Name of Your Organization:

National Institute of Advanced Industrial Science and Technology (AIST)

Web Site:

http://www.aist.go.jp/

Adopting Capability:

SIX OVAL

Capability home page:

https://code.google.com/p/six-oval/

General Capability Questions

Adoption Capabilities

If the functionality is available now, indicate "Yes." If it has been implemented but not released, indicate "Beta". If planned but not currently available, indicate "Planned". If there are no plans for a specific category, that section(s) is not included as part of the questionnaire below.

OVAL Definition Evaluator — Yes

Product Accessibility <AR_1.9>

Provide a short description of how and where your capability is made available to your customers and the public.

The product is free and open source software, licensed under the Apache License, Version 2.0. The product is hosted on Google Code at the following URL:
https://code.google.com/p/six-oval/

The distribution archive includes a Java JAR file, source code and Javadoc API documents. Documents, including a user guide, are also published as wiki pages on the above web site.

Language Version Indication <AR_1.10>

Describe how and where the capability indicates the version of the OVAL Language used to validate, create, or update its content.

The supported versions of the OVAL language are indicated in the release notes on the web site.

The product, version 1.0.0, supports OVAL Schema 5.10.1.

Capability Correctness Questions

Error Reporting <AR_2.1>

Indicate how a user who discovers an error in the capability’s use of OVAL can report the error.

Users can send emails to the developers and/or the users’ mailing list using information on the product’s web site.

In addition, the web site provides an issue tracking feature, and users can utilize it to report errors.

Responding to Error Reports <AR_2.2>

Describe the approach to responding to the above error reports and how applicable fixes will be applied.

If an error is reported by email, we reply to confirm our receipt first. Then, if it appears that it is a new error, we create a new issue on the issue tracking system and send an email to the reporter to keep track of the error.

If an error is reported on the issue tracking system, we confirm a user's report by changing the status of the issue to "accepted" or "started" and adding a comment.

In both cases, once an issue is created in the system, it can be traced on the web site.

The issues fixed are listed in the release notes.

Documentation Questions

Adoption Documentation <AR_3.1>

Provide a copy, or directions to the location, of where the documentation describes OVAL and OVAL Adoption for any customers.

Information about the relationship between the product and OVAL is described in the documents on the web site.

Language Support <AR_3.2>

List each supported component schema and specific OVAL Tests in those component schemas that are supported. (AR_3.2)

  • aix-definitions-schema.xsd
    • fileset
    • fix
    • interim_fix
    • no
    • oslevel
  • independent-definitions-schema.xsd
    • environmentvariable
    • environmentvariable58
    • family
    • filehash
    • filehash58
    • ldap
    • sql
    • sql57
    • textfilecontent
    • textfilecontent54
    • unknown
    • variable
    • xmlfilecontent
  • ios-definitions-schema.xsd
    • global
    • interface
    • line
    • snmp
    • tclsh
    • version
    • version55
  • linux-definitions-schema.xsd
    • dpkginfo
    • inetlisteningservers
    • partition
    • rpminfo
    • rpmverify
    • selinuxboolean
    • selinuxsecuritycontext
    • slackwarepkginfo
  • macos-definitions-schema.xsd
    • accountinfo
    • diskutil
    • inetlisteningservers
    • inetlisteningserver510
    • nvram
    • plist
    • plist510
    • pwpolicy
    • pwpolicy59
  • pixos-definitions-schema.xsd
    • line
    • version
  • solaris-definitions-schema.xsd
    • isainfo
    • ndd
    • package
    • packagecheck
    • patch
    • patch54
    • smf
  • windows-definitions-schema.xsd
    • accesstoken
    • activedirectory
    • auditeventpolicy
    • auditeventpolicysubcategories
    • file
    • fileauditedpermissions
    • fileauditedpermissions53
    • fileeffectiverights
    • fileeffectiverights53
    • group
    • group_sid
    • interface
    • lockoutpolicy
    • metabase
    • passwordpolicy
    • port
    • printereffectiverights
    • process
    • process58
    • registry
    • regkeyauditedpermissions
    • regkeyauditedpermissions53
    • regkeyeffectiverights
    • regkeyeffectiverights53
    • serviceeffectiverights
    • sharedresource
    • sid
    • sid_sid
    • uac
    • user
    • user_sid
    • user_sid55
    • volume
    • wmi
    • wmi57
    • wuaupdatesearcher

Additional OS families and Tests may be supported from time to time. Please refer to the release notes for details.

