- Open Vulnerability and Assessment Language -
Element Dictionary

The following is a description of the elements, types, and attributes that compose the MacOS specific tests found in Open Vulnerability and Assessment Language (OVAL). Each test is an extension of the standard test element defined in the Core Definition Schema. Through extension, each test inherits a set of elements and attributes that are shared amongst all OVAL tests. Each test is described in detail and should provide the information necessary to understand what each element and attribute represents. This document is intended for developers and assumes some familiarity with XML. A high level description of the interaction between the different tests and their relationship to the Core Definition Schema is not outlined here.

The MacOS Definition Schema was initially developed by The Center for Internet Security. Many thanks to their contributions to OVAL and the security community.

The OVAL Schema is maintained by The MITRE Corporation and developed by the public OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.mitre.org.



< accountinfo_test >

User account information (username, uid, gid, etc.) See netinfo(5) for field information, niutil(1) for retrieving it. As of Mac OS 10.5, niutil(1) is no longer available, however, the same functionality can be obtained using dscl(1). Specifically, the command 'dscl . -list /Users' can be used to list all users and the command 'dscl . -read /Users/some_user passwd uid gid realname home shell' can be used to retrieve the attributes associated with an account.

Extends: oval-def:TestType

Child Elements Type MinOccurs MaxOccurs
object oval-def:ObjectRefType 1 1
state oval-def:StateRefType 0 unbounded

< accountinfo_object >

The accountinfo_object element is used by an accountinfo_test to define the object(s) to be evaluated. This object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.

An accountinfo_object consists of a single username that identifies the account from which to gather information.

Extends: oval-def:ObjectType

Child Elements Type MinOccurs MaxOccurs
username oval-def:EntityObjectStringType 1 1
Specifies the user of the account to gather information from.
oval-def:filter n/a 0 unbounded

< accountinfo_state >

The accountinfo_state element defines the different information that can be used to evaluate the specified accounts. Please refer to the individual elements in the schema for more details about what each represents.

Extends: oval-def:StateType

Child Elements Type MinOccurs MaxOccurs
username oval-def:EntityStateStringType 0 1
Specifies the user of the account to gather information from.
password oval-def:EntityStateStringType 0 1
Obfuscated (*****) or encrypted password for this user.
uid oval-def:EntityStateIntType 0 1
The numeric user id, or uid, is the third column of each user's entry in /etc/passwd. This element represents the owner of the file.
gid oval-def:EntityStateIntType 0 1
Group ID of this account.
realname oval-def:EntityStateStringType 0 1
User's real name, aka gecos field of /etc/passwd.
home_dir oval-def:EntityStateStringType 0 1
The home directory for this user account.
login_shell oval-def:EntityStateStringType 0 1
The login shell for this user account.



< diskutil_test >

The diskutil_test is used to verify disks on a Mac OS system. The information used by this test is modeled after the diskutil command. For more information, see diskutil(8). It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a diskutil_object and the optional diskutil_state element specifies the data to check. The evaluation of the test is guided by the check attribute that is inherited from the TestType.

Extends: oval-def:TestType

Child Elements Type MinOccurs MaxOccurs
object oval-def:ObjectRefType 1 1
state oval-def:StateRefType 0 unbounded

< diskutil_object >

The diskutil_object element is used by a diskutil_test to define the disks to be verified on a Mac OS system. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.

Extends: oval-def:ObjectType

Child Elements Type MinOccurs MaxOccurs
device oval-def:EntityObjectStringType 1 1
The device entity is a string that represents the disk on a Mac OS system to verify. Please see diskutil(8) for instructions on how to specify the device.
filepath oval-def:EntityObjectStringType 1 1
The filepath element specifies the absolute path for a file in the specified package. A directory cannot be specified as a filepath.
oval-def:filter n/a 0 unbounded

< diskutil_state >

The package_state element defines the different verification information associated with a disk on a Mac OS system. Please refer to the individual elements in the schema for more details about what each represents.

