The following is a description of the elements, types, and attributes that compose the Linux specific tests found in Open Vulnerability and Assessment Language (OVAL). Each test is an extension of the standard test element defined in the Core Definition Schema. Through extension, each test inherits a set of elements and attributes that are shared amongst all OVAL tests. Each test is described in detail and should provide the information necessary to understand what each element and attribute represents. This document is intended for developers and assumes some familiarity with XML. A high level description of the interaction between the different tests and their relationship to the Core Definition Schema is not outlined here.
The OVAL Schema is maintained by The MITRE Corporation and developed by the public OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.mitre.org.
The dpkginfo test is used to check information for a given DPKG package. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a dpkginfo_object and the optional state element specifies the data to check. The evaluation of the test is guided by the check attribute that is inherited from the TestType.
Extends: oval-def:TestType
Child Elements Type MinOccurs MaxOccurs object oval-def:ObjectRefType 1 1 state oval-def:StateRefType 0 unbounded
The dpkginfo_object element is used by a dpkginfo test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
A dpkginfo object consists of a single name entity that identifies the package being checked.
Extends: oval-def:ObjectType
Child Elements Type MinOccurs MaxOccurs name oval-def:EntityObjectStringType 1 1 This is the package name to check. oval-def:filter n/a 0 unbounded
The dpkginfo_state element defines the different information that can be used to evaluate the specified DPKG package. This includes the architecture, epoch number, release, and version numbers. Please refer to the individual elements in the schema for more details about what each represents.
Extends: oval-def:StateType
Child Elements Type MinOccurs MaxOccurs name oval-def:EntityStateStringType 0 1 This is the DPKG package name to check. arch oval-def:EntityStateStringType 0 1 This is the architecture for which the package was built, like : i386, ppc, sparc, noarch. epoch Restriction of oval-def:EntityStateAnySimpleType. See schema for details. 0 1 This is the epoch number of the DPKG. For a null epoch (or '(none)' as returned by dpkg) the string '(none)' should be used. release Restriction of oval-def:EntityStateAnySimpleType. See schema for details. 0 1 This is the release number of the build, changed by the vendor/builder. version Restriction of oval-def:EntityStateAnySimpleType. See schema for details. 0 1 This is the version number of the build. evr oval-def:EntityStateEVRStringType 0 1 This represents the epoch, version, and release fields as a single version string. It has the form "EPOCH:VERSION-RELEASE".
The iflisteners_test is used to check what applications such as packet sniffers that are bound to an interface on the system. This is limited to applications that are listening on AF_PACKET sockets. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references an iflisteners_object and the optional iflisteners_state element specifies the data to check. The evaluation of the test is guided by the check attribute that is inherited from the TestType.
Extends: oval-def:TestType
Child Elements Type MinOccurs MaxOccurs object oval-def:ObjectRefType 1 1 state oval-def:StateRefType 0 unbounded
The iflisteners_object element is used by an iflisteners_test to define the specific interface to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
Extends: oval-def:ObjectType
Child Elements Type MinOccurs MaxOccurs interface_name oval-def:EntityObjectStringType 1 1 The interface_name entity specifies the name of the interface (eth0, eth1, fw0, etc.) to check. oval-def:filter n/a 0 unbounded
The iflisteners_state element defines the different information that can be used to evaluate the specified applications that are listening on interfaces on the system. This includes the interface name, protocol, hardware address, program name, pid, and user id. Please refer to the individual elements in the schema for more details about what each represents.
Extends: oval-def:StateType
Child Elements Type MinOccurs MaxOccurs interface_name oval-def:EntityStateStringType 0 1 This is the name of the interface (eth0, eth1, fw0, etc.). protocol linux-def:EntityStateProtocolType 0 1 This is the physical layer protocol used by the AF_PACKET socket. hw_address oval-def:EntityStateStringType 0 1 This is the hardware address associated with the interface. program_name oval-def:EntityStateStringType 0 1 This is the name of the communicating program. pid oval-def:EntityStateIntType 0 1 The pid is the process ID of a specific process. user_id oval-def:EntityStateStringType 0 1 The numeric user id, or uid, is the third column of each user's entry in /etc/passwd. It represents the owner, and thus privilege level, of the specified program.
