The following is a description of the elements, types, and attributes that compose the Solaris specific tests found in Open Vulnerability and Assessment Language (OVAL). Each test is an extension of the standard test element defined in the Core Definition Schema. Through extension, each test inherits a set of elements and attributes that are shared amongst all OVAL tests. Each test is described in detail and should provide the information necessary to understand what each element and attribute represents. This document is intended for developers and assumes some familiarity with XML. A high level description of the interaction between the different tests and their relationship to the Core Definition Schema is not outlined here.
The OVAL Schema is maintained by The MITRE Corporation and developed by the public OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.mitre.org.
The isainfo test reveals information about the instruction set architectures. This information can be retrieved by the isainfo command. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references an isainfo_object and the optional state element specifies the metadata to check.
The isainfo_test was originally developed by Robert L. Hollis at ThreatGuard, Inc. Many thanks for their support of the OVAL project.
Extends: oval-def:TestType
Child Elements Type MinOccurs MaxOccurs object oval-def:ObjectRefType 1 1 state oval-def:StateRefType 0 unbounded
The isainfo_object element is used by an isainfo test to define those objects to evaluated based on a specified state. There is actually only one object relating to isainfo and this is the system as a whole. Therefore, there are no child entities defined. Any OVAL Test written to check isainfo will reference the same isainfo_object which is basically an empty object element.
Extends: oval-def:ObjectType
The isainfo_state element defines the information about the instruction set architectures. Please refer to the individual elements in the schema for more details about what each represents.
Extends: oval-def:StateType
Child Elements Type MinOccurs MaxOccurs bits oval-def:EntityStateIntType 0 1 This is the number of bits in the address space of the native instruction set (isainfo -b). kernel_isa oval-def:EntityStateStringType 0 1 This is the name of the instruction set used by kernel components (isainfo -k). application_isa oval-def:EntityStateStringType 0 1 This is the name of the instruction set used by portable applications (isainfo -n).
From /usr/bin/ndd. See ndd manpage for specific fields
Extends: oval-def:TestType
Child Elements Type MinOccurs MaxOccurs object oval-def:ObjectRefType 1 1 state oval-def:StateRefType 0 unbounded
Extends: oval-def:ObjectType
Child Elements Type MinOccurs MaxOccurs device oval-def:EntityObjectStringType 1 1 The name of the device to examine. If multiple instances of this device exist on the system, an item for each instance will be collected. parameter oval-def:EntityObjectStringType 1 1 The name of the parameter, For example, ip_forwarding. oval-def:filter n/a 0 unbounded
Extends: oval-def:StateType
Child Elements Type MinOccurs MaxOccurs device oval-def:EntityStateStringType 0 1 The name of the device to examine. instance oval-def:EntityStateIntType 0 1 The instance of the device to examine. Certain devices may have multiple instances on a system. If multiple instances exist, an item for each instance will be collected and will have this entity populated with its respective instance value. If only a single instance exists, this entity will not be collected. parameter oval-def:EntityStateStringType 0 1 The name of the parameter, For example, ip_forwarding. value oval-def:EntityStateAnySimpleType 0 1 The value of the named parameter.
The package test is used to check information associated with different packages installed on the system. The information used by this test is modeled after the /usr/bin/pkginfo command. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references an inetd_object and the optional state element specifies the information to check.
Extends: oval-def:TestType
Child Elements Type MinOccurs MaxOccurs object oval-def:ObjectRefType 1 1 state oval-def:StateRefType 0 unbounded
The package_object element is used by a package test to define the packages to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
A package object consists of a single pkginst entity that identifies the package to be used.
Extends: oval-def:ObjectType
Child Elements Type MinOccurs MaxOccurs pkginst oval-def:EntityObjectStringType 1 1 The pkginst entity is a string that represents a package designation by its instance. An instance can be the package abbreviation or a specific instance (for example, inst.1 or inst.2). oval-def:filter n/a 0 unbounded
The package_state element defines the different information associated with packages installed on the system. Please refer to the individual elements in the schema for more details about what each represents.
