Proposal : ADDING networkfirewall_test #112

Closed
264 changes: 264 additions & 0 deletions oval-schemas/unix-definitions-schema.xsd
Expand Up @@ -2691,6 +2691,164 @@
</xsd:complexType>
</xsd:element>
<!-- =============================================================================== -->
<!-- ========================== NETWORK FIREWALL TEST ============================ -->
<!-- =============================================================================== -->
<!-- Originaly authored by French Ministry of Army (DGA-MI) -->
<xsd:element name="networkfirewall_test" substitutionGroup="oval-def:test">
<xsd:annotation>
<xsd:documentation>The networkfirewall_test is used to check the living filtering rules of the network firewall on a UNIX system. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a auditdline_object and the optional state element specifies the data to check.</xsd:documentation>
<xsd:appinfo>
<oval:element_mapping>
<oval:test>networkfirewall_test</oval:test>
<oval:object>networkfirewall_object</oval:object>
<oval:state>networkfirewall_state</oval:state>
<oval:item target_namespace="http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#unix">networkfirewall_item</oval:item>
</oval:element_mapping>
</xsd:appinfo>
<xsd:appinfo>
<sch:pattern id="unix-def_networkfirewalltst">
<sch:rule context="unix-def:networkfirewall_test/unix-def:object">
<sch:assert test="@object_ref=ancestor::oval-def:oval_definitions/oval-def:objects/unix-def:networkfirewall_object/@id"><sch:value-of select="../@id"/> - the object child element of a networkfirewall_test must reference a networkfirewall_object</sch:assert>
</sch:rule>
<sch:rule context="unix-def:networkfirewall_test/unix-def:state">
<sch:assert test="@state_ref=ancestor::oval-def:oval_definitions/oval-def:states/unix-def:networkfirewall_state/@id"><sch:value-of select="../@id"/> - the state child element of a networkfirewall_test must reference a networkfirewall_state</sch:assert>
</sch:rule>
</sch:pattern>
</xsd:appinfo>
</xsd:annotation>
<xsd:complexType>
<xsd:complexContent>
<xsd:extension base="oval-def:TestType">
<xsd:sequence>
<xsd:element name="object" type="oval-def:ObjectRefType" />
<xsd:element name="state" type="oval-def:StateRefType" minOccurs="0" maxOccurs="unbounded"/>
</xsd:sequence>
</xsd:extension>
</xsd:complexContent>
</xsd:complexType>
</xsd:element>
<xsd:element name="networkfirewall_object" substitutionGroup="oval-def:object">
<xsd:annotation>
<xsd:documentation>The networkfirewall_object element is used by a networkfirewall_test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.</xsd:documentation>
<xsd:documentation>A networkfirewall_object provides an abstration to check authorized and blocked packets based on network interfaces and direction of the trafic.</xsd:documentation>
<xsd:appinfo>
<sch:pattern id="unix-def_networkfirewall_object_verify_filter_state">
<sch:rule context="unix-def:networkfirewall_object//oval-def:filter">
<sch:let name="parent_object" value="ancestor::unix-def:networkfirewall_object"/>
<sch:let name="parent_object_id" value="$parent_object/@id"/>
<sch:let name="state_ref" value="."/>
<sch:let name="reffed_state" value="ancestor::oval-def:oval_definitions/oval-def:states/*[@id=$state_ref]"/>
<sch:let name="state_name" value="local-name($reffed_state)"/>
<sch:let name="state_namespace" value="namespace-uri($reffed_state)"/>
<sch:assert test="(($state_namespace='http://oval.mitre.org/XMLSchema/oval-definitions-5#unix') and ($state_name='networkfirewall_state'))">State referenced in filter for <sch:value-of select="name($parent_object)"/> '<sch:value-of select="$parent_object_id"/>' is of the wrong type. </sch:assert>
</sch:rule>
</sch:pattern>
</xsd:appinfo>
</xsd:annotation>
<xsd:complexType>
<xsd:complexContent>
<xsd:extension base="oval-def:ObjectType">
<xsd:sequence>
<xsd:choice>
<xsd:element ref="oval-def:set"/>
<xsd:sequence>
<xsd:element name="packet_direction" type="unix-def:EntityObjectPacketDirectionType">
<xsd:annotation>
<xsd:documentation>The direction (incoming, outgoing or forwarding) of the network packets.</xsd:documentation>
</xsd:annotation>
</xsd:element>
<xsd:element name="input_interface" type="oval-def:EntityObjectStringType" nillable="true">
<xsd:annotation>
<xsd:documentation>This is the name of the input interface (eth0, eth1, fw0, etc.).</xsd:documentation>
<xsd:documentation>The xsi:nil attribute must set to true only when the attribute packet_direction is set to outgoing.</xsd:documentation>
</xsd:annotation>
</xsd:element>
<xsd:element name="output_interface" type="oval-def:EntityObjectStringType" nillable="true">
<xsd:annotation>
<xsd:documentation>This is the name of the output interface (eth0, eth1, fw0, etc.).</xsd:documentation>
<xsd:documentation>The xsi:nil attribute must set to true only when the attribute packet_direction is set to incoming.</xsd:documentation>
</xsd:annotation>
</xsd:element>
<!-- TODO : add schematron test to check consistency between nillable value (*_interface) and packet_direction) -->
<xsd:element name="filtering_action" type="unix-def:EntityObjectFilteringActionType" nillable="true">
<xsd:annotation>
<xsd:documentation>Action that can be taken on a network packet by the network firewall based on its configuration.</xsd:documentation>
</xsd:annotation>
</xsd:element>
<xsd:element ref="oval-def:filter" minOccurs="0" maxOccurs="unbounded"/>
</xsd:sequence>
</xsd:choice>
</xsd:sequence>
</xsd:extension>
</xsd:complexContent>
</xsd:complexType>
</xsd:element>
<xsd:element name="networkfirewall_state" substitutionGroup="oval-def:state">
<xsd:annotation>
<xsd:documentation>The networkfirewall_state element defines the different information that can be used to evaluate the network firewall configuration. This includes the packet direction, the network interfaces, the filter action, the protocol, and pairs of address/port for both source and destination. Please refer to the individual elements in the schema for more details about what each represents.</xsd:documentation>
</xsd:annotation>
<xsd:complexType>
<xsd:complexContent>
<xsd:extension base="oval-def:StateType">
<xsd:sequence>
<xsd:element name="packet_direction" type="unix-def:EntityStatePacketDirectionType" minOccurs="0" maxOccurs="1">
<xsd:annotation>
<xsd:documentation>The direction (incoming, outgoing or forwarding) of the network packets.</xsd:documentation>
</xsd:annotation>
</xsd:element>
<xsd:element name="input_interface" type="oval-def:EntityStateStringType" minOccurs="0" maxOccurs="1">
<xsd:annotation>
<xsd:documentation>This is the name of the input interface (eth0, eth1, fw0, etc.).</xsd:documentation>
</xsd:annotation>
</xsd:element>
<xsd:element name="output_interface" type="oval-def:EntityStateStringType" minOccurs="0" maxOccurs="1">
<xsd:annotation>
<xsd:documentation>This is the name of the output interface (eth0, eth1, fw0, etc.).</xsd:documentation>
</xsd:annotation>
</xsd:element>
<xsd:element name="filtering_action" type="unix-def:EntityStateFilteringActionType" minOccurs="0" maxOccurs="1">
<xsd:annotation>
<xsd:documentation>Action taken on a network packet by the network firewall based on its configuration.</xsd:documentation>
</xsd:annotation>
</xsd:element>
<!--
Two ways of handling protocol attribute seen in unix schema :
- iflisteners_state.protocol with unix-def:EntityStateProtocolType
- inetlisteningservers_state.protocol with oval-def:EntityStateStringType

The second seems simpler and is used here. Wrong choice ?
-->
<xsd:element name="transport_protocol" type="oval-def:EntityStateStringType" minOccurs="0" maxOccurs="1">
<xsd:annotation>
<xsd:documentation>The transport_protocol entity defines the specific transport-layer protocol, in lowercase: sctp, tcp or udp.</xsd:documentation>
</xsd:annotation>
</xsd:element>
<xsd:element name="source_inet_address" type="oval-def:EntityStateIPAddressStringType" minOccurs="0" maxOccurs="1">
<xsd:annotation>
<xsd:documentation>Source address of the packets. According to this OVAL datatype, it describes any IPv4/IPv6 address, address prefix, or its string representation. Note that the IP address can be IPv4 or IPv6.</xsd:documentation>
</xsd:annotation>
</xsd:element>
<xsd:element name="source_port" type="oval-def:EntityStateIntType" minOccurs="0" maxOccurs="1">
<xsd:annotation>
<xsd:documentation>Source port of the packets.</xsd:documentation>
</xsd:annotation>
</xsd:element>
<xsd:element name="destination_inet_address" type="oval-def:EntityStateIPAddressStringType" minOccurs="0" maxOccurs="1">
<xsd:annotation>
<xsd:documentation>Destination address of the packets. According to this OVAL datatype, it describes any IPv4/IPv6 address, address prefix, or its string representation. Note that the IP address can be IPv4 or IPv6.</xsd:documentation>
</xsd:annotation>
</xsd:element>
<xsd:element name="destination_port" type="oval-def:EntityStateIntType" minOccurs="0" maxOccurs="1">
<xsd:annotation>
<xsd:documentation>Destination port of the packets.</xsd:documentation>
</xsd:annotation>
</xsd:element>
</xsd:sequence>
</xsd:extension>
</xsd:complexContent>
</xsd:complexType>
</xsd:element>
<!-- =============================================================================== -->
<!-- =============================================================================== -->
<!-- =============================================================================== -->
<xsd:complexType name="EntityStateCapabilityType">
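Review bot: the networkfirewall_test documentation still says "The required object element references a auditdline_object"; that is a copy-paste leftover and should read "references a networkfirewall_object". The TODO placed before filtering_action leaves a real gap: input_interface and output_interface are nillable and the documentation says xsi:nil is only valid when packet_direction is outgoing (for input_interface) or incoming (for output_interface), but nothing enforces it, so an object with packet_direction INCOMING and a nil input_interface validates. A Schematron rule in the same appinfo block as unix-def_networkfirewall_object_verify_filter_state, for example with context `unix-def:networkfirewall_object/unix-def:input_interface[@xsi:nil='true']` asserting `../unix-def:packet_direction='OUTGOING'` (and the mirror rule for output_interface), would close it before merge. filtering_action is also declared nillable="true" with no statement of when nil is permitted; either drop nillable there or document the rule. The inline comment asking whether oval-def:EntityStateStringType is the wrong choice for transport_protocol should be resolved rather than shipped in the schema: since the documentation restricts the value to lowercase sctp, tcp or udp, an enumerated type built the same way as the PacketDirection and FilteringAction types in this change would make that constraint enforceable instead of documentation-only. Minor wording: "Originaly" should be "Originally", "abstration" should be "abstraction", "trafic" should be "traffic", "must set to true" should be "must be set to true" in both interface entities, and the source/destination address documentation repeats the IPv4/IPv6 remark twice.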
Expand Down Expand Up @@ -3344,4 +3502,110 @@ ACTIVE_DEAD_GATEWAY_DETECTION                                
</xsd:restriction>
</xsd:simpleContent>
</xsd:complexType>
<xsd:complexType name="EntityObjectPacketDirectionType">
<xsd:annotation>
<xsd:documentation>The EntityObjectPacketDirectionType complex type restricts a string value to a specific set of values that specify the direction of network packets. The empty string is also allowed to support empty elements associated with variable references.</xsd:documentation>
</xsd:annotation>
<xsd:simpleContent>
<xsd:restriction base="oval-def:EntityObjectStringType">
<xsd:enumeration value="INCOMING">
<xsd:annotation>
<xsd:documentation>Incoming packets.</xsd:documentation>
</xsd:annotation>
</xsd:enumeration>
<xsd:enumeration value="OUTGOING">
<xsd:annotation>
<xsd:documentation>Outgoing packets.</xsd:documentation>
</xsd:annotation>
</xsd:enumeration>
<xsd:enumeration value="FORWARDING">
<xsd:annotation>
<xsd:documentation>Forwarding packets.</xsd:documentation>
</xsd:annotation>
</xsd:enumeration>
<xsd:enumeration value="">
<xsd:annotation>
<xsd:documentation>The empty string value is permitted here to allow for empty elements associated with variable references.</xsd:documentation>
</xsd:annotation>
</xsd:enumeration>
</xsd:restriction>
</xsd:simpleContent>
</xsd:complexType>
<xsd:complexType name="EntityStatePacketDirectionType">
<xsd:annotation>
<xsd:documentation>The EntityStatePacketDirectionType complex type restricts a string value to a specific set of values that specify the direction of network packets. The empty string is also allowed to support empty elements associated with variable references.</xsd:documentation>
</xsd:annotation>
<xsd:simpleContent>
<xsd:restriction base="oval-def:EntityStateStringType">
<xsd:enumeration value="INCOMING">
<xsd:annotation>
<xsd:documentation>Incoming packets.</xsd:documentation>
</xsd:annotation>
</xsd:enumeration>
<xsd:enumeration value="OUTGOING">
<xsd:annotation>
<xsd:documentation>Outgoing packets.</xsd:documentation>
</xsd:annotation>
</xsd:enumeration>
<xsd:enumeration value="FORWARDING">
<xsd:annotation>
<xsd:documentation>Forwarding packets.</xsd:documentation>
</xsd:annotation>
</xsd:enumeration>
<xsd:enumeration value="">
<xsd:annotation>
<xsd:documentation>The empty string value is permitted here to allow for empty elements associated with variable references.</xsd:documentation>
</xsd:annotation>
</xsd:enumeration>
</xsd:restriction>
</xsd:simpleContent>
</xsd:complexType>
<xsd:complexType name="EntityObjectFilteringActionType">
<xsd:annotation>
<xsd:documentation>The EntityObjectFilteringActionType complex type restricts a string value to a specific set of values that specify the filtering action of the network firewall. The empty string is also allowed to support empty elements associated with variable references.</xsd:documentation>
</xsd:annotation>
<xsd:simpleContent>
<xsd:restriction base="oval-def:EntityObjectStringType">
<xsd:enumeration value="ALLOW">
<xsd:annotation>
<xsd:documentation>Network packets that are allowed by the firewall.</xsd:documentation>
</xsd:annotation>
</xsd:enumeration>
<xsd:enumeration value="DENY">
<xsd:annotation>
<xsd:documentation>Network packets that are denied by the firewall.</xsd:documentation>
</xsd:annotation>
</xsd:enumeration>
<xsd:enumeration value="">
<xsd:annotation>
<xsd:documentation>The empty string value is permitted here to allow for empty elements associated with variable references.</xsd:documentation>
</xsd:annotation>
</xsd:enumeration>
</xsd:restriction>
</xsd:simpleContent>
</xsd:complexType>
<xsd:complexType name="EntityStateFilteringActionType">
<xsd:annotation>
<xsd:documentation>The EntityStateFilteringActionType complex type restricts a string value to a specific set of values that specify the filtering action of the network firewall. The empty string is also allowed to support empty elements associated with variable references.</xsd:documentation>
</xsd:annotation>
<xsd:simpleContent>
<xsd:restriction base="oval-def:EntityStateStringType">
<xsd:enumeration value="ALLOW">
<xsd:annotation>
<xsd:documentation>Network packets that are allowed by the firewall.</xsd:documentation>
</xsd:annotation>
</xsd:enumeration>
<xsd:enumeration value="DENY">
<xsd:annotation>
<xsd:documentation>Network packets that are denied by the firewall.</xsd:documentation>
</xsd:annotation>
</xsd:enumeration>
<xsd:enumeration value="">
<xsd:annotation>
<xsd:documentation>The empty string value is permitted here to allow for empty elements associated with variable references.</xsd:documentation>
</xsd:annotation>
</xsd:enumeration>
</xsd:restriction>
</xsd:simpleContent>
</xsd:complexType>
</xsd:schema>
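Review bot: the enumeration values introduced here are uppercase (INCOMING, OUTGOING, FORWARDING, ALLOW, DENY) while the packet_direction documentation in the first part of this change describes them in lowercase ("incoming, outgoing or forwarding") and transport_protocol is documented as lowercase; pick one convention and state it in the element documentation so definitions match what collectors report. "Forwarding packets." is ambiguous and is clearer as "Packets forwarded by the host, neither locally originated nor locally delivered." The Object/State pairs differ only in their base type, which matches the pattern used elsewhere in this schema, so that duplication is fine as is.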