Extends: oval-def:StateType

Child Elements Type MinOccurs MaxOccurs
device oval-def:EntityStateStringType 0 1
The device entity is a string that represents the disk on a Mac OS system to verify. Please see diskutil(8) for instructions on how to specify the device.
filepath oval-def:EntityStateStringType 0 1
The filepath element specifies the absolute path for a file on the specified device. A directory cannot be specified as a filepath.
uread macos-def:EntityStatePermissionCompareType 0 1
Has the actual user read permission changed from the expected user read permission?
uwrite macos-def:EntityStatePermissionCompareType 0 1
Has the actual user write permission changed from the expected user write permission?
uexec macos-def:EntityStatePermissionCompareType 0 1
Has the actual user exec permission changed from the expected user exec permission?
gread macos-def:EntityStatePermissionCompareType 0 1
Has the actual group read permission changed from the expected group read permission?
gwrite macos-def:EntityStatePermissionCompareType 0 1
Has the actual group write permission changed from the expected group write permission?
gexec macos-def:EntityStatePermissionCompareType 0 1
Has the actual group exec permission changed from the expected group exec permission?
oread macos-def:EntityStatePermissionCompareType 0 1
Has the actual others read permission changed from the expected others read permission?
owrite macos-def:EntityStatePermissionCompareType 0 1
Has the actual others read permission changed from the expected others read permission?
oexec macos-def:EntityStatePermissionCompareType 0 1
Has the actual others read permission changed from the expected others read permission?



< inetlisteningservers_test >

This test's purpose is generally used to check if an application is listening on the network, either for a new connection or as part of an ongoing connection. This is limited to applications that are listening for connections that use the TCP or UDP protocols and have addresses represented as IPv4 or IPv6 addresses (AF_INET or AF_INET6). It is generally speaking the parsed output of running the command netstat -tuwlnpe with root privilege.

Extends: oval-def:TestType

Child Elements Type MinOccurs MaxOccurs
object oval-def:ObjectRefType 1 1
state oval-def:StateRefType 0 unbounded

< inetlisteningservers_object >

The inetlisteningservers_object element is used by an inetlisteningserver test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.

Extends: oval-def:ObjectType

Child Elements Type MinOccurs MaxOccurs
program_name oval-def:EntityObjectStringType 1 1
oval-def:filter n/a 0 unbounded

< inetlisteningservers_state >

The inetlisteningservers_state element defines the different information that can be used to evaluate the specified inet listening server. This includes the local address, foreign address, port information, and process id. Please refer to the individual elements in the schema for more details about what each represents.

Extends: oval-def:StateType

Child Elements Type MinOccurs MaxOccurs
program_name oval-def:EntityStateStringType 0 1
This is the name of the communicating program.
local_address oval-def:EntityStateIPAddressStringType 0 1
This is the IP address of the network interface on which the program listens. Note that the IP address can be IPv4 or IPv6.
local_full_address oval-def:EntityStateStringType 0 1
This is the IP address and network port on which the program listens, equivalent to local_address:local_port. Note that the IP address can be IPv4 or IPv6.
local_port oval-def:EntityStateIntType 0 1
This is the TCP or UDP port on which the program listens. Note that this is not a list -- if a program listens on multiple ports, or on a combination of TCP and UDP, each will have its own entry in the table data stored by this test.
foreign_address oval-def:EntityStateIPAddressStringType 0 1
This is the IP address with which the program is communicating, or with which it will communicate, in the case of a listening server. Note that the IP address can be IPv4 or IPv6.
foreign_full_address oval-def:EntityStateStringType 0 1
This is the IP address and network port to which the program is communicating or will accept communications from, equivalent to foreign_address:foreign_port. Note that the IP address can be IPv4 or IPv6.
foreign_port oval-def:EntityStateStringType 0 1
This is the TCP or UDP port to which the program communicates. In the case of a listening program accepting new connections, this is usually a *.
pid oval-def:EntityStateIntType 0 1
This is the process ID of the process. The process in question is that of the program communicating on the network.
protocol oval-def:EntityStateStringType 0 1
This is the transport-layer protocol, in lowercase: tcp or udp.
user_id oval-def:EntityStateStringType 0 1
The numeric user id, or uid, is the third column of each user's entry in /etc/passwd. It represents the owner, and thus privilege level, of the specified program.



