The following is a description of the elements, types, and attributes that compose the Solaris specific tests found in Open Vulnerability and Assessment Language (OVAL). Each test is an extension of the standard test element defined in the Core Definition Schema. Through extension, each test inherits a set of elements and attributes that are shared amongst all OVAL tests. Each test is described in detail and should provide the information necessary to understand what each element and attribute represents. This document is intended for developers and assumes some familiarity with XML. A high level description of the interaction between the different tests and their relationship to the Core Definition Schema is not outlined here.
The OVAL Schema is maintained by The MITRE Corporation and developed by the public OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.mitre.org.
Solaris Definition
5.10.1
1/27/2012 1:22:32 PM
Copyright (c) 2002-2012, The MITRE Corporation. All rights reserved. The contents of this file are subject to the terms of the OVAL License located at http://oval.mitre.org/oval/about/termsofuse.html. See the OVAL License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the OVAL Schema, this license header must be included.
The isainfo test reveals information about the instruction set architectures. This information can be retrieved by the isainfo command. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references an isainfo_object and the optional state element specifies the metadata to check.
The isainfo_test was originally developed by Robert L. Hollis at ThreatGuard, Inc. Many thanks for their support of the OVAL project.
isainfo_test
isainfo_object
isainfo_state
isainfo_item
- the object child element of an isainfo_test must reference an isainfo_object
- the state child element of an isainfo_test must reference an isainfo_state
The isainfo_object element is used by an isainfo test to define those objects to evaluated based on a specified state. There is actually only one object relating to isainfo and this is the system as a whole. Therefore, there are no child entities defined. Any OVAL Test written to check isainfo will reference the same isainfo_object which is basically an empty object element.
The isainfo_state element defines the information about the instruction set architectures. Please refer to the individual elements in the schema for more details about what each represents.
This is the number of bits in the address space of the native instruction set (isainfo -b).
This is the name of the instruction set used by kernel components (isainfo -k).
This is the name of the instruction set used by portable applications (isainfo -n).
From /usr/bin/ndd. See ndd manpage for specific fields
ndd_test
ndd_object
ndd_state
ndd_item
- the object child element of an ndd_test must reference an ndd_object
- the state child element of an ndd_test must reference an ndd_state
State referenced in filter for '' is of the wrong type.
The name of the device to examine. If multiple instances of this device exist on the system, an item for each instance will be collected.
The name of the parameter, For example, ip_forwarding.
The name of the device to examine.
The instance of the device to examine. Certain devices may have multiple instances on a system. If multiple instances exist, an item for each instance will be collected and will have this entity populated with its respective instance value. If only a single instance exists, this entity will not be collected.
The name of the parameter, For example, ip_forwarding.
The value of the named parameter.
The package test is used to check information associated with different packages installed on the system. The information used by this test is modeled after the /usr/bin/pkginfo command. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references an inetd_object and the optional state element specifies the information to check.
package_test
package_object
package_state
package_item
- the object child element of a package_test must reference a package_object
- the state child element of a package_test must reference a package_state
The package_object element is used by a package test to define the packages to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
A package object consists of a single pkginst entity that identifies the package to be used.
State referenced in filter for '' is of the wrong type.
The pkginst entity is a string that represents a package designation by its instance. An instance can be the package abbreviation or a specific instance (for example, inst.1 or inst.2).
The package_state element defines the different information associated with packages installed on the system. Please refer to the individual elements in the schema for more details about what each represents.
The pkginst entity is a string that represents a package designation by its instance. An instance can be the package abbreviation or a specific instance (for example, inst.1 or inst.2).
The name entity is a text string that specifies a full package name.
The category entity is a string in the form of a comma-separated list of categories under which a package may be displayed. Note that a package must at least belong to the system or application category. Categories are case-insensitive and may contain only alphanumerics. Each category is limited in length to 16 characters.
The version entity is a text string that specifies the current version associated with the software package. The maximum length is 256 ASCII characters and the first character cannot be a left parenthesis. Current Solaris software practice is to assign this parameter monotonically increasing Dewey decimal values of the form: major_revision.minor_revision[.micro_revision] where all the revision fields are integers. The versioning fields can be extended to an arbitrary string of numbers in Dewey-decimal format, if necessary.
The vendor entity is a string used to identify the vendor that holds the software copyright (maximum length of 256 ASCII characters).
The description entity is a string that represents a more in-depth description of a package.
The packagecheck_test is used to verify the integrity of an installed Solaris package. The information used by this test is modeled after the pkgchk command. For more information, see pkgchk(1M). It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a packagecheck_object and the optional packagecheck_state element specifies the data to check.
packagecheck_test
packagecheck_object
packagecheck_state
packagecheck_item
- the object child element of a packagecheck_test must reference a packagecheck_object
- the state child element of a packagecheck_test must reference a packagecheck_state
The packagecheck_object element is used by a packagecheck_test to define the packages to be verified. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
State referenced in filter for '' is of the wrong type.
