- Open Vulnerability and Assessment Language -
Element Dictionary

The following is a description of the elements, types, and attributes that compose the Linux specific system characteristic items found in Open Vulnerability and Assessment Language (OVAL). Each item is an extension of the standard item element defined in the Core System Characteristic Schema. Through extension, each item inherits a set of elements and attributes that are shared amongst all OVAL Items. Each item is described in detail and should provide the information necessary to understand what each element and attribute represents. This document is intended for developers and assumes some familiarity with XML. A high level description of the interaction between the different tests and their relationship to the Core System Characteristic Schema is not outlined here.

The OVAL Schema is maintained by The MITRE Corporation and developed by the public OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.mitre.org.



< dpkginfo_item >

This item stores DPKG package info.

Extends: oval-sc:ItemType

Child Elements Type MinOccurs MaxOccurs
name oval-sc:EntityItemStringType 0 1
This is the pakage name to check.
arch oval-sc:EntityItemStringType 0 1
This is the architecture for which the DPKG was built, like : i386, ppc, sparc, noarch.
epoch Restriction of oval-sc:EntityItemAnySimpleType. See schema for details. 0 1
This is the epoch number of the DPKG. For a null epoch (or '(none)' as returned by dpkg) the string '(none)' should be used.
release Restriction of oval-sc:EntityItemAnySimpleType. See schema for details. 0 1
This is the release number of the build.
version Restriction of oval-sc:EntityItemAnySimpleType. See schema for details. 0 1
This is the version number of the build, changed by the vendor/builder.
evr oval-sc:EntityItemEVRStringType 0 1
This represents the epoch, version, and release fields as a single version string. It has the form "EPOCH:VERSION-RELEASE". Note that a null epoch (or '(none)' as returned by rpm) is equivalent to '0' and would hence have the form 0:VERSION-RELEASE.



< iflisteners_item >

An iflisteners_item stores the results of checking for applications that are bound to an interface on the system.

Extends: oval-sc:ItemType

Child Elements Type MinOccurs MaxOccurs
interface_name oval-sc:EntityItemStringType 0 1
This is the name of the interface (eth0, eth1, fw0, etc.).
protocol linux-sc:EntityItemProtocolType 0 1
This is the physical layer protocol used by the AF_PACKET socket.
hw_address oval-sc:EntityItemStringType 0 1
This is the hardware address associated with the interface.
program_name oval-sc:EntityItemStringType 0 1
This is the name of the communicating program.
pid oval-sc:EntityItemIntType 0 1
This is the process ID of the process. The process in question is that of the program communicating on the network.
user_id oval-sc:EntityItemStringType 0 1
The numeric user id, or uid, is the third column of each user's entry in /etc/passwd. It represents the owner, and thus privilege level, of the specified program.



< inetlisteningserver_item >

An inet listening server item stores the results of checking for network servers currently active on a system. It holds information pertaining to a specific protocol-address-port combination.

Extends: oval-sc:ItemType

Child Elements Type MinOccurs MaxOccurs
protocol oval-sc:EntityItemStringType 0 1
This is the transport-layer protocol, in lowercase: tcp or udp.
local_address oval-sc:EntityItemIPAddressStringType 0 1
This is the IP address associated with the inet listening server. Note that the IP address can be IPv4 or IPv6.
local_port oval-sc:EntityItemIntType 0 1
This is the TCP or UDP port on which the program listens.
local_full_address oval-sc:EntityItemStringType 0 1
This is the IP address and network port on which the program listens, equivalent to local_address:local_port. Note that the IP address can be IPv4 or IPv6.
program_name oval-sc:EntityItemStringType 0 1
This is the name of the communicating program.
foreign_address oval-sc:EntityItemIPAddressStringType 0 1
This is the IP address with which the program is communicating, or with which it will communicate, in the case of a listening server. Note that the IP address can be IPv4 or IPv6.
foreign_port oval-sc:EntityItemIntType 0 1
This is the TCP or UDP port to which the program communicates. In the case of a listening program accepting new connections, this is usually a *.
foreign_full_address oval-sc:EntityItemStringType 0 1
This is the IP address and network port to which the program is communicating or will accept communications from, equivalent to foreign_address:foreign_port. Note that the IP address can be IPv4 or IPv6.
pid oval-sc:EntityItemIntType 0 1
This is the process ID of the process. The process in question is that of the program communicating on the network.
user_id oval-sc:EntityItemIntType 0 1
The numeric user id, or uid, is the third column of each user's entry in /etc/passwd. It represents the owner, and thus privilege level, of the specified program.