Extends: oval-def:StateType
Child Elements Type MinOccurs MaxOccurs pkginst oval-def:EntityStateStringType 0 1 The pkginst entity is a string that represents a package designation by its instance. An instance can be the package abbreviation or a specific instance (for example, inst.1 or inst.2). name oval-def:EntityStateStringType 0 1 The name entity is a text string that specifies a full package name. category oval-def:EntityStateStringType 0 1 The category entity is a string in the form of a comma-separated list of categories under which a package may be displayed. Note that a package must at least belong to the system or application category. Categories are case-insensitive and may contain only alphanumerics. Each category is limited in length to 16 characters. version oval-def:EntityStateStringType 0 1 The version entity is a text string that specifies the current version associated with the software package. The maximum length is 256 ASCII characters and the first character cannot be a left parenthesis. Current Solaris software practice is to assign this parameter monotonically increasing Dewey decimal values of the form: major_revision.minor_revision[.micro_revision] where all the revision fields are integers. The versioning fields can be extended to an arbitrary string of numbers in Dewey-decimal format, if necessary. vendor oval-def:EntityStateStringType 0 1 The vendor entity is a string used to identify the vendor that holds the software copyright (maximum length of 256 ASCII characters). description oval-def:EntityStateStringType 0 1 The description entity is a string that represents a more in-depth description of a package.
The packagecheck_test is used to verify the integrity of an installed Solaris package. The information used by this test is modeled after the pkgchk command. For more information, see pkgchk(1M). It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a packagecheck_object and the optional packagecheck_state element specifies the data to check.
Extends: oval-def:TestType
Child Elements Type MinOccurs MaxOccurs object oval-def:ObjectRefType 1 1 state oval-def:StateRefType 0 unbounded
The packagecheck_object element is used by a packagecheck_test to define the packages to be verified. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
Extends: oval-def:ObjectType
Child Elements Type MinOccurs MaxOccurs behaviors sol-def:PackageCheckBehaviors 0 1 pkginst oval-def:EntityObjectStringType 1 1 The pkginst entity is a string that represents a package designation by its instance. An instance can be the package abbreviation or a specific instance (for example, inst.1 or inst.2). filepath oval-def:EntityObjectStringType 1 1 The filepath element specifies the absolute path for a file or directory in the specified package. oval-def:filter n/a 0 unbounded
The package_state element defines the different verification information associated with packages installed on the system. Please refer to the individual elements in the schema for more details about what each represents.
Extends: oval-def:StateType
Child Elements Type MinOccurs MaxOccurs pkginst oval-def:EntityStateStringType 0 1 The pkginst entity is a string that represents a package designation by its instance. An instance can be the package abbreviation or a specific instance (for example, inst.1 or inst.2). filepath oval-def:EntityStateStringType 0 1 The filepath element specifies the absolute path for a file or directory in the specified package. checksum_differs oval-def:EntityStateBoolType 0 1 Has the file's checksum changed? A value of true indicates that the file's checksum has changed. A value of false indicates that the file's checksum has not changed. size_differs oval-def:EntityStateBoolType 0 1 Has the file's size changed? A value of true indicates that the file's size has changed. A value of false indicates that the file's size has not changed. mtime_differs oval-def:EntityStateBoolType 0 1 Has the file's modified time changed? A value of true indicates that the file's modified time has changed. A value of false indicates that the file's modified time has not changed. uread sol-def:EntityStatePermissionCompareType 0 1 Has the actual user read permission changed from the expected user read permission? uwrite sol-def:EntityStatePermissionCompareType 0 1 Has the actual user write permission changed from the expected user write permission? uexec sol-def:EntityStatePermissionCompareType 0 1 Has the actual user exec permission changed from the expected user exec permission? gread sol-def:EntityStatePermissionCompareType 0 1 Has the actual group read permission changed from the expected group read permission? gwrite sol-def:EntityStatePermissionCompareType 0 1 Has the actual group write permission changed from the expected group write permission? gexec sol-def:EntityStatePermissionCompareType 0 1 Has the actual group exec permission changed from the expected group exec permission? oread sol-def:EntityStatePermissionCompareType 0 1 Has the actual others read permission changed from the expected others read permission? owrite sol-def:EntityStatePermissionCompareType 0 1 Has the actual others read permission changed from the expected others read permission? oexec sol-def:EntityStatePermissionCompareType 0 1 Has the actual others read permission changed from the expected others read permission?
The PackageCheckBehaviors complex type defines a set of behaviors that for controlling how installed packages are checked. These behaviors align with the options of the pkgchk command (specifically '-a', '-c', and '-n').
Attributes:
- fileattributes_only xsd:boolean (optional -- default='false') 'fileattributes_only' when true this behavior means only check the file attributes and do not check file contents. When false, both file attributes and contents will be checked. This aligns with the pkgchk option '-a'. - filecontents_only xsd:boolean (optional -- default='false') 'filecontents_only' when true this behavior means only check the file contents and do not check file attributes. When false, both file attributes and contents will be checked. This aligns with the pkgchk option '-c'. - no_volatileeditable xsd:boolean (optional -- default='false') 'no_volatileeditable' when true this behavior means do not check volatile or editable files' contents. When false, volatile and editable files' contents will be checked. This aligns with the pkgchk option '-n'.