< nvram_test >

This test pulls data from the 'nvram -p' output.

Extends: oval-def:TestType

Child Elements Type MinOccurs MaxOccurs
object oval-def:ObjectRefType 1 1
state oval-def:StateRefType 0 unbounded

< nvram_object >

The nvram_object element is used by a nvram test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.

Extends: oval-def:ObjectType

Child Elements Type MinOccurs MaxOccurs
nvram_var oval-def:EntityObjectStringType 1 1
oval-def:filter n/a 0 unbounded

< nvram_state >

This test pulls data from the 'nvram -p' output.

Extends: oval-def:StateType

Child Elements Type MinOccurs MaxOccurs
nvram_var oval-def:EntityStateStringType 0 1
This specifies the nvram variable to check.
nvram_value oval-def:EntityStateStringType 0 1
This is the value of the associated nvram variable.



< plist_test >

The plist_test is used to check the value(s) associated with property list preference keys. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a plist_object and the optional plist_state element specifies the data to check. The evaluation of the test is guided by the check attribute that is inherited from the TestType.

Extends: oval-def:TestType

Child Elements Type MinOccurs MaxOccurs
object oval-def:ObjectRefType 1 1
state oval-def:StateRefType 0 unbounded

< plist_object >

The plist_object element is used by a plist_test to define the preference keys to collect and where to look for them. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.

Extends: oval-def:ObjectType

Child Elements Type MinOccurs MaxOccurs
key oval-def:EntityObjectStringType 1 1
The preference key to check. If the xsi:nil attribute is set to 'true', the plist does not have any keys associated with it (i.e. it is not a CFDictionary) and the default value of the plist will be collected.
app_id oval-def:EntityObjectStringType 1 1
The unique application identifier that specifies the application to use when looking up the preference key (e.g. com.apple.Safari).
filepath oval-def:EntityObjectStringType 1 1
The absolute path to a plist file (e.g. ~/Library/Preferences/com.apple.Safari.plist). A directory cannot be specified as a filepath.
oval-def:filter n/a 0 unbounded

< plist_state >

The plist_state element defines the different information that can be used to evaluate the specified property list preference key. This includes the preference key, application identifier, filepath, type, as well as the preference key's value. Please refer to the individual elements in the schema for more details about what each represents.

Extends: oval-def:StateType

Child Elements Type MinOccurs MaxOccurs
key oval-def:EntityStateStringType 0 1
The preference key to check.
app_id oval-def:EntityStateStringType 0 1
The unique application identifier that specifies the application to use when looking up the preference key (e.g. com.apple.Safari).
filepath oval-def:EntityStateStringType 0 1
The absolute path to a plist file (e.g. ~/Library/Preferences/com.apple.Safari.plist).
instance oval-def:EntityStateIntType 0 1
The instance of the preference key found in the plist. The first instance of a matching preference key is given the instance value of 1, the second instance of a matching preference key is given the instance value of 2, and so on. Note that the main purpose of this entity is to provide uniqueness for the different plist_items that result from multiple instances of a given preference key in the same plist file.
type macos-def:EntityStatePlistTypeType 0 1
The type of the preference key.
value oval-def:EntityStateAnySimpleType 0 1
The value of the preference key.