< partition_item >

The partition_item stores information about a partition on the local system.

Extends: oval-sc:ItemType

Child Elements Type MinOccurs MaxOccurs
mount_point oval-sc:EntityItemStringType 0 1
The mount_point element contains a string that represents the mount point of a partition on the local system.
device oval-sc:EntityItemStringType 0 1
The device element contains a string that represents the name of the device.
uuid oval-sc:EntityItemStringType 0 1
The uuid element contains a string that represents the universally unique identifier associated with a partition.
fs_type linux-sc:EntityItemFileSystemTypeType 0 1
The fs_type element contains a string that represents the type of filesystem on a partition.
mount_options oval-sc:EntityItemStringType 0 unbounded
The mount_options element contains a string that represents a mount option associated with a partition on the local system.
total_space oval-sc:EntityItemIntType 0 1
The total_space element contains an integer that represents the total number of blocks on a partition.
space_used oval-sc:EntityItemIntType 0 1
The space_used element contains an integer that represents the number of blocks used on a partition.
space_left oval-sc:EntityItemIntType 0 1
The space_left element contains an integer that represents the number of blocks left on a partition.



< rpminfo_item >

This item stores rpm info.

Extends: oval-sc:ItemType

Child Elements Type MinOccurs MaxOccurs
name oval-sc:EntityItemStringType 0 1
This is the pakage name to check.
arch oval-sc:EntityItemStringType 0 1
This is the architecture for which the RPM was built, like : i386, ppc, sparc, noarch. In the case of an apache rpm named httpd-2.0.40-21.11.4.i686.rpm, this value would be i686.
epoch Restriction of oval-sc:EntityItemAnySimpleType. See schema for details. 0 1
This is the epoch number of the RPM, this is used as a kludge for version-release comparisons where the vendor has done some kind of re-numbering or version forking. For a null epoch (or '(none)' as returned by rpm) the string '(none)' should be used. This number is not revealed by a normal query of the RPM's information -- you must use a formatted rpm query command to gather this data from the command line, like so. For an already-installed RPM: rpm -q --qf '%{EPOCH}\n' installed_rpm For an RPM file that has not been installed: rpm -qp --qf '%{EPOCH}\n' rpm_file
release Restriction of oval-sc:EntityItemAnySimpleType. See schema for details. 0 1
This is the release number of the build.
version Restriction of oval-sc:EntityItemAnySimpleType. See schema for details. 0 1
This is the version number of the build, changed by the vendor/builder. In the case of an apache rpm named httpd-2.0.40-21.11.4.i686.rpm, this value would be 21.11.4.
evr oval-sc:EntityItemEVRStringType 0 1
This represents the epoch, version, and release fields as a single version string. It has the form "EPOCH:VERSION-RELEASE". Note that a null epoch (or '(none)' as returned by rpm) is equivalent to '0' and would hence have the form 0:VERSION-RELEASE.
signature_keyid oval-sc:EntityItemStringType 0 1
This field contains the PGP key ID that the RPM issuer (generally the original operating system vendor) uses to sign the key. PGP is used to verify the authenticity and integrity of the RPM being considered. Software packages and patches are signed cryptographically to allow administrators to allay concerns that the distribution mechanism has been compromised, whether that mechanism is web site, FTP server, or even a mirror controlled by a hostile party. OVAL uses this field most of all to confirm that the package installed on the system is that shipped by the vendor, since comparing package version numbers against patch announcements is only programmatically valid if the installed package is known to contain the patched code.



< rpmverify_item >

This item stores rpm rpmverify results similar to what is produced by the rpm -V command.