The patch test is used to check information associated with different patches installed on the system. The information being tested is based off the /usr/bin/showrev -p command. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references an inetd_object and the optional state element specifies the information to check.
Extends: oval-def:TestType
Child Elements Type MinOccurs MaxOccurs object oval-def:ObjectRefType 1 1 state oval-def:StateRefType 0 unbounded
Deprecated As Of Version: 5.4 Reason: Replaced by the patch54_test. The new test includes additional functionality that allows the object element to match both the original patch and any superseding patches. As a result of this new functionality, the patch_object was also expanded to include behaviors and version entities. See the patch54_test. Comment: This test has been deprecated and will be removed in version 6.0 of the language. |
The patch test is used to check information associated with different patches installed on the system. The information being tested is based off the /usr/bin/showrev -p command. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references an inetd_object and the optional state element specifies the information to check.
Extends: oval-def:TestType
Child Elements Type MinOccurs MaxOccurs object oval-def:ObjectRefType 1 1 state oval-def:StateRefType 0 unbounded
The patch54_object element is used by a patch test to define the specific patch to be evaluated. Patches are identified by unique alphanumeric strings, with the patch base code first, a hyphen, and a number that represents the patch revision number. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
A patch object consists of a base entity that identifies the patch to be used, and a version entity that represent the patch revision number.
Extends: oval-def:ObjectType
Child Elements Type MinOccurs MaxOccurs behaviors sol-def:PatchBehaviors 0 1 base oval-def:EntityObjectIntType 1 1 The base entity represents a patch base code found before the hyphen. version oval-def:EntityObjectIntType 1 1 The version entity represents a patch version number found after the hyphen. oval-def:filter n/a 0 unbounded
Deprecated As Of Version: 5.4 Reason: Replaced by the patch54_object. Due to the additional functionality that allows the object element to match both the original patch and any superseding patches, a new object was created that includes behaviors and version entities. See the patch54_object. Comment: This object has been deprecated and will be removed in version 6.0 of the language. |
The patch_object element is used by a patch test to define the specific patch to be evaluated. Patches are identified by unique alphanumeric strings, with the patch base code first, a hyphen, and a number that represents the patch revision number. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
A patch object consists of a single base entity that identifies the patch to be used.
Extends: oval-def:ObjectType
Child Elements Type MinOccurs MaxOccurs base oval-def:EntityObjectIntType 1 1 The base entity reresents a patch base code found before the hyphen.
The patch_state element defines the different information associated with a specific patch installed on the system. Patches are identified by unique alphanumeric strings, with the patch base code first, a hyphen, and a number that represents the patch revision number. Please refer to the individual elements in the schema for more details about what each represents.
Extends: oval-def:StateType
Child Elements Type MinOccurs MaxOccurs base oval-def:EntityStateIntType 0 1 The base entity reresents a patch base code found before the hyphen. version oval-def:EntityStateIntType 0 1 The version entity represents a patch version number found after the hyphen.
The PatchBehaviors complex type defines a number of behaviors that allow a more detailed definition of the patch_object being specified. Note that using these behaviors may result in some unique results. For example, a double negative type condition might be created where an object entity says include everything except a specific item, but a behavior is used that might then add that item back in.
Attributes:
- supersedence Restriction of xsd:boolean (optional -- default='false') 'supersedence' specifies that the object should also match any superseding patches to the one being specified. In Solaris, a patch can be superseded in two ways. The first way is implicitly when a new revision of a patch is released (e.g. patch 12345-02 supersedes patch 12345-01). The second way is explicitly where a new patch contains the complete functionality of another patch. If set to 'true', the resulting object set would be the original patch specified plus any superseding patches. The default value is 'false' meaning the object should only match the specified patch.
The smf_test is used to check service management facility controlled services including traditional unix rc level start/kill scrips and inetd daemon services. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a smf_object and the optional state element specifies the information to check.
Extends: oval-def:TestType
Child Elements Type MinOccurs MaxOccurs object oval-def:ObjectRefType 1 1 state oval-def:StateRefType 0 unbounded
The smf_object element is used by a smf_test to define the specific service instance to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
A smf_object consists of a fmri entity that represents the Fault Management Resource Identifier (FMRI) which uniquely identifies a service.