The inet listening servers test is used to check what applications are listening on the network. This is limited to applications that are listening for connections that use the TCP or UDP protocols and have addresses represented as IPv4 or IPv6 addresses (AF_INET or AF_INET6). It is generally using the parsed output of running the command netstat -tuwlnpe with root privilege. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references an inetlisteningservers_object and the optional state element specifies the data to check. The evaluation of the test is guided by the check attribute that is inherited from the TestType.
Extends: oval-def:TestType
Child Elements Type MinOccurs MaxOccurs object oval-def:ObjectRefType 1 1 state oval-def:StateRefType 0 unbounded
The inetlisteningservers_object element is used by an inet listening servers test to define the specific protocol-address-port to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
An inet listening servers object consists of three entities. The first identifies a specific IP address. The second entity represents a certain port number. While the third identifies the protocol.
Extends: oval-def:ObjectType
Child Elements Type MinOccurs MaxOccurs protocol oval-def:EntityObjectStringType 1 1 The protocol entity defines a certain transport-layer protocol, in lowercase: tcp or udp. local_address oval-def:EntityObjectIPAddressStringType 1 1 This is the IP address of the network interface on which an application listens. Note that the IP address can be IPv4 or IPv6. local_port oval-def:EntityObjectIntType 1 1 This is the TCP or UDP port on which an application would listen. Note that this is not a list -- if a program listens on multiple ports, or on a combination of TCP and UDP, each will be represented by its own object. oval-def:filter n/a 0 unbounded
The inetlisteningservers_state element defines the different information that can be used to evaluate the specified inet listening server. This includes the local address, foreign address, port information, and process id. Please refer to the individual elements in the schema for more details about what each represents.
Extends: oval-def:StateType
Child Elements Type MinOccurs MaxOccurs protocol oval-def:EntityStateStringType 0 1 The protocol entity defines the specific transport-layer protocol, in lowercase: tcp or udp, associated with the inet listening server. local_address oval-def:EntityStateIPAddressStringType 0 1 This is the IP address of the network interface on which the program listens. Note that the IP address can be IPv4 or IPv6. local_port oval-def:EntityStateIntType 0 1 This is the TCP or UDP port number associated with the inet listening server. local_full_address oval-def:EntityStateStringType 0 1 This is the IP address and network port number associated with the inet listening server, equivalent to local_address:local_port. Note that the IP address can be IPv4 or IPv6. program_name oval-def:EntityStateStringType 0 1 This is the name of the communicating program. foreign_address oval-def:EntityStateIPAddressStringType 0 1 This is the IP address with which the program is communicating, or with which it will communicate, in the case of a listening server. Note that the IP address can be IPv4 or IPv6. foreign_port oval-def:EntityStateIntType 0 1 This is the TCP or UDP port to which the program communicates. In the case of a listening program accepting new connections, this is usually a *. foreign_full_address oval-def:EntityStateStringType 0 1 This is the IP address and network port to which the program is communicating or will accept communications from, equivalent to foreign_address:foreign_port. Note that the IP address can be IPv4 or IPv6. pid oval-def:EntityStateIntType 0 1 The pid is the process ID of a specific process. user_id oval-def:EntityStateIntType 0 1 The numeric user id, or uid, is the third column of each user's entry in /etc/passwd. It represents the owner, and thus privilege level, of the specified program.
The partition_test is used to check the information associated with partitions on the local system. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a partition_object and the optional state element references a partition_state that specifies the information to check. The evaluation of the test is guided by the check attribute that is inherited from the TestType.
