The following is a description of the elements, types, and attributes that compose the tests found in Open Vulnerability and Assessment Language (OVAL) that are independent of a specific piece of software. Each test is described in detail and should provide the information necessary to understand what each element and attribute represents. This document is intended for developers and assumes some familiarity with XML. A high level description of the interaction between the different tests and their relationship to the Core Definition Schema is not outlined here.
The OVAL Schema is maintained by The MITRE Corporation and developed by the public OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.mitre.org.
Independent Definition
Version 5.7, 5/3/2010 8:41:18 PM
Copyright (c) 2002-2010, The MITRE Corporation. All rights reserved. The contents of this file are subject to the terms of the OVAL License located at http://oval.mitre.org/oval/about/termsofuse.html. See the OVAL License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the OVAL Schema, this license header must be included.
The family_test element is used to check the family a certain system belongs to. This test basically allows the high level system types (windows, unix, ios, etc.) to be tested. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a family_object and the optional state element specifies the metadata to check. The evaluation of the test is guided by the check attribute that is inherited from the TestType.
- the object child element of a family_test must reference a family_object
- the state child element of a family_test must reference a family_state
The family_object element is used by a family test to define those objects to evaluate based on a specified state. There is actually only one object relating to family and this is the system as a whole. Therefore, there are no child entities defined. Any OVAL Test written to check the family will reference the same family_object which is basically an empty object element.
The family_state element contains a single entity that is used to check the family associated with the system. The family is a high-level classification of system types.
This element describes the high-level system OS type to test against. Please refer to the definition of the EntityFamilyType for more information about the possible values.
- datatype attribute for the family entity of a family_state should be 'string'
The file hash test is used to check the hashes associated with a specified file. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a filehash_object and the optional state element specifies the different hashes to check. The evaluation of the test is guided by the check attribute that is inherited from the TestType.
- the object child element of a filehash_test must reference a filehash_object
- the state child element of a filehash_test must reference a filehash_state
The filehash_object element is used by a file hash test to define the specific file(s) to be evaluated. The filehash_object will only collect regular files on UNIX systems and FILE_TYPE_DISK files on Windows systems. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
A filehash_object defines the path and filename of the file(s). In addition, a number of behaviors may be provided that help guide the collection of objects. Please refer to the FilehashBehaviors complex type for more information about specific behaviors.
The set of files to be evaluated may be identified with either a complete filepath or a path and filename. Only one of these options may be selected.
It is important to note that the 'max_depth' and 'recurse_direction' attributes of the 'behaviors' element do not apply to the 'filepath' element, only to the 'path' and 'filename' elements. This is because the 'filepath' element represents an absolute path to a particular file and it is not possible to recurse over a file.
The filepath element specifies the absolute path for a file on the machine. A directory cannot be specified as a filepath.
- datatype attribute for the filepath entity of a filehash_object should be 'string'
- the max_depth and recurse_direction behaviors are not allowed with a filepath entity
The path element specifies the directory component of the absolute path to a file on the machine.
- datatype attribute for the path entity of a filehash_object should be 'string'
The filename element specifies the name of the file.
- datatype attribute for the filename entity of a filehash_object should be 'string'
The filehash_state element contains entities that are used to check the file path, name, and the different hashes associated with a specific file.
The filepath element specifies the absolute path for a file on the machine. A directory cannot be specified as a filepath.
- datatype attribute for the filepath entity of a filehash_state should be 'string'
The path element specifies the directory component of the absolute path to a file on the machine.
- datatype attribute for the path entity of a filehash_state should be 'string'
The filename element specifies the name of the file.
- datatype attribute for the filename entity of a filehash_state should be 'string'
The md5 element is the md5 hash of the file.
- datatype attribute for the md5 entity of a filehash_state should be 'string'
The sha1 element is the sha1 hash of the file.
- datatype attribute for the sha1 entity of a filehash_state should be 'string'
The FilehashBehaviors complex type defines a number of behaviors that allow a more detailed definition of the filehash_object being specified. Note that using these behaviors may result in some unique results. For example, a double negative type condition might be created where an object entity says include everything except a specific item, but a behavior is used that might then add that item back in.
It is important to note that the 'max_depth' and 'recurse_direction' attributes of the 'behaviors' element do not apply to the 'filepath' element, only to the 'path' and 'filename' elements. This is because the 'filepath' element represents an absolute path to a particular file and it is not possible to recurse over a file.
'max_depth' defines how many directories to recurse when a recurse direction is specified. The default value is '-1' meaning no limitation. A value of '0' is equivalent to no recursion, '1' means to step only one directory level up/down, and so on.
'recurse' defines how to recurse into the path entity, in other words what to follow during recursion. Options include symlinks, directories, or both. Note that a 'max_depth' has to be specified for recursion to take place and for this attribute to mean anything. Also note that this behavior does not apply to Windows systems since they do not support symbolic links. On Windows systems the 'recurse' behavior is always equivalent to directories.
'recurse_direction' defines the direction to recurse, either 'up' to parent directories, or 'down' into child directories. The default value is 'none' for no recursion.
'recurse_file_system' defines the file system limitation of any recursion, either 'local' limiting data collection to local file systems (as opposed to file systems mounted from an external system), or 'defined' to keep any recursion within the file system that the file_object (path+filename) has specified. The default value is 'all' meaning to use all available file systems for data collection.
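To make the filehash_object collection rules concrete, here is an added Python model of the path + filename form together with the 'max_depth', 'recurse_direction' and 'recurse' behaviors described above (this is example code written for this page, not OVAL's or any interpreter's own implementation; 'recurse_file_system' is not modelled and symlinks to files are skipped as a simplification; the sample directory tree is constructed inline).

```python
import hashlib
import os
import re
import tempfile

# Added example (not OVAL's own code): a model of filehash_object collection
# with the FilehashBehaviors max_depth, recurse_direction and recurse. Only the
# path + filename form is modelled, since the behaviors do not apply to
# filepath; recurse_file_system is not modelled.

def _hashes(fullpath):
    """md5 and sha1 hex digests of a file, read in chunks."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(fullpath, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()

def _search_dirs(path, recurse_direction, max_depth, recurse):
    """Yield the directories to look in: `path` itself, then its parents ('up')
    or children ('down'), at most max_depth levels away (-1 = no limit,
    0 = no recursion). `recurse` controls what is followed on the way down."""
    follow_links = recurse in ("symlinks", "symlinks and directories")
    enter_dirs = recurse in ("directories", "symlinks and directories")
    path = os.path.abspath(path)
    yield path
    if recurse_direction == "none" or max_depth == 0:
        return
    if recurse_direction == "up":
        cur, depth = path, 0
        while max_depth < 0 or depth < max_depth:
            parent = os.path.dirname(cur)
            if parent == cur:  # reached the file system root
                return
            yield parent
            cur, depth = parent, depth + 1
    elif recurse_direction == "down":
        pending = [(path, 0)]
        while pending:
            cur, depth = pending.pop(0)
            if 0 <= max_depth <= depth:  # depth limit reached, do not descend
                continue
            for name in sorted(os.listdir(cur)):
                full = os.path.join(cur, name)
                if not os.path.isdir(full):
                    continue
                is_link = os.path.islink(full)
                if (is_link and not follow_links) or (not is_link and not enter_dirs):
                    continue
                yield full
                pending.append((full, depth + 1))

def _name_matches(name, filename, operation):
    """Apply the filename entity's operation ('equals' or 'pattern match')."""
    if operation == "equals":
        return name == filename
    if operation == "pattern match":
        return re.search(filename, name) is not None
    raise ValueError("unsupported operation: " + operation)

def collect_filehash_items(path, filename, operation="equals", max_depth=-1,
                           recurse_direction="none",
                           recurse="symlinks and directories"):
    """Return one item per regular file whose name satisfies the filename
    entity, in every directory selected by the behaviors."""
    items = []
    for d in _search_dirs(path, recurse_direction, max_depth, recurse):
        for name in sorted(os.listdir(d)):
            full = os.path.join(d, name)
            # Only regular files are collected (the UNIX rule in the text);
            # symlinks to files are skipped here as a simplification.
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            if not _name_matches(name, filename, operation):
                continue
            md5, sha1 = _hashes(full)
            items.append({"path": d, "filename": name, "filepath": full,
                          "md5": md5, "sha1": sha1})
    return sorted(items, key=lambda i: i["filepath"])

def build_sample_tree():
    """Create a constructed directory tree for the example and return
    (root, root/sub): app.conf exists at three depths, notes.txt only at root."""
    root = tempfile.mkdtemp(prefix="filehash_example_")
    sub = os.path.join(root, "sub")
    deep = os.path.join(sub, "deep")
    os.makedirs(deep)
    for d, content in ((root, b"hello"), (sub, b"world"), (deep, b"deep")):
        with open(os.path.join(d, "app.conf"), "wb") as fh:
            fh.write(content)
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"not a match")
    return root, sub

if __name__ == "__main__":
    root, sub = build_sample_tree()
    for item in collect_filehash_items(root, "app.conf", recurse_direction="down"):
        print(item["filepath"], item["sha1"])
```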
The environmentvariable_test element is used to check an environment variable found on the system. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references an environmentvariable_object and the optional state element specifies the metadata to check. The evaluation of the test is guided by the check attribute that is inherited from the TestType.
- the object child element of an environmentvariable_test must reference an environmentvariable_object
- the state child element of an environmentvariable_test must reference an environmentvariable_state
The environmentvariable_object element is used by an environment variable test to define the specific environment variable(s) to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
This element describes the name of an environment variable.
- datatype attribute for the name entity of an environmentvariable_object should be 'string'
The environmentvariable_state element contains two entities that are used to check the name of the specified environment variable and the value associated with it.
This element describes the name of an environment variable.
- datatype attribute for the name entity of an environmentvariable_state should be 'string'
The actual value of the specified environment variable.
- datatype attribute for the value entity of an environmentvariable_state should not be 'record'
The LDAP test is used to check information about specific entries in an LDAP directory. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references an ldap_object and the optional state element, ldap_state, specifies the metadata to check. The evaluation of the test is guided by the check attribute that is inherited from the TestType.
Deprecated in version 5.7. Replaced by the ldap57_test. This test allows for single fields to be selected from an LDAP directory. A new test was created to allow more than one field to be selected in one statement. See the ldap57_test.
This test has been deprecated and may be removed in a future version of the language.
- the object child element of an ldap_test must reference an ldap_object
- the state child element of an ldap_test must reference an ldap_state
The ldap_object element is used by an LDAP test to define the objects to be evaluated based on a specified state. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
Deprecated in version 5.7. Replaced by the ldap57_object. This object allows for single fields to be selected from ldap. A new object was created to allow more than one field to be selected in one statement. See the ldap57_object.
This object has been deprecated and may be removed in a future version of the language.
Each object in an LDAP directory exists under a certain suffix (also known as a naming context). A suffix is defined as a single object in the Directory Information Tree (DIT) with every object in the tree subordinate to it.
- datatype attribute for the suffix entity of an ldap_object should be 'string'
The relative_dn field is used to uniquely identify an object inside the specified suffix. It contains all of the parts of the object's distinguished name except those outlined by the suffix. If the xsi:nil attribute is set to true, then the object being specified is the higher level suffix. In this case, the relative_dn element should not be collected or used in analysis. Setting xsi:nil equal to true is different than using a .* pattern match, which says to collect every relative distinguished name under a given suffix.
- datatype attribute for the relative_dn entity of an ldap_object should be 'string'
Specifies a named value contained by the object. If the xsi:nil attribute is set to true, the attribute element should not be collected or used in analysis. Setting xsi:nil equal to true is different than using a .* pattern match, which says to collect every attribute under a given relative distinguished name.
- datatype attribute for the attribute entity of an ldap_object should be 'string'
The ldap_state element defines the different information that can be used to evaluate the specified entries in an LDAP directory. An ldap_test will reference a specific instance of this state that defines the exact settings that need to be evaluated. Please refer to the individual elements in the schema for more details about what each represents.
Deprecated in version 5.7. Replaced by the ldap57_state. This state allows for single fields to be selected from ldap. A new state was created to allow more than one field to be selected in one statement. See the ldap57_state.
This state has been deprecated and may be removed in a future version of the language.
Each object in an LDAP directory exists under a certain suffix (also known as a naming context). A suffix is defined as a single object in the Directory Information Tree (DIT) with every object in the tree subordinate to it.
- datatype attribute for the suffix entity of an ldap_state should be 'string'
The relative_dn field is used to uniquely identify an object inside the specified suffix. It contains all of the parts of the object's distinguished name except those outlined by the suffix. If the xsi:nil attribute is set to true, then the object being specified is the higher level suffix. In this case, the relative_dn element should not be collected or used in analysis. Setting xsi:nil equal to true is different than using a .* pattern match, which says to collect every relative distinguished name under a given suffix. Note that when xsi:nil is used for the relative_dn element, the attribute element should also have the xsi:nil attribute set to true.
- datatype attribute for the relative_dn entity of an ldap_state should be 'string'
Specifies a named value contained by the object.
- datatype attribute for the attribute entity of an ldap_state should be 'string'
The name of the class of which the object is an instance.
- datatype attribute for the object_class entity of an ldap_state should be 'string'
Specifies the type of information that the specified attribute represents.
- datatype attribute for the ldaptype entity of an ldap_state should be 'string'
The actual value of the specified LDAP attribute.
- datatype attribute for the value entity of an ldap_state should not be 'record'
The LdapBehaviors complex type defines a number of behaviors that allow a more detailed definition of the ldap_object being specified.
'scope' defines the depth from the base distinguished name to which the search should occur. The base distinguished name is the starting point of the search and is composed of the specified suffix and relative distinguished name. A value of 'BASE' indicates to search only the entry at the base distinguished name, a value of 'ONE' indicates to search all entries one level under the base distinguished name - but NOT including the base distinguished name, and a value of 'SUBTREE' indicates to search all entries at all levels under, and including, the specified base distinguished name. The default value is 'BASE'.
The LDAP test is used to check information about specific entries in an LDAP directory. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references an ldap57_object and the optional state element, ldap57_state, specifies the metadata to check. The evaluation of the test is guided by the check attribute that is inherited from the TestType.
- the object child element of an ldap57_test must reference an ldap57_object
- the state child element of an ldap57_test must reference an ldap57_state
The ldap57_object element is used by an LDAP test to define the objects to be evaluated based on a specified state. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
Each object in an LDAP directory exists under a certain suffix (also known as a naming context). A suffix is defined as a single object in the Directory Information Tree (DIT) with every object in the tree subordinate to it.
- datatype attribute for the suffix entity of an ldap57_object should be 'string'
The relative_dn field is used to uniquely identify an object inside the specified suffix. It contains all of the parts of the object's distinguished name except those outlined by the suffix. If the xsi:nil attribute is set to true, then the object being specified is the higher level suffix. In this case, the relative_dn element should not be collected or used in analysis. Setting xsi:nil equal to true is different than using a .* pattern match, which says to collect every relative distinguished name under a given suffix.
- datatype attribute for the relative_dn entity of an ldap57_object should be 'string'
Specifies a named value contained by the object. If the xsi:nil attribute is set to true, the attribute element should not be collected or used in analysis. Setting xsi:nil equal to true is different than using a .* pattern match, which says to collect every attribute under a given relative distinguished name.
- datatype attribute for the attribute entity of an ldap57_object should be 'string'
The ldap57_state element defines the different information that can be used to evaluate the specified entries in an LDAP directory. An ldap57_test will reference a specific instance of this state that defines the exact settings that need to be evaluated. Please refer to the individual elements in the schema for more details about what each represents.
Each object in an LDAP directory exists under a certain suffix (also known as a naming context). A suffix is defined as a single object in the Directory Information Tree (DIT) with every object in the tree subordinate to it.
- datatype attribute for the suffix entity of an ldap57_state should be 'string'
The relative_dn field is used to uniquely identify an object inside the specified suffix. It contains all of the parts of the object's distinguished name except those outlined by the suffix. If the xsi:nil attribute is set to true, then the object being specified is the higher level suffix. In this case, the relative_dn element should not be collected or used in analysis. Setting xsi:nil equal to true is different than using a .* pattern match, which says to collect every relative distinguished name under a given suffix. Note that when xsi:nil is used for the relative_dn element, the attribute element should also have the xsi:nil attribute set to true.
- datatype attribute for the relative_dn entity of an ldap57_state should be 'string'
Specifies a named value contained by the object.
- datatype attribute for the attribute entity of an ldap57_state should be 'string'
The name of the class of which the object is an instance.
- datatype attribute for the object_class entity of an ldap57_state should be 'string'
Specifies the type of information that the specified attribute represents.
- datatype attribute for the ldaptype entity of an ldap57_state should be 'string'
The actual value of the specified LDAP attribute.
- datatype attribute for the value entity of an ldap57_state should be 'record'
The sql test is used to check information stored in a database. It is often the case that applications store configuration settings in a database as opposed to a file. This test has been designed to enable those settings to be tested. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a sql_object and the optional state element specifies the metadata to check. The evaluation of the test is guided by the check attribute that is inherited from the TestType.
Deprecated in version 5.7. Replaced by the sql57_test. This test allows for single fields to be selected from a database. A new test was created to allow more than one field to be selected in one statement. See the sql57_test.
This test has been deprecated and may be removed in a future version of the language.
- the object child element of a sql_test must reference a sql_object
- the state child element of a sql_test must reference a sql_state
The sql_object element is used by a sql test to define the specific database and query to be evaluated. Connection information is supplied allowing the tool to connect to the desired database and a query is supplied to call out the desired setting. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
Deprecated in version 5.7. Replaced by the sql57_object. This object allows for single fields to be selected from a database. A new object was created to allow more than one field to be selected in one statement. See the sql57_object.
This object has been deprecated and may be removed in a future version of the language.
The engine entity defines the specific database engine to use. Any tool looking to collect information about this object will need to know the engine in order to use the appropriate drivers to establish a connection.
- datatype attribute for the engine entity of an sql_object should be 'string'
- operation attribute for the engine entity of an sql_object should be 'equals', note that this overrules the general operation attribute validation (i.e. follow this one)
The version entity defines the specific version of the database engine to use. This is also important in determining the correct driver to use for establishing a connection.
- datatype attribute for the version entity of an sql_object should be 'string'
- operation attribute for the version entity of an sql_object should be 'equals', note that this overrules the general operation attribute validation (i.e. follow this one)
The connection_string entity defines specific connection parameters to be used in connecting to the database. This will help a tool connect to the correct database.
- datatype attribute for the connection_string entity of an sql_object should be 'string'
- operation attribute for the connection_string entity of an sql_object should be 'equals', note that this overrules the general operation attribute validation (i.e. follow this one)
The sql entity defines a query used to identify the object(s) to test against. Any valid SQL query is usable with one exception, at most one field is allowed in the SELECT portion of the query. For example SELECT name FROM ... is valid, as is SELECT 'true' FROM ..., but SELECT name, number FROM ... is not valid. This is because the result element in the data section is only designed to work against a single field.
- datatype attribute for the sql entity of a sql_object should be 'string'
- operation attribute for the sql entity of an sql_object should be 'equals', note that this overrules the general operation attribute validation (i.e. follow this one)
The sql_state element contains two entities that are used to check the name of the specified field and the value associated with it.
Deprecated in version 5.7. Replaced by the sql57_state. This state allows for single fields to be selected from a database. A new state was created to allow more than one field to be selected in one statement. See the sql57_state.
This state has been deprecated and may be removed in a future version of the language.
The engine entity defines a specific database engine.
- datatype attribute for the engine entity of an sql_state should be 'string'
The version entity defines a specific version of a given database engine.
- datatype attribute for the version entity of an sql_state should be 'string'
The connection_string entity defines a set of parameters that help identify the connection to the database.
- datatype attribute for the connection_string entity of an sql_state should be 'string'
The sql entity defines a query used to identify the object(s) to test against.
- datatype attribute for the sql entity of a sql_state should be 'string'
The result entity specifies how to test objects in the result set of the specified SQL statement. Only one comparable field is allowed. So if the SQL statement looks like 'SELECT name FROM ...', then a result entity with a value of 'Fred' would test the set of 'name' values returned by the SQL statement against the value 'Fred'.
- datatype attribute for the result entity of a sql_state should not be 'record'
The sql57 test is used to check information stored in a database. It is often the case that applications store configuration settings in a database as opposed to a file. This test has been designed to enable those settings to be tested. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a sql57_object and the optional state element specifies the metadata to check. The evaluation of the test is guided by the check attribute that is inherited from the TestType.
- the object child element of a sql57_test must reference a sql57_object
- the state child element of a sql57_test must reference a sql57_state
The sql57_object element is used by a sql test to define the specific database and query to be evaluated. Connection information is supplied allowing the tool to connect to the desired database and a query is supplied to call out the desired setting. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
The engine entity defines the specific database engine to use. Any tool looking to collect information about this object will need to know the engine in order to use the appropriate drivers to establish a connection.
- datatype attribute for the engine entity of an sql57_object should be 'string'
- operation attribute for the engine entity of an sql57_object should be 'equals', note that this overrules the general operation attribute validation (i.e. follow this one)
The version entity defines the specific version of the database engine to use. This is also important in determining the correct driver to use for establishing a connection.
- datatype attribute for the version entity of an sql57_object should be 'string'
- operation attribute for the version entity of an sql57_object should be 'equals', note that this overrules the general operation attribute validation (i.e. follow this one)
The connection_string entity defines specific connection parameters to be used in connecting to the database. This will help a tool connect to the correct database.
- datatype attribute for the connection_string entity of an sql57_object should be 'string'
- operation attribute for the connection_string entity of an sql57_object should be 'equals', note that this overrules the general operation attribute validation (i.e. follow this one)
The sql entity defines a query used to identify the object(s) to test against. Any valid SQL query is usable with one exception, at most one field is allowed in the SELECT portion of the query. For example SELECT name FROM ... is valid, as is SELECT 'true' FROM ..., but SELECT name, number FROM ... is not valid. This is because the result element in the data section is only designed to work against a single field.
- datatype attribute for the sql entity of a sql57_object should be 'string'
- operation attribute for the sql entity of an sql57_object should be 'equals', note that this overrules the general operation attribute validation (i.e. follow this one)
The sql57_state element contains two entities that are used to check the name of the specified field and the value associated with it.
The engine entity defines a specific database engine.
- datatype attribute for the engine entity of an sql57_state should be 'string'
The version entity defines a specific version of a given database engine.
- datatype attribute for the version entity of an sql57_state should be 'string'
The connection_string entity defines a set of parameters that help identify the connection to the database.
- datatype attribute for the connection_string entity of an sql57_state should be 'string'
The sql entity defines a query used to identify the object(s) to test against.
- datatype attribute for the sql entity of a sql57_state should be 'string'
The result entity specifies how to test objects in the result set of the specified SQL statement.
- datatype attribute for the result entity of a sql57_state should be 'record'
The textfilecontent54_test element is used to check the contents of a text file (aka a configuration file) by looking at individual blocks of text. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a textfilecontent54_object and the optional state element specifies the metadata to check. The evaluation of the test is guided by the check attribute that is inherited from the TestType.
- the object child element of a textfilecontent54_test must reference a textfilecontent54_object
- the state child element of a textfilecontent54_test must reference a textfilecontent54_state
The textfilecontent54_object element is used by a textfilecontent54_test to define the specific block(s) of text of a file(s) to be evaluated. The textfilecontent54_object will only collect regular files on UNIX systems and FILE_TYPE_DISK files on Windows systems. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
The set of files to be evaluated may be identified with either a complete filepath or a path and filename. Only one of these options may be selected.
It is important to note that the 'max_depth' and 'recurse_direction' attributes of the 'behaviors' element do not apply to the 'filepath' element, only to the 'path' and 'filename' elements. This is because the 'filepath' element represents an absolute path to a particular file and it is not possible to recurse over a file.
The filepath element specifies the absolute path for a file on the machine. A directory cannot be specified as a filepath.
- datatype attribute for the filepath entity of a textfilecontent54_object should be 'string'
- the max_depth and recurse_direction behaviors are not allowed with a filepath entity
The path element specifies the directory component of the absolute path to a file on the machine.
- datatype attribute for the path entity of a textfilecontent54_object should be 'string'
The filename entity specifies the name of a file.
- datatype attribute for the filename entity of a textfilecontent54_object should be 'string'
The pattern entity defines a chunk of text in a file and is represented using a regular expression. A subexpression (using parentheses) can call out a piece of the text block to test. For example, the pattern abc(.*)xyz would look for a block of text in the file that starts with abc and ends with xyz, with the subexpression being all the characters that exist in between. The value of the subexpression can then be tested using the subexpression entity of a textfilecontent54_state. Note that if the pattern, starting at the same point in the file, matches more than one block of text, then it matches the longest. For example, given a file with abcdefxyzxyzabc, then the pattern abc(.*)xyz would match the block abcdefxyzxyz. Subexpressions also match the longest possible substrings, subject to the constraint that the whole match be as long as possible, with subexpressions starting earlier in the pattern taking priority over ones starting later.
Note that when using regular expressions, OVAL supports a common subset of the regular expression character classes, operations, expressions and other lexical tokens defined within Perl 5's regular expression specification. For more information on the supported regular expression syntax in OVAL see: http://oval.mitre.org/language/about/re_support_5.6.html.
- datatype attribute for the pattern entity of a textfilecontent54_object should be 'string'
- operation attribute for the pattern entity of a textfilecontent54_object should be 'pattern match'
The instance entity calls out a specific match of the pattern. The first match is given an instance value of 1, the second match is given an instance value of 2, and so on. Note that the main purpose of this entity is to provide uniqueness for the different textfilecontent_items that result from multiple matches of a given pattern against the same file. Most likely this entity will be defined as greater than or equal to 1, which would result in the object representing the set of all matches of the pattern.
- datatype attribute for the instance entity of a textfilecontent54_object should be 'int'
The textfilecontent54_state element contains entities that are used to check the file path and name, as well as the text block in question and the value of the subexpressions.
The filepath element specifies the absolute path for a file on the machine. A directory cannot be specified as a filepath.
- datatype attribute for the filepath entity of a textfilecontent54_state should be 'string'
The path element specifies the directory component of the absolute path to a file on the machine.
- datatype attribute for the path entity of a textfilecontent54_state should be 'string'
The filename entity represents the name of a file.
- datatype attribute for the filename entity of a textfilecontent54_state should be 'string'
The pattern entity represents a regular expression that is used to define a block of text.
- datatype attribute for the pattern entity of a textfilecontent54_state should be 'string'
The instance entity calls out a specific match of the pattern.
- datatype attribute for the instance entity of a textfilecontent54_state should be 'int'
The text entity represents the block of text that matched the specified pattern.
- datatype attribute for the text entity of a textfilecontent54_state should be 'string'
The subexpression entity represents a value to test against the subexpression in the specified pattern. If multiple subexpressions are specified in the pattern, this value is tested against all of them. For example, if the pattern abc(.*)mno(.*)xyp was supplied, and the state specifies a subexpression value of enabled, then the test would check that both (or at least one, none, etc. depending on the entity_check attribute) of the subexpressions have a value of enabled.
- datatype attribute for the entity of an should not be 'record'
The Textfilecontent54Behaviors complex type defines a number of behaviors that allow a more detailed definition of the textfilecontent54_object being specified. Note that using these behaviors may result in some unique results. For example, a double negative type condition might be created where an object entity says include everything except a specific item, but a behavior is used that might then add that item back in.
It is important to note that the 'max_depth' and 'recurse_direction' attributes of the 'behaviors' element do not apply to the 'filepath' element, only to the 'path' and 'filename' elements. This is because the 'filepath' element represents an absolute path to a particular file and it is not possible to recurse over a file.
'max_depth' defines the maximum depth of recursion to perform when a recurse_direction is specified. A value of '0' is equivalent to no recursion, '1' means to step only one directory level up/down, and so on. The default value is '-1' meaning no limitation. Note that the default recurse_direction behavior is 'none' so even though max_depth specifies no limitation by default, the recurse_direction behavior turns recursion off.
'recurse' defines how to recurse into the path entity, in other words what to follow during recursion. Options include symlinks, directories, or both. Note that a max_depth has to be specified for recursion to take place and for this attribute to mean anything. Also note that this behavior does not apply to Windows systems since they do not support symbolic links. On Windows systems the 'recurse' behavior is always equivalent to directories.
'recurse_direction' defines the direction, either 'up' to parent directories, or 'down' into child directories to recursively search for files. When recursing up or down, one is limited by the max_depth behavior. Note that it is not an error if max_depth specifies a certain level of recursion and that level does not exist. Recursing should only go as deep as available. The default value is 'none' for no recursion.
'recurse_file_system' defines the file system limitation of any recursion, either 'local' limiting data collection to local file systems (as opposed to file systems mounted from an external system), or 'defined' to keep any recursion within the file system that the file_object (path+filename) has specified. The default value is 'all' meaning to use all available file systems for data collection.
'ignore_case' indicates whether case should be considered when matching system values against the regular expression provided by the pattern entity. This behavior is intended to align with the Perl regular expression 'i' modifier: if true, case will be ignored. If false, case will not be ignored. The default is false.
'multiline' enables multiple line semantics in the regular expression provided by the pattern entity. This behavior is intended to align with the Perl regular expression 'm' modifier: if true, the '^' and '$' metacharacters will match both at the beginning/end of a string, and immediately after/before newline characters. If false, they will match only at the beginning/end of a string. The default is true.
'singleline' enables single line semantics in the regular expression provided by the pattern entity. This behavior is intended to align with the Perl regular expression 's' modifier: if true, the '.' metacharacter will match newlines. If false, it will not. The default is false.
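The pattern, instance, subexpression and entity_check semantics described above, together with the ignore_case, multiline and singleline behaviors, can be modelled with Python's re module. The following is an added illustration, not MITRE's or any OVAL interpreter's code; the configuration text it evaluates is constructed for the example.

```python
"""Model of how an OVAL textfilecontent54_object/_state pair evaluates a file.

Added illustration (not MITRE code) mirroring the documented pattern, instance,
subexpression, entity_check and ignore_case/multiline/singleline semantics.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample configuration text (not from the schema documentation).
SAMPLE_CONFIG = (
    "# constructed sample configuration\n"
    "PermitRootLogin yes\n"
    "PasswordAuthentication no\n"
    "permitrootlogin no\n"
    "Banner /etc/issue.net\n"
)


@dataclass
class Behaviors:
    """Textfilecontent54Behaviors regex modifiers with their documented defaults."""
    ignore_case: bool = False   # Perl 'i'
    multiline: bool = True      # Perl 'm'
    singleline: bool = False    # Perl 's'

    def flags(self) -> int:
        f = 0
        if self.ignore_case:
            f |= re.IGNORECASE
        if self.multiline:
            f |= re.MULTILINE   # '^' and '$' also match around newlines
        if self.singleline:
            f |= re.DOTALL      # '.' also matches a newline
        return f


@dataclass
class Item:
    """One collected item: instance number, matched block, subexpression values."""
    instance: int
    text: str
    subexpressions: List[str]


def collect_items(content: str, pattern: str,
                  behaviors: Behaviors = Behaviors()) -> List[Item]:
    """Collect every match of the object's pattern, numbering instances from 1
    (the 'greater than or equal 1' case). Python's re is greedy, so abc(.*)xyz
    on 'abcdefxyzxyzabc' yields the documented longest block 'abcdefxyzxyz'."""
    rx = re.compile(pattern, behaviors.flags())
    return [
        Item(n, m.group(0), [g if g is not None else "" for g in m.groups()])
        for n, m in enumerate(rx.finditer(content), start=1)
    ]


def combine(results: List[bool], mode: str) -> bool:
    """OVAL CheckEnumeration, shared by entity_check and the test's check."""
    if mode == "all":
        return all(results)
    if mode == "at least one":
        return any(results)
    if mode == "none satisfy":
        return not any(results)
    if mode == "only one":
        return results.count(True) == 1
    raise ValueError(f"unknown check value: {mode}")


def check_subexpression(item: Item, expected: str, entity_check: str = "all") -> bool:
    """Compare the state's subexpression value (operation 'equals') against every
    subexpression of one item and combine the outcomes with entity_check."""
    if not item.subexpressions:
        return False
    return combine([s == expected for s in item.subexpressions], entity_check)


def evaluate_test(content: str, pattern: str, expected: str,
                  behaviors: Behaviors = Behaviors(),
                  entity_check: str = "all", check: str = "all") -> Optional[bool]:
    """Evaluate object plus state over one file. Returns None when nothing
    matched, since an absent object is reported separately from true/false."""
    items = collect_items(content, pattern, behaviors)
    if not items:
        return None
    return combine([check_subexpression(i, expected, entity_check) for i in items], check)


if __name__ == "__main__":
    pat = r"^PermitRootLogin\s+(\S+)$"
    for ic in (False, True):
        found = collect_items(SAMPLE_CONFIG, pat, Behaviors(ignore_case=ic))
        print(f"ignore_case={ic}:", [(i.instance, i.subexpressions) for i in found])
    print("every instance set to 'no'?",
          evaluate_test(SAMPLE_CONFIG, pat, "no", Behaviors(ignore_case=True)))
```

Toggling ignore_case changes how many instances are collected and therefore the verdict of a check="all" test, which is the kind of behavior difference an assessment author needs to reason about before trusting a result.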
The textfilecontent_test element is used to check the contents of a text file (aka a configuration file) by looking at individual lines. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a textfilecontent_object and the optional state element specifies the metadata to check. The evaluation of the test is guided by the check attribute that is inherited from the TestType.
Deprecated in version 5.4. Replaced by the textfilecontent54_test. Support for multi-line pattern matching and multi-instance matching was added. Therefore, a new test was created to reflect these changes. See the textfilecontent54_test.
This test has been deprecated and will be removed in version 6.0 of the language.
- the object child element of a textfilecontent_test must reference a textfilecontent_object
- the state child element of a textfilecontent_test must reference a textfilecontent_state
The textfilecontent_object element is used by a text file content test to define the specific line(s) of a file(s) to be evaluated. The textfilecontent_object will only collect regular files on UNIX systems and FILE_TYPE_DISK files on Windows systems. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
Deprecated in version 5.4. Replaced by the textfilecontent54_object. Support for multi-line pattern matching and multi-instance matching was added. Therefore, a new object was created to reflect these changes. See the textfilecontent54_object.
This object has been deprecated and will be removed in version 6.0 of the language.
The path element specifies the directory component of the absolute path to a file on the machine.
- datatype attribute for the path entity of a textfilecontent_object should be 'string'
The filename element specifies the name of the file.
- datatype attribute for the filename entity of a textfilecontent_object should be 'string'
The line element represents a line in the file and is represented using a regular expression. A single subexpression can be called out using parentheses. The value of this subexpression can then be checked using a textfilecontent_state.
Note that when using regular expressions, OVAL supports a common subset of the regular expression character classes, operations, expressions and other lexical tokens defined within Perl 5's regular expression specification. For more information on the supported regular expression syntax in OVAL see: http://oval.mitre.org/language/about/re_support_5.6.html.
- datatype attribute for the line entity of a textfilecontent_object should be 'string'
- operation attribute for the line entity of a textfilecontent_object should be 'pattern match'
The textfilecontent_state element contains entities that are used to check the file path and name, as well as the line in question and the value of the specific subexpression.
Deprecated in version 5.4. Replaced by the textfilecontent54_state. Support for multi-line pattern matching and multi-instance matching was added. Therefore, a new state was created to reflect these changes. See the textfilecontent54_state.
This state has been deprecated and will be removed in version 6.0 of the language.
The path element specifies the directory component of the absolute path to a file on the machine.
- datatype attribute for the path entity of a textfilecontent_state should be 'string'
The filename element specifies the name of the file.
- datatype attribute for the filename entity of a textfilecontent_state should be 'string'
The line element represents a line in the file that was collected.
- datatype attribute for the line entity of a textfilecontent_state should be 'string'
Each subexpression in the regular expression of the line element is then tested against the value specified in the subexpression element.
- datatype attribute for the entity of an should not be 'record'
The TextfilecontentBehaviors complex type defines a number of behaviors that allow a more detailed definition of the textfilecontent_object being specified. Note that using these behaviors may result in some unique results. For example, a double negative type condition might be created where an object entity says include everything except a specific item, but a behavior is used that might then add that item back in.
It is important to note that the 'max_depth' and 'recurse_direction' attributes of the 'behaviors' element do not apply to the 'filepath' element, only to the 'path' and 'filename' elements. This is because the 'filepath' element represents an absolute path to a particular file and it is not possible to recurse over a file.
'max_depth' defines the maximum depth of recursion to perform when a recurse_direction is specified. A value of '0' is equivalent to no recursion, '1' means to step only one directory level up/down, and so on. The default value is '-1' meaning no limitation. Note that the default recurse_direction behavior is 'none' so even though max_depth specifies no limitation by default, the recurse_direction behavior turns recursion off.
'recurse_direction' defines the direction, either 'up' to parent directories, or 'down' into child directories to recursively search for files. When recursing up or down, one is limited by the max_depth behavior. Note that it is not an error if max_depth specifies a certain level of recursion and that level does not exist. Recursing should only go as deep as available. The default value is 'none' for no recursion.
An unknown test acts as a placeholder for tests whose implementation is unknown. Any information that is known about the test should be held in the notes child element that is available through the extension of the abstract test element. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. Note that for an unknown test, the required check attribute that is part of the extended TestType should be ignored during evaluation and hence can be set to any valid value.
The variable test allows the value of a variable to be compared to a defined value. As an example one might use this test to validate that a variable being passed in from an external source falls within a specified range. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a variable_object and the optional state element specifies the value to check. The evaluation of the test is guided by the check attribute that is inherited from the TestType.
- the object child element of a variable_test must reference a variable_object
- the state child element of a variable_test must reference a variable_state
The var_ref entity specifies the id of the variable to be checked.
- datatype attribute for the var_ref entity of a variable_object should be 'string'
- var_ref attribute for the var_ref entity of a variable_object is prohibited.
The variable_state element contains two entities that are used to check the var_ref of the specified variable and the value associated with it.
The id of the variable.
- datatype attribute for the var_ref entity of a variable_state should be 'string'
- var_ref attribute for the var_ref entity of a variable_state is prohibited.
The value of the variable.
The xmlfilecontent_test element is used to explore the contents of an xml file. This test allows specific pieces of an xml document, specified using XPath, to be tested. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references an xmlfilecontent_object and the optional state element specifies the metadata to check. The evaluation of the test is guided by the check attribute that is inherited from the TestType.
- the object child element of an xmlfilecontent_test must reference an xmlfilecontent_object
- the state child element of an xmlfilecontent_test must reference an xmlfilecontent_state
The xmlfilecontent_object element is used by an xml file content test to define the specific piece of an xml file(s) to be evaluated. The xmlfilecontent_object will only collect regular files on UNIX systems and FILE_TYPE_DISK files on Windows systems. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
The set of files to be evaluated may be identified with either a complete filepath or a path and filename. Only one of these options may be selected.
It is important to note that the 'max_depth' and 'recurse_direction' attributes of the 'behaviors' element do not apply to the 'filepath' element, only to the 'path' and 'filename' elements. This is because the 'filepath' element represents an absolute path to a particular file and it is not possible to recurse over a file.
The filepath element specifies the absolute path for a file on the machine. A directory cannot be specified as a filepath.
- datatype attribute for the filepath entity of a xmlfilecontent_object should be 'string'
- the max_depth and recurse_direction behaviors are not allowed with a filepath entity
The path element specifies the directory component of the absolute path to a file on the machine.
- datatype attribute for the path entity of a xmlfilecontent_object should be 'string'
The filename element specifies the name of the file.
- datatype attribute for the filename entity of a xmlfilecontent_object should be 'string'
Specifies an XPath expression describing the text node(s) or attribute(s) to look at. Any valid XPath 1.0 statement is usable with one exception: at most one field may be identified in the XPath. This is because the value_of element in the data section is only designed to work against a single field. The only valid operation for xpath is equals, since there is an infinite number of possible xpaths and determining all those that do not equal a given xpath would be impossible.
- datatype attribute for the xpath entity of a xmlfilecontent_object should be 'string'
- operation attribute for the xpath entity of a xmlfilecontent_object should be 'equals', note that this overrules the general operation attribute validation (i.e. follow this one)
The xmlfilecontent_state element contains entities that are used to check the file path and name, as well as the xpath used and the value of this xpath.
The filepath element specifies the absolute path for a file on the machine. A directory cannot be specified as a filepath.
- datatype attribute for the filepath entity of a xmlfilecontent_state should be 'string'
The path element specifies the directory component of the absolute path to a file on the machine.
- datatype attribute for the path entity of a xmlfilecontent_state should be 'string'
The filename element specifies the name of the file.
- datatype attribute for the filename entity of a xmlfilecontent_state should be 'string'
Specifies an XPath expression describing the text node(s) or attribute(s) to look at.
- datatype attribute for the xpath entity of a xmlfilecontent_state should be 'string'
The value_of element checks the value(s) of the text node(s) or attribute(s) found.
- datatype attribute for the value_of entity of a xmlfilecontent_state should be 'string'
The XmlfilecontentBehaviors complex type defines a number of behaviors that allow a more detailed definition of the xmlfilecontent_object being specified. Note that using these behaviors may result in some unique results. For example, a double negative type condition might be created where an object entity says include everything except a specific item, but a behavior is used that might then add that item back in.
It is important to note that the 'max_depth' and 'recurse_direction' attributes of the 'behaviors' element do not apply to the 'filepath' element, only to the 'path' and 'filename' elements. This is because the 'filepath' element represents an absolute path to a particular file and it is not possible to recurse over a file.
'max_depth' defines the maximum depth of recursion to perform when a recurse_direction is specified. A value of '0' is equivalent to no recursion, '1' means to step only one directory level up/down, and so on. The default value is '-1' meaning no limitation. Note that the default recurse_direction behavior is 'none' so even though max_depth specifies no limitation by default, the recurse_direction behavior turns recursion off.
'recurse' defines how to recurse into the path entity, in other words what to follow during recursion. Options include symlinks, directories, or both. Note that a max_depth has to be specified for recursion to take place and for this attribute to mean anything. Also note that this behavior does not apply to Windows systems since they do not support symbolic links. On Windows systems the 'recurse' behavior is always equivalent to directories.
'recurse_direction' defines the direction, either 'up' to parent directories, or 'down' into child directories to recursively search for files. When recursing up or down, one is limited by the max_depth behavior. Note that it is not an error if max_depth specifies a certain level of recursion and that level does not exist. Recursing should only go as deep as available. The default value is 'none' for no recursion.
'recurse_file_system' defines the file system limitation of any recursion, either 'local' limiting data collection to local file systems (as opposed to file systems mounted from an external system), or 'defined' to keep any recursion within the file system that the file_object (path+filename) has specified. The default value is 'all' meaning to use all available file systems for data collection.
The EntityObjectEngineType complex type defines a string entity value that is restricted to a set of enumerations. Each valid enumeration is a valid database engine. The empty string is also allowed to support empty elements associated with variable references.
The access value describes the Microsoft Access database engine.
The db2 value describes the IBM DB2 database engine.
The cache value describes the InterSystems Cache database engine.
The firebird value describes the Firebird database engine.
The firstsql value describes the FirstSQL database engine.
The foxpro value describes the Microsoft FoxPro database engine.
The informix value describes the IBM Informix database engine.
The ingres value describes the Ingres database engine.
The interbase value describes the Embarcadero Technologies InterBase database engine.
The lightbase value describes the Light Infocon LightBase database engine.
The maxdb value describes the SAP MaxDB database engine.
The monetdb value describes the MonetDB SQL database engine.
The mimer value describes the Mimer SQL database engine.
The oracle value describes the Oracle database engine.
The paradox value describes the Paradox database engine.
The pervasive value describes the Pervasive PSQL database engine.
The postgre value describes the PostgreSQL database engine.
The sqlbase value describes the Unify SQLBase database engine.
The sqlite value describes the SQLite database engine.
The sqlserver value describes the Microsoft SQL database engine.
The sybase value describes the Sybase database engine.
The empty string value is permitted here to allow for empty elements associated with variable references.
The EntityStateEngineType complex type defines a string entity value that is restricted to a set of enumerations. Each valid enumeration is a valid database engine. The empty string is also allowed to support empty elements associated with variable references.
The access value describes the Microsoft Access database engine.
The db2 value describes the IBM DB2 database engine.
The cache value describes the InterSystems Cache database engine.
The firebird value describes the Firebird database engine.
The firstsql value describes the FirstSQL database engine.
The foxpro value describes the Microsoft FoxPro database engine.
The informix value describes the IBM Informix database engine.
The ingres value describes the Ingres database engine.
The interbase value describes the Embarcadero Technologies InterBase database engine.
The lightbase value describes the Light Infocon LightBase database engine.
The maxdb value describes the SAP MaxDB database engine.
The monetdb value describes the MonetDB SQL database engine.
The mimer value describes the Mimer SQL database engine.
The oracle value describes the Oracle database engine.
The paradox value describes the Paradox database engine.
The pervasive value describes the Pervasive PSQL database engine.
The postgre value describes the PostgreSQL database engine.
The sqlbase value describes the Unify SQLBase database engine.
The sqlite value describes the SQLite database engine.
The sqlserver value describes the Microsoft SQL database engine.
The sybase value describes the Sybase database engine.
The empty string value is permitted here to allow for empty elements associated with variable references.
The EntityStateFamilyType complex type defines a string entity value that is restricted to a set of enumerations. Each valid enumeration is a high-level operating system family. The empty string is also allowed to support empty elements associated with variable references.
The ios value describes the Cisco IOS operating system.
The macos value describes the Mac operating system.
The unix value describes the UNIX operating system.
The windows value describes the Windows operating system.
The empty string value is permitted here to allow for empty elements associated with variable references.
The EntityObjectVariableRefType complex type defines a string object entity that has a valid OVAL variable id as the value. The empty string is also allowed to support empty elements associated with variable references.
The EntityStateVariableRefType complex type defines a string state entity that has a valid OVAL variable id as the value. The empty string is also allowed to support empty elements associated with variable references.
The EntityStateLdaptypeType complex type restricts a string value to a specific set of values that specify the different types of information that an ldap attribute can represent. The empty string is also allowed to support empty elements associated with variable references.
The data type is the attribute type description.
The string is of Distinguished Name (path) of a directory service object.
The bit string type.
The string is displayable on screen or in print.
The string is of a numeral to be interpreted as text.
The data is of a Boolean value.
The data is of an integer value.
The data is of the universal time as expressed in Universal Time Coordinate (UTC).
The data is of generalized time.
The directory string.
The object class description type.
The data is binary.
The data is of a time stamp in seconds.
Deprecated in version 5.7. This value was accidentally carried over from the win-def:EntityStateAdstypeType as it was used as a template for the ind-def:EntityStateLdaptypeType.
This value has been deprecated and will be removed in version 6.0 of the language.
The data is of an e-mail message.
Deprecated in version 5.7. This value was accidentally carried over from the win-def:EntityStateAdstypeType as it was used as a template for the ind-def:EntityStateLdaptypeType.
This value has been deprecated and will be removed in version 6.0 of the language.
The empty string value is permitted here to allow for empty elements associated with variable references.