- Open Vulnerability and Assessment Language -
Element Dictionary

The following is a description of the elements, types, and attributes that compose the Windows specific system characteristic items found in Open Vulnerability and Assessment Language (OVAL). Each item is an extension of the standard item element defined in the Core System Characteristic Schema. Through extension, each item inherits a set of elements and attributes that are shared amongst all OVAL Items. Each item is described in detail and should provide the information necessary to understand what each element and attribute represents. This document is intended for developers and assumes some familiarity with XML. A high level description of the interaction between the different tests and their relationship to the Core System Characteristic Schema is not outlined here.

The OVAL Schema is maintained by The MITRE Corporation and developed by the public OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.mitre.org.



< accesstoken_item >

The access token item holds information about the individual privileges and rights associated with a specific access token. It is important to note that these privileges are specific to certain versions of Windows. As a result, the documentation for that version of Windows should be consulted for more information. Each privilege and right in the data section accepts a boolean value signifying whether the privilege is granted or not. It extends the standard ItemType as defined in the oval-system-characteristics schema and one should refer to the ItemType description for more information.

Extends: oval-sc:ItemType

Child Elements Type MinOccurs MaxOccurs
security_principle oval-sc:EntityItemStringType 0 1
Security principles include users or groups with either local or domain accounts, and computer accounts created when a computer joins a domain. In Windows, security principles are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. User rights and permissions to access objects such as Active Directory objects, files, and registry settings are assigned to security principles. In a domain environment, security principles should be identified in the form: "domain\trustee name". For local security principles use: "computer name\trustee name". For built-in accounts on the system, use the trustee name without a domain.
seassignprimarytokenprivilege oval-sc:EntityItemBoolType 0 1
If this privilege is enabled, it allows a parent process to replace the access token that is associated with a child process.
seauditprivilege oval-sc:EntityItemBoolType 0 1
If this privilege is enabled, it allows a process to generate audit records in the security log. The security log can be used to trace unauthorized system access.
sebackupprivilege oval-sc:EntityItemBoolType 0 1
If this privilege is enabled, it allows the user to circumvent file and directory permissions to back up the system. The privilege is selected only when an application attempts access by using the NTFS backup application programming interface (API). Otherwise, normal file and directory permissions apply.
sechangenotifyprivilege oval-sc:EntityItemBoolType 0 1
If this privilege is enabled, it allows the user to pass through folders to which the user otherwise has no access while navigating an object path in the NTFS file system or in the registry. This privilege does not allow the user to list the contents of a folder; it allows the user only to traverse its directories.
secreateglobalprivilege oval-sc:EntityItemBoolType 0 1
If this privilege is enabled, it allows the user to create named file mapping objects in the global namespace during Terminal Services sessions.
secreatepagefileprivilege oval-sc:EntityItemBoolType 0 1
If this privilege is enabled, it allows the user to create and change the size of a pagefile.
secreatepermanentprivilege oval-sc:EntityItemBoolType 0 1
If this privilege is enabled, it allows a process to create a directory object in the object manager. It is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode have this privilege inherently.
secreatesymboliclinkprivilege oval-sc:EntityItemBoolType 0 1
If this privilege is enabled, it allows a user create a symbolic link.
secreatetokenprivilege oval-sc:EntityItemBoolType 0 1
If this privilege is enabled, it allows a process to create an access token by calling NtCreateToken() or other token-creating APIs.
sedebugprivilege oval-sc:EntityItemBoolType 0 1
If this privilege is enabled, it allows the user to attach a debugger to any process. It provides access to sensitive and critical operating system components.
seenabledelegationprivilege oval-sc:EntityItemBoolType 0 1
If this privilege is enabled, it allows the user to change the Trusted for Delegation setting on a user or computer object in Active Directory. The user or computer that is granted this privilege must also have write access to the account control flags on the object.
seimpersonateprivilege oval-sc:EntityItemBoolType 0 1
If this privilege is enabled, it allows the user to impersonate a client after authentication.
seincreasebasepriorityprivilege oval-sc:EntityItemBoolType 0 1
If this privilege is enabled, it allows a user to increase the base priority class of a process.
seincreasequotaprivilege oval-sc:EntityItemBoolType 0 1
If this privilege is enabled, it allows a process that has access to a second process to increase the processor quota assigned to the second process.
seincreaseworkingsetprivilege oval-sc:EntityItemBoolType 0 1
If this privilege is enabled, it allows a user to increase a process working set.
seloaddriverprivilege oval-sc:EntityItemBoolType 0 1
If this privilege is enabled, it allows a user to install and remove drivers for Plug and Play devices.
selockmemoryprivilege oval-sc:EntityItemBoolType 0 1
If this privilege is enabled, it allows a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk.
semachineaccountprivilege oval-sc:EntityItemBoolType 0 1
If this privilege is enabled, it allows the user to add a computer to a specific domain.
semanagevolumeprivilege oval-sc:EntityItemBoolType 0 1
If this privilege is enabled, it allows a non-administrative or remote user to manage volumes or disks.
seprofilesingleprocessprivilege oval-sc:EntityItemBoolType 0 1
If this privilege is enabled, it allows a user to sample the performance of an application process.
serelabelprivilege oval-sc:EntityItemBoolType 0 1
If this privilege is enabled, it allows a user to modify an object label.
seremoteshutdownprivilege oval-sc:EntityItemBoolType 0 1
If this privilege is enabled, it allows a user to shut down a computer from a remote location on the network.
serestoreprivilege oval-sc:EntityItemBoolType 0 1
If this privilege is enabled, it allows a user to circumvent file and directory permissions when restoring backed-up files and directories and to set any valid security principle as the owner of an object.
sesecurityprivilege oval-sc:EntityItemBoolType 0 1
If this privilege is enabled, it allows a user to specify object access auditing options for individual resources such as files, Active Directory objects, and registry keys. A user who has this privilege can also view and clear the security log from Event Viewer.
seshutdownprivilege oval-sc:EntityItemBoolType 0 1
If this privilege is enabled, it allows a user to shut down the local computer.
sesyncagentprivilege oval-sc:EntityItemBoolType 0 1
If this privilege is enabled, it allows a process to read all objects and properties in the directory, regardless of the protection on the objects and properties. It is required in order to use Lightweight Directory Access Protocol (LDAP) directory synchronization (Dirsync) services.
sesystemenvironmentprivilege oval-sc:EntityItemBoolType 0 1
If this privilege is enabled, it allows modification of system environment variables either by a process through an API or by a user through System Properties.
sesystemprofileprivilege oval-sc:EntityItemBoolType 0 1
If this privilege is enabled, it allows a user to sample the performance of system processes.
sesystemtimeprivilege oval-sc:EntityItemBoolType 0 1
If this privilege is enabled, it allows the user to adjust the time on the computer's internal clock. It is not required to change the time zone or other display characteristics of the system time.
setakeownershipprivilege oval-sc:EntityItemBoolType 0 1
If this privilege is enabled, it allows a user to take ownership of any securable object in the system, including Active Directory objects, NTFS files and folders, printers, registry keys, services, processes, and threads.
setcbprivilege oval-sc:EntityItemBoolType 0 1
If this privilege is enabled, it allows a process to assume the identity of any user and thus gain access to the resources that the user is authorized to access.
setimezoneprivilege oval-sc:EntityItemBoolType 0 1
If this privilege is enabled, it allows a user to change the time zone.
seundockprivilege oval-sc:EntityItemBoolType 0 1
If this privilege is enabled, it allows the user of a portable computer to undock the computer by clicking Eject PC on the Start menu.
seunsolicitedinputprivilege oval-sc:EntityItemBoolType 0 1
If this privilege is enabled, it allows the user to read unsolicited data from a terminal device.
sebatchlogonright oval-sc:EntityItemBoolType 0 1
If an account is assigned this right, it can log on using the batch logon type.
seinteractivelogonright oval-sc:EntityItemBoolType 0 1
If an account is assigned this right, it can log on using the interactive logon type.
senetworklogonright oval-sc:EntityItemBoolType 0 1
If an account is assigned this right, it can log on using the network logon type.
seremoteinteractivelogonright oval-sc:EntityItemBoolType 0 1
If an account is assigned this right, it can log on to the computer by using a Remote Desktop connection.
seservicelogonright oval-sc:EntityItemBoolType 0 1
If an account is assigned this right, it can log on using the service logon type.
sedenybatchLogonright oval-sc:EntityItemBoolType 0 1
If an account is assigned this right, it is explicitly denied the ability to log on using the batch logon type.
sedenyinteractivelogonright oval-sc:EntityItemBoolType 0 1
If an account is assigned this right, it is explicitly denied the ability to log on using the interactive logon type.
sedenynetworklogonright oval-sc:EntityItemBoolType 0 1
If an account is assigned this right, it is explicitly denied the ability to log on using the network logon type.
sedenyremoteInteractivelogonright oval-sc:EntityItemBoolType 0 1
If an account is assigned this right, it is explicitly denied the ability to log on through Terminal Services.
sedenyservicelogonright oval-sc:EntityItemBoolType 0 1
If an account is assigned this right, it is explicitly denied the ability to log on using the service logon type.
setrustedcredmanaccessnameright oval-sc:EntityItemBoolType 0 1
If an account is assigned this right, it can access the Credential Manager as a trusted caller.



< activedirectory_item >

Deprecated As Of Version: 5.7
Reason: Replaced by the activedirectory57_item. This item allows for single fields to be selected from active directory. A new item was created to allow more than one field to be selected in one statement. See the activedirectory57_item.
Comment: This object has been deprecated and may be removed in a future version of the language.

The active directory item holds information about specific entries in the Windows Active Directory. It extends the standard ItemType as defined in the oval-system-characteristics schema and one should refer to the ItemType description for more information.

Extends: oval-sc:ItemType

Child Elements Type MinOccurs MaxOccurs
naming_context win-sc:EntityItemNamingContextType 0 1
Each object in active directory exists under a certain naming context (also known as a partition). A naming context is defined as a single object in the Directory Information Tree (DIT) along with every object in the tree subordinate to it. There are three default naming contexts in Active Directory: domain, configuration, and schema.
relative_dn oval-sc:EntityItemStringType 0 1
The relative_dn field is used to uniquely identify an object inside the specified naming context. It contains all the parts of the objects distinguished name except those outlined by the naming context. If the xsi:nil attribute is set to true, then the item being represented is the higher level naming context. Using xsi:nil here will result in a status of 'does not exist' for object_class, adstype, and value since these entities are not associated with a naming context by itself. Note that when xsi:nil is used for the relative dn element, the attribute element should also be nilled.
attribute oval-sc:EntityItemStringType 0 1
Specifies a named value contained by the object. If the xsi:nil attribute is set to true, then the item being represented is the higher level relative dn. Using xsi:nil here will result in a status of 'does not exist' for object_class, adstype, and value since these entities are not associated with a relative dn by itself.
object_class oval-sc:EntityItemStringType 0 1
The name of the class of which the object is an instance.
adstype win-sc:EntityItemAdstypeType 0 1
Specifies the type of information that the specified attribute represents.
value oval-sc:EntityItemAnySimpleType 0 unbounded
The actual value of the specified active directory attribute.



< activedirectory57_item >

The activedirectory57_item holds information about specific entries in the Windows Active Directory. It extends the standard ItemType as defined in the oval-system-characteristics schema and one should refer to the ItemType description for more information.

