The following is a description of the elements, types, and attributes that compose the Windows-specific tests found in Open Vulnerability and Assessment Language (OVAL). Each test is an extension of the standard test element defined in the Core Definition Schema. Through extension, each test inherits a set of elements and attributes that are shared amongst all OVAL tests. Each test is described in detail and should provide the information necessary to understand what each element and attribute represents. This document is intended for developers and assumes some familiarity with XML. A high-level description of the interaction between the different tests and their relationship to the Core Definition Schema is not outlined here.
The OVAL Schema is maintained by The Mitre Corporation and developed by the public OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.mitre.org.
The access token test is used to check the properties of a Windows access token as well as the individual privileges and rights associated with it. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references an accesstoken_object and the optional state element specifies the data to check. The evaluation of the test is guided by the check attribute that is inherited from the TestType.
| Child Elements | Type | MinOccurs | MaxOccurs |
|---|---|---|---|
| object | oval-def:ObjectRefType | | |
| state | oval-def:StateRefType | 0 | |
The accesstoken_object element is used by an access token test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
An access token object consists of a single security principle that identifies the user, group, or computer account that is associated with the token.
| Child Elements | Type | MinOccurs | MaxOccurs |
|---|---|---|---|
| behaviors | win-def:AccesstokenBehaviors | 0 | |
| security_principle | oval-def:EntityObjectStringType | | |
The accesstoken_state element defines the different information that can be used to evaluate the specified access tokens. This includes the multitude of user rights and permissions that can be granted. Please refer to the individual elements in the schema for more details about what each represents.
These behaviors allow a more detailed definition of the accesstoken_object being specified.
Attributes:
- include_group xsd:boolean (optional -- default='true')
- resolve_group xsd:boolean (optional -- default='false')
The active directory test is used to check information about specific entries in active directory. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references an activedirectory_object and the optional state element specifies the metadata to check. The evaluation of the test is guided by the check attribute that is inherited from the TestType.
| Child Elements | Type | MinOccurs | MaxOccurs |
|---|---|---|---|
| object | oval-def:ObjectRefType | | |
| state | oval-def:StateRefType | 0 | |
The activedirectory_object element is used by an active directory test to define those objects to be evaluated based on a specified state. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
An active directory object consists of three pieces of information, a naming context, a relative distinguished name, and an attribute. Each piece helps identify a specific active directory entry.
| Child Elements | Type | MinOccurs | MaxOccurs |
|---|---|---|---|
| naming_context | win-def:EntityObjectNamingContextType | | |
| relative_dn | oval-def:EntityObjectStringType | | |
| attribute | oval-def:EntityObjectStringType | | |
The activedirectory_state element defines the different information that can be used to evaluate the specified entries in active directory. An active directory test will reference a specific instance of this state that defines the exact settings that need to be evaluated. Please refer to the individual elements in the schema for more details about what each represents.
| Child Elements | Type | MinOccurs | MaxOccurs |
|---|---|---|---|
| naming_context | win-def:EntityStateNamingContextType | 0 | |
| relative_dn | oval-def:EntityStateStringType | 0 | |
| attribute | oval-def:EntityStateStringType | 0 | |
| object_class | oval-def:EntityStateStringType | 0 | |
| adstype | win-def:EntityStateAdstypeType | 0 | |
| value | oval-def:EntityStateAnyType | 0 | unbounded |
The audit event policy test is used to check the different types of events the system should audit. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references an auditeventpolicy_object and the optional state element specifies the metadata to check. The evaluation of the test is guided by the check attribute that is inherited from the TestType.
| Child Elements | Type | MinOccurs | MaxOccurs |
|---|---|---|---|
| object | oval-def:ObjectRefType | | |
| state | oval-def:StateRefType | 0 | |
The auditeventpolicy_object element is used by an audit event policy test to define those objects to evaluate based on a specified state. There is actually only one object relating to audit event policy and this is the system as a whole. Therefore, there are no child entities defined. Any OVAL Test written to check audit event policy will reference the same auditeventpolicy_object which is basically an empty object element.
The auditeventpolicy_state element specifies the different system activities that can be audited. An audit event policy test will reference a specific instance of this state that defines the exact settings that need to be evaluated. The defined values are found in the Windows POLICY_AUDIT_EVENT_TYPE enumeration and are retrieved through the LsaQueryInformationPolicy function when its InformationClass parameter is set to PolicyAuditEventsInformation. Please refer to the individual elements in the schema for more details about what each represents.
| Child Elements | Type | MinOccurs | MaxOccurs |
|---|---|---|---|
| account_logon | win-def:EntityStateAuditType | 0 | |
| account_management | win-def:EntityStateAuditType | 0 | |
| detailed_tracking | win-def:EntityStateAuditType | 0 | |
| directory_service_access | win-def:EntityStateAuditType | 0 | |
| logon | win-def:EntityStateAuditType | 0 | |
| object_access | win-def:EntityStateAuditType | 0 | |
| policy_change | win-def:EntityStateAuditType | 0 | |
| privilege_use | win-def:EntityStateAuditType | 0 | |
| system | win-def:EntityStateAuditType | 0 | |
The audit event policy subcategories test is used to check the different types of events the system should audit. These subcategories are new for Windows Vista. The test extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references an auditeventpolicy_object and the optional state element specifies the metadata to check. The evaluation of the test is guided by the check attribute that is inherited from the TestType.
| Child Elements | Type | MinOccurs | MaxOccurs |
|---|---|---|---|
| object | oval-def:ObjectRefType | | |
| state | oval-def:StateRefType | 0 | |
The auditeventpolicysubcategories_object element is used by an audit event policy subcategories test to define those objects to evaluate based on a specified state. There is actually only one object relating to audit event policy subcategories and this is the system as a whole. Therefore, there are no child entities defined. Any OVAL Test written to check audit event policy subcategories will reference the same auditeventpolicysubcategories_object which is basically an empty object element.
The auditeventpolicysubcategories_state element specifies the different system activities that can be audited. An audit event policy subcategories test will reference a specific instance of this state that defines the exact subcategories that need to be evaluated. Please refer to the individual elements in the schema for more details about what each represents.
| Child Elements | Type | MinOccurs | MaxOccurs |
|---|---|---|---|
| credential_validation | win-def:EntityStateAuditType | 0 | |
| kerberos_ticket_events | win-def:EntityStateAuditType | 0 | |
| other_account_logon_events | win-def:EntityStateAuditType | 0 | |
| application_group_management | win-def:EntityStateAuditType | 0 | |
| computer_account_management | win-def:EntityStateAuditType | 0 | |
| distribution_group_management | win-def:EntityStateAuditType | 0 | |
| other_account_management_events | win-def:EntityStateAuditType | 0 | |
| security_group_management | win-def:EntityStateAuditType | 0 | |
| user_account_management | win-def:EntityStateAuditType | 0 | |
| dpapi_activity | win-def:EntityStateAuditType | 0 | |
| process_creation | win-def:EntityStateAuditType | 0 | |
| process_termination | win-def:EntityStateAuditType | 0 | |
| rpc_events | win-def:EntityStateAuditType | 0 | |
| directory_service_access | win-def:EntityStateAuditType | 0 | |
| directory_service_changes | win-def:EntityStateAuditType | 0 | |
| directory_service_replication | win-def:EntityStateAuditType | 0 | |
| detailed_directory_service_replication | win-def:EntityStateAuditType | 0 | |
| account_lockout | win-def:EntityStateAuditType | 0 | |
| ipsec_extended_mode | win-def:EntityStateAuditType | 0 | |
| ipsec_main_mode | win-def:EntityStateAuditType | 0 | |
| ipsec_quick_mode | win-def:EntityStateAuditType | 0 | |
| logoff | win-def:EntityStateAuditType | 0 | |
| logon | win-def:EntityStateAuditType | 0 | |
| other_logon_logoff_events | win-def:EntityStateAuditType | 0 | |
| special_logon | win-def:EntityStateAuditType | 0 | |
| application_generated | win-def:EntityStateAuditType | 0 | |
| certification_services | win-def:EntityStateAuditType | 0 | |
| file_share | win-def:EntityStateAuditType | 0 | |
| file_system | win-def:EntityStateAuditType | 0 | |
| filtering_platform_connection | win-def:EntityStateAuditType | 0 | |
| filtering_platform_packet_drop | win-def:EntityStateAuditType | 0 | |
| handle_manipulation | win-def:EntityStateAuditType | 0 | |
| kernel_object | win-def:EntityStateAuditType | 0 | |
| other_object_access_events | win-def:EntityStateAuditType | 0 | |
| registry | win-def:EntityStateAuditType | 0 | |
| sam | win-def:EntityStateAuditType | 0 | |
| audit_policy_change | win-def:EntityStateAuditType | 0 | |
| authentication_policy_change | win-def:EntityStateAuditType | 0 | |
| authorization_policy_change | win-def:EntityStateAuditType | 0 | |
| filtering_platform_policy_change | win-def:EntityStateAuditType | 0 | |
| mpssvc_rule_level_policy_change | win-def:EntityStateAuditType | 0 | |
| other_policy_change_events | win-def:EntityStateAuditType | 0 | |
| non_sensitive_privilege_use | win-def:EntityStateAuditType | 0 | |
| other_privilege_use_events | win-def:EntityStateAuditType | 0 | |
| sensitive_privilege_use | win-def:EntityStateAuditType | 0 | |
| ipsec_driver | win-def:EntityStateAuditType | 0 | |
| other_system_events | win-def:EntityStateAuditType | 0 | |
| security_state_change | win-def:EntityStateAuditType | 0 | |
| security_system_extension | win-def:EntityStateAuditType | 0 | |
| system_integrity | win-def:EntityStateAuditType | 0 | |
The file test is used to check metadata associated with Windows files. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a file_object and the optional state element specifies the metadata to check. The evaluation of the test is guided by the check attribute that is inherited from the TestType.
| Child Elements | Type | MinOccurs | MaxOccurs |
|---|---|---|---|
| object | oval-def:ObjectRefType | | |
| state | oval-def:StateRefType | 0 | |
The file_object element is used by a file test to define the specific file(s) to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
A file object defines the path and filename of the file(s). In addition, a number of behaviors may be provided that help guide the collection of objects. Please refer to the FileBehaviors complex type for more information about specific behaviors.
| Child Elements | Type | MinOccurs | MaxOccurs |
|---|---|---|---|
| behaviors | win-def:FileBehaviors | 0 | |
| path | oval-def:EntityObjectStringType | | |
| filename | oval-def:EntityObjectStringType | | |
The file_state element defines the different metadata associated with a Windows file. This includes the path, filename, owner, size, last modified time, version, etc. Please refer to the individual elements in the schema for more details about what each represents.
| Child Elements | Type | MinOccurs | MaxOccurs |
|---|---|---|---|
| path | oval-def:EntityStateStringType | 0 | |
| filename | oval-def:EntityStateStringType | 0 | |
| owner | oval-def:EntityStateStringType | 0 | |
| size | oval-def:EntityStateIntType | 0 | |
| a_time | oval-def:EntityStateIntType | 0 | |
| c_time | oval-def:EntityStateIntType | 0 | |
| m_time | oval-def:EntityStateIntType | 0 | |
| ms_checksum | oval-def:EntityStateStringType | 0 | |
| version | oval-def:EntityStateStringType | 0 | |
| type | win-def:EntityStateFileTypeType | 0 | |
| development_class | oval-def:EntityStateStringType | 0 | |
| company | oval-def:EntityStateStringType | 0 | |
| internal_name | oval-def:EntityStateStringType | 0 | |
| language | oval-def:EntityStateStringType | 0 | |
| original_filename | oval-def:EntityStateStringType | 0 | |
| product_name | oval-def:EntityStateStringType | 0 | |
| product_version | oval-def:EntityStateStringType | 0 | |
The FileBehaviors complex type defines a number of behaviors that allow a more detailed definition of the file objects being specified.
Attributes:
- max_depth n/a (optional -- default='-1')
- recurse_direction n/a (optional -- default='none')
The file audit permissions test is used to check the audit permissions associated with Windows files. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a fileauditedpermissions_object and the optional state element specifies the metadata to check. The evaluation of the test is guided by the check attribute that is inherited from the TestType.
| Child Elements | Type | MinOccurs | MaxOccurs |
|---|---|---|---|
| object | oval-def:ObjectRefType | | |
| state | oval-def:StateRefType | 0 | |
The fileauditedpermissions53_object element is used by a file audited permissions test to define the objects used to evaluate against the specified state. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic.
A fileauditedpermissions53_object is defined as a combination of a Windows file and trustee sid. The file represents the file to be evaluated while the trustee sid represents the account (sid) to check audited permissions of. If multiple files or sids are matched by either reference, then each possible combination of file and sid is a matching file audited permissions object. In addition, a number of behaviors may be provided that help guide the collection of objects. Please refer to the FileAuditPermissions53Behaviors complex type for more information about specific behaviors.
| Child Elements | Type | MinOccurs | MaxOccurs |
|---|---|---|---|
| behaviors | win-def:FileAuditPermissions53Behaviors | 0 | |
| path | oval-def:EntityObjectStringType | | |
| filename | oval-def:EntityObjectStringType | | |
| trustee_sid | oval-def:EntityObjectStringType | | |
The fileauditedpermissions53_state element defines the different audit permissions that can be associated with a given fileauditedpermissions53_object. Please refer to the individual elements in the schema for more details about what each represents.
| Child Elements | Type | MinOccurs | MaxOccurs |
|---|---|---|---|
| path | oval-def:EntityStateStringType | 0 | |
| filename | oval-def:EntityStateStringType | 0 | |
| trustee_sid | oval-def:EntityStateStringType | 0 | |
| standard_delete | win-def:EntityStateAuditType | 0 | |
| standard_read_control | win-def:EntityStateAuditType | 0 | |
| standard_write_dac | win-def:EntityStateAuditType | 0 | |
| standard_write_owner | win-def:EntityStateAuditType | 0 | |
| standard_synchronize | win-def:EntityStateAuditType | 0 | |
| access_system_security | win-def:EntityStateAuditType | 0 | |
| generic_read | win-def:EntityStateAuditType | 0 | |
| generic_write | win-def:EntityStateAuditType | 0 | |
| generic_execute | win-def:EntityStateAuditType | 0 | |
| generic_all | win-def:EntityStateAuditType | 0 | |
| file_read_data | win-def:EntityStateAuditType | 0 | |
| file_write_data | win-def:EntityStateAuditType | 0 | |
| file_append_data | win-def:EntityStateAuditType | 0 | |
| file_read_ea | win-def:EntityStateAuditType | 0 | |
| file_write_ea | win-def:EntityStateAuditType | 0 | |
| file_execute | win-def:EntityStateAuditType | 0 | |
| file_delete_child | win-def:EntityStateAuditType | 0 | |
| file_read_attributes | win-def:EntityStateAuditType | 0 | |
| file_write_attributes | win-def:EntityStateAuditType | 0 | |
These behaviors allow a more detailed definition of the fileauditpermissions53_objects being specified.
Attributes:
- max_depth n/a (optional -- default='-1')
- recurse_direction n/a (optional -- default='none')
- include_group xsd:boolean (optional -- default='true')
- resolve_group xsd:boolean (optional -- default='false')
This test has been deprecated and will be removed in version 6.0 of the language. Recommend use of the newer fileauditedpermissions53_test.
The file audit permissions test is used to check the audit permissions associated with Windows files. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a fileauditedpermissions_object and the optional state element specifies the metadata to check. The evaluation of the test is guided by the check attribute that is inherited from the TestType.
| Child Elements | Type | MinOccurs | MaxOccurs |
|---|---|---|---|
| object | oval-def:ObjectRefType | | |
| state | oval-def:StateRefType | 0 | |
This object has been deprecated and will be removed in version 6.0 of the language. Recommend use of the newer fileauditedpermissions53_object.
The fileauditedpermissions_object element is used by a file audited permissions test to define the objects used to evaluate against the specified state. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic.
A fileauditedpermissions_object is defined as a combination of a Windows file and trustee name. The file represents the file to be evaluated while the trustee name represents the account (sid) to check audited permissions of. If multiple files or sids are matched by either reference, then each possible combination of file and sid is a matching file audited permissions object. In addition, a number of behaviors may be provided that help guide the collection of objects. Please refer to the FileAuditPermissionsBehaviors complex type for more information about specific behaviors.
| Child Elements | Type | MinOccurs | MaxOccurs |
|---|---|---|---|
| behaviors | win-def:FileAuditPermissionsBehaviors | 0 | |
| path | oval-def:EntityObjectStringType | | |
| filename | oval-def:EntityObjectStringType | | |
| trustee_name | oval-def:EntityObjectStringType | | |
This state has been deprecated and will be removed in version 6.0 of the language. Recommend use of the newer fileauditedpermissions53_state.
The fileauditedpermissions_state element defines the different audit permissions that can be associated with a given fileauditedpermissions_object. Please refer to the individual elements in the schema for more details about what each represents.
| Child Elements | Type | MinOccurs | MaxOccurs |
|---|---|---|---|
| path | oval-def:EntityStateStringType | 0 | |
| filename | oval-def:EntityStateStringType | 0 | |
| trustee_name | oval-def:EntityStateStringType | 0 | |
| standard_delete | win-def:EntityStateAuditType | 0 | |
| standard_read_control | win-def:EntityStateAuditType | 0 | |
| standard_write_dac | win-def:EntityStateAuditType | 0 | |
| standard_write_owner | win-def:EntityStateAuditType | 0 | |
| standard_synchronize | win-def:EntityStateAuditType | 0 | |
| access_system_security | win-def:EntityStateAuditType | 0 | |
| generic_read | win-def:EntityStateAuditType | 0 | |
| generic_write | win-def:EntityStateAuditType | 0 | |
| generic_execute | win-def:EntityStateAuditType | 0 | |
| generic_all | win-def:EntityStateAuditType | 0 | |
| file_read_data | win-def:EntityStateAuditType | 0 | |
| file_write_data | win-def:EntityStateAuditType | 0 | |
| file_append_data | win-def:EntityStateAuditType | 0 | |
| file_read_ea | win-def:EntityStateAuditType | 0 | |
| file_write_ea | win-def:EntityStateAuditType | 0 | |
| file_execute | win-def:EntityStateAuditType | 0 | |
| file_delete_child | win-def:EntityStateAuditType | 0 | |
| file_read_attributes | win-def:EntityStateAuditType | 0 | |
| file_write_attributes | win-def:EntityStateAuditType | 0 | |
These behaviors allow a more detailed definition of the fileauditpermissions_objects being specified.
Attributes:
- max_depth n/a (optional -- default='-1')
- recurse_direction n/a (optional -- default='none')
- include_group xsd:boolean (optional -- default='true')
- resolve_group xsd:boolean (optional -- default='false')
The file effective rights test is used to check the effective rights associated with Windows files. Note that the trustee's effective access rights are the access rights that the ACL grants to the trustee or to any groups of which the trustee is a member. The fileeffectiverights53_test element extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a fileeffectiverights53_object and the optional state element specifies the metadata to check. The evaluation of the test is guided by the check attribute that is inherited from the TestType.
| Child Elements | Type | MinOccurs | MaxOccurs |
|---|---|---|---|
| object | oval-def:ObjectRefType | | |
| state | oval-def:StateRefType | 0 | |
The fileeffectiverights53_object element is used by a file effective rights test to define the objects used to evaluate against the specified state. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic.
A fileeffectiverights53_object is defined as a combination of a Windows file and trustee sid. The file represents the file to be evaluated while the trustee sid represents the account (sid) to check effective rights of. If multiple files or sids are matched by either reference, then each possible combination of file and sid is a matching file effective rights object. In addition, a number of behaviors may be provided that help guide the collection of objects. Please refer to the FileEffectiveRights53Behaviors complex type for more information about specific behaviors.
| Child Elements | Type | MinOccurs | MaxOccurs |
|---|---|---|---|
| behaviors | win-def:FileEffectiveRights53Behaviors | 0 | |
| path | oval-def:EntityObjectStringType | | |
| filename | oval-def:EntityObjectStringType | | |
| trustee_sid | oval-def:EntityObjectStringType | | |
The fileeffectiverights53_state element defines the different rights that can be associated with a given fileeffectiverights53_object. Please refer to the individual elements in the schema for more details about what each represents.
| Child Elements | Type | MinOccurs | MaxOccurs |
|---|---|---|---|
| path | oval-def:EntityStateStringType | 0 | |
| filename | oval-def:EntityStateStringType | 0 | |
| trustee_sid | oval-def:EntityStateStringType | 0 | |
| standard_delete | oval-def:EntityStateBoolType | 0 | |
| standard_read_control | oval-def:EntityStateBoolType | 0 | |
| standard_write_dac | oval-def:EntityStateBoolType | 0 | |
| standard_write_owner | oval-def:EntityStateBoolType | 0 | |
| standard_synchronize | oval-def:EntityStateBoolType | 0 | |
| access_system_security | oval-def:EntityStateBoolType | 0 | |
| generic_read | oval-def:EntityStateBoolType | 0 | |
| generic_write | oval-def:EntityStateBoolType | 0 | |
| generic_execute | oval-def:EntityStateBoolType | 0 | |
| generic_all | oval-def:EntityStateBoolType | 0 | |
| file_read_data | oval-def:EntityStateBoolType | 0 | |
| file_write_data | oval-def:EntityStateBoolType | 0 | |
| file_append_data | oval-def:EntityStateBoolType | 0 | |
| file_read_ea | oval-def:EntityStateBoolType | 0 | |
| file_write_ea | oval-def:EntityStateBoolType | 0 | |
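The per-combination item collection described for the fileauditedpermissions53_object and fileeffectiverights53_object (every matched file paired with every matched trustee sid), followed by evaluation under the check attribute inherited from TestType, as an added Python example that is not OVAL schema or MITRE code. The definition fragment, the trustee SIDs and the rights matrix standing in for a real host are constructed sample data; a real collector would compute effective rights from each file's DACL.

```python
import re
import xml.etree.ElementTree as ET

OVAL = "{http://oval.mitre.org/XMLSchema/oval-definitions-5}"
WIN = "{http://oval.mitre.org/XMLSchema/oval-definitions-5#windows}"

# Constructed definition: must Everyone (S-1-1-0) lack write rights on every .ini file in C:\Windows?
DEFINITION = """<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
    xmlns:win="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
  <tests><win:fileeffectiverights53_test id="oval:example:tst:1" version="1" check="all">
    <win:object object_ref="oval:example:obj:1"/><win:state state_ref="oval:example:ste:1"/>
  </win:fileeffectiverights53_test></tests>
  <objects><win:fileeffectiverights53_object id="oval:example:obj:1" version="1">
    <win:path>C:\\Windows</win:path>
    <win:filename operation="pattern match">^.*\\.ini$</win:filename>
    <win:trustee_sid>S-1-1-0</win:trustee_sid>
  </win:fileeffectiverights53_object></objects>
  <states><win:fileeffectiverights53_state id="oval:example:ste:1" version="1">
    <win:file_write_data datatype="boolean">false</win:file_write_data>
    <win:generic_write datatype="boolean">false</win:generic_write>
  </win:fileeffectiverights53_state></states>
</oval_definitions>"""

# Constructed effective-rights matrix standing in for the host: (path, filename) -> {sid: rights held}
HOST = {
    ("C:\\Windows", "system.ini"): {"S-1-1-0": {"file_read_data"}, "S-1-5-32-544": {"generic_all"}},
    ("C:\\Windows", "win.ini"): {"S-1-1-0": {"file_read_data", "file_write_data"}},
    ("C:\\Windows", "notepad.exe"): {"S-1-1-0": {"file_write_data"}},   # filtered out by the pattern
}

def _matches(entity, value):
    """Apply the entity's OVAL operation attribute (default 'equals') to a collected value."""
    op = entity.get("operation", "equals")
    if op == "equals":
        return value == entity.text
    if op == "pattern match":
        return re.search(entity.text, value) is not None
    raise ValueError(f"operation {op!r} is not handled in this example")

def collect_items(obj, host=HOST):
    """Each combination of a matched file and a matched trustee sid is a separate item."""
    path, fname, sid = (obj.find(WIN + n) for n in ("path", "filename", "trustee_sid"))
    return [(f, s, rights) for f in host if _matches(path, f[0]) and _matches(fname, f[1])
            for s, rights in host[f].items() if _matches(sid, s)]

def item_satisfies(item, state):
    """True when every entity present in the state agrees with the collected item."""
    (path, fname), sid, rights = item
    ident = {"path": path, "filename": fname, "trustee_sid": sid}
    for entity in state:
        name = entity.tag.replace(WIN, "")
        if name in ident:                    # identifying entities honour their operation
            ok = _matches(entity, ident[name])
        else:                                # right entities are booleans: held or not held
            ok = (name in rights) == (entity.text.strip().lower() == "true")
        if not ok:
            return False
    return True

# Semantics of the check attribute inherited from TestType: n satisfied items out of k collected.
CHECKS = {"all": lambda n, k: n == k, "at least one": lambda n, k: n >= 1,
          "none satisfy": lambda n, k: n == 0, "only one": lambda n, k: n == 1}

def evaluate(definition=DEFINITION, host=HOST):
    """Return ('true' | 'false', {(filename, sid): satisfied}) for the definition's single test."""
    root = ET.fromstring(definition)
    test = root.find(f"./{OVAL}tests/{WIN}fileeffectiverights53_test")
    obj_ref, state_ref = (test.find(WIN + n).get(n + "_ref") for n in ("object", "state"))
    obj = root.find(f"./{OVAL}objects/*[@id='{obj_ref}']")
    state = root.find(f"./{OVAL}states/*[@id='{state_ref}']")
    items = collect_items(obj, host)
    if not items:        # TestType's default check_existence is at_least_one_exists
        return "false", {}
    detail = {(f[1], s): item_satisfies((f, s, r), state) for f, s, r in items}
    return ("true" if CHECKS[test.get("check")](sum(detail.values()), len(items)) else "false"), detail
```

With the constructed host, win.ini grants Everyone file_write_data, so one of the two collected items fails the state and the test with check="all" reports false; switching the test to check="at least one" makes it pass.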