The following is a description of the elements, types, and attributes that compose the Linux specific tests found in Open Vulnerability and Assessment Language (OVAL). Each test is an extension of the standard test element defined in the Core Definition Schema. Through extension, each test inherits a set of elements and attributes that are shared amongst all OVAL tests. Each test is described in detail and should provide the information necessary to understand what each element and attribute represents. This document is intended for developers and assumes some familiarity with XML. A high level description of the interaction between the different tests and their relationship to the Core Definition Schema is not outlined here.
The OVAL Schema is maintained by The MITRE Corporation and developed by the public OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.mitre.org.
Linux Definition
5.8
9/15/2010 1:55:33 PM
Copyright (c) 2002-2010, The MITRE Corporation. All rights reserved. The contents of this file are subject to the terms of the OVAL License located at http://oval.mitre.org/oval/about/termsofuse.html. See the OVAL License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the OVAL Schema, this license header must be included.
The dpkginfo test is used to check information for a given DPKG package. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a dpkginfo_object and the optional state element specifies the data to check. The evaluation of the test is guided by the check attribute that is inherited from the TestType.
dpkginfo_test
dpkginfo_object
dpkginfo_state
dpkginfo_item
- the object child element of an dpkginfo_test must reference an dpkginfo_object
- the state child element of an dpkginfo_test must reference an dpkginfo_state
The dpkginfo_object element is used by a dpkginfo test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
A dpkginfo object consists of a single name entity that identifies the package being checked.
This is the package name to check.
The dpkginfo_state element defines the different information that can be used to evaluate the specified DPKG package. This includes the architecture, epoch number, release, and version numbers. Please refer to the individual elements in the schema for more details about what each represents.
This is the DPKG package name to check.
This is the architecture for which the package was built, like : i386, ppc, sparc, noarch.
This is the epoch number of the DPKG. For a null epoch (or '(none)' as returned by dpkg) the string '(none)' should be used.
This is the release number of the build, changed by the vendor/builder.
This is the version number of the build.
This represents the epoch, version, and release fields as a single version string. It has the form "EPOCH:VERSION-RELEASE".
The iflisteners_test is used to check what applications such as packet sniffers that are bound to an interface on the system. This is limited to applications that are listening on AF_PACKET sockets. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references an iflisteners_object and the optional iflisteners_state element specifies the data to check. The evaluation of the test is guided by the check attribute that is inherited from the TestType.
iflisteners_test
iflisteners_object
iflisteners_state
iflisteners_item
- the object child element of an iflisteners_test must reference an iflisteners_object
- the state child element of an iflisteners_test must reference an iflisteners_state
The iflisteners_object element is used by an iflisteners_test to define the specific interface to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
The interface_name entity specifies the name of the interface (eth0, eth1, fw0, etc.) to check.
The iflisteners_state element defines the different information that can be used to evaluate the specified applications that are listening on interfaces on the system. This includes the interface name, protocol, hardware address, program name, pid, and user id. Please refer to the individual elements in the schema for more details about what each represents.
This is the name of the interface (eth0, eth1, fw0, etc.).
This is the physical layer protocol used by the AF_PACKET socket.
This is the hardware address associated with the interface.
This is the name of the communicating program.
The pid is the process ID of a specific process.
The numeric user id, or uid, is the third column of each user's entry in /etc/passwd. It represents the owner, and thus privilege level, of the specified program.
The inet listening servers test is used to check what applications are listening on the network. This is limited to applications that are listening for connections that use the TCP or UDP protocols and have addresses represented as IPv4 or IPv6 addresses (AF_INET or AF_INET6). It is generally using the parsed output of running the command netstat -tuwlnpe with root privilege. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references an inetlisteningservers_object and the optional state element specifies the data to check. The evaluation of the test is guided by the check attribute that is inherited from the TestType.
inetlisteningservers_test
inetlisteningservers_object
inetlisteningservers_state
inetlisteningserver_item
- the object child element of an inetlisteningservers_test must reference an inetlisteningservers_object
- the state child element of an inetlisteningservers_test must reference an inetlisteningservers_state
The inetlisteningservers_object element is used by an inet listening servers test to define the specific protocol-address-port to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
An inet listening servers object consists of three entities. The first identifies a specific IP address. The second entity represents a certain port number. While the third identifies the protocol.
