From 1b1b334a6e963dedb106f582eef0ba5562eace2c Mon Sep 17 00:00:00 2001 From: BOUILLARD Esteban Date: Wed, 27 Jan 2021 09:53:22 +0100 Subject: [PATCH 1/2] ebouillard - On behalf of French Ministry of Army, adding AUDITDLINE_TEST and NETWORKFIREWALL_TEST to Linux/Unix OVAL schema --- oval-schemas/linux-definitions-schema.xsd | 104 ++++++ .../linux-system-characteristics-schema.xsd | 32 ++ oval-schemas/unix-definitions-schema.xsd | 317 ++++++++++++++++++ .../unix-system-characteristics-schema.xsd | 62 ++++ 4 files changed, 515 insertions(+) diff --git a/oval-schemas/linux-definitions-schema.xsd b/oval-schemas/linux-definitions-schema.xsd index 5aa15c3..b85364f 100644 --- a/oval-schemas/linux-definitions-schema.xsd +++ b/oval-schemas/linux-definitions-schema.xsd 
@@ -2720,6 +2720,110 @@ + + + + + + The auditdline_test is used to check the living rules of the auditd service. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a auditdline_object and the optional state element specifies the data to check. + + + auditdline_test + auditdline_object + auditdline_state + auditdline_item + + + + + + - the object child element of a auditdline_test must reference a auditdline_object + + + - the state child element of a auditdline_test must reference a auditdline_state + + + + + + + + + + + + + + + + + + The auditdline_object element is used by a auditdline_test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema. + A auditdline_object consists of an filter_key entity that is the same as the -k parameter of the auditctl -l command. + + + + + + + + + + State referenced in filter for '' is of the wrong type. + + + + + + + + + + + + + + As described in the auditctl(8) manpage, the filter key is an arbitrary string of text that can be up to 31 bytes long. It can uniquely identify the audit records produced by a rule. You may have more than one key on a rule. + If the xsi:nil attribute is set to true, all auditd rules must be present in the system characteristics (auditdline_item). + + + + + + + + + + + + + The auditdline_state element defines the different information that can be used to evaluate the auditd rules. This includes the filter key, the corresponding rule and the line number of the rule. 
Please refer to the individual elements in the schema for more details about what each represents. + + + + + + + + As described in the auditctl(8) manpage, the filter key is an arbitrary string of text that can be up to 31 bytes long. It can uniquely identify the audit records produced by a rule. You may have more than one key on a rule. + + + + + A rule written on a single line like returned by the auditctl -k command. + + + + + The line number of the rule, which can be considered as the rule number regarding that there is one rule per line. This number starts at 1 which means that the number of the first rule returned is 1. + + + + + + + + diff --git a/oval-schemas/linux-system-characteristics-schema.xsd b/oval-schemas/linux-system-characteristics-schema.xsd index 5e2156d..f9723a3 100644 --- a/oval-schemas/linux-system-characteristics-schema.xsd +++ b/oval-schemas/linux-system-characteristics-schema.xsd @@ -1187,6 +1187,38 @@ + + + + + + This item stores results from checking the living rules of the auditd service. + + + + + + + + >As described in the auditctl(8) manpage, the filter key is an arbitrary string of text that can be up to 31 bytes long. It can uniquely identify the audit records produced by a rule. You may have more than one key on a rule. + + + + + A rule written on a single line like returned by the auditctl -k command. + + + + + The line number of the rule, which can be considered as the rule number regarding that there is one rule per line. This number starts at 1 which means that the number of the first rule returned is 1. + + + + + + + + diff --git a/oval-schemas/unix-definitions-schema.xsd b/oval-schemas/unix-definitions-schema.xsd index 903720e..6ff35bf 100644 --- a/oval-schemas/unix-definitions-schema.xsd +++ b/oval-schemas/unix-definitions-schema.xsd 
@@ -2691,6 +2691,164 @@ + + + + + + The networkfirewall_test is used to check the living filtering rules of the network firewall on a UNIX system. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a auditdline_object and the optional state element specifies the data to check. + + + networkfirewall_test + networkfirewall_object + networkfirewall_state + networkfirewall_item + + + + + + - the object child element of a networkfirewall_test must reference a networkfirewall_object + + + - the state child element of a networkfirewall_test must reference a networkfirewall_state + + + + + + + + + + + + + + + + + + The networkfirewall_object element is used by a networkfirewall_test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema. + A networkfirewall_object provides an abstration to check authorized and blocked packets based on network interfaces and direction of the trafic. + + + + + + + + + + State referenced in filter for '' is of the wrong type. + + + + + + + + + + + + + + The direction (incoming, outgoing or forwarding) of the network packets. + + + + + This is the name of the input interface (eth0, eth1, fw0, etc.). + The xsi:nil attribute must set to true only when the attribute packet_direction is set to outgoing. + + + + + This is the name of the output interface (eth0, eth1, fw0, etc.). + The xsi:nil attribute must set to true only when the attribute packet_direction is set to incoming. + + + + + + Action that can be taken on a network packet by the network firewall based on its configuration. 
+ + + + + + + + + + + + + The networkfirewall_state element defines the different information that can be used to evaluate the network firewall configuration. This includes the packet direction, the network interfaces, the filter action, the protocol, and pairs of address/port for both source and destination. Please refer to the individual elements in the schema for more details about what each represents. + + + + + + + + The direction (incoming, outgoing or forwarding) of the network packets. + + + + + This is the name of the input interface (eth0, eth1, fw0, etc.). + + + + + This is the name of the output interface (eth0, eth1, fw0, etc.). + + + + + Action taken on a network packet by the network firewall based on its configuration. + + + + + + The transport_protocol entity defines the specific transport-layer protocol, in lowercase: sctp, tcp or udp. + + + + + Source address of the packets. According to this OVAL datatype, it describes any IPv4/IPv6 address, address prefix, or its string representation. Note that the IP address can be IPv4 or IPv6. + + + + + Source port of the packets. + + + + + Destination address of the packets. According to this OVAL datatype, it describes any IPv4/IPv6 address, address prefix, or its string representation. Note that the IP address can be IPv4 or IPv6. + + + + + Destination port of the packets. + + + + + + + + 
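Review bot: the networkfirewall_test documentation in this hunk says "The required object element references a auditdline_object", a copy-paste from the auditdline_test that should read "references a networkfirewall_object". In the same hunk, "abstration" and "trafic" in the networkfirewall_object description should be "abstraction" and "traffic", and both interface entities say "The xsi:nil attribute must set to true only when the attribute packet_direction is set to ...", which should be "must be set", and packet_direction is an entity, not an attribute. Two modelling gaps a rule collector will hit on the first real ruleset: a rule that names no interface applies to every interface, yet nil is reserved for the direction cases, so there is no way to express "any interface" (allow nil or an explicit wildcard there, and back these prose-only constraints with a Schematron assertion so a violating object is rejected rather than silently evaluated); and transport_protocol is limited in prose to "sctp, tcp or udp", while rules that match icmp/icmpv6 or no protocol at all are routine, so either give it an enumerated type like the direction and action entities (with icmp, icmpv6 and an "any" value) or state that such rules are not collected. Likewise, say how a port range or multiport list in a rule maps onto the single source_port and destination_port entities.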
@@ -3344,4 +3502,163 @@ ACTIVE_DEAD_GATEWAY_DETECTION                                 + + + The EntityObjectPacketDirectionType complex type restricts a string value to a specific set of values that specify the direction of network packets. The empty string is also allowed to support empty elements associated with variable references. + + + + + + Incoming packets. + + + + + Outgoing packets. + + + + + Forwarding packets. + + + + + The empty string value is permitted here to allow for empty elements associated with variable references. + + + + + + + + The EntityStatePacketDirectionType complex type restricts a string value to a specific set of values that specify the direction of network packets. The empty string is also allowed to support empty elements associated with variable references. + + + + + + Incoming packets. + + + + + Outgoing packets. + + + + + Forwarding packets. + + + + + The empty string value is permitted here to allow for empty elements associated with variable references. + + + + + + + + The EntityObjectFilteringActionType complex type restricts a string value to a specific set of values that specify the filtering action of the network firewall. The empty string is also allowed to support empty elements associated with variable references. + + + + + + Network packets that are allowed by the firewall. + + + + + Network packets that are denied by the firewall. + + + + + The empty string value is permitted here to allow for empty elements associated with variable references. + + + + + + + + The EntityStateFilteringActionType complex type restricts a string value to a specific set of values that specify the filtering action of the network firewall. The empty string is also allowed to support empty elements associated with variable references. + + + + + + Network packets that are allowed by the firewall. + + + + + Network packets that are denied by the firewall. 
+ + + + + The empty string value is permitted here to allow for empty elements associated with variable references. + + + + + + + + The EntityItemPacketDirectionType complex type restricts a string value to a specific set of values that specify the direction of network packets. The empty string is also allowed to support empty elements associated with variable references. + + + + + + Incoming packets. + + + + + Outgoing packets. + + + + + Forwarding packets. + + + + + The empty string value is permitted here to allow for empty elements associated with variable references. + + + + + + + + The EntityItemFilteringActionType complex type restricts a string value to a specific set of values that specify the filtering action of the network firewall. The empty string is also allowed to support empty elements associated with variable references. + + + + + + Network packets that are allowed by the firewall. + + + + + Network packets that are denied by the firewall. + + + + + The empty string value is permitted here to allow for empty elements associated with variable references. + + + + + diff --git a/oval-schemas/unix-system-characteristics-schema.xsd b/oval-schemas/unix-system-characteristics-schema.xsd index ab7a428..e5ead8a 100644 --- a/oval-schemas/unix-system-characteristics-schema.xsd +++ b/oval-schemas/unix-system-characteristics-schema.xsd 
@@ -1212,6 +1212,68 @@ + + + + + + This item stores results from checking the living configuration of the network firewall on a UNIX system. + + + + + + + + The direction (incoming, outgoing or forwarding) of the network packets. + + + + + This is the name of the input interface (eth0, eth1, fw0, etc.). + + + + + This is the name of the output interface (eth0, eth1, fw0, etc.). + + + + + Action taken on a network packet by the network firewall based on its configuration. + + + + + The transport_protocol entity defines the specific transport-layer protocol, in lowercase: sctp, tcp or udp. + + + + + Source address of the packets. According to this OVAL datatype, it describes any IPv4/IPv6 address, address prefix, or its string representation. Note that the IP address can be IPv4 or IPv6. + + + + + Source port of the packets. + + + + + Destination address of the packets. According to this OVAL datatype, it describes any IPv4/IPv6 address, address prefix, or its string representation. Note that the IP address can be IPv4 or IPv6. + + + + + Destination port of the packets. + + + + + + + + From 0431ea98ed7c5761179ab8a513792d277d7ebf39 Mon Sep 17 00:00:00 2001 From: BOUILLARD Esteban Date: Mon, 15 Feb 2021 17:25:50 +0100 Subject: [PATCH 2/2] applying @wmunyan remark to move EntityItemPacketDirectionType and EntityItemFilteringActionType out of the unix-definition-schema and into the unix-system-characteristics-schema, and kicking auditdline_test from this branch to put it in a separate one --- oval-schemas/linux-definitions-schema.xsd | 104 ------------------ .../linux-system-characteristics-schema.xsd | 32 ------ oval-schemas/unix-definitions-schema.xsd | 53 --------- .../unix-system-characteristics-schema.xsd | 53 +++++++++ 4 files changed, 53 insertions(+), 189 deletions(-) diff --git a/oval-schemas/linux-definitions-schema.xsd b/oval-schemas/linux-definitions-schema.xsd index b85364f..5aa15c3 100644 --- a/oval-schemas/linux-definitions-schema.xsd 
+++ b/oval-schemas/linux-definitions-schema.xsd 
@@ -2720,110 +2720,6 @@ - - - - - - The auditdline_test is used to check the living rules of the auditd service. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a auditdline_object and the optional state element specifies the data to check. - - - auditdline_test - auditdline_object - auditdline_state - auditdline_item - - - - - - - the object child element of a auditdline_test must reference a auditdline_object - - - - the state child element of a auditdline_test must reference a auditdline_state - - - - - - - - - - - - - - - - - - The auditdline_object element is used by a auditdline_test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema. - A auditdline_object consists of an filter_key entity that is the same as the -k parameter of the auditctl -l command. - - - - - - - - - - State referenced in filter for '' is of the wrong type. - - - - - - - - - - - - - - As described in the auditctl(8) manpage, the filter key is an arbitrary string of text that can be up to 31 bytes long. It can uniquely identify the audit records produced by a rule. You may have more than one key on a rule. - If the xsi:nil attribute is set to true, all auditd rules must be present in the system characteristics (auditdline_item). - - - - - - - - - - - - - The auditdline_state element defines the different information that can be used to evaluate the auditd rules. This includes the filter key, the corresponding rule and the line number of the rule. 
Please refer to the individual elements in the schema for more details about what each represents. - - - - - - - - As described in the auditctl(8) manpage, the filter key is an arbitrary string of text that can be up to 31 bytes long. It can uniquely identify the audit records produced by a rule. You may have more than one key on a rule. - - - - - A rule written on a single line like returned by the auditctl -k command. - - - - - The line number of the rule, which can be considered as the rule number regarding that there is one rule per line. This number starts at 1 which means that the number of the first rule returned is 1. - - - - - - - - diff --git a/oval-schemas/linux-system-characteristics-schema.xsd b/oval-schemas/linux-system-characteristics-schema.xsd index f9723a3..5e2156d 100644 --- a/oval-schemas/linux-system-characteristics-schema.xsd +++ b/oval-schemas/linux-system-characteristics-schema.xsd @@ -1187,38 +1187,6 @@ - - - - - - This item stores results from checking the living rules of the auditd service. - - - - - - - - >As described in the auditctl(8) manpage, the filter key is an arbitrary string of text that can be up to 31 bytes long. It can uniquely identify the audit records produced by a rule. You may have more than one key on a rule. - - - - - A rule written on a single line like returned by the auditctl -k command. - - - - - The line number of the rule, which can be considered as the rule number regarding that there is one rule per line. This number starts at 1 which means that the number of the first rule returned is 1. - - - - - - - - diff --git a/oval-schemas/unix-definitions-schema.xsd b/oval-schemas/unix-definitions-schema.xsd index 6ff35bf..7fd21a4 100644 --- a/oval-schemas/unix-definitions-schema.xsd +++ b/oval-schemas/unix-definitions-schema.xsd 
@@ -3608,57 +3608,4 @@ ACTIVE_DEAD_GATEWAY_DETECTION                                 - - - The EntityItemPacketDirectionType complex type restricts a string value to a specific set of values that specify the direction of network packets. The empty string is also allowed to support empty elements associated with variable references. - - - - - - Incoming packets. - - - - - Outgoing packets. - - - - - Forwarding packets. - - - - - The empty string value is permitted here to allow for empty elements associated with variable references. - - - - - - - - The EntityItemFilteringActionType complex type restricts a string value to a specific set of values that specify the filtering action of the network firewall. The empty string is also allowed to support empty elements associated with variable references. - - - - - - Network packets that are allowed by the firewall. - - - - - Network packets that are denied by the firewall. - - - - - The empty string value is permitted here to allow for empty elements associated with variable references. - - - - - diff --git a/oval-schemas/unix-system-characteristics-schema.xsd b/oval-schemas/unix-system-characteristics-schema.xsd index e5ead8a..a804eff 100644 --- a/oval-schemas/unix-system-characteristics-schema.xsd +++ b/oval-schemas/unix-system-characteristics-schema.xsd 
@@ -1927,4 +1927,57 @@ ACTIVE_DEAD_GATEWAY_DETECTION                                 + + + The EntityItemPacketDirectionType complex type restricts a string value to a specific set of values that specify the direction of network packets. The empty string is also allowed to support empty elements associated with variable references. + + + + + + Incoming packets. + + + + + Outgoing packets. + + + + + Forwarding packets. + + + + + The empty string value is permitted here to allow for empty elements associated with variable references. + + + + + + + + The EntityItemFilteringActionType complex type restricts a string value to a specific set of values that specify the filtering action of the network firewall. The empty string is also allowed to support empty elements associated with variable references. + + + + + + Network packets that are allowed by the firewall. + + + + + Network packets that are denied by the firewall. + + + + + The empty string value is permitted here to allow for empty elements associated with variable references. + + + + +
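Review bot: in the first patch's linux-definitions-schema.xsd hunk (@@ -2720,6 +2720,110 @@), the rule entity of auditdline_state is described as "A rule written on a single line like returned by the auditctl -k command", but -k on its own sets a key when adding a rule; the listing command is auditctl -l (which the object description itself pairs with -k to select rules by key), so this should read "as returned by auditctl -l". "Living rules" is ambiguous: state that the test reflects the rules currently loaded in the kernel, not the contents of /etc/audit/audit.rules or rules.d, since the two can drift apart and that drift is usually what an auditor wants to detect. The line_number sentence "regarding that there is one rule per line" reads better as "since auditctl -l prints one rule per line", and "a auditdline_test", "a auditdline_object" and "an filter_key entity" should be "an auditdline_test", "an auditdline_object" and "a filter_key entity".

Review bot: in the first patch's linux-system-characteristics-schema.xsd hunk (@@ -1187,6 +1187,38 @@), the filter_key documentation of auditdline_item starts with a stray ">" (">As described in the auditctl(8) manpage ..."), and its rule entity repeats the "auditctl -k command" wording that should be "auditctl -l"; since the second patch's commit message moves auditdline_test to a separate branch, carry both fixes over there.

Review bot: in the first patch's unix-definitions-schema.xsd hunk at @@ -3344,4 +3502,163 @@, the filtering-action enumeration reduces every rule to "Network packets that are allowed by the firewall" or "denied by the firewall" without saying which firewall targets land where: REJECT and DROP presumably both become "denied", but LOG, RETURN and jumps to user-defined chains (the common shape of firewalld- or Docker-managed rulesets) have no mapping at all, so the documentation should state whether such rules are resolved through the chain they jump to, collected with a distinct value, or skipped, because a checker that silently ignores them will report a policy as enforced when the decisive rule lives in a sub-chain.

Review bot: in the first patch's unix-system-characteristics-schema.xsd hunk (@@ -1212,6 +1212,68 @@), "the living configuration of the network firewall" should name the source the item reflects (the ruleset currently loaded in the kernel rather than a saved configuration file), and the input_interface and output_interface entities need to say what is recorded when the rule does not match on an interface, since the object side only defines nil for the incoming and outgoing cases and a collector has to put something in the item for interface-agnostic rules.

Review bot: the second patch's linux-definitions-schema.xsd hunk (@@ -2720,110 +2720,6 @@) and its linux-system-characteristics counterpart delete, line for line, what the first patch added, so the series as posted carries auditdline_test into history only to remove it again; since the commit message says that work moves to a separate branch, rebase and squash so this PR contains only the networkfirewall changes and the diffstat reflects that.

Review bot: this hunk (@@ -1927,4 +1927,57 @@) moves EntityItemPacketDirectionType and EntityItemFilteringActionType next to networkfirewall_item, which is the right place, but it copies their documentation unchanged, so both still say the empty string is allowed "to support empty elements associated with variable references"; item entities carry no variable references, and the wording used for the other EntityItem* enumerations in this schema justifies the empty string by error conditions instead, so adjust the two sentences accordingly.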