Extends: oval-def:TestType
Child Elements Type MinOccurs MaxOccurs object oval-def:ObjectRefType 1 1 state oval-def:StateRefType 0 unbounded
The partition_object is used by a partition_test to define which partitions on the local system should be collected. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
Extends: oval-def:ObjectType
Child Elements Type MinOccurs MaxOccurs mount_point oval-def:EntityObjectStringType 1 1 The mount_point element specifies the mount points of the partitions that should be collected from the local system. oval-def:filter n/a 0 unbounded
The partition_state element defines the different information associated with a partition. This includes the name, filesystem type, mount options, total space, space used, and space left. Please refer to the individual elements in the schema for more details about what each represents.
Extends: oval-def:StateType
Child Elements Type MinOccurs MaxOccurs mount_point oval-def:EntityStateStringType 0 1 The mount_point element contains a string that represents the mount point of a partition on the local system. device oval-def:EntityStateStringType 0 1 The device element contains a string that represents the name of the device. uuid oval-def:EntityStateStringType 0 1 The uuid element contains a string that represents the universally unique identifier associated with a partition. fs_type linux-def:EntityStateFileSystemTypeType 0 1 The fs_type element contains a string that represents the type of filesystem on a partition. mount_options oval-def:EntityStateStringType 0 1 The mount_options element contains a string that represents the mount options associated with a partition. total_space oval-def:EntityStateIntType 0 1 The total_space element contains an integer that represents the total number of blocks on a partition. space_used oval-def:EntityStateIntType 0 1 The space_used element contains an integer that represents the number of blocks used on a partition. space_left oval-def:EntityStateIntType 0 1 The space_left element contains an integer that represents the number of blocks left on a partition.
The rpm info test is used to check the RPM header information for a given RPM package. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a rpminfo_object and the optional state element specifies the data to check. The evaluation of the test is guided by the check attribute that is inherited from the TestType.
Extends: oval-def:TestType
Child Elements Type MinOccurs MaxOccurs object oval-def:ObjectRefType 1 1 state oval-def:StateRefType 0 unbounded
The rpminfo_object element is used by a rpm info test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
A rpm info object consists of a single name entity that identifies the package being checked.
Extends: oval-def:ObjectType
Child Elements Type MinOccurs MaxOccurs name oval-def:EntityObjectStringType 1 1 This is the package name to check. oval-def:filter n/a 0 unbounded
The rpminfo_state element defines the different information that can be used to evaluate the specified rpm. This includes the architecture, epoch number, and version numbers. Most of this information can be obtained through the rpm function. Please refer to the individual elements in the schema for more details about what each represents.
Extends: oval-def:StateType
Child Elements Type MinOccurs MaxOccurs name oval-def:EntityStateStringType 0 1 This is the package name to check. arch oval-def:EntityStateStringType 0 1 This is the architecture for which the RPM was built, like : i386, ppc, sparc, noarch. In the case of an apache rpm named httpd-2.0.40-21.11.4.i686.rpm, this value would be i686. epoch Restriction of oval-def:EntityStateAnySimpleType. See schema for details. 0 1 This is the epoch number of the RPM, this is used as a kludge for version-release comparisons where the vendor has done some kind of re-numbering or version forking. For a null epoch (or '(none)' as returned by rpm) the string '(none)' should be used.. This number is not revealed by a normal query of the RPM's information -- you must use a formatted rpm query command to gather this data from the command line, like so. For an already-installed RPM: rpm -q --qf '%{EPOCH}\n' installed_rpm For an RPM file that has not been installed: rpm -qp --qf '%{EPOCH}\n' rpm_file release Restriction of oval-def:EntityStateAnySimpleType. See schema for details. 0 1 This is the release number of the build, changed by the vendor/builder. version Restriction of oval-def:EntityStateAnySimpleType. See schema for details. 0 1 This is the version number of the build. In the case of an apache rpm named httpd-2.0.40-21.11.4.i686.rpm, this value would be 21.11.4. evr oval-def:EntityStateEVRStringType 0 1 This represents the epoch, version, and release fields as a single version string. It has the form "EPOCH:VERSION-RELEASE". Note that a null epoch (or '(none)' as returned by rpm) is equivalent to '0' and would hence have the form 0:VERSION-RELEASE. Comparisons involving this datatype should follow the algorithm of librpm's rpmvercmp() function. signature_keyid oval-def:EntityStateStringType 0 1 This field contains the 64-bit PGP key ID that the RPM issuer (generally the original operating system vendor) uses to sign the key. Note that the value should NOT contain a hyphen to seperat the higher 32-bits from the lower 32-bits. It should simply be a 16 character hex string. PGP is used to verify the authenticity and integrity of the RPM being considered. Software packages and patches are signed cryptographically to allow administrators to allay concerns that the distribution mechanism has been compromised, whether that mechanism is web site, FTP server, or even a mirror controlled by a hostile party. OVAL uses this field most of all to confirm that the package installed on the system is that shipped by the vendor, since comparing package version numbers against patch announcements is only programmatically valid if the installed package is known to contain the patched code.