< pwpolicy_test >

Deprecated As Of Version: 5.9
Reason: Replaced by the pwpolicy59_test. The username, userpass, and directory_node entities in the pwpolicy_object, pwpolicy_state, and pwpolicy_item were underspecified and as a result their meaning was uncertain. A new test was created to resolve this issue. See the pwpolicy59_test.
Comment: This test has been deprecated and may be removed in a future version of the language.

This test pulls data from the 'pwpolicy -getpolicy' output. The actual values get stored under /var/db/netinfo/local.nidb/ in a Store.# file. Is this test actually needed, or can the text file content test be used instead?

Extends: oval-def:TestType

Child Elements Type MinOccurs MaxOccurs
object oval-def:ObjectRefType 1 1
state oval-def:StateRefType 0 unbounded

< pwpolicy_object >

Deprecated As Of Version: 5.9
Reason: Replaced by the pwpolicy59_object. The username, userpass, and directory_node entities in the pwpolicy_object were underspecified and as a result their meaning was uncertain. A new object was created to resolve this issue. See the pwpolicy59_object.
Comment: This object has been deprecated and may be removed in a future version of the language.

The pwpolicy_object element is used by a pwpolicy_test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.

Extends: oval-def:ObjectType

Child Elements Type MinOccurs MaxOccurs
username oval-def:EntityObjectStringType 1 1
userpass oval-def:EntityObjectStringType 1 1
directory_node oval-def:EntityObjectStringType 1 1
oval-def:filter n/a 0 unbounded

< pwpolicy_state >

Deprecated As Of Version: 5.9
Reason: Replaced by the pwpolicy59_state. The username, userpass, and directory_node entities in the pwpolicy_state were underspecified and as a result their meaning was uncertain. A new state was created to resolve this issue. See the pwpolicy59_state.
Comment: This state has been deprecated and may be removed in a future version of the language.

Extends: oval-def:StateType

Child Elements Type MinOccurs MaxOccurs
username oval-def:EntityStateStringType 0 1
userpass oval-def:EntityStateStringType 0 1
directory_node oval-def:EntityStateStringType 0 1
maxChars oval-def:EntityStateIntType 0 1
Maximum number of characters allowed in a password.
maxFailedLoginAttempts oval-def:EntityStateIntType 0 1
Maximum number of failed logins before the account is locked.
minChars oval-def:EntityStateIntType 0 1
Minimum number of characters allowed in a password.
passwordCannotBeName oval-def:EntityStateBoolType 0 1
Defines if the password is allowed to be the same as the username or not.
requiresAlpha oval-def:EntityStateBoolType 0 1
Defines if the password must contain an alphabetical character or not.
requiresNumeric oval-def:EntityStateBoolType 0 1
Defines if the password must contain an numeric character or not.



< pwpolicy59_test >

This test retrieves password policy data from the 'pwpolicy -getpolicy -u target_user [-a username] [-p userpass] [-n directory_node]' output where username, userpass, and directory_node are optional. Please see the 'pwpolicy' man page for additional information.

Extends: oval-def:TestType

Child Elements Type MinOccurs MaxOccurs
object oval-def:ObjectRefType 1 1
state oval-def:StateRefType 0 unbounded

< pwpolicy59_object >

The pwpolicy59_object element is used by a pwpolicy59_test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.

Extends: oval-def:ObjectType

Child Elements Type MinOccurs MaxOccurs
target_user oval-def:EntityObjectStringType 1 1
The target_user element specifies the user whose password policy information should be collected. If an operation other than equals is specified, the users on the system should be enumerated and the 'pwpolicy' command should be issued for each user that matches the target_user element.
username oval-def:EntityObjectStringType 1 1
The username element specifies the username of the authenticator. If the xsi:nil attribute is set to true, authentication to the directory node will not be performed (i.e. the '-a' and '-p' command line options will not be specified when issuing the 'pwpolicy' command) and the xsi:nil attribute of the userpass element should also be set to true.
userpass oval-def:EntityObjectStringType 1 1
The userpass element specifies the password of the authenticator as specified by the username element. If the xsi:nil attribute is set to true, authentication to the directory node will not be performed (i.e. the '-a' and '-p' command line options will not be specified when issuing the 'pwpolicy' command) and the xsi:nil attribute of the username element should also be set to true.
directory_node oval-def:EntityObjectStringType 1 1
The directory_node element specifies the directory node that you would like to retrieve the password policy information from. If the xsi:nil attribute is set to true, the default directory node is used (i.e. the '-n' command line option will not be specified when issuing the 'pwpolicy' command).
oval-def:filter n/a 0 unbounded

