The following is a description of the elements, types, and attributes that compose the UNIX specific system characteristic items found in Open Vulnerability and Assessment Language (OVAL). Each item is an extension of the standard item element defined in the Core System Characteristic Schema. Through extension, each item inherits a set of elements and attributes that are shared amongst all OVAL Items. Each item is described in detail and should provide the information necessary to understand what each element and attribute represents. This document is intended for developers and assumes some familiarity with XML. A high level description of the interaction between the different tests and their relationship to the Core System Characteristic Schema is not outlined here.
The OVAL Schema is maintained by The MITRE Corporation and developed by the public OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.mitre.org.
Unix System Characteristics
5.7
5/3/2010 8:41:21 PM
Copyright (c) 2002-2010, The MITRE Corporation. All rights reserved. The contents of this file are subject to the terms of the OVAL License located at http://oval.mitre.org/oval/about/termsofuse.html. See the OVAL License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the OVAL Schema, this license header must be included.
The dnscache_item stores information retrieved from the DNS cache about a domain name, its time to live, and its corresponding IP addresses.
The domain_name element contains a string that represents a domain name that was collected from the DNS cache on the local system.
item - datatype attribute for the domain_name entity of a dnscache_item should be 'string'
The ttl element contains an integer that represents the time to live in seconds of the DNS cache entry.
item - datatype attribute for the ttl entity of a dnscache_item should be 'int'.
The ip_address element contains a string that represents an IP address associated with the specified domain name. Note that the IP address can be IPv4 or IPv6.
item - datatype attribute for the ip_address entity of a dnscache_item should be 'string'.
The file item holds information about the individual files found on a system. Each file item contains path and filename information as well as its type, associated user and group ids, relevant dates, and the privileges granted. It extends the standard ItemType as defined in the oval-system-characteristics schema and one should refer to the ItemType description for more information.
The filepath element specifies the absolute path for a file on the machine. A directory cannot be specified as a filepath.
item - datatype attribute for the filepath entity of a file_item should be 'string'
The path element specifies the directory component of the absolute path to a file on the machine.
item - datatype attribute for the path entity of a file_item should be 'string'
The name of the file. If the xsi:nil attribute is set to true, then the item being represented is the higher directory represented by the path entity.
item - datatype attribute for the filename entity of a file_item should be 'string'
This is the file's type: regular file (regular), directory, named pipe (fifo), symbolic link, socket or block special.
item - datatype attribute for the type entity of a file_item should be 'string'
This is the group owner of the file, by group number.
item - datatype attribute for the group_id entity of a file_item should be 'string'
The numeric user id, or uid, is the third column of each user's entry in /etc/passwd. This element represents the owner of the file.
item - datatype attribute for the user_id entity of a file_item should be 'string'
This is the time that the file was last accessed, in seconds since the Unix epoch. The Unix epoch is the time 00:00:00 UTC on January 1, 1970.
item - datatype attribute for the a_time entity of a file_item should be 'string'
This is the time of the last change to the file's inode, in seconds since the Unix epoch. The Unix epoch is the time 00:00:00 UTC on January 1, 1970. An inode is a Unix data structure that stores all of the information about a particular file.
item - datatype attribute for the c_time entity of a file_item should be 'string'
This is the time of the last change to the file's contents, in seconds since the Unix epoch. The Unix epoch is the time 00:00:00 UTC on January 1, 1970.
item - datatype attribute for the m_time entity of a file_item should be 'string'
This is the size of the file in bytes.
item - datatype attribute for the size entity of a file_item should be 'int'
Does the program run with the uid (thus privileges) of the file's owner, rather than the calling user?
item - datatype attribute for the suid entity of a file_item should be 'boolean'
Does the program run with the gid (thus privileges) of the file's group owner, rather than the calling user's group?
item - datatype attribute for the sgid entity of a file_item should be 'boolean'
Can users delete each other's files in this directory, when said directory is writable by those users?
item - datatype attribute for the sticky entity of a file_item should be 'boolean'
Can the owner (user owner) of the file read this file or, if a directory, read the directory contents?
item - datatype attribute for the uread entity of a file_item should be 'boolean'
Can the owner (user owner) of the file write to this file or, if a directory, write to the directory?
item - datatype attribute for the uwrite entity of a file_item should be 'boolean'
Can the owner (user owner) of the file execute it or, if a directory, change into the directory?
item - datatype attribute for the uexec entity of a file_item should be 'boolean'
Can the group owner of the file read this file or, if a directory, read the directory contents?
item - datatype attribute for the gread entity of a file_item should be 'boolean'
Can the group owner of the file write to this file, or if a directory, write to the directory?
item - datatype attribute for the gwrite entity of a file_item should be 'boolean'
Can the group owner of the file execute it or, if a directory, change into the directory?
item - datatype attribute for the gexec entity of a file_item should be 'boolean'
Can all other users read this file or, if a directory, read the directory contents?
item - datatype attribute for the oread entity of a file_item should be 'boolean'
Can the other users write to this file, or if a directory, write to the directory?
item - datatype attribute for the owrite entity of a file_item should be 'boolean'
Can the other users execute this file or, if a directory, change into the directory?
item - datatype attribute for the oexec entity of a file_item should be 'boolean'
Does the file or directory have ACL permissions applied to it? If the file or directory doesn't have an ACL, or it matches the standard UNIX permissions, the value will be 'false'. Otherwise, if a file or directory has an ACL, the value will be 'true'. If the system does not support ACLs, the status will be 'does not exist' and if the system supports ACLs, the status will be 'exists'.
item - datatype attribute for the has_extended_acl entity of a file_item should be 'boolean'
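The type and permission entities above map one-to-one onto st_mode bits. As an added example (not code from the OVAL schema or any OVAL interpreter), this Python derives file_item entities from stat values and serialises them with the datatypes the page specifies; the unix-sc prefix binding and the 'character special' type are assumptions of the example.

```python
import os
import stat
from xml.sax.saxutils import escape

# stat(2) type predicates mapped to the file_item 'type' values listed on the page;
# 'character special' is an assumption of this example, not a value from the page
_TYPE_NAMES = (
    (stat.S_ISREG, "regular"),
    (stat.S_ISDIR, "directory"),
    (stat.S_ISFIFO, "fifo"),
    (stat.S_ISLNK, "symbolic link"),
    (stat.S_ISSOCK, "socket"),
    (stat.S_ISBLK, "block special"),
    (stat.S_ISCHR, "character special"),
)

# Permission entities of file_item and the st_mode bit each one reports
_MODE_BITS = (
    ("suid", stat.S_ISUID), ("sgid", stat.S_ISGID), ("sticky", stat.S_ISVTX),
    ("uread", stat.S_IRUSR), ("uwrite", stat.S_IWUSR), ("uexec", stat.S_IXUSR),
    ("gread", stat.S_IRGRP), ("gwrite", stat.S_IWGRP), ("gexec", stat.S_IXGRP),
    ("oread", stat.S_IROTH), ("owrite", stat.S_IWOTH), ("oexec", stat.S_IXOTH),
)

def file_item_entities(mode, uid, gid, size, atime, ctime, mtime):
    """Derive the file_item entities from stat-style values: ids and times
    are strings and size is an int, as the page's datatype notes require."""
    ftype = next((name for pred, name in _TYPE_NAMES if pred(mode)), "")
    item = {
        "type": ftype,
        "group_id": str(gid),
        "user_id": str(uid),
        "a_time": str(int(atime)),
        "c_time": str(int(ctime)),
        "m_time": str(int(mtime)),
        "size": int(size),
    }
    for name, bit in _MODE_BITS:
        item[name] = bool(mode & bit)
    return item

def file_item_for_path(filepath):
    """Collect from a real path; lstat() so a symlink is reported as
    'symbolic link' instead of as its target."""
    st = os.lstat(filepath)
    return file_item_entities(st.st_mode, st.st_uid, st.st_gid, st.st_size,
                              st.st_atime, st.st_ctime, st.st_mtime)

def render_file_item(item_id, filepath, entities):
    """Serialise as unix-sc:file_item ('unix-sc' is an assumed prefix binding).
    'string' is OVAL's default datatype, so only boolean and int entities
    carry a datatype attribute."""
    path, filename = os.path.split(filepath)
    lines = [f'<unix-sc:file_item id="{item_id}" status="exists">',
             f'  <unix-sc:filepath>{escape(filepath)}</unix-sc:filepath>',
             f'  <unix-sc:path>{escape(path)}</unix-sc:path>',
             f'  <unix-sc:filename>{escape(filename)}</unix-sc:filename>']
    for name, value in entities.items():
        if isinstance(value, bool):          # bool is a subclass of int: test it first
            lines.append(f'  <unix-sc:{name} datatype="boolean">'
                         f'{str(value).lower()}</unix-sc:{name}>')
        elif isinstance(value, int):
            lines.append(f'  <unix-sc:{name} datatype="int">{value}</unix-sc:{name}>')
        else:
            lines.append(f'  <unix-sc:{name}>{escape(value)}</unix-sc:{name}>')
    lines.append("</unix-sc:file_item>")
    return "\n".join(lines)

def has_setid_for_others(entities):
    """Triage check: a set-uid or set-gid file that any other user may execute."""
    return (entities["suid"] or entities["sgid"]) and entities["oexec"]
```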
The inetd item holds information associated with different Internet services. It extends the standard ItemType as defined in the oval-system-characteristics schema and one should refer to the ItemType description for more information.
A recognized protocol listed in the file /etc/inet/protocols.
item - datatype attribute for the protocol entity of an inetd_item should be 'string'
The name of a valid service listed in the services file. For RPC services, the value of the service-name field consists of the RPC service name or program number, followed by a '/' (slash) and either a version number or a range of version numbers (for example, rstatd/2-4).
item - datatype attribute for the service_name entity of an inetd_item should be 'string'
Either the pathname of a server program to be invoked by inetd to perform the requested service, or the value internal if inetd itself provides the service.
item - datatype attribute for the server_program entity of an inetd_item should be 'string'
item - datatype attribute for the server_arguments entity of an inetd_item should be 'string'
item - datatype attribute for the endpoint_type entity of an inetd_item should be 'string'
item - datatype attribute for the exec_as_user entity of an inetd_item should be 'string'
This field has values wait or nowait. This entry specifies whether the server that is invoked by inetd will take over the listening socket associated with the service, and whether once launched, inetd will wait for that server to exit, if ever, before it resumes listening for new service requests.
item - datatype attribute for the wait_status entity of an inetd_item should be 'string'
The interface item holds information about the interfaces on a system. Each interface item contains name and address information as well as any associated flags. It extends the standard ItemType as defined in the oval-system-characteristics schema and one should refer to the ItemType description for more information.
The name entity is the actual name of the specific interface. Examples might be eth0, eth1, fwo, etc.
item - datatype attribute for the name entity of an interface_item should be 'string'
This element specifies the type of interface.
item - datatype attribute for the type entity of an interface_item should be 'string'
The hardware_addr entity is the hardware or MAC address of the physical network card. MAC addresses should be formatted according to the IEEE 802-2001 standard which states that a MAC address is a sequence of six octet values, separated by hyphens, where each octet is represented by two hexadecimal digits. Uppercase letters should also be used to represent the hexadecimal digits A through F.
item - datatype attribute for the hardware_addr entity of an interface_item should be 'string'
The inet_addr entity is the IP address of the specific interface. Note that the IP address can be IPv4 or IPv6.
item - datatype attribute for the inet_addr entity of an interface_item should be 'string'
The broadcast_addr entity is the broadcast IP address for this interface's network. Note that the IP address can be IPv4 or IPv6.
item - datatype attribute for the broadcast_addr entity of an interface_item should be 'string'
This is the bitmask used to calculate the interface's IP network. The network number is calculated by bitwise-ANDing this with the IP address. The host number on that network is calculated by bitwise-XORing this with the IP address. Note that the IP address can be IPv4 or IPv6.
item - datatype attribute for the netmask entity of an interface_item should be 'string'
This is the interface flag line, which generally contains flags like "UP" to denote an active interface, "PROMISC" to note that the interface is listening for Ethernet frames not specifically addressed to it, and others.
item - datatype attribute for the flag entity of an interface_item should be 'string'
/etc/passwd. See passwd(4).
This is the name of the user for which data was gathered.
item - datatype attribute for the username entity of a password_item should be 'string'
This is the encrypted version of the user's password.
item - datatype attribute for the password entity of a password_item should be 'string'
The numeric user id, or uid, is the third column of each user's entry in /etc/passwd. This element represents the owner of the file.
item - datatype attribute for the user_id entity of a password_item should be 'string'
This is the group owner of the file, by group number.
item - datatype attribute for the group_id entity of a password_item should be 'string'
item - datatype attribute for the gcos entity of a password_item should be 'string'
item - datatype attribute for the home_dir entity of a password_item should be 'string'
item - datatype attribute for the login_shell entity of a password_item should be 'string'
Output of /usr/bin/ps. See ps(1).
This specifies the command/program name about which data has been collected.
item - datatype attribute for the command entity of a process_item should be 'string'
This is the cumulative CPU time, formatted in [DD-]HH:MM:SS where DD is the number of days when execution time is 24 hours or more.
item - datatype attribute for the exec_time entity of a process_item should be 'string'
This is the process ID of the process.
item - datatype attribute for the pid entity of a process_item should be 'int'
This is the process ID of the process's parent process.
item - datatype attribute for the ppid entity of a process_item should be 'int'
This is the scheduling priority with which the process runs. This can be adjusted with the nice command or nice() system call.
item - datatype attribute for the priority entity of a process_item should be 'string'
A platform specific characteristic maintained by the scheduler: RT (real-time), TS (timeshare), FF (fifo), SYS (system), etc.
item - datatype attribute for the scheduling_class entity of a process_item should be 'string'
This is the time of day the process started formatted in HH:MM:SS if the same day the process started or formatted as MMM_DD (Ex.: Feb_5) if process started the previous day or further in the past.
item - datatype attribute for the start_time entity of a process_item should be 'string'
This is the TTY on which the process was started, if applicable.
item - datatype attribute for the tty entity of a process_item should be 'string'
This is the effective user id which represents the actual privileges of the process.
item - datatype attribute for the user_id entity of a process_item should be 'string'
The runlevel item holds information about the start or kill state of a specified service at a given runlevel. Each runlevel item contains service_name and runlevel information as well as start and kill information. It extends the standard ItemType as defined in the oval-system-characteristics schema and one should refer to the ItemType description for more information.
The service_name entity is the actual name of the specific service.
item - datatype attribute for the service_name entity of a runlevel_item should be 'string'
The runlevel entity specifies the runlevel the system is currently at.
item - datatype attribute for the runlevel entity of a runlevel_item should be 'string'
The start entity specifies whether the service is scheduled to start at the current runlevel.
item - datatype attribute for the start entity of a runlevel_item should be 'boolean'
The kill entity specifies whether the service is scheduled to be killed at the current runlevel.
item - datatype attribute for the kill entity of a runlevel_item should be 'boolean'
Specifies the absolute path to an SCCS file. A directory cannot be specified as a filepath.
item - datatype attribute for the filepath entity of a sccs_item should be 'string'
The path element specifies the directory component of the absolute path to an SCCS file.
item - datatype attribute for the path entity of a process_item should be 'string'
The name of an SCCS file.
item - datatype attribute for the filename entity of a process_item should be 'string'
item - datatype attribute for the module_name entity of a process_item should be 'int'
item - datatype attribute for the module_type entity of a process_item should be 'int'
item - datatype attribute for the release entity of a process_item should be 'string'
item - datatype attribute for the level entity of a process_item should be 'string'
item - datatype attribute for the branch entity of a process_item should be 'string'
item - datatype attribute for the sequence entity of a process_item should be 'string'
item - datatype attribute for the what_string entity of a process_item should be 'string'
/etc/shadow. See shadow(4).
This is the name of the user for which data was gathered.
item - datatype attribute for the username entity of a shadow_item should be 'string'
This is the encrypted version of the user's password.
item - datatype attribute for the password entity of a shadow_item should be 'string'
This is the date of the last password change in days since 1/1/1970.
item - datatype attribute for the chg_lst entity of a shadow_item should be 'string'
This specifies how often in days a user may change their password. It can also be thought of as the minimum age of a password.
item - datatype attribute for the chg_allow entity of a shadow_item should be 'string'
This describes how long a user can keep a password before the system forces her to change it.
item - datatype attribute for the chg_req entity of a shadow_item should be 'string'
This describes how long before password expiration the system begins warning the user. The system will warn the user at each login.
item - datatype attribute for the exp_warn entity of a shadow_item should be 'string'
This describes how many days of account inactivity the system will wait after a password expires before locking the account. This window, usually only set to a few days, gives users who log in very seldom a bit of extra time to receive the password expiration warning and change their password.
item - datatype attribute for the exp_inact entity of a shadow_item should be 'string'
This specifies when the account's password will expire, in days since 1/1/1970.
item - datatype attribute for the exp_date entity of a shadow_item should be 'string'
This is a reserved field that the shadow file may use in the future.
item - datatype attribute for the flag entity of a shadow_item should be 'string'
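The shadow_item entities above are the nine colon-separated fields of a shadow(4) line, with the ageing fields counted in days since 1/1/1970. As an added example, not part of the schema or of any collector, this Python parses constructed shadow lines into those entities and evaluates the ageing fields against a given day count; the status labels are the example's own.

```python
from datetime import date

# shadow(4) field order, named with the shadow_item entities from the page
SHADOW_FIELDS = ("username", "password", "chg_lst", "chg_allow", "chg_req",
                 "exp_warn", "exp_inact", "exp_date", "flag")

# Constructed /etc/shadow excerpt; the hashes are placeholders, not real credentials
SAMPLE_SHADOW = """\
root:$6$saltsalt$placeholderhash:18000:0:99999:7:::
alice:$6$saltsalt$placeholderhash:18100:7:90:14:3::
bob:!:17500:0:30:7::18200:
daemon:*:15000:0:99999:7:::
svc::18150:0:99999:7:::
"""

def days_since_epoch(year, month, day):
    """Calendar date -> days since 1/1/1970, the unit chg_lst and exp_date use."""
    return (date(year, month, day) - date(1970, 1, 1)).days

def parse_shadow_line(line):
    """Split one shadow line into a shadow_item dict. Every entity stays a string,
    possibly empty, matching the 'string' datatype the page gives each one."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != len(SHADOW_FIELDS):
        raise ValueError(f"expected 9 fields, got {len(parts)}: {line!r}")
    return dict(zip(SHADOW_FIELDS, parts))

def parse_shadow(text):
    return [parse_shadow_line(l) for l in text.splitlines() if l.strip()]

def _days(value):
    """An empty ageing field means 'not set'."""
    return int(value) if value != "" else None

def password_status(item, today):
    """Classify an account as of 'today' (days since the epoch) from its ageing
    fields. The labels are this example's own, not OVAL terms."""
    pw = item["password"]
    if pw == "":
        return "empty"              # no password is required to log in
    if pw[0] in "!*":
        return "locked"             # conventional lock markers; no hash can match
    exp_date = _days(item["exp_date"])
    if exp_date is not None and today >= exp_date:
        return "account-expired"
    chg_lst, chg_req = _days(item["chg_lst"]), _days(item["chg_req"])
    if chg_lst is None or chg_req is None:
        return "ok"                 # no maximum password age is enforced
    expires_on = chg_lst + chg_req
    if today >= expires_on:
        inact = _days(item["exp_inact"])
        if inact is not None and today >= expires_on + inact:
            return "inactive-locked"
        return "expired"
    warn = _days(item["exp_warn"]) or 0
    return "warning" if today >= expires_on - warn else "ok"

def audit_shadow(text, today):
    """username -> status for every entry in the given shadow file contents."""
    return {i["username"]: password_status(i, today) for i in parse_shadow(text)}
```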
Information about the hardware the machine is running on. This information is the parsed equivalent of uname -a.
This entity specifies the machine hardware name. This corresponds to the command uname -m.
item - datatype attribute for the machine_class entity of a uname_item should be 'string'
This entity specifies the host name. This corresponds to the command uname -n.
item - datatype attribute for the node_name entity of a uname_item should be 'string'
This entity specifies the operating system name. This corresponds to the command uname -s.
item - datatype attribute for the os_name entity of a uname_item should be 'string'
This entity specifies the build version. This corresponds to the command uname -r.
item - datatype attribute for the os_release entity of a uname_item should be 'string'
This entity specifies the operating system version. This corresponds to the command uname -v.
item - datatype attribute for the os_version entity of a uname_item should be 'string'
This entity specifies the processor type. This corresponds to the command uname -p.
item - datatype attribute for the processor_type entity of a uname_item should be 'string'
The xinetd item holds information associated with different Internet services. It extends the standard ItemType as defined in the oval-system-characteristics schema and one should refer to the ItemType description for more information.
The protocol entity describes the protocol related to the service item.
item - datatype attribute for the protocol entity of an xinetd_item should be 'string'
The service_name entity describes the name of the service.
item - datatype attribute for the service_name entity of an xinetd_item should be 'string'
The flags entity describes miscellaneous settings like TCP keepalives or libwrap deactivation.
item - datatype attribute for the flags entity of an xinetd_item should be 'string'
item - datatype attribute for the no_access entity of an xinetd_item should be 'string'
The only_from entity specifies an exclusive set of IP addresses that may connect to this service.
item - datatype attribute for the only_from entity of an xinetd_item should be 'string'
item - datatype attribute for the port entity of an xinetd_item should be 'string'
The server entity specifies what program listens on this port.
item - datatype attribute for the server entity of an xinetd_item should be 'string'
item - datatype attribute for the server_arguments entity of an xinetd_item should be 'string'
item - datatype attribute for the socket_type entity of an xinetd_item should be 'string'
item - datatype attribute for the type entity of an xinetd_item should be 'string'
The user entity describes the user that xinetd should run the service as.
item - datatype attribute for the user entity of an xinetd_item should be 'string'
The wait entity describes whether the service allows only one connection at a time.
item - datatype attribute for the wait entity of an xinetd_item should be 'boolean'
The disabled entity describes whether this service is on or not.
item - datatype attribute for the disabled entity of an xinetd_item should be 'boolean'
The EntityEndpointType complex type restricts a string value to a specific set of values that describe endpoint types associated with an Internet service. The empty string is also allowed to support an empty element associated with error conditions.
The stream value is used to describe a stream socket.
The dgram value is used to describe a datagram socket.
The raw value is used to describe a raw socket.
The seqpacket value is used to describe a sequenced packet socket.
The tli value is used to describe all TLI endpoints.
The empty string value is permitted here to allow for detailed error reporting.
The EntityXinetdTypeStatusType complex type restricts a string value to five values, either RPC, INTERNAL, UNLISTED, TCPMUX, or TCPMUXPLUS, that specify the type of service registered in xinetd. The empty string is also allowed to support an empty element associated with error conditions.
The INTERNAL type is used to describe services like echo, chargen, and others whose functionality is supplied by xinetd itself.
The RPC type is used to describe services that use remote procedure call ala NFS.
The UNLISTED type is used to describe services that aren't listed in /etc/protocols or /etc/rpc.
The TCPMUX type is used to describe services that conform to RFC 1078. This type indicates that the service is responsible for handling the protocol handshake.
The TCPMUXPLUS type is used to describe services that conform to RFC 1078. This type indicates that xinetd is responsible for handling the protocol handshake.
The empty string value is permitted here to allow for detailed error reporting.
The EntityWaitStatusType complex type restricts a string value to two values, either wait or nowait, that specify whether the server that is invoked by inetd will take over the listening socket associated with the service, and whether once launched, inetd will wait for that server to exit, if ever, before it resumes listening for new service requests. The empty string is also allowed to support an empty element associated with error conditions.
The value of 'wait' specifies that the server that is invoked by inetd will take over the listening socket associated with the service, and once launched, inetd will wait for that server to exit, if ever, before it resumes listening for new service requests.
The value of 'nowait' specifies that the server that is invoked by inetd will not wait for any existing server to finish before taking over the listening socket associated with the service.
The empty string value is permitted here to allow for detailed error reporting.
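The inetd_item entities (described earlier under the inetd item) and the EntityEndpointType and EntityWaitStatusType enumerations come together when an /etc/inetd.conf entry is collected. As an added example, not code from the schema or from any OVAL collector, this Python maps constructed entries onto those entities, reserving the empty string for tokens outside the enumerations as the schema allows; the sample configuration is constructed for the example.

```python
# Enumerations from the page's EntityEndpointType and EntityWaitStatusType
ENDPOINT_TYPES = frozenset({"stream", "dgram", "raw", "seqpacket", "tli"})
WAIT_STATUSES = frozenset({"wait", "nowait"})

# Constructed /etc/inetd.conf excerpt (with a Solaris-style RPC entry); not from a real host
SAMPLE_INETD_CONF = """\
# service     endpoint protocol       wait    user   server_program        server_args
ftp           stream   tcp            nowait  root   /usr/sbin/in.ftpd     in.ftpd -l
telnet        stream   tcp            nowait  root   /usr/sbin/in.telnetd  in.telnetd
echo          stream   tcp            nowait  root   internal
rstatd/2-4    tli      rpc/datagram_v wait    root   /usr/lib/netsvc/rstat/rpc.rstatd rpc.rstatd
finger        stream   tcp            nowait  nobody /usr/sbin/in.fingerd  in.fingerd
bogus         foo      tcp            maybe   root   /usr/sbin/bogus
"""

# inetd_item entities in the order the fields appear on an inetd.conf line
INETD_ITEM_ENTITIES = ("service_name", "endpoint_type", "protocol", "wait_status",
                       "exec_as_user", "server_program", "server_arguments")

def parse_inetd_line(line):
    """Map one inetd.conf entry onto the inetd_item entities. server_arguments
    keeps its internal whitespace; enumerated entities holding an unknown token
    become the empty string, which the schema reserves for error reporting."""
    fields = line.split(None, 6)
    if len(fields) < 6:
        raise ValueError(f"malformed inetd.conf entry: {line!r}")
    if len(fields) == 6:
        fields.append("")           # internal services carry no arguments
    item = dict(zip(INETD_ITEM_ENTITIES, fields))
    if item["endpoint_type"] not in ENDPOINT_TYPES:
        item["endpoint_type"] = ""
    if item["wait_status"] not in WAIT_STATUSES:
        item["wait_status"] = ""
    return item

def parse_inetd_conf(text):
    """Parse a whole file, skipping blank lines and '#' comments."""
    return [parse_inetd_line(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]

def root_external_services(items):
    """Review aid: services inetd launches as root from an external program
    (internal services run inside inetd itself and are not listed)."""
    return sorted(i["service_name"] for i in items
                  if i["exec_as_user"] == "root" and i["server_program"] != "internal")

def unmapped_items(items):
    """Entries whose enumerated entities could not be mapped (empty string)."""
    return [i["service_name"] for i in items
            if "" in (i["endpoint_type"], i["wait_status"])]
```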
The EntityItemInterfaceType complex type restricts a string value to a specific set of values. These values describe the different interface types which are defined in 'if_arp.h'. The empty string is also allowed to support empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
The ARPHRD_ETHER type is used to describe ethernet interfaces.
The ARPHRD_FDDI type is used to describe fiber distributed data interfaces (FDDI).
The ARPHRD_LOOPBACK type is used to describe loopback interfaces.
The ARPHRD_VOID type is used to describe unknown interfaces.
The ARPHRD_PPP type is used to describe point-to-point protocol interfaces (PPP).
The ARPHRD_SLIP type is used to describe serial line internet protocol interfaces (SLIP).
The ARPHRD_PRONET type is used to describe PROnet token ring interfaces.
The empty string value is permitted here to allow for detailed error reporting.