The protocol entity defines a certain transport-layer protocol, in lowercase: tcp or udp.
This is the IP address of the network interface on which an application listens. Note that the IP address can be IPv4 or IPv6.
This is the TCP or UDP port on which an application would listen. Note that this is not a list -- if a program listens on multiple ports, or on a combination of TCP and UDP, each will be represented by its own object.
The inetlisteningservers_state element defines the different information that can be used to evaluate the specified inet listening server. This includes the local address, foreign address, port information, and process id. Please refer to the individual elements in the schema for more details about what each represents.
The protocol entity defines the specific transport-layer protocol, in lowercase: tcp or udp, associated with the inet listening server.
This is the IP address of the network interface on which the program listens. Note that the IP address can be IPv4 or IPv6.
This is the TCP or UDP port number associated with the inet listening server.
This is the IP address and network port number associated with the inet listening server, equivalent to local_address:local_port. Note that the IP address can be IPv4 or IPv6.
This is the name of the communicating program.
This is the IP address with which the program is communicating, or with which it will communicate, in the case of a listening server. Note that the IP address can be IPv4 or IPv6.
This is the TCP or UDP port to which the program communicates. In the case of a listening program accepting new connections, this is usually a *.
This is the IP address and network port to which the program is communicating or will accept communications from, equivalent to foreign_address:foreign_port. Note that the IP address can be IPv4 or IPv6.
The pid is the process ID of a specific process.
The numeric user id, or uid, is the third column of each user's entry in /etc/passwd. It represents the owner, and thus privilege level, of the specified program.
The partition_test is used to check the information associated with partitions on the local system. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a partition_object and the optional state element references a partition_state that specifies the information to check. The evaluation of the test is guided by the check attribute that is inherited from the TestType.
partition_test
partition_object
partition_state
partition_item
- the object child element of a partition_test must reference a partition_object
- the state child element of a partition_test must reference a partition_state
The partition_object is used by a partition_test to define which partitions on the local system should be collected. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
The mount_point element specifies the mount points of the partitions that should be collected from the local system.
The partition_state element defines the different information associated with a partition. This includes the name, filesystem type, mount options, total space, space used, and space left. Please refer to the individual elements in the schema for more details about what each represents.
The mount_point element contains a string that represents the mount point of a partition on the local system.
The device element contains a string that represents the name of the device.
The uuid element contains a string that represents the universally unique identifier associated with a partition.
The fs_type element contains a string that represents the type of filesystem on a partition.
The mount_options element contains a string that represents the mount options associated with a partition.
The total_space element contains an integer that represents the total number of blocks on a partition.
The space_used element contains an integer that represents the number of blocks used on a partition.
The space_left element contains an integer that represents the number of blocks left on a partition.
The rpm info test is used to check the RPM header information for a given RPM package. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a rpminfo_object and the optional state element specifies the data to check. The evaluation of the test is guided by the check attribute that is inherited from the TestType.
rpminfo_test
rpminfo_object
rpminfo_state
rpminfo_item
- the object child element of an rpminfo_test must reference an rpminfo_object
- the state child element of an rpminfo_test must reference an rpminfo_state
The rpminfo_object element is used by a rpm info test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
A rpm info object consists of a single name entity that identifies the package being checked.
This is the package name to check.
The rpminfo_state element defines the different information that can be used to evaluate the specified rpm. This includes the architecture, epoch number, and version numbers. Most of this information can be obtained through the rpm function. Please refer to the individual elements in the schema for more details about what each represents.
This is the package name to check.
This is the architecture for which the RPM was built, like : i386, ppc, sparc, noarch. In the case of an apache rpm named httpd-2.0.40-21.11.4.i686.rpm, this value would be i686.
