The following is a description of the elements, types, and attributes that compose the tests found in Open Vulnerability and Assessment Language (OVAL) that are independent of a specific piece of software. Each test is described in detail and should provide the information necessary to understand what each element and attribute represents. This document is intended for developers and assumes some familiarity with XML. A high level description of the interaction between the different tests and their relationship to the Core Definition Schema is not outlined here.
The OVAL Schema is maintained by The MITRE Corporation and developed by the public OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.mitre.org.
The family_test element is used to check the family a certain system belongs to. This test basically allows the high level system types (windows, unix, ios, etc.) to be tested. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a family_object and the optional state element specifies the metadata to check.
Extends: oval-def:TestType
| Child Elements | Type | MinOccurs | MaxOccurs |
|---|---|---|---|
| object | oval-def:ObjectRefType | 1 | 1 |
| state | oval-def:StateRefType | 0 | unbounded |
The family_object element is used by a family test to define those objects to evaluate based on a specified state. There is actually only one object relating to family and this is the system as a whole. Therefore, there are no child entities defined. Any OVAL Test written to check the family will reference the same family_object which is basically an empty object element.
Extends: oval-def:ObjectType
The family_state element contains a single entity that is used to check the family associated with the system. The family is a high-level classification of system types.
Extends: oval-def:StateType
| Child Elements | Type | MinOccurs | MaxOccurs | Description |
|---|---|---|---|---|
| family | ind-def:EntityStateFamilyType | 0 | 1 | This element describes the high-level system OS type to test against. Please refer to the definition of the EntityFamilyType for more information about the possible values. |
Deprecated As Of Version: 5.8
Reason: Replaced by the filehash58_test.
Comment: This object has been deprecated and may be removed in a future version of the language.
The file hash test is used to check the hashes associated with a specified file. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a filehash_object and the optional state element specifies the different hashes to check.
Extends: oval-def:TestType
| Child Elements | Type | MinOccurs | MaxOccurs |
|---|---|---|---|
| object | oval-def:ObjectRefType | 1 | 1 |
| state | oval-def:StateRefType | 0 | unbounded |
Deprecated As Of Version: 5.8
Reason: Replaced by the filehash58_object.
Comment: This object has been deprecated and may be removed in a future version of the language.
The filehash_object element is used by a file hash test to define the specific file(s) to be evaluated. The filehash_object will only collect regular files on UNIX systems and FILE_TYPE_DISK files on Windows systems. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
A filehash_object defines the path and filename of the file(s). In addition, a number of behaviors may be provided that help guide the collection of objects. Please refer to the FileBehaviors complex type for more information about specific behaviors.
The set of files to be evaluated may be identified with either a complete filepath or a path and filename. Only one of these options may be selected.
It is important to note that the 'max_depth' and 'recurse_direction' attributes of the 'behaviors' element do not apply to the 'filepath' element, only to the 'path' and 'filename' elements. This is because the 'filepath' element represents an absolute path to a particular file and it is not possible to recurse over a file.
Extends: oval-def:ObjectType
| Child Elements | Type | MinOccurs | MaxOccurs | Description |
|---|---|---|---|---|
| behaviors | ind-def:FileBehaviors | 0 | 1 | |
| filepath | oval-def:EntityObjectStringType | 1 | 1 | The filepath element specifies the absolute path for a file on the machine. A directory cannot be specified as a filepath. |
| path | oval-def:EntityObjectStringType | 1 | 1 | The path element specifies the directory component of the absolute path to a file on the machine. |
| filename | oval-def:EntityObjectStringType | 1 | 1 | The filename element specifies the name of the file. |
Deprecated As Of Version: 5.8
Reason: Replaced by the filehash58_state.
Comment: This object has been deprecated and may be removed in a future version of the language.
The filehash_state element contains entities that are used to check the file path, name, and the different hashes associated with a specific file.
Extends: oval-def:StateType
| Child Elements | Type | MinOccurs | MaxOccurs | Description |
|---|---|---|---|---|
| filepath | oval-def:EntityStateStringType | 0 | 1 | The filepath element specifies the absolute path for a file on the machine. A directory cannot be specified as a filepath. |
| path | oval-def:EntityStateStringType | 0 | 1 | The path element specifies the directory component of the absolute path to a file on the machine. |
| filename | oval-def:EntityStateStringType | 0 | 1 | The filename element specifies the name of the file. |
| md5 | oval-def:EntityStateStringType | 0 | 1 | The md5 element is the md5 hash of the file. |
| sha1 | oval-def:EntityStateStringType | 0 | 1 | The sha1 element is the sha1 hash of the file. |
| windows_view | ind-def:EntityStateWindowsViewType | 0 | 1 | The windows view value to which this was targeted. This is used to indicate which view (32-bit or 64-bit), the associated State applies to. This entity only applies to 64-bit Microsoft Windows operating systems. |
The file hash test is used to check a specific hash type associated with a specified file. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a filehash58_object and the optional state element specifies an expected hash value.
Extends: oval-def:TestType
| Child Elements | Type | MinOccurs | MaxOccurs |
|---|---|---|---|
| object | oval-def:ObjectRefType | 1 | 1 |
| state | oval-def:StateRefType | 0 | unbounded |
The filehash58_object element is used by a file hash test to define the specific file(s) to be evaluated. The filehash58_object will only collect regular files on UNIX systems and FILE_TYPE_DISK files on Windows systems. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
A filehash58_object defines the path and filename of the file(s). In addition, a number of behaviors may be provided that help guide the collection of objects. Please refer to the FileBehaviors complex type for more information about specific behaviors.
The set of files to be evaluated may be identified with either a complete filepath or a path and filename. Only one of these options may be selected.
It is important to note that the 'max_depth' and 'recurse_direction' attributes of the 'behaviors' element do not apply to the 'filepath' element, only to the 'path' and 'filename' elements. This is because the 'filepath' element represents an absolute path to a particular file and it is not possible to recurse over a file.
Extends: oval-def:ObjectType
| Child Elements | Type | MinOccurs | MaxOccurs | Description |
|---|---|---|---|---|
| behaviors | ind-def:FileBehaviors | 0 | 1 | |
| filepath | oval-def:EntityObjectStringType | 1 | 1 | The filepath element specifies the absolute path for a file on the machine. A directory cannot be specified as a filepath. |
| path | oval-def:EntityObjectStringType | 1 | 1 | The path entity specifies the directory component of the absolute path to a file on the machine. |
| filename | oval-def:EntityObjectStringType | 1 | 1 | The filename entity specifies the name of the file. |
| hash_type | ind-def:EntityObjectHashTypeType | 1 | 1 | The hash_type entity specifies the hash algorithm to use when collecting the hash for each of the specified files. |
| oval-def:filter | n/a | 0 | unbounded | |
The filehash58_state element contains entities that are used to check the file path, name, hash_type, and hash associated with a specific file.
Extends: oval-def:StateType
| Child Elements | Type | MinOccurs | MaxOccurs | Description |
|---|---|---|---|---|
| filepath | oval-def:EntityStateStringType | 0 | 1 | The filepath entity specifies the absolute path for a file on the machine. A directory cannot be specified as a filepath. |
| path | oval-def:EntityStateStringType | 0 | 1 | The path entity specifies the directory component of the absolute path to a file on the machine. |
| filename | oval-def:EntityStateStringType | 0 | 1 | The filename entity specifies the name of the file. |
| hash_type | ind-def:EntityStateHashTypeType | 0 | 1 | The hash_type entity specifies the hash algorithm to use when collecting the hash for each of the specified files. |
| hash | oval-def:EntityStateStringType | 0 | 1 | The hash entity specifies the result of applying the hash algorithm to the file. |
| windows_view | ind-def:EntityStateWindowsViewType | 0 | 1 | The windows view value to which this was targeted. This is used to indicate which view (32-bit or 64-bit), the associated State applies to. This entity only applies to 64-bit Microsoft Windows operating systems. |
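How a tool might collect and evaluate a filehash58_object against a filehash58_state, as an added Python sketch that is not part of the OVAL schema or of any OVAL interpreter. The `<sample>` wrapper, the ids, the three result strings and the lowercase hex rendering are assumptions of this example; the hash_type names come from the OVAL hash type enumeration, which this section does not list.

```python
import hashlib
import os
import tempfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {"ind": "http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"}

# hash_type values (OVAL hash type enumeration) mapped to hashlib names.
HASHLIB_NAME = {"MD5": "md5", "SHA-1": "sha1", "SHA-224": "sha224",
                "SHA-256": "sha256", "SHA-384": "sha384", "SHA-512": "sha512"}


def build_fragment(filepath, expected_hash):
    """Constructed object/state pair; the <sample> wrapper and ids are made up."""
    return f"""<sample xmlns:ind="{NS['ind']}">
  <ind:filehash58_object id="oval:example:obj:1" version="1">
    <ind:filepath>{escape(filepath)}</ind:filepath>
    <ind:hash_type>SHA-256</ind:hash_type>
  </ind:filehash58_object>
  <ind:filehash58_state id="oval:example:ste:1" version="1">
    <ind:hash_type>SHA-256</ind:hash_type>
    <ind:hash>{escape(expected_hash)}</ind:hash>
  </ind:filehash58_state>
</sample>"""


def entity(elem, name):
    """Text of a child entity, or None when the entity is absent."""
    return elem.findtext(f"ind:{name}", namespaces=NS)


def resolve_target(obj):
    """Enforce 'filepath' XOR 'path' + 'filename', then return the file path."""
    filepath, path, filename = (entity(obj, n)
                                for n in ("filepath", "path", "filename"))
    if filepath is not None:
        if path is not None or filename is not None:
            raise ValueError("use either filepath or path+filename, not both")
        return filepath
    if path is None or filename is None:
        raise ValueError("path and filename must be given together")
    return os.path.join(path, filename)


def collect_item(obj):
    """Collect one item, or None when the target is not a regular file."""
    target = resolve_target(obj)
    if not os.path.isfile(target):  # a directory cannot be a filepath
        return None
    hash_type = entity(obj, "hash_type")
    digest = hashlib.new(HASHLIB_NAME[hash_type])
    with open(target, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {"filepath": target, "path": os.path.dirname(target),
            "filename": os.path.basename(target),
            "hash_type": hash_type, "hash": digest.hexdigest()}


def state_matches(item, state):
    """Every entity present in the state must equal the collected value."""
    return all(item.get(child.tag.split("}")[1]) == child.text
               for child in state)


def evaluate(fragment):
    """Return 'pass', 'fail' or 'not collected' for one object/state pair."""
    root = ET.fromstring(fragment)
    item = collect_item(root.find("ind:filehash58_object", NS))
    if item is None:
        return "not collected"
    state = root.find("ind:filehash58_state", NS)
    return "pass" if state_matches(item, state) else "fail"


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "sample.conf")
        with open(sample, "wb") as fh:
            fh.write(b"PermitRootLogin no\n")  # constructed file content
        known_good = hashlib.sha256(b"PermitRootLogin no\n").hexdigest()
        print(evaluate(build_fragment(sample, known_good)))
        print(evaluate(build_fragment(sample, "0" * 64)))
        print(evaluate(build_fragment(tmp, known_good)))
```
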
Deprecated As Of Version: 5.8
Reason: Replaced by the environmentvariable58_test.
Comment: This object has been deprecated and may be removed in a future version of the language.
The environmentvariable_test element is used to check an environment variable found on the system. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references an environmentvariable_object and the optional state element specifies the metadata to check.
Extends: oval-def:TestType
| Child Elements | Type | MinOccurs | MaxOccurs |
|---|---|---|---|
| object | oval-def:ObjectRefType | 1 | 1 |
| state | oval-def:StateRefType | 0 | unbounded |

Deprecated As Of Version: 5.8
Reason: Replaced by the environmentvariable58_object.
Comment: This object has been deprecated and may be removed in a future version of the language.
The environmentvariable_object element is used by an environment variable test to define the specific environment variable(s) to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
Extends: oval-def:ObjectType
| Child Elements | Type | MinOccurs | MaxOccurs | Description |
|---|---|---|---|---|
| name | oval-def:EntityObjectStringType | 1 | 1 | This element describes the name of an environment variable. |

Deprecated As Of Version: 5.8
Reason: Replaced by the environmentvariable58_state.
Comment: This object has been deprecated and may be removed in a future version of the language.
The environmentvariable_state element contains two entities that are used to check the name of the specified environment variable and the value associated with it.
Extends: oval-def:StateType
| Child Elements | Type | MinOccurs | MaxOccurs | Description |
|---|---|---|---|---|
| name | oval-def:EntityStateStringType | 0 | 1 | This element describes the name of an environment variable. |
| value | oval-def:EntityStateAnySimpleType | 0 | 1 | The actual value of the specified environment variable. |

The environmentvariable_test element is used to check an environment variable for the specified process, which is identified by its process ID, on the system. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references an environmentvariable_object and the optional state element specifies the metadata to check.
Extends: oval-def:TestType
| Child Elements | Type | MinOccurs | MaxOccurs |
|---|---|---|---|
| object | oval-def:ObjectRefType | 1 | 1 |
| state | oval-def:StateRefType | 0 | unbounded |
The environmentvariable58_object element is used by an environmentvariable_test to define the specific environment variable(s) and process IDs to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
Extends: oval-def:ObjectType
| Child Elements | Type | MinOccurs | MaxOccurs | Description |
|---|---|---|---|---|
| pid | oval-def:EntityObjectIntType | 1 | 1 | The process ID of the process from which the environment variable should be retrieved. If the xsi:nil attribute is set to true, the process ID shall be the tool's running process. |
| name | oval-def:EntityObjectStringType | 1 | 1 | This element describes the name of an environment variable. |
| oval-def:filter | n/a | 0 | unbounded | |
The environmentvariable_state element contains three entities that are used to check the name of the specified environment variable, the process ID of the process from which the environment variable was retrieved, and the value associated with the environment variable.
Extends: oval-def:StateType
| Child Elements | Type | MinOccurs | MaxOccurs | Description |
|---|---|---|---|---|
| pid | oval-def:EntityStateIntType | 0 | 1 | The process ID of the process from which the environment variable was retrieved. |
| name | oval-def:EntityStateStringType | 0 | 1 | This element describes the name of an environment variable. |
| value | oval-def:EntityStateAnySimpleType | 0 | 1 | The actual value of the specified environment variable. |
The LDAP test is used to check information about specific entries in an LDAP directory. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references an ldap_object and the optional state element, ldap_state, specifies the metadata to check.
Note that this test supports only simple (string based) value collection. For more complex values see the ldap57_test.
Extends: oval-def:TestType
| Child Elements | Type | MinOccurs | MaxOccurs |
|---|---|---|---|
| object | oval-def:ObjectRefType | 1 | 1 |
| state | oval-def:StateRefType | 0 | unbounded |
The ldap_object element is used by an LDAP test to define the objects to be evaluated based on a specified state. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
Note that this object is paired with a state that supports only simple (string based) value collection. For more complex values see the ldap57_object.
Extends: oval-def:ObjectType
| Child Elements | Type | MinOccurs | MaxOccurs | Description |
|---|---|---|---|---|
| behaviors | ind-def:LdapBehaviors | 0 | 1 | |
| suffix | oval-def:EntityObjectStringType | 1 | 1 | Each object in an LDAP directory exists under a certain suffix (also known as a naming context). A suffix is defined as a single object in the Directory Information Tree (DIT) with every object in the tree subordinate to it. |
| relative_dn | oval-def:EntityObjectStringType | 1 | 1 | The relative_dn field is used to uniquely identify an object inside the specified suffix. It contains all of the parts of the object's distinguished name except those outlined by the suffix. If the xsi:nil attribute is set to true, then the object being specified is the higher level suffix. In this case, the relative_dn element should not be collected or used in analysis. Setting xsi:nil equal to true is different than using a .* pattern match, which says to collect every relative distinguished name under a given suffix. |
| attribute | oval-def:EntityObjectStringType | 1 | 1 | Specifies a named value contained by the object. If the xsi:nil attribute is set to true, the attribute element should not be collected or used in analysis. Setting xsi:nil equal to true is different than using a .* pattern match, which says to collect every attribute under a given relative distinguished name. |
The ldap_state element defines the different information that can be used to evaluate the specified entries in an LDAP directory. An ldap_test will reference a specific instance of this state that defines the exact settings that need to be evaluated. Please refer to the individual elements in the schema for more details about what each represents.
Note that this state supports only simple (string based) value collection. For more complex values see the ldap57_state.
Extends: oval-def:StateType
| Child Elements | Type | MinOccurs | MaxOccurs | Description |
|---|---|---|---|---|
| suffix | oval-def:EntityStateStringType | 0 | 1 | Each object in an LDAP directory exists under a certain suffix (also known as a naming context). A suffix is defined as a single object in the Directory Information Tree (DIT) with every object in the tree subordinate to it. |
| relative_dn | oval-def:EntityStateStringType | 0 | 1 | The relative_dn field is used to uniquely identify an object inside the specified suffix. It contains all of the parts of the object's distinguished name except those outlined by the suffix. |
| attribute | oval-def:EntityStateStringType | 0 | 1 | Specifies a named value contained by the object. |
| object_class | oval-def:EntityStateStringType | 0 | 1 | The name of the class of which the object is an instance. |
| ldaptype | ind-def:EntityStateLdaptypeType | 0 | 1 | Specifies the type of information that the specified attribute represents. |
| value | oval-def:EntityStateAnySimpleType | 0 | 1 | The actual value of the specified LDAP attribute. |
The LdapBehaviors complex type defines a number of behaviors that allow a more detailed definition of the ldap_object being specified.
Attributes:
- scope Restriction of xsd:string (optional -- default='BASE')('BASE', 'ONE', 'SUBTREE') 'scope' defines the depth from the base distinguished name to which the search should occur. The base distinguished name is the starting point of the search and is composed of the specified suffix and relative distinguished name. A value of 'BASE' indicates to search only the entry at the base distinguished name, a value of 'ONE' indicates to search all entries one level under the base distinguished name - but NOT including the base distinguished name, and a value of 'SUBTREE' indicates to search all entries at all levels under, and including, the specified base distinguished name. The default value is 'BASE'.
The LDAP test is used to check information about specific entries in an LDAP directory. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references an ldap57_object and the optional state element, ldap57_state, specifies the metadata to check.
Note that this test supports complex values that are in the form of a record. For simple (string based) value collection see the ldap_test.
Extends: oval-def:TestType
| Child Elements | Type | MinOccurs | MaxOccurs |
|---|---|---|---|
| object | oval-def:ObjectRefType | 1 | 1 |
| state | oval-def:StateRefType | 0 | unbounded |
The ldap57_object element is used by an LDAP test to define the objects to be evaluated based on a specified state. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
Note that this object supports complex values that are in the form of a record. For simple (string based) value collection see the ldap_object.
Extends: oval-def:ObjectType
| Child Elements | Type | MinOccurs | MaxOccurs | Description |
|---|---|---|---|---|
| behaviors | ind-def:LdapBehaviors | 0 | 1 | |
| suffix | oval-def:EntityObjectStringType | 1 | 1 | Each object in an LDAP directory exists under a certain suffix (also known as a naming context). A suffix is defined as a single object in the Directory Information Tree (DIT) with every object in the tree subordinate to it. |
| relative_dn | oval-def:EntityObjectStringType | 1 | 1 | The relative_dn field is used to uniquely identify an object inside the specified suffix. It contains all of the parts of the object's distinguished name except those outlined by the suffix. If the xsi:nil attribute is set to true, then the object being specified is the higher level suffix. In this case, the relative_dn element should not be collected or used in analysis. Setting xsi:nil equal to true is different than using a .* pattern match, which says to collect every relative distinguished name under a given suffix. |
| attribute | oval-def:EntityObjectStringType | 1 | 1 | Specifies a named value contained by the object. If the xsi:nil attribute is set to true, the attribute element should not be collected or used in analysis. Setting xsi:nil equal to true is different than using a .* pattern match, which says to collect every attribute under a given relative distinguished name. |
| oval-def:filter | n/a | 0 | unbounded | |
The ldap57_state element defines the different information that can be used to evaluate the specified entries in an LDAP directory. An ldap57_test will reference a specific instance of this state that defines the exact settings that need to be evaluated. Please refer to the individual elements in the schema for more details about what each represents.
Note that this state supports complex values that are in the form of a record. For simple (string based) value collection see the ldap_state.
Extends: oval-def:StateType
| Child Elements | Type | MinOccurs | MaxOccurs | Description |
|---|---|---|---|---|
| suffix | oval-def:EntityStateStringType | 0 | 1 | Each object in an LDAP directory exists under a certain suffix (also known as a naming context). A suffix is defined as a single object in the Directory Information Tree (DIT) with every object in the tree subordinate to it. |
| relative_dn | oval-def:EntityStateStringType | 0 | 1 | The relative_dn field is used to uniquely identify an object inside the specified suffix. It contains all of the parts of the object's distinguished name except those outlined by the suffix. |
| attribute | oval-def:EntityStateStringType | 0 | 1 | Specifies a named value contained by the object. |
| object_class | oval-def:EntityStateStringType | 0 | 1 | The name of the class of which the object is an instance. |
| ldaptype | ind-def:EntityStateLdaptypeType | 0 | 1 | Specifies the type of information that the specified attribute represents. |
| value | oval-def:EntityStateRecordType | 0 | 1 | The actual value of the specified LDAP attribute. Note that while an LDAP attribute can contain structured data where it is necessary to collect multiple related fields that can be described by the 'record' datatype, it is not always the case. It also is possible that an LDAP attribute can contain only a single value or an array of values. In these cases, there is not a name to uniquely identify the corresponding field which is a requirement for fields in the 'record' datatype. As a result, the name of the LDAP attribute will be used to uniquely identify the field and satisfy this requirement. |

Deprecated As Of Version: 5.7
Reason: Replaced by the sql57_test. This test allows for single fields to be selected from a database. A new test was created to allow more than one field to be selected in one statement. See the sql57_test.
Comment: This object has been deprecated and may be removed in a future version of the language.
The sql test is used to check information stored in a database. It is often the case that applications store configuration settings in a database as opposed to a file. This test has been designed to enable those settings to be tested. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a wmi_object and the optional state element specifies the metadata to check.
Extends: oval-def:TestType
| Child Elements | Type | MinOccurs | MaxOccurs |
|---|---|---|---|
| object | oval-def:ObjectRefType | 1 | 1 |
| state | oval-def:StateRefType | 0 | unbounded |

Deprecated As Of Version: 5.7
Reason: Replaced by the sql57_object. This object allows for single fields to be selected from a database. A new object was created to allow more than one field to be selected in one statement. See the sql57_object.
Comment: This object has been deprecated and may be removed in a future version of the language.
The sql_object element is used by a sql test to define the specific database and query to be evaluated. Connection information is supplied allowing the tool to connect to the desired database and a query is supplied to call out the desired setting. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
Extends: oval-def:ObjectType
| Child Elements | Type | MinOccurs | MaxOccurs | Description |
|---|---|---|---|---|
| engine | ind-def:EntityObjectEngineType | 1 | 1 | The engine entity defines the specific database engine to use. Any tool looking to collect information about this object will need to know the engine in order to use the appropriate drivers to establish a connection. |
| version | oval-def:EntityObjectStringType | 1 | 1 | The version entity defines the specific version of the database engine to use. This is also important in determining the correct driver to use for establishing a connection. |
| connection_string | oval-def:EntityObjectStringType | 1 | 1 | The connection_string entity defines specific connection parameters to be used in connecting to the database. This will help a tool connect to the correct database. |
| sql | oval-def:EntityObjectStringType | 1 | 1 | The sql entity defines a query used to identify the object(s) to test against. Any valid SQL query is usable with one exception, at most one field is allowed in the SELECT portion of the query. For example SELECT name FROM ... is valid, as is SELECT 'true' FROM ..., but SELECT name, number FROM ... is not valid. This is because the result element in the data section is only designed to work against a single field. |

Deprecated As Of Version: 5.7
Reason: Replaced by the sql57_state. This state allows for single fields to be selected from a database. A new state was created to allow more than one field to be selected in one statement. See the sql57_state.
Comment: This state has been deprecated and may be removed in a future version of the language.
The sql_state element contains two entities that are used to check the name of the specified field and the value associated with it.
Extends: oval-def:StateType
| Child Elements | Type | MinOccurs | MaxOccurs | Description |
|---|---|---|---|---|
| engine | ind-def:EntityStateEngineType | 0 | 1 | The engine entity defines a specific database engine. |
| version | oval-def:EntityStateStringType | 0 | 1 | The version entity defines a specific version of a given database engine. |
| connection_string | oval-def:EntityStateStringType | 0 | 1 | The connection_string entity defines a set of parameters that help identify the connection to the database. |
| sql | oval-def:EntityStateStringType | 0 | 1 | The sql entity defines a query used to identify the object(s) to test against. |
| result | oval-def:EntityStateAnySimpleType | 0 | 1 | The result entity specifies how to test objects in the result set of the specified SQL statement. Only one comparable field is allowed. So if the SQL statement looks like 'SELECT name FROM ...', then a result entity with a value of 'Fred' would test the set of 'name' values returned by the SQL statement against the value 'Fred'. |
The sql test is used to check information stored in a database. It is often the case that applications store configuration settings in a database as opposed to a file. This test has been designed to enable those settings to be tested. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a wmi_object and the optional state element specifies the metadata to check.
Extends: oval-def:TestType
| Child Elements | Type | MinOccurs | MaxOccurs |
|---|---|---|---|
| object | oval-def:ObjectRefType | 1 | 1 |
| state | oval-def:StateRefType | 0 | unbounded |
The sql57_object element is used by a sql test to define the specific database and query to be evaluated. Connection information is supplied allowing the tool to connect to the desired database and a query is supplied to call out the desired setting. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
Extends: oval-def:ObjectType
| Child Elements | Type | MinOccurs | MaxOccurs | Description |
|---|---|---|---|---|
| engine | ind-def:EntityObjectEngineType | 1 | 1 | The engine entity defines the specific database engine to use. Any tool looking to collect information about this object will need to know the engine in order to use the appropriate drivers to establish a connection. |
| version | oval-def:EntityObjectStringType | 1 | 1 | The version entity defines the specific version of the database engine to use. This is also important in determining the correct driver to use for establishing a connection. |
| connection_string | oval-def:EntityObjectStringType | 1 | 1 | The connection_string entity defines specific connection parameters to be used in connecting to the database. This will help a tool connect to the correct database. |
| sql | oval-def:EntityObjectStringType | 1 | 1 | The sql entity defines a query used to identify the object(s) to test against. Any valid SQL query is usable with one exception, all fields must be named in the SELECT portion of the query. For example, SELECT name, number FROM ... is valid. However, SELECT * FROM ... is not valid. This is because the record element in the state and item require a unique field name value to ensure that any query results can be evaluated consistently. |
| oval-def:filter | n/a | 0 | unbounded | |
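The SELECT restrictions stated for the sql entity of sql_object (at most one field) and sql57_object (every field named, no SELECT *) can be checked before content is shipped. The following Python lint is an added example, not part of the OVAL schema or of any OVAL tool; the function names, the app_settings table and the decision to flag * in the legacy object are assumptions of this sketch.

```python
import re


def split_select_list(sql):
    """Return the top-level items between SELECT and FROM.

    Commas inside parentheses or quoted strings do not split items.
    """
    head = re.match(r"\s*SELECT\s+(?:DISTINCT\s+|ALL\s+)?", sql, re.IGNORECASE)
    if not head:
        raise ValueError("not a SELECT statement")
    items, current, depth, quote = [], [], 0, None
    i = head.end()
    while i < len(sql):
        ch = sql[i]
        prev = sql[i - 1]
        if quote:                       # inside '...' or "..."
            current.append(ch)
            if ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
            current.append(ch)
        elif ch == "(":
            depth += 1
            current.append(ch)
        elif ch == ")":
            depth -= 1
            current.append(ch)
        elif ch == "," and depth == 0:  # top-level separator
            items.append("".join(current).strip())
            current = []
        elif (depth == 0 and not (prev.isalnum() or prev == "_")
              and re.match(r"FROM\b", sql[i:], re.IGNORECASE)):
            break                       # end of the select list
        else:
            current.append(ch)
        i += 1
    items.append("".join(current).strip())
    return [item for item in items if item]


def is_star(item):
    """True for '*' and for qualified forms such as 't.*'."""
    return item == "*" or item.endswith(".*")


def lint(sql, object_type):
    """Return a list of problems for the query under the given object type."""
    items = split_select_list(sql)
    problems = []
    if object_type == "sql_object":
        if len(items) > 1:
            problems.append("sql_object allows at most one field in SELECT")
        if any(is_star(item) for item in items):
            # Conservative choice of this example: * may expand to many fields.
            problems.append("'*' may select more than one field")
    elif object_type == "sql57_object":
        if any(is_star(item) for item in items):
            problems.append("sql57_object requires every field to be named")
    else:
        raise ValueError("unknown object type: " + object_type)
    return problems


if __name__ == "__main__":
    # Constructed queries modelled on the examples in the entity descriptions.
    for kind, query in [
        ("sql_object", "SELECT name FROM app_settings"),
        ("sql_object", "SELECT name, number FROM app_settings"),
        ("sql57_object", "SELECT name, number FROM app_settings"),
        ("sql57_object", "SELECT * FROM app_settings"),
    ]:
        print(kind, "|", query, "|", lint(query, kind) or "ok")
```
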
The sql57_state element contains two entities that are used to check the name of the specified field and the value associated with it.
Extends: oval-def:StateType
| Child Elements | Type | MinOccurs | MaxOccurs | Description |
|---|---|---|---|---|
| engine | ind-def:EntityStateEngineType | 0 | 1 | The engine entity defines a specific database engine. |
| version | oval-def:EntityStateStringType | 0 | 1 | The version entity defines a specific version of a given database engine. |
| connection_string | oval-def:EntityStateStringType | 0 | 1 | The connection_string entity defines a set of parameters that help identify the connection to the database. |
| sql | oval-def:EntityStateStringType | 0 | 1 | The sql entity defines a query used to identify the object(s) to test against. |
| result | oval-def:EntityStateRecordType | 0 | 1 | The result entity specifies how to test objects in the result set of the specified SQL statement. |
The textfilecontent54_test element is used to check the contents of a text file (aka a configuration file) by looking at individual blocks of text. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a textfilecontent54_object and the optional state element specifies the metadata to check.
Extends: oval-def:TestType
| Child Elements | Type | MinOccurs | MaxOccurs |
|---|---|---|---|
| object | oval-def:ObjectRefType | 1 | 1 |
| state | oval-def:StateRefType | 0 | unbounded |
The textfilecontent54_object element is used by a textfilecontent_test to define the specific block(s) of text of a file(s) to be evaluated. The textfilecontent54_object will only collect regular files on UNIX systems and FILE_TYPE_DISK files on Windows systems. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
The set of files to be evaluated may be identified with either a complete filepath or a path and filename. Only one of these options may be selected.
It is important to note that the 'max_depth' and 'recurse_direction' attributes of the 'behaviors' element do not apply to the 'filepath' element, only to the 'path' and 'filename' elements. This is because the 'filepath' element represents an absolute path to a particular file and it is not possible to recurse over a file.
Extends: oval-def:ObjectType
Child Elements Type MinOccurs MaxOccurs
- behaviors ind-def:Textfilecontent54Behaviors 0 1
- filepath oval-def:EntityObjectStringType 1 1 The filepath element specifies the absolute path for a file on the machine. A directory cannot be specified as a filepath.
- path oval-def:EntityObjectStringType 1 1 The path element specifies the directory component of the absolute path to a file on the machine.
- filename oval-def:EntityObjectStringType 1 1 The filename entity specifies the name of a file.
- pattern oval-def:EntityObjectStringType 1 1 The pattern entity defines a chunk of text in a file and is represented using a regular expression. A subexpression (using parentheses) can call out a piece of the text block to test. For example, the pattern abc(.*)xyz would look for a block of text in the file that starts with abc and ends with xyz, with the subexpression being all the characters that exist in between. The value of the subexpression can then be tested using the subexpression entity of a textfilecontent54_state. Note that if the pattern, starting at the same point in the file, matches more than one block of text, then it matches the longest. For example, given a file with abcdefxyzxyzabc, then the pattern abc(.*)xyz would match the block abcdefxyzxyz. Subexpressions also match the longest possible substrings, subject to the constraint that the whole match be as long as possible, with subexpressions starting earlier in the pattern taking priority over ones starting later. Note that when using regular expressions, OVAL supports a common subset of the regular expression character classes, operations, expressions and other lexical tokens defined within Perl 5's regular expression specification. For more information on the supported regular expression syntax in OVAL see: http://oval.mitre.org/language/about/re_support_5.6.html.
- instance oval-def:EntityObjectIntType 1 1 The instance entity calls out a specific match of the pattern. The first match is given an instance value of 1, the second match is given an instance value of 2, and so on. Note that the main purpose of this entity is to provide uniqueness for different textfilecontent_items that result from multiple matches of a given pattern against the same file. Most likely this entity will be defined as greater than or equal to 1 which would result in the object representing the set of all matches of the pattern.
- oval-def:filter n/a 0 unbounded
The textfilecontent54_state element contains entities that are used to check the file path and name, as well as the text block in question and the value of the subexpressions.
Extends: oval-def:StateType
Child Elements Type MinOccurs MaxOccurs
- filepath oval-def:EntityStateStringType 0 1 The filepath element specifies the absolute path for a file on the machine. A directory cannot be specified as a filepath.
- path oval-def:EntityStateStringType 0 1 The path element specifies the directory component of the absolute path to a file on the machine.
- filename oval-def:EntityStateStringType 0 1 The filename entity represents the name of a file.
- pattern oval-def:EntityStateStringType 0 1 The pattern entity represents a regular expression that is used to define a block of text.
- instance oval-def:EntityStateIntType 0 1 The instance entity calls out a specific match of the pattern.
- text oval-def:EntityStateAnySimpleType 0 1 The text entity represents the block of text that matched the specified pattern.
- subexpression oval-def:EntityStateAnySimpleType 0 1 The subexpression entity represents a value to test against the subexpression in the specified pattern. If multiple subexpressions are specified in the pattern, this value is tested against all of them. For example, if the pattern abc(.*)mno(.*)xyp was supplied, and the state specifies a subexpression value of enabled, then the test would check that both (or at least one, none, etc. depending on the entity_check attribute) of the subexpressions have a value of enabled.
- windows_view ind-def:EntityStateWindowsViewType 0 1 The windows view value to which this was targeted. This is used to indicate which view (32-bit or 64-bit), the associated State applies to. This entity only applies to 64-bit Microsoft Windows operating systems.
The Textfilecontent54Behaviors complex type defines a number of behaviors that allow a more detailed definition of the textfilecontent54_object being specified. Note that using these behaviors may result in some unique results. For example, a double negative type condition might be created where an object entity says include everything except a specific item, but a behavior is used that might then add that item back in.
It is important to note that the 'max_depth' and 'recurse_direction' attributes of the 'behaviors' element do not apply to the 'filepath' element, only to the 'path' and 'filename' elements. This is because the 'filepath' element represents an absolute path to a particular file and it is not possible to recurse over a file.
The Textfilecontent54Behaviors extend the ind-def:FileBehaviors and therefore include the behaviors defined by that type.
Extends: ind-def:FileBehaviors
Attributes:
- ignore_case xsd:boolean (optional -- default='false') 'ignore_case' indicates whether case should be considered when matching system values against the regular expression provided by the pattern entity. This behavior is intended to align with the Perl regular expression 'i' modifier: if true, case will be ignored. If false, case will not be ignored. The default is false.
- multiline xsd:boolean (optional -- default='true') 'multiline' enables multiple line semantics in the regular expression provided by the pattern entity. This behavior is intended to align with the Perl regular expression 'm' modifier: if true, the '^' and '$' metacharacters will match both at the beginning/end of a string, and immediately after/before newline characters. If false, they will match only at the beginning/end of a string. The default is true.
- singleline xsd:boolean (optional -- default='false') 'singleline' enables single line semantics in the regular expression provided by the pattern entity. This behavior is intended to align with the Perl regular expression 's' modifier: if true, the '.' metacharacter will match newlines. If false, it will not. The default is false.
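The following added example (not part of the OVAL documentation or any OVAL interpreter) models how a textfilecontent54_test, object, state and behaviors fit together: it parses a constructed definition fragment and evaluates it against constructed file content. The ids, the wrapper element, the sshd_config target and the helper names are assumptions, only check="all" with check_existence="at_least_one_exists" is modelled, and Python's re module stands in for the Perl 5 subset OVAL specifies.

```python
import re
import xml.etree.ElementTree as ET

IND = "http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
NS = {"ind": IND}

# Constructed fragment: the ids, the comment and the <wrapper> element are illustrative.
# A real definitions document keeps tests, objects and states in separate containers.
OVAL_FRAGMENT = r"""
<wrapper xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
  <textfilecontent54_test id="oval:example:tst:1" version="1" check="all"
      check_existence="at_least_one_exists" comment="sshd refuses root logins">
    <object object_ref="oval:example:obj:1"/>
    <state state_ref="oval:example:ste:1"/>
  </textfilecontent54_test>
  <textfilecontent54_object id="oval:example:obj:1" version="1">
    <behaviors ignore_case="true"/>
    <filepath>/etc/ssh/sshd_config</filepath>
    <pattern operation="pattern match">^[ \t]*PermitRootLogin[ \t]+(\S+)[ \t]*$</pattern>
    <instance datatype="int" operation="greater than or equal">1</instance>
  </textfilecontent54_object>
  <textfilecontent54_state id="oval:example:ste:1" version="1">
    <subexpression>no</subexpression>
  </textfilecontent54_state>
</wrapper>
"""

# Constructed file contents, keyed by path when passed to evaluate().
GOOD = "# constructed sample\nPort 22\n#PermitRootLogin yes\npermitrootlogin no\n"
BAD = GOOD + "Match Address 10.0.0.0/8\n    PermitRootLogin yes\n"


def flag(behaviors, name, default):
    """Read an xsd:boolean behavior attribute, falling back to the schema default."""
    if behaviors is None or name not in behaviors.attrib:
        return default
    return behaviors.attrib[name] in ("true", "1")


def collect_items(text, pattern, ignore_case=False, multiline=True, singleline=False):
    """Return one item per match; instance numbers start at 1, in file order."""
    flags = (re.I if ignore_case else 0) | (re.M if multiline else 0) | (re.S if singleline else 0)
    return [{"instance": n, "text": m.group(0), "subexpression": list(m.groups())}
            for n, m in enumerate(re.finditer(pattern, text, flags), start=1)]


def evaluate(fragment, files):
    """Evaluate the single textfilecontent54_test in fragment against files (path -> content)."""
    root = ET.fromstring(fragment)
    test = root.find("ind:textfilecontent54_test", NS)
    if (test.get("check"), test.get("check_existence")) != ("all", "at_least_one_exists"):
        raise NotImplementedError("only check=all / at_least_one_exists are modelled")
    obj = root.find("ind:textfilecontent54_object", NS)
    ste = root.find("ind:textfilecontent54_state", NS)
    beh = obj.find("ind:behaviors", NS)
    content = files.get(obj.findtext("ind:filepath", namespaces=NS))
    if content is None:
        return "false"  # no file, so no items: at_least_one_exists is not met
    items = collect_items(content, obj.findtext("ind:pattern", namespaces=NS),
                          flag(beh, "ignore_case", False), flag(beh, "multiline", True),
                          flag(beh, "singleline", False))
    inst = obj.find("ind:instance", NS)
    wanted, op = int(inst.text), inst.get("operation", "equals")
    items = [i for i in items
             if (i["instance"] >= wanted if op == "greater than or equal"
                 else i["instance"] == wanted)]
    if not items:
        return "false"
    expected = ste.findtext("ind:subexpression", namespaces=NS)
    # check="all": every collected item must satisfy the state; the state value is
    # compared with every subexpression of the item (entity_check defaults to "all").
    ok = all(all(s == expected for s in i["subexpression"]) for i in items)
    return "true" if ok else "false"


if __name__ == "__main__":
    print(collect_items("abcdefxyzxyzabc", r"abc(.*)xyz"))
    print(evaluate(OVAL_FRAGMENT, {"/etc/ssh/sshd_config": GOOD}))
    print(evaluate(OVAL_FRAGMENT, {"/etc/ssh/sshd_config": BAD}))
```

With BAD the object collects two items (instances 1 and 2), and because the test uses check="all" the second directive inside the Match block makes the whole test false.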
Deprecated As Of Version: 5.4
Reason: Replaced by the textfilecontent54_test. Support for multi-line pattern matching and multi-instance matching was added. Therefore, a new test was created to reflect these changes. See the textfilecontent54_test.
Comment: This test has been deprecated and will be removed in version 6.0 of the language.
The textfilecontent_test element is used to check the contents of a text file (aka a configuration file) by looking at individual lines. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a textfilecontent_object and the optional state element specifies the metadata to check.
Extends: oval-def:TestType
Child Elements Type MinOccurs MaxOccurs
- object oval-def:ObjectRefType 1 1
- state oval-def:StateRefType 0 unbounded
Deprecated As Of Version: 5.4
Reason: Replaced by the textfilecontent54_object. Support for multi-line pattern matching and multi-instance matching was added. Therefore, a new object was created to reflect these changes. See the textfilecontent54_object.
Comment: This object has been deprecated and will be removed in version 6.0 of the language.
The textfilecontent_object element is used by a text file content test to define the specific line(s) of a file(s) to be evaluated. The textfilecontent_object will only collect regular files on UNIX systems and FILE_TYPE_DISK files on Windows systems. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
Extends: oval-def:ObjectType
Child Elements Type MinOccurs MaxOccurs
- behaviors ind-def:FileBehaviors 0 1
- path oval-def:EntityObjectStringType 1 1 The path element specifies the directory component of the absolute path to a file on the machine.
- filename oval-def:EntityObjectStringType 1 1 The filename element specifies the name of the file.
- line oval-def:EntityObjectStringType 1 1 The line element represents a line in the file and is represented using a regular expression. A single subexpression can be called out using parentheses. The value of this subexpression can then be checked using a textfilecontent_state. Note that when using regular expressions, OVAL supports a common subset of the regular expression character classes, operations, expressions and other lexical tokens defined within Perl 5's regular expression specification. For more information on the supported regular expression syntax in OVAL see: http://oval.mitre.org/language/about/re_support_5.6.html.
Deprecated As Of Version: 5.4
Reason: Replaced by the textfilecontent54_state. Support for multi-line pattern matching and multi-instance matching was added. Therefore, a new state was created to reflect these changes. See the textfilecontent54_state.
Comment: This state has been deprecated and will be removed in version 6.0 of the language.
The textfilecontent_state element contains entities that are used to check the file path and name, as well as the line in question and the value of the specific subexpression.
Extends: oval-def:StateType
Child Elements Type MinOccurs MaxOccurs
- path oval-def:EntityStateStringType 0 1 The path element specifies the directory component of the absolute path to a file on the machine.
- filename oval-def:EntityStateStringType 0 1 The name of the file.
- line oval-def:EntityStateStringType 0 1 The line element represents a line in the file that was collected.
- subexpression oval-def:EntityStateAnySimpleType 0 1 Each subexpression in the regular expression of the line element is then tested against the value specified in the subexpression element.
- windows_view ind-def:EntityStateWindowsViewType 0 1 The windows view value to which this was targeted. This is used to indicate which view (32-bit or 64-bit), the associated State applies to. This entity only applies to 64-bit Microsoft Windows operating systems.
An unknown_test acts as a placeholder for tests whose implementation is unknown. This test always evaluates to a result of 'unknown'. Any information that is known about the test should be held in the notes child element that is available through the extension of the abstract test element. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. Note that for an unknown_test, the required check attribute that is part of the extended TestType should be ignored during evaluation and hence can be set to any valid value.
Extends: oval-def:TestType
The variable test allows the value of a variable to be compared to a defined value. As an example one might use this test to validate that a variable being passed in from an external source falls within a specified range. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a variable_object and the optional state element specifies the value to check.
Extends: oval-def:TestType
Child Elements Type MinOccurs MaxOccurs
- object oval-def:ObjectRefType 1 1
- state oval-def:StateRefType 0 unbounded
Extends: oval-def:ObjectType
Child Elements Type MinOccurs MaxOccurs
- var_ref ind-def:EntityObjectVariableRefType 1 1 The id of the variable you want.
- oval-def:filter n/a 0 unbounded
The variable_state element contains two entities that are used to check the var_ref of the specified variable and the value associated with it.
Extends: oval-def:StateType
Child Elements Type MinOccurs MaxOccurs
- var_ref ind-def:EntityStateVariableRefType 0 1 The id of the variable.
- value oval-def:EntityStateAnySimpleType 0 1 The value of the variable.
The xmlfilecontent_test element is used to explore the contents of an xml file. This test allows specific pieces of an xml document specified using xpath to be tested. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references an xmlfilecontent_object and the optional state element specifies the metadata to check.
Extends: oval-def:TestType
Child Elements Type MinOccurs MaxOccurs
- object oval-def:ObjectRefType 1 1
- state oval-def:StateRefType 0 unbounded
The xmlfilecontent_object element is used by an xml file content test to define the specific piece of an xml file(s) to be evaluated. The xmlfilecontent_object will only collect regular files on UNIX systems and FILE_TYPE_DISK files on Windows systems. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
The set of files to be evaluated may be identified with either a complete filepath or a path and filename. Only one of these options may be selected.
It is important to note that the 'max_depth' and 'recurse_direction' attributes of the 'behaviors' element do not apply to the 'filepath' element, only to the 'path' and 'filename' elements. This is because the 'filepath' element represents an absolute path to a particular file and it is not possible to recurse over a file.
Extends: oval-def:ObjectType
Child Elements Type MinOccurs MaxOccurs
- behaviors ind-def:FileBehaviors 0 1
- filepath oval-def:EntityObjectStringType 1 1 The filepath element specifies the absolute path for a file on the machine. A directory cannot be specified as a filepath.
- path oval-def:EntityObjectStringType 1 1 The path element specifies the directory component of the absolute path to a file on the machine.
- filename oval-def:EntityObjectStringType 1 1 The filename element specifies the name of the file.
- xpath oval-def:EntityObjectStringType 1 1 Specifies an Xpath expression describing the text node(s) or attribute(s) to look at. Any valid Xpath 1.0 statement is usable with one exception, at most one field may be identified in the Xpath. This is because the value_of element in the data section is only designed to work against a single field. The only valid operator for xpath is equals since there is an infinite number of possible xpaths and determining all those that do not equal a given xpath would be impossible.
- oval-def:filter n/a 0 unbounded
The xmlfilecontent_state element contains entities that are used to check the file path and name, as well as the xpath used and the value of this xpath.
Extends: oval-def:StateType
Child Elements Type MinOccurs MaxOccurs
- filepath oval-def:EntityStateStringType 0 1 The filepath element specifies the absolute path for a file on the machine. A directory cannot be specified as a filepath.
- path oval-def:EntityStateStringType 0 1 The path element specifies the directory component of the absolute path to a file on the machine.
- filename oval-def:EntityStateStringType 0 1 The filename element specifies the name of the file.
- xpath oval-def:EntityStateStringType 0 1 Specifies an Xpath expression describing the text node(s) or attribute(s) to look at.
- value_of oval-def:EntityStateAnySimpleType 0 1 The value_of element checks the value(s) of the text node(s) or attribute(s) found.
- windows_view ind-def:EntityStateWindowsViewType 0 1 The windows view value to which this was targeted. This is used to indicate which view (32-bit or 64-bit), the associated State applies to. This entity only applies to 64-bit Microsoft Windows operating systems.
The FileBehaviors complex type defines a number of behaviors that allow a more detailed definition of a set of files or file related items to collect. Note that using these behaviors may result in some unique results. For example, a double negative type condition might be created where an object entity says include everything except a specific item, but a behavior is used that might then add that item back in.
It is important to note that the 'max_depth' and 'recurse_direction' attributes of the 'behaviors' element do not apply to the 'filepath' element, only to the 'path' and 'filename' elements. This is because the 'filepath' element represents an absolute path to a particular file and it is not possible to recurse over a file.
Attributes:
- max_depth Restriction of xsd:integer (optional -- default='-1') 'max_depth' defines the maximum depth of recursion to perform when a recurse_direction is specified. A value of '0' is equivalent to no recursion, '1' means to step only one directory level up/down, and so on. The default value is '-1' meaning no limitation. For a 'max_depth' of -1 or any value of 1 or more the starting directory must be considered in the recursive search. Note that the default recurse_direction behavior is 'none' so even though max_depth specifies no limitation by default, the recurse_direction behavior turns recursion off. Note that this behavior only applies with the equality operation on the path entity.
- recurse Restriction of xsd:string (optional -- default='symlinks and directories') ('directories', 'symlinks', 'symlinks and directories') 'recurse' defines how to recurse into the path entity, in other words what to follow during recursion. Options include symlinks, directories, or both. Note that a max-depth other than 0 has to be specified for recursion to take place and for this attribute to mean anything. Also note that this behavior does not apply to Windows systems since they do not support symbolic links. On Windows systems the 'recurse' behavior is always equivalent to directories. Note that this behavior only applies with the equality operation on the path entity.
- recurse_direction Restriction of xsd:string (optional -- default='none') ('none', 'up', 'down') 'recurse_direction' defines the direction to recurse, either 'up' to parent directories, or 'down' into child directories. The default value is 'none' for no recursion. Note that this behavior only applies with the equality operation on the path entity.
- recurse_file_system Restriction of xsd:string (optional -- default='all') ('all', 'local', 'defined') 'recurse_file_system' defines the file system limitation of any searching and applies to all operations as specified on the path or filepath entity. The value of 'local' limits the search scope to local file systems (as opposed to file systems mounted from an external system). The value of 'defined' keeps any recursion within the file system that the file_object (path+filename or filepath) has specified. The value of 'defined' only applies when an equality operation is used for searching because the path or filepath entity must explicitly define a file system. The default value is 'all' meaning to search all available file systems for data collection. Note that in most cases it is recommended that the value of 'local' be used to ensure that file system searching is limited to only the local file systems. Searching 'all' file systems may have performance implications.
- windows_view Restriction of xsd:string (optional -- default='64_bit') ('32_bit', '64_bit') 64-bit versions of Windows provide an alternate file system and registry views to 32-bit applications. This behavior allows the OVAL Object to specify which view should be examined. This behavior only applies to 64-bit Windows, and must not be applied on other platforms. Note that the values have the following meaning: '64_bit' – Indicates that the 64-bit view on 64-bit Windows operating systems must be examined. On a 32-bit system, the Object must be evaluated without applying the behavior. '32_bit' – Indicates that the 32-bit view must be examined. On a 32-bit system, the Object must be evaluated without applying the behavior. It is recommended that the corresponding 'windows_view' entity be set on the OVAL Items that are collected when this behavior is used to distinguish between the OVAL Items that are collected in the 32-bit or 64-bit views.
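The interaction of 'max_depth' and 'recurse_direction' described above decides which directories a path+filename object actually reaches. This added example (not part of the OVAL documentation) models it over a constructed directory tree. The tree, the function names and the file names are assumptions, and symlink handling ('recurse') and 'recurse_file_system' are not modelled.

```python
# Constructed directory tree: directory -> file names it contains (not a real system).
TREE = {
    "/": [],
    "/etc": ["app.conf"],
    "/srv": [],
    "/srv/app": ["app.conf", "run.sh"],
    "/srv/app/conf": ["app.conf"],
    "/srv/application": ["app.conf"],
}


def depth_between(ancestor, descendant):
    """Directory levels from ancestor down to descendant, or None if unrelated."""
    if ancestor == descendant:
        return 0
    prefix = ancestor.rstrip("/") + "/"   # "/srv/app/" must not match "/srv/application"
    if not descendant.startswith(prefix):
        return None
    return descendant[len(prefix):].count("/") + 1


def search_scope(path, recurse_direction="none", max_depth=-1, tree=TREE):
    """Directories visited for an equality match on the path entity."""
    if path not in tree:
        return []
    if recurse_direction not in ("none", "up", "down"):
        raise ValueError("recurse_direction must be 'none', 'up' or 'down'")
    # The default direction 'none' switches recursion off even though the default
    # max_depth of -1 means "no limitation"; max_depth 0 has the same effect.
    if recurse_direction == "none" or max_depth == 0:
        return [path]
    scope = []
    for d in sorted(tree):
        if recurse_direction == "down":
            levels = depth_between(path, d)
        else:
            levels = depth_between(d, path)
        # The starting directory itself (levels == 0) is always part of the search.
        if levels is not None and (max_depth == -1 or levels <= max_depth):
            scope.append(d)
    return scope


def collect(path, filename, recurse_direction="none", max_depth=-1, tree=TREE):
    """File paths collected for path + filename (both with the equals operation)."""
    return [d.rstrip("/") + "/" + filename
            for d in search_scope(path, recurse_direction, max_depth, tree)
            if filename in tree[d]]


if __name__ == "__main__":
    print(collect("/srv", "app.conf"))             # defaults: only /srv itself is searched
    print(collect("/srv", "app.conf", "down", 1))  # one level below /srv
    print(collect("/srv", "app.conf", "down"))     # unlimited depth
    print(search_scope("/srv/app/conf", "up"))     # parents up to the root
```

A content check written with only path and filename therefore sees nothing below the named directory unless 'recurse_direction' is set explicitly.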
The EntityObjectEngineType complex type defines a string entity value that is restricted to a set of enumerations. Each valid enumeration is a valid database engine. The empty string is also allowed to support empty elements associated with variable references.
Restricts: oval-def:EntityStateStringType
Value Description
access
The access value describes the Microsoft Access database engine.
db2
The db2 value describes the IBM DB2 database engine.
cache
The cache value describes the InterSystems Cache database engine.
firebird
The firebird value describes the Firebird database engine.
firstsql
The firstsql value describes the FirstSQL database engine.
foxpro
The foxpro value describes the Microsoft FoxPro database engine.
informix
The informix value describes the IBM Informix database engine.
ingres
The ingres value describes the Ingres database engine.
interbase
The interbase value describes the Embarcadero Technologies InterBase database engine.
lightbase
The lightbase value describes the Light Infocon LightBase database engine.
maxdb
The maxdb value describes the SAP MaxDB database engine.
monetdb
The monetdb value describes the MonetDB SQL database engine.
mimer
The mimer value describes the Mimer SQL database engine.
mysql
The mysql value describes the MySQL database engine.
oracle
The oracle value describes the Oracle database engine.
paradox
The paradox value describes the Paradox database engine.
pervasive
The pervasive value describes the Pervasive PSQL database engine.
postgre
The postgre value describes the PostgreSQL database engine.
sqlbase
The sqlbase value describes the Unify SQLBase database engine.
sqlite
The sqlite value describes the SQLite database engine.
sqlserver
The sqlserver value describes the Microsoft SQL database engine.
sybase
The sybase value describes the Sybase database engine.
The empty string value is permitted here to allow for empty elements associated with variable references.
The EntityStateEngineType complex type defines a string entity value that is restricted to a set of enumerations. Each valid enumeration is a valid database engine. The empty string is also allowed to support empty elements associated with variable references.
Restricts: oval-def:EntityStateStringType
Value Description
access
The access value describes the Microsoft Access database engine.
db2
The db2 value describes the IBM DB2 database engine.
cache
The cache value describes the InterSystems Cache database engine.
firebird
The firebird value describes the Firebird database engine.
firstsql
The firstsql value describes the FirstSQL database engine.
foxpro
The foxpro value describes the Microsoft FoxPro database engine.
informix
The informix value describes the IBM Informix database engine.
ingres
The ingres value describes the Ingres database engine.
interbase
The interbase value describes the Embarcadero Technologies InterBase database engine.
lightbase
The lightbase value describes the Light Infocon LightBase database engine.
maxdb
The maxdb value describes the SAP MaxDB database engine.
monetdb
The monetdb value describes the MonetDB SQL database engine.
mimer
The mimer value describes the Mimer SQL database engine.
oracle
The oracle value describes the Oracle database engine.
paradox
The paradox value describes the Paradox database engine.
pervasive
The pervasive value describes the Pervasive PSQL database engine.
postgre
The postgre value describes the PostgreSQL database engine.
sqlbase
The sqlbase value describes the Unify SQLBase database engine.
sqlite
The sqlite value describes the SQLite database engine.
sqlserver
The sqlserver value describes the Microsoft SQL database engine.
sybase
The sybase value describes the Sybase database engine.
The empty string value is permitted here to allow for empty elements associated with variable references.
The EntityStateFamilyType complex type defines a string entity value that is restricted to a set of enumerations. Each valid enumeration is a high-level family of operating system. The empty string is also allowed to support empty elements associated with variable references.
Restricts: oval-def:EntityStateStringType
Value Description
catos
The catos value describes the Cisco CatOS operating system.
ios
The ios value describes the Cisco IOS operating system.
macos
The macos value describes the Mac operating system.
pixos
The pixos value describes the Cisco PIX operating system.
undefined
The undefined value is to be used when the desired family is not available.
unix
The unix value describes the UNIX operating system.
vmware_infrastructure
The vmware_infrastructure value describes VMWare Infrastructure.
windows
The windows value describes the Microsoft Windows operating system.
The empty string value is permitted here to allow for empty elements associated with variable references.
The EntityObjectHashTypeType complex type restricts a string value to a specific set of values that specify the different hash algorithms that are supported. The empty string is also allowed to support empty elements associated with variable references.
Restricts: oval-def:EntityObjectStringType
Value Description
MD5
The MD5 hash algorithm.
SHA-1
The SHA-1 hash algorithm.
SHA-224
The SHA-224 hash algorithm.
SHA-256
The SHA-256 hash algorithm.
SHA-384
The SHA-384 hash algorithm.
SHA-512
The SHA-512 hash algorithm.
The empty string value is permitted here to allow for empty elements associated with variable references.
The EntityStateHashTypeType complex type restricts a string value to a specific set of values that specify the different hash algorithms that are supported. The empty string is also allowed to support empty elements associated with variable references.
Restricts: oval-def:EntityStateStringType
Value Description
MD5
The MD5 hash algorithm.
SHA-1
The SHA-1 hash algorithm.
SHA-224
The SHA-224 hash algorithm.
SHA-256
The SHA-256 hash algorithm.
SHA-384
The SHA-384 hash algorithm.
SHA-512
The SHA-512 hash algorithm.
The empty string value is permitted here to allow for empty elements associated with variable references.
The EntityObjectVariableRefType complex type defines a string object entity that has a valid OVAL variable id as the value. The empty string is also allowed to support empty elements associated with variable references.
Restricts: oval-def:EntityObjectStringType
Pattern (oval:[A-Za-z0-9_\-\.]+:var:[1-9][0-9]*){0,}
The EntityStateVariableRefType complex type defines a string state entity that has a valid OVAL variable id as the value. The empty string is also allowed to support empty elements associated with variable references.
Restricts: oval-def:EntityStateStringType
Pattern (oval:[A-Za-z0-9_\-\.]+:var:[1-9][0-9]*){0,}
The EntityStateLdaptypeType complex type restricts a string value to a specific set of values that specify the different types of information that an ldap attribute can represent. The empty string is also allowed to support empty elements associated with variable references.
Restricts: oval-def:EntityStateStringType
Value Description
LDAPTYPE_ATTRIBUTE_TYPE_DESCRIP_STRING
The data type is the attribute type description.
LDAPTYPE_DN_STRING
The string is of Distinguished Name (path) of a directory service object.
LDAPTYPE_BIT_STRING
The bit string type.
LDAPTYPE_PRINTABLE_STRING
The string is displayable on screen or in print.
LDAPTYPE_NUMERIC_STRING
The string is of a numeral to be interpreted as text.
LDAPTYPE_BOOLEAN
The data is of a Boolean value.
LDAPTYPE_INTEGER
The data is of an integer value.
LDAPTYPE_UTC_TIME
The data is of the universal time as expressed in Universal Time Coordinate (UTC).
LDAPTYPE_GENERALIZED_TIME
The data is of generalized time.
LDAPTYPE_DIRECTORY_STRING
The directory string.
LDAPTYPE_OBJECT_CLASS_DESCRIP_STRING
The object class description type.
LDAPTYPE_BINARY
The data is binary.
LDAPTYPE_TIMESTAMP
The data is of a time stamp in seconds.
Deprecated As Of Version: 5.7
Reason: This value was accidentally carried over from the win-def:EntityStateAdstypeType as it was used as a template for the ind-def:EntityStateLdaptypeType.
Comment: This value has been deprecated and will be removed in version 6.0 of the language.
LDAPTYPE_EMAIL
The data is of an e-mail message.
Deprecated As Of Version: 5.7
Reason: This value was accidentally carried over from the win-def:EntityStateAdstypeType as it was used as a template for the ind-def:EntityStateLdaptypeType.
Comment: This value has been deprecated and will be removed in version 6.0 of the language.
The empty string value is permitted here to allow for empty elements associated with variable references.
The EntityStateWindowsViewType restricts a string value to a specific set of values: 32-bit and 64-bit. These values describe the different values possible for the windows view behavior.
Restricts: oval-def:EntityStateStringType
Value Description
32_bit
Indicates the 32_bit windows view.
64_bit
Indicates the 64_bit windows view.
The empty string value is permitted here to allow for empty elements associated with variable references.