Extends: oval-sc:ItemType

Child Elements Type MinOccurs MaxOccurs
naming_context win-sc:EntityItemNamingContextType 0 1
Each object in active directory exists under a certain naming context (also known as a partition). A naming context is defined as a single object in the Directory Information Tree (DIT) along with every object in the tree subordinate to it. There are three default naming contexts in Active Directory: domain, configuration, and schema.
relative_dn oval-sc:EntityItemStringType 0 1
The relative_dn field is used to uniquely identify an object inside the specified naming context. It contains all the parts of the objects distinguished name except those outlined by the naming context. If the xsi:nil attribute is set to true, then the item being represented is the higher level naming context. Using xsi:nil here will result in a status of 'does not exist' for object_class, adstype, and value since these entities are not associated with a naming context by itself. Note that when xsi:nil is used for the relative dn element, the attribute element should also be nilled.
attribute oval-sc:EntityItemStringType 0 1
Specifies a named value contained by the object. If the xsi:nil attribute is set to true, then the item being represented is the higher level relative dn. Using xsi:nil here will result in a status of 'does not exist' for object_class, adstype, and value since these entities are not associated with a relative dn by itself.
object_class oval-sc:EntityItemStringType 0 1
The name of the class of which the object is an instance.
adstype win-sc:EntityItemAdstypeType 0 1
Specifies the type of information that the specified attribute represents.
value oval-sc:EntityItemRecordType 0 unbounded
The actual value of the specified Active Directory attribute. Note that while an Active Directory attribute can contain structured data where it is necessary to collect multiple related fields that can be described by the 'record' datatype, it is not always the case. It also is possible that an Active Directory attribute can contain only a single value or an array of values. In these cases, there is not a name to uniquely identify the corresponding field(s) which is a requirement for fields in the 'record' datatype. As a result, the name of the Active Directory attribute will be used to uniquely identify the field(s) and satisfy this requirement. If the Active Directory attribute contains a single value, the 'record' will have a single field identified by the name of the Active Directory attribute. If the Active Directory attribute contains an array of values, the 'record' will have multiple fields all identified by the name of the Active Directory attribute



< auditeventpolicy_item >

The auditeventpolicy item enumerates the different types of events the system should audit. The defined values are found in window's POLICY_AUDIT_EVENT_TYPE enumeration and accessed through the LsaQueryInformationPolicy when the InformationClass parameters are set to PolicyAuditEventsInformation. It extends the standard ItemType as defined in the oval-system-characteristics schema and one should refer to the ItemType description for more information.

Note that when audinting is disabled each of the entities listed below should be set to 'AUDIT_NONE'.

Extends: oval-sc:ItemType

Child Elements Type MinOccurs MaxOccurs
account_logon win-sc:EntityItemAuditType 0 1
Audit attempts to log on to or log off of the system. Also, audit attempts to make a network connection.
account_management win-sc:EntityItemAuditType 0 1
Audit attempts to create, delete, or change user or group accounts. Also, audit password changes.
detailed_tracking win-sc:EntityItemAuditType 0 1
Audit specific events, such as program activation, some forms of handle duplication, indirect access to an object, and process exit.
directory_service_access win-sc:EntityItemAuditType 0 1
Audit attempts to access the directory service.
logon win-sc:EntityItemAuditType 0 1
Audit attempts to log on to or log off of the system. Also, audit attempts to make a network connection.
object_access win-sc:EntityItemAuditType 0 1
Audit attempts to access securable objects, such as files.
policy_change win-sc:EntityItemAuditType 0 1
Audit attempts to change Policy object rules.
privilege_use win-sc:EntityItemAuditType 0 1
Audit attempts to use privileges.
system win-sc:EntityItemAuditType 0 1
Audit attempts to shut down or restart the computer. Also, audit events that affect system security or the security log.



< auditeventpolicysubcategories_item >

The auditeventpolicysubcategories_item is used to hold information about the audit event policy settings on a Windows system. These settings are used to specify which system and network events are monitored. For example, if the credential_validation element has a value of AUDIT_FAILURE, it means that the system is configured to log all unsuccessful attempts to validate a user account on a system. It is important to note that these audit event policy settings are specific to certain versions of Windows. As a result, the documentation for that version of Windows should be consulted for more information on each setting. It extends the standard ItemType as defined in the oval-system-characteristics schema and one should refer to the ItemType description for more information.

Note that when audinting is disabled each of the entities listed below should be set to 'AUDIT_NONE'.

Extends: oval-sc:ItemType

Child Elements Type MinOccurs MaxOccurs
credential_validation win-sc:EntityItemAuditType 0 1
Audit the events produced during the validation of a user's logon credentials.
kerberos_authentication_service win-sc:EntityItemAuditType 0 1
Audit the events produced by Kerberos authentication ticket-granting requests.
kerberos_service_ticket_operations win-sc:EntityItemAuditType 0 1
Audit the events produced by Kerberos service ticket requests.
kerberos_ticket_events win-sc:EntityItemAuditType 0 1
Audit the events produced during the validation of Kerberos tickets provided for a user account logon request.
other_account_logon_events win-sc:EntityItemAuditType 0 1
Audit the events produced by changes to user accounts that are not covered by other events in the Account Logon category.
application_group_management win-sc:EntityItemAuditType 0 1
Audit the events produced by changes to application groups.
computer_account_management win-sc:EntityItemAuditType 0 1
Audit the events produced by changes to computer accounts.
distribution_group_management win-sc:EntityItemAuditType 0 1
Audit the events produced by changes to distribution groups.
other_account_management_events win-sc:EntityItemAuditType 0 1
Audit the events produced by other user account changes that are not covered by other events in the Account Management category.
security_group_management win-sc:EntityItemAuditType 0 1
Audit the events produced by changes to security groups.
user_account_management win-sc:EntityItemAuditType 0 1
Audit the events produced by changes to user accounts.
dpapi_activity win-sc:EntityItemAuditType 0 1
Audit the events produced when requests are made to the Data Protection application interface.
process_creation win-sc:EntityItemAuditType 0 1
Audit the events produced when a process is created or starts.
process_termination win-sc:EntityItemAuditType 0 1
Audit the events produced when a process ends.
rpc_events win-sc:EntityItemAuditType 0 1
Audit the events produced by inbound remote procedure call connections.
directory_service_access win-sc:EntityItemAuditType 0 1
Audit the events produced when a Active Directory Domain Services object is accessed.
directory_service_changes win-sc:EntityItemAuditType 0 1
Audit the events produced when changes are made to Active Directory Domain Services objects.
directory_service_replication win-sc:EntityItemAuditType 0 1
Audit the events produced when two Active Directory Domain Services domain controllers are replicated.
detailed_directory_service_replication win-sc:EntityItemAuditType 0 1
Audit the events produced by detailed Active Directory Domain Services replication between domain controllers.
account_lockout win-sc:EntityItemAuditType 0 1
Audit the events produced by a failed attempt to log onto a locked out account.
ipsec_extended_mode win-sc:EntityItemAuditType 0 1
Audit the events produced by Internet Key Exchange and Authenticated Internet protocol during Extended Mode negotiations.
ipsec_main_mode win-sc:EntityItemAuditType 0 1
Audit the events produced by Internet Key Exchange and Authenticated Internet protocol during Main Mode negotiations.
ipsec_quick_mode win-sc:EntityItemAuditType 0 1
Audit the events produced by Internet Key Exchange and Authenticated Internet protocol during Quick Mode negotiations.
logoff win-sc:EntityItemAuditType 0 1
Audit the events produced by closing a logon session.
logon win-sc:EntityItemAuditType 0 1
Audit the events produced by attempts to log onto a user account.
network_policy_server win-sc:EntityItemAuditType 0 1
Audit the events produced by RADIUS and Network Access Protection user access requests.
other_logon_logoff_events win-sc:EntityItemAuditType 0 1
Audit the events produced by other logon/logoff based events that are not covered in the Logon/Logoff category.
special_logon win-sc:EntityItemAuditType 0 1
Audit the events produced by special logons.
application_generated win-sc:EntityItemAuditType 0 1
Audit the events produced by applications that use the Windows Auditing API.
certification_services win-sc:EntityItemAuditType 0 1
Audit the events produced by operations on Active Directory Certificate Services.
detailed_file_share win-sc:EntityItemAuditType 0 1
Audit the events produced by attempts to access files and folders on a shared folder.
file_share win-sc:EntityItemAuditType 0 1
Audit the events produced by attempts to access a shared folder.
file_system win-sc:EntityItemAuditType 0 1
Audit the events produced user attempts to access file system objects.
filtering_platform_connection win-sc:EntityItemAuditType 0 1
Audit the events produced by connections that are allowed or blocked by Windows Filtering Platform.
filtering_platform_packet_drop win-sc:EntityItemAuditType 0 1
Audit the events produced by packets that are dropped by Windows Filtering Platform.
handle_manipulation win-sc:EntityItemAuditType 0 1
Audit the events produced when a handle is opened or closed.
kernel_object win-sc:EntityItemAuditType 0 1
Audit the events produced by attempts to access the system kernel.
other_object_access_events win-sc:EntityItemAuditType 0 1
Audit the events produced by the management of Task Scheduler jobs or COM+ objects.
registry win-sc:EntityItemAuditType 0 1
Audit the events produced by attempts to access registry objects.
sam win-sc:EntityItemAuditType 0 1
Audit the events produced by attempts to access Security Accounts Manager objects.
audit_policy_change win-sc:EntityItemAuditType 0 1
Audit the events produced by changes in security audit policy settings.
authentication_policy_change win-sc:EntityItemAuditType 0 1
Audit the events produced by changes to the authentication policy.
authorization_policy_change win-sc:EntityItemAuditType 0 1
Audit the events produced by changes to the authorization policy.
filtering_platform_policy_change win-sc:EntityItemAuditType 0 1
Audit the events produced by changes to the Windows Filtering Platform.
mpssvc_rule_level_policy_change win-sc:EntityItemAuditType 0 1
Audit the events produced by changes to policy rules used by the Windows Firewall.
other_policy_change_events win-sc:EntityItemAuditType 0 1
Audit the events produced by other security policy changes that are not covered other events in the Policy Change category.
non_sensitive_privilege_use win-sc:EntityItemAuditType 0 1
Audit the events produced by the use of non-sensitive privileges.
other_privilege_use_events win-sc:EntityItemAuditType 0 1
This is currently not used and has been reserved by Microsoft for use in the future.
sensitive_privilege_use win-sc:EntityItemAuditType 0 1
Audit the events produced by the use of sensitive privileges.
ipsec_driver win-sc:EntityItemAuditType 0 1
Audit the events produced by the IPsec filter driver.
other_system_events win-sc:EntityItemAuditType 0 1
Audit the events produced by the startup and shutdown, security policy processing, and cryptography key file and migration operations of the Windows Firewall.
security_state_change win-sc:EntityItemAuditType 0 1
Audit the events produced by changes in the security state.
security_system_extension win-sc:EntityItemAuditType 0 1
Audit the events produced by the security system extensions or services.
system_integrity win-sc:EntityItemAuditType 0 1
Audit the events that indicate that the integrity security subsystem has been violated.



< dnscache_item >

The dnscache_item stores information retrieved from the DNS cache about a domain name, its time to live, and its corresponding IP addresses.