The pkginst entity is a string that represents a package designation by its instance. An instance can be the package abbreviation or a specific instance (for example, inst.1 or inst.2).
The filepath element specifies the absolute path for a file or directory in the specified package.
The package_state element defines the different verification information associated with packages installed on the system. Please refer to the individual elements in the schema for more details about what each represents.
The pkginst entity is a string that represents a package designation by its instance. An instance can be the package abbreviation or a specific instance (for example, inst.1 or inst.2).
The filepath element specifies the absolute path for a file or directory in the specified package.
Has the file's checksum changed? A value of true indicates that the file's checksum has changed. A value of false indicates that the file's checksum has not changed.
Has the file's size changed? A value of true indicates that the file's size has changed. A value of false indicates that the file's size has not changed.
Has the file's modified time changed? A value of true indicates that the file's modified time has changed. A value of false indicates that the file's modified time has not changed.
Has the actual user read permission changed from the expected user read permission?
Has the actual user write permission changed from the expected user write permission?
Has the actual user exec permission changed from the expected user exec permission?
Has the actual group read permission changed from the expected group read permission?
Has the actual group write permission changed from the expected group write permission?
Has the actual group exec permission changed from the expected group exec permission?
Has the actual others read permission changed from the expected others read permission?
Has the actual others read permission changed from the expected others read permission?
Has the actual others read permission changed from the expected others read permission?
The PackageCheckBehaviors complex type defines a set of behaviors that for controlling how installed packages are checked. These behaviors align with the options of the pkgchk command (specifically '-a', '-c', and '-n').
'fileattributes_only' when true this behavior means only check the file attributes and do not check file contents. When false, both file attributes and contents will be checked. This aligns with the pkgchk option '-a'.
'filecontents_only' when true this behavior means only check the file contents and do not check file attributes. When false, both file attributes and contents will be checked. This aligns with the pkgchk option '-c'.
'no_volatileeditable' when true this behavior means do not check volatile or editable files' contents. When false, volatile and editable files' contents will be checked. This aligns with the pkgchk option '-n'.
The patch test is used to check information associated with different patches installed on the system. The information being tested is based off the /usr/bin/showrev -p command. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references an inetd_object and the optional state element specifies the information to check.
patch54_test
patch54_object
patch_state
patch_item
- the object child element of a patch54_test must reference a patch54_object
- the state child element of a patch54_test must reference a patch_state
The patch test is used to check information associated with different patches installed on the system. The information being tested is based off the /usr/bin/showrev -p command. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references an inetd_object and the optional state element specifies the information to check.
patch_test
patch_object
patch_state
patch_item
5.4
Replaced by the patch54_test. The new test includes additional functionality that allows the object element to match both the original patch and any superseding patches. As a result of this new functionality, the patch_object was also expanded to include behaviors and version entities. See the patch54_test.
This test has been deprecated and will be removed in version 6.0 of the language.
DEPRECATED TEST: ID:
- the object child element of a patch_test must reference a patch_object
- the state child element of a patch_test must reference a patch_state
The patch54_object element is used by a patch test to define the specific patch to be evaluated. Patches are identified by unique alphanumeric strings, with the patch base code first, a hyphen, and a number that represents the patch revision number. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
A patch object consists of a base entity that identifies the patch to be used, and a version entity that represent the patch revision number.
State referenced in filter for '' is of the wrong type.
The base entity represents a patch base code found before the hyphen.
The version entity represents a patch version number found after the hyphen.
The patch_object element is used by a patch test to define the specific patch to be evaluated. Patches are identified by unique alphanumeric strings, with the patch base code first, a hyphen, and a number that represents the patch revision number. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
A patch object consists of a single base entity that identifies the patch to be used.
5.4
Replaced by the patch54_object. Due to the additional functionality that allows the object element to match both the original patch and any superseding patches, a new object was created that includes behaviors and version entities. See the patch54_object.
This object has been deprecated and will be removed in version 6.0 of the language.
DEPRECATED OBJECT: ID:
The base entity reresents a patch base code found before the hyphen.
The patch_state element defines the different information associated with a specific patch installed on the system. Patches are identified by unique alphanumeric strings, with the patch base code first, a hyphen, and a number that represents the patch revision number. Please refer to the individual elements in the schema for more details about what each represents.
The base entity reresents a patch base code found before the hyphen.
The version entity represents a patch version number found after the hyphen.
The PatchBehaviors complex type defines a number of behaviors that allow a more detailed definition of the patch_object being specified. Note that using these behaviors may result in some unique results. For example, a double negative type condition might be created where an object entity says include everything except a specific item, but a behavior is used that might then add that item back in.