The rpmverify_test is used to verify the integrity of installed RPMs. This test aligns with the rpm -V command for verifying RPMs. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a rpmverify_object and the optional state element specifies the data to check. The evaluation of the test is guided by the check attribute that is inherited from the TestType.
Extends: oval-def:TestType
Child Elements Type MinOccurs MaxOccurs object oval-def:ObjectRefType 1 1 state oval-def:StateRefType 0 unbounded
The rpmverify_object element is used by a rpmverity_test to define a set of files within a set of RPMs to verify. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
Extends: oval-def:ObjectType
Child Elements Type MinOccurs MaxOccurs behaviors linux-def:RpmVerifyBehaviors 0 1 name oval-def:EntityObjectStringType 1 1 This is the package name to check. filepath oval-def:EntityObjectStringType 1 1 The filepath element specifies the absolute path for a file in the specified package. A directory cannot be specified as a filepath. oval-def:filter n/a 0 unbounded
The rpmverify_state element defines the different information that can be used to evaluate the specified rpm. This includes the architecture, epoch number, and version numbers. Most of this information can be obtained through the rpm function. Please refer to the individual elements in the schema for more details about what each represents.
Extends: oval-def:StateType
Child Elements Type MinOccurs MaxOccurs name oval-def:EntityStateStringType 0 1 This is the package name to check. filepath oval-def:EntityStateStringType 0 1 The filepath element specifies the absolute path for a file in the specified package. A directory cannot be specified as a filepath. size_differs linux-def:EntityStateRpmVerifyResultType 0 1 The size_differs entity aligns with the first character ('S' flag) in the character string in the output generated by running rpm –V on a specific file. mode_differs linux-def:EntityStateRpmVerifyResultType 0 1 The mode_differs entity aligns with the second character ('M' flag) in the character string in the output generated by running rpm –V on a specific file. md5_differs linux-def:EntityStateRpmVerifyResultType 0 1 The md5_differs entity aligns with the third character ('5' flag) in the character string in the output generated by running rpm –V on a specific file. device_differs linux-def:EntityStateRpmVerifyResultType 0 1 The device_differs entity aligns with the fourth character ('D' flag) in the character string in the output generated by running rpm –V on a specific file. link_mismatch linux-def:EntityStateRpmVerifyResultType 0 1 The link_mismatch entity aligns with the fifth character ('L' flag) in the character string in the output generated by running rpm –V on a specific file. ownership_differs linux-def:EntityStateRpmVerifyResultType 0 1 The ownership_differs entity aligns with the sixth character ('U' flag) in the character string in the output generated by running rpm –V on a specific file. group_differs linux-def:EntityStateRpmVerifyResultType 0 1 The group_differs entity aligns with the seventh character ('U' flag) in the character string in the output generated by running rpm –V on a specific file. mtime_differs linux-def:EntityStateRpmVerifyResultType 0 1 The mtime_differs entity aligns with the eighth character ('T' flag) in the character string in the output generated by running rpm –V on a specific file. capabilities_differ linux-def:EntityStateRpmVerifyResultType 0 1 The size_differs entity aligns with the ninth character ('P' flag) in the character string in the output generated by running rpm –V on a specific file. configuration_file oval-def:EntityStateBoolType 0 1 The configuration_file entity represents the configuration file attribute marker that may be present on a file. documentation_file oval-def:EntityStateBoolType 0 1 The documentation_file entity represents the documenation file attribute marker that may be present on a file. ghost_file oval-def:EntityStateBoolType 0 1 The ghost_file entity represents the ghost file attribute marker that may be present on a file. license_file oval-def:EntityStateBoolType 0 1 The license_file entity represents the license file attribute marker that may be present on a file. readme_file oval-def:EntityStateBoolType 0 1 The readme_file entity represents the readme file attribute marker that may be present on a file.