Extends: oval-sc:ItemType

Child Elements Type MinOccurs MaxOccurs
domain_name oval-sc:EntityItemStringType 0 1
The domain_name element contains a string that represents a domain name that was collected from the DNS cache on the local system.
ttl oval-sc:EntityItemIntType 0 1
The ttl element contains an integer that represents the time to live in seconds of the DNS cache entry.
ip_address oval-sc:EntityItemIPAddressStringType 0 unbounded
The ip_address element contains a string that represents an IP address associated with the specified domain name. Note that the IP address can be IPv4 or IPv6.



< file_item >

This element describes file metadata. The time information can be retrieved by the _stst function. Development_class and other version information (company, internal name, language, original_filename, product_name, product_version) can be retrieved using the VerQueryValue function.

Extends: oval-sc:ItemType

Child Elements Type MinOccurs MaxOccurs
filepath oval-sc:EntityItemStringType 0 1
The filepath element specifies the absolute path for a file on the machine. A directory cannot be specified as a filepath.
path oval-sc:EntityItemStringType 0 1
Specifies the directory component of the absolute path to a file on the machine.
filename oval-sc:EntityItemStringType 0 1
The name of the file. If the xsi:nil attribute is set to true, then the item being represented is the higher directory represented by the path entity. The other items associated with this item would then reflect the values associated with the directory.
owner oval-sc:EntityItemStringType 0 1
A string that contains the name of the owner. The name should be specified in the DOMAIN\username format.
size oval-sc:EntityItemIntType 0 1
Size of the file in bytes.
a_time oval-sc:EntityItemIntType 0 1
Time of last access of file. Valid on NTFS but not on FAT formatted disk drives. The string should represent the FILETIME structure which is a 64-bit value representing the number of 100-nanosecond intervals since January 1, 1601 (UTC).
c_time oval-sc:EntityItemIntType 0 1
Time of creation of file. Valid on NTFS but not on FAT formatted disk drives. The string should represent the FILETIME structure which is a 64-bit value representing the number of 100-nanosecond intervals since January 1, 1601 (UTC).
m_time oval-sc:EntityItemIntType 0 1
Time of last modification of file. The string should represent the FILETIME structure which is a 64-bit value representing the number of 100-nanosecond intervals since January 1, 1601 (UTC).
ms_checksum oval-sc:EntityItemStringType 0 1
The checksum of the file as supplied by Microsoft's MapFileAndCheckSum function.
version oval-sc:EntityItemVersionType 0 1
The version of the file.
type win-sc:EntityItemFileTypeType 0 1
The type child element marks wether the file item describes a directory, named pipe, standard file, etc. These types are the return values for GetFileType, with the exception of FILE_ATTRIBUTE_DIRECTORY which is obtained by looking at GetFileAttributesEx.
development_class oval-sc:EntityItemStringType 0 1
The development_class element allows the distinction to be made between the GDR development environment and the QFE development environment. This field holds the text found in front of the mmmmmm-nnnn version, for example srv03_gdr.
company oval-sc:EntityItemStringType 0 1
This entity defines the company name held within the version-information structure.
internal_name oval-sc:EntityItemStringType 0 1
This entity defines the internal name held within the version-information structure.
language oval-sc:EntityItemStringType 0 1
This entity defines the language held within the version-information structure.
original_filename oval-sc:EntityItemStringType 0 1
This entity defines the original filename held within the version-information structure.
product_name oval-sc:EntityItemStringType 0 1
This entity defines the product name held within the version-information structure.
product_version oval-sc:EntityItemVersionType 0 1
This entity defines the product version held within the version-information structure.



< fileauditedpermissions_item >

This item stores the audited access rights of a file that a system access control list (SACL) structure grants to a specified trustee. The trustee's audited access rights are determined checking all access control entries (ACEs) in the SACL. For help with this test see the GetAuditedPermissionsFromAcl() api.

Extends: oval-sc:ItemType

Child Elements Type MinOccurs MaxOccurs
filepath oval-sc:EntityItemStringType 0 1
Specifies the absolute path to a file on the machine from which the DACL was retrieved. A directory cannot be specified as a filepath.
path oval-sc:EntityItemStringType 0 1
This element specifies the directory component of the absolute path to a file on the machine from which the DACL was retrieved.
filename oval-sc:EntityItemStringType 0 1
The name of the file. If the xsi:nil attribute is set to true, then the item being represented is the higher directory represented by the path entity. The other items associated with this item would then reflect the values associated with the directory.
trustee_sid oval-sc:EntityItemStringType 0 1
The trustee_sid entity specifies the SID that associated a user, group, system, or program (such as a Windows service).
trustee_name oval-sc:EntityItemStringType 0 1
This element specifies the trustee name associated with this particular SACL. A trustee can be a user, group, or program (such as a Windows service). In Windows, trustee names are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, trustee names should be identified in the form: "domain\trustee name". For local trustee names use: "computer name\trustee name". For built-in accounts on the system, use the trustee name without a domain.
standard_delete win-sc:EntityItemAuditType 0 1
The right to delete the object.
standard_read_control win-sc:EntityItemAuditType 0 1
The right to read the information in the object's security descriptor, not including the information in the SACL.
standard_write_dac win-sc:EntityItemAuditType 0 1
The right to modify the DACL in the object's security descriptor.
standard_write_owner win-sc:EntityItemAuditType 0 1
The right to change the owner in the object's security descriptor.
standard_synchronize win-sc:EntityItemAuditType 0 1
The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right.
access_system_security win-sc:EntityItemAuditType 0 1
Indicates access to a system access control list (SACL).
generic_read win-sc:EntityItemAuditType 0 1
Read access.
generic_write win-sc:EntityItemAuditType 0 1
Write access.
generic_execute win-sc:EntityItemAuditType 0 1
Execute access.
generic_all win-sc:EntityItemAuditType 0 1
Read, write, and execute access.
file_read_data win-sc:EntityItemAuditType 0 1
Grants the right to read data from the file.
file_write_data win-sc:EntityItemAuditType 0 1
Grants the right to write data to the file.
file_append_data win-sc:EntityItemAuditType 0 1
Grants the right to append data to the file.
file_read_ea win-sc:EntityItemAuditType 0 1
Grants the right to read extended attributes.
file_write_ea win-sc:EntityItemAuditType 0 1
Grants the right to write extended attributes.
file_execute win-sc:EntityItemAuditType 0 1
Grants the right to execute a file.
file_delete_child win-sc:EntityItemAuditType 0 1
Right to delete a directory and all the files it contains (its children), even if the files are read-only.
file_read_attributes win-sc:EntityItemAuditType 0 1
Grants the right to read file attributes.
file_write_attributes win-sc:EntityItemAuditType 0 1
Grants the right to change file attributes.



< fileeffectiverights_item >

This item stores the effective rights of a file that a discretionary access control list (DACL) structure grants to a specified trustee. The trustee's effective rights are determined checking all access-allowed and access-denied access control entries (ACEs) in the DACL. For help with this test see the GetEffectiveRightsFromAcl() api.

Extends: oval-sc:ItemType

Child Elements Type MinOccurs MaxOccurs
filepath oval-sc:EntityItemStringType 0 1
Specifies the absolute path to a file on the machine from which the DACL was retrieved. A directory cannot be specified as a filepath.
path oval-sc:EntityItemStringType 0 1
This element specifies the absolute path to a file on the machine from which the DACL was retrieved.
filename oval-sc:EntityItemStringType 0 1
The name of the file. If the xsi:nil attribute is set to true, then the item being represented is the higher directory represented by the path entity. The other items associated with this item would then reflect the values associated with the directory.
trustee_sid oval-sc:EntityItemStringType 0 1
The trustee_sid entity specifies the SID that associated a user, group, system, or program (such as a Windows service).
trustee_name oval-sc:EntityItemStringType 0 1
This element specifies the trustee name associated with this particular DACL. A trustee can be a user, group, or program (such as a Windows service). In Windows, trustee names are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, trustee names should be identified in the form: "domain\trustee name". For local trustee names use: "computer name\trustee name". For built-in accounts on the system, use the trustee name without a domain.
standard_delete oval-sc:EntityItemBoolType 0 1
The right to delete the object.
standard_read_control oval-sc:EntityItemBoolType 0 1
The right to read the information in the object's security descriptor, not including the information in the SACL.
standard_write_dac oval-sc:EntityItemBoolType 0 1
The right to modify the DACL in the object's security descriptor.
standard_write_owner oval-sc:EntityItemBoolType 0 1
The right to change the owner in the object's security descriptor.
standard_synchronize oval-sc:EntityItemBoolType 0 1
The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right.
access_system_security oval-sc:EntityItemBoolType 0 1
Indicates access to a system access control list (SACL).
generic_read oval-sc:EntityItemBoolType 0 1
Read access.
generic_write oval-sc:EntityItemBoolType 0 1
Write access.
generic_execute oval-sc:EntityItemBoolType 0 1
Execute access.
generic_all oval-sc:EntityItemBoolType 0 1
Read, write, and execute access.
file_read_data oval-sc:EntityItemBoolType 0 1
Grants the right to read data from the file
file_write_data oval-sc:EntityItemBoolType 0 1
Grants the right to write data to the file.
file_append_data oval-sc:EntityItemBoolType 0 1
Grants the right to append data to the file.
file_read_ea oval-sc:EntityItemBoolType 0 1
Grants the right to read extended attributes.
file_write_ea oval-sc:EntityItemBoolType 0 1
Grants the right to write extended attributes.
file_execute oval-sc:EntityItemBoolType 0 1
Grants the right to execute a file.
file_delete_child oval-sc:EntityItemBoolType 0 1
Right to delete a directory and all the files it contains (its children), even if the files are read-only.
file_read_attributes oval-sc:EntityItemBoolType 0 1
Grants the right to read file attributes.
file_write_attributes oval-sc:EntityItemBoolType 0 1
Grants the right to change file attributes.



< group_item >

The Windows group_item allows the different users and subgroups, that directly belong to specific groups (identified by name), to be collected. The collected subgroups will not be resolved to find indirect user or subgroup members. If the subgroups need to be resolved, it should be done using the sid_object. Note that the user and subgroup elements can appear an unlimited number of times. If a user is not found in the specified group, a single user element should exist with a status of 'does not exist'. If there is an error determining the users of a group, a single user element should exist with a status of 'error'. If a subgroup is not found in the specified group, a single subgroup element should exist with a status of 'does not exist'. If there is an error determining the subgroups of a group, a single subgroup element should exist with a status of 'error'.

Extends: oval-sc:ItemType

Child Elements Type MinOccurs MaxOccurs
group oval-sc:EntityItemStringType 0 1
A string the represents the name of a particular group. In Windows, group names are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, groups should be identified in the form: "domain\group name". For local groups use: "computer name\group name". For built-in accounts on the system, use the group name without a domain.
user oval-sc:EntityItemStringType 0 unbounded
A string that represents the name of a particular user. In Windows, user names are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, users should be identified in the form: "domain\user name". For local users use: "computer name\user name". For built-in accounts on the system, use the user name without a domain.If the specified group has more than one user as a member, then multiple user elements should exist. If the specified group does not contain a single user, then a single user element should exist with a status of 'does not exist'. If there is an error determining the users that are members of the group, then a single user element should be included with a status of 'error'.
subgroup oval-sc:EntityItemStringType 0 unbounded
A string that represents the name of a particular subgroup in the specified group. In Windows, group names are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, the subgroups should be identified in the form: "domain\group name". In a local environment, the subgroups should be identified in the form: "computer name\group name". If the subgroups are built-in groups, the subgroups should be identified in the form: "group name" without a domain component.If the specified group has more than one subgroup as a member, then multiple subgroup elements should exist. If the specified group does not contain a single subgroup, then a single subgroup element should exist with a status of 'does not exist'. If there is an error determining the subgroups that are members of the group, then a single subgroup element should be included with a status of 'error'.