< pwpolicy59_state >

The pwpolicy59_state element defines the different information that can be used to evaluate the password policy for the target user in the specified directory node. Please refer to the individual elements in the schema for more details about what each represents.

Extends: oval-def:StateType

Child Elements Type MinOccurs MaxOccurs
target_user oval-def:EntityStateStringType 0 1
The target_user element specifies the user whose password policy information should be collected.
username oval-def:EntityStateStringType 0 1
The username element specifies the username of the authenticator.
userpass oval-def:EntityStateStringType 0 1
The userpass element specifies the password of the authenticator as specified by the username element.
directory_node oval-def:EntityStateStringType 0 1
The directory_node element specifies the directory node that you would like to retrieve the password policy information from.
maxChars oval-def:EntityStateIntType 0 1
Maximum number of characters allowed in a password.
maxFailedLoginAttempts oval-def:EntityStateIntType 0 1
Maximum number of failed logins before the account is locked.
minChars oval-def:EntityStateIntType 0 1
Minimum number of characters allowed in a password.
passwordCannotBeName oval-def:EntityStateBoolType 0 1
Defines if the password is allowed to be the same as the username or not.
requiresAlpha oval-def:EntityStateBoolType 0 1
Defines if the password must contain an alphabetical character or not.
requiresNumeric oval-def:EntityStateBoolType 0 1
Defines if the password must contain an numeric character or not.

== EntityStatePermissionCompareType ==

The EntityStatePermissionCompareType complex type restricts a string value to more, less, or same which specifies if an actual permission is different than the expected permission (more or less restrictive) or if the permission is the same. The empty string is also allowed to support empty elements associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.

Restricts: oval-def:EntityStateStringType

Value Description

more 

The actual permission is more restrictive than the expected permission.

less 

The actual permission is less restrictive than the expected permission.

same 

The actual permission is the same as the expected permission.

 

The empty string value is permitted here to allow for empty elements associated with variable references.


== EntityStatePlistTypeType ==

The EntityStatePlistTypeType complex type restricts a string value to the seven values CFString, CFNumber, CFBoolean, CFDate, CFData, CFArray, and CFDictionary that specify the datatype of the value associated with a property list preference key. The empty string is also allowed to support empty elements associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.

Restricts: oval-def:EntityStateStringType

Value Description

CFString 

The CFString type is used to describe a preference key that has a string value. The OVAL string datatype should be used to represent CFString values.

CFNumber 

The CFNumber type is used to describe a preference key that has a integer or float value. The OVAL int and float datatypes should be used, as appropriate, to represent CFNumber values.

CFBoolean 

The CFBoolean type is used to describe a preference key that has a boolean value. The OVAL boolean datatype should be used to represent CFBoolean values.

CFDate 

The CFDate type is used to describe a preference key that has a date value. The OVAL string datatype should be used to represent CFDate values.

CFData 

The CFData type is used to describe a preference that has a base64-encoded binary value. The OVAL string datatype should be used to represent CFData values.

CFArray 

The CFArray type is used to describe a preference key that has a collection of values. This is represented as multiple value entities.

CFDictionary 

The CFDictionary type is used to describe a preference key that has a collection of key-value pairs. Note that the collection of CFDictionary values is not supported. If an attempt is made to collect a CFDictionary value, an error should be reported.

 

The empty string value is permitted here to allow for empty elements associated with variable references.