The RpmVerifyBehaviors complex type defines a set of behaviors that for controlling how installed rpms are verified. These behaviors align with the verify-options of the rpm command with the addition of two behaviors that will indicate that a file with a given attribute marker should not be collected.
Attributes:
- nodeps xsd:boolean (optional -- default='false') 'nodeps' when true this behavior means, don't verify dependencies of packages. - nodigest xsd:boolean (optional -- default='false') 'nodigest' when true this behavior means, don't verify package or header digests when reading. - nofiles xsd:boolean (optional -- default='false') 'nofiles' when true this behavior means, don't verify any attributes of package files. - noscripts xsd:boolean (optional -- default='false') 'noscripts' when true this behavior means, don't execute the %verifyscript scriptlet (if any). - nosignature xsd:boolean (optional -- default='false') 'nosignature' when true this behavior means, don't verify package or header signatures when reading. - nolinkto xsd:boolean (optional -- default='false') 'nolinkto' when true this behavior means, don't verify symbolic links attribute. - nomd5 xsd:boolean (optional -- default='false') 'nomd5' when true this behavior means, don't verify the file md5 attribute. - nosize xsd:boolean (optional -- default='false') 'nosize' when true this behavior means, don't verify the file size attribute. - nouser xsd:boolean (optional -- default='false') 'nouser' when true this behavior means, don't verify the file owner attribute. - nogroup xsd:boolean (optional -- default='false') 'nogroup' when true this behavior means, don't verify the file group owner attribute. - nomtime xsd:boolean (optional -- default='false') 'nomtime' when true this behavior means, don't verify the file mtime attribute. - nomode xsd:boolean (optional -- default='false') 'nomode' when true this behavior means, don't verify the file mode attribute. - nordev xsd:boolean (optional -- default='false') 'nordev' when true this behavior means, don't verify the file rdev attribute. - noconfigfiles xsd:boolean (optional -- default='false') 'noconfigfiles' when true this behavior means, skip files that are marked with the %config attribute marker. - noghostfiles xsd:boolean (optional -- default='false') 'noghostfiles' when true this behavior means, skip files that are maked with %ghost attribute marker.
The selinuxboolean_test is used to check the current and pending status of a SELinux boolean. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a selinuxboolean_object and the optional state element references a selinuxboolean_state that specifies the metadata to check. The evaluation of the test is guided by the check attribute that is inherited from the TestType.
Extends: oval-def:TestType
Child Elements Type MinOccurs MaxOccurs object oval-def:ObjectRefType 1 1 state oval-def:StateRefType 0 unbounded
The selinuxboolean_object element is used by an selinuxboolean_test to define the items to evaluate based on a specified state.
Extends: oval-def:ObjectType
Child Elements Type MinOccurs MaxOccurs name oval-def:EntityObjectStringType 1 1 The name of the SELinux boolean. oval-def:filter n/a 0 unbounded
The selinuxboolean_state element defines the different information that can be used to evaluate the specified SELinux boolean. This includes SELinux boolean's current and pending status. Please refer to the individual elements in the schema for more details about what each represents.