< group_sid_item >

The Windows group_sid_item allows the different users and subgroups, that directly belong to specific groups (identified by SID), to be collected. The collected subgroups will not be resolved to find indirect user or subgroup members. If the subgroups need to be resolved, it should be done using the sid_sid_object. Note that the user and subgroup elements can appear an unlimited number of times. If a user is not found in the specified group, a single user element should exist with a status of 'does not exist'. If there is an error determining the users of a group, a single user element should exist with a status of 'error'. If a subgroup is not found in the specified group, a single subgroup element should exist with a status of 'does not exist'. If there is an error determining the subgroups of a group, a single subgroup element should exist with a status of 'error'.

Extends: oval-sc:ItemType

Child Elements Type MinOccurs MaxOccurs
group_sid oval-sc:EntityItemStringType 0 1
A string the represents the SID of a particular group.
user_sid oval-sc:EntityItemStringType 0 unbounded
A string that represents the SID of a particular user. If the specified group has more than one user as a member, then multiple user_sid entities should exist. If the specified group does not contain a single user, then a single user_sid entity should exist with a status of 'does not exist'. If there is an error determining the userss that are members of the group, then a single user_sid entity should be included with a status of 'error'.
subgroup_sid oval-sc:EntityItemStringType 0 unbounded
A string that represents the SID of a particular subgroup. If the specified group has more than one subgroup as a member, then multiple subgroup_sid entities should exist. If the specified group does not contain a single subgroup, a single subgroup_sid entity should exist with a status of 'does not exist'. If there is an error determining the subgroups that are members of the group, then a single subgroup_sid entity should be included with a status of 'error'.



< interface_item >

Enumerate various attributes about the interfaces on a system.

Extends: oval-sc:ItemType

Child Elements Type MinOccurs MaxOccurs
name oval-sc:EntityItemStringType 0 1
This element specifies the name of an interface.
index oval-sc:EntityItemIntType 0 1
This element specifies index that identifies the interface.
type win-sc:EntityItemInterfaceTypeType 0 1
This element specifies the type of interface which is limited to certain set of values.
hardware_addr oval-sc:EntityItemStringType 0 1
This element specifies the hardware or MAC address of the physical network card. MAC addresses should be formatted according to the IEEE 802-2001 standard which states that a MAC address is a sequence of six octet values, separated by hyphens, where each octet is represented by two hexadecimal digits. Uppercase letters should also be used to represent the hexadecimal digits A through F.
inet_addr oval-sc:EntityItemIPAddressStringType 0 1
This element specifies the IP address of the specific interface. Note that the IP address can be IPv4 or IPv6. If the IP address is an IPv6 address, this entity should be expressed as an IPv6 address prefix using CIDR notation and the netmask entity should not be collected.
broadcast_addr oval-sc:EntityItemIPAddressStringType 0 1
This element specifies the broadcast address. A broadcast address is typically the IP address with the host portion set to either all zeros or all ones. Note that the IP address can be IPv4 or IPv6.
netmask oval-sc:EntityItemIPAddressStringType 0 1
This element specifies the subnet mask for the IP address. Note that if the inet_addr entity contains an IPv6 address prefix, this entity should not be collected.
addr_type win-sc:EntityItemAddrTypeType 0 unbounded
This element specifies the address type or state of a specific interface. Each interface can be associated with more than one value meaning the addr_type element can occur multiple times.



< lockoutpolicy_item >

The lockoutpolicy item enumerates various attributes associated with lockout information for users and global groups in the security database.

Extends: oval-sc:ItemType

Child Elements Type MinOccurs MaxOccurs
force_logoff oval-sc:EntityItemIntType 0 1
Specifies, in seconds, the amount of time between the end of the valid logon time and the time when the user is forced to log off the network. A value of TIMEQ_FOREVER indicates that the user is never forced to log off. A value of zero indicates that the user will be forced to log off immediately when the valid logon time expires. See the USER_MODALS_INFO_0 structure returned by a call to NetUserModalsGet().
lockout_duration oval-sc:EntityItemIntType 0 1
Specifies, in seconds, how long a locked account remains locked before it is automatically unlocked. See the USER_MODALS_INFO_3 structure returned by a call to NetUserModalsGet().
lockout_observation_window oval-sc:EntityItemIntType 0 1
Specifies the maximum time, in seconds, that can elapse between any two failed logon attempts before lockout occurs. See the USER_MODALS_INFO_3 structure returned by a call to NetUserModalsGet().
lockout_threshold oval-sc:EntityItemIntType 0 1
Specifies the number of invalid password authentications that can occur before an account is marked "locked out." See the USER_MODALS_INFO_3 structure returned by a call to NetUserModalsGet().



< metabase_item >

This item gathers information from the specified metabase keys.

Extends: oval-sc:ItemType

Child Elements Type MinOccurs MaxOccurs
key oval-sc:EntityItemStringType 0 1
This element describes a metabase key to be gathered.
id oval-sc:EntityItemIntType 0 1
The id element specifies a particular object under the metabase key. If the xsi:nil attribute is set to true, then the item being represented is the higher level metabase key. Using xsi:nil here will result in a status of 'does not exist' for the other entities associated with this item since these entities are not associated with a key by itself.
name oval-sc:EntityItemStringType 0 1
This element describes the name of the specified metabase object.
user_type oval-sc:EntityItemStringType 0 1
The user_type element is a DWORD that specifies the user type of the data. See the METADATA_RECORD structure.
data_type oval-sc:EntityItemStringType 0 1
The data_type element identifies the type of data in the metabase entry. See the METADATA_RECORD structure.
data oval-sc:EntityItemAnySimpleType 0 unbounded
The actual data of the named item under the specified metabase key. If the specified metabase key is of type multi string, then multiple value elements should exist to describe the array of strings.



< passwordpolicy_item >

Specific policy items associated with passwords. It is important to note that these policies are specific to certain versions of Windows. As a result, the documentation for that version of Windows should be consulted for more information. Information is stored in the SAM or Active Directory but is encrypted or hidden so the registry_item and activedirectory_item are of no use. If this can be figured out, then the password_policy item is not needed.

Extends: oval-sc:ItemType

Child Elements Type MinOccurs MaxOccurs
max_passwd_age oval-sc:EntityItemIntType 0 1
Specifies, in seconds, the maximum allowable password age. A value of TIMEQ_FOREVER (-1) indicates that the password never expires. The minimum valid value for this element is ONE_DAY (86400).
min_passwd_age oval-sc:EntityItemIntType 0 1
Specifies the minimum number of seconds that can elapse between the time a password changes and when it can be changed again. A value of zero indicates that no delay is required between password updates.
min_passwd_len oval-sc:EntityItemIntType 0 1
Specifies the minimum allowable password length. Valid values for this element are zero through PWLEN.
password_hist_len oval-sc:EntityItemIntType 0 1
Specifies the length of password history maintained. A new password cannot match any of the previous usrmod0_password_hist_len passwords. Valid values for this element are zero through DEF_MAX_PWHIST.
password_complexity oval-sc:EntityItemBoolType 0 1
A boolean value that signifies whether passwords must meet the complexity requirements put forth by the operating system.
reversible_encryption oval-sc:EntityItemBoolType 0 1
Determines whether or not passwords are stored using reversible encryption.



< port_item >

Information about open listening ports.

Extends: oval-sc:ItemType

Child Elements Type MinOccurs MaxOccurs
local_address oval-sc:EntityItemIPAddressStringType 0 1
This element specifies the local IP address the listening port is bound to. Note that the IP address can be IPv4 or IPv6.
local_port oval-sc:EntityItemIntType 0 1
This element specifies the number assigned to the local listening port.
protocol win-sc:EntityItemProtocolType 0 1
This element specifies the type of listening port. It is restricted to either TCP or UDP.
pid oval-sc:EntityItemIntType 0 1
The id given to the process that is associated with the specified listening port.
foreign_address oval-sc:EntityItemIPAddressStringType 0 1
This is the IP address with which the program is communicating, or with which it will communicate, in the case of a listening server. Note that the IP address can be IPv4 or IPv6.
foreign_port oval-sc:EntityItemStringType 0 1
This is the TCP or UDP port to which the program communicates.



< printereffectiverights_item >

This item stores the effective rights of a printer that a discretionary access control list (DACL) structure grants to a specified trustee. The trustee's effective rights are determined checking all access-allowed and access-denied access control entries (ACEs) in the DACL. For help with this test see the GetEffectiveRightsFromAcl() api.

Extends: oval-sc:ItemType

Child Elements Type MinOccurs MaxOccurs
printer_name oval-sc:EntityItemStringType 0 1
The printer_name enitity specifies the name of the printer.
trustee_sid oval-sc:EntityItemStringType 0 1
The trustee_sid entity specifies the SID that associated a user, group, system, or program (such as a Windows service).
standard_delete oval-sc:EntityItemBoolType 0 1
The right to delete the object.
standard_read_control oval-sc:EntityItemBoolType 0 1
The right to read the information in the object's security descriptor, not including the information in the SACL.
standard_write_dac oval-sc:EntityItemBoolType 0 1
The right to modify the DACL in the object's security descriptor.
standard_write_owner oval-sc:EntityItemBoolType 0 1
The right to change the owner in the object's security descriptor.
standard_synchronize oval-sc:EntityItemBoolType 0 1
The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right.
access_system_security oval-sc:EntityItemBoolType 0 1
Indicates access to a system access control list (SACL).
generic_read oval-sc:EntityItemBoolType 0 1
Read access.
generic_write oval-sc:EntityItemBoolType 0 1
Write access.
generic_execute oval-sc:EntityItemBoolType 0 1
Execute access.
generic_all oval-sc:EntityItemBoolType 0 1
Read, write, and execute access.
printer_access_administer oval-sc:EntityItemBoolType 0 1
printer_access_use oval-sc:EntityItemBoolType 0 1
job_access_administer oval-sc:EntityItemBoolType 0 1
job_access_read oval-sc:EntityItemBoolType 0 1



< process_item >

Information about running processes.

Extends: oval-sc:ItemType

Child Elements Type MinOccurs MaxOccurs
command_line oval-sc:EntityItemStringType 0 1
The command_line entity is the string used to start the process. This includes any parameters that are part of the command line.
pid oval-sc:EntityItemIntType 0 1
The id given to the process that is created for a specified command line.
ppid oval-sc:EntityItemIntType 0 1
The id given to the parent of the process that is created for the specified command line
priority oval-sc:EntityItemStringType 0 1
The base priority of the process.
image_path oval-sc:EntityItemStringType 0 1
The image_path entity contains the name of the executable file in question.
current_dir oval-sc:EntityItemStringType 0 1
The current_directory entity represents the current path to the executable.



< registry_item >

The windows registry item specifies information that can be collected about a particular registry key.