Extends: oval-sc:ItemType

Child Elements Type MinOccurs MaxOccurs
name oval-sc:EntityItemStringType 0 1
This is the package name to check.
filepath oval-sc:EntityItemStringType 0 1
The filepath element specifies the absolute path for a file in the specified package. A directory cannot be specified as a filepath.
size_differs linux-sc:EntityItemRpmVerifyResultType 0 1
The size_differs entity aligns with the first character ('S' flag) in the character string in the output generated by running rpm –V on a specific file.
mode_differs linux-sc:EntityItemRpmVerifyResultType 0 1
The mode_differs entity aligns with the second character ('M' flag) in the character string in the output generated by running rpm –V on a specific file.
md5_differs linux-sc:EntityItemRpmVerifyResultType 0 1
The md5_differs entity aligns with the third character ('5' flag) in the character string in the output generated by running rpm –V on a specific file.
device_differs linux-sc:EntityItemRpmVerifyResultType 0 1
The device_differs entity aligns with the fourth character ('D' flag) in the character string in the output generated by running rpm –V on a specific file.
link_mismatch linux-sc:EntityItemRpmVerifyResultType 0 1
The link_mismatch entity aligns with the fifth character ('L' flag) in the character string in the output generated by running rpm –V on a specific file.
ownership_differs linux-sc:EntityItemRpmVerifyResultType 0 1
The ownership_differs entity aligns with the sixth character ('U' flag) in the character string in the output generated by running rpm –V on a specific file.
group_differs linux-sc:EntityItemRpmVerifyResultType 0 1
The group_differs entity aligns with the seventh character ('U' flag) in the character string in the output generated by running rpm –V on a specific file.
mtime_differs linux-sc:EntityItemRpmVerifyResultType 0 1
The mtime_differs entity aligns with the eighth character ('T' flag) in the character string in the output generated by running rpm –V on a specific file.
capabilities_differ linux-sc:EntityItemRpmVerifyResultType 0 1
The size_differs entity aligns with the ninth character ('P' flag) in the character string in the output generated by running rpm –V on a specific file.
configuration_file oval-sc:EntityItemBoolType 0 1
The configuration_file entity represents the configuration file attribute marker that may be present on a file.
documentation_file oval-sc:EntityItemBoolType 0 1
The documentation_file entity represents the documenation file attribute marker that may be present on a file.
ghost_file oval-sc:EntityItemBoolType 0 1
The ghost_file entity represents the ghost file attribute marker that may be present on a file.
license_file oval-sc:EntityItemBoolType 0 1
The license_file entity represents the license file attribute marker that may be present on a file.
readme_file oval-sc:EntityItemBoolType 0 1
The readme_file entity represents the readme file attribute marker that may be present on a file.



< selinuxboolean_item >

This item describes the current and pending status of a SELinux boolean. It extends the standard ItemType as defined in the oval-system-characteristics schema and one should refer to the ItemType description for more information.

Extends: oval-sc:ItemType

Child Elements Type MinOccurs MaxOccurs
name oval-sc:EntityItemStringType 0 1
The name of the SELinux boolean.
current_status oval-sc:EntityItemBoolType 0 1
The current_status entity indicates current state of the specified SELinux boolean.
pending_status oval-sc:EntityItemBoolType 0 1
The pending_status entity indicates the pending state of the specified SELinux boolean.



< selinuxsecuritycontext_item >

This item describes the SELinux security context of a file or process on the local system. This item follows the SELinux security context structure: user:role:type:low_sensitivity[:low_category]- high_sensitivity [:high_category]. It extends the standard ItemType as defined in the oval-system-characteristics schema and one should refer to the ItemType description for more information.