List any core constructs defined in the OVAL Language that are not supported. (AR_3.2)

  • EntityAttributeGroup:mask

OVAL Assessment Method <AR_3.3>

List each supported component schema and specific OVAL Tests in those component schemas that are supported. (AR_3.2)

Assessment of state by a remote-scanning sensor.

OVAL Content Error Reporting <AR_3.4>

Provide a copy, or directions to the location, of where the documentation describes the procedure by which errors in OVAL content may be reported for any OVAL content that is produced by the product.

Users can send emails to the developers and/or the users' mailing list using information on the product's web site.

In addition, the web site provides an issue tracking feature, and we may allow users to create new issues to report errors.

Content Validity Questions

Syntax Error Detection and Reporting <AR_4.1> <AR_4.2> <AR_4.3> <AR_4.4>

Indicate how the product or repository detects and reports syntax errors in any OVAL content that is consumed by the product or repository.

Users can send emails to the developers and/or the users’ mailing list using information on the product’s web site.

In addition, the web site provides an issue tracking feature, and we may allow users to create new issues to report errors.

Type-Specific Capability Questions

Definition Evaluator Capability Questions

Content Transparency <AR_8.1> <AR_8.2>

Indicate how the product allows users to determine which OVAL Definitions are being evaluated and examine the details of those definitions.

In an evaluation process, the product can take an OVAL Definitions document from a local file or a remote location indicated by a URL. In the latter case, the content is stored in a local file before evaluation. Users can find which Definitions are evaluated and their details in these files, which conform to the OVAL Definition Schema.

Content Import Process Explanation <AR_8.3>

If the capability does not support consuming OVAL content at runtime, explain the documented process by which users can submit OVAL content for interpretation by the capability, including how quickly submitted content is made available to the capability.

The product supports consuming OVAL content at runtime.

Content Evaluation <AR_8.4> <AR_8.5> <AR_8.6> <AR_8.7>

Indicate how users can review the detailed results of evaluating an OVAL Definition on a target system.

At the end of an evaluation process, the OVAL Results document is stored in a local file, and an HTML-formatted version is also generated. Users can find the evaluation result in these files.

The product has features to build a results repository which is web services capable and can send OVAL evaluation results to this repository. In this case, past results can be queried with various parameters, e.g., target system’s host name, IP address, evaluated Definition ID, etc.

Full OVAL Results <AR_8.8>

Indicate how users can review the full OVAL Results of the evaluation of an OVAL Definition on a target system.

The product provides support for the full OVAL Results format which conforms to the OVAL Results Schema. At the end of an evaluation process, the OVAL Results document is stored in a local file, and an HTML-formatted version is also generated. Users can find the evaluation result in these files.

With the web services API for the results repository, past results can be queried with various parameters, e.g., target system’s host name, IP address, evaluated Definition ID, etc.

Adoption Signature

Questions for Signature

Statement of Adoption <AR_1.2>

"As an authorized representative of my organization I agree that we will abide by all of the mandatory adoption requirements as well as all of the additional mandatory adoption requirements that are appropriate for our specific type of capability."

NAME: Akihito Nakamura
TITLE: Senior Researcher

Statement of Accuracy <AR_1.2>

"As an authorized representative of my organization and to the best of my knowledge, there are no errors in the correctness of our capability’s use of the OVAL Language and the interpretation of the logic."

NAME: Akihito Nakamura
TITLE: Senior Researcher

Statement on Follow-On Correctness Testing Support <AR_1.7>

"As an authorized representative of my organization, we agree to support the Review Authority in follow-on correctness testing activities, where appropriate types of OVAL documents might need to be exchanged with other organizations attempting to prove the correctness of their capabilities."

NAME: Akihito Nakamura
TITLE: Senior Researcher

Page Last Updated: February 27, 2014