Extends: oval-sc:ItemType

Child Elements Type MinOccurs MaxOccurs
hive win-sc:EntityItemRegistryHiveType 0 1
The hive that the registry key belongs to.
key oval-sc:EntityItemStringType 0 1
This element describes a registry key to be gathered. Note that the hive portion of the string should not be inclueded, as this data can be found under the hive element. If the xsi:nil attribute is set to true, then the item being represented is the higher level hive. Using xsi:nil here will result in a status of 'does not exist' for the type, and value entities since these entities are not associated with a hive by itself. Note that when xsi:nil is used for the key element, the name element should also be nilled.
name oval-sc:EntityItemStringType 0 1
This element describes the name of a registry key. If the xsi:nil attribute is set to true, then the item being represented is the higher level key. Using xsi:nil here will result in a status of 'does not exist' for the type, and value entities since these entities are not associated with a key by itself.
type win-sc:EntityItemRegistryTypeType 0 1
Specifies the type of data stored by the registry key. Please refer to the EntityItemRegistryTypeType for more information about the different possible types.
value oval-sc:EntityItemAnySimpleType 0 unbounded
The value entity holds the actual value of the specified registry key. The representation of the value as well as the associated datatype attribute depends on type of data stored in the registry key. If the specified registry key is of type REG_BINARY, then the datatype attribute should be set to 'binary' and the data represented by the value entity should follow the xsd:hexBinary form. (each binary octet is encoded as two hex digits) If the registry key is of type REG_DWORD or REG_QWORD, then the datatype attribute should be set to 'int' and the value entity should represent the data as an integer. If the specified registry key is of type REG_EXPAND_SZ, then the datatype attribute should be set to 'string' and the pre-expanded string should be represented by the value entity. If the specified registry key is of type REG_MULTI_SZ, then multiple value entities should exist to describe the array of strings, with each value element holds a single string. In the end, there should be the same number of value entities as there are strings in the reg_multi_sz array. If the specified registry key is of type REG_SZ, then the datatype should be 'string' and the value entity should be a copy of the string.



< regkeyauditedpermissions_item >

This item stores the audited access rights of a registry key that a system access control list (SACL) structure grants to a specified trustee. The trustee's audited access rights are determined checking all access control entries (ACEs) in the SACL. For help with this test see the GetAuditedPermissionsFromAcl() api.

Extends: oval-sc:ItemType

Child Elements Type MinOccurs MaxOccurs
hive win-sc:EntityItemRegistryHiveType 0 1
This element specifies the hive of a registry key on the machine from which the SACL was retrieved.
key oval-sc:EntityItemStringType 0 1
This element specifies a registry key on the machine from which the SACL was retrieved. Note that the hive portion of the string should not be inclueded, as this data should be found under the hive element.
trustee_sid oval-sc:EntityItemStringType 0 1
The security identifier (SID) of the specified trustee name.
trustee_name oval-sc:EntityItemStringType 0 1
This element specifies the trustee name associated with this particular DACL. A trustee can be a user, group, or program (such as a Windows service). In Windows, trustee names are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, trustee names should be identified in the form: "domain\trustee name". For local trustee names use: "computer name\trustee name". For built-in accounts on the system, use the trustee name without a domain.
standard_delete win-sc:EntityItemAuditType 0 1
The right to delete the object.
standard_read_control win-sc:EntityItemAuditType 0 1
The right to read the information in the object's security descriptor, not including the information in the SACL.
standard_write_dac win-sc:EntityItemAuditType 0 1
The right to modify the DACL in the object's security descriptor.
standard_write_owner win-sc:EntityItemAuditType 0 1
The right to change the owner in the object's security descriptor.
standard_synchronize win-sc:EntityItemAuditType 0 1
The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right.
access_system_security win-sc:EntityItemAuditType 0 1
Indicates access to a system access control list (SACL).
generic_read win-sc:EntityItemAuditType 0 1
Read access.
generic_write win-sc:EntityItemAuditType 0 1
Write access.
generic_execute win-sc:EntityItemAuditType 0 1
Execute access.
generic_all win-sc:EntityItemAuditType 0 1
Read, write, and execute access.
key_query_value win-sc:EntityItemAuditType 0 1
key_set_value win-sc:EntityItemAuditType 0 1
key_create_sub_key win-sc:EntityItemAuditType 0 1
key_enumerate_sub_keys win-sc:EntityItemAuditType 0 1
key_notify win-sc:EntityItemAuditType 0 1
key_create_link win-sc:EntityItemAuditType 0 1
key_wow64_64key win-sc:EntityItemAuditType 0 1
key_wow64_32key win-sc:EntityItemAuditType 0 1
key_wow64_res win-sc:EntityItemAuditType 0 1



< regkeyeffectiverights_item >

This item stores the effective rights of a registry key that a discretionary access control list (DACL) structure grants to a specified trustee. The trustee's effective rights are determined checking all access-allowed and access-denied access control entries (ACEs) in the DACL. For help with this test see the GetEffectiveRightsFromAcl() api.

Extends: oval-sc:ItemType

Child Elements Type MinOccurs MaxOccurs
hive win-sc:EntityItemRegistryHiveType 0 1
The hive that the registry key belongs to.
key oval-sc:EntityItemStringType 0 1
This element describes a registry key to be gathered. Note that the hive portion of the string should not be inclueded, as this data can be found under the hive element. If the xsi:nil attribute is set to true, then the item being represented is the higher level hive.
trustee_sid oval-sc:EntityItemStringType 0 1
The trustee_sid entity specifies the SID that associated a user, group, system, or program (such as a Windows service).
trustee_name oval-sc:EntityItemStringType 0 1
This element specifies the trustee name associated with this particular DACL. A trustee can be a user, group, or program (such as a Windows service). In Windows, trustee names are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, trustee names should be identified in the form: "domain\trustee name". For local trustee names use: "computer name\trustee name". For built-in accounts on the system, use the trustee name without a domain.
standard_delete oval-sc:EntityItemBoolType 0 1
The right to delete the object.
standard_read_control oval-sc:EntityItemBoolType 0 1
The right to read the information in the object's security descriptor, not including the information in the SACL.
standard_write_dac oval-sc:EntityItemBoolType 0 1
The right to modify the DACL in the object's security descriptor.
standard_write_owner oval-sc:EntityItemBoolType 0 1
The right to change the owner in the object's security descriptor.
standard_synchronize oval-sc:EntityItemBoolType 0 1
The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right.
access_system_security oval-sc:EntityItemBoolType 0 1
Indicates access to a system access control list (SACL).
generic_read oval-sc:EntityItemBoolType 0 1
Read access.
generic_write oval-sc:EntityItemBoolType 0 1
Write access.
generic_execute oval-sc:EntityItemBoolType 0 1
Execute access.
generic_all oval-sc:EntityItemBoolType 0 1
Read, write, and execute access.
key_query_value oval-sc:EntityItemBoolType 0 1
key_set_value oval-sc:EntityItemBoolType 0 1
key_create_sub_key oval-sc:EntityItemBoolType 0 1
key_enumerate_sub_keys oval-sc:EntityItemBoolType 0 1
key_notify oval-sc:EntityItemBoolType 0 1
key_create_link oval-sc:EntityItemBoolType 0 1
key_wow64_64key oval-sc:EntityItemBoolType 0 1
key_wow64_32key oval-sc:EntityItemBoolType 0 1
key_wow64_res oval-sc:EntityItemBoolType 0 1



< service_item >

This item stores information about Windows services that are present on the system.

Extends: oval-sc:ItemType

Child Elements Type MinOccurs MaxOccurs
service_name oval-sc:EntityItemStringType 0 1
The service_name element specifies the name of the service as specified in the Service Control Manager (SCM) database.
display_name oval-sc:EntityItemStringType 0 1
The display_name element specifies the name of the service as specified in tools such as Control Panel->Administrative Tools->Services.
description oval-sc:EntityItemStringType 0 1
The description element specifies the description of the service.
service_type win-sc:EntityItemServiceTypeType 0 unbounded
The service_type element specifies the type of the service.
start_type win-sc:EntityItemServiceStartTypeType 0 1
The start_type element specifies when the service should be started.
current_state win-sc:EntityItemServiceCurrentStateType 0 1
The current_state element specifies the current state of the service.
controls_accepted win-sc:EntityItemServiceControlsAcceptedType 0 unbounded
The controls_accepted element specifies the control codes that a service will accept and process.
start_name oval-sc:EntityItemStringType 0 1
The start_name element specifies the account under which the process should run.
path oval-sc:EntityItemStringType 0 1
The path element specifies the path to the binary of the service.
pid oval-sc:EntityItemIntType 0 1
The pid element specifies the process ID of the service.
service_flag oval-sc:EntityItemBoolType 0 1
The service_flag element specifies if the service is in a system process that must always run (1) or if the service is in a non-system process or is not running (0). If the service is not running, the pid will be 0. Otherwise, the pid will be non-zero.
dependencies oval-sc:EntityItemStringType 0 unbounded
The dependencies element specifies the dependencies of this service on other services.



< serviceeffectiverights_item >

This item stores the effective rights of a service that a discretionary access control list (DACL) structure grants to a specified trustee. The trustee's effective rights are determined by checking all access-allowed and access-denied access control entries (ACEs) in the DACL. For help with this test see the GetEffectiveRightsFromAcl() api.

Extends: oval-sc:ItemType

Child Elements Type MinOccurs MaxOccurs
service_name oval-sc:EntityItemStringType 0 1
The service_name element specifies a service on the machine from which to retrieve the DACL. Note that the service_name element should contain the actual name of the service and not its display name that is found in Control Panel->Administrative Tools->Services. For example, if you wanted to check the effective rights of the Automatic Updates service you would specify 'wuauserv' for the service_name element not 'Automatic Updates'.
trustee_sid oval-sc:EntityItemStringType 0 1
The trustee_sid element specifies the SID that is associated with a user, group, system, or program (such as a Windows service).
standard_delete oval-sc:EntityItemBoolType 0 1
This permission is required to call the DeleteService function to delete the service.
standard_read_control oval-sc:EntityItemBoolType 0 1
This permission is required to call the QueryServiceObjectSecurity function to query the security descriptor of the service object.
standard_write_dac oval-sc:EntityItemBoolType 0 1
This permission is required to call the SetServiceObjectSecurity function to modify the Dacl member of the service object's security descriptor.
standard_write_owner oval-sc:EntityItemBoolType 0 1
This permission is required to call the SetServiceObjectSecurity function to modify the Owner and Group members of the service object's security descriptor.
generic_read oval-sc:EntityItemBoolType 0 1
Read access (STANDARD_RIGHTS_READ, SERVICE_QUERY_CONFIG, SERVICE_QUERY_STATUS, SERVICE_INTERROGATE, SERVICE_ENUMERATE_DEPENDENTS).
generic_write oval-sc:EntityItemBoolType 0 1
Write access (STANDARD_RIGHTS_WRITE, SERVICE_CHANGE_CONFIG).
generic_execute oval-sc:EntityItemBoolType 0 1
Execute access (STANDARD_RIGHTS_EXECUTE, SERVICE_START, SERVICE_STOP, SERVICE_PAUSE_CONTINUE, SERVICE_USER_DEFINED_CONTROL).
service_query_conf oval-sc:EntityItemBoolType 0 1
This permission is required to call the QueryServiceConfig and QueryServiceConfig2 functions to query the service configuration.
service_change_conf oval-sc:EntityItemBoolType 0 1
This permission is required to call the ChangeServiceConfig or ChangeServiceConfig2 function to change the service configuration.
service_query_stat oval-sc:EntityItemBoolType 0 1
This permission is required to call the QueryServiceStatusEx function to ask the service control manager about the status of the service.
service_enum_dependents oval-sc:EntityItemBoolType 0 1
This permission is required to call the EnumDependentServices function to enumerate all the services dependent on the service.
service_start oval-sc:EntityItemBoolType 0 1
This permission is required to call the StartService function to start the service.
service_stop oval-sc:EntityItemBoolType 0 1
This permission is required to call the ControlService function to stop the service.
service_pause oval-sc:EntityItemBoolType 0 1
This permission is required to call the ControlService function to pause or continue the service.
service_interrogate oval-sc:EntityItemBoolType 0 1
This permission is required to call the ControlService function to ask the service to report its status immediately.
service_user_defined oval-sc:EntityItemBoolType 0 1
This permission is required to call the ControlService function to specify a user-defined control code.