Extends: oval-def:StateType
Child Elements Type MinOccurs MaxOccurs name oval-def:EntityStateStringType 0 1 The name of the SELinux boolean. current_status oval-def:EntityStateBoolType 0 1 The current_status entity represents the current state of the specified SELinux boolean. pending_status oval-def:EntityStateBoolType 0 1 The pending_status entity represents the pending state of the specified SELinux boolean.
The selinuxsecuritycontext_test is used to check the security context of a file or process on the local system. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a selinuxsecuritycontext_object and the optional state element references a selinuxsecuritycontext_state that specifies the metadata to check. The evaluation of the test is guided by the check attribute that is inherited from the TestType.
Extends: oval-def:TestType
Child Elements Type MinOccurs MaxOccurs object oval-def:ObjectRefType 1 1 state oval-def:StateRefType 0 unbounded
The selinuxsecuritycontext_object element is used by an selinuxsecuritycontext_test to define the security contexts of files and processes to collect from the local system. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
Extends: oval-def:ObjectType
Child Elements Type MinOccurs MaxOccurs filepath oval-def:EntityObjectStringType 1 1 The filepath element specifies the absolute path for a file on the machine. A directory cannot be specified as a filepath. path oval-def:EntityObjectStringType 1 1 The path element specifies the directory component of the absolute path to a file on the machine. filename oval-def:EntityObjectStringType 1 1 The filename element specifies the name of a file to evaluate. If the xsi:nil attribute is set to true, then the object being specified is the higher level directory object (not all the files in the directory). In this case, the filename element should not be used during collection and would result in the unique set of items being the directories themselves. For example, one would set xsi:nil to true if the desire was to test the attributes or permissions associated with a directory. Setting xsi:nil equal to true is different than using a .* pattern match, which says to collect every file under a given path. pid oval-def:EntityObjectIntType 1 1 The pid entity is the process ID of the process. If the xsi:nil attribute is set to true, the process ID shall be the tool's running process. oval-def:filter n/a 0 unbounded
The selinuxsecuritycontext_state element defines the different information that can be used to evaluate the specified SELinux security context. This includes SELinux security context's user, type role, low sensitivity, low category, high sensitivity, high category, raw low sensitivity, raw low category, raw high sensitivity, and raw high category. This state follows the SELinux security context structure: user:role:type:low_sensitivity[:low_category]- high_sensitivity [:high_category]. Please refer to the individual elements in the schema for more details about what each represents.
Extends: oval-def:StateType
Child Elements Type MinOccurs MaxOccurs filepath oval-def:EntityStateStringType 0 1 The filepath element specifies the absolute path for a file on the machine. A directory cannot be specified as a filepath. path oval-def:EntityStateStringType 0 1 The path element specifies the directory component of the absolute path to a file on the machine. filename oval-def:EntityStateStringType 0 1 The name of the file. If the xsi:nil attribute is set to true, then the item being represented is the higher directory represented by the path entity. pid oval-def:EntityStateIntType 0 1 This is the process ID of the process. user oval-def:EntityStateStringType 0 1 The user element specifies the SELinux user that either created the file or started the process. role oval-def:EntityStateStringType 0 1 The role element specifies the types that a process may transition to (domain transitions). Note that this entity is not relevant for files and will always have a value of object_r. type oval-def:EntityStateStringType 0 1 The type element specifies the domain in which the file is accessible or the domain in which a process executes. low_sensitivity oval-def:EntityStateStringType 0 1 The low_sensitivity element specifies the current sensitivity of a file or process. low_category oval-def:EntityStateStringType 0 1 The low_category element specifies the set of categories associated with the low sensitivity. high_sensitivity oval-def:EntityStateStringType 0 1 The high_sensitivity element specifies the maximum range for a file or the clearance for a process. high_category oval-def:EntityStateStringType 0 1 The high_category element specifies the set of categories associated with the high sensitivity. rawlow_sensitivity oval-def:EntityStateStringType 0 1 The rawlow_sensitivity element specifies the current sensitivity of a file or process but in its raw context. rawlow_category oval-def:EntityStateStringType 0 1 The rawlow_category element specifies the set of categories associated with the low sensitivity but in its raw context. rawhigh_sensitivity oval-def:EntityStateStringType 0 1 The rawhigh_sensitivity element specifies the maximum range for a file or the clearance for a process but in its raw context. rawhigh_category oval-def:EntityStateStringType 0 1 The rawhigh_category element specifies the set of categories associated with the high sensitivity but in its raw context.