'supersedence' specifies that the object should also match any superseding patches to the one being specified. In Solaris, a patch can be superseded in two ways. The first way is implicitly when a new revision of a patch is released (e.g. patch 12345-02 supersedes patch 12345-01). The second way is explicitly where a new patch contains the complete functionality of another patch. If set to 'true', the resulting object set would be the original patch specified plus any superseding patches. The default value is 'false' meaning the object should only match the specified patch.
The smf_test is used to check service management facility controlled services including traditional unix rc level start/kill scrips and inetd daemon services. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a smf_object and the optional state element specifies the information to check.
smf_test
smf_object
smf_state
smf_item
- the object child element of a smf_test must reference a smf_object
- the state child element of a smf_test must reference a smf_state
The smf_object element is used by a smf_test to define the specific service instance to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
A smf_object consists of a fmri entity that represents the Fault Management Resource Identifier (FMRI) which uniquely identifies a service.
State referenced in filter for '' is of the wrong type.
The FMRI (Fault Managed Resource Identifier) entity is used to identify system objects for which advanced fault and resource management capabilities are provided. Services managed by SMF are assigned FMRI URIs prefixed with the scheme name "svc". FMRIs used by SMF can be expressed in three ways: first as an absolute path including a location path such as "localhost" (eg svc://localhost/system/system-log:default), second as a path relative to the local machine (eg svc:/system/system-log:default), and third as simply the service identifier with the string prefixes implied (eg system/system-log:default). For OVAL, the absolute path version (first choice) should be used.
The smf_state element defines the different information associated with a specific smf controlled service. Please refer to the individual elements in the schema for more details about what each represents.
The FMRI (Fault Managed Resource Identifier) entity describes a possible identifier associated with a service. Services managed by SMF are assigned FMRI URIs prefixed with the scheme name "svc". FMRIs used by SMF can be expressed in three ways: first as an absolute path including a location path such as "localhost" (eg svc://localhost/system/system-log:default), second as a path relative to the local machine (eg svc:/system/system-log:default), and third as simply the service identifier with the string prefixes implied (eg system/system-log:default). For OVAL, the absolute path version (first choice) should be used.
The service_name entity is usually an abbreviated form of the FMRI. In the example svc://localhost/system/system-log:default, the name would be system-log.
The service_state entity describes a possible state that the service may be in. Each service instance is always in a well-defined state based on its dependencies, the results of the execution of its methods, and its potential receipt of events from the contracts filesystem. The service_state values are UNINITIALIZED, OFFLINE, ONLINE, DEGRADED, MAINTENANCE, DISABLED, and LEGACY-RUN.
The protocol entity describes a possible protocol supported by the service. Possible values are tcp, tcp6, tcp6only, udp, udp6, and udp6only
The entity server_executable is a string representing the listening daemon on the server side. An example being 'svcprop ftp' which might show 'inetd/start/exec astring /usr/sbin/in.ftpd\ -a'
The server_arguments entity describes possible parameters that are passed to the service.
The exec_as_user entity is a string pulled from svcprop in the following format: inetd_start/user astring root
The EntityStatePermissionCompareType complex type restricts a string value to more, less, or same which specifies if an actual permission is different than the expected permission (more or less restrictive) or if the permission is the same. The empty string is also allowed to support empty elements associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
The actual permission is more restrictive than the expected permission.
The actual permission is less restrictive than the expected permission.
The actual permission is the same as the expected permission.
The empty string value is permitted here to allow for empty elements associated with variable references.
The EntityStateSmfProtocolType complex type defines the different values that are valid for the protocol entity of a smf_state. The empty string is also allowed as a valid value to support an empty element that is found when a variable reference is used within the type entity. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
Request that service listen only for and pass on true IPv6 requests (not IPv4 mapped ones).
Request that service listen only for and pass on true IPv6 requests (not IPv4 mapped ones).
The empty string value is permitted here to allow for empty elements associated with variable references.
The EntityStateSmfServiceStateType complex type defines the different values that are valid for the service_state entity of a smf_state. The empty string is also allowed as a valid value to support an empty element that is found when a variable reference is used within the type entity.
The instance is enabled and running or available to run. The instance, however, is functioning at a limited capacity in comparison to normal operation.
The instance is disabled.
The instance is enabled, but not able to run. Administrative action is required to restore the instance to offline and subsequent states.
This state represents a legacy instance that is not managed by the service management facility. Instances in this state have been started at some point, but might or might not be running.
The instance is enabled, but not yet running or available to run.
The instance is enabled and running or is available to run.
This is the initial state for all service instances.
The empty string value is permitted here to allow for empty elements associated with variable references.