for a specific account’s token. This state corresponds with the following GUID specified in ntsecapi.h: 0cce924a-69ae-11d9-bed3-505054503030.
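+
+ The subcategory descriptions above each name a GUID and an Advanced Audit Policy entry; on a live host the check they describe comes down to reading the effective setting for that GUID and comparing it with a baseline. The following PowerShell is an added example, not part of the OVAL schema or of any interpreter. It queries auditpol.exe by GUID (the table of display names and GUIDs is the example's own, built from the entries above), collapses the result to the four-valued audit setting, and compares it with a constructed baseline. auditpol needs an elevated prompt.
+
```powershell
# Display names and GUIDs as listed in the subcategory descriptions (example's own table).
$SubcategoryGuid = @{
    'Audit MPSSVC Rule-Level Policy Change' = '0cce9232-69ae-11d9-bed3-505054503030'
    'Audit Other Policy Change Events'      = '0cce9234-69ae-11d9-bed3-505054503030'
    'Audit Non Sensitive Privilege Use'     = '0cce9229-69ae-11d9-bed3-505054503030'
    'Audit Sensitive Privilege Use'         = '0cce9228-69ae-11d9-bed3-505054503030'
    'Audit IPsec Driver'                    = '0cce9213-69ae-11d9-bed3-505054503030'
    'Audit Other System Events'             = '0cce9214-69ae-11d9-bed3-505054503030'
    'Audit Security State Change'           = '0cce9210-69ae-11d9-bed3-505054503030'
    'Audit Security System Extension'       = '0cce9211-69ae-11d9-bed3-505054503030'
    'Audit System Integrity'                = '0cce9212-69ae-11d9-bed3-505054503030'
}

function Get-AuditSubcategorySetting {
    param([Parameter(Mandatory)][string]$Guid)
    # /r emits CSV whose "Inclusion Setting" column is "No Auditing", "Success",
    # "Failure" or "Success and Failure". Blank lines are dropped before parsing.
    $rows = auditpol.exe /get /subcategory:"{$Guid}" /r | Where-Object { $_.Trim() } | ConvertFrom-Csv
    if ($LASTEXITCODE -ne 0 -or -not $rows) {
        throw "auditpol failed for {$Guid} (exit $LASTEXITCODE); is the prompt elevated?"
    }
    $setting = $rows[0].'Inclusion Setting'
    # Collapse to the four-valued form OVAL audit states use; break stops the
    # regex switch from also matching the shorter patterns.
    $value = switch -Regex ($setting) {
        'Success and Failure' { 'AUDIT_SUCCESS_FAILURE'; break }
        'Success'             { 'AUDIT_SUCCESS'; break }
        'Failure'             { 'AUDIT_FAILURE'; break }
        default               { 'AUDIT_NONE' }
    }
    [pscustomobject]@{ Subcategory = $rows[0].Subcategory; Guid = $Guid; Setting = $setting; Value = $value }
}

function Test-AuditBaseline {
    param([Parameter(Mandatory)][hashtable]$Expected)   # display name -> expected audit value
    foreach ($name in $Expected.Keys) {
        $actual = Get-AuditSubcategorySetting -Guid $SubcategoryGuid[$name]
        $result = if ($actual.Value -eq $Expected[$name]) { 'true' } else { 'false' }
        [pscustomobject]@{
            Subcategory = $name
            Expected    = $Expected[$name]
            Actual      = $actual.Value
            Result      = $result
        }
    }
}

# Constructed baseline for the example. Non Sensitive Privilege Use is deliberately
# expected to be off: it is extremely noisy and rarely worth collecting.
Test-AuditBaseline @{
    'Audit Sensitive Privilege Use'         = 'AUDIT_SUCCESS_FAILURE'
    'Audit Security System Extension'       = 'AUDIT_SUCCESS'
    'Audit System Integrity'                = 'AUDIT_SUCCESS_FAILURE'
    'Audit MPSSVC Rule-Level Policy Change' = 'AUDIT_SUCCESS'
    'Audit Non Sensitive Privilege Use'     = 'AUDIT_NONE'
} | Format-Table -AutoSize
```
+
+ Querying by GUID rather than by display name is what makes the check stable across locales; the display names auditpol prints are localized, the GUIDs are not.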
+
+
+
+
+
+
+
+
+
+
+
+
+ The cmdlet_test is used to leverage a PowerShell cmdlet to check a Windows system. The test extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a cmdlet_object and the optional state element specifies the metadata to check.
+
+
+ cmdlet_test
+ cmdlet_object
+ cmdlet_state
+ cmdlet_item
+
+
+
+
+
+ - the object child element of a cmdlet_test must reference a cmdlet_object
+
+
+ - the state child element of a cmdlet_test must reference a cmdlet_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The cmdlet_object element is used by a cmdlet_test to identify the set of cmdlets to use and the parameters to provide to them for checking the state of a system. In order to ensure the consistency of PowerShell cmdlet support among OVAL interpreters as well as ensure that the state of a system is not changed, every OVAL interpreter must implement the following requirements. An OVAL interpreter must only support the processing of the verbs specified in the EntityObjectCmdletVerbType. If a cmdlet verb that is not defined in this enumeration is discovered, an error should be reported and the cmdlet must not be executed on the system. While XML Schema validation will enforce this requirement, it is strongly recommended that OVAL interpreters implement a whitelist of allowed cmdlets. This can be done using constrained runspaces which can limit the PowerShell execution environment. For more information, please see Microsoft's documentation on Windows PowerShell Host Application Concepts. Furthermore, it is strongly recommended that OVAL interpreters also implement PowerShell support with the NoLanguage mode enabled. The NoLanguage mode ensures that scripts that need to be evaluated are not allowed in the runspace. For more information about the NoLanguage mode, please see Microsoft's documentation on the PSLanguageMode enumeration.
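+
+ The requirements above (an allow-list of cmdlets, a constrained runspace, NoLanguage mode) can be met with the public PowerShell hosting API. The following is an added example, not part of the schema or of any OVAL interpreter: it builds a runspace in which only allow-listed cmdlets are visible and no script text can be evaluated, then runs a cmdlet_object-style query (verb, noun, parameters record, select record) through it. The verb and cmdlet allow-lists are this example's own policy; the schema's EntityObjectCmdletVerbType enumeration is not reproduced. Requires PowerShell 5.0 or later for the using statements.
+
```powershell
using namespace System.Management.Automation
using namespace System.Management.Automation.Runspaces

# Example policy: which verbs and cmdlets this collector accepts (not the schema's list).
$AllowedVerbs   = @('Get', 'Test', 'Measure')
$AllowedCmdlets = @('Get-Service', 'Get-ItemProperty', 'Test-Path', 'Select-Object')

function New-ConstrainedRunspace {
    # Start from the default session state, hide everything that is not on the
    # allow-list (Private commands cannot be invoked by the host), and switch the
    # language mode to NoLanguage so no script text can be evaluated at all.
    $iss = [InitialSessionState]::CreateDefault()
    $iss.LanguageMode = [PSLanguageMode]::NoLanguage
    foreach ($entry in $iss.Commands) {
        if ($AllowedCmdlets -notcontains $entry.Name) {
            $entry.Visibility = [SessionStateEntryVisibility]::Private
        }
    }
    $rs = [RunspaceFactory]::CreateRunspace($iss)
    $rs.Open()
    return $rs
}

function Invoke-CmdletObject {
    param(
        [Parameter(Mandatory)][Runspace]$Runspace,
        [Parameter(Mandatory)][string]$Verb,
        [Parameter(Mandatory)][string]$Noun,
        [hashtable]$Parameters = @{},          # the parameters record: name/value pairs
        [string[]]$Select                      # the select record: property names, '*' refused
    )
    # Enforce the verb restriction here too; upstream schema validation is not
    # something the collector should have to trust.
    if ($AllowedVerbs -notcontains $Verb) {
        throw "cmdlet verb '$Verb' is not permitted; '$Verb-$Noun' was not executed"
    }
    if ($Select -contains '*') { throw "select may not use '*': field names must be unique" }

    $ps = [PowerShell]::Create()
    $ps.Runspace = $Runspace
    # AddCommand/AddParameters build the pipeline as objects; nothing is parsed as
    # script, so a parameter value cannot smuggle in a further command.
    [void]$ps.AddCommand("$Verb-$Noun").AddParameters($Parameters)
    if ($Select) { [void]$ps.AddCommand('Select-Object').AddParameter('Property', $Select) }
    try {
        $out = $ps.Invoke()
        if ($ps.HadErrors) { throw ($ps.Streams.Error | Select-Object -First 1) }
        return $out
    } finally { $ps.Dispose() }
}

$rs = New-ConstrainedRunspace
try {
    # Equivalent of: Get-Service -Name wuauserv | Select-Object Name, Status
    Invoke-CmdletObject -Runspace $rs -Verb Get -Noun Service -Parameters @{ Name = 'wuauserv' } -Select Name, Status

    # Refused by the verb check; had it got through, Stop-Service is Private in the runspace anyway.
    try { Invoke-CmdletObject -Runspace $rs -Verb Stop -Noun Service -Parameters @{ Name = 'wuauserv' } }
    catch { "refused: $($_.Exception.Message)" }

    # NoLanguage: even the host cannot hand the runspace script text to run.
    $ps = [PowerShell]::Create(); $ps.Runspace = $rs
    try { [void]$ps.AddScript('Stop-Service wuauserv').Invoke() }
    catch { "refused: $($_.Exception.Message)" }
    finally { $ps.Dispose() }
} finally { $rs.Dispose() }
```
+
+ The two layers are independent on purpose: the verb check rejects anything outside the enumeration before a runspace is touched, and the Private visibility plus NoLanguage mode mean that a cmdlet name which slips past the first check still cannot run, and that no parameter value can be turned into code.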
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The name of the module that contains the cmdlet.
+
+
+
+ - operation attribute for the module_name entity of a cmdlet_object must be 'equals'
+
+
+
+
+
+
+
+ The globally unique identifier for the module. If xsi:nil='true', it does not matter which module GUID the command comes from.
+
+
+
+ - operation attribute for the module_id entity of a cmdlet_object must be 'equals'
+
+
+
+
+
+
+
+ The version of the module that contains the cmdlet in the form of MAJOR.MINOR. If xsi:nil='true', that implies it does not matter which version of the module the command refers to.
+
+
+
+
+ The cmdlet verb.
+
+
+
+ - operation attribute for the verb entity of a cmdlet_object must be 'equals'
+
+
+
+
+
+
+
+ The cmdlet noun.
+
+
+
+ - operation attribute for the noun entity of a cmdlet_object must be 'equals'
+
+
+
+
+
+
+
+ A list of properties (name and value pairs) as input to invoke the cmdlet. Each property name must be unique. When xsi:nil='true', parameters are not provided to the cmdlet.
+
+
+
+ - datatype attribute for the parameters entity of a cmdlet_object must be 'record'
+
+
+
+
+
+
+
+
+
+
+
+ A list of fields (name and value pairs) used as input to the Select-Object cmdlet to select specific output properties. Each property name must be unique. Please note that the use of the '*' character, to select all properties, is not permitted. This is because the value record entity, in the state and item, require unique field name values to ensure that any query results can be evaluated consistently. This is equivalent to piping the output of a cmdlet to the Select-Object cmdlet. When xsi:nil='true', the Select-Object is not used.
+
+
+
+ - datatype attribute for the select entity of a cmdlet_object must be 'record'
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The cmdlet_state allows for assertions about the presence of PowerShell cmdlet related properties and values obtained from a cmdlet.
+
+
+
+
+
+
+
+ The name of the module that contains the cmdlet.
+
+
+
+
+ The globally unique identifier for the module.
+
+
+
+
+ The version of the module that contains the cmdlet in the form of MAJOR.MINOR.
+
+
+
+
+ The cmdlet verb.
+
+
+
+
+ The cmdlet noun.
+
+
+
+
+ A list of properties (name and value pairs) as input to invoke the cmdlet. Each property name must be unique.
+
+
+
+ - datatype attribute for the parameters entity of a cmdlet_state must be 'record'
+
+
+
+
+
+
+
+
+
+
+
+ A list of fields (name and value pairs) used as input to the Select-Object cmdlet to select specific output properties. Each property name must be unique.
+
+
+
+ - datatype attribute for the select entity of a cmdlet_state must be 'record'
+
+
+
+
+
+
+
+
+
+
+
+ The expected value represented as a set of fields (name and value pairs). Each field must have a unique name.
+
+
+
+ - datatype attribute for the value entity of a cmdlet_state must be 'record'
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The dnscache_test is used to check the time to live and IP addresses associated with a domain name. The time to live and IP addresses for a particular domain name are retrieved from the DNS cache on the local system. The entries in the DNS cache can be collected using Microsoft's DnsGetCacheDataTable() and DnsQuery() API calls. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a dnscache_object and the optional state element specifies the metadata to check.
+
+
+ dnscache_test
+ dnscache_object
+ dnscache_state
+ dnscache_item
+
+
+
+
+
+ - the object child element of a dnscache_test must reference a dnscache_object
+
+
+ - the state child element of a dnscache_test must reference a dnscache_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The dnscache_object is used by the dnscache_test to specify the domain name(s) that should be collected from the DNS cache on the local system. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The domain_name element specifies the domain name(s) that should be collected from the DNS cache on the local system.
+
+
+
+
+
+
+
+
+
+
+
+
+ The dnscache_state contains three entities that are used to check the domain name, time to live, and IP addresses associated with the DNS cache entry.
+
+
+
+
+
+
+
+ The domain_name element contains a string that represents a domain name that was collected from the DNS cache on the local system.
+
+
+
+
+ The ttl element contains an integer that represents the time to live in seconds of the DNS cache entry.
+
+
+
+
+ The ip_address element contains a string that represents an IP address associated with the specified domain name that was collected from the DNS cache on the local system. Note that the IP address can be IPv4 or IPv6.
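+
+ The three dnscache_state entities map directly onto what the local resolver cache exposes. The following PowerShell is an added example, not part of the schema: it collects the domain_name, ttl and ip_address fields for a name from the cache (Get-DnsClientCache, DnsClient module on Windows 8 / Server 2012 and later, reads the same table DnsGetCacheDataTable returns) and evaluates a state-style assertion against them. The domain name, expected addresses and TTL bound in the usage lines are constructed.
+
```powershell
function Get-DnsCacheItem {
    param([Parameter(Mandatory)][string]$DomainName)
    # Record type 1 = A (IPv4), 28 = AAAA (IPv6); CNAME and other rows carry no address.
    Get-DnsClientCache -Entry $DomainName -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -in 1, 28 } |
        ForEach-Object {
            [pscustomobject]@{
                domain_name = $_.Entry
                ttl         = [int]$_.TimeToLive                                        # seconds left in the cache
                ip_address  = [System.Net.IPAddress]::Parse($_.Data).IPAddressToString   # normalised text form
            }
        }
}

function Test-DnsCacheState {
    param(
        [Parameter(Mandatory)][string]$DomainName,
        [Parameter(Mandatory)][string[]]$ExpectedAddresses,   # ip_address: every cached address must be one of these
        [int]$MaxTtl = 86400                                   # ttl: must not exceed this
    )
    $expected = $ExpectedAddresses | ForEach-Object { [System.Net.IPAddress]::Parse($_).IPAddressToString }
    $items = @(Get-DnsCacheItem -DomainName $DomainName)
    if ($items.Count -eq 0) {
        # No item means the object does not exist; the test outcome then follows its check_existence.
        return [pscustomobject]@{ domain_name = $DomainName; addresses = ''; result = 'object does not exist'; unexpected = '' }
    }
    $unexpected = @($items | Where-Object { $expected -notcontains $_.ip_address })
    $stale      = @($items | Where-Object { $_.ttl -gt $MaxTtl })
    $result = if ($unexpected.Count -eq 0 -and $stale.Count -eq 0) { 'true' } else { 'false' }
    [pscustomobject]@{
        domain_name = $DomainName
        addresses   = ($items.ip_address -join ', ')
        result      = $result
        unexpected  = ($unexpected.ip_address -join ', ')   # a cached answer pointing elsewhere is what poisoning looks like
    }
}

# Constructed expectation for an internal name; with no cache entry this reports
# "object does not exist", which is the edge case an interpreter has to handle.
Test-DnsCacheState -DomainName 'intranet.example.internal' -ExpectedAddresses '10.0.0.10', '10.0.0.11' -MaxTtl 3600
```
+
+ Addresses are normalised through System.Net.IPAddress before comparison so that an IPv6 entry written with and without zero compression compares equal; comparing the raw Data strings would not.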
+
+
+
+
+
+
+
+
+
+
+
+
+ The file test is used to check metadata associated with Windows files. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a file_object and the optional state element specifies the metadata to check.
+
+
+ file_test
+ file_object
+ file_state
+ file_item
+
+
+
+
+
+ - the object child element of a file_test must reference a file_object
+
+
+ - the state child element of a file_test must reference a file_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The file_object element is used by a file test to define the specific file(s) to be evaluated. The file_object will collect directories and all Windows file types (FILE_TYPE_CHAR, FILE_TYPE_DISK, FILE_TYPE_PIPE, FILE_TYPE_REMOTE, and FILE_TYPE_UNKNOWN). Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+ A file object defines the path and filename or complete filepath of the file(s). In addition, a number of behaviors may be provided that help guide the collection of objects. Please refer to the FileBehaviors complex type for more information about specific behaviors.
+ The set of files to be evaluated may be identified with either a complete filepath or a path and filename. Only one of these options may be selected.
+ It is important to note that the 'max_depth' and 'recurse_direction' attributes of the 'behaviors' element do not apply to the 'filepath' element, only to the 'path' and 'filename' elements. This is because the 'filepath' element represents an absolute path to a particular file and it is not possible to recurse over a file.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The filepath element specifies the absolute path for a file on the machine. A directory cannot be specified as a filepath.
+
+
+
+ - the max_depth and recurse_direction behaviors are not allowed with a filepath entity
+
+
+
+
+ - the recurse_file_system behavior MUST not be set to 'defined' when a pattern match is used with a filepath entity.
+
+
+
+
+
+
+
+
+ The path element specifies the directory component of the absolute path to a file on the machine.
+
+
+
+ - the recurse_file_system behavior MUST not be set to 'defined' when a pattern match is used with a path entity.
+ - the max_depth behavior MUST not be used when a pattern match is used with a path entity.
+ - the recurse_direction behavior MUST not be used when a pattern match is used with a path entity.
+
+
+
+
+
+
+
+ The filename element specifies the name of a file to evaluate. If the xsi:nil attribute is set to true, then the object being specified is the higher level directory object (not all the files in the directory). In this case, the filename element should not be used during collection and would result in the unique set of items being the directories themselves. For example, one would set xsi:nil to true if the desire was to test the attributes or permissions associated with a directory. Setting xsi:nil equal to true is different than using a .* pattern match, which says to collect every file under a given path.
+
+
+
+ - filename entity cannot contain the characters / \ : * ? > | < "
+ - filename entity cannot be empty unless the xsi:nil attribute is set to true or a var_ref is used
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The file_state element defines the different metadata associate with a Windows file. This includes the path, filename, owner, size, last modified time, version, etc. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ The filepath element specifies the absolute path for a file on the machine. A directory cannot be specified as a filepath.
+
+
+
+
+ The path element specifies the directory component of the absolute path to a file on the machine.
+
+
+
+
+ The filename element specifies the name of the file.
+
+
+
+ - filename entity cannot contain the characters / \ : * ? > | < "
+
+
+
+
+
+
+
+ The owner element is a string that contains the name of the owner. The name should be specified in the DOMAIN\username format.
+
+
+
+
+ The size element is the size of the file in bytes.
+
+
+
+
+ Time of last access of file. Valid on NTFS but not on FAT formatted disk drives. The string should represent the FILETIME structure which is a 64-bit value representing the number of 100-nanosecond intervals since January 1, 1601 (UTC).
+
+
+
+
+ Time of creation of file. Valid on NTFS but not on FAT formatted disk drives. The string should represent the FILETIME structure which is a 64-bit value representing the number of 100-nanosecond intervals since January 1, 1601 (UTC).
+
+
+
+
+ Time of last modification of file. The string should represent the FILETIME structure which is a 64-bit value representing the number of 100-nanosecond intervals since January 1, 1601 (UTC).
+
+
+
+
+ The checksum of the file as supplied by Microsoft's MapFileAndCheckSum function.
+
+
+
+
+ The version element is the delimited version string of the file.
+
+
+
+
+ The type element marks whether the file is a named pipe, standard file, etc. These types are the return values for GetFileType. For directories, this element must have a status of 'does not exist'.
+
+
+
+
+ The attribute element marks a Windows file attribute. These types are the return values for GetFileAttribute.
+ The attribute element can be included multiple times in a system characteristic item in order to record that a file has a number of different attributes. Note that the entity_check attribute associated with EntityStateStringType guides the evaluation of entities like the attribute entity that refer to items that can occur an unbounded number of times.
+
+
+
+
+ The development_class element allows the distinction to be made between the GDR development environment and the QFE development environment. This field holds the text found in front of the mmmmmm-nnnn version, for example srv03_gdr.
+
+
+
+
+ This entity defines a company name to be found within the version-information structure.
+
+
+
+
+ This entity defines an internal name to be found within the version-information structure.
+
+
+
+
+ This entity defines a language to be found within the version-information structure.
+
+
+
+
+ This entity defines an original filename to be found within the version-information structure.
+
+
+
+
+ This entity defines a product name to be found within the version-information structure.
+
+
+
+
+ This entity defines the product version held within the version-information structure. This may not necessarily be a string compatible with the OVAL version datatype, in which case the string datatype should be used.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The windows view value to which this was targeted. This is used to indicate which view (32-bit or 64-bit), the associated State applies to.
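+
+ The file_state entities above describe metadata that comes from several different Windows APIs. The following PowerShell is an added example, not part of the schema: for one file it collects the FILETIME timestamps, GetFileType result, attributes, version-information strings, development_class and the MapFileAndCheckSum checksum, with field names following the entity names. The two P/Invoke declarations are the documented Win32 signatures; the sample path in the usage line is just ntdll.dll. Reading the owner of protected system files may need elevation.
+
```powershell
$Win32 = Add-Type -Namespace OvalExample -Name FileMeta -PassThru -MemberDefinition @'
[DllImport("imagehlp.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern uint MapFileAndCheckSumW(string Filename, out uint HeaderSum, out uint CheckSum);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern uint GetFileType(Microsoft.Win32.SafeHandles.SafeFileHandle hFile);
'@

# GetFileType return values and their winbase.h names.
$FileTypeName = @{ 0 = 'FILE_TYPE_UNKNOWN'; 1 = 'FILE_TYPE_DISK'; 2 = 'FILE_TYPE_CHAR'; 3 = 'FILE_TYPE_PIPE'; 0x8000 = 'FILE_TYPE_REMOTE' }

function Get-FileItem {
    param([Parameter(Mandatory)][string]$FilePath)
    $f = Get-Item -LiteralPath $FilePath -ErrorAction Stop
    if ($f.PSIsContainer) { throw "a directory cannot be specified as a filepath: $FilePath" }

    # type: GetFileType needs an open handle; for directories this entity has status "does not exist".
    $stream = [System.IO.File]::Open($f.FullName, 'Open', 'Read', 'ReadWrite')
    try { $type = $FileTypeName[[int]$Win32::GetFileType($stream.SafeFileHandle)] } finally { $stream.Dispose() }

    # ms_checksum: MapFileAndCheckSum returns 0 (CHECKSUM_SUCCESS) and fills CheckSum from the image.
    $headerSum = [uint32]0; $checkSum = [uint32]0
    $rc = $Win32::MapFileAndCheckSumW($f.FullName, [ref]$headerSum, [ref]$checkSum)

    # development_class: the text in front of the build stamp inside the version resource's
    # FileVersion string, e.g. "win7sp1_rtm" in "6.1.7601.17514 (win7sp1_rtm.101119-1850)".
    $vi = $f.VersionInfo
    $devClass = if ($vi.FileVersion -match '\(([^.()]+)\.\d{6}[-.]\d{4}\)') { $Matches[1] } else { $null }

    [pscustomobject][ordered]@{
        filepath          = $f.FullName
        path              = $f.DirectoryName
        filename          = $f.Name
        owner             = (Get-Acl -LiteralPath $f.FullName).Owner       # DOMAIN\username
        size              = $f.Length
        a_time            = $f.LastAccessTimeUtc.ToFileTimeUtc()           # FILETIME: 100 ns intervals since 1601-01-01 UTC
        c_time            = $f.CreationTimeUtc.ToFileTimeUtc()
        m_time            = $f.LastWriteTimeUtc.ToFileTimeUtc()
        ms_checksum       = if ($rc -eq 0) { $checkSum } else { $null }    # $null: not a PE image or not mappable
        version           = '{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
        type              = $type
        attribute         = @($f.Attributes.ToString() -split ',\s*')      # one entry per attribute that is set
        development_class = $devClass
        company           = $vi.CompanyName
        internal_name     = $vi.InternalName
        language          = $vi.Language
        original_filename = $vi.OriginalFilename
        product_name      = $vi.ProductName
        product_version   = $vi.ProductVersion                              # may not parse as an OVAL version; compare as string then
        windows_view      = if ([Environment]::Is64BitProcess) { '64_bit' } else { '32_bit' }
    }
}

Get-FileItem "$env:SystemRoot\System32\ntdll.dll" | Format-List
```
+
+ Two details matter for comparisons: a_time and c_time come back as plausible numbers on FAT volumes even though the description above says they are only valid on NTFS, so a check should not treat them as authoritative there; and version is assembled from the four numeric parts rather than taken from the FileVersion string, because the string often carries the build stamp that development_class is parsed from.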
+
+
+
+
+
+
+
+
+
+ The FileBehaviors complex type defines a number of behaviors that allow a more detailed definition of the file_object being specified. Note that using these behaviors may result in some unique results. For example, a double negative type condition might be created where an object entity says include everything except a specific item, but a behavior is used that might then add that item back in.
+ It is important to note that the 'max_depth' and 'recurse_direction' attributes of the 'behaviors' element do not apply to the 'filepath' element, only to the 'path' and 'filename' elements. This is because the 'filepath' element represents an absolute path to a particular file and it is not possible to recurse over a file.
+
+
+
+ 'max_depth' defines the maximum depth of recursion to perform when a recurse_direction is specified. A value of '0' is equivalent to no recursion, '1' means to step only one directory level up/down, and so on. The default value is '-1' meaning no limitation. For a 'max_depth' of -1 or any value of 1 or more the starting directory must be considered in the recursive search.
+ Note that the default recurse_direction behavior is 'none' so even though max_depth specifies no limitation by default, the recurse_direction behavior turns recursion off.
+ Note that this behavior only applies with the equality operation on the path entity.
+
+
+
+
+
+
+
+
+
+
+ 'recurse' defines how to recurse into the path entity, in other words what to follow during recursion. Options include junctions, directories, or both (a junction on Windows is equivalent to a symlink on Unix). Note that a max-depth other than 0 has to be specified for recursion to take place and for this attribute to mean anything.
+ Note that this behavior only applies with the equality operation on the path entity.
+
+
+
+
+
+
+
+
+
+
+
+ 'recurse_direction' defines the direction, either 'up' to parent directories, or 'down' into child directories to recursively search for files. When recursing up or down, one is limited by the max_depth behavior. Note that it is not an error if max_depth specifies a certain level of recursion and that level does not exist. Recursing should only go as deep as available. The default value is 'none' for no recursion.
+ Note that this behavior only applies with the equality operation on the path entity.
+
+
+
+
+
+
+
+
+
+
+
+ 'recurse_file_system' defines the file system limitation of any searching and applies to all operations as specified on the path or filepath entity. The value of 'local' limits the search scope to local file systems (as opposed to file systems mounted from an external system). The value of 'defined' keeps any recursion within the file system that the file_object (path+filename or filepath) has specified. For example, if the path specified was "C:\", you would search only the C: drive, not other filesystems mounted to descendant paths. The value of 'defined' only applies when an equality operation is used for searching because the path or filepath entity must explicitly define a file system. The default value is 'all' meaning to search all available file systems for data collection.
+ Note that in most cases it is recommended that the value of 'local' be used to ensure that file system searching is limited to only the local file systems. Searching 'all' file systems may have performance implications.
+
+
+
+
+
+
+
+
+
+
+
+ 64-bit versions of Windows provide an alternate file system and registry views to 32-bit applications. This behavior allows the OVAL Object to state which view should be examined. This behavior only applies to 64-bit Windows, and must not be applied on other platforms.
+ Note that the values have the following meaning: '64_bit' - Indicates that the 64-bit view on 64-bit Windows operating systems must be examined. On a 32-bit system, the Object must be evaluated without applying the behavior. '32_bit' - Indicates that the 32-bit view must be examined. On a 32-bit system, the Object must be evaluated without applying the behavior. It is recommended that the corresponding 'windows_view' entity be set on the OVAL Items that are collected when this behavior is used to distinguish between OVAL Items that were collected in the 32-bit or 64-bit views.
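+
+ The behaviors above interact (max_depth only counts when recurse_direction is not 'none', recurse decides whether junctions are followed, recurse_file_system bounds the volumes searched), and the description of each on its own does not show the combined effect. The following PowerShell is an added example, not from the schema or any OVAL interpreter: a walk over a path + filename object that applies those behaviors, so they can be tried against a real tree. A $null filename stands for xsi:nil="true" (the directories themselves are the items); otherwise filename is treated as a pattern match (regex). The paths in the usage lines are constructed.
+
```powershell
function Get-FileObjectItems {
    param(
        [Parameter(Mandatory)][string]$Path,                # path entity, equality operation
        $Filename = $null,                                  # regex over file names, or $null for the directories themselves
        [int]$MaxDepth = -1,                                # -1: unlimited; 0: starting directory only
        [ValidateSet('none','up','down')][string]$RecurseDirection = 'none',
        [ValidateSet('directories','junctions','both')][string]$Recurse = 'directories',
        [ValidateSet('all','local','defined')][string]$RecurseFileSystem = 'all'
    )
    $start = Get-Item -LiteralPath $Path -ErrorAction Stop
    if (-not $start.PSIsContainer) { throw "path must be a directory: $Path" }
    $startRoot = [System.IO.Path]::GetPathRoot($start.FullName)

    # recurse_file_system: 'defined' stays on the volume named in the path,
    # 'local' skips network volumes, 'all' follows everything.
    $volumeOk = {
        param([System.IO.DirectoryInfo]$Dir)
        $root = [System.IO.Path]::GetPathRoot($Dir.FullName)
        switch ($RecurseFileSystem) {
            'defined' { $root -eq $startRoot }
            'local'   { try { ([System.IO.DriveInfo]$root).DriveType -ne 'Network' } catch { $false } }
            default   { $true }
        }
    }
    # recurse: junctions and symlinks are reparse points. 'junctions' keeps only those,
    # 'directories' keeps only real directories, 'both' keeps all children.
    $children = {
        param([System.IO.DirectoryInfo]$Dir)
        try { $subs = @($Dir.GetDirectories()) } catch { return }   # access denied: nothing to descend into
        foreach ($d in $subs) {
            $isLink = ($d.Attributes -band [System.IO.FileAttributes]::ReparsePoint) -ne 0
            if ($Recurse -eq 'both' -or (($Recurse -eq 'junctions') -eq $isLink)) { $d }
        }
    }

    $visited = [System.Collections.Generic.List[System.IO.DirectoryInfo]]::new()
    $visited.Add($start)                                    # the starting directory is always considered
    if ($RecurseDirection -eq 'down') {
        $frontier = @($start); $depth = 0
        while ($frontier.Count -gt 0 -and ($MaxDepth -lt 0 -or $depth -lt $MaxDepth)) {
            $frontier = @($frontier | ForEach-Object { & $children $_ } | Where-Object { & $volumeOk $_ })
            $visited.AddRange([System.IO.DirectoryInfo[]]$frontier)
            $depth++
        }
    } elseif ($RecurseDirection -eq 'up') {
        $dir = $start.Parent; $depth = 0
        while ($null -ne $dir -and ($MaxDepth -lt 0 -or $depth -lt $MaxDepth) -and (& $volumeOk $dir)) {
            $visited.Add($dir); $dir = $dir.Parent; $depth++
        }
    }

    if ($null -eq $Filename) { return $visited }           # xsi:nil="true": the items are the directories
    foreach ($dir in $visited) {
        try { $files = $dir.GetFiles() } catch { continue }
        $files | Where-Object { $_.Name -match $Filename }
    }
}

# Two levels below the drivers directory, real directories only, never leaving the C: volume:
Get-FileObjectItems -Path 'C:\Windows\System32\drivers' -Filename '\.sys$' -MaxDepth 2 -RecurseDirection down -RecurseFileSystem defined |
    Select-Object -First 5 FullName
# The directory itself as the item (for example to check its ACL next), no recursion:
Get-FileObjectItems -Path 'C:\Windows\System32\drivers' | Select-Object FullName
```
+
+ The walk does not implement windows_view: a 32-bit process on 64-bit Windows sees System32 redirected to SysWOW64 by the file system redirector, and a collector honouring '64_bit' from such a process has to undo that (for instance through the Sysnative alias) before walking. Running the collector as a 64-bit process sidesteps the problem for the 64-bit view and makes the 32-bit view an explicit SysWOW64 path.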
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The file audit permissions test is used to check the audit permissions associated with Windows files. Note that the trustee's audited permissions are the audit permissions that the SACL grants to the trustee or to any groups of which the trustee is a member. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a fileauditedpermissions53_object and the optional state element specifies the metadata to check.
+
+
+ fileauditedpermissions53_test
+ fileauditedpermissions53_object
+ fileauditedpermissions53_state
+ fileauditedpermissions_item
+
+
+
+
+
+ - the object child element of a fileauditedpermissions53_test must reference a fileauditedpermissions53_object
+
+
+ - the state child element of a fileauditedpermissions53_test must reference a fileauditedpermissions53_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The fileauditedpermissions53_object element is used by a file audited permissions test to define the objects used to evaluate against the specified state. The fileauditedpermissions53_object will collect directories and all Windows file types (FILE_TYPE_CHAR, FILE_TYPE_DISK, FILE_TYPE_PIPE, FILE_TYPE_REMOTE, and FILE_TYPE_UNKNOWN). Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic.
+ A fileauditedpermissions53_object is defined as a combination of a Windows file and trustee SID. The file represents the file to be evaluated while the trustee SID represents the account (SID) to check audited permissions of. If multiple files or SIDs are matched by either reference, then each possible combination of file and SID is a matching file audited permissions object. In addition, a number of behaviors may be provided that help guide the collection of objects. Please refer to the FileAuditPermissions53Behaviors complex type for more information about specific behaviors.
+ The set of files to be evaluated may be identified with either a complete filepath or a path and filename. Only one of these options may be selected.
+ It is important to note that the 'max_depth' and 'recurse_direction' attributes of the 'behaviors' element do not apply to the 'filepath' element, only to the 'path' and 'filename' elements. This is because the 'filepath' element represents an absolute path to a particular file and it is not possible to recurse over a file.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The filepath element specifies the absolute path for a file on the machine. A directory cannot be specified as a filepath.
+
+
+
+ - the max_depth and recurse_direction behaviors are not allowed with a filepath entity
+
+
+
+
+ - the recurse_file_system behavior MUST not be set to 'defined' when a pattern match is used with a filepath entity.
+
+
+
+
+
+
+
+
+ The path element specifies the directory component of the absolute path to a file on the machine.
+
+
+
+ - the recurse_file_system behavior MUST not be set to 'defined' when a pattern match is used with a path entity.
+ - the max_depth behavior MUST not be used when a pattern match is used with a path entity.
+ - the recurse_direction behavior MUST not be used when a pattern match is used with a path entity.
+
+
+
+
+
+
+
+ The filename element specifies the name of a file to evaluate. If the xsi:nil attribute is set to true, then the object being specified is the higher level directory object (not all the files in the directory). In this case, the filename element should not be used during collection and would result in the unique set of items being the directories themselves. For example, one would set xsi:nil to true if the desire was to test the attributes or permissions associated with a directory. Setting xsi:nil equal to true is different than using a .* pattern match, which says to collect every file under a given path.
+
+
+
+ - filename entity cannot contain the characters / \ : * ? > | < "
+ - filename entity cannot be empty unless the xsi:nil attribute is set to true or a var_ref is used
+
+
+
+
+
+
+
+
+
+ The trustee_sid entity identifies a unique SID associated with a user, group, system, or program (such as a Windows service). If an operation other than equals is used to identify matching trustees (i.e. not equal, or a pattern match) then the resulting matches shall be limited to only the trustees referenced in the file's Security Descriptor. The scope is limited here to avoid unnecessarily resource intensive searches for trustees. Note that the larger scope of all known trustees may be obtained through the use of variables.
+
+
+
+
+
+
+
+
+
+
+
+
+ The fileauditedpermissions53_state element defines the different audit permissions that can be associated with a given fileauditedpermissions53_object. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ The filepath element specifies the absolute path for a file on the machine. A directory cannot be specified as a filepath.
+
+
+
+
+ The path element specifies the directory component of the absolute path to a file on the machine.
+
+
+
+
+ The filename element specifies the name of a file to test for.
+
+
+
+ - filename entity cannot contain the characters / \ : * ? > | < "
+
+
+
+
+
+
+
+ The trustee_sid element is the unique SID associated with a user, group, system, or program (such as a Windows service).
+
+
+
+
+ The right to delete the object.
+
+
+
+
+ The right to read the information in the object's Security Descriptor, not including the information in the SACL.
+
+
+
+
+ The right to modify the DACL in the object's Security Descriptor.
+
+
+
+
+ The right to change the owner in the object's Security Descriptor.
+
+
+
+
+ The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right.
+
+
+
+
+ Indicates access to a system access control list (SACL).
+
+
+
+
+ Read access.
+
+
+
+
+ Write access.
+
+
+
+
+ Execute access.
+
+
+
+
+ Read, write, and execute access.
+
+
+
+
+ Grants the right to read data from the file.
+
+
+
+
+ Grants the right to write data to the file.
+
+
+
+
+ Grants the right to append data to the file.
+
+
+
+
+ Grants the right to read extended attributes.
+
+
+
+
+ Grants the right to write extended attributes.
+
+
+
+
+ Grants the right to execute a file.
+
+
+
+
+ Right to delete a directory and all the files it contains (its children), even if the files are read-only.
+
+
+
+
+ Grants the right to read file attributes.
+
+
+
+
+ Grants the right to change file attributes.
+
+
+
+
+ The windows view value to which this was targeted. This is used to indicate which view (32-bit or 64-bit), the associated State applies to.
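+
+ The entities above are the individual bits of an access mask, and the test description says the trustee's audited permissions include SACL entries for groups the trustee belongs to. The following PowerShell is an added example, not from the schema or any OVAL interpreter: it reads a file's SACL, combines the success and failure audit masks of every entry that applies to the trustee SID or to one of the supplied group SIDs, and splits the result into the rights listed above, reported as the four-valued audit setting. Field names follow the entity names and the mask constants are those of winnt.h. Reading a SACL requires SeSecurityPrivilege, so run elevated; the file path in the usage lines is an ordinary system file chosen for the example.
+
```powershell
# Access-mask bit behind each state entity (winnt.h constants).
$AuditRightBits = [ordered]@{
    standard_delete       = 0x00010000; standard_read_control  = 0x00020000
    standard_write_dac    = 0x00040000; standard_write_owner   = 0x00080000
    standard_synchronize  = 0x00100000; access_system_security = 0x01000000
    generic_read          = 0x80000000; generic_write          = 0x40000000
    generic_execute       = 0x20000000; generic_all            = 0x10000000
    file_read_data        = 0x00000001; file_write_data        = 0x00000002
    file_append_data      = 0x00000004; file_read_ea           = 0x00000008
    file_write_ea         = 0x00000010; file_execute           = 0x00000020
    file_delete_child     = 0x00000040; file_read_attributes   = 0x00000080
    file_write_attributes = 0x00000100
}

function Get-FileAuditedPermissions {
    param(
        [Parameter(Mandatory)][string]$FilePath,
        [Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$TrusteeSid,
        [System.Security.Principal.IdentityReference[]]$MemberOf = @()   # groups whose SACL entries also apply
    )
    $acl = Get-Acl -LiteralPath $FilePath -Audit -ErrorAction Stop
    $principals = @($TrusteeSid.Value) + @($MemberOf | ForEach-Object { $_.Translate([System.Security.Principal.SecurityIdentifier]).Value })
    $success = 0L; $failure = 0L
    # Explicit and inherited ACEs, identities returned as SIDs so no name ever needs resolving.
    foreach ($rule in $acl.GetAuditRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        if ($principals -notcontains $rule.IdentityReference.Value) { continue }
        # The enum cast keeps every bit of the ACE mask, including the generic and SACL bits.
        $mask = [int64]$rule.FileSystemRights -band 0xFFFFFFFF
        if ($rule.AuditFlags.HasFlag([System.Security.AccessControl.AuditFlags]::Success)) { $success = $success -bor $mask }
        if ($rule.AuditFlags.HasFlag([System.Security.AccessControl.AuditFlags]::Failure)) { $failure = $failure -bor $mask }
    }
    $item = [ordered]@{ filepath = $FilePath; trustee_sid = $TrusteeSid.Value }
    foreach ($name in $AuditRightBits.Keys) {
        $bit = $AuditRightBits[$name]
        $s = ($success -band $bit) -ne 0; $f = ($failure -band $bit) -ne 0
        $item[$name] = if ($s -and $f) { 'AUDIT_SUCCESS_FAILURE' } elseif ($s) { 'AUDIT_SUCCESS' } elseif ($f) { 'AUDIT_FAILURE' } else { 'AUDIT_NONE' }
    }
    [pscustomobject]$item
}

# Trustee names are case-insensitive and not unique (the reason the 53 variants key on
# SIDs); resolve a name to its SID once and match on that, never on the name.
$usersSid = ([System.Security.Principal.NTAccount]'BUILTIN\Users').Translate([System.Security.Principal.SecurityIdentifier])
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$hosts = "$env:SystemRoot\System32\drivers\etc\hosts"

# The current user, with the token's group SIDs so that entries for e.g. BUILTIN\Users count as well
Get-FileAuditedPermissions -FilePath $hosts -TrusteeSid $me.User -MemberOf $me.Groups | Format-List
# A group on its own as the trustee
Get-FileAuditedPermissions -FilePath $hosts -TrusteeSid $usersSid | Format-List
```
+
+ The group expansion is the caller's responsibility here, which is also the direction the deprecation notes below take: the interpreter is handed the SIDs to consider rather than resolving group membership itself.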
+
+
+
+
+
+
+
+
+
+ The FileAuditPermissions53Behaviors complex type defines a number of behaviors that allow a more detailed definition of the fileauditedpermissions53_object being specified. Note that using these behaviors may result in some unique results. For example, a double negative type condition might be created where an object entity says include everything except a specific item, but a behavior is used that might then add that item back in.
+ It is important to note that the 'max_depth' and 'recurse_direction' attributes of the 'behaviors' element do not apply to the 'filepath' element, only to the 'path' and 'filename' elements. This is because the 'filepath' element represents an absolute path to a particular file and it is not possible to recurse over a file.
+ The FileAuditPermissions53Behaviors extend the win-def:FileBehaviors and therefore include the behaviors defined by that type.
+
+
+
+
+
+ 'include_group' defines whether the group SID should be included in the object when the object is defined by a group SID. For example, the intent of an object defined by a group SID might be to retrieve all the user SIDs that are a member of the group, but not the group SID itself.
+
+
+ 5.10
+ The 'include_group' behavior has been deprecated in favor of using variables to reference more efficient objects for expanding groups.
+ Consider using a sid_sid_object or similar to include the members of a group.
+
+
+
+ DEPRECATED BEHAVIOR IN: win-def:fileauditedpermissions53_object
+
+
+
+
+
+
+
+ The 'resolve_group' behavior defines whether an object set defined by a group SID should be resolved to return a set that contains all the user SIDs that are a member of that group. Note that all child groups should also be resolved, and any valid domain users that are members of the group should also be included. The intent of this behavior is to end up with a list of all individual users from that system that make up the group once everything has been resolved.
+
+
+ 5.6
+ The 'resolve_group' behavior has been deprecated in favor of using variables to reference more efficient objects for expanding groups.
+ Consider using a sid_sid_object or similar to resolve the members of a group.
+
+
+
+ DEPRECATED BEHAVIOR IN: fileauditedpermissions53_object
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The file audited permissions test is used to check the audit permissions associated with Windows files. Note that the trustee's audited permissions are the audit permissions that the SACL grants to the trustee or to any groups of which the trustee is a member. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a fileauditedpermissions_object, and the optional state element references a fileauditedpermissions_state that specifies the metadata to check.
+
+
+ fileauditedpermissions_test
+ fileauditedpermissions_object
+ fileauditedpermissions_state
+ fileauditedpermissions_item
+
+
+
+
+ 5.3
+ Replaced by the fileauditedpermissions53_test. This test uses a trustee_name element for identifying trustees. Trustee names are not unique, and a new test was created to use trustee SIDs, which are unique. See the fileauditedpermissions53_test.
+ This test has been deprecated and will be removed in version 6.0 of the language.
+
+
+
+ DEPRECATED TEST: ID:
+
+
+
+
+
+
+ - the object child element of a fileauditedpermissions_test must reference a fileauditedpermissions_object
+
+
+ - the state child element of a fileauditedpermissions_test must reference a fileauditedpermissions_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The fileauditedpermissions_object element is used by a file audited permissions test to define the objects used to evaluate against the specified state. The fileauditedpermissions_object will collect directories and all Windows file types (FILE_TYPE_CHAR, FILE_TYPE_DISK, FILE_TYPE_PIPE, FILE_TYPE_REMOTE, and FILE_TYPE_UNKNOWN). Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic.
+ A fileauditedpermissions_object is defined as a combination of a Windows file and trustee name. The file represents the file to be evaluated while the trustee name represents the account (SID) to check audited permissions of. If multiple files or SIDs are matched by either reference, then each possible combination of file and SID is a matching file audited permissions object. In addition, a number of behaviors may be provided that help guide the collection of objects. Please refer to the FileAuditPermissionsBehaviors complex type for more information about specific behaviors.
+
+
+ 5.3
+ Replaced by the fileauditedpermissions53_object. This object uses a trustee_name element for identifying trustees. Trustee names are not unique, and a new object was created to use trustee SIDs, which are unique. See the fileauditedpermissions53_object.
+ This object has been deprecated and will be removed in version 6.0 of the language.
+
+
+
+ DEPRECATED OBJECT: ID:
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The path element specifies the directory component of the absolute path to a file on the machine.
+
+
+
+
+ The filename element specifies the name of a file to evaluate. If the xsi:nil attribute is set to true, then the object being specified is the higher level directory object (not all the files in the directory). In this case, the filename element should not be used during collection and would result in the unique set of items being the directories themselves. For example, one would set xsi:nil to true if the desire was to test the attributes or permissions associated with a directory. Setting xsi:nil equal to true is different than using a .* pattern match, which says to collect every file under a given path.
+
+
+
+ - filename entity cannot contain the characters / \ : * ? > | < "
+ - filename entity cannot be empty unless the xsi:nil attribute is set to true or a var_ref is used
+
+
+
+
+
+
+
+ The trustee_name element is the unique name that associated a particular SID. A SID can be associated with a user, group, or program (such as a Windows service). In Windows, trustee names are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, trustee names should be identified in the form: "domain\trustee name". For local trustee names use: "computer name\trustee name". For built-in accounts on the system, use the trustee name without a domain.
+
+
+
+
+
+
+
+
+
+
+
+ The fileauditedpermissions_state element defines the different audit permissions that can be associated with a given fileauditedpermissions_object. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+ 5.3
+ Replaced by the fileauditedpermissions53_state. This state uses a trustee_name element for identifying trustees. Trustee names are not unique, and a new state was created to use trustee SIDs, which are unique. See the fileauditedpermissions53_state.
+ This state has been deprecated and will be removed in version 6.0 of the language.
+
+
+
+ DEPRECATED STATE: ID:
+
+
+
+
+
+
+
+
+
+
+ The path element specifies the directory component of the absolute path to a file on the machine.
+
+
+
+
+ The filename element specifies the name of a file to test for.
+
+
+
+ - filename entity cannot contain the characters / \ : * ? > | < "
+
+
+
+
+
+
+
+ The trustee_name is the unique name associated with a particular security identifier (SID). In Windows, trustee names are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, trustee names should be identified in the form: "domain\trustee name". For local trustee names use: "computer name\trustee name". For built-in accounts on the system, use the trustee name without a domain.
+
+
+
+
+ The right to delete the object.
+
+
+
+
+ The right to read the information in the object's Security Descriptor, not including the information in the SACL.
+
+
+
+
+ The right to modify the DACL in the object's Security Descriptor.
+
+
+
+
+ The right to change the owner in the object's Security Descriptor.
+
+
+
+
+ The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right.
+
+
+
+
+ Indicates access to a system access control list (SACL).
+
+
+
+
+ Read access.
+
+
+
+
+ Write access.
+
+
+
+
+ Execute access.
+
+
+
+
+ Read, write, and execute access.
+
+
+
+
+ Grants the right to read data from the file.
+
+
+
+
+ Grants the right to write data to the file.
+
+
+
+
+ Grants the right to append data to the file.
+
+
+
+
+ Grants the right to read extended attributes.
+
+
+
+
+ Grants the right to write extended attributes.
+
+
+
+
+ Grants the right to execute a file.
+
+
+
+
+ Right to delete a directory and all the files it contains (its children), even if the files are read-only.
+
+
+
+
+ Grants the right to read file attributes.
+
+
+
+
+ Grants the right to change file attributes.
+
+
+
+
+ The windows view value to which this was targeted. This is used to indicate which view (32-bit or 64-bit), the associated State applies to.
+
+
+
+
+
+
+
+
+
+ The FileAuditPermissionsBehaviors complex type defines a number of behaviors that allow a more detailed definition of the fileauditpermissions_object being specified. Note that using these behaviors may result in some unique results. For example, a double negative type condition might be created where an object entity says include everything except a specific item, but a behavior is used that might then add that item back in.
+ The FileAuditPermissionsBehaviors extend the win-def:FileBehaviors and therefore include the behaviors defined by that type.
+
+
+ 5.3
+ Replaced by the FileAuditPermissionsBehaviors53. The FileAuditPermissionsBehaviors complex type is used by the fileauditedpermissions_test which uses a trustee_name element for identifying trustees. Trustee names are not unique, and a new test was created to use trustee SIDs, which are unique. This new test utilizes the FileAuditPermissionsBehaviors53 complex type, and as a result, the FileAuditPermissionsBehaviors complex type is no longer needed.
+ This complex type has been deprecated and will be removed in version 6.0 of the language.
+
+
+
+
+
+
+
+ 'include_group' defines whether the group trustee name should be included in the object when the object is defined by a group trustee name. For example, the intent of an object defined by a group trustee name might be to retrieve all the user SIDs that are a member of the group, but not the group trustee name itself.
+
+
+ 5.10
+ The 'include_group' behavior has been deprecated in favor of using variables to reference more efficient objects for expanding groups.
+ Consider using a sid_object or similar to include the members of a group.
+
+
+
+ DEPRECATED BEHAVIOR IN: win-def:fileauditedpermissions_object
+
+
+
+
+
+
+
+ The 'resolve_group' behavior defines whether an object set defined by a group SID should be resolved to return a set that contains all the user SIDs that are a member of that group. Note that all child groups should also be resolved any valid domain users that are members of the group should also be included. The intent of this behavior is to end up with a list of all individual users from that system that make up the group once everything has been resolved.
+
+
+ 5.6
+ The 'resolve_group' behavior has been deprecated in favor of using variables to reference more efficient objects for expanding groups.
+ Consider using a sid_object or similar to resolve the members of a group.
+
+
+
+ DEPRECATED BEHAVIOR IN: fileauditedpermissions_object
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The file effective rights test is used to check the effective rights associated with Windows files. Note that the trustee's effective access rights are the access rights that the DACL grants to the trustee or to any groups of which the trustee is a member. The fileeffectiverights53_test element extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a fileeffectiverights53_object and the optional state element specifies the metadata to check.
+
+
+ fileeffectiverights53_test
+ fileeffectiverights53_object
+ fileeffectiverights53_state
+ fileeffectiverights_item
+
+
+
+
+
+ - the object child element of a fileeffectiverights53_test must reference a fileeffectiverights53_object
+
+
+ - the state child element of a fileeffectiverights53_test must reference a fileeffectiverights53_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The fileeffectiverights53_object element is used by a file effective rights test to define the objects used to evalutate against the specified state. The fileeffectiverights53_object will collect directories and all Windows file types (FILE_TYPE_CHAR, FILE_TYPE_DISK, FILE_TYPE_PIPE, FILE_TYPE_REMOTE, and FILE_TYPE_UNKNOWN). Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic.
+ A fileeffectiverights53_object is defined as a combination of a Windows file and trustee SID. The file represents the file to be evaluated while the trustee SID represents the account (SID) to check effective rights of. If multiple files or SIDs are matched by either reference, then each possible combination of file and SID is a matching file effective rights object. In addition, a number of behaviors may be provided that help guide the collection of objects. Please refer to the FileEffectiveRights53Behaviors complex type for more information about specific behaviors.
+ The set of files to be evaluated may be identified with either a complete filepath or a path and filename. Only one of these options may be selected.
+ It is important to note that the 'max_depth' and 'recurse_direction' attributes of the 'behaviors' element do not apply to the 'filepath' element, only to the 'path' and 'filename' elements. This is because the 'filepath' element represents an absolute path to a particular file and it is not possible to recurse over a file.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The filepath element specifies the absolute path for a file on the machine. A directory cannot be specified as a filepath.
+
+
+
+ - the max_depth and recurse_direction behaviors are not allowed with a filepath entity
+
+
+
+
+ - the recurse_file_system behavior MUST not be set to 'defined' when a pattern match is used with a filepath entity.
+
+
+
+
+
+
+
+
+ The path element specifies the directory component of the absolute path to a file on the machine.
+
+
+
+ - the recurse_file_system behavior MUST not be set to 'defined' when a pattern match is used with a path entity.
+ - the max_depth behavior MUST not be used when a pattern match is used with a path entity.
+ - the recurse_direction behavior MUST not be used when a pattern match is used with a path entity.
+
+
+
+
+
+
+
+ The filename element specifies the name of a file to evaluate. If the xsi:nil attribute is set to true, then the object being specified is the higher level directory object (not all the files in the directory). In this case, the filename element should not be used during collection and would result in the unique set of items being the directories themselves. For example, one would set xsi:nil to true if the desire was to test the attributes or permissions associated with a directory. Setting xsi:nil equal to true is different than using a .* pattern match, which says to collect every file under a given path..
+
+
+
+ - filename entity cannot contain the characters / \ : * ? > | < "
+ - filename entity cannot be empty unless the xsi:nil attribute is set to true or a var_ref is used
+
+
+
+
+
+
+
+
+
+ The trustee_sid entity identifies a unique SID associated with a user, group, system, or program (such as a Windows service). If an operation other than equals is used to identify matching trustees (i.e. not equal, or a pattern match) then the resulting matches shall be limited to only the trustees referenced in the file's Security Descriptor. The scope is limited here to avoid unnecessarily resource intensive searches for trustees. Note that the larger scope of all known trustees may be obtained through the use of variables.
+
+
+
+
+
+
+
+
+
+
+
+
+ The fileeffectiverights53_state element defines the different rights that can be associated with a given fileeffectiverights53_object. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ The filepath element specifies the absolute path for a file on the machine. A directory cannot be specified as a filepath.
+
+
+
+
+ The path element specifies the directory component of the absolute path to a file on the machine.
+
+
+
+
+ The filename element specifies the name of the file.
+
+
+
+ - filename entity cannot contain the characters / \ : * ? > | < "
+
+
+
+
+
+
+
+ The trustee_sid element is the unique SID that associated a user, group, system, or program (such as a Windows service).
+
+
+
+
+ The right to delete the object.
+
+
+
+
+ The right to read the information in the object's Security Descriptor, not including the information in the SACL.
+
+
+
+
+ The right to modify the DACL in the object's Security Descriptor.
+
+
+
+
+ The right to change the owner in the object's Security Descriptor.
+
+
+
+
+ The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right.
+
+
+
+
+ Indicates access to a system access control list (SACL).
+
+
+
+
+ Read access.
+
+
+
+
+ Write access.
+
+
+
+
+ Execute access.
+
+
+
+
+ Read, write, and execute access.
+
+
+
+
+ Grants the right to read data from the file, or if a directory, grants the right to list the contents of the directory.
+
+
+
+
+ Grants the right to write data to the file, or if a directory, grants the right to add a file to the directory.
+
+
+
+
+ Grants the right to append data to the file, or if a directory, grants the right to add a sub-directory to the directory.
+
+
+
+
+ Grants the right to read extended attributes.
+
+
+
+
+ Grants the right to write extended attributes.
+
+
+
+
+ Grants the right to execute a file, or if a directory, the right to traverse the directory.
+
+
+
+
+ Right to delete a directory and all the files it contains (its children), even if the files are read-only.
+
+
+
+
+ Grants the right to read file, or directory, attributes.
+
+
+
+
+ Grants the right to change file, or directory, attributes.
+
+
+
+
+ The windows view value to which this was targeted. This is used to indicate which view (32-bit or 64-bit), the associated State applies to.
+
+
+
+
+
+
+
+
+
+ The FileEffectiveRights53Behaviors complex type defines a number of behaviors that allow a more detailed definition of the fileeffectiverights53_object being specified. Note that using these behaviors may result in some unique results. For example, a double negative type condition might be created where an object entity says include everything except a specific item, but a behavior is used that might then add that item back in.
+ It is important to note that the 'max_depth' and 'recurse_direction' attributes of the 'behaviors' element do not apply to the 'filepath' element, only to the 'path' and 'filename' elements. This is because the 'filepath' element represents an absolute path to a particular file and it is not possible to recurse over a file.
+ The FileEffectiveRights53Behaviors extend the win-def:FileBehaviors and therefore include the behaviors defined by that type.
+
+
+
+
+
+ 'include_group' defines whether the group SID should be included in the object when the object is defined by a group SID. For example, the intent of an object defined by a group SID might be to retrieve all the user SIDs that are a member of the group, but not the group SID itself.
+
+
+ 5.10
+ The 'include_group' behavior has been deprecated in favor of using variables to reference more efficient objects for expanding groups.
+ Consider using a sid_sid_object or similar to include the members of a group.
+
+
+
+ DEPRECATED BEHAVIOR IN: win-def:fileeffectiverights53_object
+
+
+
+
+
+
+
+ The 'resolve_group' behavior defines whether an object set defined by a group SID should be resolved to return a set that contains all the user SIDs that are a member of that group. Note that all child groups should also be resolved any valid domain users that are members of the group should also be included. The intent of this behavior is to end up with a list of all individual users from that system that make up the group once everything has been resolved.
+
+
+ 5.6
+ The 'resolve_group' behavior has been deprecated in favor of using variables to reference more efficient objects for expanding groups.
+ Consider using a sid_sid_object or similar to resolve the members of a group.
+
+
+
+ DEPRECATED BEHAVIOR IN: fileeffectiverights53_object
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The file effective rights test is used to check the effective rights associated with Windows files. Note that the trustee's effective access rights are the access rights that the DACL grants to the trustee or to any groups of which the trustee is a member. The fileeffectiverights_test element extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a fileeffectiverights_object and the optional state element specifies the metadata to check.
+
+
+ fileeffectiverights_test
+ fileeffectiverights_object
+ fileeffectiverights_state
+ fileeffectiverights_item
+
+
+
+
+ 5.3
+ Replaced by the fileeffectiverights53_test. This test uses a trustee_name element for identifying trustees. Trustee names are not unique, and a new test was created to use trustee SIDs, which are unique. See the fileeffectiverights53_test.
+ This test has been deprecated and will be removed in version 6.0 of the language.
+
+
+
+ DEPRECATED TEST: ID:
+
+
+
+
+
+
+ - the object child element of a fileeffectiverights_test must reference a fileeffectiverights_object
+
+
+ - the state child element of a fileeffectiverights_test must reference a fileeffectiverights_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The fileeffectiverights_object element is used by a file effective rights test to define the objects used to evalutate against the specified state. The fileeffectiverights_object will collect directories and all Windows file types (FILE_TYPE_CHAR, FILE_TYPE_DISK, FILE_TYPE_PIPE, FILE_TYPE_REMOTE, and FILE_TYPE_UNKNOWN). Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic.
+ A fileeffectiverights_object is defined as a combination of a Windows file and trustee name. The file represents the file to be evaluated while the trustee name represents the account (SID) to check effective rights of. If multiple files or SIDs are matched by either reference, then each possible combination of file and SID is a matching file effective rights object. In addition, a number of behaviors may be provided that help guide the collection of objects. Please refer to the FileEffectiveRightsBehaviors complex type for more information about specific behaviors.
+
+
+ 5.3
+ Replaced by the fileeffectiverights_object. This object uses a trustee_name element for identifying trustees. Trustee names are not unique, and a new object was created to use trustee SIDs, which are unique. See the fileeffectiverights53_object.
+ This object has been deprecated and will be removed in version 6.0 of the language.
+
+
+
+ DEPRECATED OBJECT: ID:
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The path element specifies the directory component of the absolute path to a file on the machine.
+
+
+
+
+ The filename element specifies the name of a file to evaluate. If the xsi:nil attribute is set to true, then the object being specified is the higher level directory object (not all the files in the directory). In this case, the filename element should not be used during collection and would result in the unique set of items being the directories themselves. For example, one would set xsi:nil to true if the desire was to test the attributes or permissions associated with a directory. Setting xsi:nil equal to true is different than using a .* pattern match, which says to collect every file under a given path.
+
+
+
+ - filename entity cannot contain the characters / \ : * ? > | < "
+ - filename entity cannot be empty unless the xsi:nil attribute is set to true or a var_ref is used
+
+
+
+
+
+
+
+ The trustee_name element is the unique name that associated a particular SID. A SID can be associated with a user, group, or program (such as a Windows service). In Windows, trustee names are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, trustee names should be identified in the form: "domain\trustee name". For local trustee names use: "computer name\trustee name". For built-in accounts on the system, use the trustee name without a domain.
+
+
+
+
+
+
+
+
+
+
+
+ The fileeffectiverights_state element defines the different rights that can be associated with a given fileeffectiverights_object. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+ 5.3
+ Replaced by the fileeffectiverights53_state. This state uses a trustee_name element for identifying trustees. Trustee names are not unique, and a new state was created to use trustee SIDs, which are unique. See the fileeffectiverights53_state.
+ This state has been deprecated and will be removed in version 6.0 of the language.
+
+
+
+ DEPRECATED STATE: ID:
+
+
+
+
+
+
+
+
+
+
+ The path element specifies the directory component of the absolute path to a file on the machine.
+
+
+
+
+ The filename element specifies the name of the file.
+
+
+
+ - filename entity cannot contain the characters / \ : * ? > | < "
+
+
+
+
+
+
+
+ The unique name associated with a particular security identifier (SID). In Windows, trustee names are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, trustee names should be identified in the form: "domain\trustee name". For local trustee names use: "computer name\trustee name". For built-in accounts on the system, use the trustee name without a domain.
+
+
+
+
+ The right to delete the object.
+
+
+
+
+ The right to read the information in the object's Security Descriptor, not including the information in the SACL.
+
+
+
+
+ The right to modify the DACL in the object's Security Descriptor.
+
+
+
+
+ The right to change the owner in the object's Security Descriptor.
+
+
+
+
+ The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right.
+
+
+
+
+ Indicates access to a system access control list (SACL).
+
+
+
+
+ Read access.
+
+
+
+
+ Write access.
+
+
+
+
+ Execute access.
+
+
+
+
+ Read, write, and execute access.
+
+
+
+
+ Grants the right to read data from the file, or if a directory, grants the right to list the contents of the directory.
+
+
+
+
+ Grants the right to write data to the file, or if a directory, grants the right to add a file to the directory.
+
+
+
+
+ Grants the right to append data to the file, or if a directory, grants the right to add a sub-directory to the directory.
+
+
+
+
+ Grants the right to read extended attributes.
+
+
+
+
+ Grants the right to write extended attributes.
+
+
+
+
+ Grants the right to execute a file, or if a directory, the right to traverse the directory.
+
+
+
+
+ Right to delete a directory and all the files it contains (its children), even if the files are read-only.
+
+
+
+
+ Grants the right to read file, or directory, attributes.
+
+
+
+
+ Grants the right to change file, or directory, attributes.
+
+
+
+
+ The windows view value to which this was targeted. This is used to indicate which view (32-bit or 64-bit), the associated State applies to.
+
+
+
+
+
+
+
+
+
+ The FileEffectiveRightsBehaviors complex type defines a number of behaviors that allow a more detailed definition of the fileeffectiverights_object being specified. Note that using these behaviors may result in some unique results. For example, a double negative type condition might be created where an object entity says include everything except a specific item, but a behavior is used that might then add that item back in.
+ The FileEffectiveRightsBehaviors extend the win-def:FileBehaviors and therefore include the behaviors defined by that type.
+
+
+ 5.3
+ Replaced by the FileEffectiveRightsBehaviors53. The FileEffectiveRightsBehaviors complex type is used by the fileeffectiverights_test which uses a trustee_name element for identifying trustees. Trustee names are not unique, and a new test was created to use trustee SIDs, which are unique. This new test utilizes the FileEffectiveRightsBehaviors53 complex type, and as a result, the FileEffectiveRightsBehaviors complex type is no longer needed.
+ This complex type has been deprecated and will be removed in version 6.0 of the language.
+
+
+
+
+
+
+
+ 'include_group' defines whether the group trustee name should be included in the object when the object is defined by a group trustee name. For example, the intent of an object defined by a group SID might be to retrieve all the user trustee names that are members of the group, but not the group trustee name itself.
+
+
+ 5.10
+ The 'include_group' behavior has been deprecated in favor of using variables to reference more efficient objects for expanding groups.
+ Consider using a sid_object or similar to include the members of a group.
+
+
+
+ DEPRECATED BEHAVIOR IN: win-def:fileeffectiverights_object
+
+
+
+
+
+
+
+ The 'resolve_group' behavior defines whether an object set defined by a group SID should be resolved to return a set that contains all the user SIDs that are a member of that group. Note that all child groups should also be resolved any valid domain users that are members of the group should also be included. The intent of this behavior is to end up with a list of all individual users from that system that make up the group once everything has been resolved.
+
+
+ 5.6
+ The 'resolve_group' behavior has been deprecated in favor of using variables to reference more efficient objects for expanding groups.
+ Consider using a sid_object or similar to resolve the members of a group.
+
+
+
+ DEPRECATED BEHAVIOR IN: fileeffectiverights_object
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The group_test allows the different users and subgroups, that directly belong to specific groups (identified by name), to be tested. When the group_test collects the groups on the system, it should only include the local and built-in group accounts and not domain group accounts. However, it is important to note that domain group accounts can still be looked up. Also, note that the subgroups of the group will not be resolved to find indirect user and group members. If the subgroups need to be resolved, it should be done using the sid_object. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a group_object and the optional state element specifies the metadata to check.
+
+
+ group_test
+ group_object
+ group_state
+ group_item
+
+
+
+
+ 5.11
+ Replaced by the group_sid_test. This test uses trustee names for identifying accounts on the system. Trustee names are not unique and the group_sid_test, which uses trustee SIDs which are unique, should be used instead. See the group_sid_test.
+ This test has been deprecated and will be removed in version 6.0 of the language.
+
+
+
+ DEPRECATED TEST: ID:
+
+
+
+
+
+
+ - the object child element of a group_test must reference a group_object
+
+
+ - the state child element of a group_test must reference a group_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The group_object element is used by a group test to define the specific group(s) (identified by name) to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+
+ 5.11
+ Replaced by the group_sid_object. This object uses trustee names for identifying accounts on the system. Trustee names are not unique and the group_sid_object, which uses trustee SIDs which are unique, should be used instead. See the group_sid_object.
+ This object has been deprecated and will be removed in version 6.0 of the language.
+
+
+
+ DEPRECATED OBJECT: ID:
+
+
+
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The group element holds a string that represents the name of a particular group. In Windows, group names are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, the group should be identified in the form: "domain\group name". In a local environment, the group should be identified in the form: "computer name\group name". If the group is a built-in group, the group should be identified in the form: "group name" without a domain component.
+
+
+
+
+
+
+
+
+
+
+
+
+ The group_state element enumerates the different users and subgroups directly associated with a Windows group. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+ 5.11
+ Replaced by the group_sid_state. This state uses trustee names for identifying accounts on the system. Trustee names are not unique and the group_sid_state, which uses trustee SIDs which are unique, should be used instead. See the group_sid_state.
+ This state has been deprecated and will be removed in version 6.0 of the language.
+
+
+
+ DEPRECATED STATE: ID:
+
+
+
+
+
+
+
+
+
+
+ The group element holds a string that represents the name of a particular group. In Windows, group names are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, groups should be identified in the form: "domain\group name". For local groups use: "computer name\group name". For built-in accounts on the system, use the group name without a domain.
+
+
+
+
+ The user element holds a string that represents the name of a particular user. In Windows, user names are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, users should be identified in the form: "domain\user name". For local users use: "computer name\user name". For built-in accounts on the system, use the user name without a domain.
+ The user element can be included multiple times in a system characteristic item in order to record that a group contains a number of different users. Note that the entity_check attribute associated with EntityStateStringType guides the evaluation of entities like user that refer to items that can occur an unbounded number of times.
+
+
+
+
+ A string that represents the name of a particular subgroup in the specified group. In Windows, group names are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, the subgroups should be identified in the form: "domain\group name". In a local environment, the subgroups should be identified in the form: "computer name\group name". If the subgroups are built-in groups, the subgroups should be identified in the form: "group name" without a domain component.
+ The subgroup element can be included multiple times in a system characteristic item in order to record that a group contains a number of different subgroups. Note that the entity_check attribute associated with EntityStateStringType guides the evaluation of entities like the subgroup entity that refer to items that can occur an unbounded number of times.
+
+
+
+
+
+
+
+
+
+
+
+
+ The group_sid_test allows the different users and subgroups, that directly belong to specific groups (identified by SID), to be tested. When the group_sid_test collects the group SIDs on the system, it should only include the local and built-in group SIDs and not domain group SIDs. However, it is important to note that domain group SIDs can still be looked up. Also, note that the subgroups of the group will not be resolved to find indirect user and group members. If the subgroups need to be resolved, it should be done using the sid_sid_object. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a group_sid_object and the optional state element specifies the metadata to check.
+
+
+ group_sid_test
+ group_sid_object
+ group_sid_state
+ group_sid_item
+
+
+
+
+
+ - the object child element of a group_sid_test must reference a group_sid_object
+
+
+ - the state child element of a group_sid_test must reference a group_sid_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The group_sid_object element is used by a group_test to define the specific group(s) (identified by SID) to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The group_sid entity holds a string that represents the SID of a particular group.
+
+
+
+
+
+
+
+
+
+
+
+
+ The group_state element enumerates the different users and subgroups directly associated with a Windows group. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ The group_sid entity holds a string that represents the SID of a particular group.
+
+
+
+
+ The user_sid entity holds a string that represents the SID of a particular user. This entity can be included multiple times in a system characteristic item in order to record that a group contains a number of different users. Note that the entity_check attribute associated with EntityStateStringType guides the evaluation of entities like user that refer to items that can occur an unbounded number of times.
+
+
+
+
+ The subgroup_sid entity holds a string that represents the SID of particular subgroup in the specified group. This entity can be included multiple times in a system characteristic item in order to record that a group contains a number of different subgroups. Note that the entity_check attribute associated with EntityStateStringType guides the evaluation of entities like subgroup_sid that refer to items that can occur an unbounded number of times.
+
+
+
+
+
+
+
+
+
+
+
+
+ The interface test enumerate various attributes about the interfaces on a system. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references an interface_object and the optional state element specifies the interface information to check.
+
+
+ interface_test
+ interface_object
+ interface_state
+ interface_item
+
+
+
+
+
+ - the object child element of an interface_test must reference an interface_object
+
+
+ - the state child element of an interface_test must reference an interface_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The interface_object element is used by an interface test to define the specific interfaces(s) to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+ An interface object consists of a single name entity that identifies which interface is being specified. For help understanding this object, see the MIB_IFROW and MIB_IPADDRROW structures.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The name element specifies the name of an interface.
+
+
+
+
+
+
+
+
+
+
+
+
+ The interface_state element enumerates the different properties associate with a Windows interface. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ The name element specifies the name of an interface.
+
+
+
+
+ The index element specifies index that identifies the interface.
+
+
+
+
+ The type element specifies the type of interface which is limited to certain set of values.
+
+
+
+
+ The hardware_addr entity is the hardware or MAC address of the physical network card. MAC addresses should be formatted according to the IEEE 802-2001 standard which states that a MAC address is a sequence of six octet values, separated by hyphens, where each octet is represented by two hexadecimal digits. Uppercase letters should also be used to represent the hexadecimal digits A through F.
+
+
+
+
+ The inet_addr element specifies the IP address. Note that the IP address can be IPv4 or IPv6. If the IP address is an IPv6 address, this entity will be expressed as an IPv6 address prefix using CIDR notation and the netmask entity will not be collected.
+
+
+
+
+ The broadcast_addr element specifies the broadcast address. A broadcast address is typically the IP address with the host portion set to either all zeros or all ones. Note that the IP address can be IPv4 or IPv6.
+
+
+
+
+ The netmask element specifies the subnet mask for the IP address. Note that if the inet_addr entity contains an IPv6 address prefix, this entity will not be collected.
+
+
+
+
+ The addr_type element specifies the address type or state of a specific interface. Each interface can be associated with more than one value meaning the addr_type element can occur multiple times in a system characteristic item. Note that the entity_check attribute associated with EntityStateAddrTypeType guides the evaluation of unbounded entities like addr_type.
+
+
+
+
+
+
+
+
+
+
+
+
+ The junction_test is used to obtain canonical path information for junctions (reparse points) on Windows filesystems.
+
+
+ junction_test
+ junction_object
+ junction_state
+ junction_item
+
+
+
+
+
+ - the object child element of a junction_test must reference a junction_object
+
+
+ - the state child element of a junction_test must reference a junction_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The junction_object element is used by a junction_test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+ A junction_object consists of a path entity that contains the path to a symbolic link file. The resulting item identifies the canonical path of the link target (followed to its final destination, if there are intermediate links), an error if the link target does not exist or is a circular link (e.g., a link to itself). If the directory located at path is not a junction, or if there is no directory located at the path, then any resulting item would itself have a status of does not exist.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Specifies the path to the junction.
+
+
+
+
+
+
+
+
+
+
+
+
+ The junction_state element defines a value used to evaluate the result of a specific junction_object item.
+
+
+
+
+
+
+
+ Specifies the path used to create the object.
+
+
+
+
+ Specifies the canonical path for the target of a Windows junction specified by the path.
+
+
+
+
+ The windows view value to which this was targeted. This is used to indicate which view (32-bit or 64-bit), the associated State applies to.
+
+
+
+
+
+
+
+
+
+
+
+
+ The license_test is used to check the content of a particular entry in the Windows registry HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions key, ProductPolicy value. Access to this data is exposed by the functions NtQueryLicenseValue (and also, in version 6.0 and higher, ZwQueryLicenseValue) in NTDLL.DLL.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The license_object element is used by a license_test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+
+
+
+
+
+
+
+
+
+ The name entity provides the address of a UNICODE_STRING structure for the name of the value for which data is desired, for example, TabletPCPlatformInput-core-EnableTouchUI.
+
+
+
+
+
+
+
+
+
+
+
+
+ The license_state element defines the different information that can be found in the Windows license registry value. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ The name entity corresponds to the license_object name entity.
+
+
+
+
+ The optional type entity provides the type of data that is expected: REG_SZ (0x01) for a string; REG_BINARY (0x03) for binary data; REG_DWORD (0x04) for a dword.
+
+
+
+
+ The value entity allows a test to be written against the value held within the specified license entry(-ies). If the value being tested is of type REG_BINARY, then the datatype attribute should be set to 'binary' and the data represented by the value entity should follow the xsd:hexBinary form. (each binary octet is encoded as two hex digits) If the value being tested is of type REG_DWORD, then the datatype attribute should be set to 'int' and the value entity should represent the data as an integer. If the specified registry key is of type REG_SZ, then the datatype should be 'string' and the value entity should be a copy of the string.
+ Note that if the intent is to test a version number held in the license entry (as a reg_sz) then instead of setting the datatype to 'string', the datatype can be set to 'version'. This allows tools performing the evaluation to know how to perform less than and greater than operations correctly.
+
+
+
+
+
+
+
+
+
+
+
+
+ The lockout policy test enumerates various attributes associated with lockout information for users and global groups in the security database. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a lockoutpolicy_object and the optional state element specifies the metadata to check.
+
+
+ lockoutpolicy_test
+ lockoutpolicy_object
+ lockoutpolicy_state
+ lockoutpolicy_item
+
+
+
+
+
+ - the object child element of a lockoutpolicy_test must reference a lockoutpolicy_object
+
+
+ - the state child element of a lockoutpolicy_test must reference a lockoutpolicy_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The lockoutpolicy_object element is used by a lockout policy test to define those objects to evaluated based on a specified state. There is actually only one object relating to lockout policy and this is the system as a whole. Therefore, there are no child entities defined. Any OVAL Test written to check lockout policy will reference the same lockoutpolicy_object which is basically an empty object element.
+
+
+
+
+
+
+
+
+
+ The lockoutpolicy_state element specifies the various attributes associated with lockout information for users and global groups in the security database. A lockout policy test will reference a specific instance of this state that defines the exact settings that need to be evaluated. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ Specifies, in seconds (from a DWORD), the amount of time between the end of the valid logon time and the time when the user is forced to log off the network. A value of TIMEQ_FOREVER (max DWORD value, 4294967295) indicates that the user is never forced to log off. A value of zero indicates that the user will be forced to log off immediately when the valid logon time expires. See the USER_MODALS_INFO_0 structure returned by a call to NetUserModalsGet().
+
+
+
+ - the value of force_logoff must be greater than or equal to zero
+
+
+
+
+
+
+
+ Specifies, in seconds, how long a locked account remains locked before it is automatically unlocked. See the USER_MODALS_INFO_3 structure returned by a call to NetUserModalsGet().
+
+
+
+ - the value of lockout_duration must be greater than or equal to zero
+
+
+
+
+
+
+
+ Specifies the maximum time, in seconds, that can elapse between any two failed logon attempts before lockout occurs. See the USER_MODALS_INFO_3 structure returned by a call to NetUserModalsGet().
+
+
+
+
+ Specifies the number of invalid password authentications that can occur before an account is marked "locked out." See the USER_MODALS_INFO_3 structure returned by a call to NetUserModalsGet().
+
+
+
+
+
+
+
+
+
+
+
+
+ The metabase test is used to check information found in the Windows metabase. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a metabase_object and the optional state element specifies the metadata to check.
+
+
+ metabase_test
+ metabase_object
+ metabase_state
+ metabase_item
+
+
+
+
+
+ - the object child element of a metabase_test must reference a metabase_object
+
+
+ - the state child element of a metabase_test must reference a metabase_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The metabase_object element is used by a metabase test to define the specific metabase item(s) to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+ A metabase object defines the key and id of the item(s).
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The key element specifies a metabase key.
+
+
+
+
+ The id element specifies a particular object under the metabase key. If the xsi:nil attribute is set to true, then the object being specified is the higher level key. In this case, the id element should not be collected or used in analysis. Setting xsi:nil equal to true is different than using a .* pattern match, says to collect every id under a given key. The most likely use for xsi:nil within a metabase object is when checking for the existence of a particular key, without regards to the different ids associated with it.
+
+
+
+
+
+
+
+
+
+
+
+
+ The metabase_state element defines the different metadata associate with a metabase item. This includes the name, user type, data type, and the actual data. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ The key element specifies a metabase key.
+
+
+
+
+ The id element specifies a particular object under the metabase key.
+
+
+
+
+ The name element describes the name of the specified metabase object. This is intended to be the string name of the constant from IIScnfg.h, e.g., MD_KEY_TYPE.
+
+
+
+
+ The user_type element is an unsigned 32-bit integer (DWORD) that specifies the user type of the data. See the METADATA_RECORD structure.
+
+
+
+
+ The data_type element identifies the type of data in the metabase entry. See the METADATA_RECORD structure.
+
+
+
+
+ The actual data of the named item under the specified metabase key
+
+
+
+
+
+
+
+
+
+
+
+
+ The ntuser test is used to check metadata associated with Windows ntuser.dat files. It extends the standard TestType as defined in the oval-definitions-schema and
+ one should refer to the TestType description for more information. The required object element references a ntuser_object and the optional state element specifies the ntuser
+ data to check.
+
+
+ ntuser_test
+ ntuser_object
+ ntuser_state
+ ntuser_item
+
+
+
+
+
+ - the object child
+ element of a ntuser_test must reference a ntuser_object
+
+
+ - the state child element
+ of a ntuser_test must reference a ntuser_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The ntuser_object element is used to specify which metadata should be collected from a Windows ntuser.dat file. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for
+ '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The key element describes a registry key to be collected. Note that the hive portion of the string should not be
+ included, as this data is not neccessary for the ntuser test and would normally reside in the HKCU hive.
+
+
+
+ - the max_depth
+ behavior MUST not be used when a pattern match is used with a key entity.
+ - the
+ recurse_direction behavior MUST not be used when a pattern match is used with a key entity.
+
+
+
+
+
+
+
+ The name element describes the name assigned to a value associated with a specific registry key. If an empty string is
+ specified for the name element, the registry key's default value should be collected. If the xsi:nil attribute is set to true, then
+ the object being specified is the higher level key. In this case, the name element should not be collected or used in analysis.
+ Setting xsi:nil equal to true on an element is different than using a .* pattern match. A .* pattern match says to collect every name
+ under a given hive/key. The most likely use for xsi:nil within a registry object is when checking for the existence of a particular
+ key, without regards to the different names associated with it.
+
+
+
+
+
+
+
+
+
+
+
+
+ The ntuser_state element defines the different metadata associated with a ntuser.dat file. This includes the key, name, type, and value. Please refer to the
+ individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ This element describes a registry key normally found in the HKCU hive to be tested.
+
+
+
+
+ This element describes the name of a value of a registry key.
+
+
+
+
+ This element holds a string that represents the SID of a particular user.
+
+
+
+
+ The username entity holds a string that represents the name of a particular user. In Windows, user names are case-insensitive. As a
+ result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, users should be identified in
+ the form: "domain\user name". For local users use: "computer name\user name".
+
+
+
+
+ The account_type element describes if the user account is a local account or domain account.
+
+
+
+
+ The logged_on element describes if the user account is currently logged on to the computer.
+
+
+
+
+ The enabled element describes if the user account is enabled or disabled.
+
+
+
+
+ Time of last modification of file. The integer should represent the FILETIME structure which is a 64-bit value representing the number
+ of 100-nanosecond intervals since January 1, 1601 (UTC).
+
+
+
+
+ The number of days since the ntuser.dat file was last modified. The value should be rounded up to the next whole integer.
+
+
+
+
+ This element describes the filepath of the ntuser.dat file.
+
+
+
+
+ The last time that the key or any of its value entries was modified. The value of this entity represents the FILETIME structure which
+ is a 64-bit value representing the number of 100-nanosecond intervals since January 1, 1601 (UTC). Last write time can be queried on a key or
+ name. When collecting only information about a registry key the last write time will be the time the key or any of its entiries was written to.
+ When collecting only information about a registry name the last write time will be the time the name was written to. See the RegQueryInfoKey
+ function lpftLastWriteTime.
+
+
+
+
+ The type entity allows a test to be written against the registy type associated with the specified registry key(s). Please refer to
+ the documentation on the EntityStateRegistryTypeType for more information about the different valid individual types.
+
+
+
+
+ The value entity allows a test to be written against the value held within the specified registry key(s). If the value being tested
+ is of type REG_BINARY, then the datatype attribute should be set to 'binary' and the data represented by the value entity should follow the
+ xsd:hexBinary form. (each binary octet is encoded as two hex digits) If the value being tested is of type REG_DWORD or REG_QWORD, then the
+ datatype attribute should be set to 'int' and the value entity should represent the data as an integer. If the value being tested is of type
+ REG_EXPAND_SZ, then the datatype attribute should be set to 'string' and the pre-expanded string should be represented by the value entity. If the
+ value being tested is of type REG_MULTI_SZ, then only a single string (one of the multiple strings) should be tested using the value entity with
+ the datatype attribute set to 'string'. In order to test multiple values, multiple OVAL registry tests should be used. If the specified registry
+ key is of type REG_SZ, then the datatype should be 'string' and the value entity should be a copy of the string.
+ Note that if the intent is to test a version number held in the registry (as a reg_sz) then instead of setting the datatype to
+ 'string', the datatype can be set to 'version'. This allows tools performing the evaluation to know how to perform less than and greater than
+ operations correctly.
+
+
+
+
+
+
+
+
+
+ The NTUserBehaviors complex type defines a number of behaviors that allow a more detailed definition of the ntuser_object being specified. Note that using these
+ behaviors may result in some unique results. For example, a double negative type condition might be created where an object entity says include everything except a specific
+ item, but a behavior is used that might then add that item back in.
+
+
+
+ 'include_default' defines if the Window's local Default ntuser.dat file is included in the results. By default, this file is not included in the results.
+ The Default User's directory which contains the ntuser.dat file is stored in the registry at 'HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/ProfileList/Default'.
+
+
+
+
+ 'max_depth' defines the maximum depth of recursion to perform when a recurse_direction is specified. A value of '0' is equivalent to no recursion, '1' means
+ to step only one directory level up/down, and so on. The default value is '-1' meaning no limitation. For a 'max_depth' of -1 or any value of 1 or more the starting key
+ must be considered in the recursive search.
+ Note that the default recurse_direction behavior is 'none' so even though max_depth specifies no limitation by default, the recurse_direction behavior turns
+ recursion off.
+ Note that this behavior only applies with the equality operation on the key entity.
+
+
+
+
+
+
+
+
+
+
+ 'recurse_direction' defines the direction, either 'up' to parent keys, or 'down' into child keys to recursively search for registry keys. When recursing up
+ or down, one is limited by the max_depth behavior. Note that it is not an error if max_depth specifies a certain level of recursion and that level does not exist.
+ Recursing should only go as deep as available. The default value is 'none' for no recursion.
+ Note that this behavior only applies with the equality operation on the key entity.
+
+
+
+
+
+
+
+
+
+
+
+ 64-bit versions of Windows provide an alternate file system and registry views to 32-bit applications. This behavior allows the OVAL Object to specify which
+ view should be examined. This behavior only applies to 64-bit Windows, and must not be applied on other platforms.
+ Note that the values have the following meaning: '64_bit' – Indicates that the 64-bit view on 64-bit Windows operating systems must be examined. On a 32-bit
+ system, the Object must be evaluated without applying the behavior. '32_bit' – Indicates that the 32-bit view must be examined. On a 32-bit system, the Object must be
+ evaluated without applying the behavior. It is recommended that the corresponding 'windows_view' entity be set on the OVAL Items that are collected when this behavior is
+ used to distinguish between the OVAL Items that are collected in the 32-bit or 64-bit views.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The password policy test is used to check specific policy associated with passwords. It is important to note that these policies are specific to certain versions of Windows. As a result, the documentation for that version of Windows should be consulted for more information. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a passwordpolicy_object and the optional state element specifies the metadata to check.
+ NOTE: This information is stored in the SAM or Active Directory but is encrypted or hidden so the registry_test and activedirectory57_test are of no use. If this can be figured out, then the password_policy test is not needed.
+
+
+ passwordpolicy_test
+ passwordpolicy_object
+ passwordpolicy_state
+ passwordpolicy_item
+
+
+
+
+
+ - the object child element of a passwordpolicy_test must reference a passwordpolicy_object
+
+
+ - the state child element of a passwordpolicy_test must reference a passwordpolicy_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The passwordpolicy_object element is used by a password policy test to define those objects to evaluated based on a specified state. There is actually only one object relating to password policy and this is the system as a whole. Therefore, there are no child entities defined. Any OVAL Test written to check password policy will reference the same passwordpolicy_object which is basically an empty object element.
+
+
+
+
+
+
+
+
+
+ The passwordpolicy_state element specifies the various policies associated with passwords. A password policy test will reference a specific instance of this state that defines the exact settings that need to be evaluated.
+
+
+
+
+
+
+
+ Specifies, in seconds (from a DWORD), the maximum allowable password age. A value of TIMEQ_FOREVER (max DWORD value, 4294967295) indicates that the password never expires. The minimum valid value for this element is ONE_DAY (86400). See the USER_MODALS_INFO_0 structure returned by a call to NetUserModalsGet().
+
+
+
+ - the value of max_passwd_age must be greater than or equal to zero
+
+
+
+
+
+
+
+ Specifies the minimum number of seconds that can elapse between the time a password changes and when it can be changed again. A value of zero indicates that no delay is required between password updates.
+
+
+
+
+ Specifies the minimum allowable password length. Valid values for this element are zero through PWLEN.
+
+
+
+
+ Specifies the length of password history maintained. A new password cannot match any of the previous usrmod0_password_hist_len passwords. Valid values for this element are zero through DEF_MAX_PWHIST.
+
+
+
+
+ A boolean value that signifies whether passwords must meet the complexity requirements put forth by the operating system.
+
+
+
+
+ Determines whether or not passwords are stored using reversible encryption.
+
+
+
+
+ Determines whether or not an anonymous user may query the local LSA policy.
+
+
+
+
+
+
+
+
+
+
+
+
+ The peheader_test is used to check data from a Portable Executable file header. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a peheader_object and the optional state element specifies the metadata to check.
+
+
+ peheader_test
+ peheader_object
+ peheader_state
+ peheader_item
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The peheader_object is used by a peheader_test to define the specific file(s) whose headers should be evaluated. The peheader_object will collect header information from PE files. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+ A peheader_object defines the path and filename or complete filepath of the file(s). In addition, a number of behaviors may be provided that help guide the collection of objects. Please refer to the PEHeaderBehaviors complex type for more information about specific behaviors.
+ The set of files whose headers should be evaluated may be identified with either a complete filepath or a path and filename. Only one of these options may be selected.
+ It is important to note that the 'max_depth' and 'recurse_direction' attributes of the 'behaviors' element do not apply to the 'filepath' element, only to the 'path' and 'filename' elements. This is because the 'filepath' element represents an absolute path to a particular file and it is not possible to recurse over a file.
+
+
+
+
+
+
+
+
+
+
+
+
+ The filepath element specifies the absolute path for a PE file on the machine. A directory cannot be specified as a filepath.
+
+
+
+
+
+
+
+
+
+ The path element specifies the directory component of the absolute path to a PE file on the machine.
+
+
+
+
+
+
+
+ The filename element specifies the name of a PE file to evaluate.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The peheader_state defines the different metadata associated with the header of a PE file. Please refer to the individual elements in the schema for more details about what each represents. For more information, please see the documentation for the IMAGE_FILE_HEADER and IMAGE_OPTIONAL_HEADER structures.
+
+
+
+
+
+
+
+ The filepath element specifies the absolute path for a PE file on the machine. A directory cannot be specified as a filepath.
+
+
+
+
+ The path element specifies the directory component of the absolute path to a PE file on the machine.
+
+
+
+
+ The filename element specifies the name of a PE file to evaluate.
+
+
+
+
+
+
+
+ The header_signature entity is the signature of the header.
+
+
+
+
+ The target_machine_type entity is an unsigned 16-bit integer (WORD) that specifies the target architecture that the file is intended for.
+
+
+
+
+ The number_of_sections entity is an unsigned 16-bit integer (WORD) that specifies the number of sections in the file.
+
+
+
+
+ The time_date_stamp entity is an unsigned 32-bit integer (DWORD) that specifies the time that the linker produced the file. The value is represented as the number of seconds since January 1, 1970, 00:00:00.
+
+
+
+
+ The pointer_to_symbol_table entity is an unsigned 32-bit integer (DWORD) that specifies the file offset of the COFF symbol table.
+
+
+
+
+ The number_of_symbols entity is an unsigned 32-bit integer (DWORD) that specifies the number of symbols in the COFF symbol table.
+
+
+
+
+ The size_of_optional_header entity is an unsigned 32-bit integer (DWORD) that specifies the size of an optional header in bytes.
+
+
+
+
+ The image_file_relocs_stripped entity is a boolean value that specifies if the relocation information is stripped from the file.
+
+
+
+
+ The image_file_executable_image entity is a boolean value that specifies if the file is executable.
+
+
+
+
+ The image_file_line_nums_stripped entity is a boolean value that specifies if the line numbers are stripped from the file.
+
+
+
+
+ The image_file_local_syms_stripped entity is a boolean value that specifies if the local symbols are stripped from the file.
+
+
+
+
+ The image_file_aggressive_ws_trim entity is a boolean value that specifies that the working set should be aggressively trimmed.
+
+
+
+
+ The image_file_large_address_aware entity is a boolean value that specifies that the application can handle addresses larger than 2GB.
+
+
+
+
+ The image_file_16bit_machine entity is a boolean value that specifies that the computer supports 16-bit words.
+
+
+
+
+ The image_file_bytes_reversed_lo entity is a boolean value that specifies that the bytes of the word are reversed.
+
+
+
+
+ The image_file_32bit_machine entity is a boolean value that specifies that the computer supports 32-bit words.
+
+
+
+
+ The image_file_debug_stripped entity is a boolean value that specifies that the debugging information is stored separately in a .dbg file.
+
+
+
+
+ The image_file_removable_run_from_swap entity is a boolean value that specifies that the image is on removable media, copy and run from the swap file.
+
+
+
+
+ The image_file_system entity is a boolean value that specifies that the image is a system file.
+
+
+
+
+ The image_file_dll entity is a boolean value that specifies that the image is a DLL.
+
+
+
+
+ The image_file_up_system_only entity is a boolean value that specifies that the file should only be run on a uniprocessor computer.
+
+
+
+
+ The image_file_bytes_reversed_hi entity is a boolean value that specifies that the bytes of the word are reversed.
+
+
+
+
+ The magic_number entity is an unsigned 16-bit integer (WORD) that specifies the state of the image file.
+
+
+
+
+ The major_linker_version entity is a BYTE that specifies the major version of the linker that produced the file.
+
+
+
+
+ The minor_linker_version entity is a BYTE that specifies the minor version of the linker that produced the file.
+
+
+
+
+ The size_of_code entity is an unsigned 32-bit integer (DWORD) that specifies the total size of all of the code sections.
+
+
+
+
+ The size_of_initialized_data entity is an unsigned 32-bit integer (DWORD) that specifies the total size of all of the sections that are composed of initialized data.
+
+
+
+
+ The size_of_uninitialized_data entity is an unsigned 32-bit integer (DWORD) that specifies the total size of all of the sections that are composed of uninitialized data.
+
+
+
+
+ The address_of_entry_point entity is an unsigned 32-bit integer (DWORD) that specifies the address where the loader will begin execution.
+
+
+
+
+ The base_of_code entity is an unsigned 32-bit integer (DWORD) that specifies the relative virtual address where the file's code section begins.
+
+
+
+
+ The base_of_data entity is an unsigned 32-bit integer (DWORD) that specifies the relative virtual address where the file's data section begins.
+
+
+
+
+ The image_base_address entity is an unsigned 32-bit integer (DWORD) that specifies the preferred address fo the first byte of the image when it is loaded into memory.
+
+
+
+
+ The section_alignment entity is an unsigned 32-bit integer (DWORD) that specifies the alignment of the sections loaded into memory.
+
+
+
+
+ The file_alignment entity is an unsigned 32-bit integer (DWORD) that specifies the alignment of the raw data of sections in the image file.
+
+
+
+
+ The major_operating_system_version entity is an unsigned 16-bit integer (WORD) that specifies the major version of the operating system required to use this executable.
+
+
+
+
+ The minor_operating_system_version entity is an unsigned 16-bit integer (WORD) that specifies the minor version of the operating system required to use this executable.
+
+
+
+
+ The major_image_version entity is an unsigned 16-bit integer (WORD) that specifies the major version number of the image.
+
+
+
+
+ The minor_image_version entity is an unsigned 32-bit integer (DWORD) that specifies the minor version number of the image.
+
+
+
+
+ The major_subsystem_version entity is an unsigned 16-bit integer (WORD) that specifies the major version of the subsystem required to run the executable.
+
+
+
+
+ The minor_subsystem_version entity is an unsigned 16-bit integer (WORD) that specifies the minor version of the subsystem required to run the executable.
+
+
+
+
+ The size_of_image entity is an unsigned 32-bit integer (DWORD) that specifies the total size of the image including all of the headers.
+
+
+
+
+ The size_of_headers entity is an unsigned 32-bit integer (DWORD) that specifies the total combined size of the MS-DOS stub, PE header, and the section headers.
+
+
+
+
+ The checksum entity is an unsigned 32-bit integer (DWORD) that specifies the checksum of the image file.
+
+
+
+
+ The subsystem entity is an unsigned 32-bit integer (DWORD) that specifies the type of subsystem that the executable uses for its user interface.
+
+
+
+
+ The dll_characteristics entity is an unsigned 32-bit integer (DWORD) that specifies the set of flags indicating the circumstances under which a DLL's initialization function will be called..
+
+
+
+
+ The time_date_stamp entity is an unsigned 32-bit integer (DWORD) that specifies the number of bytes to reserve for the stack.
+
+
+
+
+ The time_date_stamp entity is an unsigned 32-bit integer (DWORD) that specifies the number of bytes to commit for the stack.
+
+
+
+
+ The time_date_stamp entity is an unsigned 32-bit integer (DWORD) that specifies the number of bytes to reserve for the local heap.
+
+
+
+
+ The time_date_stamp entity is an unsigned 32-bit integer (DWORD) that specifies the number of bytes to commit for the local heap.
+
+
+
+
+ The loader_flags entity is an unsigned 32-bit integer (DWORD) that specifies the loader flags of the header.
+
+
+
+
+ The number_of_rva_and_sizes entity is an unsigned 32-bit integer (DWORD) that specifies the number of directory entries in the remainder of the optional header.
+
+
+
+
+ The real_number_of_directory_entries entity is the real number of data directory entries in the remainder of the optional header calculated by enumerating the directory entries.
+
+
+
+
+ The windows view value to which this was targeted. This is used to indicate which view (32-bit or 64-bit), the associated State applies to.
+
+
+
+
+
+
+
+
+
+
+
+
+ The port test is used to check information about the available ports on a Windows system. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a port_object and the optional state element specifies the port information to check.
+
+
+ port_test
+ port_object
+ port_state
+ port_item
+
+
+
+
+
+ - the object child element of a port_test must reference a port_object
+
+
+ - the state child element of a port_test must reference a port_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The port_object element is used by a port test to define the specific port(s) to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+ A port object defines the local address, port number, and protocol of the port(s).
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ This element specifies the local IP address the listening port is bound to. Note that the IP address can be IPv4 or IPv6.
+
+
+
+
+ This element specifies the number assigned to the local listening port.
+
+
+
+
+ This element specifies the type of listening port. It is restricted to either TCP or UDP.
+
+
+
+
+
+
+
+
+
+
+
+
+ The port_state element defines the different metadata associate with a Windows port. This includes the local address, port number, protocol, and pid. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ This element specifies the local IP address the listening port is bound to. Note that the IP address can be IPv4 or IPv6.
+
+
+
+
+ This element specifies the number assigned to the local listening port.
+
+
+
+
+ This element specifies the type of listening port. It is restricted to either TCP or UDP.
+
+
+
+
+ The id given to the process that is associated with the specified listening port.
+
+
+
+
+ This is the IP address with which the program is communicating, or with which it will communicate, in the case of a listening server. Note that the IP address can be IPv4 or IPv6.
+
+
+
+
+ This is the TCP or UDP port to which the program communicates. In the case of a listening program accepting new connections, this is usually '0'.
+
+
+
+
+
+
+
+
+
+
+
+
+ The printer effective rights test is used to check the effective rights associated with Windows printers. The printereffectiverights_test element extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a printereffectiverights_object and the optional state element specifies the metadata to check.
+
+
+ printereffectiverights_test
+ printereffectiverights_object
+ printereffectiverights_state
+ printereffectiverights_item
+
+
+
+
+
+ - the object child element of a printereffectiverights_test must reference a printereffectiverights_object
+
+
+ - the state child element of a printereffectiverights_test must reference a printereffectiverights_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The printer_name element describes a printer that a user may have rights on.
+
+
+
+
+ The trustee_sid entity identifies a unique SID associated with a user, group, system, or program (such as a Windows service). If an operation other than equals is used to identify matching trustees (i.e. not equal, or a pattern match) then the resulting matches shall be limited to only the trustees referenced in the printer's Security Descriptor. The scope is limited here to ensure that it is possible to avoid unnecessarily resource intensive searches for trustees. Note that the larger scope of all known trustees may be obtained through the use of variables.
+
+
+
+
+
+
+
+
+
+
+
+
+ The printereffectiverights_state element defines the different rights that can be associated with a given printereffectiverights_object. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ This element specifies the name of the printer.
+
+
+
+
+ The trustee_sid element is the unique SID that associated a user, group, system, or program (such as a Windows service).
+
+
+
+
+ The right to delete the object.
+
+
+
+
+ The right to read the information in the object's Security Descriptor, not including the information in the SACL.
+
+
+
+
+ The right to modify the DACL in the object's Security Descriptor.
+
+
+
+
+ The right to change the owner in the object's Security Descriptor.
+
+
+
+
+ The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right.
+
+
+
+
+ Indicates access to a system access control list (SACL).
+
+
+
+
+ Read access.
+
+
+
+
+ Write access.
+
+
+
+
+ Execute access.
+
+
+
+
+ Read, write, and execute access.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The PrinterEffectiveRightsBehaviors complex type defines a number of behaviors that allow a more detailed definition of the pritnereffectiverights_object being specified. Note that using these behaviors may result in some unique results. For example, a double negative type condition might be created where an object entity says include everything except a specific item, but a behavior is used that might then add that item back in.
+
+
+
+ 'include_group' defines whether the group trustee name should be included in the object when the object is defined by a group trustee name. For example, the intent of an object defined by a group trustee name might be to retrieve all the user trustee names that are members of the group, but not the group trustee name itself.
+
+
+ 5.10
+ The 'include_group' behavior has been deprecated in favor of using variables to reference more efficient objects for expanding groups.
+ Consider using a sid_sid_object or similar to include the members of a group.
+
+
+
+ DEPRECATED BEHAVIOR IN: win-def:printereffectiverights_object
+
+
+
+
+
+
+
+ The 'resolve_group' behavior defines whether an object set defined by a group SID should be resolved to return a set that contains all the user SIDs that are a member of that group. Note that all child groups should also be resolved any valid domain users that are members of the group should also be included. The intent of this behavior is to end up with a list of all individual users from that system that make up the group once everything has been resolved.
+
+
+ 5.6
+ The 'resolve_group' behavior has been deprecated in favor of using variables to reference more efficient objects for expanding groups.
+ Consider using a sid_sid_object or similar to resolve the members of a group.
+
+
+
+ DEPRECATED BEHAVIOR IN: printereffectiverights_object
+
+
+
+
+
+
+
+
+
+
+
+ The process_test is used to check information found in the Windows processes. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a process_object and the optional state element references a process_state element that specifies the process information to check.
+
+
+ process_test
+ process_object
+ process_state
+ process_item
+
+
+
+
+ 5.8
+ The process_test has been deprecated and replaced by the process58_test. The command line of a process cannot be used to uniquely identify a process. As a result, the pid entity was added to the process58_object. Please see the process58_test for additional information.
+
+
+
+ DEPRECATED TEST: ID:
+
+
+
+
+
+
+ - the object child element of a process_test must reference a process_object
+
+
+ - the state child element of a process_test must reference a process_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The process_object element is used by a process test to define the specific process(es) to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+ A process_object defines the command line used to start the process(es).
+
+
+ 5.8
+ The process_object has been deprecated and replaced by the process58_object. The command line of a process cannot be used to uniquely identify a process. As a result, the pid entity was added to the process58_object. Please see the process58_object for additional information.
+
+
+
+ DEPRECATED OBJECT: ID:
+
+
+
+
+
+
+
+
+
+
+
+
+ The command_line entity is the string used to start the process. This includes any parameters that are part of the command line.
+
+
+
+
+
+
+
+
+
+
+ The process_state element defines the different metadata associate with a Windows process. This includes the command line, pid, ppid, image path, and current directory. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+ 5.8
+ The process_state has been deprecated and replaced by the process58_state. The command line of a process cannot be used to uniquely identify a process. As a result, the pid entity was added to the process58_object. Please see the process58_state for additional information.
+
+
+
+ DEPRECATED STATE: ID:
+
+
+
+
+
+
+
+
+
+
+ The command_line entity is the string used to start the process. This includes any parameters that are part of the command line.
+
+
+
+
+ The id given to the process that is created for a specified command line.
+
+
+
+
+ The id given to the parent of the process that is created for the specified command line
+
+
+
+
+ The base priority of the process. The priority value range is from 0 to 31.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The image_path entity contains the name of the executable file in question.
+
+
+
+
+ The current_directory entity represents the current path to the executable.
+
+
+
+
+
+
+
+
+
+
+
+
+ The process58_test is used to check information found in the Windows processes. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a process58_object and the optional state element references a process58_state element that specifies the process information to check.
+
+
+ process58_test
+ process58_object
+ process58_state
+ process_item
+
+
+
+
+
+ - the object child element of a process58_test must reference a process58_object
+
+
+ - the state child element of a process58_test must reference a process58_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The process58_object element is used by a process58_test to define the specific process(es) to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+ A process58_object defines the command line used to start the process(es)and pid.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The command_line entity is the string used to start the process. This includes any parameters that are part of the command line. Use xsi:nil='true' to disregard (and permit processes with non-existent commane_lines, such as the System process).
+
+
+
+
+ The id given to the process that is created for a specified command line.
+
+
+
+
+
+
+
+
+
+
+
+
+ The process58_state element defines the different metadata associate with a Windows process. This includes the command line, pid, ppid, image path, and current directory. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ The command_line entity is the string used to start the process. This includes any parameters that are part of the command line.
+
+
+
+
+ The id given to the process that is created for a specified command line.
+
+
+
+
+ The id given to the parent of the process that is created for the specified command line
+
+
+
+
+ The base priority of the process. The priority value range is from 0 to 31.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The image_path entity represents the name of the executable file for the process.
+
+
+
+
+ The current_dir entity represents the current path to the executable file for the process.
+
+
+
+
+ The creation_time entity represents the creation time of the process. The value of this entity represents the FILETIME structure which is a 64-bit value representing the number of 100-nanosecond intervals since January 1, 1601 (UTC). See the GetProcessTimes function lpCreationTime.
+
+
+
+
+ The dep_enabled entity represents whether or not data execution prevention (DEP) is enabled. See the GetProcessDEPPolicy lpFlags.
+
+
+
+
+ The primary_window_text entity represents the title of the primary window of the process. See the GetWindowText function.
+
+
+
+
+ The name of the process.
+
+
+
+
+
+
+
+
+
+
+
+
+ The registry test is used to check metadata associated with Windows registry key. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a registry_object and the optional state element specifies the registry data to check.
+
+
+ registry_test
+ registry_object
+ registry_state
+ registry_item
+
+
+
+
+
+ - the object child element of a registry_test must reference a registry_object
+
+
+ - the state child element of a registry_test must reference a registry_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The hive that the registry key belongs to. This is restricted to a specific set of values: HKEY_CLASSES_ROOT, HKEY_CURRENT_CONFIG, HKEY_CURRENT_USER, HKEY_CURRENT_USER_LOCAL_SETTINGS, HKEY_LOCAL_MACHINE, and HKEY_USERS.
+
+
+
+
+ The key element describes a registry key to be collected. Note that the hive portion of the string should not be included, as this data should be found under the hive element. If the xsi:nil attribute is set to true, then the object being specified is the higher level hive. In this case, the key element should not be collected or used in analysis. Setting xsi:nil equal to true is different than using a .* pattern match. A .* pattern match says to collect every key under a given hive.
+
+
+
+ - the max_depth behavior MUST not be used when a pattern match is used with a key entity.
+ - the recurse_direction behavior MUST not be used when a pattern match is used with a key entity.
+
+
+
+
+
+
+
+ The name element describes the name assigned to a value associated with a specific registry key. If an empty string is specified for the name element, the registry key's default value should be collected. If the xsi:nil attribute is set to true, then the object being specified is the higher level hive/key. In this case, the name element should not be collected or used in analysis. Setting xsi:nil equal to true on an element is different than using a .* pattern match. A .* pattern match says to collect every name under a given hive/key. The most likely use for xsi:nil within a registry object is when checking for the existence of a particular key, without regards to the different names associated with it.
+
+
+
+
+
+
+
+
+
+
+
+
+ The registry_state element defines the different metadata associate with a Windows registry key. This includes the hive, key, name, type, and value. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ The hive that the registry key belongs to. This is restricted to a specific set of values: HKEY_CLASSES_ROOT, HKEY_CURRENT_CONFIG, HKEY_CURRENT_USER, HKEY_CURRENT_USER_LOCAL_SETTINGS,HKEY_LOCAL_MACHINE, and HKEY_USERS.
+
+
+
+
+ This element describes a registry key to be tested. Note that the hive portion of the string should not be inclueded, as this data should be found under the hive element.
+
+
+
+
+ This element describes the name of a value of a registry key. If the xsi:nil attribute is set to true, then the name element should not be used in analysis.
+
+
+
+
+ The last time that the key or any of its value entries were modified. The value of this entity represents the FILETIME structure which is a 64-bit value representing the number of 100-nanosecond intervals since January 1, 1601 (UTC). Last write time can be queried on any key, with hives being classified as a type of key. When collecting only information about a registry hive or key the last write time will be the time the key or any of its entries were modified. When collecting only information about a registry name the last write time will be the time the containing key was modified. Thus when collecting information about a registry name, the last write time does not correlate directly to the specified name. See the RegQueryInfoKey function lpftLastWriteTime.
+
+
+
+
+ The type entity allows a test to be written against the registy type associated with the specified registry key(s). Please refer to the documentation on the EntityStateRegistryTypeType for more information about the different valid individual types.
+
+
+
+
+ The value entity allows a test to be written against the value held within the specified registry key(s). If the value being tested is of type REG_BINARY, then the datatype attribute should be set to 'binary' and the data represented by the value entity should follow the xsd:hexBinary form. (each binary octet is encoded as two hex digits) If the value being tested is of type REG_DWORD, REG_QWORD, REG_DWORD_LITTLE_ENDIAN, REG_DWORD_BIG_ENDIAN, and REG_QWORD_LITTLE_ENDIAN then the datatype attribute should be set to 'int' and the value entity should represent the data as an unsigned integer. DWORD and QWORD values represnt unsigned 32-bit and 64-bit integers, respectively. If the value being tested is of type REG_EXPAND_SZ, then the datatype attribute should be set to 'string' and the pre-expanded string should be represented by the value entity. If the value being tested is of type REG_MULTI_SZ, then only a single string (one of the multiple strings) should be tested using the value entity with the datatype attribute set to 'string'. In order to test multiple values, multiple OVAL registry tests should be used. If the specified registry key is of type REG_SZ, then the datatype should be 'string' and the value entity should be a copy of the string. If the value being tested is of type REG_LINK, then the datatype attribute should be set to 'string' and the null-terminated Unicode string should be represented by the value entity.
+ Note that if the intent is to test a version number held in the registry (as a reg_sz) then instead of setting the datatype to 'string', the datatype can be set to 'version'. This allows tools performing the evaluation to know how to perform less than and greater than operations correctly.
+
+
+
+
+ For registry values of type REG_EXPAND_SZ, this entity contains the expanded value. Otherwise, it should not exist.
+
+
+
+
+ The windows view value to which this was targeted. This is used to indicate which view (32-bit or 64-bit), the associated State applies to.
+
+
+
+
+
+
+
+
+
+ The RegistryBehaviors complex type defines a number of behaviors that allow a more detailed definition of the registry_object being specified. Note that using these behaviors may result in some unique results. For example, a double negative type condition might be created where an object entity says include everything except a specific item, but a behavior is used that might then add that item back in.
+
+
+
+ 'max_depth' defines the maximum depth of recursion to perform when a recurse_direction is specified. A value of '0' is equivalent to no recursion, '1' means to step only one directory level up/down, and so on. The default value is '-1' meaning no limitation. For a 'max_depth' of -1 or any value of 1 or more the starting key must be considered in the recursive search.
+ Note that the default recurse_direction behavior is 'none' so even though max_depth specifies no limitation by default, the recurse_direction behavior turns recursion off.
+ Note that this behavior only applies with the equality operation on the key entity.
+
+
+
+
+
+
+
+
+
+
+ 'recurse_direction' defines the direction, either 'up' to parent keys, or 'down' into child keys to recursively search for registry keys. When recursing up or down, one is limited by the max_depth behavior. Note that it is not an error if max_depth specifies a certain level of recursion and that level does not exist. Recursing should only go as deep as available. The default value is 'none' for no recursion.
+ Note that this behavior only applies with the equality operation on the key entity.
+
+
+
+
+
+
+
+
+
+
+
+ 64-bit versions of Windows provide an alternate file system and registry views to 32-bit applications. This behavior allows the OVAL Object to specify which view should be examined. This behavior only applies to 64-bit Windows, and must not be applied on other platforms.
+ Note that the values have the following meaning: '64_bit' - Indicates that the 64-bit view on 64-bit Windows operating systems must be examined. On a 32-bit system, the Object must be evaluated without applying the behavior. '32_bit' - Indicates that the 32-bit view must be examined. On a 32-bit system, the Object must be evaluated without applying the behavior. It is recommended that the corresponding 'windows_view' entity be set on the OVAL Items that are collected when this behavior is used to distinguish between the OVAL Items that are collected in the 32-bit or 64-bit views.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The registry key audited permissions test is used to check the audit permissions associated with Windows registry keys. Note that the trustee's audited permissions are the audit permissons that the SACL grants to the trustee or to any groups of which the trustee is a member. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a regkeyauditedpermissions53_object and the optional state element specifies the metadata to check.
+
+
+ regkeyauditedpermissions53_test
+ regkeyauditedpermissions53_object
+ regkeyauditedpermissions53_state
+ regkeyauditedpermissions_item
+
+
+
+
+
+ - the object child element of a regkeyauditedpermissions53_test must reference a regkeyauditedpermissions53_object
+
+
+ - the state child element of a regkeyauditedpermissions53_test must reference a regkeyauditedpermissions53_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The regkeyauditedpermissions53_object element is used by a registry key audited permissions test to define the objects used to evalutate against the specified state. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic.
+ A regkeyauditedpermissions53_object is defined as a combination of a Windows registry key and trustee name. The hive and key elements represents the registry key to be evaluated while the trustee name represents the account (SID) to check audited permissions of. If multiple keys or SIDs are matched by either reference, then each possible combination of registry key and SID is a matching registry key audited permissions object. In addition, a number of behaviors may be provided that help guide the collection of objects. Please refer to the RegkeyAuditPermissions53Behaviors complex type for more information about specific behaviors.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The hive that the registry key belongs to. This is restricted to a specific set of values: HKEY_CLASSES_ROOT, HKEY_CURRENT_CONFIG, HKEY_CURRENT_USER, HKEY_CURRENT_USER_LOCAL_SETTINGS, HKEY_LOCAL_MACHINE, and HKEY_USERS.
+
+
+
+
+ The key element describes a registry key to be collected. Note that the hive portion of the string should not be included, as this data should be found under the hive element. If the xsi:nil attribute is set to true, then the object being specified is the higher level hive. In this case, the key element should not be collected or used in analysis. Setting xsi:nil equal to true is different than using a .* pattern match. A .* pattern match says to collect every key under a given hive.
+
+
+
+ - the max_depth behavior MUST not be used when a pattern match is used with a key entity.
+ - the recurse_direction behavior MUST not be used when a pattern match is used with a key entity.
+
+
+
+
+
+
+
+ The trustee_sid entity identifies a unique SID associated with a user, group, system, or program (such as a Windows service). If an operation other than equals is used to identify matching trustees (i.e. not equal, or a pattern match) then the resulting matches shall be limited to only the trustees referenced in the registry key's Security Descriptor. The scope is limited here to avoid unnecessarily resource intensive searches for trustees. Note that the larger scope of all known trustees may be obtained through the use of variables.
+
+
+
+
+
+
+
+
+
+
+
+
+ The regkeyauditedpermissions53_state element defines the different audit permissions that can be associated with a given regkeyauditedpermissions53_object. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ This element specifies the hive of a registry key on the machine from which to retrieve the SACL.
+
+
+
+
+ This element specifies a registry key on the machine from which to retrieve the SACL. Note that the hive portion of the string should not be inclueded, as this data should be found under the hive element.
+
+
+
+
+ The trustee_sid element is the unique SID that associated a user, group, system, or program (such as a Windows service).
+
+
+
+
+ The right to delete the object.
+
+
+
+
+ The right to read the information in the object's Security Descriptor, not including the information in the SACL.
+
+
+
+
+ The right to modify the DACL in the object's Security Descriptor.
+
+
+
+
+ The right to change the owner in the object's Security Descriptor.
+
+
+
+
+ The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right.
+
+
+ 5.6
+ This entity has been deprecated because registry keys do not support the SYNCHRONIZE standard access right.
+
+
+
+ DEPRECATED ELEMENT: ID:
+
+
+
+
+
+
+
+ Indicates access to a system access control list (SACL).
+
+
+
+
+ Read access.
+
+
+
+
+ Write access.
+
+
+
+
+ Execute access.
+
+
+
+
+ Read, write, and execute access.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The windows view value to which this was targeted. This is used to indicate which view (32-bit or 64-bit), the associated State applies to.
+
+
+
+
+
+
+
+
+
+ The RegkeyAuditPermissions53Behaviors complex type defines a number of behaviors that allow a more detailed definition of the registrykeyauditedpermissions53_object being specified. Note that using these behaviors may result in some unique results. For example, a double negative type condition might be created where an object entity says include everything except a specific item, but a behavior is used that might then add that item back in.
+ The RegkeyAuditPermissions53Behaviors extend the win-def:RegistryBehaviors and therefore include the behaviors defined by that type.
+
+
+
+
+
+ 'include_group' defines whether the group SID should be included in the object when the object is defined by a group SID. For example, the intent of an object defined by a group SID might be to retrieve all the user SIDs that are a member of the group, but not the group SID itself.
+
+
+ 5.10
+ The 'include_group' behavior has been deprecated in favor of using variables to reference more efficient objects for expanding groups.
+ Consider using a sid_sid_object or similar to include the members of a group.
+
+
+
+ DEPRECATED BEHAVIOR IN: win-def:regkeyauditedpermissions53_object
+
+
+
+
+
+
+
+ The 'resolve_group' behavior defines whether an object set defined by a group SID should be resolved to return a set that contains all the user SIDs that are a member of that group. Note that all child groups should also be resolved any valid domain users that are members of the group should also be included. The intent of this behavior is to end up with a list of all individual users from that system that make up the group once everything has been resolved.
+
+
+ 5.6
+ The 'resolve_group' behavior has been deprecated in favor of using variables to reference more efficient objects for expanding groups.
+ Consider using a sid_sid_object or similar to resolve the members of a group.
+
+
+
+ DEPRECATED BEHAVIOR IN: regkeyauditedpermissions53_object
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The registry key audited permissions test is used to check the audit permissions associated with Windows registry keys. Note that the trustee's audited permissions are the audit permissons that the SACL grants to the trustee or to any groups of which the trustee is a member. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a regkeyauditedpermissions_object and the optional state element specifies the metadata to check.
+
+
+ regkeyauditedpermissions_test
+ regkeyauditedpermissions_object
+ regkeyauditedpermissions_state
+ regkeyauditedpermissions_item
+
+
+
+
+ 5.3
+ Replaced by the regkeyauditedpermissions53_test. This test uses a trustee_name element for identifying trustees. Trustee names are not unique, and a new test was created to use trustee SIDs, which are unique. See the regkeyauditedpermissions53_test.
+ This test has been deprecated and will be removed in version 6.0 of the language.
+
+
+
+ DEPRECATED TEST: ID:
+
+
+
+
+
+
+ - the object child element of a regkeyauditedpermissions_test must reference a regkeyauditedpermissions_object
+
+
+ - the state child element of a regkeyauditedpermissions_test must reference a regkeyauditedpermissions_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The regkeyauditedpermissions_object element is used by a registry key audited permissions test to define the objects used to evalutate against the specified state. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic.
+ A regkeyauditedpermissions_object is defined as a combination of a Windows registry key and trustee name. The hive and key elements represents the registry key to be evaluated while the trustee name represents the account (SID) to check audited permissions of. If multiple keys or SIDs are matched by either reference, then each possible combination of file and SID is a matching file audited permissions object. In addition, a number of behaviors may be provided that help guide the collection of objects. Please refer to the RegkeyAuditPermissionsBehaviors complex type for more information about specific behaviors.
+
+
+ 5.3
+ Replaced by the regkeyauditedpermissions53_object. This object uses a trustee_name element for identifying trustees. Trustee names are not unique, and a new object was created to use trustee SIDs, which are unique. See the regkeyauditedpermissions53_object.
+ This object has been deprecated and will be removed in version 6.0 of the language.
+
+
+
+ DEPRECATED OBJECT: ID:
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The hive that the registry key belongs to. This is restricted to a specific set of values: HKEY_CLASSES_ROOT, HKEY_CURRENT_CONFIG, HKEY_CURRENT_USER, HKEY_CURRENT_USER_LOCAL_SETTINGS, HKEY_LOCAL_MACHINE, and HKEY_USERS.
+
+
+
+
+ The key element describes a registry key to be collected. Note that the hive portion of the string should not be included, as this data should be found under the hive element.
+
+
+
+ - the max_depth behavior MUST not be used when a pattern match is used with a key entity.
+ - the recurse_direction behavior MUST not be used when a pattern match is used with a key entity.
+
+
+
+
+
+
+
+ The trustee_name element is the unique name that associated a particular SID. A SID can be associated with a user, group, or program (such as a Windows service). In Windows, trustee names are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, trustee names should be identified in the form: "domain\trustee name". For local trustee names use: "computer name\trustee name". For built-in accounts on the system, use the trustee name without a domain.
+
+
+
+
+
+
+
+
+
+
+
+ The regkeyauditedpermissions_state element defines the different audit permissions that can be associated with a given regkeyauditedpermissions_object. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+ 5.3
+ Replaced by the regkeyauditedpermissions53_state. This state uses a trustee_name element for identifying trustees. Trustee names are not unique, and a new state was created to use trustee SIDs, which are unique. See the regkeyauditedpermissions53_state.
+ This state has been deprecated and will be removed in version 6.0 of the language.
+
+
+
+ DEPRECATED STATE: ID:
+
+
+
+
+
+
+
+
+
+
+ This element specifies the hive of a registry key on the machine from which to retrieve the SACL.
+
+
+
+
+ This element specifies a registry key on the machine from which to retrieve the SACL. Note that the hive portion of the string should not be inclueded, as this data should be found under the hive element.
+
+
+
+
+ The unique name associated with a particular security identifier (SID). In Windows, trustee names are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, trustee names should be identified in the form: "domain\trustee name". For local trustee names use: "computer name\trustee name". For built-in accounts on the system, use the trustee name without a domain.
+
+
+
+
+ The right to delete the object.
+
+
+
+
+ The right to read the information in the object's Security Descriptor, not including the information in the SACL.
+
+
+
+
+ The right to modify the DACL in the object's Security Descriptor.
+
+
+
+
+ The right to change the owner in the object's Security Descriptor.
+
+
+
+
+ The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right.
+
+
+
+
+ Indicates access to a system access control list (SACL).
+
+
+
+
+ Read access.
+
+
+
+
+ Write access.
+
+
+
+
+ Execute access.
+
+
+
+
+ Read, write, and execute access.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The windows view value to which this was targeted. This is used to indicate which view (32-bit or 64-bit), the associated State applies to.
+
+
+
+
+
+
+
+
+
+ The RegkeyAuditPermissionsBehaviors complex type defines a number of behaviors that allow a more detailed definition of the registrykeyauditedpermissions_object being specified. Note that using these behaviors may result in some unique results. For example, a double negative type condition might be created where an object entity says include everything except a specific item, but a behavior is used that might then add that item back in.
+ The RegkeyAuditPermissionsBehaviors extend the win-def:RegistryBehaviors and therefore include the behaviors defined by that type.
+
+
+ 5.3
+ Replaced by the RegkeyAuditPermissionsBehaviors53. The RegkeyAuditPermissionsBehaviors complex type is used by the regkeyauditedpermissions_test which uses a trustee_name element for identifying trustees. Trustee names are not unique, and a new test was created to use trustee SIDs, which are unique. This new test utilizes the RegkeyAuditPermissionsBehaviors53 complex type, and as a result, the RegkeyAuditPermissionsBehaviors complex type is no longer needed.
+ This complex type has been deprecated and will be removed in version 6.0 of the language.
+
+
+
+
+
+
+
+ 'include_group' defines whether the group trustee name should be included in the object when the object is defined by a group trustee name. For example, the intent of an object defined by a group trustee name might be to retrieve all the user trustee names that are members of the group, but not the group trustee name itself.
+
+
+ 5.10
+ The 'include_group' behavior has been deprecated in favor of using variables to reference more efficient objects for expanding groups.
+ Consider using a sid_object or similar to include the members of a group.
+
+
+
+ DEPRECATED BEHAVIOR IN: win-def:regkeyauditedpermissions_object
+
+
+
+
+
+
+
+ The 'resolve_group' behavior defines whether an object set defined by a group SID should be resolved to return a set that contains all the user SIDs that are a member of that group. Note that all child groups should also be resolved any valid domain users that are members of the group should also be included. The intent of this behavior is to end up with a list of all individual users from that system that make up the group once everything has been resolved.
+
+
+ 5.6
+ The 'resolve_group' behavior has been deprecated in favor of using variables to reference more efficient objects for expanding groups.
+ Consider using a sid_object or similar to resolve the members of a group.
+
+
+
+ DEPRECATED BEHAVIOR IN: regkeyauditedpermissions_object
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The registry key effective rights test is used to check the effective rights associated with Windows files. Note that the trustee's effective access rights are the access rights that the DACL grants to the trustee or to any groups of which the trustee is a member. The regkeyeffectiverights53_test element extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a regkeyeffectiverights53_object and the optional state element specifies the metadata to check.
+
+
+ regkeyeffectiverights53_test
+ regkeyeffectiverights53_object
+ regkeyeffectiverights53_state
+ regkeyeffectiverights_item
+
+
+
+
+
+ - the object child element of a regkeyeffectiverights53_test must reference a regkeyeffectiverights53_object
+
+
+ - the state child element of a regkeyeffectiverights53_test must reference a regkeyeffectiverights53_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The regkeyeffectiverights53_object element is used by a registry key effective rights test to define the objects used to evalutate against the specified state. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic.
+ A regkeyeffectiverights53_object is defined as a combination of a Windows registry and trustee SID. The key entity represents the registry key to be evaluated while the trustee SID represents the account (SID) to check effective rights of. If multiple files or SIDs are matched by either reference, then each possible combination of registry key and SID is a matching registry key effective rights object. In addition, a number of behaviors may be provided that help guide the collection of objects. Please refer to the RegkeyEffectiveRights53Behaviors complex type for more information about specific behaviors.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The hive that the registry key belongs to. This is restricted to a specific set of values: HKEY_CLASSES_ROOT, HKEY_CURRENT_CONFIG, HKEY_CURRENT_USER, HKEY_CURRENT_USER_LOCAL_SETTINGS,HKEY_LOCAL_MACHINE, and HKEY_USERS.
+
+
+
+
+ The key element describes a registry key to be collected. Note that the hive portion of the string should not be included, as this data should be found under the hive element. If the xsi:nil attribute is set to true, then the object being specified is the higher level hive. In this case, the key element should not be collected or used in analysis. Setting xsi:nil equal to true is different than using a .* pattern match. A .* pattern match says to collect every key under a given hive.
+
+
+
+ - the max_depth behavior MUST not be used when a pattern match is used with a key entity.
+ - the recurse_direction behavior MUST not be used when a pattern match is used with a key entity.
+
+
+
+
+
+
+
+ The trustee_sid entity identifies a unique SID associated with a user, group, system, or program (such as a Windows service). If an operation other than equals is used to identify matching trustees (i.e. not equal, or a pattern match) then the resulting matches shall be limited to only the trustees referenced in the registry key's Security Descriptor. The scope is limited here to avoid unnecessarily resource intensive searches for trustees. Note that the larger scope of all known trustees may be obtained through the use of variables.
+
+
+
+
+
+
+
+
+
+
+
+
+ The regkeyeffectiverights53_state element defines the different rights that can be associated with a given regkeyeffectiverights53_object. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ This element specifies the hive of a registry key on the machine from which to retrieve the SACL.
+
+
+
+
+ This element specifies a registry key on the machine from which to retrieve the SACL. Note that the hive portion of the string should not be inclueded, as this data should be found under the hive element.
+
+
+
+
+ The trustee_sid element is the unique SID that associated a user, group, system, or program (such as a Windows service).
+
+
+
+
+ The right to delete the object.
+
+
+
+
+ The right to read the information in the object's Security Descriptor, not including the information in the SACL.
+
+
+
+
+ The right to modify the DACL in the object's Security Descriptor.
+
+
+
+
+ The right to change the owner in the object's Security Descriptor.
+
+
+
+
+ The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right.
+
+
+ 5.6
+ This entity has been deprecated because registry keys do not support the SYNCHRONIZE standard access right.
+
+
+
+ DEPRECATED ELEMENT: ID:
+
+
+
+
+
+
+
+ Indicates access to a system access control list (SACL).
+
+
+
+
+ Read access.
+
+
+
+
+ Write access.
+
+
+
+
+ Execute access.
+
+
+
+
+ Read, write, and execute access.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The windows view value to which this was targeted. This is used to indicate which view (32-bit or 64-bit), the associated State applies to.
+
+
+
+
+
+
+
+
+
+ The RegkeyEffectiveRights53Behaviors complex type defines a number of behaviors that allow a more detailed definition of the registrykeyeffectiverights53_object being specified. Note that using these behaviors may result in some unique results. For example, a double negative type condition might be created where an object entity says include everything except a specific item, but a behavior is used that might then add that item back in.
+ The RegkeyEffectiveRights53Behaviors extend the win-def:RegistryBehaviors and therefore include the behaviors defined by that type.
+
+
+
+
+
+ 'include_group' defines whether the group SID should be included in the object when the object is defined by a group SID. For example, the intent of an object defined by a group SID might be to retrieve all the user SIDs that are a member of the group, but not the group SID itself.
+
+
+ 5.10
+ The 'include_group' behavior has been deprecated in favor of using variables to reference more efficient objects for expanding groups.
+ Consider using a sid_sid_object or similar to include the members of a group.
+
+
+
+ DEPRECATED BEHAVIOR IN: win-def:regkeyeffectiverights53_object
+
+
+
+
+
+
+
+ The 'resolve_group' behavior defines whether an object set defined by a group SID should be resolved to return a set that contains all the user SIDs that are a member of that group. Note that all child groups should also be resolved any valid domain users that are members of the group should also be included. The intent of this behavior is to end up with a list of all individual users from that system that make up the group once everything has been resolved.
+
+
+ 5.6
+ The 'resolve_group' behavior has been deprecated in favor of using variables to reference more efficient objects for expanding groups.
+ Consider using a sid_sid_object or similar to resolve the members of a group.
+
+
+
+ DEPRECATED BEHAVIOR IN: regkeyeffectiverights53_object
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The registry key effective rights test is used to check the effective rights associated with Windows files. Note that the trustee's effective access rights are the access rights that the DACL grants to the trustee or to any groups of which the trustee is a member. The regkeyeffectiverights_test element extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a regkeyeffectiverights_object and the optional state element specifies the metadata to check.
+
+
+ regkeyeffectiverights_test
+ regkeyeffectiverights_object
+ regkeyeffectiverights_state
+ regkeyeffectiverights_item
+
+
+
+
+ 5.3
+ Replaced by the regkeyeffectiverights53_test. This test uses a trustee_name element for identifying trustees. Trustee names are not unique, and a new test was created to use trustee SIDs, which are unique. See the regkeyeffectiverights53_test.
+ This test has been deprecated and will be removed in version 6.0 of the language.
+
+
+
+ DEPRECATED TEST: ID:
+
+
+
+
+
+
+ - the object child element of a regkeyeffectiverights_test must reference a regkeyeffectiverights_object
+
+
+ - the state child element of a regkeyeffectiverights_test must reference a regkeyeffectiverights_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 5.3
+ Replaced by the regkeyeffectiverights53_object. This object uses a trustee_name element for identifying trustees. Trustee names are not unique, and a new object was created to use trustee SIDs, which are unique. See the regkeyeffectiverights53_object.
+ This object has been deprecated and will be removed in version 6.0 of the language.
+
+
+
+ DEPRECATED OBJECT: ID:
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The hive that the registry key belongs to. This is restricted to a specific set of values: HKEY_CLASSES_ROOT, HKEY_CURRENT_CONFIG, HKEY_CURRENT_USER, HKEY_CURRENT_USER_LOCAL_SETTINGS,HKEY_LOCAL_MACHINE, and HKEY_USERS.
+
+
+
+
+ The key element describes a registry key to be collected. Note that the hive portion of the string should not be included, as this data should be found under the hive element.
+
+
+
+ - the max_depth behavior MUST not be used when a pattern match is used with a key entity.
+ - the recurse_direction behavior MUST not be used when a pattern match is used with a key entity.
+
+
+
+
+
+
+
+ The trustee_name element is the unique name that associated a particular SID. A SID can be associated with a user, group, or program (such as a Windows service). In Windows, trustee names are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, trustee names should be identified in the form: "domain\trustee name". For local trustee names use: "computer name\trustee name". For built-in accounts on the system, use the trustee name without a domain.
+
+
+
+
+
+
+
+
+
+
+
+ The regkeyeffectiverights_state element defines the different rights that can be associated with a given regkeyeffectiverights_object. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+ 5.3
+ Replaced by the regkeyeffectiverights53_state. This state uses a trustee_name element for identifying trustees. Trustee names are not unique, and a new state was created to use trustee SIDs, which are unique. See the regkeyeffectiverights53_state.
+ This state has been deprecated and will be removed in version 6.0 of the language.
+
+
+
+ DEPRECATED STATE: ID:
+
+
+
+
+
+
+
+
+
+
+ This element specifies the hive of a registry key on the machine from which to retrieve the SACL.
+
+
+
+
+ This element specifies a registry key on the machine from which to retrieve the SACL. Note that the hive portion of the string should not be inclueded, as this data should be found under the hive element.
+
+
+
+
+ The unique name associated with a particular security identifier (SID). In Windows, trustee names are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, trustee names should be identified in the form: "domain\trustee name". For local trustee names use: "computer name\trustee name". For built-in accounts on the system, use the trustee name without a domain.
+
+
+
+
+ The right to delete the object.
+
+
+
+
+ The right to read the information in the object's Security Descriptor, not including the information in the SACL.
+
+
+
+
+ The right to modify the DACL in the object's Security Descriptor.
+
+
+
+
+ The right to change the owner in the object's Security Descriptor.
+
+
+
+
+ The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right.
+
+
+
+
+ Indicates access to a system access control list (SACL).
+
+
+
+
+ Read access.
+
+
+
+
+ Write access.
+
+
+
+
+ Execute access.
+
+
+
+
+ Read, write, and execute access.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The windows view value to which this was targeted. This is used to indicate which view (32-bit or 64-bit), the associated State applies to.
+
+
+
+
+
+
+
+
+
+ The RegkeyEffectiveRightsBehaviors complex type defines a number of behaviors that allow a more detailed definition of the registrykeyeffectiverights_object being specified. Note that using these behaviors may result in some unique results. For example, a double negative type condition might be created where an object entity says include everything except a specific item, but a behavior is used that might then add that item back in.
+ The RegkeyEffectiveRightsBehaviors extend the win-def:RegistryBehaviors and therefore include the behaviors defined by that type.
+
+
+ 5.3
+ Replaced by the RegkeyEffectiveRightsBehaviors53. The RegkeyEffectiveRightsBehaviors complex type is used by the regkeyeffectiverights_test which uses a trustee_name element for identifying trustees. Trustee names are not unique, and a new test was created to use trustee SIDs, which are unique. This new test utilizes the RegkeyEffectiveRightsBehaviors53 complex type, and as a result, the RegkeyEffectiveRightsBehaviors complex type is no longer needed.
+ This complex type has been deprecated and will be removed in version 6.0 of the language.
+
+
+
+
+
+
+
+ 'include_group' defines whether the group trustee name should be included in the object when the object is defined by a group trustee name. For example, the intent of an object defined by a group trustee name might be to retrieve all the user trustee names that are members of the group, but not the group trustee name itself.
+
+
+ 5.10
+ The 'include_group' behavior has been deprecated in favor of using variables to reference more efficient objects for expanding groups.
+ Consider using a sid_sid_object or similar to include the members of a group.
+
+
+
+ DEPRECATED BEHAVIOR IN: win-def:regkeyeffectiverights_object
+
+
+
+
+
+
+
+ The 'resolve_group' behavior defines whether an object set defined by a group SID should be resolved to return a set that contains all the user SIDs that are a member of that group. Note that all child groups should also be resolved any valid domain users that are members of the group should also be included. The intent of this behavior is to end up with a list of all individual users from that system that make up the group once everything has been resolved.
+
+
+ 5.6
+ The 'resolve_group' behavior has been deprecated in favor of using variables to reference more efficient objects for expanding groups.
+ Consider using a sid_sid_object or similar to resolve the members of a group.
+
+
+
+ DEPRECATED BEHAVIOR IN: regkeyeffectiverights_object
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The service_test is used to check metadata associated with Windows services. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a service_object and the optional state elements specify the metadata to check.
+
+
+ service_test
+ service_object
+ service_state
+ service_item
+
+
+
+
+
+ - the object child element of a service_test must reference a service_object
+
+
+ - the state child element of a service_test must reference a service_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The service_object element is used by a service_test to define the specific service(s) to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The service_name element specifies the service name as stored in the Service Control Manager (SCM) database on the system.
+
+
+
+
+
+
+
+
+
+
+
+
+ The service_state element defines the different metadata associated with a Windows service. This includes the service name, display name, description, type, start type, current state, controls accepted, start name, path, pid, service flag, and dependencies. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ The service_name element specifies the name of the service as specified in the Service Control Manager (SCM) database.
+
+
+
+
+ The display_name element specifies the name of the service as specified in tools such as Control Panel->Administrative Tools->Services.
+
+
+
+
+ The description element specifies the description of the service.
+
+
+
+
+ The service_type element specifies the type of the service.
+
+
+
+
+ The start_type element specifies when the service should be started.
+
+
+
+
+ The current_state element specifies the current state of the service.
+
+
+
+
+ The controls_accepted element specifies the control codes that a service will accept and process.
+
+
+
+
+ The start_name element specifies the account under which the process should run.
+
+
+
+
+ The path element specifies the path to the binary of the service.
+
+
+
+
+ The pid element specifies the process ID of the service.
+
+
+
+
+ The service_flag element specifies if the service is in a system process that must always run (1) or if the service is in a non-system process or is not running (0). If the service is not running, the pid will be 0. Otherwise, the pid will be non-zero.
+
+
+
+
+ The dependencies element specifies the dependencies of this service on other services.
+
+
+
+
+
+
+
+
+
+
+
+
+ The service effective rights test is used to check the effective rights associated with Windows services. Note that the trustee's effective access rights are the access rights that the DACL grants to the trustee or to any groups of which the trustee is a member. The serviceeffectiverights_test element extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a serviceeffectiverights_object and the optional state element specifies the metadata to check.
+
+
+ serviceeffectiverights_test
+ serviceeffectiverights_object
+ serviceeffectiverights_state
+ serviceeffectiverights_item
+
+
+
+
+
+ - the object child element of a serviceeffectiverights_test must reference a serviceeffectiverights_object
+
+
+ - the state child element of a serviceeffectiverights_test must reference a serviceeffectiverights_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The serviceeffectiverights_object element is used by the serviceeffectiverights_test to define the objects used to evalutate against the specified state. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic.
+ A serviceeffectiverights_object is defined as a combination of a Windows service_name and trustee_sid. The service_name entity represents the service to be evaluated while the trustee_sid entity represents the account (SID) to check the effective rights of. If multiple services or SIDs are matched by either reference, then each possible combination of service and SID is a matching service effective rights object.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The service_name element describes a service to be collected. Note that the service_name element should contain the actual name of the service and not its display name that is found in Control Panel->Administrative Tools->Services. For example, if you wanted to check the effective rights of the Automatic Updates service you would specify 'wuauserv' for the service_name element not 'Automatic Updates'.
+
+
+
+
+ The trustee_sid entity identifies a set of SIDs associated with a user, group, system, or program (such as a Windows service). If an operation other than equals is used to identify matching trustees (i.e. not equal, or a pattern match) then the resulting matches shall be limited to only the trustees referenced in the service's Security Descriptor. The scope is limited here to avoid unnecessarily resource intensive searches for trustees. Note that the larger scope of all known trustees may be obtained through the use of variables.
+
+
+
+
+
+
+
+
+
+
+
+
+ The serviceeffectiverights_state element defines the different rights that can be associated with a given serviceeffectiverights_object. Please refer to the individual elements in the schema for more details about what each represents.
+ See http://support.microsoft.com/kb/914392 for more information.
+
+
+
+
+
+
+
+ The service_name element specifies a service on the machine from which to retrieve the DACL. Note that the service_name element should contain the actual name of the service and not its display name that is found in Control Panel->Administrative Tools->Services. For example, if you wanted to check the effective rights of the Automatic Updates service you would specify 'wuauserv' for the service_name element not 'Automatic Updates'.
+
+
+
+
+ The trustee_sid element is the unique SID that is associated with a user, group, system, or program (such as a Windows service).
+
+
+
+
+ This permission is required to call the DeleteService function to delete the service.
+
+
+
+
+ This permission is required to call the QueryServiceObjectSecurity function to query the Security Descriptor of the service object.
+
+
+
+
+ This permission is required to call the SetServiceObjectSecurity function to modify the DACL member of the service object's Security Descriptor.
+
+
+
+
+ This permission is required to call the SetServiceObjectSecurity function to modify the Owner and Group members of the service object's Security Descriptor.
+
+
+
+
+ Read access (STANDARD_RIGHTS_READ, SERVICE_QUERY_CONFIG, SERVICE_QUERY_STATUS, SERVICE_INTERROGATE, SERVICE_ENUMERATE_DEPENDENTS).
+
+
+
+
+ Write access (STANDARD_RIGHTS_WRITE, SERVICE_CHANGE_CONFIG).
+
+
+
+
+ Execute access (STANDARD_RIGHTS_EXECUTE, SERVICE_START, SERVICE_STOP, SERVICE_PAUSE_CONTINUE, SERVICE_USER_DEFINED_CONTROL).
+
+
+
+
+ This permission is required to call the QueryServiceConfig and QueryServiceConfig2 functions to query the service configuration.
+
+
+
+
+ This permission is required to call the ChangeServiceConfig or ChangeServiceConfig2 function to change the service configuration.
+
+
+
+
+ This permission is required to call the QueryServiceStatusEx function to ask the service control manager about the status of the service.
+
+
+
+
+ This permission is required to call the EnumDependentServices function to enumerate all the services dependent on the service.
+
+
+
+
+ This permission is required to call the StartService function to start the service.
+
+
+
+
+ This permission is required to call the ControlService function to stop the service.
+
+
+
+
+ This permission is required to call the ControlService function to pause or continue the service.
+
+
+
+
+ This permission is required to call the ControlService function to ask the service to report its status immediately.
+
+
+
+
+ This permission is required to call the ControlService function to specify a user-defined control code.
+
+
+
+
+
+
+
+
+
+ The ServiceEffectiveRightsBehaviors complex type defines a number of behaviors that allow a more detailed definition of the serviceeffectiverights_object being specified. Note that using these behaviors may result in some unique results. For example, a double negative type condition might be created where an object entity says include everything except a specific item, but a behavior is used that might then add that item back in.
+
+
+
+ 'include_group' defines whether the group trustee sid should be included in the object when the object is defined by a group trustee sid. For example, the intent of an object defined by a group trustee sid might be to retrieve all the user trustee sids that are members of the group, but not the group trustee sid itself.
+
+
+ 5.11.1:1.2
+ The 'include_group' behavior has been deprecated in favor of using variables to reference more efficient objects for expanding groups.
+ Consider using a sid_sid_object or similar to include the members of a group.
+
+
+
+ DEPRECATED BEHAVIOR IN: win-def:serviceeffectiverights_object
+
+
+
+
+
+
+
+ The 'resolve_group' behavior defines whether an object set defined by a group SID should be resolved to return a set that contains all the user SIDs that are a member of that group. Note that all child groups should also be resolved any valid domain users that are members of the group should also be included. The intent of this behavior is to end up with a list of all individual users from that system that make up the group once everything has been resolved.
+
+
+ 5.11.1:1.2
+ The 'resolve_group' behavior has been deprecated in favor of using variables to reference more efficient objects for expanding groups.
+ Consider using a sid_sid_object or similar to resolve the members of a group.
+
+
+
+ DEPRECATED BEHAVIOR IN: serviceeffectiverights_object
+
+
+
+
+
+
+
+
+
+
+
+ The shared resource test is used to check properties associated with any shared resource on the system. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a sharedresource_object and the optional state element specifies the metadata to check.
+
+
+ sharedresource_test
+ sharedresource_object
+ sharedresource_state
+ sharedresource_item
+
+
+
+
+
+ - the object child element of a sharedresource_test must reference a sharedresource_object
+
+
+ - the state child element of a sharedresource_test must reference a sharedresource_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The sharedresource_object element is used by a shared resource test to define the object, in this case a shared resource, to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+ An shared resource object consists of a single netname entity that identifies a specific shared resource.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The netname element is the unique name that is associated with a specific shared resource.
+
+
+
+
+
+
+
+
+
+
+
+
+ The sharedresource_state element defines the different metadata associated with a Windows shared resource. This includes the share type, permissions, and max uses. This state mirrors the SHARE_INFO_2 structure. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ This element specifies the name associated with a particular shared resource.
+
+
+
+
+ The type of the shared resource.
+
+
+
+
+ The maximum number of concurrent connections that the shared resource can accommodate.
+
+
+
+
+ The number of current connections to the resource.
+
+
+
+
+ The local path for the shared resource.
+
+
+
+
+ Permission to read data from a resource and, by default, to execute the resource.
+
+
+
+
+ Permission to write data to the resource.
+
+
+
+
+ Permission to create an instance of the resource (such as a file); data can be written to the resource as the resource is created.
+
+
+
+
+ Permission to execute the resource.
+
+
+
+
+ Permission to delete the resource.
+
+
+
+
+ Permission to modify the resource's attributes (such as the date and time when a file was last modified).
+
+
+
+
+ Permission to modify the permissions (read, write, create, execute, and delete) assigned to a resource for a user or application.
+
+
+
+
+ Permission to read, write, create, execute, and delete resources, and to modify their attributes and permissions.
+
+
+
+
+
+
+
+
+
+
+
+
+ The shared resource audited permissions test is used to check the audit permissions associated with any shared resource on the system. Note that the trustee's audited permissions are the audit permissons that the SACL grants to the trustee or to any groups of which the trustee is a member. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a sharedresourceauditedpermissions_object and the optional state element specifies the metadata to check.
+
+
+ sharedresourceauditedpermissions_test
+ sharedresourceauditedpermissions_object
+ sharedresourceauditedpermissions_state
+ sharedresourceauditedpermissions_item
+
+
+
+
+
+ - the object child element of a sharedresourceauditedpermissions_test must reference a sharedresourceauditedpermissions_object
+
+
+ - the state child element of a sharedresourceauditedpermissions_test must reference a sharedresourceauditedpermissions_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The sharedresourceauditedpermissions_object element is used by a shared resource audited permissions test to define the objects used to evaluate against the specified state. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic.
+ A shared resource audited permissions object consists of a netname entity that identifies a specific shared resource and a trustee_sid entity that identifies a specific account (SID) to check the audited permissions of.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The netname element is the unique name that is associated with a specific shared resource.
+
+
+
+
+ The trustee_sid entity identifies a unique SID associated with a user, group, system, or program (such as a Windows service). If an operation other than equals is used to identify matching trustees (i.e. not equal, or a pattern match) then the resulting matches shall be limited to only the trustees referenced in the file's Security Descriptor. The scope is limited here to avoid unnecessarily resource intensive searches for trustees. Note that the larger scope of all known trustees may be obtained through the use of variables.
+
+
+
+
+
+
+
+
+
+
+
+
+ The sharedresourceauditedpermissions_state element defines the different audited permissions that can be associated with a given sharedresourceauditedpermissions_object. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ This element specifies the name associated with a particular shared resource.
+
+
+
+
+ The trustee_sid element is the unique SID that associated a user, group, system, or program (such as a Windows service).
+
+
+
+
+ The right to delete the object.
+
+
+
+
+ The right to read the information in the object's Security Descriptor, not including the information in the SACL.
+
+
+
+
+ The right to modify the DACL in the object's Security Descriptor.
+
+
+
+
+ The right to change the owner in the object's Security Descriptor.
+
+
+
+
+ The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right.
+
+
+
+
+ Indicates access to a system access control list (SACL).
+
+
+
+
+ Read access.
+
+
+
+
+ Write access.
+
+
+
+
+ Execute access.
+
+
+
+
+ Read, write, and execute access.
+
+
+
+
+
+
+
+
+
+ The SharedResourceAuditedPermissionsBehaviors complex type defines a behavior that allows for a more detailed definition of the sharedresourceauditedpermissions_object being specified. Note that using this behavior may result in some unique results. For example, a double negative type condition might be created where an object entity says include everything except a specific item, but a behavior is used that might then add that item back in.
+
+
+
+ 'include_group' defines whether the group SID should be included in the object when the object is defined by a group SID. For example, the intent of an object defined by a group SID might be to retrieve all the user SIDs that are a member of the group, but not the group SID itself.
+
+
+ 5.10.1
+ The 'include_group' behavior has been deprecated in favor of using variables to reference more efficient objects for expanding groups.
+ Consider using a sid_sid_object or similar to include the members of a group.
+
+
+
+ DEPRECATED BEHAVIOR IN: win-def:sharedresourceauditedpermissions_object
+
+
+
+
+
+
+
+
+
+
+
+ The shared resource effective rights test is used to check the effective rights associated with any shared resource on the system. Note that the trustee's effective access rights are the access rights that the DACL grants to the trustee or to any groups of which the trustee is a member. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a sharedresourceeffectiverights_object and the optional state element specifies the metadata to check.
+
+
+ sharedresourceeffectiverights_test
+ sharedresourceeffectiverights_object
+ sharedresourceeffectiverights_state
+ sharedresourceeffectiverights_item
+
+
+
+
+
+ - the object child element of a sharedresourceeffectiverights_test must reference a sharedresourceeffectiverights_object
+
+
+ - the state child element of a sharedresourceeffectiverights_test must reference a sharedresourceeffectiverights_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The sharedresourceeffectiverights_object element is used by a shared resource effective rights test to define the object, in this case a shared resource effective rights object, to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+ A shared resource effective rights object consists of a netname entity that identifies a specific shared resource and a trustee_sid entity that identifies a specific account (SID) to check the effective rights of.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The netname element is the unique name that is associated with a specific shared resource.
+
+
+
+
+ The trustee_sid entity identifies a unique SID associated with a user, group, system, or program (such as a Windows service). If an operation other than equals is used to identify matching trustees (i.e. not equal, or a pattern match) then the resulting matches shall be limited to only the trustees referenced in the file's Security Descriptor. The scope is limited here to avoid unnecessarily resource intensive searches for trustees. Note that the larger scope of all known trustees may be obtained through the use of variables.
+
+
+
+
+
+
+
+
+
+
+
+
+ The sharedresourceeffectiverights_state element defines the different rights that can be associated with a given sharedresourceeffectiverights_object. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ This element specifies the name associated with a particular shared resource.
+
+
+
+
+ The trustee_sid element is the unique SID that associated a user, group, system, or program (such as a Windows service).
+
+
+
+
+ The right to delete the object.
+
+
+
+
+ The right to read the information in the object's Security Descriptor, not including the information in the SACL.
+
+
+
+
+ The right to modify the DACL in the object's Security Descriptor.
+
+
+
+
+ The right to change the owner in the object's Security Descriptor.
+
+
+
+
+ The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right.
+
+
+
+
+ Indicates access to a system access control list (SACL).
+
+
+
+
+ Read access.
+
+
+
+
+ Write access.
+
+
+
+
+ Execute access.
+
+
+
+
+ Read, write, and execute access.
+
+
+
+
+
+
+
+
+
+ The SharedResourceEffectiveRightsBehaviors complex type defines a behavior that allows for a more detailed definition of the sharedresourceeffectiverights_object being specified. Note that using this behavior may result in some unique results. For example, a double negative type condition might be created where an object entity says include everything except a specific item, but a behavior is used that might then add that item back in.
+
+
+
+ 'include_group' defines whether the group SID should be included in the object when the object is defined by a group SID. For example, the intent of an object defined by a group SID might be to retrieve all the user SIDs that are a member of the group, but not the group SID itself.
+
+
+ 5.10.1
+ The 'include_group' behavior has been deprecated in favor of using variables to reference more efficient objects for expanding groups.
+ Consider using a sid_sid_object or similar to include the members of a group.
+
+
+
+ DEPRECATED BEHAVIOR IN: win-def:sharedresourceeffectiverights_object
+
+
+
+
+
+
+
+
+
+
+
+ The SID test is used to check properties associated with the specified SID. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a sid_object and the optional state element specifies the metadata to check.
+
+
+ sid_test
+ sid_object
+ sid_state
+ sid_item
+
+
+
+
+
+ - the object child element of a sid_test must reference a sid_object
+
+
+ - the state child element of a sid_test must reference a sid_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The sid_object element is used by a sid_test to define the object set, in this case a set of SIDs (identified by name), to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The trustee_name element is the unique name that associated a particular SID. A SID can be associated with a user, group, or program (such as a Windows service). In Windows, trustee names are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, trustee names should be identified in the form: "domain\trustee name". For local trustee names use: "computer name\trustee name". For built-in accounts on the system, use the trustee name without a domain.
+
+
+
+
+
+
+
+
+
+
+
+
+ The sid_state element defines the different metadata associate with a Windows trustee (identified by name). Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ This element specifies the trustee name associated with a particular SID. In Windows, trustee names are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, trustee names should be identified in the form: "domain\trustee name". For local trustee names use: "computer name\trustee name". For built-in accounts on the system, use the trustee name without a domain.
+
+
+
+
+ The security identifier (SID) of the specified trustee name.
+
+
+
+
+ The domain of the specified trustee name.
+
+
+
+
+
+
+
+
+
+ The SidBehaviors complex type defines a number of behaviors that allow a more detailed definition of the sid_object being specified. Note that using these behaviors may result in some unique results. For example, a double negative type condition might be created where an object entity says include everything except a specific item, but a behavior is used that might then add that item back in.
+
+
+
+ 'include_group' defines whether the group SID should be included in the object when the object is defined by a group SID. For example, the intent of an object defined by a group SID might be to retrieve all the user SIDs that are a member of the group, but not the group SID itself.
+
+
+
+
+ The 'resolve_group' behavior defines whether an object set defined by a group SID should be resolved to return a set that contains all the user SIDs that are a member of that group. Note that all child groups should also be resolved any valid domain users that are members of the group should also be included. The intent of this behavior is to end up with a list of all individual users from that system that make up the group once everything has been resolved.
+
+
+
+
+
+
+
+
+ The sid_sid_test is used to check properties associated with the specified SID. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a sid_sid_object and the optional state element specifies the metadata to check.
+ Note that this sid_sid test was added in version 5.4 as a temporary fix. There is a need within the community to identify things like users and groups by both the name and the SID. For version 6 of OVAL, work is underway for a better solution to the problem, but for now, a second test was added to satisfy the need.
+
+
+ sid_sid_test
+ sid_sid_object
+ sid_sid_state
+ sid_sid_item
+
+
+
+
+
+ - the object child element of a sid_sid_test must reference a sid_sid_object
+
+
+ - the state child element of a sid_sid_test must reference a sid_sid_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The sid_sid_object element is used by a sid_sid_test to define the object set, in this case a set of SIDs, to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The trustee_sid entity identifies a unique SID associated with a user, group, system, or program (such as a Windows service).
+
+
+
+
+
+
+
+
+
+
+
+
+ The sid_state element defines the different metadata associate with a Windows trustee (identified by SID). Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ The security identifier (SID) of the specified trustee name.
+
+
+
+
+ This element specifies the trustee name associated with a particular SID. In Windows, trustee names are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, trustee names should be identified in the form: "domain\trustee name". For local trustee names use: "computer name\trustee name". For built-in accounts on the system, use the trustee name without a domain.
+
+
+
+
+ The domain of the specified trustee name.
+
+
+
+
+
+
+
+
+
+ The SidSidBehaviors complex type defines a number of behaviors that allow a more detailed definition of the sid_sid_object being specified. Note that using these behaviors may result in some unique results. For example, a double negative type condition might be created where an object entity says include everything except a specific item, but a behavior is used that might then add that item back in.
+
+
+
+ 'include_group' defines whether the group SID should be included in the object when the object is defined by a group SID. For example, the intent of an object defined by a group SID might be to retrieve all the user SIDs that are a member of the group, but not the group SID itself.
+
+
+
+
+ The 'resolve_group' behavior defines whether an object set defined by a group SID should be resolved to return a set that contains all the user SIDs that are a member of that group. Note that all child groups should also be resolved any valid domain users that are members of the group should also be included. The intent of this behavior is to end up with a list of all individual users from that system that make up the group once everything has been resolved.
+
+
+
+
+
+
+
+
+ The system metric test is used to check the value of a particular Windows system metric. Access to this information is exposed by the GetSystemMetrics function in User32.dll.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The system metric object element is used by a system metric test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+
+
+
+
+
+
+
+
+
+ The index entity provides the system metric index value that is desired.
+
+
+
+
+
+
+
+
+
+
+
+
+ The system metric state element defines the different information that can be found in a Windows system metric value. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ The index entity corresponds to the systemmetric_object index entity.
+
+
+
+
+ The optional value entity provides the value of the system metric that is expected.
+
+
+
+
+
+
+
+
+
+
+
+
+ The user access control test is used to check setting related to User Access Control within Windows. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a uaac_object and the optional state element specifies the metadata to check.
+
+
+ uac_test
+ uac_object
+ uac_state
+ uac_item
+
+
+
+
+
+ - the object child element of a uac_test must reference a uac_object
+
+
+ - the state child element of a uac_test must reference a uac_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The uac_object element is used by a user access control test to define those objects to evaluate based on a specified state. There is actually only one object relating to user access control and this is the system as a whole. Therefore, there are no child entities defined. Any OVAL Test written to check user access control settings will reference the same uac_object which is basically an empty object element.
+
+
+
+
+
+
+
+
+
+ The uac_state element specifies the different settings that are available under User Access Control. A user access control test will reference a specific instance of this state that defines the exact settings that need to be evaluated. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ Admin Approval Mode for the Built-in Administrator account.
+
+
+
+
+ Behavior of the elevation prompt for administrators in Admin Approval Mode.
+
+
+
+
+ Behavior of the elevation prompt for standard users.
+
+
+
+
+ Detect application installations and prompt for elevation.
+
+
+
+
+ Only elevate executables that are signed and validated.
+
+
+
+
+ Only elevate UIAccess applications that are installed in secure locations.
+
+
+
+
+ Run all administrators in Admin Approval Mode.
+
+
+
+
+ Switch to the secure desktop when prompting for elevation.
+
+
+
+
+ Virtualize file and registry write failures to per-user locations.
+
+
+
+
+
+
+
+
+
+
+
+
+ The user_test is used to check information about Windows users. When the user_test collects the users on the system, it should only include the local and built-in user accounts and not domain user accounts. However, it is important to note that domain user accounts can still be looked up. Also, note that the collection of groups, for which a user is a member, is not recursive. The only groups that will be collected are those for which the user is a direct member. For example, if a user is a member of group A, and group A is a member of group B, the only group that will be collected is group A. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a user_object and the optional state element specifies the metadata to check.
+
+
+ user_test
+ user_object
+ user_state
+ user_item
+
+
+
+
+ 5.11
+ Replaced by the user_sid55_test. This test uses trustee names for identifying accounts on the system. Trustee names are not unique and the user_sid55_test, which uses trustee SIDs which are unique, should be used instead. See the user_sid55_test.
+ This test has been deprecated and will be removed in version 6.0 of the language.
+
+
+
+ DEPRECATED TEST: ID:
+
+
+
+
+
+
+ - the object child element of a user_test must reference a user_object
+
+
+ - the state child element of a user_test must reference a user_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 5.11
+ Replaced by the user_sid55_object. This object uses trustee names for identifying accounts on the system. Trustee names are not unique and the user_sid55_object, which uses trustee SIDs which are unique, should be used instead. See the user_sid55_object.
+ This object has been deprecated and will be removed in version 6.0 of the language.
+
+
+
+ DEPRECATED OBJECT: ID:
+
+
+
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The user entity holds a string that represents the name of a particular user. In Windows, user names are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, users should be identified in the form: "domain\user name". For local users use: "computer name\user name". For built-in accounts on the system, use the user name without a domain.
+
+
+
+
+
+
+
+
+
+
+
+
+ The user_state element enumerates the different groups (identified by name) that a Windows user might belong to. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+ 5.11
+ Replaced by the user_sid55_state. This state uses trustee names for identifying accounts on the system. Trustee names are not unique and the user_sid55_state, which uses trustee SIDs which are unique, should be used instead. See the user_sid55_state.
+ This state has been deprecated and will be removed in version 6.0 of the language.
+
+
+
+ DEPRECATED STATE: ID:
+
+
+
+
+
+
+
+
+
+
+ The user entity holds a string that represents the name of a particular user. In Windows, user names are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, users should be identified in the form: "domain\user name". For local users use: "computer name\user name". For built-in accounts on the system, use the user name without a domain.
+
+
+
+
+ This element holds a boolean value that specifies whether the particular user account is enabled or not.
+
+
+
+
+ A string that represents the name of a particular group. In Windows, group names are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, groups should be identified in the form: "domain\group name". For local groups use: "computer name\group name". For built-in accounts on the system, use the group name without a domain.
+ The group element can be included multiple times in a system characteristic item in order to record that a user can be a member of a number of different groups. Note that the entity_check attribute associated with EntityStateStringType guides the evaluation of entities like group that refer to items that can occur an unbounded number of times.
+
+
+
+
+ The date and time when the last logon occurred. This value is stored as the number of seconds that have elapsed since 00:00:00, January 1, 1970, GMT. If the target system is a domain controller, this data is maintained separately on each backup domain controller (BDC) in the domain. To obtain an accurate value, you must query each BDC in the domain. The last logoff occurred at the time indicated by the largest retrieved value.
+
+
+
+
+ A Unicode string that contains the full name of the user. This string can be a NULL string, or it can have any number of characters before the terminating null character.
+
+
+
+
+ A Unicode string that contains a comment to associate with the user account. The string can be a NULL string, or it can have any number of characters before the terminating null character.
+
+
+
+
+ The number of days that have elapsed since the password was last changed. This data should be rounded up to the nearest integer.
+
+
+
+
+ The account is currently locked out.
+
+
+
+
+ No password is required.
+
+
+
+
+ The password should never expire on the account.
+
+
+
+
+ The user's password is stored under reversible encryption in the Active Directory.
+
+
+
+
+ Marks the account as "sensitive"; other users cannot act as delegates of this user account.
+
+
+
+
+ Restrict this principal to use only Data Encryption Standard (DES) encryption types for keys.
+
+
+
+
+ This account does not require Kerberos preauthentication for logon.
+
+
+
+
+ The password expiration information. Zero if the password has not expired (and nonzero if it has).
+
+
+
+
+ Requires the user to log on to the user account with a smart card.
+
+
+
+
+ The account is enabled for delegation. This is a security-sensitive setting; accounts with this option enabled should be tightly controlled. This setting allows a service running under the account to assume a client's identity and authenticate as that user to other remote servers on the network.
+
+
+
+
+ The account is trusted to authenticate a user outside of the Kerberos security package and delegate that user through constrained delegation. This is a security-sensitive setting; accounts with this option enabled should be tightly controlled. This setting allows a service running under the account to assert a client's identity and authenticate as that user to specifically configured services on the network. Windows 2000: This value is not supported.
+
+
+
+
+
+
+
+
+
+
+
+
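Review bot: "The last logoff occurred at the time indicated by the largest retrieved value" in the last_logon description of user_state (the paragraph beginning "The date and time when the last logon occurred") contradicts the rest of that paragraph, which is about the last logon; change "logoff" to "logon". Separately, the rendered Schematron text "State referenced in filter for '' is of the wrong type." and the headings "DEPRECATED TEST: ID:", "DEPRECATED OBJECT: ID:" and "DEPRECATED STATE: ID:" all have an empty identifier slot; check that the documentation generator carries the referenced id into the message, otherwise the reader cannot tell which element is being flagged.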
+ The user_sid55_test is used to check information about Windows users. When the user_sid55_test collects the user SIDs on the system, it should only include the local and built-in user SIDs and not domain user SIDs. However, it is important to note that domain user SIDs can still be looked up. Also, note that the collection of groups, for which a user is a member, is not recursive. The only groups that will be collected are those for which the user is a direct member. For example, if a user is a member of group A, and group A is a member of group B, the only group that will be collected is group A. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a user_sid55_object and the optional state element specifies the metadata to check.
+
+
+ user_sid55_test
+ user_sid55_object
+ user_sid55_state
+ user_sid_item
+
+
+
+
+
+ - the object child element of a user_sid55_test must reference a user_sid55_object
+
+
+ - the state child element of a user_sid55_test must reference a user_sid55_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The user_sid55_object represents a set of users on a Windows system. This set (which might contain only one user) is identified by a SID.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The user_sid entity holds a string that represents the SID of a particular user.
+
+
+
+
+
+
+
+
+
+
+
+
+ The user_sid55_state element enumerates the different groups (identified by SID) that a Windows user might belong to. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ The user_sid entity holds a string that represents the SID of a particular user.
+
+
+
+
+ This element holds a boolean value that specifies whether the particular user account is enabled or not.
+
+
+
+
+ A string the represents the SID of a particular group. The group_sid element can be included multiple times in a system characteristic item in order to record that a user can be a member of a number of different groups. Note that the entity_check attribute associated with EntityStateStringType guides the evaluation of entities like group that refer to items that can occur an unbounded number of times.
+
+
+
+
+ The date and time when the last logon occurred. This value is stored as the number of seconds that have elapsed since 00:00:00, January 1, 1970, GMT.
+
+
+
+
+
+
+
+
+
+
+
+
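Review bot: "A string the represents the SID of a particular group" in the group_sid description of user_sid55_state should read "A string that represents the SID of a particular group", and the same paragraph says "entities like group" where the entity being described is group_sid.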
+ The user_sid_test is used to check information about Windows users. When the user_sid_test collects the user SIDs on the system, it should only include the local and built-in user SIDs and not domain user SIDs. However, it is important to note that domain user SIDs can still be looked up. Also, note that the collection of groups, for which a user is a member, is not recursive. The only groups that will be collected are those for which the user is a direct member. For example, if a user is a member of group A, and group A is a member of group B, the only group that will be collected is group A. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a user_sid_object and the optional state element specifies the metadata to check.
+
+
+ user_sid_test
+ user_sid_object
+ user_sid_state
+ user_sid_item
+
+
+
+
+ 5.5
+ Replaced by the user_sid55_test. This test uses user and group elements that are incorrectly named. A new test was created to change the element names to their correct values which are user_sid and group_sid. See the user_sid55_test.
+ This test has been deprecated and will be removed in version 6.0 of the language.
+
+
+
+ DEPRECATED TEST: ID:
+
+
+
+
+
+
+ - the object child element of a user_sid_test must reference a user_sid_object
+
+
+ - the state child element of a user_sid_test must reference a user_sid_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The user_sid_object represents a set of users on a Windows system. This set (which might contain only one user) is identified by a SID.
+
+
+ 5.5
+ Replaced by the user_sid55_object. This object uses a user element that is incorrectly named. A new object was created to change the element name to its correct value which is user_sid. See the user_sid55_object.
+ This object has been deprecated and will be removed in version 6.0 of the language.
+
+
+
+ DEPRECATED OBJECT: ID:
+
+
+
+
+
+
+
+
+
+
+
+
+ The user_sid entity holds a string that represents the SID of a particular user.
+
+
+
+
+
+
+
+
+
+
+ The user_sid_state element enumerates the different groups (identified by SID) that a Windows user might belong to. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+ 5.5
+ Replaced by the user_sid55_state. This state uses user and group elements that are incorrectly named. A new state was created to change the element names to their correct values which are user_sid and group_sid. See the user_sid55_state.
+ This state has been deprecated and will be removed in version 6.0 of the language.
+
+
+
+ DEPRECATED STATE: ID:
+
+
+
+
+
+
+
+
+
+
+ The user_sid entity holds a string that represents the SID of a particular user.
+
+
+
+
+ This element holds a boolean value that specifies whether the particular user account is enabled or not.
+
+
+
+
+ A string the represents the SID of a particular group. The group_sid element can be included multiple times in a system characteristic item in order to record that a user can be a member of a number of different groups. Note that the entity_check attribute associated with EntityStateStringType guides the evaluation of entities like group that refer to items that can occur an unbounded number of times.
+
+
+
+
+
+
+
+
+
+
+
+
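Review bot: "A string the represents the SID of a particular group" in the group_sid description of user_sid_state should read "A string that represents the SID of a particular group", and "entities like group" in that paragraph should name group_sid, the entity actually being described.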
+ The userright_test is used to enumerate all of the trustees/SIDs that have been granted a specific user right/privilege.
+
+
+ userright_test
+ userright_object
+ userright_state
+ userright_item
+
+
+
+
+
+ - the object child element of a userright_test must reference a userright_object
+
+
+ - the state child element of a userright_test must reference a userright_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The userright_object is used to collect the trustees/SIDs that have been granted a specific user right/privilege.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The userright entity holds a string that represents the name of a particular user right/privilege.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The userright_state is used to determine if a trustee/SID has been granted a user right/privilege.
+
+
+
+
+
+
+ The userright entity holds a string that represents the name of a particular user right/privilege.
+
+
+
+
+ The trustee_name entity is the unique name associated with the SID that has been granted the specified user right/privilege. A trustee can be associated with a user, group, or program (such as a Windows service). In Windows, trustee names are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, trustee names should be identified in the form: "domain\trustee name". For local trustee names use: "computer name\trustee name". For built-in accounts on the system, use the trustee name without a domain.
+
+
+
+
+ The trustee_sid entity identifies the SID that has been granted the specified user right/privilege.
+
+
+
+
+
+
+
+
+
+
+
+
+ The volume_test is used to check information about different storage volumes found on a Windows system. This includes the various system flags returned by GetVolumeInformation(). It is important to note that these system flags are specific to certain versions of Windows. As a result, the documentation for that version of Windows should be consulted for more information. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a volume_object and the optional state element specifies the metadata to check.
+
+
+ volume_test
+ volume_object
+ volume_state
+ volume_item
+
+
+
+
+
+ - the object child element of a volume_test must reference a volume_object
+
+
+ - the state child element of a volume_test must reference a volume_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The volume_object element is used by a volume test to define the specific volume(s) to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+ A volume object defines the rootpath of the volume(s).
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ A string that contains the root directory of the volume to be described. A trailing backslash is required. For example, you would specify \\MyServer\MyShare as "\\MyServer\MyShare\", or the C drive as "C:\".
+
+
+
+
+
+
+
+
+
+
+
+
+ The volume_state element defines the different metadata associate with a storage volume in Windows. This includes the rootpath, the file system type, name, and serial number, as well as any associated flags. Please refer to the individual elements in the schema for more details about what each represents. The GetVolumeInformation function as defined by Microsoft is also a good place to look for information.
+
+
+
+
+
+
+
+ A string that contains the root directory of the volume to be described. A trailing backslash is required. For example, you would specify \\MyServer\MyShare as "\\MyServer\MyShare\", or the C drive as "C:\".
+
+
+
+
+ The type of filesystem. For example FAT or NTFS.
+
+
+
+
+ The name of the volume.
+
+
+
+
+ The drive type of the volume.
+
+
+
+
+ The volume_max_component_length element specifies the maximum length, in TCHARs, of a file name component that a specified file system supports. A file name component is the portion of a file name between backslashes. The value that is stored in the variable that *lpMaximumComponentLength points to is used to indicate that a specified file system supports long names. For example, for a FAT file system that supports long names, the function stores the value 255, rather than the previous 8.3 indicator. Long names can also be supported on systems that use the NTFS file system.
+
+
+
+
+ The volume serial number.
+
+
+
+
+ The file system supports case-sensitive file names.
+
+
+
+
+ The file system preserves the case of file names when it places a name on disk.
+
+
+
+
+ The file system supports Unicode in file names as they appear on disk.
+
+
+
+
+ The file system preserves and enforces ACLs. For example, NTFS preserves and enforces ACLs, and FAT does not.
+
+
+
+
+ The file system supports file-based compression.
+
+
+
+
+ The file system supports disk quotas.
+
+
+
+
+ The file system supports sparse files.
+
+
+
+
+ The file system supports reparse points.
+
+
+
+
+ The file system supports remote storage.
+
+
+
+
+ The specified volume is a compressed volume; for example, a DoubleSpace volume.
+
+
+
+
+ The file system supports object identifiers.
+
+
+
+
+ The file system supports the Encrypted File System (EFS).
+
+
+
+
+ The file system supports named streams.
+
+
+
+
+ The specified volume is read-only.
+
+
+
+
+ The file system supports one time writes in sequential order.
+
+
+
+
+ The file system supports transaction processing.
+
+
+
+
+ The file system supports direct links to other devices and partitions.
+
+
+
+
+ The file system supports extended attributes.
+
+
+
+
+ The file system supports fileID.
+
+
+
+
+ The file system supports update sequence number journals.
+
+
+
+
+
+
+
+
+
+
+
+
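Review bot: the volume_max_component_length description in volume_state refers to "the variable that *lpMaximumComponentLength points to", which is an output parameter of the GetVolumeInformation C API and not anything a reader of this schema can see; reword it to say that the value reported by GetVolumeInformation indicates whether the file system supports long names. Also, "the different metadata associate with a storage volume" in the volume_state introduction should be "associated with".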
+ The wmi test is used to check information accessed by WMI. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a wmi_object and the optional state element specifies the metadata to check.
+
+
+ wmi_test
+ wmi_object
+ wmi_state
+ wmi_item
+
+
+
+
+ 5.7
+ Replaced by the wmi57_test. This test only allows for single fields to be selected from WMI. A new test was created to allow more than one field to be selected in one statement. See the wmi57_test.
+ This test has been deprecated and may be removed in a future version of the language.
+
+
+
+ DEPRECATED TEST: ID:
+
+
+
+
+
+
+ - the object child element of a wmi_test must reference a wmi_object
+
+
+ - the state child element of a wmi_test must reference a wmi_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 5.7
+ Replaced by the wmi57_object. This object allows for single fields to be selected from WMI. A new object was created to allow more than one field to be selected in one statement. See the wmi57_object.
+ This object has been deprecated and may be removed in a future version of the language.
+
+
+
+ DEPRECATED OBJECT: ID:
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Specifies which WMI namespace to look under. Each WMI provider normally registers its own WMI namespace and then all its classes within that namespace. For example, all Win32 WMI classes can be found in the namespace "root\cimv2", all IIS WMI classes can be found at "root\microsoftiisv2", and all LDAP WMI classes can be found at "root\directory\ldap".
+
+
+
+ - operation attribute for the namespace entity of a wmi_object should be 'equals', note that this overrules the general operation attribute validation (i.e. follow this one)
+
+
+
+
+
+
+
+ A WQL query used to identify the object(s) to test against. Any valid WQL query is usable with one exception, at most one field is allowed in the SELECT portion of the query. For example SELECT name FROM ... is valid, as is SELECT 'true' FROM ..., but SELECT name, number FROM ... is not valid. This is because the result element in the data section is only designed to work against a single field.
+
+
+
+ - operation attribute for the wql entity of a wmi_object should be 'equals', note that this overrules the general operation attribute validation (i.e. follow this one)
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 5.7
+ Replaced by the wmi57_state. This object allows for single fields to be selected from WMI. A new state was created to allow more than one field to be selected in one statement. See the wmi57_state.
+ This state has been deprecated and may be removed in a future version of the language.
+
+
+
+ DEPRECATED STATE: ID:
+
+
+
+
+
+
+
+
+
+
+ Specifies which WMI namespace to look under. Each WMI provider normally registers its own WMI namespace and then all its classes within that namespace. For example, all Win32 WMI classes can be found in the namespace "root\cimv2", all IIS WMI classes can be found at "root\microsoftiisv2", and all LDAP WMI classes can be found at "root\directory\ldap".
+
+
+
+
+ A WQL query used to identify the object(s) to test against. Any valid WQL query is usable with one exception, at most one field is allowed in the SELECT portion of the query. For example SELECT name FROM ... is valid, as is SELECT 'true' FROM ..., but SELECT name, number FROM ... is not valid. This is because the result element in the data section is only designed to work against a single field.
+
+
+
+
+ The result element specifies how to test objects in the result set of the specified WQL statement. Only one comparable field is allowed. So if the WQL statement look like 'SELECT name FROM ...', then a result element with a value of 'Fred' would test that value against the names returned by the WQL statement.
+
+
+
+
+
+
+
+
+
+
+
+
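Review bot: the wmi_object deprecation text "This object allows for single fields to be selected from WMI" drops the "only" that the wmi_test deprecation text has ("This test only allows for single fields"), and the wmi_state deprecation text says "This object allows for single fields" where it should say "This state only allows for single fields"; as written, neither explains why a replacement was needed. Also, "if the WQL statement look like" in the result description should be "looks like".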
+ The wmi57 test is used to check information accessed by WMI. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a wmi57_object and the optional state element specifies the metadata to check.
+
+
+ wmi57_test
+ wmi57_object
+ wmi57_state
+ wmi57_item
+
+
+
+
+
+ - the object child element of a wmi57_test must reference a wmi57_object
+
+
+ - the state child element of a wmi57_test must reference a wmi57_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Specifies which WMI namespace to look under. Each WMI provider normally registers its own WMI namespace and then all its classes within that namespace. For example, all Win32 WMI classes can be found in the namespace "root\cimv2", all IIS WMI classes can be found at "root\microsoftiisv2", and all LDAP WMI classes can be found at "root\directory\ldap".
+
+
+
+ - operation attribute for the namespace entity of a wmi57_object should be 'equals', note that this overrules the general operation attribute validation (i.e. follow this one)
+
+
+
+
+
+
+
+ A WQL query used to identify the object(s) to test against. Any valid WQL query is usable with one exception, all fields must be named in the SELECT portion of the query. For example SELECT name, age FROM ... is valid. However, SELECT * FROM ... is not valid. This is because the record element in the state and item require a unique field name value to ensure that any query results can be evaluated consistently.
+
+
+
+ - operation attribute for the wql entity of a wmi57_object should be 'equals', note that this overrules the general operation attribute validation (i.e. follow this one)
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Specifies which WMI namespace to look under. Each WMI provider normally registers its own WMI namespace and then all its classes within that namespace. For example, all Win32 WMI classes can be found in the namespace "root\cimv2", all IIS WMI classes can be found at "root\microsoftiisv2", and all LDAP WMI classes can be found at "root\directory\ldap".
+
+
+
+
+ A WQL query used to identify the object(s) to test against. Any valid WQL query is usable with one exception, all fields must be named in the SELECT portion of the query. For example SELECT name, age FROM ... is valid. However, SELECT * FROM ... is not valid. This is because the record element in the state and item require a unique field name value to ensure that any query results can be evaluated consistantly.
+
+
+
+
+ The result element specifies how to test items in the result set of the specified WQL statement.
+
+
+
+ - datatype attribute for the result entity of a wmi57_object must be 'record'
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
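Review bot: the Schematron message "datatype attribute for the result entity of a wmi57_object must be 'record'" names the wrong element: the result entity appears only under wmi57_state, and the wmi57_object entities documented above are namespace and wql, so the message should say wmi57_state. Also, "consistantly" in the wmi57_state wql description should be "consistently", as it is spelled in the otherwise identical wmi57_object wql description.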
+ The wuaupdatesearcher_test is used to evaluate patch level in a Windows environment utilizing the WUA (Windows Update Agent) interface. It is based on the Search method of the IUpdateSearcher interface found in the WUA API. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a wuaupdatesearcher_object and the optional state element specifies the metadata to check.
+ Note that WUA can work off of many different sources including WSUS, update.microsoft.com, and a local cab file. The content source is specific to a given system evaluating a wuaupdatesearcher_test and thus is not defined by this test. The tool being used for evaluation should determine what content source is best for the system being assessed and then evaluate this test based on that selection.
+
+
+ wuaupdatesearcher_test
+ wuaupdatesearcher_object
+ wuaupdatesearcher_state
+ wuaupdatesearcher_item
+
+
+
+
+
+
+ - the object child element of a wuaupdatesearcher_test must reference a wuaupdatesearcher_object
+
+
+
+
+ - the state child element of a wuaupdatesearcher_test must reference a wuaupdatesearcher_state
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The wuaupdatesearcher_object element is used by a wuaupdatesearcher_test to define the specific search criteria to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
+
+
+
+
+
+
+
+
+
+ State referenced in filter for '' is of the wrong type.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The search_criteria entity specifies a search criteria to use when generating a search result. The string used for the search criteria entity must match the custom search language for Search method of the IUpdateSearcher interface. The string consists of criteria that are evaluated to determine which updates to return. The Search method performs a synchronous search for updates by using the current configured search options. For more information about possible search criteria, please see the Search method of the IUpdateSearcher interface.
+
+
+
+
+ - operation attribute for the search_criteria entity of a wuaupdatesearcher_object must be 'equals'
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The wuaupdatesearcher_state element defines entities that can be tested related to a uaupdatesearcher_object. This includes the search criteria and updated id. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ The search_criteria entity specifies a string to examine the search criteria that was used to generate the object set. Note that since this entity is part of the state, it is not used to determine the object set, but rather is used to test the search criteria that was actually used.
+
+
+
+
+ The update_id enity specifies a string that represents a revision-independent identifier of an update. This information is part of the IUpdateIdentity interface that is part of the result of the IUpdateSearcher interface's Search method.
+
+
+
+
+
+
+
+
+
+ The WuaUpdateSearcherBehaviors complex type defines behaviors that allow a more detailed definition of the wuaupdatesearcher_object being specified. Note that using these behaviors may result in some unique results. For example, a double negative type condition might be created where an object entity says include everything except a specific item, but a behavior is used that might then add that item back in.
+
+
+
+ 'include_superseded_updates' is a boolean flag that when set to true indicates that the search results should include updates that are superseded by other updates in the search results. When set to 'false' superseded updates should be excluded from the set of matching update items. The default value is 'true'.
+
+
+
+
+
+
+
+
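Review bot: "related to a uaupdatesearcher_object" in the wuaupdatesearcher_state introduction is missing the leading "w" (wuaupdatesearcher_object), and "updated id" in the same sentence should be "update id" to match the update_id entity it introduces; "The update_id enity specifies" below it should be "entity".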
+ The EntityStateAddrTypeType complex type restricts a string value to a specific set of values that describe address types associated with an interface. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+
+
+
+
+ The stated IP address is being deleted. The unsigned short value that this corresponds to is 0x0040
+
+
+
+
+ The stated IP address is on a disconnected interface. The unsigned short value that this corresponds to is 0x0008.
+
+
+
+
+ The stated IP address is a dynamic IP address. The unsigned short value that this corresponds to is 0x0004.
+
+
+
+
+ The stated IP address is a primary IP address. The unsigned short value that this corresponds to is 0x0001.
+
+
+
+
+ The stated IP address is a transient IP address. The unsigned short value that this corresponds to is 0x0080
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
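Review bot: the EntityStateAddrTypeType entries for 0x0040 and 0x0080 end without a period while the other three entries do; add the missing period after "is 0x0040" and "is 0x0080". Also, "to support empty element associated with variable references" in the type's introduction should be "empty elements".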
+ The EntityStateAdstypeType complex type restricts a string value to a specific set of values that specify the different types of information that an active directory attribute can represents. For more information look at the ADSTYPEENUM enumeration defined by Microsoft. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+
+
+
+
+ The data type is invalid.
+
+
+
+
+ The string is of Distinguished Name (path) of a directory service object.
+
+
+
+
+ The string is of the case-sensitive type.
+
+
+
+
+ The string is of the case-insensitive type.
+
+
+
+
+ The string is displayable on the screen or in print.
+
+
+
+
+ The string is of a numeric value to be interpreted as text.
+
+
+
+
+ The data is of a Boolean value.
+
+
+
+
+ The data is of an integer value.
+
+
+
+
+ The string is of a byte array.
+
+
+
+
+ The data is of the universal time as expressed in Universal Time Coordinate (UTC).
+
+
+
+
+ The data is of a long integer value.
+
+
+
+
+ The string is of a provider-specific string.
+
+
+
+
+ Not used.
+
+
+
+
+ The data is of a list of case insensitive strings.
+
+
+
+
+ The data is of a list of octet strings.
+
+
+
+
+ The string is of a directory path.
+
+
+
+
+ The string is of the postal address type.
+
+
+
+
+ The data is of a time stamp in seconds.
+
+
+
+
+ The string is of a back link.
+
+
+
+
+ The string is of a typed name.
+
+
+
+
+ The data is of the Hold data structure.
+
+
+
+
+ The string is of a net address.
+
+
+
+
+ The data is of a replica pointer.
+
+
+
+
+ The string is of a fax number.
+
+
+
+
+ The data is of an e-mail message.
+
+
+
+
+ The data is of Windows NT/Windows 2000 Security Descriptor as represented by a byte array.
+
+
+
+
+ The data is of an undefined type.
+
+
+
+
+ The data is of ADS_DN_WITH_BINARY used for mapping a distinguished name to a non varying GUID.
+
+
+
+
+ The data is of ADS_DN_WITH_STRING used for mapping a distinguished name to a non-varying string value.
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
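Review bot: "the different types of information that an active directory attribute can represents" in the EntityStateAdstypeType introduction should be "can represent", and "The string is of Distinguished Name (path) of a directory service object" should be "of the Distinguished Name (path)".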
+ The EntityStateAuditType complex type restricts a string value to a specific set of values: AUDIT_NONE, AUDIT_SUCCESS, AUDIT_FAILURE, and AUDIT_SUCCESS_FAILURE. These values describe which audit records should be generated. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+
+
+
+
+ The audit type AUDIT_FAILURE is used to perform audits on all unsuccessful occurrences of specified events when auditing is enabled.
+
+
+
+
+ The audit type AUDIT_NONE is used to cancel all auditing options for the specified events.
+
+
+
+
+ The audit type AUDIT_SUCCESS is used to perform audits on all successful occurrences of the specified events when auditing is enabled.
+
+
+
+
+ The audit type AUDIT_SUCCESS_FAILURE is used to perform audits on all successful and unsuccessful occurrences of the specified events when auditing is enabled.
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityStateDriveTypeType complex type defines the different values that are valid for the drive_type entity of a win-def:volume_state. Note that the Windows API returns a UINT value and OVAL uses the constant name that is normally defined for these return values. This is done to increase readability and maintainability of OVAL Definitions. The empty string is also allowed as a valid value to support an empty element that is found when a variable reference is used within the drive_type entity. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+
+
+
+
+ The DRIVE_UNKNOWN type means that drive type cannot be determined. The UINT value that this corresponds to is 0.
+
+
+
+
+ The DRIVE_NO_ROOT_DIR type means that the root path is not valid. The UINT value that this corresponds to is 1.
+
+
+
+
+ The DRIVE_REMOVABLE type means that the drive contains removable media. The UINT value that this corresponds to is 2.
+
+
+
+
+ The DRIVE_FIXED type means that the drive contains fixed media. The UINT value that this corresponds to is 3.
+
+
+
+
+ The DRIVE_REMOTE type means that the drive is a remote drive (i.e. network drive). The UINT value that this corresponds to is 4.
+
+
+
+
+ The DRIVE_CDROM type means that the drive is a CD-ROM drive. The UINT value that this corresponds to is 5.
+
+
+
+
+ The DRIVE_RAMDISK type means that the drive is a RAM disk. The UINT value that this corresponds to is 6.
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityStateInterfaceTypeType complex type restricts a string value to a specific set of values. These values describe the different interface types. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+
+
+
+
+ The MIB_IF_TYPE_ETHERNET type is used to describe ethernet interfaces.
+
+
+
+
+ The MIB_IF_TYPE_FDDI type is used to describe fiber distributed data interfaces (FDDI).
+
+
+
+
+ The MIB_IF_TYPE_LOOPBACK type is used to describe loopback interfaces.
+
+
+
+
+ The MIB_IF_TYPE_OTHER type is used to describe unknown interfaces.
+
+
+
+
+ The MIB_IF_TYPE_PPP type is used to describe point-to-point protocol interfaces (PPP).
+
+
+
+
+ The MIB_IF_TYPE_SLIP type is used to describe serial line internet protocol interfaces (SLIP).
+
+
+
+
+ The MIB_IF_TYPE_TOKENRING type is used to describe token ring interfaces..
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityStateFileTypeType complex type restricts a string value to a specific set of values. These values describe the type of file being represented. For more information see the GetFileType and GetFileAttributesEx functions as defined by Microsoft. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+
+
+
+
+ The handle identifies a directory.
+
+
+ 5.11.1:1.2
+ In version 5.11.1:1.2 of the OVAL Language windows schema, a file_attributes entity was added to the file_state, obviating the need to overload this attribute with the file-type enumeration.
+ This value has been deprecated and will be removed in version 6.0 of the language.
+
+
+
+
+ DEPRECATED ELEMENT VALUE IN: file_state ELEMENT VALUE:
+
+
+
+
+
+
+
+
+ The specified file is a character file, typically an LPT device or a console.
+
+
+
+
+ The specified file is a disk file.
+
+
+
+
+ The specified file is a socket, a named pipe, or an anonymous pipe.
+
+
+
+
+ Unused.
+
+
+
+
+ Either the type of the specified file is unknown, or the function failed.
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityStateFileAttributeType complex type restricts a string value to a specific set of values. These values describe the Windows file attribute being represented. For more information see the GetFileAttributes and GetFileAttributesEx functions as defined by Microsoft. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+
+
+
+
+ A file or directory that is an archive file or directory. Applications typically use this attribute to mark files for backup or removal.
+
+
+
+
+ A file or directory that is compressed. For a file, all of the data in the file is compressed. For a directory, compression is the default for newly created files and subdirectories.
+
+
+
+
+ This value is reserved for system use.
+
+
+
+
+ The handle that identifies a directory.
+
+
+
+
+ A file or directory that is encrypted. For a file, all data streams in the file are encrypted. For a directory, encryption is the default for newly created files and subdirectories.
+
+
+
+
+ The file or directory is hidden. It is not included in an ordinary directory listing.
+
+
+
+
+ The directory or user data stream is configured with integrity (only supported on ReFS volumes). It is not included in an ordinary directory listing. The integrity setting persists with the file if it's renamed. If a file is copied the destination file will have integrity set if either the source file or destination directory have integrity set.
+ Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista, Windows Server 2003, and Windows XP: This flag is not supported until Windows Server 2012.
+
+
+
+
+ A file that does not have other attributes set. This attribute is valid only when used alone.
+
+
+
+
+ The file or directory is not to be indexed by the content indexing service.
+
+
+
+
+ The user data stream not to be read by the background data integrity scanner (AKA scrubber). When set on a directory it only provides inheritance. This flag is only supported on Storage Spaces and ReFS volumes. It is not included in an ordinary directory listing.
+ Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista, Windows Server 2003, and Windows XP: This flag is not supported until Windows 8 and Windows Server 2012.
+
+
+
+
+ The data of a file is not available immediately. This attribute indicates that the file data is physically moved to offline storage. This attribute is used by Remote Storage, which is the hierarchical storage management software. Applications should not arbitrarily change this attribute.
+
+
+
+
+ A file that is read-only. Applications can read the file, but cannot write to it or delete it. This attribute is not honored on directories.
+
+
+
+
+ A file or directory that has an associated reparse point, or a file that is a symbolic link.
+
+
+
+
+ A file that is a sparse file.
+
+
+
+
+ A file or directory that the operating system uses a part of, or uses exclusively.
+
+
+
+
+ A file that is being used for temporary storage. File systems avoid writing data back to mass storage if sufficient cache memory is available, because typically, an application deletes a temporary file after the handle is closed. In that scenario, the system can entirely avoid writing the data. Otherwise, the data is written after the handle is closed.
+
+
+
+
+ This value is reserved for system use.
+
+
+
+
+
+
+
+ The EntityObjectNamingContextType restricts a string value to a specific set of values: domain, configuration, and schema. These values describe the different default naming context found in active directory. A naming context is defined as a single object in the Directory Information Tree (DIT) along with every object in the tree subordinate to it. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+
+
+
+
+ The domain naming context contains Active Directory objects present in the specified domain (e.g. users, computers, groups, and other objects).
+
+
+
+
+ The configuration naming context contains configuration data that is required for the Active Directory to operate as a directory service.
+
+
+
+
+ The schema naming context contains all of the Active Directory object definitions.
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityStateNamingContextType restricts a string value to a specific set of values: domain, configuration, and schema. These values describe the different default naming context found in active directory. A naming context is defined as a single object in the Directory Information Tree (DIT) along with every object in the tree subordinate to it. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+
+
+
+
+ The domain naming context contains Active Directory objects present in the specified domain (e.g. users, computers, groups, and other objects).
+
+
+
+
+ The configuration naming context contains configuration data that is required for the Active Directory to operate as a directory service.
+
+
+
+
+ The schema naming context contains all of the Active Directory object definitions.
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityStateNTUserAccountTypeType restricts a string value to a specific set of values that describe the different types of accounts. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+
+
+
+
+ Local accounts are accounts that were created directly on the machine being tested and should be in the form of
+ machinename\username
+
+
+
+
+ Domain accounts are accounts that were created on a domain controller and should be in the form of domain\username
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityStatePeTargetMachineType enumeration identifies the valid machine targets that can be specified in the PE file header. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+
+
+
+
+ The IMAGE_FILE_MACHINE_UNKNOWN type is used to indicate an unknown machine.
+
+
+
+
+ The IMAGE_FILE_MACHINE_ALPHA type is used to indicate an Alpha APX machine.
+
+
+
+
+ The IMAGE_FILE_MACHINE_ARM type is used to indicate an ARM little endian machine.
+
+
+
+
+ The IMAGE_FILE_MACHINE_ALPHA64 type is used to indicate an 64-bit Alpha APX machine.
+
+
+
+
+ The IMAGE_FILE_MACHINE_I386 type is used to indicate an Intel 386 machine.
+
+
+
+
+ The IMAGE_FILE_MACHINE_IA64 type is used to indicate an Intel Itanium machine.
+
+
+
+
+ The IMAGE_FILE_MACHINE_M68K type is used to indicate an M68K machine.
+
+
+
+
+ The IMAGE_FILE_MACHINE_MIPS16 type is used to indicate a MIPS16 machine.
+
+
+
+
+ The IMAGE_FILE_MACHINE_MIPSFPU type is used to indicate an MIPS machine with FPU.
+
+
+
+
+ The IMAGE_FILE_MACHINE_MIPSFPU16 type is used to indicate a MIPS16 machine with FPU.
+
+
+
+
+ The IMAGE_FILE_MACHINE_POWERPC type is used to indicate an Power PC little endian machine.
+
+
+
+
+ The IMAGE_FILE_MACHINE_R3000 type is used to indicate a MIPS little endian, 0x160 big endian machine.
+
+
+
+
+ The IMAGE_FILE_MACHINE_R4000 type is used to indicate a MIPS little endian machine.
+
+
+
+
+ The IMAGE_FILE_MACHINE_10000 type is used to indicate a MIPS little endian machine.
+
+
+
+
+ The IMAGE_FILE_MACHINE_SH3 type is used to indicate a Hitachi SH3 machine.
+
+
+
+
+ The IMAGE_FILE_MACHINE_SH4 type is used to indicate a Hitachi SH4 machine.
+
+
+
+
+ The IMAGE_FILE_MACHINE_THUMB type is used to indicate an ARM or Thumb ("interworking") machine.
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+
+ The EntityStatePeSubsystemType enumeration identifies the valid subsystem types that can be specified in the PE file header. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+
+
+
+
+ The IMAGE_SUBSYSTEM_UNKNOWN type is used to indicate an unknown subsystem.
+
+
+
+
+ The IMAGE_SUBSYSTEM_NATIVE type is used to indicate that no subsystem is required.
+
+
+
+
+ The IMAGE_SUBSYSTEM_WINDOWS_GUI type is used to indicate a Windows graphical user interface (GUI) subsystem.
+
+
+
+
+ The IMAGE_SUBSYSTEM_WINDOWS_CUI type is used to indicate a Windows character-mode user interface (CUI) subsystem.
+
+
+
+
+ The IMAGE_SUBSYSTEM_OS2_CUI type is used to indicate an OS/2 CUI subsystem.
+
+
+
+
+ The IMAGE_SUBSYSTEM_POSIX_CUI type is used to indicate a POSIX CUI subsystem.
+
+
+
+
+ The IMAGE_SUBSYSTEM_WINDOWS_CE_GUI type is used to indicate a Windows CE system.
+
+
+
+
+ The IMAGE_SUBSYSTEM_EFI_APPLICATION type is used to indicate an Extensible Firmware Interface (EFI) application.
+
+
+
+
+ The IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER type is used to indicate a EFI driver with boot services.
+
+
+
+
+ The IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER type is used to indicate a EFI driver with run-time services subsystem.
+
+
+
+
+ The IMAGE_SUBSYSTEM_EFI_ROM type is used to indicate an EFI ROM image.
+
+
+
+
+ The IMAGE_SUBSYSTEM_XBOX type is used to indicate an Xbox system.
+
+
+
+
+ The IMAGE_SUBSYSTEM_WINDOWS_BOOT_APPLICATION type is used to indicate a boot application.
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityObjectProtocolType restricts a string value to a specific set of values: TCP and UDP. These values describe the different protocols available to a port. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+
+
+
+
+ The port uses the Transmission Control Protocol (TCP).
+
+
+
+
+ The port uses the User Datagram Protocol (UDP).
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityStateProtocolType restricts a string value to a specific set of values: TCP and UDP. These values describe the different protocols available to a port. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+
+
+
+
+ The port uses the Transmission Control Protocol (TCP).
+
+
+
+
+ The port uses the User Datagram Protocol (UDP).
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityObjectRegistryHiveType restricts a string value to a specific set of values: HKEY_CLASSES_ROOT, HKEY_CURRENT_CONFIG, HKEY_CURRENT_USER, HKEY_CURRENT_USER_LOCAL_SETTINGS, HKEY_LOCAL_MACHINE, and HKEY_USERS. These values describe the possible hives in the registry. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+
+
+
+
+ This registry subtree contains information that associates file types with programs and configuration data for automation (e.g. COM objects and Visual Basic Programs).
+
+
+
+
+ This registry subtree contains configuration data for the current hardware profile.
+
+
+
+
+ This registry subtree contains the user profile of the user that is currently logged into the system.
+
+
+
+
+ Registry entries subordinate to this key define preferences of the current user that are local to the machine. These entries are not included in the per-user registry portion of a roaming user profile. This key is supported starting with Windows 7 and Windows Server 2008 R2.
+
+
+
+
+ This registry subtree contains information about the local system.
+
+
+
+
+ This registry subtree contains user-specific data.
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityStateRegistryHiveType restricts a string value to a specific set of values: HKEY_CLASSES_ROOT, HKEY_CURRENT_CONFIG, HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE, and HKEY_USERS. These values describe the possible hives in the registry. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+
+
+
+
+ This registry subtree contains information that associates file types with programs and configuration data for automation (e.g. COM objects and Visual Basic Programs).
+
+
+
+
+ This registry subtree contains configuration data for the current hardware profile.
+
+
+
+
+ This registry subtree contains the user profile of the user that is currently logged into the system.
+
+
+
+
+ This registry subtree contains information about the local system.
+
+
+
+
+ This registry subtree contains user-specific data.
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityStateRegistryTypeType complex type defines the different values that are valid for the type entity of a registry state. These values describe the possible types of data stored in a registry key. The empty string is also allowed as a valid value to support an empty element that is found when a variable reference is used within the type entity. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values. Please note that the values identified are for the type entity and are not valid values for the datatype attribute. For information about how to encode registry data in OVAL for each of the different types, please visit the registry_state documentation.
+
+
+
+
+
+ The reg_binary type is used by registry keys that specify binary data in any form.
+
+
+
+
+ The reg_dword type is used by registry keys that specify an unsigned 32-bit integer.
+
+
+
+
+ The reg_dword_little_endian type is used by registry keys that specify an unsigned 32-bit little-endian integer. It is designed to run on little-endian computer architectures.
+
+
+ 5.11.1:1.1
+ Defined to have same value as reg_dword.
+ This registry type enumeration value has been deprecated and may be removed in a future version of the language.
+
+
+
+
+
+
+ The reg_dword_big_endian type is used by registry keys that specify an unsigned 32-bit big-endian integer. It is designed to run on big-endian computer architectures.
+
+
+
+
+ The reg_expand_sz type is used by registry keys to specify a null-terminated string that contains unexpanded references to environment variables (for example, "%PATH%").
+
+
+
+
+ The reg_link type is used by the registry keys for null-terminated unicode strings. It is related to target path of a symbolic link created by the RegCreateKeyEx function.
+
+
+
+
+ The reg_multi_sz type is used by registry keys that specify an array of null-terminated strings, terminated by two null characters.
+
+
+
+
+ The reg_none type is used by registry keys that have no defined value type.
+
+
+
+
+ The reg_qword type is used by registry keys that specify an unsigned 64-bit integer.
+
+
+
+
+ The reg_qword_little_endian type is used by registry keys that specify an unsigned 64-bit integer in little-endian computer architectures.
+
+
+ 5.11.1:1.1
+ Defined to have same value as reg_qword.
+ This registry type enumeration value has been deprecated and may be removed in a future version of the language.
+
+
+
+
+
+
+ The reg_sz type is used by registry keys that specify a single null-terminated string.
+
+
+
+
+ The reg_resource_list type is used by registry keys that specify a resource list.
+
+
+
+
+ The reg_full_resource_descriptor type is used by registry keys that specify a full resource descriptor.
+
+
+
+
+ The reg_resource_requirements_list type is used by registry keys that specify a resource requirements list.
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityStateServiceAcceptedControlsType complex type defines the different values that are valid for the controls_accepted entity of a service. Note that the Windows API returns a DWORD value and OVAL uses the constant name that is normally defined for these return values. This is done to increase readability and maintainability of OVAL Definitions. The empty string is also allowed as a valid value to support an empty element that is found when a variable reference is used within the controls_accepted entity. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+
+
+
+
+ The SERVICE_ACCEPT_NETBINDCHANGE type means that the service is a network component and can accept changes in its binding without being stopped or restarted. The DWORD value that this corresponds to is 0x00000010.
+
+
+
+
+ The SERVICE_ACCEPT_PARAMCHANGE type means that the service can re-read its startup parameters without being stopped or restarted. The DWORD value that this corresponds to is 0x00000008.
+
+
+
+
+ The SERVICE_ACCEPT_PAUSE_CONTINUE type means that the service can be paused or continued. The DWORD value that this corresponds to is 0x00000002.
+
+
+
+
+ The SERVICE_ACCEPT_PRESHUTDOWN type means that the service can receive pre-shutdown notifications. The DWORD value that this corresponds to is 0x00000100.
+
+
+
+
+ The SERVICE_ACCEPT_SHUTDOWN type means that the service can receive shutdown notifications. The DWORD value that this corresponds to is 0x00000004.
+
+
+
+
+ The SERVICE_ACCEPT_STOP type means that the service can be stopped. The DWORD value that this corresponds to is 0x00000001.
+
+
+
+
+ The SERVICE_ACCEPT_HARDWAREPROFILECHANGE type means that the service can receive notifications when the system's hardware profile changes. The DWORD value that this corresponds to is 0x00000020.
+
+
+
+
+ The SERVICE_ACCEPT_POWEREVENT type means that the service can receive notifications when the system's power status has changed. The DWORD value that this corresponds to is 0x00000040.
+
+
+
+
+ The SERVICE_ACCEPT_SESSIONCHANGE type means that the service can receive notifications when the system's session status has changed. The DWORD value that this corresponds to is 0x00000080.
+
+
+
+
+ The SERVICE_ACCEPT_TIMECHANGE type means that the service can receive notifications when the system time changes. The DWORD value that this corresponds to is 0x00000200.
+
+
+
+
+ The SERVICE_ACCEPT_TRIGGEREVENT type means that the service can receive notifications when an event that the service has registered for occurs on the system. The DWORD value that this corresponds to is 0x00000400.
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityStateServiceCurrentStateType complex type defines the different values that are valid for the current_state entity of a service. Note that the Windows API returns a DWORD value and OVAL uses the constant name that is normally defined for these return values. This is done to increase readability and maintainability of OVAL Definitions. The empty string is also allowed as a valid value to support an empty element that is found when a variable reference is used within the current_state entity. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+
+
+
+
+ The SERVICE_CONTINUE_PENDING type means that the service has been sent a command to continue, however, the command has not yet been executed. The DWORD value that this corresponds to is 0x00000005.
+
+
+
+
+ The SERVICE_PAUSE_PENDING type means that the service has been sent a command to pause, however, the command has not yet been executed. The DWORD value that this corresponds to is 0x00000006.
+
+
+
+
+ The SERVICE_PAUSED type means that the service is paused. The DWORD value that this corresponds to is 0x00000007.
+
+
+
+
+ The SERVICE_RUNNING type means that the service is running. The DWORD value that this corresponds to is 0x00000004.
+
+
+
+
+ The SERVICE_START_PENDING type means that the service has been sent a command to start, however, the command has not yet been executed. The DWORD value that this corresponds to is 0x00000002.
+
+
+
+
+ The SERVICE_STOP_PENDING type means that the service has been sent a command to stop, however, the command has not yet been executed. The DWORD value that this corresponds to is 0x00000003.
+
+
+
+
+ The SERVICE_STOPPED type means that the service is stopped. The DWORD value that this corresponds to is 0x00000001.
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityStateServiceStartTypeType complex type defines the different values that are valid for the start_type entity of a service. Note that the Windows API returns a DWORD value and OVAL uses the constant name that is normally defined for these return values. This is done to increase readability and maintainability of OVAL Definitions. The empty string is also allowed as a valid value to support an empty element that is found when a variable reference is used within the start_type entity. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+
+
+
+
+ The SERVICE_AUTO_START type means that the service is started automatically by the Service Control Manager (SCM) during startup. The DWORD value that this corresponds to is 0x00000002.
+
+
+
+
+ The SERVICE_BOOT_START type means that the driver service is started by the system loader. The DWORD value that this corresponds to is 0x00000000.
+
+
+
+
+ The SERVICE_DEMAND_START type means that the service is started by the Service Control Manager (SCM) when StartService() is called. The DWORD value that this corresponds to is 0x00000003.
+
+
+
+
+ The SERVICE_DISABLED type means that the service cannot be started. The DWORD value that this corresponds to is 0x00000004.
+
+
+
+
+ The SERVICE_SYSTEM_START type means that the service is a device driver started by IoInitSystem(). The DWORD value that this corresponds to is 0x00000001.
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityStateServiceTypeType complex type defines the different values that are valid for the service_type entity of a service. Note that the Windows API returns a DWORD value and OVAL uses the constant name that is normally defined for these return values. This is done to increase readability and maintainability of OVAL Definitions. The empty string is also allowed as a valid value to support an empty element that is found when a variable reference is used within the service_type entity. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+
+
+
+
+
+ The SERVICE_FILE_SYSTEM_DRIVER type means that the service is a file system driver. The DWORD value that this corresponds to is 0x00000002.
+
+
+
+
+ The SERVICE_KERNEL_DRIVER type means that the service is a driver. The DWORD value that this corresponds to is 0x00000001.
+
+
+
+
+ The SERVICE_WIN32_OWN_PROCESS type means that the service runs in its own process. The DWORD value that this corresponds to is 0x00000010.
+
+
+
+
+ The SERVICE_WIN32_SHARE_PROCESS type means that the service runs in a process with other services. The DWORD value that this corresponds to is 0x00000020.
+
+
+
+
+ The SERVICE_WIN32_SHARE_PROCESS type means that the service runs in a process with other services. The DWORD value that this corresponds to is 0x00000100.
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityStateSharedResourceTypeType complex type defines the different values that are valid for the type entity of a shared resource state. Note that the Windows API returns a DWORD value and OVAL uses the constant name that is normally defined for these return values. This is done to increase readability and maintainability of OVAL Definitions. The empty string is also allowed as a valid value to support an empty element that is found when a variable reference is used within the type entity. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
+ It is also important to note that special shared resources are those reserved for remote administration, interprocess communication, and administrative shares.
+
+
+
+
+
+ The STYPE_DISKTREE type means that the shared resource is a disk drive. The DWORD value that this corresponds to is 0x00000000.
+
+
+
+
+ The STYPE_DISKTREE_SPECIAL type means that the shared resource is a special disk drive. The DWORD value that this corresponds to is 0x80000000.
+
+
+
+
+ The STYPE_DISKTREE_TEMPORARY type means that the shared resource is a temporary disk drive. The DWORD value that this corresponds to is 0x40000000.
+
+
+
+
+ The STYPE_DISKTREE_SPECIAL_TEMPORARY type means that the shared resource is a temporary, special disk drive. The DWORD value that this corresponds to is 0xC0000000.
+
+
+
+
+ The STYPE_PRINTQ type means that the shared resource is a print queue. The DWORD value that this corresponds to is 0x00000001.
+
+
+
+
+ The STYPE_PRINTQ_SPECIAL type means that the shared resource is a special print queue. The DWORD value that this corresponds to is 0x80000001.
+
+
+
+
+ The STYPE_PRINTQ_TEMPORARY type means that the shared resource is a temporary print queue. The DWORD value that this corresponds to is 0x40000001.
+
+
+
+
+ The STYPE_PRINTQ_SPECIAL_TEMPORARY type means that the shared resource is a temporary, special print queue. The DWORD value that this corresponds to is 0xC0000001.
+
+
+
+
+ The STYPE_DEVICE type means that the shared resource is a communication device. The DWORD value that this corresponds to is 0x00000002.
+
+
+
+
+ The STYPE_DEVICE_SPECIAL type means that the shared resource is a special communication device. The DWORD value that this corresponds to is 0x80000002.
+
+
+
+
+ The STYPE_DEVICE_TEMPORARY type means that the shared resource is a temporary communication device. The DWORD value that this corresponds to is 0x40000002.
+
+
+
+
+ The STYPE_DEVICE_SPECIAL_TEMPORARY type means that the shared resource is a temporary, special communication device. The DWORD value that this corresponds to is 0xC0000002.
+
+
+
+
+ The STYPE_IPC type means that the shared resource is a interprocess communication. The DWORD value that this corresponds to is 0x00000003.
+
+
+
+
+ The STYPE_IPC_SPECIAL type means that the shared resource is a special interprocess communication. The DWORD value that this corresponds to is 0x80000003.
+
+
+
+
+ The STYPE_IPC_TEMPORARY type means that the shared resource is a temporary interprocess communication. The DWORD value that this corresponds to is 0x40000003.
+
+
+
+
+ The STYPE_IPC_SPECIAL_TEMPORARY type means that the shared resource is a temporary, special interprocess communication. The DWORD value that this corresponds to is 0xC0000003.
+
+
+
+
+ The STYPE_SPECIAL type means that this is a special share reserved for interprocess communication (IPC$) or remote administration of the server (ADMIN$). Can also refer to administrative shares such as C$, D$, E$, and so forth. The DWORD value that this corresponds to is 0x40000000.
+
+
+ 5.6
+ In version 5.6 of the OVAL Language, the EntityStateSharedResourceTypeType was changed to include all of the different shared resource types as specified in Microsoft's documentation of the shi2_type member of the SHARE_INFO_2 structure. As a result, the STYPE_SPECIAL value by itself is no longer valid because it would actually be equal to the value STYPE_DISKTREE_SPECIAL (0x80000000) which is STYPE_DISKTREE (0x00000000) OR'd with STYPE_SPECIAL (0x80000000).
+ This value has been deprecated and will be removed in version 6.0 of the language.
+
+
+
+
+ DEPRECATED ELEMENT VALUE IN: sharedresource_state ELEMENT VALUE:
+
+
+
+
+
+
+
+
+ The STYPE_TEMPORARY type means that the shared resource is a temporary share. The DWORD value that this corresponds to is 0x80000000.
+
+
+ 5.6
+ In version 5.6 of the OVAL Language, the EntityStateSharedResourceTypeType was changed to include all of the different shared resource types as specified in Microsoft's documentation of the shi2_type member of the SHARE_INFO_2 structure. As a result, the STYPE_TEMPORARY value by itself is no longer valid because it would actually be equal to the value STYPE_DISKTREE_TEMPORARY (0x40000000) which is STYPE_DISKTREE (0x00000000) OR'd with STYPE_TEMPORARY (0x40000000).
+ This value has been deprecated and will be removed in version 6.0 of the language.
+
+
+
+
+ DEPRECATED ELEMENT VALUE IN: sharedresource_state ELEMENT VALUE:
+
+
+
+
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityObjectSystemMetricIndexType complex type defines the different values that are valid for the index entity of a system metric object. These values describe the system metric or configuration setting to be retrieved. The empty string is also allowed as a valid value to support an empty element that is found when a variable reference is used within the index entity. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values. Please note that the values identified are for the index entity and are not valid values for the datatype attribute.
+
+
+
+
+
+ The flags that specify how the system arranged minimized windows.
+
+
+
+
+ The value that specifies how the system is started.
+
+
+
+
+ The number of display monitors on a desktop.
+
+
+
+
+ The number of buttons on a mouse, or zero if no mouse is installed.
+
+
+
+
+ The width of a window border, in pixels. This is equivalent to the SM_CXEDGE value for windows with the 3-D look.
+
+
+
+
+ The width of a cursor, in pixels. The system cannot create cursors of other sizes.
+
+
+
+
+ This value is the same as SM_CXFIXEDFRAME.
+
+
+
+
+ The width of the rectangle around the location of a first click in a double-click sequence, in pixels.
+
+
+
+
+ The number of pixels on either side of a mouse-down point that the mouse pointer can move before a drag operation begins.
+
+
+
+
+ The width of a 3-D border, in pixels. This metric is the 3-D counterpart of SM_CXBORDER.
+
+
+
+
+ The thickness of the frame around the perimeter of a window that has a caption but is not sizable, in pixels.
+
+
+
+
+ The width of the left and right edges of the focus rectangle that the DrawFocusRect draws.
+
+
+
+
+ This value is the same as SM_CXSIZEFRAME.
+
+
+
+
+ The width of the client area for a full-screen window on the primary display monitor, in pixels.
+
+
+
+
+ The width of the arrow bitmap on a horizontal scroll bar, in pixels.
+
+
+
+
+ The width of the thumb box in a horizontal scroll bar, in pixels.
+
+
+
+
+ The default width of an icon, in pixels.
+
+
+
+
+ The width of a grid cell for items in large icon view, in pixels.
+
+
+
+
+ The default width, in pixels, of a maximized top-level window on the primary display monitor.
+
+
+
+
+ The default maximum width of a window that has a caption and sizing borders, in pixels.
+
+
+
+
+ The width of the default menu check-mark bitmap, in pixels.
+
+
+
+
+ The width of menu bar buttons, such as the child window close button that is used in the multiple document interface, in pixels.
+
+
+
+
+ The minimum width of a window, in pixels.
+
+
+
+
+ The width of a minimized window, in pixels.
+
+
+
+
+ The width of a grid cell for a minimized window, in pixels.
+
+
+
+
+ The minimum tracking width of a window, in pixels.
+
+
+
+
+ The amount of border padding for captioned windows, in pixels.
+
+
+
+
+ The width of the screen of the primary display monitor, in pixels.
+
+
+
+
+ The width of a button in a window caption or title bar, in pixels.
+
+
+
+
+ The thickness of the sizing border around the perimeter of a window that can be resized, in pixels.
+
+
+
+
+ The recommended width of a small icon, in pixels.
+
+
+
+
+ The width of small caption buttons, in pixels.
+
+
+
+
+ The width of the virtual screen, in pixels.
+
+
+
+
+ The width of a vertical scroll bar, in pixels.
+
+
+
+
+ The height of a window border, in pixels.
+
+
+
+
+ The height of a caption area, in pixels.
+
+
+
+
+ The height of a cursor, in pixels.
+
+
+
+
+ This value is the same as SM_CYFIXEDFRAME.
+
+
+
+
+ The height of the rectangle around the location of a first click in a double-click sequence, in pixels.
+
+
+
+
+ The number of pixels above and below a mouse-down point that the mouse pointer can move before a drag operation begins.
+
+
+
+
+ The height of a 3-D border, in pixels. This is the 3-D counterpart of SM_CYBORDER.
+
+
+
+
+ The thickness of the frame around the perimeter of a window that has a caption but is not sizable, in pixels.
+
+
+
+
+ The height of the top and bottom edges of the focus rectangle drawn by DrawFocusRect. This value is in pixels.
+
+
+
+
+ This value is the same as SM_CYSIZEFRAME.
+
+
+
+
+ The height of the client area for a full-screen window on the primary display monitor, in pixels.
+
+
+
+
+ The height of a horizontal scroll bar, in pixels.
+
+
+
+
+ The default height of an icon, in pixels.
+
+
+
+
+ The height of a grid cell for items in large icon view, in pixels.
+
+
+
+
+ For double byte character set versions of the system, this is the height of the Kanji window at the bottom of the screen, in pixels.
+
+
+
+
+ The default height, in pixels, of a maximized top-level window on the primary display monitor.
+
+
+
+
+ The default maximum height of a window that has a caption and sizing borders, in pixels.
+
+
+
+
+ The height of a single-line menu bar, in pixels.
+
+
+
+
+ The height of the default menu check-mark bitmap, in pixels.
+
+
+
+
+ The height of menu bar buttons, such as the child window close button that is used in the multiple document interface, in pixels.
+
+
+
+
+ The minimum height of a window, in pixels.
+
+
+
+
+ The height of a minimized window, in pixels.
+
+
+
+
+ The height of a grid cell for a minimized window, in pixels.
+
+
+
+
+ The minimum tracking height of a window, in pixels.
+
+
+
+
+ The height of the screen of the primary display monitor, in pixels.
+
+
+
+
+ The height of a button in a window caption or title bar, in pixels.
+
+
+
+
+ The thickness of the sizing border around the perimeter of a window that can be resized, in pixels.
+
+
+
+
+ The height of a small caption, in pixels.
+
+
+
+
+ The recommended height of a small icon, in pixels.
+
+
+
+
+ The height of small caption buttons, in pixels.
+
+
+
+
+ The height of the virtual screen, in pixels. The virtual screen is the bounding rectangle of all display monitors.
+
+
+
+
+ The height of the arrow bitmap on a vertical scroll bar, in pixels.
+
+
+
+
+ The height of the thumb box in a vertical scroll bar, in pixels.
+
+
+
+
+ Nonzero if User32.dll supports DBCS; otherwise, 0.
+
+
+
+
+ Nonzero if the debug version of User.exe is installed; otherwise, 0.
+
+
+
+
+ Nonzero if the current operating system is Windows 7 or Windows Server 2008 R2 and the Tablet PC Input service is started; otherwise, 0. The return value is a bitmask that specifies the type of digitizer input supported by the device.
+
+
+
+
+ Nonzero if Input Method Manager/Input Method Editor features are enabled; otherwise, 0.
+
+
+
+
+ Nonzero if there are digitizers in the system; otherwise, 0.
+
+
+
+
+ Nonzero if the current operating system is the Windows XP, Media Center Edition, 0 if not.
+
+
+
+
+ Nonzero if drop-down menus are right-aligned with the corresponding menu-bar item; 0 if the menus are left-aligned.
+
+
+
+
+ Nonzero if the system is enabled for Hebrew and Arabic languages, 0 if not.
+
+
+
+
+ Nonzero if a mouse is installed; otherwise, 0.
+
+
+
+
+ Nonzero if a mouse with a horizontal scroll wheel is installed; otherwise 0.
+
+
+
+
+ Nonzero if a mouse with a vertical scroll wheel is installed; otherwise 0.
+
+
+
+
+ The least significant bit is set if a network is present; otherwise, it is cleared.
+
+
+
+
+ Nonzero if the Microsoft Windows for Pen computing extensions are installed; zero otherwise.
+
+
+
+
+ This system metric is used in a Terminal Services environment to determine if the current Terminal Server session is being remotely controlled. Its value is nonzero if the current session is remotely controlled; otherwise, 0.
+
+
+
+
+ This system metric is used in a Terminal Services environment. If the calling process is associated with a Terminal Services client session, the return value is nonzero. If the calling process is associated with the Terminal Services console session, the return value is 0.
+
+
+
+
+ Nonzero if all the display monitors have the same color format, otherwise, 0.
+
+
+
+
+ This system metric should be ignored; it always returns 0.
+
+
+
+
+ The build number if the system is Windows Server 2003 R2; otherwise, 0.
+
+
+
+
+ Nonzero if the user requires an application to present information visually in situations where it would otherwise present the information only in audible form; otherwise, 0.
+
+
+
+
+ Nonzero if the current session is shutting down; otherwise, 0.
+
+
+
+
+ Nonzero if the computer has a low-end (slow) processor; otherwise, 0.
+
+
+
+
+ Nonzero if the current operating system is Windows 7 Starter Edition, Windows Vista Starter, or Windows XP Starter Edition; otherwise, 0.
+
+
+
+
+ Nonzero if the meanings of the left and right mouse buttons are swapped; otherwise, 0.
+
+
+
+
+ Nonzero if the current operating system is the Windows XP Tablet PC edition or if the current operating system is Windows Vista or Windows 7 and the Tablet PC Input service is started; otherwise, 0.
+
+
+
+
+ The coordinates for the left side of the virtual screen.
+
+
+
+
+ The coordinates for the top of the virtual screen.
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityStateSystemMetricIndexType complex type defines the different values that are valid for the index entity of a systemmetric_state. These values describe the system metric or configuration setting to be retrieved. The empty string is also allowed as a valid value to support an empty element that is found when a variable reference is used within the index entity. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values. Please note that the values identified are for the index entity and are not valid values for the datatype attribute.
+
+
+
+
+
+ The flags that specify how the system arranged minimized windows.
+
+
+
+
+ The value that specifies how the system is started.
+
+
+
+
+ The number of display monitors on a desktop.
+
+
+
+
+ The number of buttons on a mouse, or zero if no mouse is installed.
+
+
+
+
+ The width of a window border, in pixels. This is equivalent to the SM_CXEDGE value for windows with the 3-D look.
+
+
+
+
+ The width of a cursor, in pixels. The system cannot create cursors of other sizes.
+
+
+
+
+ This value is the same as SM_CXFIXEDFRAME.
+
+
+
+
+ The width of the rectangle around the location of a first click in a double-click sequence, in pixels.
+
+
+
+
+ The number of pixels on either side of a mouse-down point that the mouse pointer can move before a drag operation begins.
+
+
+
+
+ The width of a 3-D border, in pixels. This metric is the 3-D counterpart of SM_CXBORDER.
+
+
+
+
+ The thickness of the frame around the perimeter of a window that has a caption but is not sizable, in pixels.
+
+
+
+
+ The width of the left and right edges of the focus rectangle that the DrawFocusRect draws.
+
+
+
+
+ This value is the same as SM_CXSIZEFRAME.
+
+
+
+
+ The width of the client area for a full-screen window on the primary display monitor, in pixels.
+
+
+
+
+ The width of the arrow bitmap on a horizontal scroll bar, in pixels.
+
+
+
+
+ The width of the thumb box in a horizontal scroll bar, in pixels.
+
+
+
+
+ The default width of an icon, in pixels.
+
+
+
+
+ The width of a grid cell for items in large icon view, in pixels.
+
+
+
+
+ The default width, in pixels, of a maximized top-level window on the primary display monitor.
+
+
+
+
+ The default maximum width of a window that has a caption and sizing borders, in pixels.
+
+
+
+
+ The width of the default menu check-mark bitmap, in pixels.
+
+
+
+
+ The width of menu bar buttons, such as the child window close button that is used in the multiple document interface, in pixels.
+
+
+
+
+ The minimum width of a window, in pixels.
+
+
+
+
+ The width of a minimized window, in pixels.
+
+
+
+
+ The width of a grid cell for a minimized window, in pixels.
+
+
+
+
+ The minimum tracking width of a window, in pixels.
+
+
+
+
+ The amount of border padding for captioned windows, in pixels.
+
+
+
+
+ The width of the screen of the primary display monitor, in pixels.
+
+
+
+
+ The width of a button in a window caption or title bar, in pixels.
+
+
+
+
+ The thickness of the sizing border around the perimeter of a window that can be resized, in pixels.
+
+
+
+
+ The recommended width of a small icon, in pixels.
+
+
+
+
+ The width of small caption buttons, in pixels.
+
+
+
+
+ The width of the virtual screen, in pixels.
+
+
+
+
+ The width of a vertical scroll bar, in pixels.
+
+
+
+
+ The height of a window border, in pixels.
+
+
+
+
+ The height of a caption area, in pixels.
+
+
+
+
+ The height of a cursor, in pixels.
+
+
+
+
+ This value is the same as SM_CYFIXEDFRAME.
+
+
+
+
+ The height of the rectangle around the location of a first click in a double-click sequence, in pixels.
+
+
+
+
+ The number of pixels above and below a mouse-down point that the mouse pointer can move before a drag operation begins.
+
+
+
+
+ The height of a 3-D border, in pixels. This is the 3-D counterpart of SM_CYBORDER.
+
+
+
+
+ The thickness of the frame around the perimeter of a window that has a caption but is not sizable, in pixels.
+
+
+
+
+ The height of the top and bottom edges of the focus rectangle drawn by DrawFocusRect. This value is in pixels.
+
+
+
+
+ This value is the same as SM_CYSIZEFRAME.
+
+
+
+
+ The height of the client area for a full-screen window on the primary display monitor, in pixels.
+
+
+
+
+ The height of a horizontal scroll bar, in pixels.
+
+
+
+
+ The default height of an icon, in pixels.
+
+
+
+
+ The height of a grid cell for items in large icon view, in pixels.
+
+
+
+
+ For double byte character set versions of the system, this is the height of the Kanji window at the bottom of the screen, in pixels.
+
+
+
+
+ The default height, in pixels, of a maximized top-level window on the primary display monitor.
+
+
+
+
+ The default maximum height of a window that has a caption and sizing borders, in pixels.
+
+
+
+
+ The height of a single-line menu bar, in pixels.
+
+
+
+
+ The height of the default menu check-mark bitmap, in pixels.
+
+
+
+
+ The height of menu bar buttons, such as the child window close button that is used in the multiple document interface, in pixels.
+
+
+
+
+ The minimum height of a window, in pixels.
+
+
+
+
+ The height of a minimized window, in pixels.
+
+
+
+
+ The height of a grid cell for a minimized window, in pixels.
+
+
+
+
+ The minimum tracking height of a window, in pixels.
+
+
+
+
+ The height of the screen of the primary display monitor, in pixels.
+
+
+
+
+ The height of a button in a window caption or title bar, in pixels.
+
+
+
+
+ The thickness of the sizing border around the perimeter of a window that can be resized, in pixels.
+
+
+
+
+ The height of a small caption, in pixels.
+
+
+
+
+ The recommended height of a small icon, in pixels.
+
+
+
+
+ The height of small caption buttons, in pixels.
+
+
+
+
+ The height of the virtual screen, in pixels. The virtual screen is the bounding rectangle of all display monitors.
+
+
+
+
+ The height of the arrow bitmap on a vertical scroll bar, in pixels.
+
+
+
+
+ The height of the thumb box in a vertical scroll bar, in pixels.
+
+
+
+
+ Nonzero if User32.dll supports DBCS; otherwise, 0.
+
+
+
+
+ Nonzero if the debug version of User.exe is installed; otherwise, 0.
+
+
+
+
+ Nonzero if the current operating system is Windows 7 or Windows Server 2008 R2 and the Tablet PC Input service is started; otherwise, 0. The return value is a bitmask that specifies the type of digitizer input supported by the device.
+
+
+
+
+ Nonzero if Input Method Manager/Input Method Editor features are enabled; otherwise, 0.
+
+
+
+
+ Nonzero if there are digitizers in the system; otherwise, 0.
+
+
+
+
+ Nonzero if the current operating system is the Windows XP, Media Center Edition, 0 if not.
+
+
+
+
+ Nonzero if drop-down menus are right-aligned with the corresponding menu-bar item; 0 if the menus are left-aligned.
+
+
+
+
+ Nonzero if the system is enabled for Hebrew and Arabic languages, 0 if not.
+
+
+
+
+ Nonzero if a mouse is installed; otherwise, 0.
+
+
+
+
+ Nonzero if a mouse with a horizontal scroll wheel is installed; otherwise 0.
+
+
+
+
+ Nonzero if a mouse with a vertical scroll wheel is installed; otherwise 0.
+
+
+
+
+ The least significant bit is set if a network is present; otherwise, it is cleared.
+
+
+
+
+ Nonzero if the Microsoft Windows for Pen computing extensions are installed; zero otherwise.
+
+
+
+
+ This system metric is used in a Terminal Services environment to determine if the current Terminal Server session is being remotely controlled. Its value is nonzero if the current session is remotely controlled; otherwise, 0.
+
+
+
+
+ This system metric is used in a Terminal Services environment. If the calling process is associated with a Terminal Services client session, the return value is nonzero. If the calling process is associated with the Terminal Services console session, the return value is 0.
+
+
+
+
+ Nonzero if all the display monitors have the same color format, otherwise, 0.
+
+
+
+
+ This system metric should be ignored; it always returns 0.
+
+
+
+
+ The build number if the system is Windows Server 2003 R2; otherwise, 0.
+
+
+
+
+ Nonzero if the user requires an application to present information visually in situations where it would otherwise present the information only in audible form; otherwise, 0.
+
+
+
+
+ Nonzero if the current session is shutting down; otherwise, 0.
+
+
+
+
+ Nonzero if the computer has a low-end (slow) processor; otherwise, 0.
+
+
+
+
+ Nonzero if the current operating system is Windows 7 Starter Edition, Windows Vista Starter, or Windows XP Starter Edition; otherwise, 0.
+
+
+
+
+ Nonzero if the meanings of the left and right mouse buttons are swapped; otherwise, 0.
+
+
+
+
+ Nonzero if the current operating system is the Windows XP Tablet PC edition or if the current operating system is Windows Vista or Windows 7 and the Tablet PC Input service is started; otherwise, 0.
+
+
+
+
+ The coordinates for the left side of the virtual screen.
+
+
+
+
+ The coordinates for the top of the virtual screen.
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+
+ The EntityObjectGUIDType restricts a string value to a representation of a GUID, used for module ID. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the specified pattern restriction.
+
+
+
+
+
+
+
+
+
+ The EntityStateGUIDType restricts a string value to a representation of a GUID, used for module ID. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the specified pattern restriction.
+
+
+
+
+
+
+
+
+
+ The EntityObjectCmdletVerbType restricts a string value to a set of allow cmdlet verbs. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the specified pattern restriction.
+
+
+
+
+
+ The Approve verb confirms or agrees to the status of a resource or process.
+
+
+
+
+ The Assert verb affirms the state of a resource.
+
+
+
+
+ The Compare verb evaluates the data from one resource against the data from another resource.
+
+
+
+
+ The Confirm verb acknowledges, verifies, or validates, the state of a resource or process.
+
+
+
+
+ The Find verb looks for an object in a container that is unknown, implied, optional, or specified.
+
+
+
+
+ The Get verb specifies an action that retrieves a resource.
+
+
+
+
+ The Import verb creates a resource from data that is stored in a persistent data store (such as a file) or in an interchange format.
+
+
+
+
+ The Measure verb identifies resources that are consumed by a specified operation, or retrieves statistics about a resource.
+
+
+
+
+ The Read verb acquires information from a source.
+
+
+
+
+ The Request verb asks for a resource or asks for permissions.
+
+
+
+
+ The Resolve verb maps a shorthand representation of a resource to a more complete representation.
+
+
+
+
+ The Search verb creates a reference to a resource in a container.
+
+
+
+
+ The Select verb locates a resource in a container.
+
+
+
+
+ The Show verb makes a resource visible to the user.
+
+
+
+
+ The Test verb verifies the operation or consistency of a resource.
+
+
+
+
+ The Trace verb tracks the activities of a resource.
+
+
+
+
+ The Watch verb continually inspects or monitors a resource for changes.
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityStateCmdletVerbType restricts a string value to a set of allow cmdlet verbs. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the specified pattern restriction.
+
+
+
+
+
+ The Approve verb confirms or agrees to the status of a resource or process.
+
+
+
+
+ The Assert verb affirms the state of a resource.
+
+
+
+
+ The Compare verb evaluates the data from one resource against the data from another resource.
+
+
+
+
+ The Confirm verb acknowledges, verifies, or validates, the state of a resource or process.
+
+
+
+
+ The Find verb looks for an object in a container that is unknown, implied, optional, or specified.
+
+
+
+
+ The Get verb specifies an action that retrieves a resource.
+
+
+
+
+ The Import verb creates a resource from data that is stored in a persistent data store (such as a file) or in an interchange format.
+
+
+
+
+ The Measure verb identifies resources that are consumed by a specified operation, or retrieves statistics about a resource.
+
+
+
+
+ The Read verb acquires information from a source.
+
+
+
+
+ The Request verb asks for a resource or asks for permissions.
+
+
+
+
+ The Resolve verb maps a shorthand representation of a resource to a more complete representation.
+
+
+
+
+ The Search verb creates a reference to a resource in a container.
+
+
+
+
+ The Select verb locates a resource in a container.
+
+
+
+
+ The Show verb makes a resource visible to the user.
+
+
+
+
+ The Test verb verifies the operation or consistency of a resource.
+
+
+
+
+ The Trace verb tracks the activities of a resource.
+
+
+
+
+ The Watch verb continually inspects or monitors a resource for changes.
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityStateWindowsViewType restricts a string value to a specific set of values: 32-bit and 64-bit. These values describe the different values possible for the windows view behavior.
+
+
+
+
+
+ Indicates the 32_bit windows view.
+
+
+
+
+ Indicates the 64_bit windows view.
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityObjectUserRightType restricts a string value to a specific set of values that describe the different user rights/privileges. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the specified pattern restriction.
+
+
+
+
+
+ This privilege is required to assign the primary token of a process.
+
+
+
+
+ This privilege is required to generate audit-log entries.
+
+
+
+
+ This privilege is required to perform backup operations.
+
+
+
+
+ This privilege is required to receive notifications of changes to files or directories.
+
+
+
+
+ This privilege is required to create named file mapping objects in the global namespace during Terminal Services sessions.
+
+
+
+
+ This privilege is required to create a paging file.
+
+
+
+
+ This privilege is required to create a permanent object.
+
+
+
+
+ This privilege is required to create a symbolic link.
+
+
+
+
+ This privilege is required to create a primary token.
+
+
+
+
+ This privilege is required to debug and adjust the memory of a process owned by another account.
+
+
+
+
+ This privilege is required to mark user and computer accounts as trusted for delegation.
+
+
+
+
+ This privilege is required to impersonate.
+
+
+
+
+ This privilege is required to increase the base priority of a process.
+
+
+
+
+ This privilege is required to increase the quota assigned to a process.
+
+
+
+
+ This privilege is required to allocate more memory for applications that run in the context of users.
+
+
+
+
+ This privilege is required to load or unload a device driver.
+
+
+
+
+ This privilege is required to lock physical pages in memory.
+
+
+
+
+ This privilege is required to create a computer account.
+
+
+
+
+ This privilege is required to enable volume management privileges.
+
+
+
+
+ This privilege is required to gather profiling information for a single process.
+
+
+
+
+ This privilege is required to modify the mandatory integrity level of an object.
+
+
+
+
+ This privilege is required to shut down a system using a network request.
+
+
+
+
+ This privilege is required to perform restore operations.
+
+
+
+
+ This privilege is required to perform a number of security-related functions, such as controlling and viewing audit messages.
+
+
+
+
+ This privilege is required to shut down a local system.
+
+
+
+
+ This privilege is required for a domain controller to use the Lightweight Directory Access Protocol directory synchronization services.
+
+
+
+
+ This privilege is required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information.
+
+
+
+
+ This privilege is required to gather profiling information for the entire system.
+
+
+
+
+ This privilege is required to modify the system time.
+
+
+
+
+ This privilege is required to take ownership of an object without being granted discretionary access.
+
+
+
+
+ This privilege identifies its holder as part of the trusted computer base.
+
+
+
+
+ This privilege is required to adjust the time zone associated with the computer's internal clock.
+
+
+
+
+ This privilege is required to access Credential Manager as a trusted caller.
+
+
+
+
+ This privilege is required to undock a laptop.
+
+
+
+
+ This privilege is required to read unsolicited input from a terminal device.
+
+
+
+
+ This account right is required for an account to log on using the batch logon type.
+
+
+
+
+ This account right explicitly denies an account the right to log on using the batch logon type.
+
+
+
+
+ This account right explicitly denies an account the right to log on using the interactive logon type.
+
+
+
+
+ This account right explicitly denies an account the right to log on using the network logon type.
+
+
+
+
+ This account right explicitly denies an account the right to log on remotely using the interactive logon type.
+
+
+
+
+ This account right explicitly denies an account the right to log on using the service logon type.
+
+
+
+
+ This account right is required for an account to log on using the interactive logon type.
+
+
+
+
+ This account right is required for an account to log on using the network logon type.
+
+
+
+
+ This account right is required for an account to log on remotely using the interactive logon type.
+
+
+
+
+ This account right is required for an account to log on using the service logon type.
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
+
+ The EntityStateUserRightType restricts a string value to a specific set of values that describe the different user rights/privileges. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the specified pattern restriction.
+
+
+
+
+
+ This privilege is required to assign the primary token of a process.
+
+
+
+
+ This privilege is required to generate audit-log entries.
+
+
+
+
+ This privilege is required to perform backup operations.
+
+
+
+
+ This privilege is required to receive notifications of changes to files or directories.
+
+
+
+
+ This privilege is required to create named file mapping objects in the global namespace during Terminal Services sessions.
+
+
+
+
+ This privilege is required to create a paging file.
+
+
+
+
+ This privilege is required to create a permanent object.
+
+
+
+
+ This privilege is required to create a symbolic link.
+
+
+
+
+ This privilege is required to create a primary token.
+
+
+
+
+ This privilege is required to debug and adjust the memory of a process owned by another account.
+
+
+
+
+ This privilege is required to mark user and computer accounts as trusted for delegation.
+
+
+
+
+ This privilege is required to impersonate.
+
+
+
+
+ This privilege is required to increase the base priority of a process.
+
+
+
+
+ This privilege is required to increase the quota assigned to a process.
+
+
+
+
+ This privilege is required to allocate more memory for applications that run in the context of users.
+
+
+
+
+ This privilege is required to load or unload a device driver.
+
+
+
+
+ This privilege is required to lock physical pages in memory.
+
+
+
+
+ This privilege is required to create a computer account.
+
+
+
+
+ This privilege is required to enable volume management privileges.
+
+
+
+
+ This privilege is required to gather profiling information for a single process.
+
+
+
+
+ This privilege is required to modify the mandatory integrity level of an object.
+
+
+
+
+ This privilege is required to shut down a system using a network request.
+
+
+
+
+ This privilege is required to perform restore operations.
+
+
+
+
+ This privilege is required to perform a number of security-related functions, such as controlling and viewing audit messages.
+
+
+
+
+ This privilege is required to shut down a local system.
+
+
+
+
+ This privilege is required for a domain controller to use the Lightweight Directory Access Protocol directory synchronization services.
+
+
+
+
+ This privilege is required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information.
+
+
+
+
+ This privilege is required to gather profiling information for the entire system.
+
+
+
+
+ This privilege is required to modify the system time.
+
+
+
+
+ This privilege is required to take ownership of an object without being granted discretionary access.
+
+
+
+
+ This privilege identifies its holder as part of the trusted computer base.
+
+
+
+
+ This privilege is required to adjust the time zone associated with the computer's internal clock.
+
+
+
+
+ This privilege is required to access Credential Manager as a trusted caller.
+
+
+
+
+ This privilege is required to undock a laptop.
+
+
+
+
+ This privilege is required to read unsolicited input from a terminal device.
+
+
+
+
+ This account right is required for an account to log on using the batch logon type.
+
+
+
+
+ This account right explicitly denies an account the right to log on using the batch logon type.
+
+
+
+
+ This account right explicitly denies an account the right to log on using the interactive logon type.
+
+
+
+
+ This account right explicitly denies an account the right to log on using the network logon type.
+
+
+
+
+ This account right explicitly denies an account the right to log on remotely using the interactive logon type.
+
+
+
+
+ This account right explicitly denies an account the right to log on using the service logon type.
+
+
+
+
+ This account right is required for an account to log on using the interactive logon type.
+
+
+
+
+ This account right is required for an account to log on using the network logon type.
+
+
+
+
+ This account right is required for an account to log on remotely using the interactive logon type.
+
+
+
+
+ This account right is required for an account to log on using the service logon type.
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with variable references.
+
+
+
+
+
+
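Review bot: the user-right value documentation is duplicated verbatim in this hunk (the run of "This privilege is required ..." / "This account right ..." entries appears once before "The empty string value is permitted here ..." and again after the EntityStateUserRightType description), so the object-side and state-side enumerations will drift apart unless one copy is treated as the maintained source; consider documenting the values once on a shared simple type that both the object and state entity types restrict. Minor wording in the EntityStateUserRightType description: "to support empty element associated with variable references" should read "to support empty elements associated with variable references". Also, "This privilege is required to impersonate." is the one entry in the list that names no target; aligning it with its system-characteristics counterpart ("impersonate a client after authentication") would keep the two schemas consistent for content authors checking this privilege.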
diff --git a/oval-schemas/windows-system-characteristics-schema.xsd b/oval-schemas/windows-system-characteristics-schema.xsd
new file mode 100644
index 0000000..f320d27
--- /dev/null
+++ b/oval-schemas/windows-system-characteristics-schema.xsd
@@ -0,0 +1,5696 @@
+
+
+
+
+
+ The following is a description of the elements, types, and attributes that compose the Windows specific system characteristic items found in Open Vulnerability and Assessment Language (OVAL). Each item is an extension of the standard item element defined in the Core System Characteristic Schema. Through extension, each item inherits a set of elements and attributes that are shared amongst all OVAL Items. Each item is described in detail and should provide the information necessary to understand what each element and attribute represents. This document is intended for developers and assumes some familiarity with XML. A high level description of the interaction between the different tests and their relationship to the Core System Characteristic Schema is not outlined here.
+ The OVAL Schema is maintained by the OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.cisecurity.org.
+
+ Windows System Characteristics
+ 5.11.1:1.4
+ 01/09/2017 10:00:00 PM
+ Copyright (c) 2017, Center for Internet Security. All rights reserved. The contents of this file are subject to the terms of the OVAL License located at https://oval.cisecurity.org/terms. See the OVAL License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the OVAL Schema, this license header must be included.
+
+
+
+
+
+
+
+
+
+
+ The access token item holds information about the individual privileges and rights associated with a specific access token. It is important to note that these privileges are specific to certain versions of Windows. As a result, the documentation for that version of Windows should be consulted for more information. Each privilege and right in the data section accepts a boolean value signifying whether the privilege is granted or not. It extends the standard ItemType as defined in the oval-system-characteristics schema and one should refer to the ItemType description for more information.
+
+
+ 5.11
+ Replaced by the userright_item. The accesstoken_test suffers from scalability issues when run on a domain controller and should not be used. See the userright_item.
+ This object has been deprecated and may be removed in a future version of the language.
+
+
+
+ DEPRECATED ITEM: ID:
+
+
+
+
+
+
+
+
+
+
+ Security principles include users or groups with either local or domain accounts, and computer accounts created when a computer joins a domain. In Windows, security principles are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. User rights and permissions to access objects such as Active Directory objects, files, and registry settings are assigned to security principles. In a domain environment, security principles should be identified in the form: "domain\trustee name". For local security principles use: "computer name\trustee name". For built-in accounts on the system, use the trustee name without a domain.
+
+
+
+
+ If this privilege is enabled, it allows a parent process to replace the access token that is associated with a child process.
+
+
+
+
+ If this privilege is enabled, it allows a process to generate audit records in the security log. The security log can be used to trace unauthorized system access.
+
+
+
+
+ If this privilege is enabled, it allows the user to circumvent file and directory permissions to back up the system. The privilege is selected only when an application attempts access by using the NTFS backup application programming interface (API). Otherwise, normal file and directory permissions apply.
+
+
+
+
+ If this privilege is enabled, it allows the user to pass through folders to which the user otherwise has no access while navigating an object path in the NTFS file system or in the registry. This privilege does not allow the user to list the contents of a folder; it allows the user only to traverse its directories.
+
+
+
+
+ If this privilege is enabled, it allows the user to create named file mapping objects in the global namespace during Terminal Services sessions.
+
+
+
+
+ If this privilege is enabled, it allows the user to create and change the size of a pagefile.
+
+
+
+
+ If this privilege is enabled, it allows a process to create a directory object in the object manager. It is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode have this privilege inherently.
+
+
+
+
+ If this privilege is enabled, it allows a user create a symbolic link.
+
+
+
+
+ If this privilege is enabled, it allows a process to create an access token by calling NtCreateToken() or other token-creating APIs.
+
+
+
+
+ If this privilege is enabled, it allows the user to attach a debugger to any process. It provides access to sensitive and critical operating system components.
+
+
+
+
+ If this privilege is enabled, it allows the user to change the Trusted for Delegation setting on a user or computer object in Active Directory. The user or computer that is granted this privilege must also have write access to the account control flags on the object.
+
+
+
+
+ If this privilege is enabled, it allows the user to impersonate a client after authentication.
+
+
+
+
+ If this privilege is enabled, it allows a user to increase the base priority class of a process.
+
+
+
+
+ If this privilege is enabled, it allows a process that has access to a second process to increase the processor quota assigned to the second process.
+
+
+
+
+ If this privilege is enabled, it allows a user to increase a process working set.
+
+
+
+
+ If this privilege is enabled, it allows a user to install and remove drivers for Plug and Play devices.
+
+
+
+
+ If this privilege is enabled, it allows a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk.
+
+
+
+
+ If this privilege is enabled, it allows the user to add a computer to a specific domain.
+
+
+
+
+ If this privilege is enabled, it allows a non-administrative or remote user to manage volumes or disks.
+
+
+
+
+ If this privilege is enabled, it allows a user to sample the performance of an application process.
+
+
+
+
+ If this privilege is enabled, it allows a user to modify an object label.
+
+
+
+
+ If this privilege is enabled, it allows a user to shut down a computer from a remote location on the network.
+
+
+
+
+ If this privilege is enabled, it allows a user to circumvent file and directory permissions when restoring backed-up files and directories and to set any valid security principle as the owner of an object.
+
+
+
+
+ If this privilege is enabled, it allows a user to specify object access auditing options for individual resources such as files, Active Directory objects, and registry keys. A user who has this privilege can also view and clear the security log from Event Viewer.
+
+
+
+
+ If this privilege is enabled, it allows a user to shut down the local computer.
+
+
+
+
+ If this privilege is enabled, it allows a process to read all objects and properties in the directory, regardless of the protection on the objects and properties. It is required in order to use Lightweight Directory Access Protocol (LDAP) directory synchronization (Dirsync) services.
+
+
+
+
+ If this privilege is enabled, it allows modification of system environment variables either by a process through an API or by a user through System Properties.
+
+
+
+
+ If this privilege is enabled, it allows a user to sample the performance of system processes.
+
+
+
+
+ If this privilege is enabled, it allows the user to adjust the time on the computer's internal clock. It is not required to change the time zone or other display characteristics of the system time.
+
+
+
+
+ If this privilege is enabled, it allows a user to take ownership of any securable object in the system, including Active Directory objects, NTFS files and folders, printers, registry keys, services, processes, and threads.
+
+
+
+
+ If this privilege is enabled, it allows a process to assume the identity of any user and thus gain access to the resources that the user is authorized to access.
+
+
+
+
+ If this privilege is enabled, it allows a user to change the time zone.
+
+
+
+
+ If this privilege is enabled, it allows the user of a portable computer to undock the computer by clicking Eject PC on the Start menu.
+
+
+
+
+ If this privilege is enabled, it allows the user to read unsolicited data from a terminal device.
+
+
+
+
+ If an account is assigned this right, it can log on using the batch logon type.
+
+
+
+
+ If an account is assigned this right, it can log on using the interactive logon type.
+
+
+
+
+ If an account is assigned this right, it can log on using the network logon type.
+
+
+
+
+ If an account is assigned this right, it can log on to the computer by using a Remote Desktop connection.
+
+
+
+
+ If an account is assigned this right, it can log on using the service logon type.
+
+
+
+
+ If an account is assigned this right, it is explicitly denied the ability to log on using the batch logon type.
+
+
+
+
+ If an account is assigned this right, it is explicitly denied the ability to log on using the interactive logon type.
+
+
+
+
+ If an account is assigned this right, it is explicitly denied the ability to log on using the network logon type.
+
+
+
+
+ If an account is assigned this right, it is explicitly denied the ability to log on through Terminal Services.
+
+
+
+
+ If an account is assigned this right, it is explicitly denied the ability to log on using the service logon type.
+
+
+
+
+ If an account is assigned this right, it can access the Credential Manager as a trusted caller.
+
+
+
+
+
+
+
+
+
+
+
+
+ The active directory item holds information about specific entries in the Windows Active Directory. It extends the standard ItemType as defined in the oval-system-characteristics schema and one should refer to the ItemType description for more information.
+ Note that this ite supports only simple (string based) value collection. For more complex values see the activedirectory57_item.
+
+
+ 5.11.1:1.2
+ Use the original activedirectory_item. The activedirectory57_test suffers from ambiguity; it was never adequately specified, and it does not even seem possible to have structured data in the context of the enumerated AdstypeTypes. Use the original activedirectory_test instead.
+ This object has been deprecated and may be removed in a future version of the language.
+
+
+
+ DEPRECATED ITEM: ID:
+
+
+
+
+
+
+
+
+
+
+ Each object in active directory exists under a certain naming context (also known as a partition). A naming context is defined as a single object in the Directory Information Tree (DIT) along with every object in the tree subordinate to it. There are three default naming contexts in Active Directory: domain, configuration, and schema.
+
+
+
+
+ The relative_dn field is used to uniquely identify an object inside the specified naming context. It contains all the parts of the objects distinguished name except those outlined by the naming context. If the xsi:nil attribute is set to true, then the item being represented is the higher level naming context.
+
+
+
+
+ Specifies a named value contained by the object.
+
+
+
+
+ The name of the class of which the object is an instance.
+
+
+
+
+ Specifies the type of information that the specified attribute represents.
+
+
+
+
+ The actual value of the specified active directory attribute.
+
+
+
+
+
+
+
+
+
+
+
+
+ The activedirectory57_item holds information about specific entries in the Windows Active Directory. It extends the standard ItemType as defined in the oval-system-characteristics schema and one should refer to the ItemType description for more information.
+ Note that this item supports complex values that are in the form of a record. For simple (string based) value collection see the activedirectory_item.
+
+
+
+
+
+
+
+ Each object in active directory exists under a certain naming context (also known as a partition). A naming context is defined as a single object in the Directory Information Tree (DIT) along with every object in the tree subordinate to it. There are three default naming contexts in Active Directory: domain, configuration, and schema.
+
+
+
+
+ The relative_dn field is used to uniquely identify an object inside the specified naming context. It contains all the parts of the objects distinguished name except those outlined by the naming context. If the xsi:nil attribute is set to true, then the item being represented is the higher level naming context.
+
+
+
+
+ Specifies a named value contained by the object.
+
+
+
+
+ The name of the class of which the object is an instance.
+
+
+
+
+ Specifies the type of information that the specified attribute represents.
+
+
+
+
+ The actual value of the specified Active Directory attribute. Note that while an Active Directory attribute can contain structured data where it is necessary to collect multiple related fields that can be described by the 'record' datatype, it is not always the case. It also is possible that an Active Directory attribute can contain only a single value or an array of values. In these cases, there is not a name to uniquely identify the corresponding field(s) which is a requirement for fields in the 'record' datatype. As a result, the name of the Active Directory attribute will be used to uniquely identify the field(s) and satisfy this requirement. If the Active Directory attribute contains a single value, the 'record' will have a single field identified by the name of the Active Directory attribute. If the Active Directory attribute contains an array of values, the 'record' will have multiple fields all identified by the name of the Active Directory attribute
+
+
+
+ - datatype attribute for the value entity of a activedirectory57_item must be 'record'
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The auditeventpolicy item enumerates the different types of events the system should audit. The defined values are found in window's POLICY_AUDIT_EVENT_TYPE enumeration and accessed through the LsaQueryInformationPolicy when the InformationClass parameters are set to PolicyAuditEventsInformation. It extends the standard ItemType as defined in the oval-system-characteristics schema and one should refer to the ItemType description for more information.
+ Note that when audinting is disabled each of the entities listed below should be set to 'AUDIT_NONE'.
+
+
+
+
+
+
+
+ Audit attempts to log on to or log off of the system. Also, audit attempts to make a network connection.
+
+
+
+
+ Audit attempts to create, delete, or change user or group accounts. Also, audit password changes.
+
+
+
+
+ Audit specific events, such as program activation, some forms of handle duplication, indirect access to an object, and process exit.
+
+
+
+
+ Audit attempts to access the directory service.
+
+
+
+
+ Audit attempts to log on to or log off of the system. Also, audit attempts to make a network connection.
+
+
+
+
+ Audit attempts to access securable objects, such as files.
+
+
+
+
+ Audit attempts to change Policy object rules.
+
+
+
+
+ Audit attempts to use privileges.
+
+
+
+
+ Audit attempts to shut down or restart the computer. Also, audit events that affect system security or the security log.
+
+
+
+
+
+
+
+
+
+
+
+
+ The auditeventpolicysubcategories_item is used to hold information about the audit event policy settings on a Windows system. These settings are used to specify which system and network events are monitored. For example, if the credential_validation element has a value of AUDIT_FAILURE, it means that the system is configured to log all unsuccessful attempts to validate a user account on a system. It is important to note that these audit event policy settings are specific to certain versions of Windows. As a result, the documentation for that version of Windows should be consulted for more information on each setting. It extends the standard ItemType as defined in the oval-system-characteristics schema and one should refer to the ItemType description for more information.
+ Note that when audinting is disabled each of the entities listed below should be set to 'AUDIT_NONE'.
+
+
+
+
+
+
+
+
+ Audit the events produced during the validation of a user's logon credentials. This state corresponds with the following GUID specified in ntsecapi.h: 0cce923f-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Account Logon: Audit Credential Validation
+
+
+
+
+ Audit the events produced by Kerberos authentication ticket-granting requests. This state corresponds with the following GUID specified in ntsecapi.h: 0CCE9242-69AE-11D9-BED3-505054503030. This state corresponds with the following Advanced Audit Policy: Account Logon: Audit Kerboros Authentication Service
+
+
+
+
+ Audit the events produced by Kerberos service ticket requests. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9240-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Account Logon: Audit Kerberos Service Ticket Operations
+
+
+
+
+ Audit the events produced during the validation of Kerberos tickets provided for a user account logon request.
+
+
+ 5.11
+ This entity does not map to any known audit event policy subcategory.
+ This entity has been deprecated and will be removed in version 6.0 of the language.
+
+
+
+ DEPRECATED ELEMENT: ID:
+
+
+
+
+
+
+
+ Audit the events produced by changes to user accounts that are not covered by other events in the Account Logon category. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9241-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Account Logon: Audit Other Account Logon Events
+
+
+
+
+
+ Audit the events produced by changes to application groups. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9239-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Account Management: Audit Application Group Management
+
+
+
+
+ Audit the events produced by changes to computer accounts. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9236-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Account Management: Audit Computer Account Management
+
+
+
+
+ Audit the events produced by changes to distribution groups. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9238-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Account Management: Audit Distribution Account Management
+
+
+
+
+ Audit the events produced by other user account changes that are not covered by other events in the Account Management category. This state corresponds with the following GUID specified in ntsecapi.h: 0cce923a-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Account Management: Audit Other Account Management Events
+
+
+
+
+ Audit the events produced by changes to security groups. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9237-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Account Management: Audit Security Group Management
+
+
+
+
+ Audit the events produced by changes to user accounts. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9235-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Account Management: Audit User Account Management
+
+
+
+
+
+ Audit the events produced when requests are made to the Data Protection application interface. This state corresponds with the following GUID specified in ntsecapi.h: 0cce922d-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Detailed Tracking: Audit DPAPI Activity
+
+
+
+
+ Audit the events produced when a process is created or starts. This state corresponds with the following GUID specified in ntsecapi.h: 0cce922b-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Detailed Tracking: Audit Process Creation
+
+
+
+
+ Audit the events produced when a process ends. This state corresponds with the following GUID specified in ntsecapi.h: 0cce922c-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Detailed Tracking: Audit Process Termination
+
+
+
+
+ Audit the events produced by inbound remote procedure call connections. This state corresponds with the following GUID specified in ntsecapi.h: 0cce922e-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Detailed Tracking: Audit RPC Events
+
+
+
+
+
+ Audit the events produced when a Active Directory Domain Services object is accessed. This state corresponds with the following GUID specified in ntsecapi.h: 0cce923b-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: DS Access: Audit Directory Service Access
+
+
+
+
+ Audit the events produced when changes are made to Active Directory Domain Services objects. This state corresponds with the following GUID specified in ntsecapi.h: 0cce923c-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: DS Access: Audit Directory Service Changes
+
+
+
+
+ Audit the events produced when two Active Directory Domain Services domain controllers are replicated. This state corresponds with the following GUID specified in ntsecapi.h: 0cce923d-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: DS Access: Audit Directory Service Access
+
+
+
+
+ Audit the events produced by detailed Active Directory Domain Services replication between domain controllers. This state corresponds with the following GUID specified in ntsecapi.h: 0cce923e-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: DS Access: Audit Detailed Directory Service Replication
+
+
+
+
+
+ Audit the events produced by a failed attempt to log onto a locked out account. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9217-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Logon/Logoff: Audit Account Lockout
+
+
+
+
+ Audit the events produced by Internet Key Exchange and Authenticated Internet protocol during Extended Mode negotiations. This state corresponds with the following GUID specified in ntsecapi.h: 0cce921a-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Logon/Logoff: Audit IPsec Extended Mode
+
+
+
+
+ Audit the events produced by Internet Key Exchange and Authenticated Internet protocol during Main Mode negotiations. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9218-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Logof/Logoff: Audit IPsec Main Mode
+
+
+
+
+ Audit the events produced by Internet Key Exchange and Authenticated Internet protocol during Quick Mode negotiations. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9219-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Logon/Logoff: Audit IPsec Quick Mode
+
+
+
+
+ Audit the events produced by closing a logon session. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9216-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Logon/Logoff: Audit Logoff
+
+
+
+
+ Audit the events produced by attempts to log onto a user account. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9215-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Logon/Logoff: Audit Logon
+
+
+
+
+ Audit the events produced by RADIUS and Network Access Protection user access requests. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9243-69ae-11d9-bed3-505054503030.This state corresponds with the following Advanced Audit Policy: Logon/Logoff: Audit Network Policy Server
+
+
+
+
+ Audit the events produced by other logon/logoff based events that are not covered in the Logon/Logoff category. This state corresponds with the following GUID specified in ntsecapi.h: 0cce921c-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Logon/Logoff: Audit Other Logon/Logoff Events
+
+
+
+
+ Audit the events produced by special logons. This state corresponds with the following GUID specified in ntsecapi.h: 0cce921b-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Logon/Logoff: Audit Special Logon
+
+
+
+
+ Audit user and device claims information in the user's logon token. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9247-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Logon/Logoff: Audit User / Device Claims
+
+
+
+
+
+ Audit the events produced by applications that use the Windows Auditing API. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9222-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Object Access: Audit Application Generated
+
+
+
+
+ Audit the events produced by operations on Active Directory Certificate Services. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9221-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Object Access: Audit Certification Services
+
+
+
+
+ Audit the events produced by attempts to access files and folders on a shared folder. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9244-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Object Access: Audit Detailed File Share
+
+
+
+
+ Audit the events produced by attempts to access a shared folder. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9224-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Object Access: Audit File Share
+
+
+
+
+ Audit the events produced user attempts to access file system objects. This state corresponds with the following GUID specified in ntsecapi.h: 0cce921d-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Object Access: Audit File System
+
+
+
+
+ Audit the events produced by connections that are allowed or blocked by Windows Filtering Platform. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9226-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Object Access: Audit Filtering Platform Connection
+
+
+
+
+ Audit the events produced by packets that are dropped by Windows Filtering Platform. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9225-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Object Access: Audit Filtering Platform Packet Drop
+
+
+
+
+ Audit the events produced when a handle is opened or closed. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9223-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Object Access: Handle Manipulation
+
+
+
+
+ Audit the events produced by attempts to access the system kernel. This state corresponds with the following GUID specified in ntsecapi.h: 0cce921f-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Object Access: Kernel Object
+
+
+
+
+ Audit the events produced by the management of Task Scheduler jobs or COM+ objects. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9227-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Object Access: Other Object Access Events
+
+
+
+
+ Audit the events produced by attempts to access registry objects. This state corresponds with the following GUID specified in ntsecapi.h: 0cce921e-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Object Access: Audit Registry
+
+
+
+
+ Audit the events produced by attempts to access Security Accounts Manager objects. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9220-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Object Access: Audit SAM
+
+
+
+
+ Audit events that indicate file object access attemps to removable storage. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9245-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Object Access: Audit Removable Storage
+
+
+
+
+ Audit events that indicate permission granted or denied by a proposed policy differs from the current central access policy on an object. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9246-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Object Access: Central Access Policy Staging
+
+
+
+
+
+ Audit the events produced by changes in security audit policy settings. This state corresponds with the following GUID specified in ntsecapi.h: 0cce922f-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Policy Change: Audit Audit Policy Change
+
+
+
+
+ Audit the events produced by changes to the authentication policy. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9230-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Policy Change: Audit Authentication Policy Change
+
+
+
+
+ Audit the events produced by changes to the authorization policy. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9231-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Policy Change: Audit Authorization Policy Change
+
+
+
+
+ Audit the events produced by changes to the Windows Filtering Platform. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9233-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Policy Change: Audit Filtering Platform Policy Change
+
+
+
+
+ Audit the events produced by changes to policy rules used by the Windows Firewall. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9232-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Policy Change: Audit MPSSVC Rule-Level Policy Change
+
+
+
+
+ Audit the events produced by other security policy changes that are not covered other events in the Policy Change category. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9234-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Policy Change: Audit Other Policy Change Events
+
+
+
+
+
+ Audit the events produced by the use of non-sensitive privileges. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9229-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Privilege Use: Audit Non Sensitive Privilege Use
+
+
+
+
+ This is currently not used and has been reserved by Microsoft for use in the future. This state corresponds with the following GUID specified in ntsecapi.h: 0cce922a-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Privilege Use: Audit Other Privilege Use Events
+
+
+
+
+ Audit the events produced by the use of sensitive privileges. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9228-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: Privilege Use: Audit Sensitive Privilege Use
+
+
+
+
+
+ Audit the events produced by the IPsec filter driver. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9213-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: System: Audit IPsec Driver
+
+
+
+
+ Audit the events produced by the startup and shutdown, security policy processing, and cryptography key file and migration operations of the Windows Firewall. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9214-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: System: Audit Other System Events
+
+
+
+
+ Audit the events produced by changes in the security state. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9210-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: System: Audit Security State Change
+
+
+
+
+ Audit the events produced by the security system extensions or services. This state corresponds with the following GUID specified in ntsecapi.h: cce9211-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: System: Audit Security System Extension
+
+
+
+
+ Audit the events that indicate that the integrity security subsystem has been violated. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9212-69ae-11d9-bed3-505054503030. This state corresponds with the following Advanced Audit Policy: System: Audit System Integrity
+
+
+
+
+ This subcategory audits the group membership of a token for an associated log on. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9249-69ae-11d9-bed3-505054503030.
+
+
+
+
+ This subcategory audits events generated by plug and play (PNP). This state corresponds with the following GUID specified in ntsecapi.h: 0cce9248-69ae-11d9-bed3-505054503030.
+
+
+
+
+ This subcategory audits the user and device claims that are present in the token of an associated logon. This state corresponds with the following GUID specified in ntsecapi.h: 0cce9247-69ae-11d9-bed3-505054503030.
+
+
+
+
+ This subcategory audits when token privileges are enabled or disabled for a specific account’s token. This state corresponds with the following GUID specified in ntsecapi.h: 0cce924a-69ae-11d9-bed3-505054503030.
+
+
+
+
+
+
+
+
+
+
+
+
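Review bot: the GUID on the Security System Extension subcategory is malformed: `cce9211-69ae-11d9-bed3-505054503030` is one character short of the `0cce92xx-69ae-11d9-bed3-505054503030` form every other subcategory uses, so it is not a valid GUID and will not match the value in ntsecapi.h; it should be `0cce9211-69ae-11d9-bed3-505054503030`. Three wording slips in the same block: `Audit the events produced user attempts to access file system objects` is missing "by", `file object access attemps to removable storage` should read "attempts", and the Other Policy Change Events entry should read "not covered by other events". The last four subcategories (group membership, plug and play, user and device claims, token privilege adjustment) also omit the "This state corresponds with the following Advanced Audit Policy:" sentence that every other entry carries; please add the category and subcategory name for each so the mapping is complete.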
+ The cmdlet_item represents a PowerShell cmdlet, the parameters supplied to it, and the value it returned.
+
+
+
+
+
+
+
+ The name of the module that contains the cmdlet.
+
+
+
+
+ The globally unique identifier for the module.
+
+
+
+
+ The version of the module that contains the cmdlet in the form of MAJOR.MINOR.
+
+
+
+
+ The cmdlet verb.
+
+
+
+
+ The cmdlet noun.
+
+
+
+
+ A list of properties (name and value pairs) as input to invoke the cmdlet.
+
+
+
+ - datatype attribute for the parameters entity of a cmdlet_item must be 'record'
+
+
+
+
+
+
+
+ A list of fields (name and value pairs) used as input to the Select-Object cmdlet to select specific output properties.
+
+
+
+ - datatype attribute for the select entity of a cmdlet_item must be 'record'
+
+
+
+
+
+
+
+ The expected value represented as a set of fields (name and value pairs).
+
+
+
+ - datatype attribute for the value entity of a cmdlet_item must be 'record'
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The dnscache_item stores information retrieved from the DNS cache about a domain name, its time to live, and its corresponding IP addresses.
+
+
+
+
+
+
+
+ The domain_name element contains a string that represents a domain name that was collected from the DNS cache on the local system.
+
+
+
+
+ The ttl element contains an integer that represents the time to live in seconds of the DNS cache entry.
+
+
+
+
+ The ip_address element contains a string that represents an IP address associated with the specified domain name. Note that the IP address can be IPv4 or IPv6.
+
+
+
+
+
+
+
+
+
+
+
+
+ This element describes file metadata. The time information can be retrieved by the _stst function. Development_class and other version information (company, internal name, language, original_filename, product_name, product_version) can be retrieved using the VerQueryValue function.
+
+
+
+
+
+
+
+ The filepath element specifies the absolute path for a file on the machine. A directory cannot be specified as a filepath.
+
+
+
+
+ Specifies the directory component of the absolute path to a file on the machine.
+
+
+
+
+ The name of the file. If the xsi:nil attribute is set to true, then the item being represented is the higher directory represented by the path entity. The other items associated with this item would then reflect the values associated with the directory.
+
+
+
+
+ A string that contains the name of the owner. The name should be specified in the DOMAIN\username format.
+
+
+
+
+ Size of the file in bytes.
+
+
+
+
+ Time of last access of file. Valid on NTFS but not on FAT formatted disk drives. The string should represent the FILETIME structure which is a 64-bit value representing the number of 100-nanosecond intervals since January 1, 1601 (UTC).
+
+
+
+
+ Time of creation of file. Valid on NTFS but not on FAT formatted disk drives. The string should represent the FILETIME structure which is a 64-bit value representing the number of 100-nanosecond intervals since January 1, 1601 (UTC).
+
+
+
+
+ Time of last modification of file. The string should represent the FILETIME structure which is a 64-bit value representing the number of 100-nanosecond intervals since January 1, 1601 (UTC).
+
+
+
+
+ The checksum of the file as supplied by Microsoft's MapFileAndCheckSum function.
+
+
+
+
+ The version of the file.
+
+
+
+
+ The type child element marks whether the file item describes a named pipe, standard file, etc. These types are the return values for GetFileType. For directories, this element must have a status of 'does not exist'.
+
+
+
+
+ The attribute child elements denote the Windows file attributes associated with the file. These types are the return values for GetFileAttributes.
+
+
+
+
+ The development_class element allows the distinction to be made between the GDR development environment and the QFE development environment. This field holds the text found in front of the mmmmmm-nnnn version, for example srv03_gdr.
+
+
+
+
+ This entity defines the company name held within the version-information structure.
+
+
+
+
+ This entity defines the internal name held within the version-information structure.
+
+
+
+
+ This entity defines the language held within the version-information structure.
+
+
+
+
+ This entity defines the original filename held within the version-information structure.
+
+
+
+
+ This entity defines the product name held within the version-information structure.
+
+
+
+
+ This entity defines the product version held within the version-information structure. This may not necessarily be a string compatible with the OVAL version datatype, in which case the string datatype should be used.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The windows view value from which this OVAL Item was collected. This is used to indicate from which view (32-bit or 64-bit), the associated Item was collected. A value of '32_bit' indicates the Item was collected from the 32-bit view. A value of '64-bit' indicates the Item was collected from the 64-bit view. Omitting this entity removes any assertion about which view the Item was collected from, and therefore it is strongly suggested that this entity be set.
+
+
+
+
+
+
+
+
+
+
+
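Review bot: the file_item description references a function that does not exist under that name (`The time information can be retrieved by the _stst function`); `_stat` appears to be intended, please confirm and fix. The windows_view text mixes value spellings, `'32_bit'` with an underscore and `'64-bit'` with a hyphen; the enumerated values are `32_bit` and `64_bit`, so change `'64-bit'` to `'64_bit'` here and in the three later copies of the same sentence (file_audited_permissions, file_effective_rights and junction_item), otherwise a reader copying the quoted value into content will use a value the schema does not accept.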
+
+ This item stores the audited access rights of a file that a system access control list (SACL) structure grants to a specified trustee. The trustee's audited access rights are determined checking all access control entries (ACEs) in the SACL. For help with this test see the GetAuditedPermissionsFromAcl() api.
+
+
+
+
+
+
+
+ Specifies the absolute path to a file on the machine from which the DACL was retrieved. A directory cannot be specified as a filepath.
+
+
+
+
+ This element specifies the directory component of the absolute path to a file on the machine from which the DACL was retrieved.
+
+
+
+
+ The name of the file. If the xsi:nil attribute is set to true, then the item being represented is the higher directory represented by the path entity. The other items associated with this item would then reflect the values associated with the directory.
+
+
+
+
+ The trustee_sid entity specifies the SID that associated a user, group, system, or program (such as a Windows service).
+
+
+
+
+ This element specifies the trustee name associated with this particular SACL. A trustee can be a user, group, or program (such as a Windows service). In Windows, trustee names are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, trustee names should be identified in the form: "domain\trustee name". For local trustee names use: "computer name\trustee name". For built-in accounts on the system, use the trustee name without a domain.
+
+
+ 5.3
+ Replaced by the trustee_sid entity. This entity uses trustee names for identifying trustees. Trustee names are not unique, and a new entity was created to use trustee SIDs, which are unique. See the trustee_sid.
+ This entity has been deprecated and will be removed in version 6.0 of the language.
+
+
+
+ DEPRECATED ELEMENT: ID:
+
+
+
+
+
+
+
+ The right to delete the object.
+
+
+
+
+ The right to read the information in the object's security descriptor, not including the information in the SACL.
+
+
+
+
+ The right to modify the DACL in the object's security descriptor.
+
+
+
+
+ The right to change the owner in the object's security descriptor.
+
+
+
+
+ The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right.
+
+
+
+
+ Indicates access to a system access control list (SACL).
+
+
+
+
+ Read access.
+
+
+
+
+ Write access.
+
+
+
+
+ Execute access.
+
+
+
+
+ Read, write, and execute access.
+
+
+
+
+ Grants the right to read data from the file.
+
+
+
+
+ Grants the right to write data to the file.
+
+
+
+
+ Grants the right to append data to the file.
+
+
+
+
+ Grants the right to read extended attributes.
+
+
+
+
+ Grants the right to write extended attributes.
+
+
+
+
+ Grants the right to execute a file.
+
+
+
+
+ Right to delete a directory and all the files it contains (its children), even if the files are read-only.
+
+
+
+
+ Grants the right to read file attributes.
+
+
+
+
+ Grants the right to change file attributes.
+
+
+
+
+ The windows view value from which this OVAL Item was collected. This is used to indicate from which view (32-bit or 64-bit), the associated Item was collected. A value of '32_bit' indicates the Item was collected from the 32-bit view. A value of '64-bit' indicates the Item was collected from the 64-bit view. Omitting this entity removes any assertion about which view the Item was collected from, and therefore it is strongly suggested that this entity be set.
+
+
+
+
+
+
+
+
+
+
+
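Review bot: the filepath and path descriptions in the file_audited_permissions item refer to the file `from which the DACL was retrieved`, but the item itself (`This item stores the audited access rights of a file that a system access control list (SACL) structure grants`) is about the SACL; change both to SACL so the item is not documented against the wrong ACL. Also `The trustee's audited access rights are determined checking all access control entries` is missing "by", and the trustee_sid sentence should read "the SID that is associated with a user, group, system, or program". The deprecation block renders as "DEPRECATED ELEMENT: ID:" with nothing after the colon; the deprecated element's name seems to have been dropped by the generator, please check that the id is emitted.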
+
+ This item stores the effective rights of a file that a discretionary access control list (DACL) structure grants to a specified trustee. The trustee's effective rights are determined checking all access-allowed and access-denied access control entries (ACEs) in the DACL. For help with this test see the GetEffectiveRightsFromAcl() api.
+
+
+
+
+
+
+
+ Specifies the absolute path to a file on the machine from which the DACL was retrieved. A directory cannot be specified as a filepath.
+
+
+
+
+ This element specifies the absolute path to a file on the machine from which the DACL was retrieved.
+
+
+
+
+ The name of the file. If the xsi:nil attribute is set to true, then the item being represented is the higher directory represented by the path entity. The other items associated with this item would then reflect the values associated with the directory.
+
+
+
+
+ The trustee_sid entity specifies the SID that associated a user, group, system, or program (such as a Windows service).
+
+
+
+
+ This element specifies the trustee name associated with this particular DACL. A trustee can be a user, group, or program (such as a Windows service). In Windows, trustee names are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, trustee names should be identified in the form: "domain\trustee name". For local trustee names use: "computer name\trustee name". For built-in accounts on the system, use the trustee name without a domain.
+
+
+ 5.3
+ Replaced by the trustee_sid entity. This entity uses trustee names for identifying trustees. Trustee names are not unique, and a new entity was created to use trustee SIDs, which are unique. See the trustee_sid.
+ This entity has been deprecated and will be removed in version 6.0 of the language.
+
+
+
+ DEPRECATED ELEMENT: ID:
+
+
+
+
+
+
+
+ The right to delete the object.
+
+
+
+
+ The right to read the information in the object's security descriptor, not including the information in the SACL.
+
+
+
+
+ The right to modify the DACL in the object's security descriptor.
+
+
+
+
+ The right to change the owner in the object's security descriptor.
+
+
+
+
+ The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right.
+
+
+
+
+ Indicates access to a system access control list (SACL).
+
+
+
+
+ Read access.
+
+
+
+
+ Write access.
+
+
+
+
+ Execute access.
+
+
+
+
+ Read, write, and execute access.
+
+
+
+
+ Grants the right to read data from the file
+
+
+
+
+ Grants the right to write data to the file.
+
+
+
+
+ Grants the right to append data to the file.
+
+
+
+
+ Grants the right to read extended attributes.
+
+
+
+
+ Grants the right to write extended attributes.
+
+
+
+
+ Grants the right to execute a file.
+
+
+
+
+ Right to delete a directory and all the files it contains (its children), even if the files are read-only.
+
+
+
+
+ Grants the right to read file attributes.
+
+
+
+
+ Grants the right to change file attributes.
+
+
+
+
+ The windows view value from which this OVAL Item was collected. This is used to indicate from which view (32-bit or 64-bit), the associated Item was collected. A value of '32_bit' indicates the Item was collected from the 32-bit view. A value of '64-bit' indicates the Item was collected from the 64-bit view. Omitting this entity removes any assertion about which view the Item was collected from, and therefore it is strongly suggested that this entity be set.
+
+
+
+
+
+
+
+
+
+
+
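Review bot: in the file_effective_rights item the path description duplicates the filepath one: `This element specifies the absolute path to a file on the machine from which the DACL was retrieved.` directly follows `Specifies the absolute path to a file on the machine from which the DACL was retrieved.`, whereas the matching SACL item describes path as the directory component of the absolute path; change the path text to "specifies the directory component of the absolute path to a file on the machine from which the DACL was retrieved". Minor: `Grants the right to read data from the file` is missing its trailing period, and the "SID that associated" and "determined checking" wording slips from the SACL item recur here and should be fixed in both places.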
+
+ The Windows group_item allows the different users and subgroups, that directly belong to specific groups (identified by name), to be collected. The collected subgroups will not be resolved to find indirect user or subgroup members. If the subgroups need to be resolved, it should be done using the sid_object. Note that the user and subgroup elements can appear an unlimited number of times. If a user is not found in the specified group, a single user element should exist with a status of 'does not exist'. If there is an error determining the users of a group, a single user element should exist with a status of 'error'. If a subgroup is not found in the specified group, a single subgroup element should exist with a status of 'does not exist'. If there is an error determining the subgroups of a group, a single subgroup element should exist with a status of 'error'.
+
+
+ 5.11
+ Replaced by the group_sid_item. This item uses trustee names for identifying accounts on the system. Trustee names are not unique and the group_sid_item, which uses trustee SIDs which are unique, should be used instead. See the group_sid_item.
+ This object has been deprecated and may be removed in a future version of the language.
+
+
+
+ DEPRECATED ITEM: ID:
+
+
+
+
+
+
+
+
+
+
+ A string the represents the name of a particular group. In Windows, group names are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, groups should be identified in the form: "domain\group name". For local groups use: "computer name\group name". For built-in accounts on the system, use the group name without a domain.
+
+
+
+
+ A string that represents the name of a particular user. In Windows, user names are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, users should be identified in the form: "domain\user name". For local users use: "computer name\user name". For built-in accounts on the system, use the user name without a domain.
+ If the specified group has more than one user as a member, then multiple user elements should exist. If the specified group does not contain a single user, then a single user element should exist with a status of 'does not exist'. If there is an error determining the users that are members of the group, then a single user element should be included with a status of 'error'.
+
+
+
+
+ A string that represents the name of a particular subgroup in the specified group. In Windows, group names are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, the subgroups should be identified in the form: "domain\group name". In a local environment, the subgroups should be identified in the form: "computer name\group name". If the subgroups are built-in groups, the subgroups should be identified in the form: "group name" without a domain component.
+ If the specified group has more than one subgroup as a member, then multiple subgroup elements should exist. If the specified group does not contain a single subgroup, then a single subgroup element should exist with a status of 'does not exist'. If there is an error determining the subgroups that are members of the group, then a single subgroup element should be included with a status of 'error'.
+
+
+
+
+
+
+
+
+
+
+
+
+ The Windows group_sid_item allows the different users and subgroups, that directly belong to specific groups (identified by SID), to be collected. The collected subgroups will not be resolved to find indirect user or subgroup members. If the subgroups need to be resolved, it should be done using the sid_sid_object. Note that the user and subgroup elements can appear an unlimited number of times. If a user is not found in the specified group, a single user element should exist with a status of 'does not exist'. If there is an error determining the users of a group, a single user element should exist with a status of 'error'. If a subgroup is not found in the specified group, a single subgroup element should exist with a status of 'does not exist'. If there is an error determining the subgroups of a group, a single subgroup element should exist with a status of 'error'.
+
+
+
+
+
+
+
+ A string the represents the SID of a particular group.
+
+
+
+
+ A string that represents the SID of a particular user. If the specified group has more than one user as a member, then multiple user_sid entities should exist. If the specified group does not contain a single user, then a single user_sid entity should exist with a status of 'does not exist'. If there is an error determining the userss that are members of the group, then a single user_sid entity should be included with a status of 'error'.
+
+
+
+
+ A string that represents the SID of a particular subgroup. If the specified group has more than one subgroup as a member, then multiple subgroup_sid entities should exist. If the specified group does not contain a single subgroup, a single subgroup_sid entity should exist with a status of 'does not exist'. If there is an error determining the subgroups that are members of the group, then a single subgroup_sid entity should be included with a status of 'error'.
+
+
+
+
+
+
+
+
+
+
+
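Review bot: the group_item deprecation notice says `This object has been deprecated and may be removed in a future version of the language.` while the block is labelled `DEPRECATED ITEM: ID:` (with the id again empty); it should say "This item has been deprecated", and the other deprecation notices in this file state a concrete removal version (version 6.0), so either give one here or make the wording consistent. Spelling: `A string the represents the name of a particular group` and the matching group_sid sentence should read "that represents", and "userss" in the user_sid description should be "users".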
+
+ Enumerate various attributes about the interfaces on a system.
+
+
+
+
+
+
+
+ This element specifies the name of an interface.
+
+
+
+
+ This element specifies index that identifies the interface.
+
+
+
+
+ This element specifies the type of interface which is limited to certain set of values.
+
+
+
+
+ This element specifies the hardware or MAC address of the physical network card. MAC addresses should be formatted according to the IEEE 802-2001 standard which states that a MAC address is a sequence of six octet values, separated by hyphens, where each octet is represented by two hexadecimal digits. Uppercase letters should also be used to represent the hexadecimal digits A through F.
+
+
+
+
+ This element specifies the IP address of the specific interface. Note that the IP address can be IPv4 or IPv6. If the IP address is an IPv6 address, this entity should be expressed as an IPv6 address prefix using CIDR notation and the netmask entity should not be collected.
+
+
+
+
+ This element specifies the broadcast address. A broadcast address is typically the IP address with the host portion set to either all zeros or all ones. Note that the IP address can be IPv4 or IPv6.
+
+
+
+
+ This element specifies the subnet mask for the IP address. Note that if the inet_addr entity contains an IPv6 address prefix, this entity should not be collected.
+
+
+
+
+ This element specifies the address type or state of a specific interface. Each interface can be associated with more than one value meaning the addr_type element can occur multiple times.
+
+
+
+
+
+
+
+
+
+
+
+
+ The junction_item element identifies the result generated for a junction_object.
+
+
+
+
+
+
+
+ Specifies the path to the subject junction, specified by the junction_object.
+
+
+
+
+ Specifies the canonical path for the target of the Windows junction specified by the path.
+
+
+
+
+ The windows view value from which this OVAL Item was collected. This is used to indicate from which view (32-bit or 64-bit), the associated Item was collected. A value of '32_bit' indicates the Item was collected from the 32-bit view. A value of '64-bit' indicates the Item was collected from the 64-bit view. Omitting this entity removes any assertion about which view the Item was collected from, and therefore it is strongly suggested that this entity be set.
+
+
+
+
+
+
+
+
+
+
+
+
+ The license_item element stores the different information that can be found in the Windows license registry value. Please refer to the individual elements in the schema for more details about what each represents.
+
+
+
+
+
+
+
+ This element describes the name of a license entry.
+
+
+
+
+ Specifies the type of data stored by the license entry. Valid values are REG_BINARY, REG_DWORD and REG_SZ. Please refer to the EntityItemRegistryTypeType for more information about the different possible types.
+
+
+
+
+ The value entity holds the actual value of the specified license entry. The representation of the value as well as the associated datatype attribute depends on type of data stored in the license entry. If the specified license entry is of type REG_BINARY, then the datatype attribute should be set to 'binary' and the data represented by the value entity should follow the xsd:hexBinary form. (each binary octet is encoded as two hex digits) If the registry key is of type REG_DWORD, then the datatype attribute should be set to 'int' and the value entity should represent the data as an integer. If the specified registry key is of type REG_SZ, then the datatype should be 'string' and the value entity should be a copy of the string.
+
+
+
+
+
+
+
+
+
+
+
+
+ The lockoutpolicy item enumerates various attributes associated with lockout information for users and global groups in the security database.
+
+
+
+
+
+
+
+ Specifies, in seconds (from a DWORD), the amount of time between the end of the valid logon time and the time when the user is forced to log off the network. A value of TIMEQ_FOREVER (max DWORD value, 4294967295) indicates that the user is never forced to log off. A value of zero indicates that the user will be forced to log off immediately when the valid logon time expires. See the USER_MODALS_INFO_0 structure returned by a call to NetUserModalsGet().
+
+
+
+ - the value of force_logoff must be greater than or equal to zero
+
+
+
+
+
+
+
+ Specifies, in seconds, how long a locked account remains locked before it is automatically unlocked. See the USER_MODALS_INFO_3 structure returned by a call to NetUserModalsGet().
+
+
+
+ - the value of lockout_duration must be greater than or equal to zero
+
+
+
+
+
+
+
+ Specifies the maximum time, in seconds, that can elapse between any two failed logon attempts before lockout occurs. See the USER_MODALS_INFO_3 structure returned by a call to NetUserModalsGet().
+
+
+
+
+ Specifies the number of invalid password authentications that can occur before an account is marked "locked out." See the USER_MODALS_INFO_3 structure returned by a call to NetUserModalsGet().
+
+
+
+
+
+
+
+
+
+
+
+
+ This item gathers information from the specified metabase keys.
+
+
+
+
+
+
+
+ This element describes a metabase key to be gathered.
+
+
+
+
+ The id element specifies a particular object under the metabase key. If the xsi:nil attribute is set to true, then the item being represented is the higher level metabase key. Using xsi:nil here will result in a status of 'not collected' for the other entities associated with this item since these entities are not associated with a key by itself.
+
+
+
+
+ This element describes the name of the specified metabase object.
+
+
+
+
+ The user_type element is an unsigned 32-bit integer (DWORD) that specifies the user type of the data. See the METADATA_RECORD structure.
+
+
+
+
+ The data_type element identifies the type of data in the metabase entry. See the METADATA_RECORD structure.
+
+
+
+
+ The actual data of the named item under the specified metabase key. If the specified metabase key is of type multi string, then multiple value elements should exist to describe the array of strings.
+
+
+
+
+
+
+
+
+
+
+
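Review bot: the license_item value description switches subject mid-paragraph: after `If the specified license entry is of type REG_BINARY` it continues `If the registry key is of type REG_DWORD` and `If the specified registry key is of type REG_SZ`; the item reads a license registry value, not a key, so use "license entry" throughout to match the first sentence and the type description above it. Minor wording in interface_item: "This element specifies index that identifies the interface" needs "the index", and "limited to certain set of values" needs "a certain set".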
+
+ The windows ntuser_item specifies information that can be collected from a particular ntuser.dat file.
+
+
+
+
+
+
+
+ This element describes a registry key normally found in the HKCU hive to be tested.
+
+
+
+
+ This element describes the name of a registry key. If the xsi:nil attribute is set to true, then the item being represented is the
+ higher level key. Using xsi:nil here will result in a status of 'does not exist' for the type, and value entities since these entities are not
+ associated with a key by itself.
+
+
+
+
+ This element holds a string that represents the SID of a particular user.
+
+
+
+
+ The username entity holds a string that represents the name of a particular user. In Windows, user names are case-insensitive. As a
+ result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, users should be identified in
+ the form: "domain\user name". For local users use: "computer name\user name".
+
+
+
+
+ The account_type element describes if the user account is a local account or domain account.
+
+
+
+
+ The logged_on element describes if the user account is currently logged on to the computer.
+
+
+
+
+ The enabled element describes if the user account is enabled or disabled.
+
+
+
+
+ Time of last modification of file. The string should represent the FILETIME structure which is a 64-bit value representing the number
+ of 100-nanosecond intervals since January 1, 1601 (UTC).
+
+
+
+
+ The number of days since the ntuser.dat file was last modified. The value should be rounded up to the next whole integer.
+
+
+
+
+ This element describes the filepath of the ntuser.dat file.
+
+
+
+
+ The last time that the key or any of its value entries was modified. The value of this entity represents the FILETIME structure which
+ is a 64-bit value representing the number of 100-nanosecond intervals since January 1, 1601 (UTC). Last write time can be queried on a hive, key,
+ or name. When collecting only information about a registry hive the last write time will be the time the hive or any of its entiries was written
+ to. When collecting only information about a registry hive and key the last write time will be the time the key or any of its entiries was written
+ to. When collecting only information about a registry name the last write time will be the time the name was written to. See the RegQueryInfoKey
+ function lpftLastWriteTime.
+
+
+
+
+ Specifies the type of data stored by the registry key. Please refer to the EntityItemRegistryTypeType for more information about the
+ different possible types.
+
+
+
+
+ The value entity holds the actual value of the specified registry key. The representation of the value as well as the associated
+ datatype attribute depends on type of data stored in the registry key. If the specified registry key is of type REG_BINARY, then the datatype
+ attribute should be set to 'binary' and the data represented by the value entity should follow the xsd:hexBinary form. (each binary octet is
+ encoded as two hex digits) If the registry key is of type REG_DWORD or REG_QWORD, then the datatype attribute should be set to 'int' and the value
+ entity should represent the data as an integer. If the specified registry key is of type REG_EXPAND_SZ, then the datatype attribute should be set
+ to 'string' and the pre-expanded string should be represented by the value entity. If the specified registry key is of type REG_MULTI_SZ, then
+ multiple value entities should exist to describe the array of strings, with each value element holds a single string. In the end, there should be
+ the same number of value entities as there are strings in the reg_multi_sz array. If the specified registry key is of type REG_SZ, then the
+ datatype should be 'string' and the value entity should be a copy of the string.
+
+
+
+
+
+
+
+
+
+
+
+
+ Specific policy items associated with passwords. It is important to note that these policies are specific to certain versions of Windows. As a result, the documentation for that version of Windows should be consulted for more information. Information is stored in the SAM or Active Directory but is encrypted or hidden so the registry_item and activedirectory_item are of no use. If this can be figured out, then the password_policy item is not needed.
+
+
+
+
+
+
+
+ Specifies, in seconds (from a DWORD), the maximum allowable password age. A value of TIMEQ_FOREVER (max DWORD value, 4294967295) indicates that the password never expires. The minimum valid value for this element is ONE_DAY (86400). See the USER_MODALS_INFO_0 structure returned by a call to NetUserModalsGet().
+
+
+
+ - the value of max_passwd_age must be greater than or equal to zero
+
+
+
+
+
+
+
+ Specifies the minimum number of seconds that can elapse between the time a password changes and when it can be changed again. A value of zero indicates that no delay is required between password updates.
+
+
+
+
+ Specifies the minimum allowable password length. Valid values for this element are zero through PWLEN.
+
+
+
+
+ Specifies the length of password history maintained. A new password cannot match any of the previous usrmod0_password_hist_len passwords. Valid values for this element are zero through DEF_MAX_PWHIST.
+
+
+
+
+ A boolean value that signifies whether passwords must meet the complexity requirements put forth by the operating system.
+
+
+
+
+ Determines whether or not passwords are stored using reversible encryption.
+
+
+
+
+ Determines whether or not an anonymous user may query the local LSA policy.
+
+
+
+
+
+
+
+
+
+
+
+
+ The peheader_item describes the metadata associated with a PE file header. For more information, please see the documentation for the IMAGE_FILE_HEADER and IMAGE_OPTIONAL_HEADER structures.
+
+
+
+
+
+
+
+ The filepath element specifies the absolute path for a PE file on the machine. A directory cannot be specified as a filepath.
+
+
+
+
+ The path element specifies the directory component of the absolute path to a PE file on the machine.
+
+
+
+
+ The filename element specifies the name of a PE file to evaluate.
+
+
+
+
+ The header_signature entity is the signature of the header.
+
+
+
+
+ The target_machine_type entity is an unsigned 16-bit integer (WORD) that specifies the target architecture that the file is intended for.
+
+
+
+
+ The number_of_sections entity is an unsigned 16-bit integer (WORD) that specifies the number of sections in the file.
+
+
+
+
+ The time_date_stamp entity is an unsigned 32-bit integer (DWORD) that specifies the time that the linker produced the file. The value is represented as the number of seconds since January 1, 1970, 00:00:00.
+
+
+
+
+ The pointer_to_symbol_table entity is an unsigned 32-bit integer (DWORD) that specifies the file offset of the COFF symbol table.
+
+
+
+
+ The number_of_symbols entity is an unsigned 32-bit integer (DWORD) that specifies the number of symbols in the COFF symbol table.
+
+
+
+
+ The size_of_optional_header entity is an unsigned 32-bit integer (DWORD) that specifies the size of an optional header in bytes.
+
+
+
+
+ The image_file_relocs_stripped entity is a boolean value that specifies if the relocation information is stripped from the file.
+
+
+
+
+ The image_file_executable_image entity is a boolean value that specifies if the file is executable.
+
+
+
+
+ The image_file_line_nums_stripped entity is a boolean value that specifies if the line numbers are stripped from the file.
+
+
+
+
+ The image_file_local_syms_stripped entity is a boolean value that specifies if the local symbols are stripped from the file.
+
+
+
+
+ The image_file_aggressive_ws_trim entity is a boolean value that specifies that the working set should be aggressively trimmed.
+
+
+
+
+ The image_file_large_address_aware entity is a boolean value that specifies that the application can handle addresses larger than 2GB.
+
+
+
+
+ The image_file_16bit_machine entity is a boolean value that specifies that the computer supports 16-bit words.
+
+
+
+
+ The image_file_bytes_reversed_lo entity is a boolean value that specifies that the bytes of the word are reversed.
+
+
+
+
+ The image_file_32bit_machine entity is a boolean value that specifies that the computer supports 32-bit words.
+
+
+
+
+ The image_file_debug_stripped entity is a boolean value that specifies that the debugging information is stored separately in a .dbg file.
+
+
+
+
+ The image_file_removable_run_from_swap entity is a boolean value that specifies that the image is on removable media, copy and run from the swap file.
+
+
+
+
+ The image_file_system entity is a boolean value that specifies that the image is a system file.
+
+
+
+
+ The image_file_dll entity is a boolean value that specifies that the image is a DLL.
+
+
+
+
+ The image_file_up_system_only entity is a boolean value that specifies that the file should only be run on a uniprocessor computer.
+
+
+
+
+ The image_file_bytes_reversed_hi entity is a boolean value that specifies that the bytes of the word are reversed.
+
+
+
+
+ The magic_number entity is an unsigned 16-bit integer (WORD) that specifies the state of the image file.
+
+
+
+
+ The major_linker_version entity is a BYTE that specifies the major version of the linker that produced the file.
+
+
+
+
+ The minor_linker_version entity is a BYTE that specifies the minor version of the linker that produced the file.
+
+
+
+
+ The size_of_code entity is an unsigned 32-bit integer (DWORD) that specifies the total size of all of the code sections.
+
+
+
+
+ The size_of_initialized_data entity is an unsigned 32-bit integer (DWORD) that specifies the total size of all of the sections that are composed of initialized data.
+
+
+
+
+ The size_of_uninitialized_data entity is an unsigned 32-bit integer (DWORD) that specifies the total size of all of the sections that are composed of uninitialized data.
+
+
+
+
+ The address_of_entry_point entity is an unsigned 32-bit integer (DWORD) that specifies the address where the loader will begin execution.
+
+
+
+
+ The base_of_code entity is an unsigned 32-bit integer (DWORD) that specifies the relative virtual address where the file's code section begins.
+
+
+
+
+ The base_of_data entity is an unsigned 32-bit integer (DWORD) that specifies the relative virtual address where the file's data section begins.
+
+
+
+
+ The image_base_address entity is an unsigned 32-bit integer (DWORD) that specifies the preferred address fo the first byte of the image when it is loaded into memory.
+
+
+
+
+ The section_alignment entity is an unsigned 32-bit integer (DWORD) that specifies the alignment of the sections loaded into memory.
+
+
+
+
+ The file_alignment entity is an unsigned 32-bit integer (DWORD) that specifies the alignment of the raw data of sections in the image file.
+
+
+
+
+ The major_operating_system_version entity is an unsigned 16-bit integer (WORD) that specifies the major version of the operating system required to use this executable.
+
+
+
+
+ The minor_operating_system_version entity is an unsigned 16-bit integer (WORD) that specifies the minor version of the operating system required to use this executable.
+
+
+
+
+ The major_image_version entity is an unsigned 16-bit integer (WORD) that specifies the major version number of the image.
+
+
+
+
+ The minor_image_version entity is an unsigned 32-bit integer (DWORD) that specifies the minor version number of the image.
+
+
+
+
+ The major_subsystem_version entity is an unsigned 16-bit integer (WORD) that specifies the major version of the subsystem required to run the executable.
+
+
+
+
+ The minor_subsystem_version entity is an unsigned 16-bit integer (WORD) that specifies the minor version of the subsystem required to run the executable.
+
+
+
+
+ The size_of_image entity is an unsigned 32-bit integer (DWORD) that specifies the total size of the image including all of the headers.
+
+
+
+
+ The size_of_headers entity is an unsigned 32-bit integer (DWORD) that specifies the total combined size of the MS-DOS stub, PE header, and the section headers.
+
+
+
+
+ The checksum entity is an unsigned 32-bit integer (DWORD) that specifies the checksum of the image file.
+
+
+
+
+ The subsystem entity is an unsigned 32-bit integer (DWORD) that specifies the type of subsystem that the executable uses for its user interface.
+
+
+
+
+ The dll_characteristics entity is an unsigned 32-bit integer (DWORD) that specifies the set of flags indicating the circumstances under which a DLL's initialization function will be called..
+
+
+
+
+ The time_date_stamp entity is an unsigned 32-bit integer (DWORD) that specifies the number of bytes to reserve for the stack.
+
+
+
+
+ The time_date_stamp entity is an unsigned 32-bit integer (DWORD) that specifies the number of bytes to commit for the stack.
+
+
+
+
+ The time_date_stamp entity is an unsigned 32-bit integer (DWORD) that specifies the number of bytes to reserve for the local heap.
+
+
+
+
+ The time_date_stamp entity is an unsigned 32-bit integer (DWORD) that specifies the number of bytes to commit for the local heap.
+
+
+
+
+ The loader_flags entity is an unsigned 32-bit integer (DWORD) that specifies the loader flags of the header.
+
+
+
+
+ The number_of_rva_and_sizes entity is an unsigned 32-bit integer (DWORD) that specifies the number of directory entries in the remainder of the optional header.
+
+
+
+
+ The real_number_of_directory_entries entity is the real number of data directory entries in the remainder of the optional header calculated by enumerating the directory entries.
+
+
+
+
+ The windows view value from which this OVAL Item was collected. This is used to indicate from which view (32-bit or 64-bit), the associated Item was collected. A value of '32_bit' indicates the Item was collected from the 32-bit view. A value of '64-bit' indicates the Item was collected from the 64-bit view. Omitting this entity removes any assertion about which view the Item was collected from, and therefore it is strongly suggested that this entity be set.
+
+
+
+
+
+
+
+
+
+
+
+
+ Information about open listening ports.
+
+
+
+
+
+
+
+ This element specifies the local IP address the listening port is bound to. Note that the IP address can be IPv4 or IPv6.
+
+
+
+
+ This element specifies the number assigned to the local listening port.
+
+
+
+
+ This element specifies the type of listening port. It is restricted to either TCP or UDP.
+
+
+
+
+ The id given to the process that is associated with the specified listening port.
+
+
+
+
+ This is the IP address with which the program is communicating, or with which it will communicate, in the case of a listening server. Note that the IP address can be IPv4 or IPv6.
+
+
+
+
+ This is the TCP or UDP port to which the program communicates.
+
+
+
+
+
+
+
+
+
+
+
+
+ This item stores the effective rights of a printer that a discretionary access control list (DACL) structure grants to a specified trustee. The trustee's effective rights are determined checking all access-allowed and access-denied access control entries (ACEs) in the DACL. For help with this test see the GetEffectiveRightsFromAcl() api.
+
+
+
+
+
+
+
+ The printer_name enitity specifies the name of the printer.
+
+
+
+
+ The trustee_sid entity specifies the SID that associated a user, group, system, or program (such as a Windows service).
+
+
+
+
+ The right to delete the object.
+
+
+
+
+ The right to read the information in the object's security descriptor, not including the information in the SACL.
+
+
+
+
+ The right to modify the DACL in the object's security descriptor.
+
+
+
+
+ The right to change the owner in the object's security descriptor.
+
+
+
+
+ The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right.
+
+
+
+
+ Indicates access to a system access control list (SACL).
+
+
+
+
+ Read access.
+
+
+
+
+ Write access.
+
+
+
+
+ Execute access.
+
+
+
+
+ Read, write, and execute access.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Information about running processes.
+
+
+
+
+
+
+
+ The command_line entity is the string used to start the process. This includes any parameters that are part of the command line.
+
+
+
+
+ The id given to the process that is created for a specified command line.
+
+
+
+
+ The id given to the parent of the process that is created for the specified command line
+
+
+
+
+ The base priority of the process. The priority value range is from 0 to 31.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The image_path entity represents the name of the executable file for the process.
+
+
+
+
+ The current_dir entity represents the current path to the executable file for the process.
+
+
+
+
+ The creation_time entity represents the creation time of the process. The value of this entity represents the FILETIME structure which is a 64-bit value representing the number of 100-nanosecond intervals since January 1, 1601 (UTC). See the GetProcessTimes function lpCreationTime.
+
+
+
+
+ The dep_enabled entity represents whether or not data execution prevention (DEP) is enabled. See the GetProcessDEPPolicy function lpFlags.
+
+
+
+
+ The primary_window_text entity represents the title of the primary window of the process. See the GetWindowText function.
+
+
+
+
+ The name of the process.
+
+
+
+
+
+
+
+
+
+
+
+
+ The windows registry item specifies information that can be collected about a particular registry key.
+
+
+
+
+
+
+
+ The hive that the registry key belongs to.
+
+
+
+
+ This element describes a registry key to be gathered. Note that the hive portion of the string should not be included, as this data can be found under the hive element. If the xsi:nil attribute is set to true, then the item being represented is the higher level hive or lower level name. Using xsi:nil here will result in a status of 'not collected' for this entity since the item is specific to a hive or name.
+
+
+
+
+ This element describes the name of a registry key. If the xsi:nil attribute is set to true, then the item being represented is the higher level key or hive. Using xsi:nil here will result in a status of 'not collected' since the item is specific to a key or hive.
+
+
+
+
+ The last time that the key or any of its value entries were modified. The value of this entity represents the FILETIME structure which is a 64-bit value representing the number of 100-nanosecond intervals since January 1, 1601 (UTC). Last write time can be queried on any key, with hives being classified as a type of key. When collecting only information about a registry hive or key the last write time will be the time the key or any of its entries were modified. When collecting only information about a registry name the last write time will be the time the containing key was modified. Thus when collecting information about a registry name, the last write time does not correlate directly to the specified name. See the RegQueryInfoKey function lpftLastWriteTime.
+
+
+
+
+ Specifies the type of data stored by the registry key. Please refer to the EntityItemRegistryTypeType for more information about the different possible types.
+
+
+
+
+ The value entity holds the actual value of the specified registry key. The representation of the value as well as the associated datatype attribute depends on type of data stored in the registry key. If the value being tested is of type REG_BINARY, then the datatype attribute should be set to 'binary' and the data represented by the value entity should follow the xsd:hexBinary form. (each binary octet is encoded as two hex digits) If the value being tested is of type REG_DWORD, REG_QWORD, REG_DWORD_LITTLE_ENDIAN, REG_DWORD_BIG_ENDIAN, or REG_QWORD_LITTLE_ENDIAN then the datatype attribute should be set to 'int' and the value entity should represent the data as an unsigned integer. DWORD and QWORD values represnt unsigned 32-bit and 64-bit integers, respectively. If the value being tested is of type REG_EXPAND_SZ, then the datatype attribute should be set to 'string' and the pre-expanded string should be represented by the value entity. If the value being tested is of type REG_MULTI_SZ, then only a single string (one of the multiple strings) should be tested using the value entity with the datatype attribute set to 'string'. In order to test multiple values, multiple OVAL registry tests or multiple states should be combined. Reg_multi_sz values, with no values, should be given a status of "does not exist". If the specified registry key is of type REG_SZ, then the datatype should be 'string' and the value entity should be a copy of the string. If the value being tested is of type REG_LINK, then the datatype attribute should be set to 'string' and the null-terminated Unicode string should be represented by the value entity.
+
+
+
+
+ For registry values of type REG_EXPAND_SZ, this entity contains the expanded value. Otherwise, it should not exist.
+
+
+
+
+ The windows view value from which this OVAL Item was collected. This is used to indicate from which view (32-bit or 64-bit), the associated Item was collected. A value of '32_bit' indicates the Item was collected from the 32-bit view. A value of '64-bit' indicates the Item was collected from the 64-bit view. Omitting this entity removes any assertion about which view the Item was collected from, and therefore it is strongly suggested that this entity be set.
+
+
+
+
+
+
+
+
+
+
+
+
+ This item stores the audited access rights of a registry key that a system access control list (SACL) structure grants to a specified trustee. The trustee's audited access rights are determined checking all access control entries (ACEs) in the SACL. For help with this test see the GetAuditedPermissionsFromAcl() api.
+
+
+
+
+
+
+
+ This element specifies the hive of a registry key on the machine from which the SACL was retrieved.
+
+
+
+
+ This element specifies a registry key on the machine from which the SACL was retrieved. Note that the hive portion of the string should not be inclueded, as this data should be found under the hive element.
+
+
+
+
+ The security identifier (SID) of the specified trustee name.
+
+
+
+
+ This element specifies the trustee name associated with this particular DACL. A trustee can be a user, group, or program (such as a Windows service). In Windows, trustee names are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, trustee names should be identified in the form: "domain\trustee name". For local trustee names use: "computer name\trustee name". For built-in accounts on the system, use the trustee name without a domain.
+
+
+ 5.3
+ Replaced by the trustee_sid entity. This entity uses trustee names for identifying trustees. Trustee names are not unique, and a new entity was created to use trustee SIDs, which are unique. See the trustee_sid.
+ This entity has been deprecated and will be removed in version 6.0 of the language.
+
+
+
+ DEPRECATED ELEMENT: ID:
+
+
+
+
+
+
+
+ The right to delete the object.
+
+
+
+
+ The right to read the information in the object's security descriptor, not including the information in the SACL.
+
+
+
+
+ The right to modify the DACL in the object's security descriptor.
+
+
+
+
+ The right to change the owner in the object's security descriptor.
+
+
+
+
+ The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right.
+
+
+ 5.6
+ This entity has been deprecated because registry keys do not support the SYNCHRONIZE standard access right.
+
+
+
+ DEPRECATED ELEMENT: ID:
+
+
+
+
+
+
+
+ Indicates access to a system access control list (SACL).
+
+
+
+
+ Read access.
+
+
+
+
+ Write access.
+
+
+
+
+ Execute access.
+
+
+
+
+ Read, write, and execute access.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The windows view value from which this OVAL Item was collected. This is used to indicate from which view (32-bit or 64-bit), the associated Item was collected. A value of '32_bit' indicates the Item was collected from the 32-bit view. A value of '64-bit' indicates the Item was collected from the 64-bit view. Omitting this entity removes any assertion about which view the Item was collected from, and therefore it is strongly suggested that this entity be set.
+
+
+
+
+
+
+
+
+
+
+
+
+ This item stores the effective rights of a registry key that a discretionary access control list (DACL) structure grants to a specified trustee. The trustee's effective rights are determined checking all access-allowed and access-denied access control entries (ACEs) in the DACL. For help with this test see the GetEffectiveRightsFromAcl() api.
+
+
+
+
+
+
+
+ The hive that the registry key belongs to.
+
+
+
+
+ This element describes a registry key to be gathered. Note that the hive portion of the string should not be inclueded, as this data can be found under the hive element. If the xsi:nil attribute is set to true, then the item being represented is the higher level hive.
+
+
+
+
+ The trustee_sid entity specifies the SID that associated a user, group, system, or program (such as a Windows service).
+
+
+
+
+ This element specifies the trustee name associated with this particular DACL. A trustee can be a user, group, or program (such as a Windows service). In Windows, trustee names are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, trustee names should be identified in the form: "domain\trustee name". For local trustee names use: "computer name\trustee name". For built-in accounts on the system, use the trustee name without a domain.
+
+
+ 5.3
+ Replaced by the trustee_sid entity. This entity uses trustee names for identifying trustees. Trustee names are not unique, and a new entity was created to use trustee SIDs, which are unique. See the trustee_sid.
+ This entity has been deprecated and will be removed in version 6.0 of the language.
+
+
+
+ DEPRECATED ELEMENT: ID:
+
+
+
+
+
+
+
+ The right to delete the object.
+
+
+
+
+ The right to read the information in the object's security descriptor, not including the information in the SACL.
+
+
+
+
+ The right to modify the DACL in the object's security descriptor.
+
+
+
+
+ The right to change the owner in the object's security descriptor.
+
+
+
+
+ The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right.
+
+
+ 5.6
+ This entity has been deprecated because registry keys do not support the SYNCHRONIZE standard access right.
+
+
+
+ DEPRECATED ELEMENT: ID:
+
+
+
+
+
+
+
+ Indicates access to a system access control list (SACL).
+
+
+
+
+ Read access.
+
+
+
+
+ Write access.
+
+
+
+
+ Execute access.
+
+
+
+
+ Read, write, and execute access.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The windows view value from which this OVAL Item was collected. This is used to indicate from which view (32-bit or 64-bit), the associated Item was collected. A value of '32_bit' indicates the Item was collected from the 32-bit view. A value of '64-bit' indicates the Item was collected from the 64-bit view. Omitting this entity removes any assertion about which view the Item was collected from, and therefore it is strongly suggested that this entity be set.
+
+
+
+
+
+
+
+
+
+
+
+
+ This item stores information about Windows services that are present on the system.
+
+
+
+
+
+
+
+ The service_name element specifies the name of the service as specified in the Service Control Manager (SCM) database.
+
+
+
+
+ The display_name element specifies the name of the service as specified in tools such as Control Panel->Administrative Tools->Services.
+
+
+
+
+ The description element specifies the description of the service.
+
+
+
+
+ The service_type element specifies the type of the service.
+
+
+
+
+ The start_type element specifies when the service should be started.
+
+
+
+
+ The current_state element specifies the current state of the service.
+
+
+
+
+ The controls_accepted element specifies the control codes that a service will accept and process.
+
+
+
+
+ The start_name element specifies the account under which the process should run.
+
+
+
+
+ The path element specifies the path to the binary of the service.
+
+
+
+
+ The pid element specifies the process ID of the service.
+
+
+
+
+ The service_flag element specifies if the service is in a system process that must always run (1) or if the service is in a non-system process or is not running (0). If the service is not running, the pid will be 0. Otherwise, the pid will be non-zero.
+
+
+
+
+ The dependencies element specifies the dependencies of this service on other services.
+
+
+
+
+
+
+
+
+
+
+
+
+ This item stores the effective rights of a service that a discretionary access control list (DACL) structure grants to a specified trustee. The trustee's effective rights are determined by checking all access-allowed and access-denied access control entries (ACEs) in the DACL. For help with this test see the GetEffectiveRightsFromAcl() api.
+
+
+
+
+
+
+
+ The service_name element specifies a service on the machine from which to retrieve the DACL. Note that the service_name element should contain the actual name of the service and not its display name that is found in Control Panel->Administrative Tools->Services. For example, if you wanted to check the effective rights of the Automatic Updates service you would specify 'wuauserv' for the service_name element not 'Automatic Updates'.
+
+
+
+
+ The trustee_sid element specifies the SID that is associated with a user, group, system, or program (such as a Windows service).
+
+
+
+
+ This permission is required to call the DeleteService function to delete the service.
+
+
+
+
+ This permission is required to call the QueryServiceObjectSecurity function to query the security descriptor of the service object.
+
+
+
+
+ This permission is required to call the SetServiceObjectSecurity function to modify the Dacl member of the service object's security descriptor.
+
+
+
+
+ This permission is required to call the SetServiceObjectSecurity function to modify the Owner and Group members of the service object's security descriptor.
+
+
+
+
+ Read access (STANDARD_RIGHTS_READ, SERVICE_QUERY_CONFIG, SERVICE_QUERY_STATUS, SERVICE_INTERROGATE, SERVICE_ENUMERATE_DEPENDENTS).
+
+
+
+
+ Write access (STANDARD_RIGHTS_WRITE, SERVICE_CHANGE_CONFIG).
+
+
+
+
+ Execute access (STANDARD_RIGHTS_EXECUTE, SERVICE_START, SERVICE_STOP, SERVICE_PAUSE_CONTINUE, SERVICE_USER_DEFINED_CONTROL).
+
+
+
+
+ This permission is required to call the QueryServiceConfig and QueryServiceConfig2 functions to query the service configuration.
+
+
+
+
+ This permission is required to call the ChangeServiceConfig or ChangeServiceConfig2 function to change the service configuration.
+
+
+
+
+ This permission is required to call the QueryServiceStatusEx function to ask the service control manager about the status of the service.
+
+
+
+
+ This permission is required to call the EnumDependentServices function to enumerate all the services dependent on the service.
+
+
+
+
+ This permission is required to call the StartService function to start the service.
+
+
+
+
+ This permission is required to call the ControlService function to stop the service.
+
+
+
+
+ This permission is required to call the ControlService function to pause or continue the service.
+
+
+
+
+ This permission is required to call the ControlService function to ask the service to report its status immediately.
+
+
+
+
+ This permission is required to call the ControlService function to specify a user-defined control code.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The share name of the resource.
+
+
+
+
+ The type of the shared resource.
+
+
+
+
+ The maximum number of concurrent connections that the shared resource can accommodate.
+
+
+
+
+ The number of current connections to the shared resource.
+
+
+
+
+ The local path for the shared resource.
+
+
+
+
+ Permission to read data from a resource and, by default, to execute the resource.
+
+
+
+
+ Permission to write data to the resource.
+
+
+
+
+ Permission to create an instance of the resource (such as a file); data can be written to the resource as the resource is created.
+
+
+
+
+ Permission to execute the resource.
+
+
+
+
+ Permission to delete the resource.
+
+
+
+
+ Permission to modify the resource's attributes (such as the date and time when a file was last modified).
+
+
+
+
+ Permission to modify the permissions (read, write, create, execute, and delete) assigned to a resource for a user or application.
+
+
+
+
+ Permission to read, write, create, execute, and delete resources, and to modify their attributes and permissions.
+
+
+
+
+
+
+
+
+
+
+
+
+ This item stores the audited access rights of a shared resource that a system access control list (SACL) structure grants to a specified trustee. The trustee's audited access rights are determined checking all access control entries (ACEs) in the SACL.
+
+
+
+
+
+
+
+ The netname entity specifies the name associated with a particular shared resource.
+
+
+
+
+ The trustee_sid entity specifies the SID that associated a user, group, system, or program (such as a Windows service).
+
+
+
+
+ The right to delete the object.
+
+
+
+
+ The right to read the information in the object's security descriptor, not including the information in the SACL.
+
+
+
+
+ The right to modify the DACL in the object's security descriptor.
+
+
+
+
+ The right to change the owner in the object's security descriptor.
+
+
+
+
+ The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right.
+
+
+
+
+ Indicates access to a system access control list (SACL).
+
+
+
+
+ Read access.
+
+
+
+
+ Write access.
+
+
+
+
+ Execute access.
+
+
+
+
+ Read, write, and execute access.
+
+
+
+
+
+
+
+
+
+
+
+
+ This item stores the effective rights of a shared resource that a discretionary access control list (DACL) structure grants to a specified trustee. The trustee's effective rights are determined checking all access-allowed and access-denied access control entries (ACEs) in the DACL.
+
+
+
+
+
+
+
+ The netname entity specifies the name associated with a particular shared resource.
+
+
+
+
+ The trustee_sid entity specifies the SID that associated a user, group, system, or program (such as a Windows service).
+
+
+
+
+ The right to delete the object.
+
+
+
+
+ The right to read the information in the object's security descriptor, not including the information in the SACL.
+
+
+
+
+ The right to modify the DACL in the object's security descriptor.
+
+
+
+
+ The right to change the owner in the object's security descriptor.
+
+
+
+
+ The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right.
+
+
+
+
+ Indicates access to a system access control list (SACL).
+
+
+
+
+ Read access.
+
+
+
+
+ Write access.
+
+
+
+
+ Execute access.
+
+
+
+
+ Read, write, and execute access.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ This element specifies the trustee name associated with a particular SID. In Windows, trustee names are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, trustee names should be identified in the form: "domain\trustee name". For local trustee names use: "computer name\trustee name". For built-in accounts on the system, use the trustee name without a domain.
+
+
+
+
+ The security identifier (SID) of the specified trustee name.
+
+
+
+
+ The domain of the specified trustee name.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The security identifier (SID) of the specified trustee name.
+
+
+
+
+ This element specifies the trustee name associated with a particular SID. In Windows, trustee names are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, trustee names should be identified in the form: "domain\trustee name". For local trustee names use: "computer name\trustee name". For built-in accounts on the system, use the trustee name without a domain.
+
+
+
+
+ The domain of the specified trustee name.
+
+
+
+
+
+
+
+
+
+
+
+
+ The system metric item stores the value of a particular Windows system metric.
+
+
+
+
+
+
+
+ This element describes the index of a system metric entry.
+
+
+
+
+ The value entity holds the actual value of the specified system metric index.
+
+
+
+
+
+
+
+
+
+
+
+
+ The uac_item is used to hold information about settings related to User Access Control within Windows.
+
+
+
+
+
+
+
+ Admin Approval Mode for the Built-in Administrator account.
+
+
+
+
+ Behavior of the elevation prompt for administrators in Admin Approval Mode.
+
+
+
+
+ Behavior of the elevation prompt for standard users.
+
+
+
+
+ Detect application installations and prompt for elevation.
+
+
+
+
+ Only elevate executables that are signed and validated.
+
+
+
+
+ Only elevate UIAccess applications that are installed in secure locations.
+
+
+
+
+ Run all administrators in Admin Approval Mode.
+
+
+
+
+ Switch to the secure desktop when prompting for elevation.
+
+
+
+
+ Virtualize file and registry write failures to per-user locations.
+
+
+
+
+
+
+
+
+
+
+
+
+ The windows user_item allows the different groups (identified by name) that a user belongs to be collected.
+
+
+ 5.11
+ Replaced by the user_sid_item. This item uses trustee names for identifying accounts on the system. Trustee names are not unique and the user_sid_item, which uses trustee SIDs which are unique, should be used instead. See the user_sid_item.
+ This object has been deprecated and may be removed in a future version of the language.
+
+
+
+ DEPRECATED ITEM: ID:
+
+
+
+
+
+
+
+
+
+
+ A string the represents the name of a particular user. In Windows, user names are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, users should be identified in the form: "domain\user name". For local users use: "computer_name\user_name". For built-in accounts on the system, use the user name without a domain.
+
+
+
+
+ A boolean that represents whether the particular user is enabled or not.
+
+
+
+
+ A string that represents the name of a particular group. In Windows, group names are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, groups should be identified in the form: "domain\group name". For local groups use: "computer name\group name". For built-in accounts on the system, use the group name without a domain.
+ If the specified user belongs to more than one group, then multiple group elements should exist. If the specified user is not a member of a single group, then a single group element should exist with a status of 'does not exist'. If there is an error determining the groups that the user belongs to, then a single group element should be included with a status of 'error'.
+
+
+
+
+ The date and time when the last logon occurred. This value is stored as the number of seconds that have elapsed since 00:00:00, January 1, 1970, GMT. If the target system is a domain controller, this data is maintained separately on each backup domain controller (BDC) in the domain. To obtain an accurate value, you must query each BDC in the domain. The last logoff occurred at the time indicated by the largest retrieved value.
+
+
+
+
+ A Unicode string that contains the full name of the user. This string can be a NULL string, or it can have any number of characters before the terminating null character.
+
+
+
+
+ A Unicode string that contains a comment to associate with the user account. The string can be a NULL string, or it can have any number of characters before the terminating null character.
+
+
+
+
+ The number of full days that have elapsed since the password was last changed, meaning data calulated should be truncated. Ex: 89.5 days = 89, 90.01 = 90
+
+
+
+
+ The account is currently locked out.
+
+
+
+
+ No password is required.
+
+
+
+
+ The password should never expire on the account.
+
+
+
+
+ The user's password is stored under reversible encryption in the Active Directory.
+
+
+
+
+ Marks the account as "sensitive"; other users cannot act as delegates of this user account.
+
+
+
+
+ Restrict this principal to use only Data Encryption Standard (DES) encryption types for keys.
+
+
+
+
+ This account does not require Kerberos preauthentication for logon.
+
+
+
+
+ The password expiration information. Zero if the password has not expired (and nonzero if it has).
+
+
+
+
+ Requires the user to log on to the user account with a smart card.
+
+
+
+
+ The account is enabled for delegation. This is a security-sensitive setting; accounts with this option enabled should be tightly controlled. This setting allows a service running under the account to assume a client's identity and authenticate as that user to other remote servers on the network.
+
+
+
+
+ The account is trusted to authenticate a user outside of the Kerberos security package and delegate that user through constrained delegation. This is a security-sensitive setting; accounts with this option enabled should be tightly controlled. This setting allows a service running under the account to assert a client's identity and authenticate as that user to specifically configured services on the network. Windows 2000: This value is not supported.
+
+
+
+
+
+
+
+
+
+
+
+
+ The windows user_sid_item allows the different groups (identified by SID) that a user belongs to be collected.
+
+
+
+
+
+
+
+ A string the represents the SID of a particular user.
+
+
+
+
+ A boolean that represents whether the particular user is enabled or not.
+
+
+
+
+ A string that represents the SID of a particular group. If the specified user belongs to more than one group, then multiple group_sid elements should exist. If the specified user is not a member of a single group, then a single group_sid element should exist with a status of 'does not exist'. If there is an error determining the groups that the user belongs to, then a single group_sid element should be included with a status of 'error'.
+
+
+
+
+ The date and time when the last logon occurred. This value is stored as the number of seconds that have elapsed since 00:00:00, January 1, 1970, GMT.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The userright_item is used to specify a trustee name and corresponding SID that has been granted a user right/privilege.
+
+
+
+
+
+
+ The userright entity holds a string that represents the name of a particular user right/privilege.
+
+
+
+
+ The trustee_name entity is the unique name associated with the SID that has been granted the specified user right/privilege. A trustee can be a user, group, or program (such as a Windows service). In Windows, trustee names are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, trustee names should be identified in the form: "domain\trustee name". For local trustee names use: "computer name\trustee name". For built-in accounts on the system, use the trustee name without a domain.
+
+
+
+
+ The trustee_sid entity identifies the SID that has been granted the specified user right/privilege.
+
+
+
+
+
+
+
+
+
+
+
+
+ The volume item enumerates various attributes about a particular volume mounted to a machine. This includes the various system flags returned by GetVolumeInformation(). It is important to note that these system flags are specific to certain versions of Windows. As a result, the documentation for that version of Windows should be consulted for more information.
+
+
+
+
+
+
+
+ A string that contains the root directory of the volume to be described. A trailing backslash is required. For example, you would specify \\MyServer\MyShare as "\\MyServer\MyShare\", or the C drive as "C:\".
+
+
+
+
+ The type of filesystem. For example FAT or NTFS.
+
+
+
+
+ The name of the volume.
+
+
+
+
+ The drive type of the volume.
+
+
+
+
+ The volume_max_component_length element specifies the maximum length, in TCHARs, of a file name component that a specified file system supports. A file name component is the portion of a file name between backslashes. The value that is stored in the variable that *lpMaximumComponentLength points to is used to indicate that a specified file system supports long names. For example, for a FAT file system that supports long names, the function stores the value 255, rather than the previous 8.3 indicator. Long names can also be supported on systems that use the NTFS file system.
+
+
+
+
+ The volume serial number.
+
+
+
+
+ The file system supports case-sensitive file names.
+
+
+
+
+ The file system preserves the case of file names when it places a name on disk.
+
+
+
+
+ The file system supports Unicode in file names as they appear on disk.
+
+
+
+
+ The file system preserves and enforces ACLs. For example, NTFS preserves and enforces ACLs, and FAT does not.
+
+
+
+
+ The file system supports file-based compression.
+
+
+
+
+ The file system supports disk quotas.
+
+
+
+
+ The file system supports sparse files.
+
+
+
+
+ The file system supports reparse points.
+
+
+
+
+ The file system supports remote storage.
+
+
+
+
+ The specified volume is a compressed volume; for example, a DoubleSpace volume.
+
+
+
+
+ The file system supports object identifiers.
+
+
+
+
+ The file system supports the Encrypted File System (EFS).
+
+
+
+
+ The file system supports named streams.
+
+
+
+
+ The specified volume is read-only.
+
+
+
+
+ The file system supports one time writes in sequential order.
+
+
+
+
+ The file system supports transaction processing.
+
+
+
+
+ The file system supports direct links to other devices and partitions.
+
+
+
+
+ The file system supports extended attributes.
+
+
+
+
+ The file system supports fileID.
+
+
+
+
+ The file system supports update sequence number journals.
+
+
+
+
+
+
+
+
+
+
+
+
+ The wmi_item outlines information to be checked through Microsoft's WMI interface.
+
+
+ 5.7
+ Replaced by the wmi57_item. This item allows for single fields to be selected from WMI. A new item was created to allow more than one field to be selected in one statement. See the wmi57_item.
+ This object has been deprecated and may be removed in a future version of the language.
+
+
+
+ DEPRECATED ITEM: ID:
+
+
+
+
+
+
+
+
+
+
+ The WMI namespaces of the specific object.
+
+
+
+
+ A WQL query used to identify the object(s) specified. Any valid WQL query is allowed with one exception, at most one field is allowed in the SELECT portion of the query. For example SELECT name FROM ... is valid, as is SELECT 'true' FROM ..., but SELECT name, number FROM ... is not valid. This is because the result element in the data section is only designed to work against a single field.
+
+
+
+
+ The result element specifies how to test objects in the result set of the specified WQL statement. Only one comparable field is allowed. So if the WQL statement look like 'SELECT name FROM ...', then a result element with a value of 'Fred' would test that value against the names returned by the WQL statement. If the WQL statement returns more than one instance of the specified field, then multiple result elements should exist to describe each instance.
+
+
+
+
+
+
+
+
+
+
+
+
+ The wmi57_item outlines information to be checked through Microsoft's WMI interface.
+
+
+
+
+
+
+
+ The WMI namespaces of the specific object.
+
+
+
+
+ A WQL query used to identify the object(s) specified. Any valid WQL query is allowed with one exception, all fields must be named. For example SELECT name, age FROM ... is valid, but SELECT * FROM ... is not valid. This is because the record entity supports only named fields.
+
+
+
+
+ The result entity holds the results of the specified WQL statement.
+
+
+
+ - datatype attribute for the result entity of a wmi57_item must be 'record'
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The wuaupdatesearcher_item outlines information defined through the Search method of the IUpdateSearcher interface as part of Microsoft's WUA (Windows Update Agent) API. This information is related to the current patch level in a Windows environment. The test extends the standard ItemType as defined in the oval-system-characteristics schema and one should refer to the ItemType description for more information.
+
+
+
+
+
+
+
+
+
+
+
+
+ The update_id entity specifies a string that represents a revision-independent identifier of an update. This information is part of the IUpdateIdentity interface that is part of the result of the IUpdateSearcher interface's Search method. Note that multiple update identifiers can be associated with a give search criteria and thus multiple entities can exist for this item.
+
+
+
+
+
+
+
+
+
+
+
+
+ The EntityItemAddrTypeType restricts a string value to a specific set of values that describe the different address types of interfaces. The empty string is also allowed to support empty elements associated with error conditions.
+
+
+
+
+
+ The stated IP address is being deleted. The unsigned short value that this corresponds to is 0x0040
+
+
+
+
+ The stated IP address is on a disconnected interface. The unsigned short value that this corresponds to is 0x0008.
+
+
+
+
+ The stated IP address is a dynamic IP address. The unsigned short value that this corresponds to is 0x0004.
+
+
+
+
+ The stated IP address is a primary IP address. The unsigned short value that this corresponds to is 0x0001.
+
+
+
+
+ The stated IP address is a transient IP address. The unsigned short value that this corresponds to is 0x0080
+
+
+
+
+ The empty string value is permitted here to allow for detailed error reporting.
+
+
+
+
+
+
+
+ The EntityItemAdstypeType restricts a string value to a specific set of values that describe the possible types associated with an Active Directory attribute. The empty string is also allowed to support empty elements associated with error conditions.
+
+
+
+
+
+ The data type is invalid.
+
+
+
+
+ The string is of Distinguished Name (path) of a directory service object.
+
+
+
+
+ The string is of the case-sensitive type.
+
+
+
+
+ The string is of the case-insensitive type.
+
+
+
+
+ The string is displayable on the screen or in print.
+
+
+
+
+ The string is of a numeric value to be interpreted as text.
+
+
+
+
+ The data is of a Boolean value.
+
+
+
+
+ The data is of an integer value.
+
+
+
+
+ The string is of a byte array.
+
+
+
+
+ The data is of the universal time as expressed in Universal Time Coordinate (UTC).
+
+
+
+
+ The data is of a long integer value.
+
+
+
+
+ The string is of a provider-specific string.
+
+
+
+
+ Not used.
+
+
+
+
+ The data is of a list of case insensitive strings.
+
+
+
+
+ The data is of a list of octet strings.
+
+
+
+
+ The string is of a directory path.
+
+
+
+
+ The string is of the postal address type.
+
+
+
+
+ The data is of a time stamp in seconds.
+
+
+
+
+ The string is of a back link.
+
+
+
+
+ The string is of a typed name.
+
+
+
+
+ The data is of the Hold data structure.
+
+
+
+
+ The string is of a net address.
+
+
+
+
+ The data is of a replica pointer.
+
+
+
+
+ The string is of a fax number.
+
+
+
+
+ The data is of an e-mail message.
+
+
+
+
+ The data is of Windows NT/Windows 2000 Security Descriptor as represented by a byte array.
+
+
+
+
+ The data is of an undefined type.
+
+
+
+
+ The data is of ADS_DN_WITH_BINARY used for mapping a distinguished name to a non varying GUID.
+
+
+
+
+ The data is of ADS_DN_WITH_STRING used for mapping a distinguished name to a non-varying string value.
+
+
+
+
+ The empty string value is permitted here to allow for detailed error reporting.
+
+
+
+
+
+
+
+ The EntityItemAuditType restricts a string value to a specific set of values: AUDIT_NONE, AUDIT_SUCCESS, AUDIT_FAILURE, and AUDIT_SUCCESS_FAILURE. These values describe which audit records should be generated. The empty string is also allowed to support empty elements associated with error conditions.
+
+
+
+
+
+ The audit type AUDIT_FAILURE is used to perform audits on all unsuccessful occurrences of specified events when auditing is enabled.
+
+
+
+
+ The audit type AUDIT_NONE is used to cancel all auditing options for the specified events.
+
+
+
+
+ The audit type AUDIT_SUCCESS is used to perform audits on all successful occurrences of the specified events when auditing is enabled.
+
+
+
+
+ The audit type AUDIT_SUCCESS_FAILURE is used to perform audits on all successful and unsuccessful occurrences of the specified events when auditing is enabled.
+
+
+
+
+ The empty string value is permitted here to allow for detailed error reporting.
+
+
+
+
+
+
+
+ The EntityItemDriveTypeType complex type defines the different values that are valid for the drive_type entity of a win-sc:volume_item. The empty string is also allowed to support empty elements associated with error conditions.
+
+
+
+
+
+ The DRIVE_UNKNOWN type means that drive type cannot be determined. The UINT value that this corresponds to is 0.
+
+
+
+
+ The DRIVE_NO_ROOT_DIR type means that the root path is not valid. The UINT value that this corresponds to is 1.
+
+
+
+
+ The DRIVE_REMOVABLE type means that the drive contains removable media. The UINT value that this corresponds to is 2.
+
+
+
+
+ The DRIVE_FIXED type means that the drive contains fixed media. The UINT value that this corresponds to is 3.
+
+
+
+
+ The DRIVE_REMOTE type means that the drive is a remote drive (i.e. network drive). The UINT value that this corresponds to is 4.
+
+
+
+
+ The DRIVE_CDROM type means that the drive is a CD-ROM drive. The UINT value that this corresponds to is 5.
+
+
+
+
+ The DRIVE_RAMDISK type means that the drive is a RAM disk. The UINT value that this corresponds to is 6.
+
+
+
+
+ The empty string value is permitted here to allow for detailed error reporting.
+
+
+
+
+
+
+
+ The EntityItemFileTypeType restricts a string value to a specific set of values that describe the different types of files. The empty string is also allowed to support empty elements associated with error conditions.
+
+
+
+
+
+ The specified file is a character file, typically an LPT device or a console.
+
+
+
+
+ The specified file is a disk file.
+
+
+
+
+ The specified file is a socket, a named pipe, or an anonymous pipe.
+
+
+
+
+ Unused.
+
+
+
+
+ Either the type of the specified file is unknown, or the function failed.
+
+
+
+
+ The empty string value is permitted here to allow for detailed error reporting.
+
+
+
+
+
+
+
+ The EntityItemFileAttributeType restricts a string value to a specific set of values that describe the different Windows file attributes. The empty string is also allowed to support empty elements associated with error conditions.
+
+
+
+
+
+ A file or directory that is an archive file or directory. Applications typically use this attribute to mark files for backup or removal.
+
+
+
+
+ A file or directory that is compressed. For a file, all of the data in the file is compressed. For a directory, compression is the default for newly created files and subdirectories.
+
+
+
+
+ This value is reserved for system use.
+
+
+
+
+ The handle that identifies a directory.
+
+
+
+
+ A file or directory that is encrypted. For a file, all data streams in the file are encrypted. For a directory, encryption is the default for newly created files and subdirectories.
+
+
+
+
+ The file or directory is hidden. It is not included in an ordinary directory listing.
+
+
+
+
+ The directory or user data stream is configured with integrity (only supported on ReFS volumes). It is not included in an ordinary directory listing. The integrity setting persists with the file if it's renamed. If a file is copied the destination file will have integrity set if either the source file or destination directory have integrity set.
+ Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista, Windows Server 2003, and Windows XP: This flag is not supported until Windows Server 2012.
+
+
+
+
+ A file that does not have other attributes set. This attribute is valid only when used alone.
+
+
+
+
+ The file or directory is not to be indexed by the content indexing service.
+
+
+
+
+ The user data stream not to be read by the background data integrity scanner (AKA scrubber). When set on a directory it only provides inheritance. This flag is only supported on Storage Spaces and ReFS volumes. It is not included in an ordinary directory listing.
+ Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista, Windows Server 2003, and Windows XP: This flag is not supported until Windows 8 and Windows Server 2012.
+
+
+
+
+ The data of a file is not available immediately. This attribute indicates that the file data is physically moved to offline storage. This attribute is used by Remote Storage, which is the hierarchical storage management software. Applications should not arbitrarily change this attribute.
+
+
+
+
+ A file that is read-only. Applications can read the file, but cannot write to it or delete it. This attribute is not honored on directories.
+
+
+
+
+ A file or directory that has an associated reparse point, or a file that is a symbolic link.
+
+
+
+
+ A file that is a sparse file.
+
+
+
+
+ A file or directory that the operating system uses a part of, or uses exclusively.
+
+
+
+
+ A file that is being used for temporary storage. File systems avoid writing data back to mass storage if sufficient cache memory is available, because typically, an application deletes a temporary file after the handle is closed. In that scenario, the system can entirely avoid writing the data. Otherwise, the data is written after the handle is closed.
+
+
+
+
+ This value is reserved for system use.
+
+
+
+
+
+
+
+ The EntityItemInterfaceTypeType restricts a string value to a specific set of values that describe the different types of interfaces. The empty string is also allowed to support empty elements associated with error conditions.
+
+
+
+
+
+ The MIB_IF_TYPE_ETHERNET type is used to describe ethernet interfaces.
+
+
+
+
+ The MIB_IF_TYPE_FDDI type is used to describe fiber distributed data interfaces (FDDI).
+
+
+
+
+ The MIB_IF_TYPE_LOOPBACK type is used to describe loopback interfaces.
+
+
+
+
+ The MIB_IF_TYPE_OTHER type is used to describe unknown interfaces.
+
+
+
+
+ The MIB_IF_TYPE_PPP type is used to describe point-to-point protocol interfaces (PPP).
+
+
+
+
+ The MIB_IF_TYPE_SLIP type is used to describe serial line internet protocol interfaces (SLIP).
+
+
+
+
+ The MIB_IF_TYPE_TOKENRING type is used to describe token ring interfaces..
+
+
+
+
+ The empty string value is permitted here to allow for detailed error reporting.
+
+
+
+
+
+
+
+ The EntityItemNamingContextType restricts a string value to a specific set of values: domain, configuration, and schema. These values describe the different naming context found withing Active Directory. The empty string is also allowed to support empty elements associated with error conditions.
+
+
+
+
+
+ The domain naming context contains Active Directory objects present in the specified domain (e.g. users, computers, groups, and other objects).
+
+
+
+
+ The configuration naming context contains configuration data that is required for the Active Directory to operate as a directory service.
+
+
+
+
+ The schema naming context contains all of the Active Directory object definitions.
+
+
+
+
+ The empty string value is permitted here to allow for detailed error reporting.
+
+
+
+
+
+
+
+ The EntityItemNTUserAccountTypeType restricts a string value to a specific set of values that describe the different types of accounts. The empty string is also
+ allowed to support empty elements associated with error conditions.
+
+
+
+
+
+ Local accounts are accounts that were created directly on the machine being tested and should be in the form of
+ machinename\username
+
+
+
+
+ Domain accounts are accounts that were created on a domain controller and should be in the form of domain\username
+
+
+
+
+ The empty string value is permitted here to allow for detailed error reporting.
+
+
+
+
+
+
+
+ The EntityItemPeTargetMachineType enumeration identifies the valid machine targets that can be specified in the PE file header. The empty string is also allowed to support empty elements associated with error conditions.
+
+
+
+
+
+ The IMAGE_FILE_MACHINE_UNKNOWN type is used to indicate an unknown machine.
+
+
+
+
+ The IMAGE_FILE_MACHINE_ALPHA type is used to indicate an Alpha APX machine.
+
+
+
+
+ The IMAGE_FILE_MACHINE_ARM type is used to indicate an ARM little endian machine.
+
+
+
+
+ The IMAGE_FILE_MACHINE_ALPHA64 type is used to indicate an 64-bit Alpha APX machine.
+
+
+
+
+ The IMAGE_FILE_MACHINE_I386 type is used to indicate an Intel 386 machine.
+
+
+
+
+ The IMAGE_FILE_MACHINE_IA64 type is used to indicate an Intel Itanium machine.
+
+
+
+
+ The IMAGE_FILE_MACHINE_M68K type is used to indicate an M68K machine.
+
+
+
+
+ The IMAGE_FILE_MACHINE_MIPS16 type is used to indicate a MIPS16 machine.
+
+
+
+
+ The IMAGE_FILE_MACHINE_MIPSFPU type is used to indicate an MIPS machine with FPU.
+
+
+
+
+ The IMAGE_FILE_MACHINE_MIPSFPU16 type is used to indicate a MIPS16 machine with FPU.
+
+
+
+
+ The IMAGE_FILE_MACHINE_POWERPC type is used to indicate an Power PC little endian machine.
+
+
+
+
+ The IMAGE_FILE_MACHINE_R3000 type is used to indicate a MIPS little endian, 0x160 big endian machine.
+
+
+
+
+ The IMAGE_FILE_MACHINE_R4000 type is used to indicate a MIPS little endian machine.
+
+
+
+
+ The IMAGE_FILE_MACHINE_10000 type is used to indicate a MIPS little endian machine.
+
+
+
+
+ The IMAGE_FILE_MACHINE_SH3 type is used to indicate a Hitachi SH3 machine.
+
+
+
+
+ The IMAGE_FILE_MACHINE_SH4 type is used to indicate a Hitachi SH4 machine.
+
+
+
+
+ The IMAGE_FILE_MACHINE_THUMB type is used to indicate an ARM or Thumb ("interworking") machine.
+
+
+
+
+ The empty string value is permitted here to allow for detailed error reporting.
+
+
+
+
+
+
+
+ The EntityItemPeSubsystemType enumeration identifies the valid subsystem types that can be specified in the PE file header. The empty string is also allowed to support empty elements associated with error conditions.
+
+
+
+
+
+ The IMAGE_SUBSYSTEM_UNKNOWN type is used to indicate an unknown subsystem.
+
+
+
+
+ The IMAGE_SUBSYSTEM_NATIVE type is used to indicate that no subsystem is required.
+
+
+
+
+ The IMAGE_SUBSYSTEM_WINDOWS_GUI type is used to indicate a Windows graphical user interface (GUI) subsystem.
+
+
+
+
+ The IMAGE_SUBSYSTEM_WINDOWS_CUI type is used to indicate a Windows character-mode user interface (CUI) subsystem.
+
+
+
+
+ The IMAGE_SUBSYSTEM_OS2_CUI type is used to indicate an OS/2 CUI subsystem.
+
+
+
+
+ The IMAGE_SUBSYSTEM_POSIX_CUI type is used to indicate a POSIX CUI subsystem.
+
+
+
+
+ The IMAGE_SUBSYSTEM_WINDOWS_CE_GUI type is used to indicate a Windows CE system.
+
+
+
+
+ The IMAGE_SUBSYSTEM_EFI_APPLICATION type is used to indicate an Extensible Firmware Interface (EFI) application.
+
+
+
+
+ The IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER type is used to indicate a EFI driver with boot services.
+
+
+
+
+ The IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER type is used to indicate a EFI driver with run-time services subsystem.
+
+
+
+
+ The IMAGE_SUBSYSTEM_EFI_ROM type is used to indicate an EFI ROM image.
+
+
+
+
+ The IMAGE_SUBSYSTEM_XBOX type is used to indicate an Xbox system.
+
+
+
+
+ The IMAGE_SUBSYSTEM_WINDOWS_BOOT_APPLICATION type is used to indicate a boot application.
+
+
+
+
+ The empty string value is permitted here to allow for detailed error reporting.
+
+
+
+
+
+
+
+ The EntityItemProtocolType restricts a string value to a specific set of values that describe the different available protocols. The empty string is also allowed to support empty elements associated with error conditions.
+
+
+
+
+
+ The port uses the Transmission Control Protocol (TCP).
+
+
+
+
+ The port uses the User Datagram Protocol (UDP).
+
+
+
+
+ The empty string value is permitted here to allow for detailed error reporting.
+
+
+
+
+
+
+
+ The EntityItemRegistryHiveType restricts a string value to a specific set of values that describe the different registry hives. The empty string is also allowed to support empty elements associated with error conditions.
+
+
+
+
+
+ This registry subtree contains information that associates file types with programs and configuration data for automation (e.g. COM objects and Visual Basic Programs).
+
+
+
+
+ This registry subtree contains configuration data for the current hardware profile.
+
+
+
+
+ This registry subtree contains the user profile of the user that is currently logged into the system.
+
+
+
+
+ Registry entries subordinate to this key define preferences of the current user that are local to the machine. These entries are not included in the per-user registry portion of a roaming user profile. This key is supported starting with Windows 7 and Windows Server 2008 R2.
+
+
+
+
+ This registry subtree contains information about the local system.
+
+
+
+
+ This registry subtree contains user-specific data.
+
+
+
+
+ The empty string value is permitted here to allow for detailed error reporting.
+
+
+
+
+
+
+
+ The EntityItemRegistryTypeType defines the different values that are valid for the type entity of a registry item. These values describe the possible types of data stored in a registry key. restricts a string value to a specific set of values that describe the different registry types. The empty string is also allowed as a valid value to support empty emlements associated with error conditions. Please note that the values identified are for the type entity and are not valid values for the datatype attribute. For information about how to encode registry data in OVAL for each of the different types, please visit the registry_item documentation.
+
+
+
+
+
+ The reg_binary type is used by registry keys that specify binary data in any form.
+
+
+
+
+ The reg_dword type is used by registry keys that specify an unsigned 32-bit integer.
+
+
+
+
+ The reg_dword_little_endian type is used by registry keys that specify an unsigned 32-bit little-endian integer. It is designed to run on little-endian computer architectures.
+
+
+ 5.11.1:1.1
+ Defined to have same value as reg_dword.
+ This registry type enumeration value has been deprecated and may be removed in a future version of the language.
+
+
+
+
+
+
+ The reg_dword_big_endian type is used by registry keys that specify an unsigned 32-bit big-endian integer. It is designed to run on big-endian computer architectures.
+
+
+
+
+ The reg_expand_sz type is used by registry keys to specify a null-terminated string that contains unexpanded references to environment variables (for example, "%PATH%").
+
+
+
+
+ The reg_link type is used by the registry keys for null-terminated unicode strings. It is related to target path of a symbolic link created by the RegCreateKeyEx function.
+
+
+
+
+ The reg_multi_sz type is used by registry keys that specify an array of null-terminated strings, terminated by two null characters.
+
+
+
+
+ The reg_none type is used by registry keys that have no defined value type.
+
+
+
+
+ The reg_qword type is used by registry keys that specify an unsigned 64-bit integer.
+
+
+
+
+ The reg_qword_little_endian type is used by registry keys that specify an unsigned 64-bit integer in little-endian computer architectures.
+
+
+ 5.11.1:1.1
+ Defined to have same value as reg_qword.
+ This registry type enumeration value has been deprecated and may be removed in a future version of the language.
+
+
+
+
+
+
+ The reg_sz type is used by registry keys that specify a single null-terminated string.
+
+
+
+
+ The reg_resource_list type is used by registry keys that specify a resource list.
+
+
+
+
+ The reg_full_resource_descriptor type is used by registry keys that specify a full resource descriptor.
+
+
+
+
+ The reg_resource_requirements_list type is used by registry keys that specify a resource requirements list.
+
+
+
+
+ The empty string value is permitted here to allow for detailed error reporting.
+
+
+
+
+
+
+
+ The EntityItemServiceAcceptedControlsType complex type defines the different values that are valid for the controls_accepted entity of a service. The empty string is also allowed to support empty elements associated with error conditions.
+
+
+
+
+
+ The SERVICE_ACCEPT_NETBINDCHANGE type means that the service is a network component and can accept changes in its binding without being stopped or restarted. The DWORD value that this corresponds to is 0x00000010.
+
+
+
+
+ The SERVICE_ACCEPT_PARAMCHANGE type means that the service can re-read its startup parameters without being stopped or restarted. The DWORD value that this corresponds to is 0x00000008.
+
+
+
+
+ The SERVICE_ACCEPT_PAUSE_CONTINUE type means that the service can be paused or continued. The DWORD value that this corresponds to is 0x00000002.
+
+
+
+
+ The SERVICE_ACCEPT_PRESHUTDOWN type means that the service can receive pre-shutdown notifications. The DWORD value that this corresponds to is 0x00000100.
+
+
+
+
+ The SERVICE_ACCEPT_SHUTDOWN type means that the service can receive shutdown notifications. The DWORD value that this corresponds to is 0x00000004.
+
+
+
+
+ The SERVICE_ACCEPT_STOP type means that the service can be stopped. The DWORD value that this corresponds to is 0x00000001.
+
+
+
+
+ The SERVICE_ACCEPT_HARDWAREPROFILECHANGE type means that the service can receive notifications when the system's hardware profile changes. The DWORD value that this corresponds to is 0x00000020.
+
+
+
+
+ The SERVICE_ACCEPT_POWEREVENT type means that the service can receive notifications when the system's power status has changed. The DWORD value that this corresponds to is 0x00000040.
+
+
+
+
+ The SERVICE_ACCEPT_SESSIONCHANGE type means that the service can receive notifications when the system's session status has changed. The DWORD value that this corresponds to is 0x00000080.
+
+
+
+
+ The SERVICE_ACCEPT_TIMECHANGE type means that the service can receive notifications when the system time changes. The DWORD value that this corresponds to is 0x00000200.
+
+
+
+
+ The SERVICE_ACCEPT_TRIGGEREVENT type means that the service can receive notifications when an event that the service has registered for occurs on the system. The DWORD value that this corresponds to is 0x00000400.
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with error conditions.
+
+
+
+
+
+
+
+ The EntityItemServiceCurrentStateType complex type defines the different values that are valid for the current_state entity of a service. The empty string is also allowed to support empty elements associated with error conditions.
+
+
+
+
+
+ The SERVICE_CONTINUE_PENDING type means that the service has been sent a command to continue, however, the command has not yet been executed. The DWORD value that this corresponds to is 0x00000005.
+
+
+
+
+ The SERVICE_PAUSE_PENDING type means that the service has been sent a command to pause, however, the command has not yet been executed. The DWORD value that this corresponds to is 0x00000006.
+
+
+
+
+ The SERVICE_PAUSED type means that the service is paused. The DWORD value that this corresponds to is 0x00000007.
+
+
+
+
+ The SERVICE_RUNNING type means that the service is running. The DWORD value that this corresponds to is 0x00000004.
+
+
+
+
+ The SERVICE_START_PENDING type means that the service has been sent a command to start, however, the command has not yet been executed. The DWORD value that this corresponds to is 0x00000002.
+
+
+
+
+ The SERVICE_STOP_PENDING type means that the service has been sent a command to stop, however, the command has not yet been executed. The DWORD value that this corresponds to is 0x00000003.
+
+
+
+
+ The SERVICE_STOPPED type means that the service is stopped. The DWORD value that this corresponds to is 0x00000001.
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with error conditions.
+
+
+
+
+
+
+
+ The EntityItemServiceStartTypeType complex type defines the different values that are valid for the start_type entity of a service. The empty string is also allowed to support empty elements associated with error conditions.
+
+
+
+
+
+ The SERVICE_AUTO_START type means that the service is started automatically by the Service Control Manager (SCM) during startup. The DWORD value that this corresponds to is 0x00000002.
+
+
+
+
+ The SERVICE_BOOT_START type means that the driver service is started by the system loader. The DWORD value that this corresponds to is 0x00000000.
+
+
+
+
+ The SERVICE_DEMAND_START type means that the service is started by the Service Control Manager (SCM) when StartService() is called. The DWORD value that this corresponds to is 0x00000003.
+
+
+
+
+ The SERVICE_DISABLED type means that the service cannot be started. The DWORD value that this corresponds to is 0x00000004.
+
+
+
+
+ The SERVICE_SYSTEM_START type means that the service is a device driver started by IoInitSystem(). The DWORD value that this corresponds to is 0x00000001.
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with error conditions.
+
+
+
+
+
+
+
+ The EntityItemServiceTypeType complex type defines the different values that are valid for the service_type entity of a service. The empty string is also allowed to support empty elements associated with error conditions.
+
+
+
+
+
+ The SERVICE_FILE_SYSTEM_DRIVER type means that the service is a file system driver. The DWORD value that this corresponds to is 0x00000002.
+
+
+
+
+ The SERVICE_KERNEL_DRIVER type means that the service is a driver. The DWORD value that this corresponds to is 0x00000001.
+
+
+
+
+ The SERVICE_WIN32_OWN_PROCESS type means that the service runs in its own process. The DWORD value that this corresponds to is 0x00000010.
+
+
+
+
+ The SERVICE_WIN32_SHARE_PROCESS type means that the service runs in a process with other services. The DWORD value that this corresponds to is 0x00000020.
+
+
+
+
+ The SERVICE_WIN32_SHARE_PROCESS type means that the service runs in a process with other services. The DWORD value that this corresponds to is 0x00000100.
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with error conditions.
+
+
+
+
+
+
+
+ The EntityItemSharedResourceTypeType complex type defines the different values that are valid for the type entity of a shared resource item. Note that the Windows API returns a DWORD value and OVAL uses the constant name that is normally defined for these return values. This is done to increase readability and maintainability of OVAL Definitions. The empty string is also allowed to support empty elements associated with error conditions.
+ It is also important to note that special shared resources are those reserved for remote administration, interprocess communication, and administrative shares.
+
+
+
+
+
+ The STYPE_DISKTREE type means that the shared resource is a disk drive. The DWORD value that this corresponds to is 0x00000000.
+
+
+
+
+ The STYPE_DISKTREE_SPECIAL type means that the shared resource is a special disk drive. The DWORD value that this corresponds to is 0x80000000.
+
+
+
+
+ The STYPE_DISKTREE_TEMPORARY type means that the shared resource is a temporary disk drive. The DWORD value that this corresponds to is 0x40000000.
+
+
+
+
+ The STYPE_DISKTREE_SPECIAL_TEMPORARY type means that the shared resource is a temporary, special disk drive. The DWORD value that this corresponds to is 0xC0000000.
+
+
+
+
+ The STYPE_PRINTQ type means that the shared resource is a print queue. The DWORD value that this corresponds to is 0x00000001.
+
+
+
+
+ The STYPE_PRINTQ_SPECIAL type means that the shared resource is a special print queue. The DWORD value that this corresponds to is 0x80000001.
+
+
+
+
+ The STYPE_PRINTQ_TEMPORARY type means that the shared resource is a temporary print queue. The DWORD value that this corresponds to is 0x40000001.
+
+
+
+
+ The STYPE_PRINTQ_SPECIAL_TEMPORARY type means that the shared resource is a temporary, special print queue. The DWORD value that this corresponds to is 0xC0000001.
+
+
+
+
+ The STYPE_DEVICE type means that the shared resource is a communication device. The DWORD value that this corresponds to is 0x00000002.
+
+
+
+
+ The STYPE_DEVICE_SPECIAL type means that the shared resource is a special communication device. The DWORD value that this corresponds to is 0x80000002.
+
+
+
+
+ The STYPE_DEVICE_TEMPORARY type means that the shared resource is a temporary communication device. The DWORD value that this corresponds to is 0x40000002.
+
+
+
+
+ The STYPE_DEVICE_SPECIAL_TEMPORARY type means that the shared resource is a temporary, special communication device. The DWORD value that this corresponds to is 0xC0000002.
+
+
+
+
+ The STYPE_IPC type means that the shared resource is a interprocess communication. The DWORD value that this corresponds to is 0x00000003.
+
+
+
+
+ The STYPE_IPC_SPECIAL type means that the shared resource is a special interprocess communication. The DWORD value that this corresponds to is 0x80000003.
+
+
+
+
+ The STYPE_IPC_TEMPORARY type means that the shared resource is a temporary interprocess communication. The DWORD value that this corresponds to is 0x40000003.
+
+
+
+
+ The STYPE_IPC_SPECIAL_TEMPORARY type means that the shared resource is a temporary, special interprocess communication. The DWORD value that this corresponds to is 0xC0000003.
+
+
+
+
+ The empty string is also allowed to support empty elements associated with error conditions.
+
+
+
+
+
+
+
+ The EntityItemSystemMetricIndexType complex type defines the different values that are valid for the index entity of a system_metric item. These values describe the system metric or configuration setting to be retrieved. The empty string is also allowed to support empty elements associated with error conditions. Please note that the values identified are for the index entity and are not valid values for the datatype attribute.
+
+
+
+
+
+ The flags that specify how the system arranged minimized windows.
+
+
+
+
+ The value that specifies how the system is started.
+
+
+
+
+ The number of display monitors on a desktop.
+
+
+
+
+ The number of buttons on a mouse, or zero if no mouse is installed.
+
+
+
+
+ The width of a window border, in pixels. This is equivalent to the SM_CXEDGE value for windows with the 3-D look.
+
+
+
+
+ The width of a cursor, in pixels. The system cannot create cursors of other sizes.
+
+
+
+
+ This value is the same as SM_CXFIXEDFRAME.
+
+
+
+
+ The width of the rectangle around the location of a first click in a double-click sequence, in pixels.
+
+
+
+
+ The number of pixels on either side of a mouse-down point that the mouse pointer can move before a drag operation begins.
+
+
+
+
+ The width of a 3-D border, in pixels. This metric is the 3-D counterpart of SM_CXBORDER.
+
+
+
+
+ The thickness of the frame around the perimeter of a window that has a caption but is not sizable, in pixels.
+
+
+
+
+ The width of the left and right edges of the focus rectangle that the DrawFocusRect draws.
+
+
+
+
+ This value is the same as SM_CXSIZEFRAME.
+
+
+
+
+ The width of the client area for a full-screen window on the primary display monitor, in pixels.
+
+
+
+
+ The width of the arrow bitmap on a horizontal scroll bar, in pixels.
+
+
+
+
+ The width of the thumb box in a horizontal scroll bar, in pixels.
+
+
+
+
+ The default width of an icon, in pixels.
+
+
+
+
+ The width of a grid cell for items in large icon view, in pixels.
+
+
+
+
+ The default width, in pixels, of a maximized top-level window on the primary display monitor.
+
+
+
+
+ The default maximum width of a window that has a caption and sizing borders, in pixels.
+
+
+
+
+ The width of the default menu check-mark bitmap, in pixels.
+
+
+
+
+ The width of menu bar buttons, such as the child window close button that is used in the multiple document interface, in pixels.
+
+
+
+
+ The minimum width of a window, in pixels.
+
+
+
+
+ The width of a minimized window, in pixels.
+
+
+
+
+ The width of a grid cell for a minimized window, in pixels.
+
+
+
+
+ The minimum tracking width of a window, in pixels.
+
+
+
+
+ The amount of border padding for captioned windows, in pixels.
+
+
+
+
+ The width of the screen of the primary display monitor, in pixels.
+
+
+
+
+ The width of a button in a window caption or title bar, in pixels.
+
+
+
+
+ The thickness of the sizing border around the perimeter of a window that can be resized, in pixels.
+
+
+
+
+ The recommended width of a small icon, in pixels.
+
+
+
+
+ The width of small caption buttons, in pixels.
+
+
+
+
+ The width of the virtual screen, in pixels.
+
+
+
+
+ The width of a vertical scroll bar, in pixels.
+
+
+
+
+ The height of a window border, in pixels.
+
+
+
+
+ The height of a caption area, in pixels.
+
+
+
+
+ The height of a cursor, in pixels.
+
+
+
+
+ This value is the same as SM_CYFIXEDFRAME.
+
+
+
+
+ The height of the rectangle around the location of a first click in a double-click sequence, in pixels.
+
+
+
+
+ The number of pixels above and below a mouse-down point that the mouse pointer can move before a drag operation begins.
+
+
+
+
+ The height of a 3-D border, in pixels. This is the 3-D counterpart of SM_CYBORDER.
+
+
+
+
+ The thickness of the frame around the perimeter of a window that has a caption but is not sizable, in pixels.
+
+
+
+
+ The height of the top and bottom edges of the focus rectangle drawn by DrawFocusRect. This value is in pixels.
+
+
+
+
+ This value is the same as SM_CYSIZEFRAME.
+
+
+
+
+ The height of the client area for a full-screen window on the primary display monitor, in pixels.
+
+
+
+
+ The height of a horizontal scroll bar, in pixels.
+
+
+
+
+ The default height of an icon, in pixels.
+
+
+
+
+ The height of a grid cell for items in large icon view, in pixels.
+
+
+
+
+ For double byte character set versions of the system, this is the height of the Kanji window at the bottom of the screen, in pixels.
+
+
+
+
+ The default height, in pixels, of a maximized top-level window on the primary display monitor.
+
+
+
+
+ The default maximum height of a window that has a caption and sizing borders, in pixels.
+
+
+
+
+ The height of a single-line menu bar, in pixels.
+
+
+
+
+ The height of the default menu check-mark bitmap, in pixels.
+
+
+
+
+ The height of menu bar buttons, such as the child window close button that is used in the multiple document interface, in pixels.
+
+
+
+
+ The minimum height of a window, in pixels.
+
+
+
+
+ The height of a minimized window, in pixels.
+
+
+
+
+ The height of a grid cell for a minimized window, in pixels.
+
+
+
+
+ The minimum tracking height of a window, in pixels.
+
+
+
+
+ The height of the screen of the primary display monitor, in pixels.
+
+
+
+
+ The height of a button in a window caption or title bar, in pixels.
+
+
+
+
+ The thickness of the sizing border around the perimeter of a window that can be resized, in pixels.
+
+
+
+
+ The height of a small caption, in pixels.
+
+
+
+
+ The recommended height of a small icon, in pixels.
+
+
+
+
+ The height of small caption buttons, in pixels.
+
+
+
+
+ The height of the virtual screen, in pixels. The virtual screen is the bounding rectangle of all display monitors.
+
+
+
+
+ The height of the arrow bitmap on a vertical scroll bar, in pixels.
+
+
+
+
+ The height of the thumb box in a vertical scroll bar, in pixels.
+
+
+
+
+ Nonzero if User32.dll supports DBCS; otherwise, 0.
+
+
+
+
+ Nonzero if the debug version of User.exe is installed; otherwise, 0.
+
+
+
+
+ Nonzero if the current operating system is Windows 7 or Windows Server 2008 R2 and the Tablet PC Input service is started; otherwise, 0. The return value is a bitmask that specifies the type of digitizer input supported by the device.
+
+
+
+
+ Nonzero if Input Method Manager/Input Method Editor features are enabled; otherwise, 0.
+
+
+
+
+ Nonzero if there are digitizers in the system; otherwise, 0.
+
+
+
+
+ Nonzero if the current operating system is the Windows XP, Media Center Edition, 0 if not.
+
+
+
+
+ Nonzero if drop-down menus are right-aligned with the corresponding menu-bar item; 0 if the menus are left-aligned.
+
+
+
+
+ Nonzero if the system is enabled for Hebrew and Arabic languages, 0 if not.
+
+
+
+
+ Nonzero if a mouse is installed; otherwise, 0.
+
+
+
+
+ Nonzero if a mouse with a horizontal scroll wheel is installed; otherwise 0.
+
+
+
+
+ Nonzero if a mouse with a vertical scroll wheel is installed; otherwise 0.
+
+
+
+
+ The least significant bit is set if a network is present; otherwise, it is cleared.
+
+
+
+
+ Nonzero if the Microsoft Windows for Pen computing extensions are installed; zero otherwise.
+
+
+
+
+ This system metric is used in a Terminal Services environment to determine if the current Terminal Server session is being remotely controlled. Its value is nonzero if the current session is remotely controlled; otherwise, 0.
+
+
+
+
+ This system metric is used in a Terminal Services environment. If the calling process is associated with a Terminal Services client session, the return value is nonzero. If the calling process is associated with the Terminal Services console session, the return value is 0.
+
+
+
+
+ Nonzero if all the display monitors have the same color format, otherwise, 0.
+
+
+
+
+ This system metric should be ignored; it always returns 0.
+
+
+
+
+ The build number if the system is Windows Server 2003 R2; otherwise, 0.
+
+
+
+
+ Nonzero if the user requires an application to present information visually in situations where it would otherwise present the information only in audible form; otherwise, 0.
+
+
+
+
+ Nonzero if the current session is shutting down; otherwise, 0.
+
+
+
+
+ Nonzero if the computer has a low-end (slow) processor; otherwise, 0.
+
+
+
+
+ Nonzero if the current operating system is Windows 7 Starter Edition, Windows Vista Starter, or Windows XP Starter Edition; otherwise, 0.
+
+
+
+
+ Nonzero if the meanings of the left and right mouse buttons are swapped; otherwise, 0.
+
+
+
+
+ Nonzero if the current operating system is the Windows XP Tablet PC edition or if the current operating system is Windows Vista or Windows 7 and the Tablet PC Input service is started; otherwise, 0.
+
+
+
+
+ The coordinates for the left side of the virtual screen.
+
+
+
+
+ The coordinates for the top of the virtual screen.
+
+
+
+
+ The empty string value is permitted here to allow for detailed error reporting.
+
+
+
+
+
+
+
+ The EntityItemGUIDType restricts a string value to a representation of a GUID, used for module ID. The empty string is also allowed to support empty element associated with error conditions.
+
+
+
+
+
+
+
+
+
+ The EntityItemCmdletVerbType restricts a string value to a set of allow cmdlet verbs. The empty string is also allowed to support empty element associated with error conditions.
+
+
+
+
+
+ The Approve verb confirms or agrees to the status of a resource or process.
+
+
+
+
+ The Assert verb affirms the state of a resource.
+
+
+
+
+ The Compare verb evaluates the data from one resource against the data from another resource.
+
+
+
+
+ The Confirm verb acknowledges, verifies, or validates, the state of a resource or process.
+
+
+
+
+ The Find verb looks for an object in a container that is unknown, implied, optional, or specified.
+
+
+
+
+ The Get verb specifies an action that retrieves a resource.
+
+
+
+
+ The Import verb creates a resource from data that is stored in a persistent data store (such as a file) or in an interchange format.
+
+
+
+
+ The Measure verb identifies resources that are consumed by a specified operation, or retrieves statistics about a resource.
+
+
+
+
+ The Read verb acquires information from a source.
+
+
+
+
+ The Request verb asks for a resource or asks for permissions.
+
+
+
+
+ The Resolve verb maps a shorthand representation of a resource to a more complete representation.
+
+
+
+
+ The Search verb creates a reference to a resource in a container.
+
+
+
+
+ The Select verb locates a resource in a container.
+
+
+
+
+ The Show verb makes a resource visible to the user.
+
+
+
+
+ The Test verb verifies the operation or consistency of a resource.
+
+
+
+
+ The Trace verb tracks the activities of a resource.
+
+
+
+
+ The Watch verb continually inspects or monitors a resource for changes.
+
+
+
+
+ The empty string is also allowed to support empty elements associated with error conditions.
+
+
+
+
+
+
+
+ The EntityItemWindowsViewType restricts a string value to a specific set of values: 32-bit and 64-bit. These values describe the different values possible for the windows view behavior.
+
+
+
+
+
+ Indicates the 32_bit windows view.
+
+
+
+
+ Indicates the 64_bit windows view.
+
+
+
+
+ The empty string value is permitted here to allow for empty elements associated with error conditions.
+
+
+
+
+
+
+
+ The EntityItemUserRightType restricts a string value to a specific set of values that describe the different user rights/privileges. The empty string is also allowed to support empty elements associated with error conditions.
+
+
+
+
+
+ This privilege is required to assign the primary token of a process.
+
+
+
+
+ This privilege is required to generate audit-log entries.
+
+
+
+
+ This privilege is required to perform backup operations.
+
+
+
+
+ This privilege is required to receive notifications of changes to files or directories.
+
+
+
+
+ This privilege is required to create named file mapping objects in the global namespace during Terminal Services sessions.
+
+
+
+
+ This privilege is required to create a paging file.
+
+
+
+
+ This privilege is required to create a permanent object.
+
+
+
+
+ This privilege is required to create a symbolic link.
+
+
+
+
+ This privilege is required to create a primary token.
+
+
+
+
+ This privilege is required to debug and adjust the memory of a process owned by another account.
+
+
+
+
+ This privilege is required to mark user and computer accounts as trusted for delegation.
+
+
+
+
+ This privilege is required to impersonate.
+
+
+
+
+ This privilege is required to increase the base priority of a process.
+
+
+
+
+ This privilege is required to increase the quota assigned to a process.
+
+
+
+
+ This privilege is required to allocate more memory for applications that run in the context of users.
+
+
+
+
+ This privilege is required to load or unload a device driver.
+
+
+
+
+ This privilege is required to lock physical pages in memory.
+
+
+
+
+ This privilege is required to create a computer account.
+
+
+
+
+ This privilege is required to enable volume management privileges.
+
+
+
+
+ This privilege is required to gather profiling information for a single process.
+
+
+
+
+ This privilege is required to modify the mandatory integrity level of an object.
+
+
+
+
+ This privilege is required to shut down a system using a network request.
+
+
+
+
+ This privilege is required to perform restore operations.
+
+
+
+
+ This privilege is required to perform a number of security-related functions, such as controlling and viewing audit messages.
+
+
+
+
+ This privilege is required to shut down a local system.
+
+
+
+
+ This privilege is required for a domain controller to use the Lightweight Directory Access Protocol directory synchronization services.
+
+
+
+
+ This privilege is required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information.
+
+
+
+
+ This privilege is required to gather profiling information for the entire system.
+
+
+
+
+ This privilege is required to modify the system time.
+
+
+
+
+ This privilege is required to take ownership of an object without being granted discretionary access.
+
+
+
+
+ This privilege identifies its holder as part of the trusted computer base.
+
+
+
+
+ This privilege is required to adjust the time zone associated with the computer's internal clock.
+
+
+
+
+ This privilege is required to access Credential Manager as a trusted caller.
+
+
+
+
+ This privilege is required to undock a laptop.
+
+
+
+
+ This privilege is required to read unsolicited input from a terminal device.
+
+
+
+
+ This account right is required for an account to log on using the batch logon type.
+
+
+
+
+ This account right explicitly denies an account the right to log on using the batch logon type.
+
+
+
+
+ This account right explicitly denies an account the right to log on using the interactive logon type.
+
+
+
+
+ This account right explicitly denies an account the right to log on using the network logon type.
+
+
+
+
+ This account right explicitly denies an account the right to log on remotely using the interactive logon type.
+
+
+
+
+ This account right explicitly denies an account the right to log on using the service logon type.
+
+
+
+
+ This account right is required for an account to log on using the interactive logon type.
+
+
+
+
+ This account right is required for an account to log on using the network logon type.
+
+
+
+
+ This account right is required for an account to log on remotely using the interactive logon type.
+
+
+
+
+ This account right is required for an account to log on using the service logon type.
+
+
+
+
+ The empty string value is permitted here to allow for detailed error reporting.
+
+
+
+
+
+
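Review bot: the EntityItemServiceTypeType enumeration in this hunk documents SERVICE_WIN32_SHARE_PROCESS twice, once for 0x00000020 and again for 0x00000100 ("The SERVICE_WIN32_SHARE_PROCESS type means that the service runs in a process with other services. The DWORD value that this corresponds to is 0x00000100."); in the Win32 service API 0x00000100 is SERVICE_INTERACTIVE_PROCESS, so the second entry's documentation (and the enumeration value itself, if it was copied along with the text) should describe a service that is allowed to interact with the desktop, which is a flag hardening definitions need to be able to assert on. Only the documentation strings are visible in this rendering, not the enumeration values they belong to, so please also confirm that each documentation block sits under the constant it names. Smaller fixes in the same hunk: "emlements" in the EntityItemRegistryTypeType text, where "restricts a string value to a specific set of values that describe the different registry types." is also a fragment left over from merging two descriptions; "a EFI driver" twice in the IMAGE_SUBSYSTEM_EFI_* entries; "is a interprocess communication" for STYPE_IPC; "a set of allow cmdlet verbs" for EntityItemCmdletVerbType; "empty element" for "empty elements" in the GUID and cmdlet verb types; "32_bit"/"64_bit" in EntityItemWindowsViewType where the type's own summary says "32-bit and 64-bit"; and the garbled "Nonzero if the current operating system is the Windows XP, Media Center Edition, 0 if not." in the system metric index list.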
diff --git a/oval-schemas/xmldsig-core-schema.xsd b/oval-schemas/xmldsig-core-schema.xsd
new file mode 100644
index 0000000..a5bc342
--- /dev/null
+++ b/oval-schemas/xmldsig-core-schema.xsd
@@ -0,0 +1,309 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
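Review bot: xmldsig-core-schema.xsd arrives as a 309-line new file whose added lines are all blank in this hunk, so its content cannot be checked here; please confirm that the committed file is the unmodified upstream W3C XML Signature schema and record its source URL and version in the commit message or a README, since a locally edited copy of a signature schema would not be flagged by validation alone.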
diff --git a/oval-specifications/oval-language-specification.docx b/oval-specifications/oval-language-specification.docx
new file mode 100644
index 0000000..1da1d77
Binary files /dev/null and b/oval-specifications/oval-language-specification.docx differ
diff --git a/oval-specifications/oval-unix-extension-specification.docx b/oval-specifications/oval-unix-extension-specification.docx
new file mode 100644
index 0000000..e551657
Binary files /dev/null and b/oval-specifications/oval-unix-extension-specification.docx differ
diff --git a/oval-specifications/oval-windows-extension-specification.docx b/oval-specifications/oval-windows-extension-specification.docx
new file mode 100644
index 0000000..87f2418
Binary files /dev/null and b/oval-specifications/oval-windows-extension-specification.docx differ
diff --git a/terms-of-use.rst b/terms-of-use.rst
new file mode 100644
index 0000000..a2cdb1c
--- /dev/null
+++ b/terms-of-use.rst
@@ -0,0 +1,43 @@
+Terms of Use
+============
+
+Introduction
+------------
+OVAL is an open standard developed by the information security community as represented by the OVAL Board and the OVAL discussion lists, and maintained by the Center for Internet Security, Inc. under license from the United States Department of Homeland Security (U.S. DHS) on this public OVAL Website.
+
+The OVAL Language and any resulting OVAL content based upon the language that is stored in the OVAL Repository are free to use by any organization or individual for any research, development, and/or commercial purposes, per below.
+
+The United States Government has copyrighted the OVAL Language for the benefit of the community in order to ensure it remains a free and open standard, as well as to legally protect the ongoing use of it and any resulting content by government, vendors, and/or users. The United States Government has trademarked ® the OVAL acronym and the OVAL logo to protect its sole and ongoing use by the OVAL effort within the information security arena.
+
+Please contact oval@cisecurity.org if you require further clarification on this issue.
+
+Open Vulnerability and Assessment Language (OVAL®) License
+----------------------------------------------------------
+
+Your use of OVAL is conditioned upon acceptance of the following terms and conditions:
+
+OVAL is comprised of the OVAL Language, OVAL Content, and the OVAL Repository. Each is defined below:
+
+* The OVAL Language serves as the framework and vocabulary of OVAL. The Language covers the three steps of the assessment process: an OVAL System Characteristics schema for representing system information, an OVAL Definition schema for expressing a specific machine state, and an OVAL Results schema for reporting the results of an assessment.
+* OVAL Content is content written in the OVAL Language. All content written in the OVAL Language is considered OVAL Content.
+* The OVAL Repository is a collection of OVAL Content hosted by the Center for Internet Security, Inc. under license from the U.S. DHS. It is the central meeting place for the OVAL Community to discuss, analyze, store, and disseminate OVAL Definitions. Each definition in the OVAL Repository determines whether a specified software vulnerability, configuration issue, program, or patch is present on a system.
+
+The Center for Internet Security, Inc. (CIS) under license from U.S. DHS hereby grants you a non-exclusive, royalty-free, worldwide license to use OVAL for research, development, and commercial purposes. Any copy you make for such purposes is authorized provided that you reproduce the United States Government’s copyright designation and this license in any such copy.
+
+The OVAL Language is the copyrighted work of the United States Government. No ownership or other proprietary interest in the OVAL Language is granted to you other than what is granted in this license.
+
+The names and trademarks for OVAL may not be used in association with commercial products. Notwithstanding the foregoing, commercial products that are based upon or incorporate any portion of OVAL may use a word mark as part of a factual statement that references the commercial products' use of OVAL materials, but only in a manner that does not imply DHS’s endorsement of the commercial product.
+
+OVAL Content, whether already in the OVAL Repository hosted by CIS under license from the U.S. DHS or developed by you and sent to CIS via the discussion forums or any other means to be deposited into the OVAL Repository, is fully available for public use free of charge. In addition, to the extent that contributed OVAL Content involves pre-existing copyrighted works, you hereby grant to CIS and the United States Government an irrevocable, worldwide, royalty-free, non-exclusive, license, for the duration of the copyright, to do the following:
+
+* to reproduce such OVAL Content, either alone or as part of a collective work;
+* to translate, adapt, alter, transform, modify, or arrange such OVAL Content, thereby creating derivative works ("Derivative Works"); and
+* to distribute, display, or communicate copies of such OVAL Content to the public free of charge.
+
+ALL DOCUMENTS AND THE INFORMATION CONTAINED THEREIN ARE PROVIDED ON AN "AS IS" BASIS AND THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE CENTER FOR INTERNET SECURITY, INC., ITS DIRECTORS, OFFICERS, EMPLOYEES CONTRACTORS, AND AGENTS, AND THE UNITED STATES GOVERNMENT DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION THEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+You understand that any export of the OVAL Language, OVAL Content, or OVAL Repository may require an export license and you assume full responsibility for obtaining such license.
+
+This License shall be construed, governed, interpreted and applied in accordance with the laws of the State of New York without regard to any conflict of law rules and you agree to submit to the exclusive jurisdiction of the State of New York courts.
+
+Copyright © 2010 United States Government. All Rights Reserved.
\ No newline at end of file
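Review bot: The file is added without a trailing newline (see the marker after the copyright line); reStructuredText sources in this tree should end with a newline so that appends and concatenation do not glue onto the last line. Also consider whether the "Copyright © 2010" line should carry the year range of the CIS-maintained text above it, since the body refers to the Center for Internet Security, Inc. as the current maintainer.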
diff --git a/tools/ExtractSchFromXSD.xsl b/tools/ExtractSchFromXSD.xsl
new file mode 100644
index 0000000..5857b3e
--- /dev/null
+++ b/tools/ExtractSchFromXSD.xsl
@@ -0,0 +1,77 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
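Review bot: Only blank added lines are visible for this stylesheet in the hunk, so the templates it contains cannot be reviewed from the patch as shown; please attach or link the readable source so the Schematron extraction logic (which rule contexts are pulled from the XSD annotations, and how namespaces are declared) can be checked. The file also ends without a trailing newline, as the marker on the last line shows.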
diff --git a/tools/oval_xsd2md.xsl b/tools/oval_xsd2md.xsl
new file mode 100644
index 0000000..179361f
--- /dev/null
+++ b/tools/oval_xsd2md.xsl
@@ -0,0 +1,606 @@
+
+
+
+
+
+
+
+
+ oval
+ oval-def
+ oval-sc
+ oval-res
+ oval-var
+ ds
+
+
+
+ ______________
+
+
+
+ # Open Vulnerability and Assessment Language: Element Dictionary
+
+
+ * Schema:
+ * Version:
+ * Release Date:
+
+
+
+
+
+
+
+
+ ## Test Listing
+
+ *
+
+
+ [ ~~~~ ](#)
+
+
+ [ ](#)
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ <
+ >
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ==
+ ==
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ --
+ --
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ** Union of **
+
+
+
+
+
+ ,
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ --
+ --
+
+
+
+
+
+
+
+
+
+
+
+ --
+ --
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ #### Attributes:
+
+
+ *
+
+ ~~
+ ****
+
+
+
+
+
+ Restriction of
+
+
+
+
+ n/a
+
+
+
+
+
+
+
+
+
+
+ ( -- default='' -- fixed='')
+
+
+ (
+
+
+
+ '~~~~'
+
+
+ ''
+
+
+ ,
+
+ )
+
+
+ ~~
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ | Child Elements | Type (MinOccurs..MaxOccurs) |
+ |:-------------- |:--------------------------- |
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ **Simple Content:**
+
+
+
+
+
+
+
+ **Simple Content:**
+
+
+ Union of
+
+
+
+
+
+ ,
+
+
+
+ Restricts
+
+
+
+
+
+
+
+
+
+ **Pattern:**
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ | Value | Description |
+ | ----- | ----------- |
+
+
+ |
+ ~~
+
+ ~~
+ |
+
+ ~~
+ <div></div>
+ ~~
+
+
+ > :small_red_triangle: **Deprecated As Of Version ** :small_red_triangle: <br />
+ **Reason:** <br />
+
+ **Comment:** <br />
+
+
+ |
+
+
+
+
+
+
+
+ ```
+
+ ```
+
+
+
+ ##### Example:
+
+
+ XML
+
+
+
+
+ **Extends:**
+
+
+
+
+
+
+
+
+ **Restricts:**
+
+
+
+
+
+
+
+
+ > :small_red_triangle: **Deprecated As Of Version ** :small_red_triangle: <br />
+ **Reason:** <br />
+
+ **Comment:** <br />
+
+
+
+
+
+
+ |
+ ~~
+
+
+
+
+
+
+
+
+ xsd:any
+
+
+
+
+ ~~
+ |
+ ~~
+
+
+
+
+
+
+ Restriction of
+
+
+
+ . See schema for details.
+
+ n/a
+
+
+
+
+
+
+
+
+
+ (
+
+
+
+
+
+ 1
+
+
+ ..
+
+
+
+
+
+ 1
+
+
+ ~~
+ ) |
+
+ ||
+ ~~
+
+
+ <div></div>
+
+
+ ~~
+ |
+
+
+
+
+
+
+
+ ## <a name=""></a>
+
+
+
+ ~~~~
+
+
+
+
+
+
+
+
+
+
+
+
+
+ [](oval-common-schema.md#)
+
+
+ [](oval-definitions-schema.md#)
+
+
+ [](oval-system-characteristics-schema.md#)
+
+
+ [](oval-results-schema.md#)
+
+
+ [](oval-variables-schema.md#)
+
+
+ [](http://www.w3.org/TR/xmldsig-core/#sec-)
+
+
+ [](#)
+
+
+
+
+
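Review bot: The emitted markdown uses GitHub-specific constructs that will not render the same under the Sphinx + recommonmark toolchain this same change pins in tools/requirements.txt: the `:small_red_triangle:` emoji shortcodes in the "Deprecated As Of Version" callouts, the `<a name=""></a>` anchors in the `##` headings (use `id` rather than the legacy `name` attribute if raw HTML anchors are kept), and the `<div></div>` inserted inside table cells as a line break. Either document that GitHub rendering is the target, or switch to plain markdown line breaks and heading anchors that CommonMark renders.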
diff --git a/tools/requirements.txt b/tools/requirements.txt
new file mode 100644
index 0000000..513d138
--- /dev/null
+++ b/tools/requirements.txt
@@ -0,0 +1,30 @@
+alabaster==0.7.10
+argh==0.26.2
+Babel==2.5.3
+certifi==2018.1.18
+chardet==3.0.4
+CommonMark==0.5.4
+docutils==0.14
+idna==2.6
+imagesize==1.0.0
+Jinja2==2.10
+livereload==2.5.1
+MarkupSafe==1.0
+packaging==17.1
+pathtools==0.1.2
+port-for==0.3.1
+Pygments==2.2.0
+pyparsing==2.2.0
+pytz==2018.3
+PyYAML==3.12
+recommonmark==0.4.0
+requests==2.18.4
+six==1.11.0
+snowballstemmer==1.2.1
+Sphinx==1.7.1
+sphinx-autobuild==0.7.1
+sphinx-rtd-theme==0.2.4
+sphinxcontrib-websupport==1.0.1
+tornado==5.0
+urllib3==1.22
+watchdog==0.8.3
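Review bot: This is a raw `pip freeze` snapshot rather than a curated dependency list: the direct build dependencies (Sphinx, recommonmark, sphinx-rtd-theme, sphinx-autobuild) are mixed with their transitive packages (tornado, urllib3, MarkupSafe, ...), and every pin is an early-2018 release (certifi==2018.1.18, pytz==2018.3). Suggest listing only the direct dependencies here, generating the fully pinned set separately with `--hash=` entries so installs are reproducible and integrity-checked, and adding a note on how and when these pins are refreshed, since exact pins with no update process leave the docs build on whatever versions were current when the file was committed.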