Extends: oval-sc:ItemType

Child Elements Type MinOccurs MaxOccurs
filepath oval-sc:EntityItemStringType 0 1
The filepath element specifies the absolute path for a file on the machine. A directory cannot be specified as a filepath.
path oval-sc:EntityItemStringType 0 1
The path element specifies the directory component of the absolute path to a file on the machine.
filename oval-sc:EntityItemStringType 0 1
The name of the file. If the xsi:nil attribute is set to true, then the item being represented is the higher directory represented by the path entity.
pid oval-sc:EntityItemIntType 0 1
This is the process ID of the process.
user oval-sc:EntityItemStringType 0 1
The user element specifies the SELinux user that either created the file or started the process.
role oval-sc:EntityItemStringType 0 1
The role element specifies the types that a process may transition to (domain transitions). Note that this entity is not relevant for files and will always have a value of object_r.
type oval-sc:EntityItemStringType 0 1
The type element specifies the domain in which the file is accessible or the domain in which a process executes.
low_sensitivity oval-sc:EntityItemStringType 0 1
The low_sensitivity element specifies the current sensitivity of a file or process.
low_category oval-sc:EntityItemStringType 0 1
The low_category element specifies the set of categories associated with the low sensitivity.
high_sensitivity oval-sc:EntityItemStringType 0 1
The high_sensitivity element specifies the maximum range for a file or the clearance for a process.
high_category oval-sc:EntityItemStringType 0 1
The high_category element specifies the set of categories associated with the high sensitivity.
rawlow_sensitivity oval-sc:EntityItemStringType 0 1
The rawlow_sensitivity element specifies the current sensitivity of a file or process but in its raw context.
rawlow_category oval-sc:EntityItemStringType 0 1
The rawlow_category element specifies the set of categories associated with the low sensitivity but in its raw context.
rawhigh_sensitivity oval-sc:EntityItemStringType 0 1
The rawhigh_sensitivity element specifies the maximum range for a file or the clearance for a process but in its raw context.
rawhigh_category oval-sc:EntityItemStringType 0 1
The rawhigh_category element specifies the set of categories associated with the high sensitivity but in its raw context.



< slackwarepkginfo_item >

This item describes info related to Slackware packages. It extends the standard ItemType as defined in the oval-system-characteristics schema and one should refer to the ItemType description for more information.

Extends: oval-sc:ItemType

Child Elements Type MinOccurs MaxOccurs
name oval-sc:EntityItemStringType 0 1
This is the pakage name to check.
version oval-sc:EntityItemStringType 0 1
This is the version number of the pakage.
architecture oval-sc:EntityItemStringType 0 1
This is the architecture the package is designed for.
revision oval-sc:EntityItemStringType 0 1
This is the revision of the package.

== EntityItemFileSystemTypeType ==

The EntityItemFileSystemTypeType complex type restricts a string value to the set of values that are used to describe file systems on a Linux system. This list is based off of the values defined in linux/magic.h. Please consult linux/magic.h for additional information on each allowed value. The empty string is also allowed to support empty elements associated with error conditions.

Restricts: oval-sc:EntityItemStringType

Value Description

ADFS_SUPER_MAGIC 

AFFS_SUPER_MAGIC 

AFS_SUPER_MAGIC 

AUTOFS_SUPER_MAGIC 

CODA_SUPER_MAGIC 

CRAMFS_MAGIC 

CRAMFS_MAGIC_WEND 

DEBUGFS_MAGIC 

SYSFS_MAGIC 

SECURITYFS_MAGIC 

SELINUX_MAGIC 

RAMFS_MAGIC 

TMPFS_MAGIC 

HUGETLBFS_MAGIC 

SQUASHFS_MAGIC 

EFS_SUPER_MAGIC 

EXT2_SUPER_MAGIC 

EXT3_SUPER_MAGIC 

XENFS_SUPER_MAGIC 

EXT4_SUPER_MAGIC 

BTRFS_SUPER_MAGIC 

HPFS_SUPER_MAGIC 

ISOFS_SUPER_MAGIC 

JFFS2_SUPER_MAGIC 

ANON_INODE_FS_MAGIC 

MINIX_SUPER_MAGIC 

MINIX_SUPER_MAGIC2 

MINIX2_SUPER_MAGIC 

MINIX2_SUPER_MAGIC2 

MINIX3_SUPER_MAGIC 

MSDOS_SUPER_MAGIC 

NCP_SUPER_MAGIC 

NFS_SUPER_MAGIC 

OPENPROM_SUPER_MAGIC 

PROC_SUPER_MAGIC 

QNX4_SUPER_MAGIC 

REISERFS_SUPER_MAGIC 

REISERFS_SUPER_MAGIC_STRING 

REISER2FS_SUPER_MAGIC_STRING 

REISER2FS_JR_SUPER_MAGIC_STRING 

SMB_SUPER_MAGIC 

USBDEVICE_SUPER_MAGIC 

CGROUP_SUPER_MAGIC 

FUTEXFS_SUPER_MAGIC 

STACK_END_MAGIC 

DEVPTS_SUPER_MAGIC 

SOCKFS_MAGIC 

 

The empty string value is permitted here to allow for detailed error reporting.


