The following is a description of the elements, types, and attributes that compose the MacOS specific tests found in Open Vulnerability and Assessment Language (OVAL). Each test is an extension of the standard test element defined in the Core Definition Schema. Through extension, each test inherits a set of elements and attributes that are shared amongst all OVAL tests. Each test is described in detail and should provide the information necessary to understand what each element and attribute represents. This document is intended for developers and assumes some familiarity with XML. A high level description of the interaction between the different tests and their relationship to the Core Definition Schema is not outlined here.
The MacOS Definition Schema was initially developed by The Center for Internet Security. Many thanks to their contributions to OVAL and the security community.
The OVAL Schema is maintained by The MITRE Corporation and developed by the public OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.mitre.org.
MacOS Definition
5.7
5/3/2010 8:41:18 PM
Copyright (c) 2002-2010, The MITRE Corporation. All rights reserved. The contents of this file are subject to the terms of the OVAL License located at http://oval.mitre.org/oval/about/termsofuse.html. See the OVAL License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the OVAL Schema, this license header must be included.
User account information (username, uid, gid, etc.) See netinfo(5) for field information, niutil(1) for retrieving it. We may need/want to add in data elements for things like authentication_authority, generateduid, mcx_settings (restricted account settings).
- the object child element of an accountinfo_test must reference an accountinfo_object
- the state child element of an accountinfo_test must reference an accountinfo_state
The accountinfo_object element is used by an accountinfo_test to define the object(s) to be evaluated. This object extends the standard ObjectType as definied in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
An accountinfo_object consists of a single username that identifies the account from which to gather information.
Specifies the user of the account to gather information from.
- datatype attribute for the username entity of an accountinfo_object should be 'string'
The accountinfo_state element defines the different information that can be used to evaluate the specified accounts. Please refer to the individual elements in the schema for more details about what each represents.
Specifies the user of the account to gather information from.
- datatype attribute for the username entity of an accountinfo_state should be 'string'
Obfuscated (*****) or encrypted password for this user.
- datatype attribute for the password entity of an accountinfo_state should be 'string'
The numeric user id, or uid, is the third column of each user's entry in /etc/passwd. This element represents the owner of the file.
- datatype attribute for the uid entity of an accountinfo_state should be 'int'
Group ID of this account.
- datatype attribute for the gid entity of an accountinfo_state should be 'int'
User's real name, aka gecos field of /etc/passwd.
- datatype attribute for the realname entity of an accountinfo_state should be 'string'
- datatype attribute for the home_dir entity of an accountinfo_state should be 'string'
- datatype attribute for the login_shell entity of an accountinfo_state should be 'string'
This test's purpose is generally used to check if an application is listening on the network, either for a new connection or as part of an ongoing connection. This is limited to applications that are listening for connections that use the TCP or UDP protocols and have addresses represented as IPv4 or IPv6 addresses (AF_INET or AF_INET6). It is generally speaking the parsed output of running the command netstat -tuwlnpe with root privilege.
- the object child element of an inetlisteningservers_test must reference an inetlisteningservers_object
- the state child element of an inetlisteningservers_test must reference an inetlisteningservers_state
The inetlisteningservers_object element is used by an inetlisteningserver test to define the object to be evaluated. Each object extends the standard ObjectType as definied in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
- datatype attribute for the program_name entity of an inetlisteningservers_object should be 'string'
The inetlisteningservers_state element defines the different information that can be used to evaluate the specified inet listening server. This includes the local address, foreign address, port information, and process id. Please refer to the individual elements in the schema for more details about what each represents.
This is the name of the communicating program.
- datatype attribute for the program_name entity of an inetlisteningservers_state should be 'string'
This is the IP address of the network interface on which the program listens. Note that the IP address can be IPv4 or IPv6.
- datatype attribute for the local_address entity of an inetlisteningservers_state should be 'string'
This is the IP address and network port on which the program listens, equivalent to local_address:local_port. Note that the IP address can be IPv4 or IPv6.
- datatype attribute for the local_full_address entity of an inetlisteningservers_state should be 'string'
This is the TCP or UDP port on which the program listens. Note that this is not a list -- if a program listens on multiple ports, or on a combination of TCP and UDP, each will have its own entry in the table data stored by this test.
- datatype attribute for the local_port entity of an inetlisteningservers_state should be 'string'
This is the IP address with which the program is communicating, or with which it will communicate, in the case of a listening server. Note that the IP address can be IPv4 or IPv6.
- datatype attribute for the foreign_address entity of an inetlisteningservers_state should be 'string'
This is the IP address and network port to which the program is communicating or will accept communications from, equivalent to foreign_address:foreign_port. Note that the IP address can be IPv4 or IPv6.
