Version 5.10 (Archived)

This page provides information on the proposed changes to the OVAL Language. All information about the new version is included in this centralized location. The major highlights of the release so far are listed below:

  • Added new functions.
  • Added support for a win-def:peheader_test
  • Added support for a win-def:cmdlet_test

All of the above items remain open for discussion, and any comments or feedback are greatly appreciated. For a complete listing of the release contents see the New in Version 5.10 section. More information about the OVAL Language review process can be found here.

Test Listing

A complete listing of the tests available in this release can be found here.

Specification

The current working draft of the OVAL Language Specification is included below. Please submit any comments or questions about the current draft to oval-developer-list@lists.mitre.org. Along with any comments please specify the exact version of the document that is being commented on. Track changes has been enabled in the document and annotated documents are appreciated. If you would like to submit an annotated document please simply attach it to your email to the oval-developer-list. You may also submit comments directly to oval@mitre.org.

OVAL Language Specification 09-14-2011 (Word, 763 KB)

OVAL Language Specification 09-14-2011 (PDF, 2.7 MB)

Downloads

Includes downloads for the Version 5.10 Definition Schema, System Characteristics Schema, Results Schema, and Element Dictionaries.

KEY

Complete Schema — has all documentation embedded and the Schematron mark-up.
Minimal Schema — includes the raw xml schema only.
Schematron — a schema that can provide additional validation of OVAL V5 documents.
Documentation html — element dictionaries, which users can elect to view in a browser or save.
All files zip — all files zipped together to allow for one simple download.
xsd/sch — a user can either right click to download the file or left click to open the file in their default viewer.
Deprecation Listing — a list of all deprecated language constructs.

OVAL Definition Schema Downloads

File Name          | Complete Schema | Minimal Schema | Documentation | Schematron | Deprecation Listing
All Files          | zip             | zip            | zip           | zip, sch   | -
Core               | xsd             | xsd            | html          | -          | -
Common             | xsd             | xsd            | html          | -          | html
Independent        | xsd             | xsd            | html          | -          | html
Apache             | xsd             | xsd            | html          | -          | html
Apple Macintosh    | xsd             | xsd            | html          | -          | -
Cisco CatOS        | xsd             | xsd            | html          | -          | html
Cisco IOS          | xsd             | xsd            | html          | -          | html
Cisco PixOS        | xsd             | xsd            | html          | -          | -
FreeBSD            | xsd             | xsd            | html          | -          | -
HP-UX              | xsd             | xsd            | html          | -          | html
IBM AIX            | xsd             | xsd            | html          | -          | -
Linux              | xsd             | xsd            | html          | -          | -
Microsoft Windows  | xsd             | xsd            | html          | -          | html
SharePoint         | xsd             | xsd            | html          | -          | -
Sun Solaris        | xsd             | xsd            | html          | -          | html
UNIX               | xsd             | xsd            | html          | -          | html
Vmware ESX         | xsd             | xsd            | html          | -          | html

OVAL System Characteristics Schema Downloads

File Name          | Complete Schema | Minimal Schema | Documentation | Schematron | Deprecation Listing
All Files          | zip             | zip            | zip           | zip, sch   | -
Core               | xsd             | xsd            | html          | -          | -
Common             | xsd             | xsd            | html          | -          | html
Independent        | xsd             | xsd            | html          | -          | html
Apache             | xsd             | xsd            | html          | -          | html
Apple Macintosh    | xsd             | xsd            | html          | -          | -
Cisco CatOS        | xsd             | xsd            | html          | -          | html
Cisco IOS          | xsd             | xsd            | html          | -          | html
Cisco PixOS        | xsd             | xsd            | html          | -          | -
FreeBSD            | xsd             | xsd            | html          | -          | -
HP-UX              | xsd             | xsd            | html          | -          | -
IBM AIX            | xsd             | xsd            | html          | -          | -
Linux              | xsd             | xsd            | html          | -          | -
Microsoft Windows  | xsd             | xsd            | html          | -          | html
SharePoint         | xsd             | xsd            | html          | -          | -
Sun Solaris        | xsd             | xsd            | html          | -          | -
UNIX               | xsd             | xsd            | html          | -          | -
Vmware ESX         | xsd             | xsd            | html          | -          | html

OVAL Results Schema Downloads

File Name  | Complete Schema | Minimal Schema | Documentation | Schematron | Deprecation Listing
All Files  | zip             | zip            | zip           | zip, sch   | -
Core       | xsd             | xsd            | html          | -          | -
Common     | xsd             | xsd            | html          | -          | html

OVAL Variables Schema Downloads

File Name  | Complete Schema | Minimal Schema | Documentation | Schematron | Deprecation Listing
All Files  | zip             | zip            | zip           | zip, sch   | -
Core       | xsd             | xsd            | html          | -          | -
Common     | xsd             | xsd            | html          | -          | html

OVAL Directives Schema Downloads

File Name  | Complete Schema | Minimal Schema | Documentation | Schematron | Deprecation Listing
All Files  | zip             | zip            | zip           | zip, sch   | -
Core       | xsd             | xsd            | html          | -          | -
Common     | xsd             | xsd            | html          | -          | html
Results    | xsd             | xsd            | html          | -          | -

Example XML Stylesheets

File Name Description
results_to_html.xsl The results_to_html stylesheet converts an OVAL Results document into a more readable html format.
minimal_schema.xsl The minimal_schema stylesheet removes all annotation elements from the OVAL Schema leaving only the minimal schema.
element_dictionary.xsl The element_dictionary stylesheet creates documentation files from the OVAL Schema.
reference_mapping.xsl The reference_mapping stylesheet creates a map between each OVAL Definition in a document and a specified reference source.

New in Version 5.10

Version 5.10 of the Official OVAL Schema is a direct result of feedback from the OVAL Community. This will be a minor version change and may require some new development by tools that support earlier versions of the Language. The changes pending to the different schemas are outlined below. "Open" status means the item is under consideration or being worked on; "Closed" status means the item has been incorporated and work on it is completed.

Tracker items in this version include:

ID Title Status Date Opened Resolution
30358 Remove default value from var_check attribute. Closed 2011-05-03 Fixed
Priority: Medium | Category: Definition Schemas | Date Closed: 2011-06-14 15:16:13
Details:
In the EntityAttributeGroup, the var_check attribute currently has a default value of "all". The intent is that if there is a var_ref attribute but var_check is not present, var_check should be considered to be "all". However, by specifying the default "all", then when using a schema aware or validating parser a var_check attribute is always created with the value "all" - even if it is not appropriate to have a var_check attribute. This causes Schematron validation errors which enforce that when there is a var_check there should also be a var_ref.

The solution is to remove the default value and add a description of the expected behavior when var_ref is present but var_check is not present to the documentation/specification.
Follow-ups:
Date Added: 2011-05-03 19:06:19
See the associated item 24683. It states that a var_check is not required, but a best practice. The Schematron message says "a var_check must also be provided". I changed the message to say "a var_check should also be provided".

Date Added: 2011-06-10 18:02:16
This change will be included in draft 2 of version 5.10.

30359 Add explicit default "datatype" attribute values for EntityXxxxxType complex types. Closed 2011-05-03 Fixed
Priority: Medium | Category: Definition Schemas | Date Closed: 2011-06-14 15:16:00
Details:
Many of the EntityXxxxxType complex types do not have an explicit default value for the "datatype" attribute. It was believed that the default value would be inherited from the EntitySimpleBaseType, but testing has revealed this not to be the case.
Follow-ups:
Date Added: 2011-05-13 12:49:45
All instances of the datatype attribute have been made either required, with fixed or enumerated values, or optional with a default value of "string".

Date Added: 2011-06-10 18:01:58
This change will be included in draft 2 of version 5.10.

30360 Make datatype attribute required for EVRStringTypes Closed 2011-05-03 Fixed
Priority: Medium | Category: Definition Schemas | Date Closed: 2011-06-14 15:15:20
Details:
Currently in oval-definitions-schema.xsd Entity(State|Object)EVRStringType have the use of the datatype attribute set to "optional". It should be required. It is required in the System Characteristics schema.
Follow-ups:
Date Added: 2011-06-10 18:01:25
This change will be included in draft 2 of version 5.10.

30493 Create a single "test" to be used for all tests. Closed 2011-05-11 Deferred
Priority: Medium | Category: Definition Schemas | Date Closed: 2011-06-27 16:48:16
Details:
Currently, there are myriad xxx_test elements. All of these elements contain object and subject references. Since all of the tests are structurally the same, they could be replaced by a single, universal "test".
Follow-ups:
Date Added: 2011-05-11 17:03:10
An implementation of this was presented at the Spring 2011 SCAP Developer Days. The community was divided on the proposal and so it has been deferred - possibly for consideration in OVAL 6.0

30952 Schematron rules for objects in EntityAttributeGroup go to the wrong level. Closed 2011-06-08 Fixed
Priority: Medium | Category: Definition Schemas | Date Closed: 2011-07-25 14:32:40
Details:
The EntityAttributeGroup contains Schematron rules related to var_ref and var_check attributes. The rules search for the applicable context using */* XPath pattern. For objects, the path should always be objects/*/* as there are no deeper elements, but some of the rules have */*/*. These ought to be fixed.

However, there are changes to the language being planned that would create items at this third level down. So while the current rules are not correct, they are not causing any problems and may be put in force soon.
Follow-ups:
Date Added: 2011-07-19 11:30:48
Due to the fact that we now have an EntityObjectRecordType we need to add */*/* to match the lower level field elements that are part of a record. This change will be included in the version 5.10 release candidate.

25830 clarify the interpretation of filesystem searching behaviors Closed 2010-04-23 Fixed
Priority: Medium High | Category: Definition Schemas | Date Closed: 2011-08-26 17:05:55
Details:
There are different ways one might implement filesystem searching behaviors.  As of this writing, the interpreter reference implementation implements a model where behaviors are applied in a second phase, after all items matching the relevant entities are found.  E.g. for recurse_direction, those directories form the base from which upward and downward recursion is done.

That model is counterintuitive for recurse_file_system.  For example, if you specify recurse_file_system=defined and an entity specifies some files/directories on C:\ with operation=pattern match, you probably intend for only files/directories on the C drive which match the entities to be collected.  But if you implement the behavior in the two phases described above, first you will get everything on the C drive and all filesystems mounted on it, and that will constitute the "defined" filesystems for the behaviors, not just the C drive filesystem.

So we need to clarify what these behaviors really mean, especially in the face of entities which use operation=pattern match, which can cause their own filesystem traversals.

Follow-ups:
Date Added: 2010-04-24 17:26:10
Related discussion:

> > I just wanted us to be clear about this. Perhaps we should specifically say that recurse_file_system=all or local applies to all paths, even before the recurse_direction behavior is applied. recurse_file_system=defined only applies during application of the recurse_direction behavior, simply because it's too hard to figure out what filesystems are defined from a regex. Or we could say that recurse_file_system=defined only applies to all paths, even before recursion behavior is applied, when the path entity uses one of the equals/not equals operations. If the pattern match operation is used, recurse_file_system=defined may only reasonably be applied after the filesystems are first defined by finding all matches to the pattern. And be clear that that could include a lot more filesystems than may be intended.
>
> This sounds right. If a user specifies a regex I don't think the 'defined' value for the behavior makes sense.

(defined may not make sense at all with operation=pattern match?)

Date Added: 2010-04-24 17:29:18
schema documentation for recurse_file_system: "'recurse_file_system' defines the file system limitation of any recursion, either 'local' limiting data collection to local file systems (as opposed to file systems mounted from an external system), or 'defined' to keep any recursion within the file system that the file_object (path+filename) has specified. The default value is 'all' meaning to use all available file systems for data collection." ... the recurse_file_system behavior does not say anything about how it does or does not relate to the recurse_direction behavior. (should add that recurse_direction enables/disables recurse_file_system?)

Date Added: 2010-04-24 17:33:12
> > Another related point: it is documented that recursion behaviors are not applicable when the filepath entity is used. Actually, if we decide that behaviors apply when matching a pattern in the first phase, it would be just as applicable to filepath as when the path entity is used, when operation=pattern match. In fact, the FileFinder implementation for this actually calls FindPaths (see AbsFileFinder::GetFilePathsForPattern) to recursively search directories, and I had to pass in a recursion policy object that allowed everything, since that's how my modified API works. I could just as easily create a different filesystem recursion policy object, if we decided it was applicable to filepaths.
>
> I still don't think the recurse_direction and max_depth make sense for file paths. However, I think that recurse_file_system=local and recurse_file_system=all apply with a filepath. I think this would be consistent with your suggestion above.

(document some behaviors to also be applicable to filepath?)

Date Added: 2011-08-12 00:24:18
The following clarifications were made for the second release candidate of version 5.10: - clarified that the max_depth behavior has a default value of -1 meaning no limitation to recursion. This applies to all occurrences of the max-depth behavior. - clarified the documentation on the recurse_file_system behavior to indicate that this behavior is always applicable. Added note that it is recommended to limit searching to the local file systems only. Added note that the defined value only applies when using an equality operation. Added Schematron rule to report errors when the 'defined' value is used and the operation is not 'equals'. - clarified documentation on max_depth, recurse_direction, and recurse to state that they only apply with an equality operation. Registry related behaviors of the same name were also clarified.
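
To make the clarified semantics concrete, here is an added example, written for this page and not taken from the OVAL reference interpreter or from any schema, that applies recurse_direction, max_depth and recurse_file_system to a constructed in-memory directory tree and mount table. The function names, the tree and the mount table are assumptions for illustration; symbolic-link handling (the recurse behavior) is not modelled. It encodes the three clarifications above: max_depth of -1 is unlimited, recurse_file_system filters every collected path (start path included, even with pattern match), and recurse_direction/max_depth plus the 'defined' value only apply with an equality operation.

```python
import re

# Constructed directory tree for the example: directory path -> entries.
# Entries that are themselves keys are subdirectories; the rest are files.
TREE = {
    "/": ["etc", "home", "mnt"],
    "/etc": ["passwd", "ssh"],
    "/etc/ssh": ["sshd_config"],
    "/home": ["alice"],
    "/home/alice": ["notes.txt"],
    "/mnt": ["nfs"],
    "/mnt/nfs": ["shared.txt", "deeper"],
    "/mnt/nfs/deeper": ["x.txt"],
}
# Constructed mount table: mount point -> is the file system local?
MOUNTS = {"/": True, "/home": True, "/mnt/nfs": False}


def mount_point(path):
    """Longest mount point that is a prefix of path."""
    best = "/"
    for mp in MOUNTS:
        if (path == mp or path.startswith(mp.rstrip("/") + "/")) and len(mp) > len(best):
            best = mp
    return best


def subdirectories(path):
    return [p for p in (path.rstrip("/") + "/" + e for e in TREE.get(path, [])) if p in TREE]


def parent(path):
    if path == "/":
        return None
    return path.rstrip("/").rsplit("/", 1)[0] or "/"


def on_allowed_fs(candidate, start, recurse_file_system):
    """recurse_file_system applies to every collected path, the start path included."""
    if recurse_file_system == "all":
        return True
    if recurse_file_system == "local":
        return MOUNTS[mount_point(candidate)]
    if recurse_file_system == "defined":
        return mount_point(candidate) == mount_point(start)
    raise ValueError(f"unknown recurse_file_system {recurse_file_system!r}")


def find_paths(path, operation="equals", recurse_direction="none",
               max_depth=-1, recurse_file_system="all"):
    """Resolve a path entity plus behaviors to the sorted list of directories collected."""
    # Schematron rule from 5.10 RC2: 'defined' only makes sense with an equality operation.
    if recurse_file_system == "defined" and operation != "equals":
        raise ValueError("recurse_file_system='defined' requires operation='equals'")
    if operation == "equals":
        starts = [path] if path in TREE else []
    elif operation == "pattern match":
        starts = [p for p in TREE if re.search(path, p)]
    else:
        raise ValueError(f"unsupported operation {operation!r}")

    found = set()
    for start in starts:
        if not on_allowed_fs(start, start, recurse_file_system):
            continue
        found.add(start)
        # recurse_direction and max_depth only apply with an equality operation.
        if operation != "equals" or recurse_direction == "none":
            continue
        if recurse_direction == "down":
            frontier = [(start, 0)]
            while frontier:
                current, depth = frontier.pop()
                if max_depth != -1 and depth >= max_depth:  # -1 means no depth limit
                    continue
                for child in subdirectories(current):
                    if on_allowed_fs(child, start, recurse_file_system):
                        found.add(child)
                        frontier.append((child, depth + 1))
        elif recurse_direction == "up":
            current, depth = start, 0
            while True:
                up = parent(current)
                if up is None or (max_depth != -1 and depth >= max_depth):
                    break
                if not on_allowed_fs(up, start, recurse_file_system):
                    break
                found.add(up)
                current, depth = up, depth + 1
        else:
            raise ValueError(f"unknown recurse_direction {recurse_direction!r}")
    return sorted(found)
```

With this model, `find_paths("^/mnt", operation="pattern match", recurse_file_system="local")` collects only `/mnt`, because the NFS mount underneath is dropped from the pattern's matches even though no recursion was requested, while the same pattern with `recurse_file_system="defined"` is rejected outright.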

28156 splist_object doesn't uniquely identify a list Closed 2010-10-27 Deferred
Priority: Very Low | Category: Definition Schemas | Date Closed: 2011-07-19 01:34:05
Details:
splist_item has fields which are easily obtainable from a Sharepoint SPList object, but splist_object does not uniquely specify an SPList object to read. splist_item doesn't have enough entities to be able to differentiate one item from another.

splist_object has one entity, spsiteurl, which ostensibly identifies an SPSite. SPSite objects contain SPWeb objects, and SPWeb objects contain SPList objects.

splist_item has the spsiteurl entity, and a few other non-identifying entities, which come from an SPList object.

We need to clarify the meaning of this test, and probably add some more identifying entities to the oval object and/or item.
Follow-ups:
Date Added: 2011-07-19 01:34:04
It looks like in the SPWeb object there is a GetList() method which allows you to specify the server-relative url of a SPList in SPWeb object. So at a minimum, we will at least need to specify the server-relative url of the list. GetList() Method http://msdn.microsoft.com/en-us/library/microsoft.sharepoint.spweb.getlist.aspx We could simply search for the SPLists in any of the SPWeb objects in a SPSite or we could specify a single SPWeb object to search for the SPLists. We need to decide what was intended for this test. As a result, this tracker item will be deferred for the OVAL 5.10 release until we can investigate it further.

28199 update documentation to reflect that the spsiteadministration test uses the SPQuota object Closed 2010-10-29 Fixed
Priority: Very Low | Category: Definition Schemas | Date Closed: 2011-07-25 14:32:45
Details:
spsiteadministration_object is documented to get values from the SPSiteAdministration SharePoint object.  The one object entity is a site url.  The item entities simply represent some storage quota limits.  Those values are retrieved from an SPQuota object returned by the Quota property of an SPSite.  You never actually need to use SPSiteAdministration at all. The reference implementation does not use the SPSiteAdministration object.
Follow-ups:
n/a
29511 Need a none-of-the-above value for lin-def:EntityStateFileSystemTypeType Closed 2011-03-16 Fixed
Priority: Medium | Category: Definition Schemas | Date Closed: 2011-06-14 15:16:33
Details:
We are bound to encounter filesystem types which don't have a corresponding value in the lin-def:EntityStateFileSystemTypeType enumeration.  We need a special value to use for this.
Follow-ups:
Date Added: 2011-05-17 12:38:57
Added "UNKNOWN" to enumeration.

Date Added: 2011-06-10 18:01:35
This change will be included in draft 2 of version 5.10.

29512 Need a none-of-the-above value for linux-sc:EntityStateFileSystemTypeType Closed 2011-03-16 Fixed
Priority: Medium | Category: System Characteristics Schemas | Date Closed: 2011-06-14 15:15:09
Details:
We are bound to encounter filesystem types which don't have a corresponding value in the linux-sc:EntityStateFileSystemTypeType enumeration.  We need a special value to use for this.
Follow-ups:
Date Added: 2011-05-12 18:28:11
Added value "UNKNOWN" to linux-definitions-schema.xsd and linux-system-characteristics-schema.xsd.

Date Added: 2011-06-10 18:01:11
This change will be included in draft 2 of version 5.10.

29906 rpmverify: allow the filepath entity to refer to directories Closed 2011-04-05 Fixed
Priority: Medium | Category: Definition Schemas | Date Closed: 2011-06-14 15:12:28
Details:
The 'rpm' tool can do some verifications on directories, but the schema documentation says the filepath entity cannot refer to directories.  That means some possible verification failures cannot be represented, resulting in false negatives.  We need to allow the filepath entity to refer to directories.
Follow-ups:
Date Added: 2011-06-09 17:25:37
Added path & filename elements as found in file_object & state.

Date Added: 2011-06-10 12:29:51
Reverted that change to allow a choice between path+filename and filepath. In this case the change will be to simply remove the documentation that said a directory cannot be expressed in the filepath entity. The revised documentation now says, "The filepath element specifies the absolute path for a file or directory in the specified package." This change will be available in draft 2 of version 5.10

29970 Split rpmverify test into two tests Closed 2011-04-08 Fixed
Priority: Medium | Category: Definition Schemas | Date Closed: 2011-08-26 17:08:14
Details:
The rpmverify test as it is currently defined is really a file-based test.  The behaviors which affect package-global verifications really don't belong there.  We need to split the package global parts into a different test.  Those behaviors include nodeps, noscripts, nosignature, nodigest.  The nofiles behavior would not make sense anymore.

Suggestions include moving those verifications into the rpminfo test, or creating a new test, e.g. rpmverifypackage or rpmverifyrpm.
Follow-ups:
Date Added: 2011-07-20 01:05:26
Due to discussion with the community, it has been decided that the rpmverify test should not be broken up into two tests. Please see the following oval-developer-list post for more information. http://making-security-measurable.1364806.n2.nabble.com/linux-rpmverify-test-file-vs-package-global-verifications-tp6255327p6255327.html As a result, the dependency_check_passed, digest_check_passed, verification_script_successful, and signature_check_passed entities were added to hold the results of these checks during rpm verification. Documentation was also added to the nofiles behavior to state that when nofiles behavior is used, the file-based verification checks shouldn't be collected. These changes will be available in OVAL 5.10 release candidate 1.

Date Added: 2011-08-23 16:47:45
After further consideration, it makes more sense to split the rpmverify_test into two different tests (rpmverifyfile_test and rpmverifypackage_test). The rpmverifyfile_test will handle all verification checks for the files in an rpm whereas the rpmverifypackage_test will handle all verification checks for the rpm as a whole.

Date Added: 2011-08-24 18:08:24
This change will be available in OVAL 5.10 Release Candidate 2.
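
As an added example of the file-level versus package-level split (written for this page, not part of the OVAL schemas or of rpm), the following parses constructed `rpm -V` output into one verification record per file and maps the package-wide behaviors named above onto rpm's verify options. The column layout and attribute markers follow rpm(8); the check and attribute entity names are assumed to mirror the rpmverify item and should be checked against the 5.10 element dictionary. The sample output is constructed, not captured from a real host.

```python
# Column layout of `rpm -V` output as documented in rpm(8): S M 5 D L U G T P.
# Entity names are assumed to mirror the per-file checks of the OVAL rpmverify item.
FLAG_COLUMNS = [
    ("S", "size_differs"), ("M", "mode_differs"), ("5", "md5_differs"),
    ("D", "device_differs"), ("L", "link_mismatch"), ("U", "ownership_differs"),
    ("G", "group_differs"), ("T", "mtime_differs"), ("P", "capabilities_differ"),
]
# File attribute marker printed between the flags and the path.
ATTRIBUTE_MARKERS = {
    "c": "configuration_file", "d": "documentation_file", "g": "ghost_file",
    "l": "license_file", "r": "readme_file",
}

# Constructed sample output (not captured from a real host).
SAMPLE_OUTPUT = """\
S.5....T.  c /etc/ssh/sshd_config
.......T.  d /usr/share/doc/openssh/README
missing     /usr/lib64/misc/ssh-keysign
.M...UG..    /usr/bin/ssh-agent
..?......    /usr/sbin/sshd
"""


def parse_rpm_verify(output):
    """Turn `rpm -V` output into one record per file, the way a file-based test collects it."""
    items = []
    for line in output.splitlines():
        line = line.rstrip()
        if not line:
            continue
        parts = line.split(None, 2)
        if len(parts) == 3 and len(parts[1]) == 1:
            flags, marker, filepath = parts          # flags, attribute marker, path
        else:
            flags, filepath = line.split(None, 1)    # no attribute marker
            marker = None
        item = {
            "filepath": filepath,
            "missing": flags == "missing",
            "checks": {},
            "attributes": {name: marker == m for m, name in ATTRIBUTE_MARKERS.items()},
        }
        if not item["missing"]:
            if len(flags) not in (8, 9):  # 8 columns on rpm versions without capability support
                raise ValueError(f"unexpected verify flags {flags!r}")
            for (letter, name), ch in zip(FLAG_COLUMNS, flags):
                if ch == ".":
                    item["checks"][name] = "pass"
                elif ch == "?":
                    item["checks"][name] = "not performed"  # rpm could not run the check
                elif ch == letter:
                    item["checks"][name] = "fail"
                else:
                    raise ValueError(f"unexpected flag {ch!r} in {flags!r}")
        items.append(item)
    return items


def build_verify_command(package, nodeps=False, nodigest=False, nofiles=False,
                         noscripts=False, nosignature=False):
    """Map the package-level behaviors to rpm verify options; --nofiles leaves only package-wide checks."""
    cmd = ["rpm", "-V"]
    for option, enabled in (("--nodeps", nodeps), ("--nodigest", nodigest),
                            ("--nofiles", nofiles), ("--noscripts", noscripts),
                            ("--nosignature", nosignature)):
        if enabled:
            cmd.append(option)
    cmd.append(package)
    return cmd
```

Everything `parse_rpm_verify` returns is per-file data, which is the rpmverifyfile side of the split; dependency, digest, signature and script results are reported by rpm's exit status and messages rather than per-file lines, which is why they sit more naturally in a separate package-level test.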

30044 Need to support empty value in filename entities when operation=pattern match Closed 2011-04-13 Fixed
Priority: Medium | Category: Definition Schemas | Date Closed: 2011-06-14 15:14:09
Details:
There is a schematron check for the filename entity in the file_test which causes an error if the filename entity has an empty value but there is no var_ref or xsi:nil attributes.  This is incorrect because the empty string is a valid regular expression, so should be allowed if operation="pattern match", with no var_ref or xsi:nil attributes.
Follow-ups:
Date Added: 2011-05-13 12:40:02
For all filename Schematron rules that enforced the name could not be empty (all objects with filename elements) added a rule to check that the operation is not "pattern match" as an empty string is a valid pattern.

Date Added: 2011-05-16 15:29:33
Yes, I would like the schema to align with these two rules. -Danny

>-----Original Message-----
>From: Baker, Jon
>Sent: Friday, May 13, 2011 8:15 PM
>To: Haynes, Dan; Jacobsen, Jasen
>Cc: Chisholm, Michael A.; oval-team-list
>Subject: RE: [ oval OVAL Schema Item #30044] Need to support empty value in filename entities when operation=pattern match (trackeritem-30044)
>
>I think we are agreeing that:
>
>1- any time the datatype is string the value can be the empty string
>2- when nil or var_ref are used the value must be the empty string
>
>This is slightly different than what is currently committed to svn trunk. Are you guys comfortable with updating the schema to align with the above statement?
>
>Jon
>
>============================================
>Jonathan O. Baker
>G022 - IA Industry Collaboration
>The MITRE Corporation
>Email: bakerj@mitre.org
>
>
>>-----Original Message-----
>>From: Haynes, Dan
>>Sent: Friday, May 13, 2011 11:54 AM
>>To: Baker, Jon; Jacobsen, Jasen
>>Cc: Chisholm, Michael A.
>>Subject: RE: [ oval OVAL Schema Item #30044] Need to support empty value in filename entities when operation=pattern match (trackeritem-30044)
>>
>>Yeah, the schema for the various datatypes will do this. However, I am thinking that we don't even want the Schematron rule that allows the empty string only when pattern match is used with filename entities. I think we always want to allow the empty string as a value and Schematron enforce it when nil and var_ref are used.
>>
>>-Danny

Date Added: 2011-06-10 18:00:42
An empty string is now allowed when a pattern match is used. This change will be included in draft 2 of version 5.10.
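
The following added example (written for this page, not OVAL's own Schematron) implements the var_check/var_ref rules from item 30358 above and the empty-value rules agreed in this item as plain Python checks over a constructed definitions fragment. It also shows why the old schema default was a problem: `simulate_schema_default` does what a schema-aware parser did under the pre-5.10 schema, materialising var_check="all" on every entity, after which the var_check-without-var_ref rule fires on entities that never had a variable reference. The object ids and file_object content are constructed; the function names are assumptions. Only the OVAL namespace URIs are real.

```python
import xml.etree.ElementTree as ET

DEF_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
XSI_NIL = "{http://www.w3.org/2001/XMLSchema-instance}nil"
ET.register_namespace("unix-def", DEF_NS + "#unix")
ET.register_namespace("xsi", "http://www.w3.org/2001/XMLSchema-instance")

# Constructed definitions fragment (illustrative, not from any published OVAL content).
SAMPLE_DEFINITIONS = """\
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
    xmlns:unix-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <objects>
    <unix-def:file_object id="oval:example:obj:1" version="1">
      <unix-def:path>/etc/ssh</unix-def:path>
      <unix-def:filename var_ref="oval:example:var:1"/>
    </unix-def:file_object>
    <unix-def:file_object id="oval:example:obj:2" version="1">
      <unix-def:path>/etc/ssh</unix-def:path>
      <unix-def:filename var_ref="oval:example:var:1" var_check="at least one">sshd_config</unix-def:filename>
    </unix-def:file_object>
    <unix-def:file_object id="oval:example:obj:3" version="1">
      <unix-def:path>/etc/ssh</unix-def:path>
      <unix-def:filename operation="pattern match"></unix-def:filename>
    </unix-def:file_object>
    <unix-def:file_object id="oval:example:obj:4" version="1">
      <unix-def:path>/etc/ssh</unix-def:path>
      <unix-def:filename></unix-def:filename>
    </unix-def:file_object>
    <unix-def:file_object id="oval:example:obj:5" version="1">
      <unix-def:path>/etc</unix-def:path>
      <unix-def:filename var_check="all">passwd</unix-def:filename>
    </unix-def:file_object>
    <unix-def:file_object id="oval:example:obj:6" version="1">
      <unix-def:path>/etc</unix-def:path>
      <unix-def:filename xsi:nil="true"/>
    </unix-def:file_object>
  </objects>
</oval_definitions>
"""


def local_name(elem):
    return elem.tag.rsplit("}", 1)[-1]


def effective_var_check(entity):
    """Item 30358: an absent var_check means 'all' only when var_ref is present."""
    if entity.get("var_ref") is None:
        return None  # no variable reference, so var_check is not applicable
    return entity.get("var_check", "all")


def lint_entity(entity):
    name = local_name(entity)
    text = entity.text or ""
    has_ref = entity.get("var_ref") is not None
    is_nil = entity.get(XSI_NIL) == "true"
    errors = []
    if entity.get("var_check") is not None and not has_ref:
        errors.append(f"{name}: var_check present without var_ref")
    if (has_ref or is_nil) and text != "":
        errors.append(f"{name}: value must be empty when var_ref or xsi:nil is used")
    if (name == "filename" and text == "" and not has_ref and not is_nil
            and entity.get("operation", "equals") != "pattern match"):
        errors.append("filename: empty value needs operation='pattern match', var_ref or xsi:nil")
    return errors


def iter_objects(root):
    objects = root.find(f"{{{DEF_NS}}}objects")
    return [] if objects is None else list(objects)


def lint_definitions(xml_text):
    """Return {object id: [errors]} for objects that break any rule."""
    root = ET.fromstring(xml_text)
    report = {}
    for obj in iter_objects(root):
        errors = []
        for entity in obj.iter():  # descends into record fields too (*/* and */*/* levels)
            if entity is not obj:
                errors.extend(lint_entity(entity))
        if errors:
            report[obj.get("id")] = errors
    return report


def filename_var_checks(xml_text):
    root = ET.fromstring(xml_text)
    return {obj.get("id"): effective_var_check(e)
            for obj in iter_objects(root) for e in obj if local_name(e) == "filename"}


def simulate_schema_default(xml_text):
    """Mimic a defaulting parser under the old schema: every entity gets var_check="all"."""
    root = ET.fromstring(xml_text)
    for obj in iter_objects(root):
        for entity in obj.iter():
            if entity is not obj and entity.get("var_check") is None:
                entity.set("var_check", "all")
    return ET.tostring(root, encoding="unicode")
```

On the fragment as written only objects 2, 4 and 5 are flagged; after `simulate_schema_default` every object is flagged, because even a plain `<path>` with no variable now carries a var_check, which is exactly the false positive that removing the default eliminates.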

30918 plist_object needs an instance entity Closed 2011-06-03 Fixed
Priority: Medium | Category: Definition Schemas | Date Closed: 2011-07-25 14:32:42
Details:
An "instance" entity was added to plist_item to disambiguate same-named keys.  That entity needs to also be added to plist_object, so that those items can be uniquely identified.
Follow-ups:
Date Added: 2011-06-30 13:59:44
This change may require the creation of a plist510_test. The instance entity will be required in the plist_object, which will invalidate any content written against the current version 5.9 and earlier definition of the plist_test.

Date Added: 2011-07-19 00:16:53
This change will be included in the first release candidate for version 5.10

11802 add a new test for windows rights inheritance settings Closed 2007-05-16 Rejected
Priority: Very Low | Category: n/a | Date Closed: 2011-08-29 12:22:44
Details:
requested by NIST on 5/9/07.  Need a way to test the file permission inheritance settings.
Follow-ups:
Date Added: 2009-05-11 15:24:13
Is there more information on this tracker item? If it is a simple test addition should we be adding it to version 5.6?

Date Added: 2011-06-14 15:48:54
Rejecting this item due to lack of additional information.

12994 add win-def:sharedresourceeffectiverights_test and win-def:sharedresourceauditedpermissions_test Closed 2007-09-13 Fixed
Priority: Medium High | Category: Definition Schemas | Date Closed: 2011-07-25 14:32:50
Details:
Does OVAL have a way to itemize user-level share permissions for a directory?  For example, some security templates state items such as "Everyone" should not be included in the Share permissions on any shared folder.  It seems as though the Windows <fileeffectiverights53_test> and correlated objects and states check for Windows NTFS-style file permissions (Security tab) and that the <sharedresource_test> itemizes FAT file system style Share-level permissions.  But I have not found how to check NT-style user-level share permissions (i.e., clicking the "Permissions" button on the Sharing tab).

The <sharedresource_object> does not seem to have a method for identifying a "trustee_sid" to check the share permissions of...
Follow-ups:
Date Added: 2010-08-05 11:57:10
This item was requested in the following email message: http://making-security-measurable.1364806.n2.nabble.com/question-about-windows-share-permissions-tp23464p23464.html

Date Added: 2011-07-14 17:17:24
A shared resource test for both the SACL and the DACL is needed. This would be similar to the fileeffectiverights53_test and the fileauditedpermissions53_test.

Date Added: 2011-07-15 11:12:40
sharedresourceeffectiverights_test and sharedresourceauditedpermissions_test

Date Added: 2011-07-15 12:06:18
This request will be deferred from version 5.10 given that there is no current community support for the test. If this test is reconsidered, GetNamedSecurityInfo can be used to get information about a SE_LMSHARE as defined in the SE_OBJECT_TYPE Enumeration. However, at this time there does not appear to be a well documented set of object-specific rights for this sort of object.

Date Added: 2011-07-19 14:33:10
The win-def:sharedresourceeffectiverights_test and the win-def:sharedresourceauditedpermissions_test have been added and will be available in the release candidate for OVAL 5.10.

17373 add a new test for active network connections on windows Closed 2008-10-01 Rejected
Priority: Very Low | Category: n/a | Date Closed: 2011-08-29 12:22:58
Details:
Submitted by Ken Lassesen on 8/10/2008 to the developer list
------------------------------------------------------------

I would like the data available to be all of the items obtainable from

Netstat -an
i.e. -a -b -e -f -n -o -p -r -s -t

port_test
 * add state, add foreign address (if you wish to test that there are only connections to an internal set of addresses, we need this).

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1080           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2869           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5357           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:11478          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49152          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49153          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49154          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49155          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49157          0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:27015        0.0.0.0:0              LISTENING
  TCP    127.0.0.1:27015        127.0.0.1:49262        ESTABLISHED
  TCP    127.0.0.1:49262        127.0.0.1:27015        ESTABLISHED
  TCP    127.0.0.1:49307        0.0.0.0:0              LISTENING
  TCP    127.0.0.1:62514        0.0.0.0:0              LISTENING
  TCP    172.16.0.24:139        0.0.0.0:0              LISTENING
  TCP    172.16.0.24:49394      207.46.106.16:1863     ESTABLISHED
  TCP    172.16.0.24:49415      207.81.255.218:51740   ESTABLISHED
  TCP    172.16.0.24:49867      84.244.181.105:80      CLOSE_WAIT
  TCP    172.16.0.24:50296      209.85.173.147:80      CLOSE_WAIT
  TCP    172.16.0.24:50309      204.2.136.107:80       CLOSE_WAIT
  TCP    172.16.0.24:50310      204.2.136.107:80       CLOSE_WAIT
  TCP    172.16.0.24:50359      172.16.0.100:445       ESTABLISHED
  TCP    172.16.0.24:50404      66.210.59.247:80       ESTABLISHED
  TCP    172.16.0.24:50406      12.47.174.75:135       SYN_SENT
  TCP    192.168.0.3:139        0.0.0.0:0              LISTENING
  TCP    [::]:80                [::]:0                 LISTENING
  TCP    [::]:135               [::]:0                 LISTENING
  TCP    [::]:445               [::]:0                 LISTENING
  TCP    [::]:1080              [::]:0                 LISTENING
  TCP    [::]:2869              [::]:0                 LISTENING
  TCP    [::]:3389              [::]:0                 LISTENING
  TCP    [::]:5357              [::]:0                 LISTENING
  TCP    [::]:49152             [::]:0                 LISTENING
  TCP    [::]:49153             [::]:0                 LISTENING
  TCP    [::]:49154             [::]:0                 LISTENING
  TCP    [::]:49155             [::]:0                 LISTENING
  TCP    [::]:49157             [::]:0                 LISTENING
  TCP    [::1]:49308            [::]:0                 LISTENING
??? PortIP4_object
IPv4 Statistics

  Packets Received                   = 52035
  Received Header Errors             = 0
  Received Address Errors            = 7907
  Datagrams Forwarded                = 0    <== A potential security concern
  Unknown Protocols Received         = 0    <== A potential security concern
  Received Packets Discarded         = 20378
  Received Packets Delivered         = 58879
  Output Requests                    = 38648
  Routing Discards                   = 0    <== A potential security concern
  Discarded Output Packets           = 1278
  Output Packet No Route             = 7    <== A potential security concern
  Reassembly Required                = 0
  Reassembly Successful              = 0
  Reassembly Failures                = 0
  Datagrams Successfully Fragmented  = 0
  Datagrams Failing Fragmentation    = 0
  Fragments Created                  = 0

??? PortIP6_object
IPv6 Statistics

  Packets Received                   = 119
  Received Header Errors             = 0
  Received Address Errors            = 30
  Datagrams Forwarded                = 0
  Unknown Protocols Received         = 0
  Received Packets Discarded         = 89
  Received Packets Delivered         = 3114
  Output Requests                    = 3295
  Routing Discards                   = 0
  Discarded Output Packets           = 0
  Output Packet No Route             = 0
  Reassembly Required                = 0
  Reassembly Successful              = 0
  Reassembly Failures                = 0
  Datagrams Successfully Fragmented  = 0
  Datagrams Failing Fragmentation    = 0
  Fragments Created                  = 0


??? PortICMP4_object
ICMPv4 Statistics

                            Received    Sent
  Messages                  2195        485       
  Errors                    0           0         
  Destination Unreachable   2195        485       
  Time Exceeded             0           0         
  Parameter Problems        0           0         
  Source Quenches           0           0         
  Redirects                 0           0         
  Echo Replies              0           0         
  Echos                     0           0         
  Timestamps                0           0         
  Timestamp Replies         0           0         
  Address Masks             0           0         
  Address Mask Replies      0           0         
  Router Solicitations      0           0         
  Router Advertisements     0           0         

??? PortICMP6_object
ICMPv6 Statistics

                            Received    Sent
  Messages                  3           19        
  Errors                    0           0         
  Destination Unreachable   0           0         
  Packet Too Big            0           0         
  Time Exceeded             0           0         
  Parameter Problems        0           0         
  Echos                     0           0         
  Echo Replies              0           0         
  MLD Queries               0           0         
  MLD Reports               0           0         
  MLD Dones                 0           0         
  Router Solicitations      0           15      
  Router Advertisements     3           0         
  Neighbor Solicitations    0           4         
  Neighbor Advertisements   0           0         
  Redirects                 0           0         
  Router Renumberings       0           0         


TCP Statistics for IPv4

  Active Opens                        = 1230
  Passive Opens                       = 3
  Failed Connection Attempts          = 511
  Reset Connections                   = 381
  Current Connections                 = 11
  Segments Received                   = 28402
  Segments Sent                       = 20971
  Segments Retransmitted              = 2006

TCP Statistics for IPv6

  Active Opens                        = 2
  Passive Opens                       = 1
  Failed Connection Attempts          = 1
  Reset Connections                   = 2
  Current Connections                 = 0
  Segments Received                   = 17
  Segments Sent                       = 15
  Segments Retransmitted              = 2

UDP Statistics for IPv4

  Datagrams Received    = 5771
  No Ports              = 1395
  Receive Errors        = 17223
  Datagrams Sent        = 15051

UDP Statistics for IPv6

  Datagrams Received    = 133
  No Ports              = 3
  Receive Errors        = 86
  Datagrams Sent        = 3008

===========================================================================
Interface List
 11 ...00 1a 73 d7 99 c7 ...... Broadcom 802.11b/g WLAN
 10 ...00 1e 37 67 34 83 ...... Bluetooth Device (Personal Area Network)
  8 ...00 1b 24 d0 d2 83 ...... NVIDIA nForce Networking Controller
  1 ........................... Software Loopback Interface 1
 13 ...00 00 00 00 00 00 00 e0  isatap.{0B946E98-5AB6-488A-A4FC-F66E6E99A5B6}
 12 ...00 00 00 00 00 00 00 e0  isatap.{E738985D-C727-4B72-A64C-C5C2F499DC55}
 15 ...02 00 54 55 4e 01 ...... Teredo Tunneling Pseudo-Interface
 14 ...00 00 00 00 00 00 00 e0  isatap.{3C4C231C-BD71-4AC7-A165-5023550969D3}
 22 ...00 00 00 00 00 00 00 e0  isatap.{0B946E98-5AB6-488A-A4FC-F66E6E99A5B6}
===========================================================================

??? PortRoute4_object
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       172.16.0.1      172.16.0.24      20
          0.0.0.0          0.0.0.0      192.168.0.1      192.168.0.3      40
        127.0.0.0        255.0.0.0         On-link         127.0.0.1     306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1     306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1     306
      169.254.0.0      255.255.0.0         On-link       172.16.0.24      30
  169.254.255.255  255.255.255.255         On-link       172.16.0.24     276
       172.16.0.0    255.255.255.0         On-link       172.16.0.24     276
      172.16.0.24  255.255.255.255         On-link       172.16.0.24     276
     172.16.0.255  255.255.255.255         On-link       172.16.0.24     276
      192.168.0.0    255.255.255.0         On-link       192.168.0.3     296
      192.168.0.3  255.255.255.255         On-link       192.168.0.3     296
    192.168.0.255  255.255.255.255         On-link       192.168.0.3     296
        224.0.0.0        240.0.0.0         On-link         127.0.0.1     306
        224.0.0.0        240.0.0.0         On-link       172.16.0.24     276
        224.0.0.0        240.0.0.0         On-link       192.168.0.3     296
  255.255.255.255  255.255.255.255         On-link         127.0.0.1     306
  255.255.255.255  255.255.255.255         On-link       172.16.0.24     276
  255.255.255.255  255.255.255.255         On-link       192.168.0.3     296
===========================================================================
Persistent Routes:
  None

??? PortRoute6_object
IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
 15     18 ::/0                     On-link
  1    306 ::1/128                  On-link
 15     18 2001::/32                On-link
 15    266 2001:0:4137:9e50:3c79:1e6a:b9f9:30e3/128  On-link
  8    276 fe80::/64                On-link
 11    296 fe80::/64                On-link
 15    266 fe80::/64                On-link
 15    266 fe80::3c79:1e6a:b9f9:30e3/128  On-link
  8    276 fe80::854c:9974:5f90:e196/128  On-link
 11    296 fe80::e47b:a5ea:6279:2950/128  On-link
  1    306 ff00::/8                 On-link
 15    266 ff00::/8                 On-link
  8    276 ff00::/8                 On-link
 11    296 ff00::/8                 On-link
===========================================================================

Persistent Routes:
  None

This information is NOT available by any current windows WMI object that
I could find.
Follow-ups:
Date Added: 2009-05-11 15:47:58
Any thoughts on this test? Should we add it to a second draft of version 5.6?

Date Added: 2011-06-14 15:52:30
Rejecting this request since there has been no further community interest in this item.

17374 add additional protocols to the win-def:port_test Closed 2008-10-01 Rejected
Priority: Very Low | Category: n/a | Date Closed: 2011-08-29 12:23:16
Details:
The former CS instructor in me would be tempted to say yes because a
protocol is OS independent.

SCTP is specified as being used on the IANA port list, and, of course:

http://www.iana.org/assignments/sctp-parameters
http://www.iana.org/assignments/rtp-parameters 


http://wiki.wireshark.org/RTP is interesting because it has pictures of
a scanner and we also see H.245 listed as a protocol (as well as  H225,
H245, RTP and RTCP):

More important, the RFC describes it as a protocol:

RFC3550 RTP: A Transport Protocol for Real-Time Applications

http://www.cs.columbia.edu/~hgs/rtp/faq.html#transport actually
discusses the issue and lands on it being a transport protocol.

In theory, we should also add an "UNKNOWN" for proprietary transport
protocols.

-----Original Message-----
From: Buttner, Drew [mailto:abuttner@MITRE.ORG] 
Sent: Monday, August 11, 2008 4:47 AM
To: OVAL-DEVELOPER-LIST@LISTS.MITRE.ORG
Subject: Re: [OVAL-DEVELOPER-LIST] Addendu, to port_state

Ken,

I don't personally have knowledge of these, but did 5 minutes of
research and found information on SCTP.  I noticed that SCTP (Stream
Control Transmission Protocol) is available on windows via a 3rd party
add-in.

I couldn't find information on DDCP.

For RTP (Real-time Transport Protocol), the information I looked at
seemed to suggest that it is built on top of UDP.  Is this really a
separate protocol in terms of the OVAL test?

I did find the following site that lists all the assigned internet
protocols.  SCTP is in the list, but the other two are not.

http://www.iana.org/assignments/protocol-numbers

Are all of these valid for the Windows port_test - 'protocol' entity?

Thanks
Drew




>-----Original Message-----
>From: Ken Lassesen [mailto:ken.lassesen@LUMENSION.COM]
>Sent: Sunday, August 10, 2008 3:12 PM
>To: oval-developer-list OVAL Developer List/Closed Public Discussion
>Subject: [OVAL-DEVELOPER-LIST] Addendu, to port_state
>
>Currently UDP and TCP are the only allowed values:
>
>Checking http://www.iana.org/assignments/port-numbers,
>
>We should add:
>+ sctp
>+ ddcp
>+ RTP
>
>To unsubscribe, send an email message to LISTSERV@LISTS.MITRE.ORG with
>SIGNOFF OVAL-DEVELOPER-LIST
>in the BODY of the message.  If you have difficulties, write to OVAL-
>DEVELOPER-LIST-request@LISTS.MITRE.ORG.

Follow-ups:
Date Added: 2009-05-04 13:56:50
Danny, having just completed the port_test, can you verify that this makes sense to add?

Date Added: 2011-06-14 15:53:44
Rejecting this item due to lack of community support.

27121 hpux-def:getconf_object/pathname entity should be nillable Closed 2010-07-29 Fixed
Priority: Medium High | Category: Definition Schemas | Date Closed: 2011-06-14 15:15:39
Details:
Currently the documentation for this entity says "This is the pathname to check. Note that pathname is optional in the getconf call. An empty pathname in OVAL should be interpreted as if it was not supplied to the getconf call."

Normally in OVAL the condition described where the pathname is not supplied is supported by making the entity nillable.
Follow-ups:
Date Added: 2010-08-05 12:01:50
For the time being this item should be left as is since there are not currently any known issues with the item. However, with the next major revision this issue should be corrected.

Date Added: 2011-06-09 12:44:46
Made pathname nillable.

Date Added: 2011-06-10 17:58:24
This change will be included in draft 2 of version 5.10.

27201 document the unix-def:xinetd_test, unix-def:xinetd_object, unix-def:xinetd_state, and unix-sc:xinetd_item Closed 2010-08-05 Fixed
Priority: Very Low | Category: n/a | Date Closed: 2011-05-13 11:09:30
Details:
The documentation is currently missing from most of these items.
Follow-ups:
Date Added: 2011-05-13 11:01:30
Fixed in version 5.10 Draft 1.

29139 create a global oval-def:definition element Closed 2011-02-02 Fixed
Priority: Very Low | Category: Definition Schemas | Date Closed: 2011-04-12 17:05:42
Details:
A request was made to create a global element for definition in the oval-definitions-schema and change the DefinitionsType (and any other uses of DefinitionType) to reference the new element.

This will allow OVAL definitions to be standalone XML instances just like states, objects, tests, and variables.  This would provide a namespace aware method for storing the definition as an XML fragment that is not as easy to do today.

This topic was discussed on the oval-developer-list here:

http://making-security-measurable.1364806.n2.nabble.com/REMINDER-Version-5-9-Release-Candidate-Planned-for-Tomorrow-tp5980952p5981434.html
Follow-ups:
Date Added: 2011-03-01 00:08:35
This issue has been fixed in the first draft of version 5.10.

30052 improve documentation of unix-def:FileBehaviors Closed 2011-04-14 Duplicate
Priority: Medium High | Category: Definition Schemas | Date Closed: 2011-06-08 11:34:18
Details:
The file behaviors in the unix-definitions-schema need to be documented more explicitly. Add documentation to each value
Follow-ups:
Date Added: 2011-06-07 16:25:31
The behaviors appear to be documented. I'm unclear what needs to be added.

Date Added: 2011-06-07 17:40:25
Is this a duplicate of tracker #25830? I added that one awhile ago now, with a lot more information.

Date Added: 2011-06-08 11:34:17
Closing this item as a duplicate of #25830

30891 add <last_write_time> entity to the <win-def:registry_state> and <win-sc:registry_item> Closed 2011-06-02 Fixed
Priority: Medium | Category: n/a | Date Closed: 2011-06-14 15:17:16
Details:
This information is available via the RegQueryInfoKey API (lpftLastWriteTime parameter).

This timestamp is useful when combined with other information for the detection of malicious artifacts, and there may be other possible use cases.

See oval-developer-list archives:
http://making-security-measurable.1364806.n2.nabble.com/Registry-State-Last-Written-Time-Proposal-tp6429646p6429646.html
Follow-ups:
Date Added: 2011-06-02 11:12:24
This entity has been added to draft 2 of version 5.10

31054 add test to support using PowerShell cmdlets to collect system state information Closed 2011-06-17 Fixed
Priority: High | Category: n/a | Date Closed: 2011-08-17 12:40:48
Details:
A request for a new test that will leverage PowerShell cmdlets was submitted. cmdlet access is needed because configuration settings on Windows are increasingly only accessible via cmdlets.

The oval-developer-list discussion on this topic can be found here:
http://making-security-measurable.1364806.n2.nabble.com/Windows-PowerShell-Proposal-for-SCAP-tp6464505p6464505.html
Follow-ups:
Date Added: 2011-06-29 12:16:55
This test will be added to draft 3 of version 5.10.

31319 add support for the TPM (tpm-definitions-schema) Closed 2011-07-14 Deferred
Priority: Medium | Category: n/a | Date Closed: 2011-07-14 12:15:01
Details:
Recently, MITRE/SEDI developed a new draft component schema for OVAL to support interaction with the Trusted Platform Module (TPM). At a basic level, this is no different than most other component schemas: it simply expands OVAL's ability to collect system state information into a new component. However, because of some of the unique features of the TPM, this expansion of OVAL also supports a greater degree of trust in the results provided by an OVAL assessment. This document is intended to educate the OVAL community about TPMs in general and about the exciting possibilities made possible by OVAL interactions with the TPM.

The above document can be found here:
https://oval.mitre.org/language/about/docs/OVAL_and_TPM_White_Paper.pdf

This topic was discussed on the oval-developer-list here:
http://making-security-measurable.1364806.n2.nabble.com/OVAL-and-the-TPM-tp6204855p6204855.html
Follow-ups:
n/a
31351 add DEP status entity to the <win-def:file_state> and <win-sc:file_item> Closed 2011-07-18 Rejected
Priority: Medium | Category: n/a | Date Closed: 2011-08-29 12:22:16
Details:
Details of this request are outlined in the following developer list message:
http://making-security-measurable.1364806.n2.nabble.com/Developer-Days-Artifact-Hunting-Slides-tp6463048p6463048.html
See slide 4.
Follow-ups:
Date Added: 2011-07-19 15:08:14
This information is already available via a combination of WMI and the registry. The system wide DEP policy can be found by using WMI (see: http://support.microsoft.com/kb/912923). From there, you will either have an absolute setting (AlwaysOn or AlwaysOff) or one of the opt in/out types (OptIn, OptOut). For the opt in/out ones, you can get the exceptions via the registry (see: http://www.winserverhelp.com/2011/02/add-dep-exception-program-application-windows-server-core).

31582 product_name in the GeneratorType SHOULD be a CPE Name Closed 2011-08-04 Fixed
Priority: Medium | Category: n/a | Date Closed: 2011-08-26 17:08:02
Details:
Change schema documentation to suggest using a CPE Name for the product_name field in the GeneratorType. Use CPE Names as defined in CPE 2.3
Follow-ups:
Date Added: 2011-08-04 15:03:19
This documentation change will be included in the second release candidate of version 5.10.

31729 change all uses of the xsd:any element from @processContents="skip" to @processContents="lax" Closed 2011-08-17 Fixed
Priority: Medium | Category: n/a | Date Closed: 2011-08-26 17:07:53
Details:
This change will allow tools to optionally validate the content of the xsd:any element. With @processContents="skip" we are instructing tools to always skip the content of the <xsd:any> element. Tools should be allowed to validate this content.
Follow-ups:
Date Added: 2011-08-17 15:52:31
This change will be added to the second release candidate of version 5.10.
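
An added before/after fragment (not taken from the OVAL XSDs) showing the attribute change; the complexType name and the ##other namespace constraint are assumptions used only to make the fragment complete:

```xml
<!-- Added illustration, not an excerpt of the OVAL schemas.
     Both declarations accept the same extension elements; the difference
     is how a validator treats their content. -->
<xsd:complexType xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                 name="ExampleExtensionType">
  <xsd:sequence>
    <!-- before: the validator is told to never look at the content, so a
         malformed or mistyped extension element is silently accepted -->
    <xsd:any namespace="##other" processContents="skip"
             minOccurs="0" maxOccurs="unbounded"/>

    <!-- after: the validator checks the content whenever it can find a
         declaration for the element's namespace, and only skips it when
         no declaration is available -->
    <xsd:any namespace="##other" processContents="lax"
             minOccurs="0" maxOccurs="unbounded"/>
  </xsd:sequence>
</xsd:complexType>
```

With lax, a tool that loads the schema for the extension namespace gets validation of that content for free, while a tool that does not still behaves exactly as it did under skip.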

31730 removed win-def_affected_platform schematron rule from windows-definitions-schema Closed 2011-08-17 Fixed
Priority: Medium | Category: Definition Schemas | Date Closed: 2011-08-26 17:07:25
Details:
This rule was intended to ensure that any OVAL Definition that had an affected family of "windows" only used a specific set of strings for the platform element. When there are new versions of Windows this rule must be updated to include the name of the new version of Windows. Unfortunately, this means that there are times when a new version of Windows will be reported as an error until the schema can be updated. We ran into this problem earlier this week when processing the recent Microsoft patch Tuesday content. One of the OVAL Definitions attempted to set the platform to "Microsoft Windows Server 2008 R2". Our tools reported this content as invalid.
Follow-ups:
Date Added: 2011-08-26 17:07:25
This change will be included in the second release candidate of version 5.10.

31348 add ASLR status entity to the <win-def:process58_state> and <win-sc:process58_item> Open 2011-07-18 Rejected
Priority: Medium | Category: n/a | Date Closed: n/a
Details:
Details of this request are outlined in the following developer list message:
http://making-security-measurable.1364806.n2.nabble.com/Developer-Days-Artifact-Hunting-Slides-tp6463048p6463048.html
See slide 11.
Follow-ups:
Date Added: 2011-07-19 17:57:41
The ASLR information seems to only be available via the PE Header, which means it will be added to the pefile test, instead of the process58_test. (http://msdn.microsoft.com/en-us/magazine/ms809762.aspx)

31350 add ASLR status entity to the <win-def:file_state> and <win-sc:file_item> Open 2011-07-18 Rejected
Priority: Medium | Category: n/a | Date Closed: n/a
Details:
Details of this request are outlined in the following developer list message:
http://making-security-measurable.1364806.n2.nabble.com/Developer-Days-Artifact-Hunting-Slides-tp6463048p6463048.html
See slide 4.
Follow-ups:
Date Added: 2011-07-19 17:58:02
The ASLR information seems to only be available via the PE Header, which means it will be added to the pefile test, instead of the file_test. (http://msdn.microsoft.com/en-us/magazine/ms809762.aspx)

26796 ensure that states referenced by filters match their parent objects Closed 2010-07-09 Fixed
Priority: Low | Category: n/a | Date Closed: 2011-08-26 17:06:36
Details:
In the current schema, nothing is done to ensure that the states referenced by filters correspond to the parent objects that contain them (i.e. a registry_object should only contain filters that reference registry_states).  We should change the schema so that this is enforced.  
Follow-ups:
Date Added: 2011-07-14 16:12:11
XSD Schema does not support the sort of interdependency checking that is proposed. A similar enforcement is done between object and state types in a test. This enforcement is done with a Schematron rule in every test definition. A similar technique could be used on every object definition that supports a filter. Or, the appropriate Schematron rules could be generated dynamically by the code that extracts the Schematron rules from the XSD. I believe the element_mapping contains all of the necessary information to generate these rules. This technique was proposed to support the "one test" proposal. The downside to this approach is that the Schematron is no longer embedded in the XSD and a separate Schematron file MUST be generated and used for validation. A final approach would be to generate all of the rules and then copy & paste them into the XSD by hand. This could be done, but is rather labor intensive. We do not want to generate the rules INTO the XSDs because the XSD files have hand-crafted formatting that would be changed if the XSDs were to be processed by XSLT (but I suppose a pure text based approach could be used and not mess up the formatting).

Date Added: 2011-08-11 19:25:04
Created an XSLT stylesheet that processes the component definition schemas and generates the necessary Schematron patterns & rules from the element_mapping of each test. Then copy & pasted all of the rules into the object definitions of each component schema.

Date Added: 2011-08-26 17:06:36
This change will be included in the second release candidate of version 5.10.
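
An added illustration (not the rule generated for the release by the stylesheet mentioned above) of the kind of Schematron pattern the follow-up describes, written for the registry_object/registry_state pairing used as the example in the details; the pattern id, the assertion message and the ns prefix bindings are assumptions:

```xml
<!-- Added example, not an excerpt of the OVAL schemas or the generated rules. -->
<sch:schema xmlns:sch="http://purl.oclc.org/dsdl/schematron">
  <sch:ns prefix="oval-def" uri="http://oval.mitre.org/XMLSchema/oval-definitions-5"/>
  <sch:ns prefix="win-def"  uri="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows"/>

  <sch:pattern id="win-def_regobjfilter_example">
    <!-- fire once for every filter nested anywhere inside a registry_object -->
    <sch:rule context="win-def:registry_object//oval-def:filter">
      <!-- the text content of a filter is the id of the state it references -->
      <sch:let name="state_ref" value="."/>
      <!-- look the state up in the document's states section -->
      <sch:let name="reffed_state"
               value="ancestor::oval-def:oval_definitions/oval-def:states/*[@id=$state_ref]"/>
      <!-- the referenced state must be a win-def:registry_state, nothing else -->
      <sch:assert test="namespace-uri($reffed_state)='http://oval.mitre.org/XMLSchema/oval-definitions-5#windows'
                        and local-name($reffed_state)='registry_state'">
        <sch:value-of select="ancestor::win-def:registry_object/@id"/> - a
        <sch:value-of select="name($reffed_state)"/> is referenced by a filter in
        this registry_object, but only a win-def:registry_state is allowed here.
      </sch:assert>
    </sch:rule>
  </sch:pattern>
</sch:schema>
```

A pattern of this shape has to exist once per object type that supports filters, which is why the follow-up generates them from the element_mapping rather than writing each by hand.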

27587 add support for a count function Closed 2010-09-02 Fixed
Priority: High | Category: Definition Schemas | Date Closed: 2011-05-13 11:15:38
Details:
Request from Brady Alleman:

"I've been looking for a way to define a variable as the count of items in another variable, but have not found a solution.  Is there a general way to accomplish this?  If no method exists, I'd like to suggest a "count" function be added to provide this capability."

For more information regarding this proposal, please see the following link.

http://making-security-measurable.1364806.n2.nabble.com/Item-Counting-UNCLASSIFIED-tp5488303.html
Follow-ups:
Date Added: 2010-09-02 18:51:41
For clarification purposes, in the documentation for this function, we will want to say that the function can count the number of values (rather than items) in a variable as using the term items may be confusing.

Date Added: 2011-05-13 11:15:38
Fixed in version 5.10 Draft 1.

27593 add support for a unique function Closed 2010-09-02 Fixed
Priority: High | Category: n/a | Date Closed: 2011-05-13 11:15:14
Details:
Request from Brady Alleman:

>>>Thinking about this further, could a "unique" function also be added?
>>>This would remove duplicate items, to allow counting only unique items.

>>So here what you want to do is if you used the split function with
>>delimiter = "-" and input string = "---", which would return four empty
>>string values, you would like to have a unique function that would return
>>only one empty string value.

>Yes.  

>Another example:  If the input string values are 
>("A", "B", "C", "C", "D", "D", "D") the output string values will be 
>("A", "B", "C", "D").  

For more information regarding this proposal, please see the following link.

http://making-security-measurable.1364806.n2.nabble.com/Item-Counting-UNCLASSIFIED-tp5488303.html
Follow-ups:
Date Added: 2011-05-13 11:15:14
Added Unique and Count functions. Fixed in version 5.10 Draft 1.
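
An added example (not from the tracker or the OVAL schemas) of how the count function from tracker 27587 and the unique function from this tracker combine in a 5.10 local_variable, using the "---" split case and the A/B/C/D value list discussed above; the variable ids and comments are placeholders:

```xml
<!-- Added illustration, not an excerpt of any OVAL content. The ids are
     placeholders and the values are constructed for the example. -->
<variables xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">

  <!-- Splitting "---" on "-" yields four empty-string values; unique
       collapses them to a single empty string, so count evaluates to 1.
       Without unique, count would evaluate to 4. -->
  <local_variable id="oval:org.example:var:1" version="1" datatype="int"
                  comment="number of distinct fields in the delimited input">
    <count>
      <unique>
        <split delimiter="-">
          <literal_component>---</literal_component>
        </split>
      </unique>
    </count>
  </local_variable>

  <!-- The second example from the discussion: the constructed input list
       ("A", "B", "C", "C", "D", "D", "D") ... -->
  <constant_variable id="oval:org.example:var:2" version="1" datatype="string"
                     comment="constructed sample values with duplicates">
    <value>A</value>
    <value>B</value>
    <value>C</value>
    <value>C</value>
    <value>D</value>
    <value>D</value>
    <value>D</value>
  </constant_variable>

  <!-- ... reduced by unique to ("A", "B", "C", "D") -->
  <local_variable id="oval:org.example:var:3" version="1" datatype="string"
                  comment="distinct values of var:2">
    <unique>
      <variable_component var_ref="oval:org.example:var:2"/>
    </unique>
  </local_variable>

</variables>
```

As the 2010-09-02 follow-up on tracker 27587 notes, count counts values, not items: var:1 above reports how many distinct string values the split produced, and says nothing about collected OVAL Items.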

28566 macos-def:inetlisteningservers_object does not uniquely identify an item Closed 2010-11-30 Fixed
Priority: Medium | Category: n/a | Date Closed: 2011-05-13 11:11:47
Details:
The macos-def:inetlisteningservers_object does not uniquely identify an item because multiple instances of a listening application can run on different addresses, ports, and protocols resulting in multiple items with the same program name.  As a result, to uniquely identify an item, a new test will need to be created.

Also, this was previously an issue with the linux-def:inetlisteningservers_object and the original post can be seen at the following link.

http://making-security-measurable.1364806.n2.nabble.com/inetd-and-inetlisteningservers-test-td22762.html
Follow-ups:
Date Added: 2010-12-01 14:57:44
The documentation associated with this test should also be updated because 'netstat -tuwlnpe' with root privileges does not appear to retrieve all of the information required for the test on Mac OS, such as program name, process id, and user id (netstat man page: http://developer.apple.com/library/mac/#documentation/Darwin/Reference/ManPages/man1/netstat.1.html). Looking into this quickly, 'lsof -i -P -n' provides this information (lsof man page: http://developer.apple.com/library/mac/#documentation/Darwin/Reference/ManPages/man8/lsof.8.html). We need to further investigate this issue in order to determine what the best method for collecting this information is.

Date Added: 2011-05-13 11:11:47
Fixed in version 5.10 Draft 1.

28740 deprecate the unix-def:sccs_test Closed 2010-12-20 Fixed
Priority: Medium | Category: n/a | Date Closed: 2011-04-12 17:20:11
Details:
We should look into the possibility of deprecating the unix-def:sccs_test.
Follow-ups:
Date Added: 2011-04-12 17:20:11
This item was deprecated in draft 1 of version 5.10.

28917 determine if additional information should be collected in the macos-def:accountinfo_test Closed 2011-01-12 Rejected
Priority: Medium | Category: n/a | Date Closed: 2011-07-18 18:51:21
Details:
The current documentation for the macos-def:accountinfo_test states that:

"We may need/want to add in data elements for things like authentication_authority, generateduid, mcx_settings (restricted account settings)"

I am removing this from the documentation and adding a tracker so it can be determined if this information is necessary.
Follow-ups:
Date Added: 2011-07-18 18:51:21
The issue of whether or not we need to add the above entities to the accountinfo_test was raised in the following oval-developer-list post: http://making-security-measurable.1364806.n2.nabble.com/Is-There-a-Need-for-Additional-macos-def-accountinfo-test-Entities-td6153511.html Due to a lack of community interest in adding these entities, it appears that they are not needed in OVAL. As a result, we have decided not to include them in the OVAL 5.10 release and will close out this tracker item.

29010 consider the outstanding issues associated with the mask attribute Closed 2011-01-24 Fixed
Priority: High | Category: n/a | Date Closed: 2011-07-25 14:32:44
Details:
The primary issues with the mask attribute are:

- The OVAL System Characteristics Schema has a misplaced Schematron rule. This rule MUST be moved to the OVAL Results Schema.

- There is no documentation to explain how to handle conflicting mask attribute settings. Conflicting settings can occur across object and state definitions and when two objects identify the same item.

- The source OVAL Definitions document MUST be modified in order to properly implement support for the mask attribute. The current documentation for the mask attribute states that, "If the mask attribute is set to 'true', then the value of this field, along with the operation used, should not appear in the results file." On many entities both the operation and datatype are required. Removing them will result in invalid XML.

- The mask attribute defines capabilities that overlap with OVAL Results Directives. If the directives indicate that the source definitions should be excluded then there is no need to alter the source definitions as the mask attribute documentation dictates. Excluding source definitions obviates this portion of the mask attribute capability. Secondly, if the directives specify a content level of "thin", system characteristics data is excluded as well as any details of the evaluation. "thin" content obviates the evaluation process and value hiding capabilities of the mask attribute.

Please see the following oval-developer-list post for additional information.
http://making-security-measurable.1364806.n2.nabble.com/mask-attribute-handling-tp5940155p5940155.html

The issues with the mask attribute were discussed at the March 2011 Developer Days event. Here is a link to the slides and the minutes from that discussion:
SLIDES:
http://oval.mitre.org/community/docs/OVAL_Slides_Spring_2011_Dev_Days.zip

MINUTES:
http://oval.mitre.org/community/docs/OVAL_Spring_2011_Developer_Days_Minutes.pdf
Follow-ups:
Date Added: 2011-06-30 14:14:09
Added text to address the issue of conflicting mask attributes. The text now reads as follows: "It is possible for masking conflicts to occur where one entity has mask set to true and another entity has mask set to false. A conflict will occur when the mask attribute is set differently on an OVAL Object and matching OVAL State or when two OVAL Objects identify the same OVAL Item(s). When such a conflict occurs the result is always to mask the entity."

Date Added: 2011-06-30 19:30:43
The misplaced Schematron rule referenced above has been moved to the results schema. This change and the documentation clarification for proper handling of conflicts will be included in draft 3 of version 5.10.

Date Added: 2011-07-14 14:00:04
In order to address the fact that as currently defined, the mask attribute requires modification to the source OVAL Definitions document we should alter the schema documentation and remove the statement requiring modification of source OVAL Definitions. In fact, this may really be a simple wording issue. The wording can be clarified to state the following: "...If the mask attribute is set to 'true', then the value of this field, along with the operation used, should not appear in the results section of an OVAL Results document. Note that this value would appear in the copy of the system characteristics contained in the results file. In this case, the results file should make use of the corresponding mask attribute in the system characteristics schema and should be set to true and the value should be omitted. In addition to the value being omitted from the copy of the system characteristics file...." This rewording specifically removes "the copy of the definition file should also omit the value and operation used for testing". With the above change the major deficiencies in the definition of the mask attribute will be resolved.

Date Added: 2011-07-14 14:47:23
The removal of documentation requiring the altering of the source OVAL Definitions will be included in version 5.10 release candidate 1.
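
An added example (not from the tracker or the OVAL schemas) of the clarified masking behaviour: a state entity with mask set to true on the definitions side, and the corresponding item as it would be copied into the system characteristics section of the results document, with the value omitted and the system characteristics mask attribute set to true. The ids, the registry path and the masking_example wrapper element are placeholders that only keep the two fragments in one document:

```xml
<!-- Added illustration, not an excerpt of any OVAL content. -->
<masking_example>

  <!-- Definitions side: the pattern being tested is sensitive, so the
       author masks it. The definitions document itself is NOT modified
       by the tool; it stays exactly as written here. -->
  <registry_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows"
                  id="oval:org.example:ste:1" version="1"
                  comment="value must match the expected token format">
    <value datatype="string" operation="pattern match" mask="true">^tok-[0-9a-f]{32}$</value>
  </registry_state>

  <!-- System characteristics copy inside the results document: the item
       matched, but because the state entity was masked the collected value
       is omitted and the item entity carries mask="true" so a consumer can
       tell the field was hidden rather than empty. -->
  <registry_item xmlns="http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#windows"
                 id="1" status="exists">
    <hive>HKEY_LOCAL_MACHINE</hive>
    <key>SOFTWARE\Example\Agent</key>
    <name>Token</name>
    <type>reg_sz</type>
    <value datatype="string" mask="true"/>
  </registry_item>

</masking_example>
```

Under the conflict rule added in the 2011-06-30 follow-up, if a matching object entity had mask="false" the entity would still be masked, since any conflict resolves to masking.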

29318 remove the documentation mentioning the service_name entity in the sol-def:smf_object Closed 2011-02-25 Fixed
Priority: Medium | Category: n/a | Date Closed: 2011-05-13 11:12:58
Details:
Please see the following oval-developer-list discussion for additional information.

http://making-security-measurable.1364806.n2.nabble.com/service-name-entity-in-smf-object-td6058033.html
Follow-ups:
Date Added: 2011-05-13 11:12:58
Fixed in version 5.10 Draft 1.

29338 further discuss and specify the variable_instance attribute Closed 2011-03-03 Fixed
Priority: Medium | Category: n/a | Date Closed: 2011-07-01 11:17:47
Details:
The variable_instance attribute is an underspecified feature in the OVAL Language.  We should further discuss and specify this feature.

The following issues need to be considered:
- the documentation says a "set of variable values". What constitutes a set?
- 
Follow-ups:
Date Added: 2011-06-29 19:31:13
Removed "set", "array" other mismatched terms. Harmonized the schema documentation.

Date Added: 2011-06-30 19:45:31
This change will be included in draft 3 of version 5.10.

29491 clarify unix-def:runlevel_test documentation Closed 2011-03-16 Fixed
Priority: Medium | Category: n/a | Date Closed: 2011-06-14 15:12:38
Details:
We need to clarify the unix-def:runlevel_test documentation.
Follow-ups:
Date Added: 2011-05-11 17:25:00
Please see the following oval-developer-list post for additional information. http://making-security-measurable.1364806.n2.nabble.com/Clarifying-the-unix-def-runlevel-test-Documentation-td6261603.html

Date Added: 2011-06-10 18:03:56
This change will be included in draft 2 of version 5.10.

29708 add an enumeration value for MySQL to the various EngineType enumerations associated with the sql57_test Closed 2011-03-28 Fixed
Priority: Medium | Category: n/a | Date Closed: 2011-07-01 11:17:39
Details:
We need to add an enumeration value for MySQL to the various EngineType enumerations associated with the sql57_test.
Follow-ups:
Date Added: 2011-06-28 12:45:10
This change will be added to draft 3 of version 5.10.

29779 add new entities to the macos-def:pwpolicy59_state and macos-sc:pwpolicy59_item Closed 2011-03-31 Fixed
Priority: High | Category: n/a | Date Closed: 2011-06-14 15:16:51
Details:
We need to add support for the following entities in the macos-def:pwpolicy59_state and macos-sc:pwpolicy59_item:

maxMinutesUntilChangePassword 
minMinutesUntilChangePassword
requiresMixedCase
requiresSymbol
minutesUntilFailedLoginReset
Follow-ups:
Date Added: 2011-06-07 15:08:13
I can't find anything in Apple's documentation on pwpolicy referring to the minMinutesUntilChangePassword requiresMixedCase requiresSymbol minutesUntilFailedLoginReset values. They may exist, but the man pages do not list them as known policies. And searching Apple's developer library returns no results.

Date Added: 2011-06-07 18:20:16
Running pwpolicy -n /Local/Default -getglobalpolicy on my local Mac running OS X 10.6.7 returns:

usingHistory=0 canModifyPasswordforSelf=1 usingExpirationDate=0 usingHardExpirationDate=0 requiresAlpha=0 requiresNumeric=0 expirationDateGMT=12/31/69 hardExpireDateGMT=12/31/69 maxMinutesUntilChangePassword=0 maxMinutesUntilDisabled=0 maxMinutesOfNonUse=0 maxFailedLoginAttempts=0 minChars=0 maxChars=0 passwordCannotBeName=0 requiresMixedCase=0 requiresSymbol=0 newPasswordRequired=0 minutesUntilFailedLoginReset=0 notGuessablePattern=0

Should all of these values be captured?

Date Added: 2011-06-08 13:48:43
Yes. Capture all of the above values.

Date Added: 2011-06-08 18:21:23
NOTE: The element entity names are in lower camelcase. This should be changed to all lowercase as per OVAL convention at some point.

Date Added: 2011-06-10 17:57:38
This change will be included in draft 2 of version 5.10.

29911 add FileBehaviors to the selinuxsecuritycontext_object Closed 2011-04-05 Fixed
Priority: Medium | Category: n/a | Date Closed: 2011-06-14 15:15:49
Details:
We need to add support for FileBehaviors in the selinuxsecuritycontext_object. We should do a quick check to make sure that we have not forgotten to include FileBehaviors on any other objects that require it.
Follow-ups:
Date Added: 2011-05-13 15:46:26
Is it acceptable to use the ind-def:FileBehaviors? This would require importing the ind-def schema. Something that the other component schemas do not do. Is there a design decision for the component schemas not to import other component schemas?

Date Added: 2011-05-16 13:27:24
As per Jon Baker: No. The component schemas are to be kept independent of each other. The "independent" schema is considered a component schema and therefore should not be imported by other component schemas. FileBehaviors may be revisited in the future to move it to the oval-definitions schema so that the component schemas can import it in accordance with our design rules. FileBehaviors added to linux-def schema.

Date Added: 2011-06-10 18:01:49
This change will be included in draft 2 of version 5.10.

29912 fix the inconsistent documentation regarding the status of entities where xsi:nil="true" Closed 2011-04-05 Fixed
Priority: Medium High | Category: n/a | Date Closed: 2011-07-01 11:17:46
Details:
There are quite a few places in the various component definitions schemas where we say:

"If the xsi:nil attribute is set to true, the <entity_name> element should not be collected or used in analysis."

This contradicts the documentation associated with the "does not exist" StatusEnumeration value in the oval-system-characteristics-schema which states:

"A status of 'does not exist' says that the item or specific piece of information does not exist and therefore has not been collected. This status assumes that an attempt was made to collect the information, but the information just doesn't exist. This can happen when a certain entity is only pertinent to particular instances, or when xsi:nil is used to refer to a higher level object."

We should remove this contradictory documentation from the "does not exist" StatusEnumeration value and any other places where it is present.
 
Follow-ups:
Date Added: 2011-06-30 19:45:15
This change will be included in draft 3 of version 5.10.

30013 discuss and clarify the documentation changes made to oval-sc:ObjectType (tracker items 24219 and 24220) during the OVAL 5.7 release Closed 2011-04-11 Fixed
Priority: Medium | Category: System Characteristics Schemas | Date Closed: 2011-08-17 12:40:51
Details:
There have been ambiguity issues raised over the oval-developer-list regarding the documentation changes made to oval-sc:ObjectType (tracker items 24219 and 24220) during the OVAL 5.7 release.  We should discuss these issues and determine the best way forward. For more information, please see the following oval-developer-list posts.

http://making-security-measurable.1364806.n2.nabble.com/ItemType-documentation-ambiguity-td6064514.html

http://making-security-measurable.1364806.n2.nabble.com/Re-ItemType-documentation-ambiguity-td6262760.html
Follow-ups:
Date Added: 2011-07-19 03:25:45
The ItemType documentation has been re-factored for improved readability and documentation has been added to explicitly state that the use of partial matches, when an OVAL Item does not exist, is completely optional. This change will appear in the release candidate of OVAL 5.10.

30045 schematron rule prevents the use of an empty value in the user_id and group_id entities Closed 2011-04-13 Fixed
Priority: Medium High | Category: n/a | Date Closed: 2011-06-14 15:13:46
Details:
In the unix-def:file_state, we have the following documentation for the group_id and user_id entities.

"The group_id entity represents the group owner of a file, by group number. To test for a file with no group assigned to it, this entity would be used with an empty value."

"The numeric user id, or uid, is the third column of each user's entry in /etc/passwd. This element represents the owner of the file. To test for a file with no user assigned to it, this entity would be used with an empty value."

Specifically, the documentation states that if a content author wants to test for a file with no user/group assigned to it, they should use an empty value. Unfortunately, this is not allowed due to the following schematron rule in oval-def:EntityAttributeGroup.

<sch:pattern id="oval-def_definition_entity_type_check_rules">
    <sch:rule context="oval-def:objects/*/*[not(@xsi:nil=true()) and
                                            not(@var_ref) and @datatype='int']|
                       oval-def:states/*/*[not(@xsi:nil=true()) and
                                           not(@var_ref) and @datatype='int']">
        <sch:assert test="(not(contains(.,'.'))) and (number(.) = floor(.))">
            <sch:value-of select="../@id"/> - The datatype for the
            <sch:value-of select="name()"/> entity is 'int' but the value is
            not an integer.
        </sch:assert>
        <!-- Must test for decimal point because number(x.0) = floor(x.0) is
             true -->
    </sch:rule>
</sch:pattern>

We need to either allow for the use of an empty value in these entities or remove the documentation that says content authors can use an empty value.
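To see exactly why an empty value trips the rule quoted above, here is a plain-Python re-implementation of the same check, run over a constructed unix-def:file_state fragment. It is an added example, not part of this tracker item or of the OVAL schemas: the state ids and values are made up, and the XPath 1.0 number() emulation is deliberately limited to plain decimal literals.

```python
"""Plain-Python re-implementation of the Schematron rule
oval-def_definition_entity_type_check_rules, run over a constructed fragment."""
import math
import re
import xml.etree.ElementTree as ET

OVAL_DEF = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
UNIX_DEF = "http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"
XSI = "http://www.w3.org/2001/XMLSchema-instance"

# Constructed sample: ids and values are made up for this example.
SAMPLE_DEFINITIONS = f"""<oval_definitions xmlns="{OVAL_DEF}"
    xmlns:unix-def="{UNIX_DEF}" xmlns:xsi="{XSI}">
  <states>
    <unix-def:file_state id="oval:example:ste:1" version="1">
      <unix-def:user_id datatype="int">0</unix-def:user_id>
      <unix-def:group_id datatype="int">1000</unix-def:group_id>
    </unix-def:file_state>
    <unix-def:file_state id="oval:example:ste:2" version="1">
      <unix-def:group_id datatype="int"></unix-def:group_id>
    </unix-def:file_state>
    <unix-def:file_state id="oval:example:ste:3" version="1">
      <unix-def:user_id datatype="int">1.0</unix-def:user_id>
    </unix-def:file_state>
    <unix-def:file_state id="oval:example:ste:4" version="1">
      <unix-def:user_id datatype="int" var_ref="oval:example:var:1"/>
      <unix-def:group_id datatype="int" xsi:nil="true"/>
    </unix-def:file_state>
  </states>
</oval_definitions>"""

# XPath 1.0 number(): a decimal literal converts, anything else is NaN.
_XPATH_NUMBER = re.compile(r"^\s*-?(\d+(\.\d*)?|\.\d+)\s*$")


def xpath_number(text):
    """Emulate XPath 1.0 number(); the empty string yields NaN."""
    if _XPATH_NUMBER.match(text):
        return float(text)
    return math.nan


def is_integer_value(value):
    """The sch:assert test: no decimal point, and number(.) = floor(.).
    NaN is never equal to anything, so an empty value fails here."""
    n = xpath_number(value)
    return "." not in value and not math.isnan(n) and n == math.floor(n)


def check_int_entities(xml_text):
    """Return [(parent id, entity name, value)] for each entity the rule rejects."""
    root = ET.fromstring(xml_text)
    failures = []
    for container in ("objects", "states"):
        for parent in root.findall(f"{{{OVAL_DEF}}}{container}/*"):
            for entity in parent:
                # The rule's context excludes entities carrying xsi:nil or var_ref.
                # In XPath 1.0 '@xsi:nil=true()' is true whenever the attribute is
                # present, whatever its value, so presence is what we test.
                if f"{{{XSI}}}nil" in entity.attrib or "var_ref" in entity.attrib:
                    continue
                if entity.get("datatype") != "int":
                    continue
                value = entity.text or ""
                if not is_integer_value(value):
                    local_name = entity.tag.rsplit("}", 1)[-1]
                    failures.append((parent.get("id"), local_name, value))
    return failures


if __name__ == "__main__":
    for parent_id, name, value in check_int_entities(SAMPLE_DEFINITIONS):
        print(f"{parent_id} - The datatype for the {name} entity is 'int' "
              f"but the value {value!r} is not an integer.")
```

Running it reports ste:2 (empty group_id) and ste:3 (user_id of 1.0) and skips ste:4, whose entities carry var_ref and xsi:nil. The empty value fails because number('') is NaN and NaN = floor(NaN) is false, which is the mismatch this item describes.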
Follow-ups:
Date Added: 2011-06-01 15:29:58
I made the two elements nillable.

Date Added: 2011-06-10 12:01:53
The elements will not be nillable. The final change was to simply remove the confusing documentation that said, "To test for a file with no group assigned to it, this entity would be used with an empty value." A file will always have a group_id and user_id. This change will be included in draft 2 of version 5.10.

30046 we need to document the unix-def:password_object, unix-def:password_state, and unix-sc:password_item constructs Closed 2011-04-13 Fixed
Priority: Medium | Category: n/a | Date Closed: 2011-06-14 15:13:57
Details:
We need to document the unix-def:password_object, unix-def:password_state, and unix-sc:password_item constructs.  Many of the entities are missing documentation.
Follow-ups:
Date Added: 2011-05-18 15:12:19
The current documentation says "A password object consists of a single username entity that identifies the user whose passwords are to be evaluated." Notice the use of "passwords" plural. I don't see how a user can have multiple passwords, nor does the reference probe appear to support multiple passwords for a user. There may be multiple users evaluated/queried, but each gets only one password - as far as I can tell.

Date Added: 2011-06-10 17:59:29
unix-def:password_object, unix-def:password_state, and unix-sc:password_item have been documented. This change will be included in draft 2 of version 5.10.

30138 the datatype of the user_id entity in the linux-def:iflisteners_test and the linux-sc:iflisteners_item should be an int Closed 2011-04-21 Fixed
Priority: Medium | Category: n/a | Date Closed: 2011-07-01 11:17:44
Details:
The datatype of the user_id entity in the linux-def:iflisteners_test and the linux-sc:iflisteners_item should be an int because the user_id is an integer value. Changing the datatype from string to int would break backwards compatibility.  This should be considered under the Exceptions clause of the OVAL Language Versioning Methodology.
Follow-ups:
Date Added: 2011-06-16 21:39:26
This topic was raised on the developer list and the schema was changed. This change was made for draft 3 of version 5.10.

30301 add support for a test that can collect the last login time of a user - similar to the lastlog command on unix Closed 2011-04-28 Fixed
Priority: Medium High | Category: n/a | Date Closed: 2011-07-25 14:32:43
Details:
There was a request for a test that can collect the last login time of a user on a system.  On Linux, we can do this using lastlog.  We need to consider whether or not a similar test is needed for other platforms. 

Please see the following oval-developer-list post for more information.

http://making-security-measurable.1364806.n2.nabble.com/How-to-check-for-users-not-logged-in-for-x-amount-of-time-tp6245621p6245621.html
Follow-ups:
Date Added: 2011-07-19 20:14:52
Added last_logon entity to win-def:user_state and win-sc:user_item.
Added last_logon entity to unix-def:password_state and unix-sc:password_item.
This change will be included in version 5.10 release candidate 1.

30362 update the tables in the EntityStateRoutingTableFlagsType and the EntityItemRoutingTableFlagsType documentation Closed 2011-05-04 Fixed
Priority: Medium | Category: n/a | Date Closed: 2011-07-01 11:17:48
Details:
We should update the tables in the EntityStateRoutingTableFlagsType and EntityItemRoutingTableFlagsType documentation according to the changes described in the oval-developer-list post.

http://making-security-measurable.1364806.n2.nabble.com/Routing-collector-flags-for-AIX-tp6328235p6328235.html
Follow-ups:
Date Added: 2011-06-30 19:53:08
Table modified as suggested. See https://computing.llnl.gov/tutorials/performance_tools/man/netstat.txt for AIX routing table flag codes.

Date Added: 2011-06-30 19:59:29
This change will be included in draft 3 of version 5.10.

30364 change the unix-def:sysctl_item/value entity such that it has a maxOccurs='unbounded' Closed 2011-05-04 Fixed
Priority: Medium | Category: System Characteristics Schemas | Date Closed: 2011-06-14 15:14:51
Details:
We need to change the unix-def:sysctl_item/value entity such that it has a maxOccurs='unbounded' because it is possible for a kernel parameter to have more than one value.  Please see the following oval-developer-list post for additional information.

http://making-security-measurable.1364806.n2.nabble.com/Sysctl-test-for-Linux-OSX-tp6327887p6327887.html
Follow-ups:
Date Added: 2011-06-10 18:00:58
This change will be included in draft 2 of version 5.10.

30410 allow for the filepath entity in the sol-def:packagecheck_object, sol-def:packagecheck_state, and sol-sc:packagecheck_item to refer to directories Closed 2011-05-05 Fixed
Priority: Medium | Category: n/a | Date Closed: 2011-06-14 15:13:28
Details:
The current documentation for the filepath entity in the sol-def:packagecheck_object, sol-def:packagecheck_state, and sol-sc:packagecheck_item only allows for the specification of absolute paths to files (i.e. non-directories).  However, the pkgchk can also check directories.  As a result, we should remove the filepath entity documentation that restricts it to only allow for the specification of absolute paths to files.
Follow-ups:
Date Added: 2011-06-09 17:36:32
Added path & filename elements.

Date Added: 2011-06-10 12:32:14
Reverted that change to allow a choice between path+filename and filepath. In this case the change will be to simply remove the documentation that said a directory cannot be expressed in the filepath entity. The revised documentation now says, "The filepath element specifies the absolute path for a file or directory in the specified package." This change will be available in draft 2 of version 5.10.

30485 add enumeration values to the linux-def:EntityStateFileSystemTypeType and linux-sc:EntityItemFileSystemTypeType enumerations Closed 2011-05-10 Fixed
Priority: Medium | Category: n/a | Date Closed: 2011-06-14 15:12:49
Details:
We should add the enumeration values, present in the Linux man page filesystem(5), to the linux-def:EntityStateFileSystemTypeType and linux-sc:EntityItemFileSystemTypeType enumerations.
Follow-ups:
Date Added: 2011-05-26 20:12:23
We should consider removing the enumeration restriction and allowing any string value for the filesystem type. Please see the following oval-developer-list for additional information. http://making-security-measurable.1364806.n2.nabble.com/Partition-test-more-questions-tp6348424p6355894.html

Date Added: 2011-05-31 18:29:02
Removed the enumeration thus making the Type a restriction of StringType with an empty restriction element.

Date Added: 2011-06-01 16:31:26
Removed the FileSystemType altogether and changed to StringType.

Date Added: 2011-06-10 18:03:17
This change will be included in draft 2 of version 5.10.

30857 clarify set operators' documentation Closed 2011-05-26 Fixed
Priority: Medium | Category: Definition Schemas | Date Closed: 2011-07-01 11:17:40
Details:
We should clarify the set operators' documentation so that it is clear that the result of applying all of the operators will be a unique set of OVAL Items (i.e. no duplicate OVAL Items).

Please see the following oval-developer-list post for additional information.

http://making-security-measurable.1364806.n2.nabble.com/Gconf-test-tp6407354p6407562.html

Follow-ups:
Date Added: 2011-06-24 18:05:29
Note: I did not add any documentation clarifying what "duplicate" or "unique" mean. There was some discussion in the thread of what these terms mean and how they are calculated.

Date Added: 2011-06-28 12:45:33
This change will be added to draft 3 of version 5.10.

30893 we need to document the result of evaluating a deprecated definition Closed 2011-06-02 Fixed
Priority: Medium High | Category: n/a | Date Closed: 2011-07-01 11:17:38
Details:
If a definition is deprecated, it is possible that it may not contain a criteria construct.  Deprecated definitions should evaluate to a result of 'not evaluated'.  We should add documentation to specify this.
Follow-ups:
Date Added: 2011-06-27 16:02:06
“When the deprecated attribute is set to true, the definition is considered to be deprecated. The criteria child element of a deprecated definition is optional. If a deprecated definition does not contain a criteria child element, the definition must evaluate to "not evaluated". If a deprecated definition contains a criteria child element, an interpreter should evaluate the definition as if it were not deprecated, but an interpreter may evaluate the definition to "not evaluated".”

Jon

Jonathan O. Baker
G022 - IA Industry Collaboration
The MITRE Corporation
Email: bakerj@mitre.org

Date Added: 2011-06-28 12:44:21
This change will be added to draft 3 of version 5.10.

30926 investigate the current state of implementing the operations for the fileset_revision datatype Closed 2011-06-06 Fixed
Priority: Medium | Category: n/a | Date Closed: 2011-07-25 14:32:41
Details:
The documentation for the fileset_revision datatype says:

"As far as implementing operations, right now there is a IP licensing issue being discussed on our ability to publicize the method to do this; however, the HP-UX team is willing to discuss how to implement this with anyone who would like to do it while we are waiting for the IP licensing issue to be resolved."

Is this still the case?  We should investigate this further to see if any progress has been made in this area.
Follow-ups:
Date Added: 2011-07-15 16:18:13
http://bizsupport1.austin.hp.com/bc/docs/support/SupportManual/c02023876/c02023876.pdf "Software Distributor Administration Guide"

Pages 19-20 present the following example:

"HPUX11i-TCOE B.11.23.0512 HP-UX Technical Computing Operating Environment Component
The above revision string represents the following:
B.11.23 = HP-UX 11i v2
0512 = December 2005 Update Release"

Page 48 provides the best guidance:

"The <op> (relational operator) component performs individual comparisons on dot-separated fields and can be of the form: =, ==, >=, <=, <, >, or !=. For example, r>=B.11.11 chooses all revisions greater than or equal to B.11.11. The system compares each dot-separated field to find matches."

Pages 234 and 244 specify the size of a revision_string, but do not specify any semantics. Assuming the guidance on page 48 is authoritative, it looks straightforward to implement the comparison operators in OVAL.

Date Added: 2011-07-19 12:55:03
Perhaps a better reference to the manual cited above: http://h20000.www2.hp.com/bc/docs/support/SupportManual/c01919399/c01919399.pdf In the version 5.10 release candidate this reference will be added to the definition of the fileset_revision datatype.
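The field-by-field comparison the Software Distributor guide describes, worked through in Python as an added example (not OVAL project code and not the reference implementation of the fileset_revision datatype). Two details the guide leaves open are assumptions here: all-digit fields are compared numerically so that 9 sorts before 11, and a revision with fewer fields sorts below one that extends it.

```python
"""Relational operators over HP-UX fileset revision strings such as
B.11.23.0512, comparing each dot-separated field from left to right."""

RELATIONAL_OPS = ("=", "==", ">=", "<=", "<", ">", "!=")


def _field_key(field):
    # Assumption: all-digit fields compare numerically ("9" < "11"); any other
    # field, such as the leading "B", compares as text.
    return (0, int(field)) if field.isdigit() else (1, field)


def compare_revisions(left, right):
    """Return -1, 0 or 1 by comparing dot-separated fields left to right.
    Assumption: a missing trailing field is lower than any present one,
    so B.11.23 < B.11.23.0512."""
    left_fields = left.split(".")
    right_fields = right.split(".")
    for a, b in zip(left_fields, right_fields):
        key_a, key_b = _field_key(a), _field_key(b)
        if key_a < key_b:
            return -1
        if key_a > key_b:
            return 1
    if len(left_fields) == len(right_fields):
        return 0
    return -1 if len(left_fields) < len(right_fields) else 1


def revision_matches(actual, op, wanted):
    """Evaluate 'actual <op> wanted' for one of the <op> forms in the guide."""
    c = compare_revisions(actual, wanted)
    if op in ("=", "=="):
        return c == 0
    if op == "!=":
        return c != 0
    if op == ">=":
        return c >= 0
    if op == "<=":
        return c <= 0
    if op == ">":
        return c > 0
    if op == "<":
        return c < 0
    raise ValueError(f"unsupported operator {op!r}")


def select_revisions(revisions, op, wanted):
    """The guide's r>=B.11.11 example: keep every revision satisfying the test."""
    return [r for r in revisions if revision_matches(r, op, wanted)]


if __name__ == "__main__":
    # Constructed list of installed revisions, not real inventory data.
    installed = ["B.11.00", "B.11.11", "B.11.23.0512", "A.12.00"]
    print(select_revisions(installed, ">=", "B.11.11"))
```

The numeric-field assumption is the one that matters in practice: a purely lexical comparison would rank B.11.9 above B.11.11, which is not what the "greater than or equal to B.11.11" example in the guide intends.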

30937 allow the filepath entity in the macos-def:diskutil_test to contain a directory Closed 2011-06-07 Fixed
Priority: Medium | Category: n/a | Date Closed: 2011-07-01 11:17:36
Details:
We should allow for the filepath entity to contain a directory because it is possible that the permissions, for a directory, may differ.  We just need to remove the documentation that prohibits the specification of a directory in the filepath entity documentation.
Follow-ups:
Date Added: 2011-06-14 15:23:53
This change will be included in draft 3 of version 5.10.

31008 update the linux-def:iflisteners_test such that only applications bound to ethernet interfaces are considered Closed 2011-06-10 Fixed
Priority: Medium | Category: n/a | Date Closed: 2011-06-14 15:13:19
Details:
The linux-def:iflisteners_test does not currently specify what types of interfaces should be supported.  Given that ethernet interfaces should cover the majority of the cases, we should update the linux-def:iflisteners_test such that only applications bound to ethernet interfaces are considered.
Follow-ups:
Date Added: 2011-06-10 18:05:23
This change will be included in draft 2 of version 5.10.

31009 add creation_time, dep_enabled, and primary_window_text entities to the win-def:process58_test Closed 2011-06-10 Fixed
Priority: Medium | Category: n/a | Date Closed: 2011-06-14 15:17:17
Details:
We should add the ability to search based on the executable file and primary window text for processes.  Since this information is not needed to uniquely identify a process, the primary window text entity should just be added to the win-def:process58_state and win-sc:process_item.  The image_path entity is already present.  From there, a search based on the image_path or primary_window_text entity can be accomplished by using an OVAL Filter.  We should also add support for the collection of the process' creation time as well as whether or not data execution prevention is enabled for the process.
Follow-ups:
Date Added: 2011-06-10 18:04:39
This change will be included in draft 2 of version 5.10.

31014 add support for a win-def:peheader_test Closed 2011-06-10 Fixed
Priority: Medium | Category: n/a | Date Closed: 2011-08-17 12:40:50
Details:
In order to support the collection of information from a PE file header, we should add a win-def:peheader_test.
Follow-ups:
Date Added: 2011-06-28 12:42:08
This test was added to draft 2 of version 5.10.

31246 schematron rules for reporting deprecated constructs should not report errors Closed 2011-07-01 Rejected
Priority: High | Category: n/a | Date Closed: 2011-07-14 15:10:23
Details:
The schematron rules that check for deprecated constructs are currently reporting errors.  For example:

Engine name: ISO Schematron
Severity: error
Description: DEPRECATED TEST: fileauditedpermissions_test ID: oval:sample:tst:1 

We should not be reporting errors when a deprecated construct is found because it is still valid to use deprecated constructs in content.
Follow-ups:
Date Added: 2011-07-14 15:10:23
All Schematron rules for reporting deprecation status use the sch:report construct. Tools may differentiate deprecation statements based upon the use of sch:report. This is documented in the deprecation policy (https://oval.mitre.org/language/about/deprecation.html).

31389 deprecate the include_group behavior wherever the resolve_group behavior is deprecated Closed 2011-07-19 Fixed
Priority: Medium | Category: Definition Schemas | Date Closed: 2011-07-25 14:32:38
Details:
We deprecated the resolve_group behavior, in many tests, because we wanted to leave the job of resolving the members of groups to tests (sid_object and sid_sid_object) that could do it more efficiently rather than every test that utilized trustee names and SIDs.  However, in doing so, we did not deprecate the include_group behavior and it does not make sense without the resolve_group behavior.  As a result, we should also deprecate the include_group behavior in these instances and recommend that it be used with the sid_object or sid_sid_object like the resolve_group behavior.
Follow-ups:
Date Added: 2011-07-20 01:16:21
This change will be included in version 5.10 release candidate 1.

31761 allow for the ability to map between the linux-def:rpminfo_test and the linux-def:rpmverifyfile_test and linux-def:rpmverifypackage_test Closed 2011-08-23 Fixed
Priority: Medium | Category: n/a | Date Closed: 2011-08-26 17:07:09
Details:
Allow for the ability to map between the linux-def:rpminfo_test and the linux-def:rpmverifyfile_test and linux-def:rpmverifypackage_test.  For the RHEL 5 USGCB, there is a need to both verify the contents of an rpm as well as check its signature, however, the current version of the linux-def:rpminfo_test and the linux-def:rpmverify_test does not support the ability to map between the two tests. To support this use case, an extended_name entity (name-epoch:version-release.architecture) is needed in the OVAL States and OVAL Items for the linux-def:rpminfo_test, the linux-def:rpmverifyfile_test, and the linux-def:rpmverifypackage_test. 
Follow-ups:
Date Added: 2011-08-24 18:09:11
This change will be available in OVAL 5.10 Release Candidate 2.

31762 the name entity in the rpm-based tests does not uniquely identify an rpm on the system Closed 2011-08-23 Fixed
Priority: Medium | Category: n/a | Date Closed: 2011-08-26 17:07:02
Details:
The name entity in the rpm-based tests does not uniquely identify an rpm on the system. The specification of the name, epoch, version, release, and architecture is needed, in the object, to uniquely identify an rpm on the system.  This change should be made to the linux-def:rpmverifyfile_test and the linux-def:rpmverifypackage_test. This change will not be made to the linux-def:rpminfo_test in order to prevent deprecating a large amount of existing content and needing to update the tools that generate this content.
Follow-ups:
Date Added: 2011-08-24 18:09:54
This change will be available in OVAL 5.10 Release Candidate 2.
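The two items above (31761 and 31762) both turn on the same point: a package name alone does not identify an rpm, while name-epoch:version-release.architecture does. The following added example (not OVAL project code) builds and parses that extended_name form over a constructed package list; the package versions are made up, and the right-to-left parse relies on the rpm rule that version and release may not contain a hyphen.

```python
"""Build and parse the extended_name form name-epoch:version-release.architecture
and show that it singles out one installed rpm where the name alone does not."""
from typing import NamedTuple


class RpmIdentity(NamedTuple):
    name: str
    epoch: str
    version: str
    release: str
    arch: str

    def extended_name(self):
        # The form proposed in tracker item 31761.
        return f"{self.name}-{self.epoch}:{self.version}-{self.release}.{self.arch}"


def parse_extended_name(text):
    """Split an extended_name back into its parts.

    Package names may contain hyphens and versions contain dots, so the string
    is split from the right: arch after the last '.', release after the last
    '-', then epoch:version after the next '-'. Assumption (true for rpm):
    version and release never contain '-', and the architecture never contains '.'.
    """
    rest, arch = text.rsplit(".", 1)
    rest, release = rest.rsplit("-", 1)
    name, evr = rest.rsplit("-", 1)
    epoch, version = evr.split(":", 1)
    return RpmIdentity(name, epoch, version, release, arch)


# Constructed sample of installed packages, not real inventory data.
INSTALLED = [
    RpmIdentity("glibc", "0", "2.5", "58.el5", "x86_64"),
    RpmIdentity("glibc", "0", "2.5", "58.el5", "i686"),
    RpmIdentity("kernel", "0", "2.6.18", "238.el5", "x86_64"),
    RpmIdentity("kernel", "0", "2.6.18", "274.el5", "x86_64"),
    RpmIdentity("java-1.6.0-openjdk", "1", "1.6.0.0", "1.22.1.9.8.el5", "x86_64"),
]


def by_name(installed, name):
    """What a name-only object matches: possibly several rpms."""
    return [p for p in installed if p.name == name]


def by_extended_name(installed, ext):
    """What an extended_name matches: at most one rpm."""
    wanted = parse_extended_name(ext)
    return [p for p in installed if p == wanted]


if __name__ == "__main__":
    print("glibc by name:", len(by_name(INSTALLED, "glibc")))
    print("glibc.i686 by extended_name:",
          by_extended_name(INSTALLED, "glibc-0:2.5-58.el5.i686"))
```

Multilib systems (glibc in both i686 and x86_64) and multiple installed kernels are the usual cases where a name-only match returns more than one item, which is why 31762 requires name, epoch, version, release and architecture in the rpmverifyfile and rpmverifypackage objects.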

31783 add documentation specifying the order in which instance values should be assigned for the macos-def:plist510_test Closed 2011-08-25 Fixed
Priority: Medium | Category: n/a | Date Closed: 2011-08-26 17:06:53
Details:
We should add documentation specifying the order in which instance values should be assigned for the macos-def:plist510_test when multiple instances of a key are discovered.  To make it consistent with a content author examining a plist file, the instance values must be assigned using a depth-first approach.
Follow-ups:
Date Added: 2011-08-26 14:03:57
This change will be available in the OVAL 5.10 Release Candidate 2.
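One reading of the depth-first assignment described above, as an added example that is not part of the tracker item or of any OVAL interpreter: walk the parsed plist in document order, descend into each nested dictionary or array before moving to the next sibling key, and number every occurrence of the requested key as it is reached. The plist content is constructed for the example.

```python
"""Assign instance numbers to repeated plist keys with a depth-first walk."""
import plistlib

# Constructed plist: the key "Enabled" appears at several nesting depths.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Enabled</key><true/>
  <key>Services</key>
  <array>
    <dict>
      <key>Name</key><string>ssh</string>
      <key>Enabled</key><false/>
    </dict>
    <dict>
      <key>Name</key><string>screen-sharing</string>
      <key>Options</key>
      <dict>
        <key>Enabled</key><true/>
      </dict>
      <key>Enabled</key><true/>
    </dict>
  </array>
</dict>
</plist>
"""


def key_instances(plist_bytes, key):
    """Number each occurrence of `key` in depth-first document order, from 1.

    Returns a list of (instance, path, value); the path is the chain of keys and
    array indices leading to the occurrence, as a content author would read it.
    """
    found = []

    def walk(node, path):
        if isinstance(node, dict):
            # plistlib keeps keys in document order, so siblings are visited
            # in the order they appear in the file.
            for k, v in node.items():
                child = path + [k]
                if k == key:
                    found.append((len(found) + 1, "/".join(child), v))
                walk(v, child)  # descend before the next sibling key
        elif isinstance(node, list):
            for i, v in enumerate(node):
                walk(v, path + [str(i)])

    walk(plistlib.loads(plist_bytes), [])
    return found


if __name__ == "__main__":
    for instance, path, value in key_instances(SAMPLE_PLIST, "Enabled"):
        print(f"instance {instance}: {path} = {value}")
```

The point the walk makes visible is instance 3: the Enabled key nested under Options is numbered before the Enabled key that follows it in the same dictionary, because the walk goes deeper before it moves to the next sibling.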

31790 discuss and address registry and file system redirection on 64-bit windows Closed 2011-08-26 Fixed
Priority: Medium | Category: n/a | Date Closed: 2011-08-26 21:57:42
Details:
Please see the following oval-developer-list posts for additional information.

http://making-security-measurable.1364806.n2.nabble.com/OVAL-Community-Call-Discuss-32-64-Bit-Issues-on-64-bit-Windows-tp6652547p6652547.html

http://making-security-measurable.1364806.n2.nabble.com/Re-OVAL-DISCUSSION-LIST-OVAL-Community-Call-Discuss-32-64-Bit-Issues-on-64-bit-Windows-tp6672063p6672063.html

http://making-security-measurable.1364806.n2.nabble.com/Community-Call-8-10-2011-tp6676791p6676791.html

http://making-security-measurable.1364806.n2.nabble.com/32-64-bit-updated-proposal-tp6716130p6716130.html

http://making-security-measurable.1364806.n2.nabble.com/Fwd-Re-OVAL-DEVELOPER-LIST-32-64-bit-updated-proposal-tp6721038p6721038.html
Follow-ups:
Date Added: 2011-08-27 00:10:12
This change will be included in version 5.10 RC 2.

31870 file behavior documentation clarifications Closed 2011-09-05 Fixed
Priority: High | Category: Definition Schemas | Date Closed: 2011-09-15 01:40:36
Details:
We need to make the following clarifications to the FileBehaviors documentation:

We need to change all occurrences of "Note that a max-depth other than -1 has to be specified for recursion to take place and for this attribute to mean anything" to "Note that a max-depth other than 0 has to be specified for recursion to take place and for this attribute to mean anything".  This is wrong because "-1" means limitless recursion.

We also need to specify which entities we are referring to (e.g. path and filepath) when we say that "Note that this behavior only applies with an equality operation.".
Follow-ups:
Date Added: 2011-09-08 20:10:48
Please see the following oval-developer-list post for additional information. http://making-security-measurable.1364806.n2.nabble.com/Version-5-10-Release-Candidate-2-Available-tt6730602.html

Date Added: 2011-09-08 20:30:42
These changes will be available in the final release of OVAL 5.10.

32092 document the status to use when the information for an entity is not set Closed 2011-09-12 Fixed
Priority: Medium | Category: System Characteristics Schemas | Date Closed: 2011-09-12 19:43:09
Details:
When the information for an entity is not set, the status for that entity should be 'does not exist'.

Please see the following oval-developer-list posts for additional information.

http://making-security-measurable.1364806.n2.nabble.com/Shadow-object-collection-tp6073989p6073989.html

http://making-security-measurable.1364806.n2.nabble.com/Re-Shadow-object-collection-td6243589.html

Follow-ups:
n/a

32105 clarify the documentation around the PSLanguageMode enumeration Closed 2011-09-13 Fixed
Priority: Medium | Category: n/a | Date Closed: 2011-09-15 01:42:00
Details:
We should specify that people should look at Microsoft's documentation for more information on the PSLanguageMode enumeration.  Otherwise, people may think to look in the schemas.
Follow-ups:
n/a

27913 spjobdefinition_object underspecifies the item Closed 2010-10-06 Fixed
Priority: Very Low | Category: Definition Schemas | Date Closed: 2011-07-25 14:32:49
Details:
spjobdefinition_object underspecifies the SPJobDefinition object it is supposed to capture.  Currently, the spjobdefinition_object has a single entity, webappuri.  This entity specifies the SPWebApplication, which may contain several SPJobDefinition objects.  I recommend adding an additional entity to the spjobdefinition_object to specify some unique attribute of a SPJobDefinition, such as Title.

Sharepoint SDK information:
SPWebApplication.JobDefinitions -> returns SPJobDefinitionCollection
SPWebApplication has a URL, and contains many SPJobDefinition objects

http://msdn.microsoft.com/en-us/library/microsoft.sharepoint.administration.spwebapplication.jobdefinitions.aspx
Follow-ups:
Date Added: 2011-07-14 18:59:29
In version 5.10 the sp-def:spjobdefinition_object will be deprecated and replaced with a sp-def:spjobdefinition510_object. The new object will include the displayname entity to distinguish individual jobs. Note that the test, state, and item associated with spjobdefinitions have also been replaced.

27919 spwebapplication_state entity naming inconsistency Closed 2010-10-06 Fixed
Priority: Very Low | Category: n/a | Date Closed: 2011-07-25 14:32:48
Details:
The outboundmailserverinstance entity of the spwebapplication_state is inconsistent with the Sharepoint SDK.  The proper entity name is "outboundmailserviceinstance".  This error also exists in the spwebapplication_item.

http://msdn.microsoft.com/en-us/library/microsoft.sharepoint.administration.spwebapplication.outboundmailserviceinstance.aspx
Follow-ups:
Date Added: 2011-05-26 16:15:58
The correction is: server -> service

Date Added: 2011-07-14 18:15:58
For version 5.10 we will add schema documentation noting this naming inconsistency. Renaming the entity would result in the creation of a new version of this test which does not seem to be warranted here.

27922 spsite_state has duplicate url entity Closed 2010-10-07 Fixed
Priority: Very Low | Category: n/a | Date Closed: 2011-07-25 14:32:47
Details:
On the spsite_state, the entities <sitecollectionurl> and <url> seem to be redundant.  The SPSite object, which refers to a site collection, has a URL that uniquely identifies it.  This should not be confused with a SPSiteCollection, which is a collection of all the SPSite objects in the Web application.  I recommend removing one of these url entities (also in the item).
Follow-ups:
Date Added: 2011-07-14 18:33:36
For version 5.10 we will deprecate the url entity.

28043 spantivirussettings_state timeout entity is underspecified Closed 2010-10-15 Fixed
Priority: Very Low | Category: n/a | Date Closed: 2011-07-01 11:17:42
Details:
spantivirussettings_state (and item) <timeout> entity specifies a timeout value, but does not give the units of this value.  This should be changed to specify seconds or minutes.  Currently the probe returns seconds, but minutes are also accessible from the API.
Follow-ups:
Date Added: 2011-06-16 21:30:33
This documentation has been updated to indicate that seconds must be reported. This change will be included in draft 3 of version 5.10.

28044 spwebapplication_state timeout entity is underspecified Closed 2010-10-15 Fixed
Priority: Very Low | Category: n/a | Date Closed: 2011-07-01 11:17:41
Details:
spwebapplication_state (and item) <timeout> entity specifies a timeout value, but does not give the units of this value.  This should be changed to specify seconds or minutes.  Currently the probe returns seconds, but minutes are also accessible from the API.
Follow-ups:
Date Added: 2011-06-16 19:50:27
The documentation has been changed to reflect that seconds must be used. This change will be included in draft 3 of version 5.10.

28625 spwebapplication_object outboundmailserverinstance entity should be renamed Closed 2010-12-03 Fixed
Priority: Very Low | Category: n/a | Date Closed: 2011-07-01 11:17:43
Details:
The outboundmailserverinstance object entity should be renamed to something like outboundmailserverinstancename, to signify that the element represents a string, as opposed to checking existence or something else.
Follow-ups:
Date Added: 2011-06-16 19:46:51
Clarified documentation to reflect that this entity is the name of the instance. This change will be included in draft 3 of version 5.10.

29420 Add Schematron rule to check datatype for count function Closed 2011-03-11 Rejected
Priority: Medium High | Category: Definition Schemas | Date Closed: 2011-06-09 12:41:22
Details:
We have added the 'count' function to the 5.10 draft, but probably should add a Schematron rule to capture the following:

* Any local_variable that uses the 'count' function should have its datatype be an int

See the rule for the 'arithmetic' function as an example.
Follow-ups:
Date Added: 2011-06-01 17:32:12
As far as I can tell, none of the other function elements ensure that their result is placed in the proper type of variable. I see rules to ensure the items being operated upon are the correct type for the operation, but nothing about the result container. Should rules be added for ALL of the function types? Or is there a reason the result type is not enforced? Or perhaps I'm missing something?

Date Added: 2011-06-09 12:11:45
After further discussion via email, it has been decided that this rule is not necessary.
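
The rule described in this item, written out as an added illustration of what was proposed. It is not part of the OVAL schemas (the follow-up above records that it was not adopted); it follows the shape of the existing Schematron rule for the 'arithmetic' function and assumes the oval-def prefix is bound to the OVAL 5 definitions namespace, with the pattern id being a placeholder chosen here.

```xml
<sch:schema xmlns:sch="http://purl.oclc.org/dsdl/schematron" queryBinding="xslt">
  <!-- Added illustration, not from the OVAL schemas: bind the prefix used in
       the rule's XPath to the OVAL 5 definitions namespace. -->
  <sch:ns prefix="oval-def" uri="http://oval.mitre.org/XMLSchema/oval-definitions-5"/>

  <!-- Pattern id is a placeholder. The rule fires on any local_variable whose
       value is produced by a count function and requires datatype="int",
       mirroring the checks the schema already applies for 'arithmetic'. -->
  <sch:pattern id="oval-def_count_datatype_placeholder">
    <sch:rule context="oval-def:local_variable[oval-def:count]">
      <sch:assert test="@datatype='int'">
        <sch:value-of select="@id"/> - a local_variable that uses the count
        function must have a datatype of 'int'
      </sch:assert>
    </sch:rule>
  </sch:pattern>
</sch:schema>
```

Run against a definitions document, this flags only local_variable elements that contain a count child and declare some other datatype; a variable whose count wraps an object_component and declares datatype="int" passes, which is the check the item asked for.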

30102 document usage of Asset Identification (AI) in OVAL Closed 2011-04-19 Fixed
Priority: High | Category: System Characteristics Schemas | Date Closed: 2011-07-01 11:17:45
Details:
We have identified two locations where an integration with the Asset Identification (AI) spec might make sense:

1. Within the system characteristics file, in the system_info element to identify the asset being analyzed.  

2. Within the 'generator' element in oval-definitions, oval-system-characteristics, and oval-results.

As part of March 2011 Developer Days, discussions on this topic were held, and it was decided that the best way to achieve this integration was to add documentation in the form of a comment to the schema/spec that would suggest and show how to do this via the existing 'any' elements.
Follow-ups:
Date Added: 2011-06-30 16:27:11
Added documentation pointing to the AI spec, noting why AI is useful, and providing guidance on the AI element to use for each case.

Date Added: 2011-06-30 17:36:10
This update will be included in draft 3 of version 5.10.

30418 Add 'applicability_check' attribute to Criteria, Criterion, & Extend_Definition. Closed 2011-05-06 Fixed
Priority: Medium | Category: Definition Schemas | Date Closed: 2011-06-14 15:13:03
Details:
There is an outstanding request from the community to add an attribute to the Criteria, Criterion, & Extend_Definition constructs that allows explicitly marking a Test as an applicability Test.  The following email from Michael Sainsbury explains the detailed request:

http://making-security-measurable.1364806.n2.nabble.com/Proposal-for-extending-Oval-criteria-criterion-and-extend-definition-to-specify-applicabilityChecks-tp6271556p6271556.html

Note that we are only planning on implementing proposal #1 from Michael's email at this point.  
Follow-ups:
Date Added: 2011-06-10 10:30:50
This capability has been added to version 5.10 draft 2.
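
An added example, not taken from the page or the OVAL repository, of how the attribute requested in this item is used on a criterion once it is in the definitions schema. The definition and test ids are placeholders constructed for the illustration, and the assumption is that applicability_check is an optional boolean attribute on criteria, criterion, and extend_definition.

```xml
<definition xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
            id="oval:example.placeholder:def:1" version="1" class="vulnerability">
  <metadata>
    <title>Added illustration of applicability_check (placeholder definition)</title>
    <description>
      Shows how a platform check is marked as an applicability test so that a
      results consumer can tell "not applicable" apart from "not vulnerable".
    </description>
  </metadata>
  <criteria operator="AND">
    <!-- Marked as an applicability check: if this criterion evaluates to false,
         the definition's false result means the target is out of scope rather
         than unaffected. Test ids are placeholders. -->
    <criterion applicability_check="true"
               test_ref="oval:example.placeholder:tst:1"
               comment="Operating system is the platform this definition targets"/>
    <!-- The actual vulnerability condition; not an applicability check. -->
    <criterion test_ref="oval:example.placeholder:tst:2"
               comment="Affected version of the package is installed"/>
  </criteria>
</definition>
```

Evaluation semantics do not change: the attribute is a marker that tools and report generators can use to explain why a definition resolved to false, not a new boolean operator.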

32445 spelling error in linux-def:rpmverify_object and linux-def:rpmverifypackage_object Open 2011-10-28 n/a
Priority: Low | Category: Definition Schemas | Date Closed: n/a
Details:
In the linux-definitions-schema.xsd file, linux-def:rpmverify_object and linux-def:rpmverifypackage_object both contain the documentation annotation:
"...element is used by a rpmverity_test..."

rpmverity should read as rpmverify, and rpmverifypackage respectively.
Follow-ups:
n/a

Timeline for Version 5.10

PLANNING: 12 January 2011
DRAFT: 10 March 2011
RELEASE CANDIDATE: 19 July 2011
OFFICIAL: 14 September 2011

Status Reports

Status updates are included below. You may also review the OVAL Developer’s Forum Archives for discussions about Version 5.10.

[2011-09-14]

Version 5.10 has been officially released. Many thanks to all in the community who helped with this minor release.

[2011-08-26]

Version 5.10 Release Candidate 2 is now available for community review and comment. This second release candidate includes several minor documentation fixes in component schemas, the addition of a behavior and corresponding state and item entities to support 32-bit redirection on 64-bit Microsoft Windows systems, and updates to the RPM related tests. Each of these changes is documented with a tracker item.

[2011-08-15]

The official release date for Version 5.10 has been moved to September 14th to allow for one more release candidate and additional time for both content authors and tool vendors to make any needed updates. A second release candidate will be available soon.

[2011-07-19]

Version 5.10 Release Candidate 1 is now available for community review and comment. As a reminder a release candidate signifies that the proposed OVAL Language revision has reached a level of consensus within the OVAL Community, and the OVAL Moderator has verified that the language is valid. In the release candidate stage, the language remains frozen for a period of time determined by the OVAL Board. It is during this stage that vendors and tool developers should update their tools with the knowledge that the schema will remain reasonably stable. Subsequent release candidates may be released if a serious problem is discovered in the proposed language. This release candidate represents a complete implementation of all planned changes for Version 5.10 and includes the following updates since the last draft:

  • deprecated the include_group behavior wherever the resolve_group behavior is deprecated (windows component schemas only)
  • completed test to support using PowerShell cmdlets to collect system state information (win-def:cmdlet_test)
  • completed win-def:peheader_test
  • corrected Schematron rules for objects in EntityAttributeGroup that did not account for the new EntityObjectRecordType (oval-definitions-schema.xsd)
  • added documentation on implementing the operations for the fileset_revision datatype
  • added instance entity to the macos-def:plist_object - created macos-def:plist510_object
  • added last_logon entity to win-def:user_state, win-sc:user_item, unix-def:password_state, and unix-sc:password_item
  • clarified documentation around handling of recording partial matches in system characteristics items
  • clarified documentation and added dependency_check_passed, digest_check_passed, verification_script_successful, and signature_check_passed entities to the lin-def:rpmverify_test
  • corrected conflicting and invalid documentation of the mask attribute
  • added win-def:sharedresourceeffectiverights_test and win-def:sharedresourceauditedpermissions_test
  • corrected several issues in the sharepoint component schema

[2011-06-30]

Version 5.10 Draft 3 is now available for community review and comment. This draft includes numerous documentation clarifications, a new PowerShell cmdlet test, and several minor fixes.

[2011-06-10]

Version 5.10 Draft 2 is now available for community review and comment. This second draft will serve as a basis for discussion at Developer Days to be held at MITRE June 14-17, 2011. For more information on this event see the developer days page.

[2011-03-10]

Version 5.10 Draft 1 is now available for community review and comment. This first draft includes the addition of a tpm component schema, a new single test structure to replace all existing tests, two new functions, and integration of the NIST Asset Identification specification (NIST Interagency Report 7693). This first draft will serve as a basis for discussion at the March Developer Days to be held at NIST. For more information on this event see the developer days page.

[2011-01-12]

Version 5.10 is currently in the planning stage. If you have any suggestions for changes that should be included, please send them to the OVAL Community.


Page Last Updated: May 13, 2013