The slackware package info test is used to check information associated with a given Slackware package. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a slackwarepkginfo_object and the optional state element specifies the data to check. The evaluation of the test is guided by the check attribute that is inherited from the TestType.
Extends: oval-def:TestType
Child Elements Type MinOccurs MaxOccurs object oval-def:ObjectRefType 1 1 state oval-def:StateRefType 0 unbounded
The slackwarepkginfo_object element is used by a slackware package info test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
A slackware package info object consists of a single name entity that identifies the package being checked.
Extends: oval-def:ObjectType
Child Elements Type MinOccurs MaxOccurs name oval-def:EntityObjectStringType 1 1 This is the package name to check. oval-def:filter n/a 0 unbounded
The slackwarepkginfo_state element defines the different information that can be used to evaluate the specified package. This includes the version, architecture, and revision. Please refer to the individual elements in the schema for more details about what each represents.
Extends: oval-def:StateType
Child Elements Type MinOccurs MaxOccurs name oval-def:EntityStateStringType 0 1 This is the package name to check. version oval-def:EntityStateStringType 0 1 This is the version number of the package. architecture oval-def:EntityStateStringType 0 1 revision oval-def:EntityStateStringType 0 1
The EntityStateFileSystemTypeType complex type restricts a string value to the set of values that are used to describe file systems on a Linux system. This list is based off of the values defined in linux/magic.h. Please consult linux/magic.h for additional information on each allowed value. The empty string is also allowed to support the empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
Restricts: oval-def:EntityStateStringType
Value Description ADFS_SUPER_MAGIC
AFFS_SUPER_MAGIC
AFS_SUPER_MAGIC
AUTOFS_SUPER_MAGIC
CODA_SUPER_MAGIC
CRAMFS_MAGIC
CRAMFS_MAGIC_WEND
DEBUGFS_MAGIC
SYSFS_MAGIC
SECURITYFS_MAGIC
SELINUX_MAGIC
RAMFS_MAGIC
TMPFS_MAGIC
HUGETLBFS_MAGIC
SQUASHFS_MAGIC
EFS_SUPER_MAGIC
EXT2_SUPER_MAGIC
EXT3_SUPER_MAGIC
XENFS_SUPER_MAGIC
EXT4_SUPER_MAGIC
BTRFS_SUPER_MAGIC
HPFS_SUPER_MAGIC
ISOFS_SUPER_MAGIC
JFFS2_SUPER_MAGIC
ANON_INODE_FS_MAGIC
MINIX_SUPER_MAGIC
MINIX_SUPER_MAGIC2
MINIX2_SUPER_MAGIC
MINIX2_SUPER_MAGIC2
MINIX3_SUPER_MAGIC
MSDOS_SUPER_MAGIC
NCP_SUPER_MAGIC
NFS_SUPER_MAGIC
OPENPROM_SUPER_MAGIC
PROC_SUPER_MAGIC
QNX4_SUPER_MAGIC
REISERFS_SUPER_MAGIC
REISERFS_SUPER_MAGIC_STRING
REISER2FS_SUPER_MAGIC_STRING
REISER2FS_JR_SUPER_MAGIC_STRING
SMB_SUPER_MAGIC
USBDEVICE_SUPER_MAGIC
CGROUP_SUPER_MAGIC
FUTEXFS_SUPER_MAGIC
STACK_END_MAGIC
DEVPTS_SUPER_MAGIC
SOCKFS_MAGIC
The empty string value is permitted here to allow for empty elements associated with variable references.