- datatype attribute for the foreign_full_address entity of an inetlisteningservers_state should be 'string'
This is the TCP or UDP port to which the program communicates. In the case of a listening program accepting new connections, this is usually a *.
- datatype attribute for the foreign_port entity of an inetlisteningservers_state should be 'string'
This is the process ID of the process. The process in question is that of the program communicating on the network.
- datatype attribute for the pid entity of an inetlisteningservers_state should be 'int'
This is the transport-layer protocol, in lowercase: tcp or udp.
- datatype attribute for the protocol entity of an inetlisteningservers_state should be 'string'
The numeric user id, or uid, is the third column of each user's entry in /etc/passwd. It represents the owner, and thus privilege level, of the specified program.
- datatype attribute for the user_id entity of an inetlisteningservers_state should be 'string'
This test pulls data from the 'nvram -p' output.
- the object child element of an nvram_test must reference an nvram_object
- the state child element of an nvram_test must reference an nvram_state
The nvram_object element is used by a nvram test to define the object to be evaluated. Each object extends the standard ObjectType as definied in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
- datatype attribute for the nvram_var entity of a nvram_object should be 'string'
This test pulls data from the 'nvram -p' output.
This specifies the nvram variable to check.
- datatype attribute for the nvram_var entity of a nvram_state should be 'string'
This is the value of the associated nvram variable.
- datatype attribute for the nvram_value entity of a nvram_state should be 'string'
This test retrieves password policy data from the 'pwpolicy -getpolicy -u target_user [-a username] [-p userpass] [-n directory_node]' output where username, userpass, and directory_node are optional. Please see the 'pwpolicy' man page for additional information.
- the object child element of an pwpolicy_test must reference an pwpolicy_object
- the state child element of an pwpolicy_test must reference an pwpolicy_state
The pwpolicy_object element is used by a pwpolicy_test to define the object to be evaluated. Each object extends the standard ObjectType as definied in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
The target_user element specifies the user whose password policy information should be collected. If an operation other than equals is specified, the users on the system should be enumerated and the 'pwpolicy' command should be issued for each user that matches the target_user element.
- datatype attribute for the target_user entity of a pwpolicy_object should be 'string'
The username element specifies the username of the authenticator. If the xsi:nil attribute is set to true, authentication to the directory node will not be performed (i.e. the '-a' and '-p' command line options will not be specified when issuing the 'pwpolicy' command) and the xsi:nil attribute of the userpass element should also be set to true.
- datatype attribute for the username entity of a pwpolicy_object should be 'string'
- userpass entity must be nil when username entity is nil
The userpass element specifies the password of the authenticator as specified by the username element. If the xsi:nil attribute is set to true, authentication to the directory node will not be performed (i.e. the '-a' and '-p' command line options will not be specified when issuing the 'pwpolicy' command) and the xsi:nil attribute of the username element should also be set to true..
- datatype attribute for the userpass entity of a pwpolicy_object should be 'string'
- operation attribute for the userpass entity of a pwpolicy_object should be 'equals', note that this overrules the general operation attribute validation (i.e. follow this one)
- username entity must be nil when userpass entity is nil
The directory_node element specifies the directory node that you would like to retrieve the password policy information from. If the xsi:nil attribute is set to true, the default directory node is used (i.e. the '-n' command line option will not be specified when issuing the 'pwpolicy' command).
- datatype attribute for the directory_node entity of a pwpolicy_object should be 'string'
The target_user element specifies the user whose password policy information should be collected.
- datatype attribute for the target_user entity of a pwpolicy_state should be 'string'
The username element specifies the username of the authenticator.
- datatype attribute for the username entity of a pwpolicy_state should be 'string'
The userpass element specifies the password of the authenticator as specified by the username element.
- datatype attribute for the userpass entity of a pwpolicy_state should be 'string'
The directory_node element specifies the directory node that you would like to retrieve the password policy information from.
- datatype attribute for the directory_node entity of a pwpolicy_state should be 'string'
Maximum number of characters allowed in a password.
- datatype attribute for the maxChars entity of a pwpolicy_state should be 'int'
Maximum number of failed logins before the account is locked.
- datatype attribute for the maxFailedLoginAttempts entity of a pwpolicy_state should be 'int'
Minimum number of characters allowed in a password.
- datatype attribute for the minChars entity of a pwpolicy_state should be 'int'
Defines if the password is allowed to be the same as the username or not.
- datatype attribute for the passwordCannotBeName entity of a pwpolicy_state should be 'boolean'
Defines if the password must contain an alphabetical character or not.
- datatype attribute for the requiresAlpha entity of a pwpolicy_state should be 'boolean'
Defines if the password must contain an numeric character or not.
- datatype attribute for the requiresNumeric entity of a pwpolicy_state should be 'boolean'