== EntityItemRpmVerifyResultType ==

The EntityItemRpmVerifyResultType complex type restricts a string value to the set of possible outcomes of checking an attribute of a file included in an RPM against the actual value of that attribute in the RPM database. The empty string is also allowed to support empty elements associated with error conditions.

Restricts: oval-sc:EntityItemStringType

Value Description

pass 

'pass' indicates that the test passed and is equivalent to the '.' value reported by the rpm -V command.

fail 

'fail' indicates that the test failed and is equivalent to a bold charcter in the test result string reported by the rpm -V command.

not performed 

'not performed' indicates that the test could not be performed and is equivalent to the '?' value reported by the rpm -V command.

 

The empty string value is permitted here to allow for detailed error reporting.


== EntityItemProtocolType ==

The EntityStateProtocolType complex type restricts a string value to the set of physical layer protocols used by AF_PACKET sockets. The empty string is also allowed to support the empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.

Restricts: oval-sc:EntityItemStringType

Value Description

ETH_P_LOOP 

Ethernet loopback packet.

ETH_P_PUP 

Xerox PUP packet.

ETH_P_PUPAT 

Xerox PUP Address Transport packet.

ETH_P_IP 

Internet protocol packet.

ETH_P_X25 

CCITT X.25 packet.

ETH_P_ARP 

Address resolution packet.

ETH_P_BPQ 

G8BPQ AX.25 ethernet packet.

ETH_P_IEEEPUP 

Xerox IEEE802.3 PUP packet.

ETH_P_IEEEPUPAT 

Xerox IEEE802.3 PUP address transport packet.

ETH_P_DEC 

DEC assigned protocol.

ETH_P_DNA_DL 

DEC DNA Dump/Load.

ETH_P_DNA_RC 

DEC DNA Remote Console.

ETH_P_DNA_RT 

DEC DNA Routing.

ETH_P_LAT 

DEC LAT.

ETH_P_DIAG 

DEC Diagnostics.

ETH_P_CUST 

DEC Customer use.

ETH_P_SCA 

DEC Systems Comms Arch.

ETH_P_RARP 

Reverse address resolution packet.

ETH_P_ATALK 

Appletalk DDP.

ETH_P_AARP 

Appletalk AARP.

ETH_P_8021Q 

802.1Q VLAN Extended Header.

ETH_P_IPX 

IPX over DIX.

ETH_P_IPV6 

IPv6 over bluebook.

ETH_P_SLOW 

Slow Protocol. See 802.3ad 43B.

ETH_P_WCCP 

Web-cache coordination protocol.

ETH_P_PPP_DISC 

PPPoE discovery messages.

ETH_P_PPP_SES 

PPPoE session messages.

ETH_P_MPLS_UC 

MPLS Unicast traffic.

ETH_P_MPLS_MC 

MPLS Multicast traffic.

ETH_P_ATMMPOA 

MultiProtocol Over ATM.

ETH_P_ATMFATE 

Frame-based ATM Transport over Ethernet.

ETH_P_AOE 

ATA over Ethernet.

ETH_P_TIPC 

TIPC.

ETH_P_802_3 

Dummy type for 802.3 frames.

ETH_P_AX25 

Dummy protocol id for AX.25.

ETH_P_ALL 

Every packet.

ETH_P_802_2 

802.2 frames.

ETH_P_SNAP 

Internal only.

ETH_P_DDCMP 

DEC DDCMP: Internal only

ETH_P_WAN_PPP 

Dummy type for WAN PPP frames.

ETH_P_PPP_MP 

Dummy type for PPP MP frames.

ETH_P_PPPTALK 

Dummy type for Atalk over PPP.

ETH_P_LOCALTALK 

Localtalk pseudo type.

ETH_P_TR_802_2 

802.2 frames.

ETH_P_MOBITEX 

Mobitex.

ETH_P_CONTROL 

Card specific control frames.

ETH_P_IRDA 

Linux-IrDA.

ETH_P_ECONET 

Acorn Econet.

ETH_P_HDLC 

HDLC frames.

ETH_P_ARCNET 

1A for ArcNet.

 

The empty string value is permitted here to allow for detailed error reporting.