The EntityStateRpmVerifyResultType complex type restricts a string value to the set of possible outcomes of checking an attribute of a file included in an RPM against the actual value of that attribute in the RPM database. The empty string is also allowed to support the empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
Restricts: oval-def:EntityStateStringType
Value Description pass
'pass' indicates that the test passed and is equivalent to the '.' value reported by the rpm -V command.
fail
'fail' indicates that the test failed and is equivalent to a bold charcter in the test result string reported by the rpm -V command.
not performed
'not performed' indicates that the test could not be performed and is equivalent to the '?' value reported by the rpm -V command.
The empty string value is permitted here to allow for empty elements associated with variable references.
The EntityStateProtocolType complex type restricts a string value to the set of physical layer protocols used by AF_PACKET sockets. The empty string is also allowed to support the empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
Restricts: oval-def:EntityStateStringType
Value Description ETH_P_LOOP
Ethernet loopback packet.
ETH_P_PUP
Xerox PUP packet.
ETH_P_PUPAT
Xerox PUP Address Transport packet.
ETH_P_IP
Internet protocol packet.
ETH_P_X25
CCITT X.25 packet.
ETH_P_ARP
Address resolution packet.
ETH_P_BPQ
G8BPQ AX.25 ethernet packet.
ETH_P_IEEEPUP
Xerox IEEE802.3 PUP packet.
ETH_P_IEEEPUPAT
Xerox IEEE802.3 PUP address transport packet.
ETH_P_DEC
DEC assigned protocol.
ETH_P_DNA_DL
DEC DNA Dump/Load.
ETH_P_DNA_RC
DEC DNA Remote Console.
ETH_P_DNA_RT
DEC DNA Routing.
ETH_P_LAT
DEC LAT.
ETH_P_DIAG
DEC Diagnostics.
ETH_P_CUST
DEC Customer use.
ETH_P_SCA
DEC Systems Comms Arch.
ETH_P_RARP
Reverse address resolution packet.
ETH_P_ATALK
Appletalk DDP.
ETH_P_AARP
Appletalk AARP.
ETH_P_8021Q
802.1Q VLAN Extended Header.
ETH_P_IPX
IPX over DIX.
ETH_P_IPV6
IPv6 over bluebook.
ETH_P_SLOW
Slow Protocol. See 802.3ad 43B.
ETH_P_WCCP
Web-cache coordination protocol.
ETH_P_PPP_DISC
PPPoE discovery messages.
ETH_P_PPP_SES
PPPoE session messages.
ETH_P_MPLS_UC
MPLS Unicast traffic.
ETH_P_MPLS_MC
MPLS Multicast traffic.
ETH_P_ATMMPOA
MultiProtocol Over ATM.
ETH_P_ATMFATE
Frame-based ATM Transport over Ethernet.
ETH_P_AOE
ATA over Ethernet.
ETH_P_TIPC
TIPC.
ETH_P_802_3
Dummy type for 802.3 frames.
ETH_P_AX25
Dummy protocol id for AX.25.
ETH_P_ALL
Every packet.
ETH_P_802_2
802.2 frames.
ETH_P_SNAP
Internal only.
ETH_P_DDCMP
DEC DDCMP: Internal only
ETH_P_WAN_PPP
Dummy type for WAN PPP frames.
ETH_P_PPP_MP
Dummy type for PPP MP frames.
ETH_P_PPPTALK
Dummy type for Atalk over PPP.
ETH_P_LOCALTALK
Localtalk pseudo type.
ETH_P_TR_802_2
802.2 frames.
ETH_P_MOBITEX
Mobitex.
ETH_P_CONTROL
Card specific control frames.
ETH_P_IRDA
Linux-IrDA.
ETH_P_ECONET
Acorn Econet.
ETH_P_HDLC
HDLC frames.
ETH_P_ARCNET
1A for ArcNet.
The empty string value is permitted here to allow for empty elements associated with variable references.