< sharedresource_item >

Extends: oval-sc:ItemType

Child Elements Type MinOccurs MaxOccurs
netname oval-sc:EntityItemStringType 0 1
The share name of the resource.
shared_type win-sc:EntityItemSharedResourceTypeType 0 1
The type of the shared resource.
max_uses oval-sc:EntityItemIntType 0 1
The maximum number of concurrent connections that the shared resource can accommodate.
current_uses oval-sc:EntityItemIntType 0 1
The number of current connections to the shared resource.
local_path oval-sc:EntityItemStringType 0 1
The local path for the shared resource.
access_read_permission oval-sc:EntityItemBoolType 0 1
Permission to read data from a resource and, by default, to execute the resource.
access_write_permission oval-sc:EntityItemBoolType 0 1
Permission to write data to the resource.
access_create_permission oval-sc:EntityItemBoolType 0 1
Permission to create an instance of the resource (such as a file); data can be written to the resource as the resource is created.
access_exec_permission oval-sc:EntityItemBoolType 0 1
Permission to execute the resource.
access_delete_permission oval-sc:EntityItemBoolType 0 1
Permission to delete the resource.
access_atrib_permission oval-sc:EntityItemBoolType 0 1
Permission to modify the resource's attributes (such as the date and time when a file was last modified).
access_perm_permission oval-sc:EntityItemBoolType 0 1
Permission to modify the permissions (read, write, create, execute, and delete) assigned to a resource for a user or application.
access_all_permission oval-sc:EntityItemBoolType 0 1
Permission to read, write, create, execute, and delete resources, and to modify their attributes and permissions.



< sid_item >

Extends: oval-sc:ItemType

Child Elements Type MinOccurs MaxOccurs
trustee_name oval-sc:EntityItemStringType 0 1
This element specifies the trustee name associated with a particular SID. In Windows, trustee names are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, trustee names should be identified in the form: "domain\trustee name". For local trustee names use: "computer name\trustee name". For built-in accounts on the system, use the trustee name without a domain.
trustee_sid oval-sc:EntityItemStringType 0 1
The security identifier (SID) of the specified trustee name.
trustee_domain oval-sc:EntityItemStringType 0 1
The domain of the specified trustee name.



< sid_sid_item >

Extends: oval-sc:ItemType

Child Elements Type MinOccurs MaxOccurs
trustee_sid oval-sc:EntityItemStringType 0 1
The security identifier (SID) of the specified trustee name.
trustee_name oval-sc:EntityItemStringType 0 1
This element specifies the trustee name associated with a particular SID. In Windows, trustee names are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, trustee names should be identified in the form: "domain\trustee name". For local trustee names use: "computer name\trustee name". For built-in accounts on the system, use the trustee name without a domain.
trustee_domain oval-sc:EntityItemStringType 0 1
The domain of the specified trustee name.



< uac_item >

The uac_item is used to hold information about settings related to User Access Control within Windows.

Extends: oval-sc:ItemType

Child Elements Type MinOccurs MaxOccurs
admin_approval_mode oval-sc:EntityItemBoolType 0 1
Admin Approval Mode for the Built-in Administrator account.
elevation_prompt_admin oval-sc:EntityItemStringType 0 1
Behavior of the elevation prompt for administrators in Admin Approval Mode.
elevation_prompt_standard oval-sc:EntityItemStringType 0 1
Behavior of the elevation prompt for standard users.
detect_installations oval-sc:EntityItemBoolType 0 1
Detect application installations and prompt for elevation.
elevate_signed_executables oval-sc:EntityItemBoolType 0 1
Only elevate executables that are signed and validated.
elevate_uiaccess oval-sc:EntityItemBoolType 0 1
Only elevate UIAccess applications that are installed in secure locations.
run_admins_aam oval-sc:EntityItemBoolType 0 1
Run all administrators in Admin Approval Mode.
secure_desktop oval-sc:EntityItemBoolType 0 1
Switch to the secure desktop when prompting for elevation.
virtualize_write_failures oval-sc:EntityItemBoolType 0 1
Virtualize file and registry write failures to per-user locations.



< user_item >

The windows user_item allows the different groups (identified by name) that a user belongs to be collected.

Extends: oval-sc:ItemType

Child Elements Type MinOccurs MaxOccurs
user oval-sc:EntityItemStringType 0 1
A string the represents the name of a particular user. In Windows, user names are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, users should be identified in the form: "domain\user name". For local users use: "computer_name\user_name". For built-in accounts on the system, use the user name without a domain.
enabled oval-sc:EntityItemBoolType 0 1
A boolean that represents whether the particular user is enabled or not.
group oval-sc:EntityItemStringType 0 unbounded
A string that represents the name of a particular group. In Windows, group names are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, groups should be identified in the form: "domain\group name". For local groups use: "computer name\group name". For built-in accounts on the system, use the group name without a domain.If the specified user belongs to more than one group, then multiple group elements should exist. If the specified user is not a member of a single group, then a single group element should exist with a status of 'does not exist'. If there is an error determining the groups that the user belongs to, then a single group element should be included with a status of 'error'.



< user_sid_item >

The windows user_sid_item allows the different groups (identified by SID) that a user belongs to be collected.

Extends: oval-sc:ItemType

Child Elements Type MinOccurs MaxOccurs
user_sid oval-sc:EntityItemStringType 0 1
A string the represents the SID of a particular user.
enabled oval-sc:EntityItemBoolType 0 1
A boolean that represents whether the particular user is enabled or not.
group_sid oval-sc:EntityItemStringType 0 unbounded
A string that represents the SID of a particular group. If the specified user belongs to more than one group, then multiple group_sid elements should exist. If the specified user is not a member of a single group, then a single group_sid element should exist with a status of 'does not exist'. If there is an error determining the groups that the user belongs to, then a single group_sid element should be included with a status of 'error'.



< volume_item >

The volume item enumerates various attributes about a particular volume mounted to a machine. This includes the various system flags returned by GetVolumeInformation(). It is important to note that these system flags are specific to certain versions of Windows. As a result, the documentation for that version of Windows should be consulted for more information.

Extends: oval-sc:ItemType

Child Elements Type MinOccurs MaxOccurs
rootpath oval-sc:EntityItemStringType 0 1
A string that contains the root directory of the volume to be described. A trailing backslash is required. For example, you would specify \\MyServer\MyShare as "\\MyServer\MyShare\", or the C drive as "C:\".
file_system oval-sc:EntityItemStringType 0 1
The type of filesystem. For example FAT or NTFS.
name oval-sc:EntityItemStringType 0 1
The name of the volume.
drive_type win-sc:EntityItemDriveTypeType 0 1
The drive type of the volume.
volume_max_component_length oval-sc:EntityItemIntType 0 1
The volume_max_component_length element specifies the maximum length, in TCHARs, of a file name component that a specified file system supports. A file name component is the portion of a file name between backslashes. The value that is stored in the variable that *lpMaximumComponentLength points to is used to indicate that a specified file system supports long names. For example, for a FAT file system that supports long names, the function stores the value 255, rather than the previous 8.3 indicator. Long names can also be supported on systems that use the NTFS file system.
serial_number oval-sc:EntityItemIntType 0 1
The volume serial number.
file_case_sensitive_search oval-sc:EntityItemBoolType 0 1
The file system supports case-sensitive file names.
file_case_preserved_names oval-sc:EntityItemBoolType 0 1
The file system preserves the case of file names when it places a name on disk.
file_unicode_on_disk oval-sc:EntityItemBoolType 0 1
The file system supports Unicode in file names as they appear on disk.
file_persistent_acls oval-sc:EntityItemBoolType 0 1
The file system preserves and enforces ACLs. For example, NTFS preserves and enforces ACLs, and FAT does not.
file_file_compression oval-sc:EntityItemBoolType 0 1
The file system supports file-based compression.
file_volume_quotas oval-sc:EntityItemBoolType 0 1
The file system supports disk quotas.
file_supports_sparse_files oval-sc:EntityItemBoolType 0 1
The file system supports sparse files.
file_supports_reparse_points oval-sc:EntityItemBoolType 0 1
The file system supports reparse points.
file_supports_remote_storage oval-sc:EntityItemBoolType 0 1
The specified volume is a compressed volume; for example, a DoubleSpace volume.
file_volume_is_compressed oval-sc:EntityItemBoolType 0 1
The specified volume is a compressed volume; for example, a DoubleSpace volume.
file_supports_object_ids oval-sc:EntityItemBoolType 0 1
The file system supports object identifiers.
file_supports_encryption oval-sc:EntityItemBoolType 0 1
The file system supports the Encrypted File System (EFS).
file_named_streams oval-sc:EntityItemBoolType 0 1
The file system supports named streams.
file_read_only_volume oval-sc:EntityItemBoolType 0 1
The specified volume is read-only.



< wmi_item >

Deprecated As Of Version: 5.7
Reason: Replaced by the wmi57_item. This item allows for single fields to be selected from WMI. A new item was created to allow more than one field to be selected in one statement. See the wmi57_item.
Comment: This object has been deprecated and may be removed in a future version of the language.

The wmi_item outlines information to be checked through Microsoft's WMI interface.

Extends: oval-sc:ItemType

Child Elements Type MinOccurs MaxOccurs
namespace oval-sc:EntityItemStringType 0 1
The WMI namespaces of the specific object.
wql oval-sc:EntityItemStringType 0 1
A WQL query used to identify the object(s) specified. Any valid WQL query is allowed with one exception, at most one field is allowed in the SELECT portion of the query. For example SELECT name FROM ... is valid, as is SELECT 'true' FROM ..., but SELECT name, number FROM ... is not valid. This is because the result element in the data section is only designed to work against a single field.
result oval-sc:EntityItemAnySimpleType 0 unbounded
The result element specifies how to test objects in the result set of the specified WQL statement. Only one comparable field is allowed. So if the WQL statement look like 'SELECT name FROM ...', then a result element with a value of 'Fred' would test that value against the names returned by the WQL statement. If the WQL statement returns more than one instance of the specified field, then multiple result elements should exist to describe each instance.



< wmi57_item >

The wmi57_item outlines information to be checked through Microsoft's WMI interface.

Extends: oval-sc:ItemType

Child Elements Type MinOccurs MaxOccurs
namespace oval-sc:EntityItemStringType 0 1
The WMI namespaces of the specific object.
wql oval-sc:EntityItemStringType 0 1
A WQL query used to identify the object(s) specified. Any valid WQL query is allowed with one exception, all fields must be named. For example SELECT name, age FROM ... is valid, but SELECT * FROM ... is not valid. This is because the record entity supports only named fields.
result oval-sc:EntityItemRecordType 0 unbounded
The result entity holds the results of the specified WQL statement.