Extends: oval-def:ObjectType
Child Elements Type MinOccurs MaxOccurs fmri oval-def:EntityObjectStringType 1 1 The FMRI (Fault Managed Resource Identifier) entity is used to identify system objects for which advanced fault and resource management capabilities are provided. Services managed by SMF are assigned FMRI URIs prefixed with the scheme name "svc". FMRIs used by SMF can be expressed in three ways: first as an absolute path including a location path such as "localhost" (eg svc://localhost/system/system-log:default), second as a path relative to the local machine (eg svc:/system/system-log:default), and third as simply the service identifier with the string prefixes implied (eg system/system-log:default). For OVAL, the absolute path version (first choice) should be used. oval-def:filter n/a 0 unbounded
The smf_state element defines the different information associated with a specific smf controlled service. Please refer to the individual elements in the schema for more details about what each represents.
Extends: oval-def:StateType
Child Elements Type MinOccurs MaxOccurs fmri oval-def:EntityStateStringType 0 1 The FMRI (Fault Managed Resource Identifier) entity describes a possible identifier associated with a service. Services managed by SMF are assigned FMRI URIs prefixed with the scheme name "svc". FMRIs used by SMF can be expressed in three ways: first as an absolute path including a location path such as "localhost" (eg svc://localhost/system/system-log:default), second as a path relative to the local machine (eg svc:/system/system-log:default), and third as simply the service identifier with the string prefixes implied (eg system/system-log:default). For OVAL, the absolute path version (first choice) should be used. service_name oval-def:EntityStateStringType 0 1 The service_name entity is usually an abbreviated form of the FMRI. In the example svc://localhost/system/system-log:default, the name would be system-log. service_state sol-def:EntityStateSmfServiceStateType 0 1 The service_state entity describes a possible state that the service may be in. Each service instance is always in a well-defined state based on its dependencies, the results of the execution of its methods, and its potential receipt of events from the contracts filesystem. The service_state values are UNINITIALIZED, OFFLINE, ONLINE, DEGRADED, MAINTENANCE, DISABLED, and LEGACY-RUN. protocol sol-def:EntityStateSmfProtocolType 0 1 The protocol entity describes a possible protocol supported by the service. Possible values are tcp, tcp6, tcp6only, udp, udp6, and udp6only server_executable oval-def:EntityStateStringType 0 1 The entity server_executable is a string representing the listening daemon on the server side. An example being 'svcprop ftp' which might show 'inetd/start/exec astring /usr/sbin/in.ftpd\ -a' server_arguements oval-def:EntityStateStringType 0 1 The server_arguments entity describes possible parameters that are passed to the service. exec_as_user oval-def:EntityStateStringType 0 1 The exec_as_user entity is a string pulled from svcprop in the following format: inetd_start/user astring root
The EntityStatePermissionCompareType complex type restricts a string value to more, less, or same which specifies if an actual permission is different than the expected permission (more or less restrictive) or if the permission is the same. The empty string is also allowed to support empty elements associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
Restricts: oval-def:EntityStateStringType
Value Description more
The actual permission is more restrictive than the expected permission.
less
The actual permission is less restrictive than the expected permission.
same
The actual permission is the same as the expected permission.
The empty string value is permitted here to allow for empty elements associated with variable references.
The EntityStateSmfProtocolType complex type defines the different values that are valid for the protocol entity of a smf_state. The empty string is also allowed as a valid value to support an empty element that is found when a variable reference is used within the type entity. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
Restricts: oval-def:EntityStateStringType
Value Description tcp
tcp6
tcp6only
Request that service listen only for and pass on true IPv6 requests (not IPv4 mapped ones).
udp
udp6
udp6only
Request that service listen only for and pass on true IPv6 requests (not IPv4 mapped ones).
The empty string value is permitted here to allow for empty elements associated with variable references.
The EntityStateSmfServiceStateType complex type defines the different values that are valid for the service_state entity of a smf_state. The empty string is also allowed as a valid value to support an empty element that is found when a variable reference is used within the type entity.
Restricts: oval-def:EntityStateStringType
Value Description DEGRADED
The instance is enabled and running or available to run. The instance, however, is functioning at a limited capacity in comparison to normal operation.
DISABLED
The instance is disabled.
MAINTENANCE
The instance is enabled, but not able to run. Administrative action is required to restore the instance to offline and subsequent states.
LEGACY-RUN
This state represents a legacy instance that is not managed by the service management facility. Instances in this state have been started at some point, but might or might not be running.
OFFLINE
The instance is enabled, but not yet running or available to run.
ONLINE
The instance is enabled and running or is available to run.
UNINITIALIZED
This is the initial state for all service instances.
The empty string value is permitted here to allow for empty elements associated with variable references.