< wuaupdatesearcher_item >

The wuaupdatesearcher_item outlines information defined through the Search method of the IUpdateSearcher interface as part of Microsoft's WUA (Windows Update Agent) API. This information is related to the current patch level in a Windows environment. The test extends the standard ItemType as defined in the oval-system-characteristics schema and one should refer to the ItemType description for more information.

Extends: oval-sc:ItemType

Child Elements Type MinOccurs MaxOccurs
search_criteria oval-sc:EntityItemStringType 0 1
update_id oval-sc:EntityItemStringType 0 unbounded
The update_id entity specifies a string that represents a revision-independent identifier of an update. This information is part of the IUpdateIdentity interface that is part of the result of the IUpdateSearcher interface's Search method. Note that multiple update identifiers can be associated with a give search criteria and thus multiple entities can exist for this item.



== EntityItemAddrTypeType ==

The EntityItemAddrTypeType restricts a string value to a specific set of values that describe the different address types of interfaces. The empty string is also allowed to support empty elements associated with error conditions.

Restricts: oval-sc:EntityItemStringType

Value Description

MIB_IPADDR_DELETED 

The stated IP address is being deleted. The unsigned short value that this corresponds to is 0x0040

MIB_IPADDR_DISCONNECTED 

The stated IP address is on a disconnected interface. The unsigned short value that this corresponds to is 0x0008.

MIB_IPADDR_DYNAMIC 

The stated IP address is a dynamic IP address. The unsigned short value that this corresponds to is 0x0004.

MIB_IPADDR_PRIMARY 

The stated IP address is a primary IP address. The unsigned short value that this corresponds to is 0x0001.

MIB_IPADDR_TRANSIENT 

The stated IP address is a transient IP address. The unsigned short value that this corresponds to is 0x0080

 

The empty string value is permitted here to allow for detailed error reporting.


== EntityItemAdstypeType ==

The EntityItemAdstypeType restricts a string value to a specific set of values that describe the possible types associated with an Active Directory attribute. The empty string is also allowed to support empty elements associated with error conditions.

Restricts: oval-sc:EntityItemStringType

Value Description

ADSTYPE_INVALID 

The data type is invalid.

ADSTYPE_DN_STRING 

The string is of Distinguished Name (path) of a directory service object.

ADSTYPE_CASE_EXACT_STRING 

The string is of the case-sensitive type.

ADSTYPE_CASE_IGNORE_STRING 

The string is of the case-insensitive type.

ADSTYPE_PRINTABLE_STRING 

The string is displayable on the screen or in print.

ADSTYPE_NUMERIC_STRING 

The string is of a numeric value to be interpreted as text.

ADSTYPE_BOOLEAN 

The data is of a Boolean value.

ADSTYPE_INTEGER 

The data is of an integer value.

ADSTYPE_OCTET_STRING 

The string is of a byte array.

ADSTYPE_UTC_TIME 

The data is of the universal time as expressed in Universal Time Coordinate (UTC).

ADSTYPE_LARGE_INTEGER 

The data is of a long integer value.

ADSTYPE_PROV_SPECIFIC 

The string is of a provider-specific string.

ADSTYPE_OBJECT_CLASS 

Not used.

ADSTYPE_CASEIGNORE_LIST 

The data is of a list of case insensitive strings.

ADSTYPE_OCTET_LIST 

The data is of a list of octet strings.

ADSTYPE_PATH 

The string is of a directory path.

ADSTYPE_POSTALADDRESS 

The string is of the postal address type.

ADSTYPE_TIMESTAMP 

The data is of a time stamp in seconds.

ADSTYPE_BACKLINK 

The string is of a back link.

ADSTYPE_TYPEDNAME 

The string is of a typed name.

ADSTYPE_HOLD 

The data is of the Hold data structure.

ADSTYPE_NETADDRESS 

The string is of a net address.

ADSTYPE_REPLICAPOINTER 

The data is of a replica pointer.

ADSTYPE_FAXNUMBER 

The string is of a fax number.

ADSTYPE_EMAIL 

The data is of an e-mail message.

ADSTYPE_NT_SECURITY_DESCRIPTOR 

The data is of Windows NT/Windows 2000 Security Descriptor as represented by a byte array.

ADSTYPE_UNKNOWN 

The data is of an undefined type.

ADSTYPE_DN_WITH_BINARY 

The data is of ADS_DN_WITH_BINARY used for mapping a distinguished name to a non varying GUID.

ADSTYPE_DN_WITH_STRING 

The data is of ADS_DN_WITH_STRING used for mapping a distinguished name to a non-varying string value.

 

The empty string value is permitted here to allow for detailed error reporting.


== EntityItemAuditType ==

The EntityItemAuditType restricts a string value to a specific set of values: AUDIT_NONE, AUDIT_SUCCESS, AUDIT_FAILURE, and AUDIT_SUCCESS_FAILURE. These values describe which audit records should be generated. The empty string is also allowed to support empty elements associated with error conditions.

Restricts: oval-sc:EntityItemStringType

Value Description

AUDIT_FAILURE 

The audit type AUDIT_FAILURE is used to perform audits on all unsuccessful occurrences of specified events when auditing is enabled.

AUDIT_NONE 

The audit type AUDIT_NONE is used to cancel all auditing options for the specified events.

AUDIT_SUCCESS 

The audit type AUDIT_SUCCESS is used to perform audits on all successful occurrences of the specified events when auditing is enabled.

AUDIT_SUCCESS_FAILURE 

The audit type AUDIT_SUCCESS_FAILURE is used to perform audits on all successful and unsuccessful occurrences of the specified events when auditing is enabled.

 

The empty string value is permitted here to allow for detailed error reporting.


== EntityItemDriveTypeType ==

The EntityItemDriveTypeType complex type defines the different values that are valid for the drive_type entity of a win-sc:volume_item. The empty string is also allowed to support empty elements associated with error conditions.

Restricts: oval-sc:EntityItemStringType

Value Description

DRIVE_UNKNOWN 

The DRIVE_UNKNOWN type means that drive type cannot be determined. The UINT value that this corresponds to is 0.

DRIVE_NO_ROOT_DIR 

The DRIVE_NO_ROOT_DIR type means that the root path is not valid. The UINT value that this corresponds to is 1.

DRIVE_REMOVABLE 

The DRIVE_REMOVABLE type means that the drive contains removable media. The UINT value that this corresponds to is 2.

DRIVE_FIXED 

The DRIVE_FIXED type means that the drive contains fixed media. The UINT value that this corresponds to is 3.

DRIVE_REMOTE 

The DRIVE_REMOTE type means that the drive is a remote drive (i.e. network drive). The UINT value that this corresponds to is 4.

DRIVE_CDROM 

The DRIVE_CDROM type means that the drive is a CD-ROM drive. The UINT value that this corresponds to is 5.

DRIVE_RAMDISK 

The DRIVE_RAMDISK type means that the drive is a RAM disk. The UINT value that this corresponds to is 6.

 

The empty string value is permitted here to allow for detailed error reporting.


== EntityItemFileTypeType ==

The EntityItemFileTypeType restricts a string value to a specific set of values that describe the different types of files. The empty string is also allowed to support empty elements associated with error conditions.

Restricts: oval-sc:EntityItemStringType

Value Description

FILE_ATTRIBUTE_DIRECTORY 

The handle identifies a directory.

FILE_TYPE_CHAR 

The specified file is a character file, typically an LPT device or a console.

FILE_TYPE_DISK 

The specified file is a disk file.

FILE_TYPE_PIPE 

The specified file is a socket, a named pipe, or an anonymous pipe.

FILE_TYPE_REMOTE 

Unused.

FILE_TYPE_UNKNOWN 

Either the type of the specified file is unknown, or the function failed.

 

The empty string value is permitted here to allow for detailed error reporting.


== EntityItemInterfaceTypeType ==

The EntityItemInterfaceTypeType restricts a string value to a specific set of values that describe the different types of interfaces. The empty string is also allowed to support empty elements associated with error conditions.

Restricts: oval-sc:EntityItemStringType

Value Description

MIB_IF_TYPE_ETHERNET 

The MIB_IF_TYPE_ETHERNET type is used to describe ethernet interfaces.

MIB_IF_TYPE_FDDI 

The MIB_IF_TYPE_FDDI type is used to describe fiber distributed data interfaces (FDDI).

MIB_IF_TYPE_LOOPBACK 

The MIB_IF_TYPE_LOOPBACK type is used to describe loopback interfaces.

MIB_IF_TYPE_OTHER 

The MIB_IF_TYPE_OTHER type is used to describe unknown interfaces.

MIB_IF_TYPE_PPP 

The MIB_IF_TYPE_PPP type is used to describe point-to-point protocol interfaces (PPP).

MIB_IF_TYPE_SLIP 

The MIB_IF_TYPE_SLIP type is used to describe serial line internet protocol interfaces (SLIP).

MIB_IF_TYPE_TOKENRING 

The MIB_IF_TYPE_TOKENRING type is used to describe token ring interfaces..

 

The empty string value is permitted here to allow for detailed error reporting.


== EntityItemNamingContextType ==

The EntityItemNamingContextType restricts a string value to a specific set of values: domain, configuration, and schema. These values describe the different naming context found withing Active Directory. The empty string is also allowed to support empty elements associated with error conditions.

Restricts: oval-sc:EntityItemStringType

Value Description

domain 

The domain naming context contains Active Directory objects present in the specified domain (e.g. users, computers, groups, and other objects).

configuration 

The configuration naming context contains configuration data that is required for the Active Directory to operate as a directory service.

schema 

The schema naming context contains all of the Active Directory object definitions.

 

The empty string value is permitted here to allow for detailed error reporting.


== EntityItemProtocolType ==

The EntityItemProtocolType restricts a string value to a specific set of values that describe the different available protocols. The empty string is also allowed to support empty elements associated with error conditions.

Restricts: oval-sc:EntityItemStringType

Value Description

TCP 

The port uses the Transmission Control Protocol (TCP).

UDP 

The port uses the User Datagram Protocol (UDP).

 

The empty string value is permitted here to allow for detailed error reporting.


== EntityItemRegistryHiveType ==

The EntityItemRegistryHiveType restricts a string value to a specific set of values that describe the different registry hives. The empty string is also allowed to support empty elements associated with error conditions.

Restricts: oval-sc:EntityItemStringType

Value Description

HKEY_CLASSES_ROOT 

This registry subtree contains information that associates file types with programs and configuration data for automation (e.g. COM objects and Visual Basic Programs).

HKEY_CURRENT_CONFIG 

This registry subtree contains configuration data for the current hardware profile.

HKEY_CURRENT_USER 

This registry subtree contains the user profile of the user that is currently logged into the system.

HKEY_LOCAL_MACHINE 

This registry subtree contains information about the local system.

HKEY_USERS 

This registry subtree contains user-specific data.

 

The empty string value is permitted here to allow for detailed error reporting.


== EntityItemRegistryTypeType ==

The EntityItemRegistryTypeType defines the different values that are valid for the type entity of a registry item. These values describe the possible types of data stored in a registry key. restricts a string value to a specific set of values that describe the different registry types. The empty string is also allowed as a valid value to support empty emlements associated with error conditions. Please note that the values identified are for the type entity and are not valid values for the datatype attribute. For information about how to encode registry data in OVAL for each of the different types, please visit the registry_item documentation.

Restricts: oval-sc:EntityItemStringType

Value Description

reg_binary 

The reg_binary type is used by registry keys that specify binary data in any form.

reg_dword 

The reg_dword type is used by registry keys that specify a 32-bit number.

reg_expand_sz 

The reg_expand_sz type is used by registry keys to specify a null-terminated string that contains unexpanded references to environment variables (for example, "%PATH%").

reg_multi_sz 

The reg_multi_sz type is used by registry keys that specify an array of null-terminated strings, terminated by two null characters.

reg_none 

The reg_none type is used by registry keys that have no defined value type.

reg_qword 

The reg_qword type is used by registry keys that specify a 64-bit number.

reg_sz 

The reg_sz type is used by registry keys that specify a single null-terminated string.

 

The empty string value is permitted here to allow for detailed error reporting.


== EntityItemServiceControlsAcceptedType ==

The EntityItemServiceAcceptedControlsType complex type defines the different values that are valid for the controls_accepted entity of a service. The empty string is also allowed to support empty elements associated with error conditions.

Restricts: oval-sc:EntityItemStringType

Value Description

SERVICE_ACCEPT_NETBINDCHANGE 

The SERVICE_ACCEPT_NETBINDCHANGE type means that the service is a network component and can accept changes in its binding without being stopped or restarted. The DWORD value that this corresponds to is 0x00000010.

SERVICE_ACCEPT_PARAMCHANGE 

The SERVICE_ACCEPT_PARAMCHANGE type means that the service can re-read its startup parameters without being stopped or restarted. The DWORD value that this corresponds to is 0x00000008.

SERVICE_ACCEPT_PAUSE_CONTINUE 

The SERVICE_ACCEPT_PAUSE_CONTINUE type means that the service can be paused or continued. The DWORD value that this corresponds to is 0x00000002.

SERVICE_ACCEPT_PRESHUTDOWN 

The SERVICE_ACCEPT_PRESHUTDOWN type means that the service can receive pre-shutdown notifications. The DWORD value that this corresponds to is 0x00000100.

SERVICE_ACCEPT_SHUTDOWN 

The SERVICE_ACCEPT_SHUTDOWN type means that the service can receive shutdown notifications. The DWORD value that this corresponds to is 0x00000004.

SERVICE_ACCEPT_STOP 

The SERVICE_ACCEPT_STOP type means that the service can be stopped. The DWORD value that this corresponds to is 0x00000001.

SERVICE_ACCEPT_HARDWAREPROFILECHANGE 

The SERVICE_ACCEPT_HARDWAREPROFILECHANGE type means that the service can receive notifications when the system's hardware profile changes. The DWORD value that this corresponds to is 0x00000020.

SERVICE_ACCEPT_POWEREVENT 

The SERVICE_ACCEPT_POWEREVENT type means that the service can receive notifications when the system's power status has changed. The DWORD value that this corresponds to is 0x00000040.

SERVICE_ACCEPT_SESSIONCHANGE 

The SERVICE_ACCEPT_SESSIONCHANGE type means that the service can receive notifications when the system's session status has changed. The DWORD value that this corresponds to is 0x00000080.

SERVICE_ACCEPT_TIMECHANGE 

The SERVICE_ACCEPT_TIMECHANGE type means that the service can receive notifications when the system time changes. The DWORD value that this corresponds to is 0x00000200.

SERVICE_ACCEPT_TRIGGEREVENT 

The SERVICE_ACCEPT_TRIGGEREVENT type means that the service can receive notifications when an event that the service has registered for occurs on the system. The DWORD value that this corresponds to is 0x00000400.

 

The empty string value is permitted here to allow for empty elements associated with variable references.


== EntityItemServiceCurrentStateType ==

The EntityItemServiceCurrentStateType complex type defines the different values that are valid for the current_state entity of a service. The empty string is also allowed to support empty elements associated with error conditions.

Restricts: oval-sc:EntityItemStringType

Value Description

SERVICE_CONTINUE_PENDING 

The SERVICE_CONTINUE_PENDING type means that the service has been sent a command to continue, however, the command has not yet been executed. The DWORD value that this corresponds to is 0x00000005.

SERVICE_PAUSE_PENDING 

The SERVICE_PAUSE_PENDING type means that the service has been sent a command to pause, however, the command has not yet been executed. The DWORD value that this corresponds to is 0x00000006.

SERVICE_PAUSED 

The SERVICE_PAUSED type means that the service is paused. The DWORD value that this corresponds to is 0x00000007.

SERVICE_RUNNING 

The SERVICE_RUNNING type means that the service is running. The DWORD value that this corresponds to is 0x00000004.

SERVICE_START_PENDING 

The SERVICE_START_PENDING type means that the service has been sent a command to start, however, the command has not yet been executed. The DWORD value that this corresponds to is 0x00000002.

SERVICE_STOP_PENDING 

The SERVICE_STOP_PENDING type means that the service has been sent a command to stop, however, the command has not yet been executed. The DWORD value that this corresponds to is 0x00000003.

SERVICE_STOPPED 

The SERVICE_STOPPED type means that the service is stopped. The DWORD value that this corresponds to is 0x00000001.

 

The empty string value is permitted here to allow for empty elements associated with variable references.


== EntityItemServiceStartTypeType ==

The EntityItemServiceStartTypeType complex type defines the different values that are valid for the start_type entity of a service. The empty string is also allowed to support empty elements associated with error conditions.

Restricts: oval-sc:EntityItemStringType

Value Description

SERVICE_AUTO_START 

The SERVICE_AUTO_START type means that the service is started automatically by the Service Control Manager (SCM) during startup. The DWORD value that this corresponds to is 0x00000002.

SERVICE_BOOT_START 

The SERVICE_BOOT_START type means that the driver service is started by the system loader. The DWORD value that this corresponds to is 0x00000000.

SERVICE_DEMAND_START 

The SERVICE_DEMAND_START type means that the service is started by the Service Control Manager (SCM) when StartService() is called. The DWORD value that this corresponds to is 0x00000003.

SERVICE_DISABLED 

The SERVICE_DISABLED type means that the service cannot be started. The DWORD value that this corresponds to is 0x00000004.

SERVICE_SYSTEM_START 

The SERVICE_SYSTEM_START type means that the service is a device driver started by IoInitSystem(). The DWORD value that this corresponds to is 0x00000001.

 

The empty string value is permitted here to allow for empty elements associated with variable references.


== EntityItemServiceTypeType ==

The EntityItemServiceTypeType complex type defines the different values that are valid for the service_type entity of a service. The empty string is also allowed to support empty elements associated with error conditions.

Restricts: oval-sc:EntityItemStringType

Value Description

SERVICE_FILE_SYSTEM_DRIVER 

The SERVICE_FILE_SYSTEM_DRIVER type means that the service is a file system driver. The DWORD value that this corresponds to is 0x00000002.

SERVICE_KERNEL_DRIVER 

The SERVICE_KERNEL_DRIVER type means that the service is a driver. The DWORD value that this corresponds to is 0x00000001.

SERVICE_WIN32_OWN_PROCESS 

The SERVICE_WIN32_OWN_PROCESS type means that the service runs in its own process. The DWORD value that this corresponds to is 0x00000010.

SERVICE_WIN32_SHARE_PROCESS 

The SERVICE_WIN32_SHARE_PROCESS type means that the service runs in a process with other services. The DWORD value that this corresponds to is 0x00000020.

SERVICE_INTERACTIVE_PROCESS 

The SERVICE_WIN32_SHARE_PROCESS type means that the service runs in a process with other services. The DWORD value that this corresponds to is 0x00000100.

 

The empty string value is permitted here to allow for empty elements associated with variable references.


== EntityItemSharedResourceTypeType ==

The EntityItemSharedResourceTypeType complex type defines the different values that are valid for the type entity of a shared resource item. Note that the Windows API returns a DWORD value and OVAL uses the constant name that is normally defined for these return values. This is done to increase readability and maintainability of OVAL Definitions. The empty string is also allowed to support empty elements associated with error conditions.

It is also important to note that special shared resources are those reserved for remote administration, interprocess communication, and administrative shares.

Restricts: oval-sc:EntityItemStringType

Value Description

STYPE_DISKTREE 

The STYPE_DISKTREE type means that the shared resource is a disk drive. The DWORD value that this corresponds to is 0x00000000.

STYPE_DISKTREE_SPECIAL 

The STYPE_DISKTREE_SPECIAL type means that the shared resource is a special disk drive. The DWORD value that this corresponds to is 0x80000000.

STYPE_DISKTREE_TEMPORARY 

The STYPE_DISKTREE_TEMPORARY type means that the shared resource is a temporary disk drive. The DWORD value that this corresponds to is 0x40000000.

STYPE_DISKTREE_SPECIAL_TEMPORARY 

The STYPE_DISKTREE_SPECIAL_TEMPORARY type means that the shared resource is a temporary, special disk drive. The DWORD value that this corresponds to is 0xC0000000.

STYPE_PRINTQ 

The STYPE_PRINTQ type means that the shared resource is a print queue. The DWORD value that this corresponds to is 0x00000001.

STYPE_PRINTQ_SPECIAL 

The STYPE_PRINTQ_SPECIAL type means that the shared resource is a special print queue. The DWORD value that this corresponds to is 0x80000001.

STYPE_PRINTQ_TEMPORARY 

The STYPE_PRINTQ_TEMPORARY type means that the shared resource is a temporary print queue. The DWORD value that this corresponds to is 0x40000001.

STYPE_PRINTQ_SPECIAL_TEMPORARY 

The STYPE_PRINTQ_SPECIAL_TEMPORARY type means that the shared resource is a temporary, special print queue. The DWORD value that this corresponds to is 0xC0000001.

STYPE_DEVICE 

The STYPE_DEVICE type means that the shared resource is a communication device. The DWORD value that this corresponds to is 0x00000002.

STYPE_DEVICE_SPECIAL 

The STYPE_DEVICE_SPECIAL type means that the shared resource is a special communication device. The DWORD value that this corresponds to is 0x80000002.

STYPE_DEVICE_TEMPORARY 

The STYPE_DEVICE_TEMPORARY type means that the shared resource is a temporary communication device. The DWORD value that this corresponds to is 0x40000002.

STYPE_DEVICE_SPECIAL_TEMPORARY 

The STYPE_DEVICE_SPECIAL_TEMPORARY type means that the shared resource is a temporary, special communication device. The DWORD value that this corresponds to is 0xC0000002.

STYPE_IPC 

The STYPE_IPC type means that the shared resource is a interprocess communication. The DWORD value that this corresponds to is 0x00000003.

STYPE_IPC_SPECIAL 

The STYPE_IPC_SPECIAL type means that the shared resource is a special interprocess communication. The DWORD value that this corresponds to is 0x80000003.

STYPE_IPC_TEMPORARY 

The STYPE_IPC_TEMPORARY type means that the shared resource is a temporary interprocess communication. The DWORD value that this corresponds to is 0x40000003.

STYPE_IPC_SPECIAL_TEMPORARY 

The STYPE_IPC_SPECIAL_TEMPORARY type means that the shared resource is a temporary, special interprocess communication. The DWORD value that this corresponds to is 0xC0000003.

 

The empty string is also allowed to support empty elements associated with error conditions.