This is the epoch number of the RPM, this is used as a kludge for version-release comparisons where the vendor has done some kind of re-numbering or version forking. For a null epoch (or '(none)' as returned by rpm) the string '(none)' should be used.. This number is not revealed by a normal query of the RPM's information -- you must use a formatted rpm query command to gather this data from the command line, like so. For an already-installed RPM: rpm -q --qf '%{EPOCH}\n' installed_rpm For an RPM file that has not been installed: rpm -qp --qf '%{EPOCH}\n' rpm_file
This is the release number of the build, changed by the vendor/builder.
This is the version number of the build. In the case of an apache rpm named httpd-2.0.40-21.11.4.i686.rpm, this value would be 21.11.4.
This represents the epoch, version, and release fields as a single version string. It has the form "EPOCH:VERSION-RELEASE". Note that a null epoch (or '(none)' as returned by rpm) is equivalent to '0' and would hence have the form 0:VERSION-RELEASE. Comparisons involving this datatype should follow the algorithm of librpm's rpmvercmp() function.
This field contains the 64-bit PGP key ID that the RPM issuer (generally the original operating system vendor) uses to sign the key. Note that the value should NOT contain a hyphen to seperat the higher 32-bits from the lower 32-bits. It should simply be a 16 character hex string. PGP is used to verify the authenticity and integrity of the RPM being considered. Software packages and patches are signed cryptographically to allow administrators to allay concerns that the distribution mechanism has been compromised, whether that mechanism is web site, FTP server, or even a mirror controlled by a hostile party. OVAL uses this field most of all to confirm that the package installed on the system is that shipped by the vendor, since comparing package version numbers against patch announcements is only programmatically valid if the installed package is known to contain the patched code.
The rpmverify_test is used to verify the integrity of installed RPMs. This test aligns with the rpm -V command for verifying RPMs. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a rpmverify_object and the optional state element specifies the data to check. The evaluation of the test is guided by the check attribute that is inherited from the TestType.
rpmverify_test
rpmverify_object
rpmverify_state
rpmverify_item
- the object child element of an rpmverify_test must reference an rpmverify_object
- the state child element of an rpmverify_test must reference an rpmverify_state
The rpmverify_object element is used by a rpmverity_test to define a set of files within a set of RPMs to verify. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
This is the package name to check.
The filepath element specifies the absolute path for a file in the specified package. A directory cannot be specified as a filepath.
The rpmverify_state element defines the different information that can be used to evaluate the specified rpm. This includes the architecture, epoch number, and version numbers. Most of this information can be obtained through the rpm function. Please refer to the individual elements in the schema for more details about what each represents.
This is the package name to check.
The filepath element specifies the absolute path for a file in the specified package. A directory cannot be specified as a filepath.
The size_differs entity aligns with the first character ('S' flag) in the character string in the output generated by running rpm –V on a specific file.
The mode_differs entity aligns with the second character ('M' flag) in the character string in the output generated by running rpm –V on a specific file.
The md5_differs entity aligns with the third character ('5' flag) in the character string in the output generated by running rpm –V on a specific file.
The device_differs entity aligns with the fourth character ('D' flag) in the character string in the output generated by running rpm –V on a specific file.
The link_mismatch entity aligns with the fifth character ('L' flag) in the character string in the output generated by running rpm –V on a specific file.
The ownership_differs entity aligns with the sixth character ('U' flag) in the character string in the output generated by running rpm –V on a specific file.
The group_differs entity aligns with the seventh character ('U' flag) in the character string in the output generated by running rpm –V on a specific file.
The mtime_differs entity aligns with the eighth character ('T' flag) in the character string in the output generated by running rpm –V on a specific file.
The size_differs entity aligns with the ninth character ('P' flag) in the character string in the output generated by running rpm –V on a specific file.
The configuration_file entity represents the configuration file attribute marker that may be present on a file.
The documentation_file entity represents the documenation file attribute marker that may be present on a file.
The ghost_file entity represents the ghost file attribute marker that may be present on a file.
The license_file entity represents the license file attribute marker that may be present on a file.
The readme_file entity represents the readme file attribute marker that may be present on a file.
The RpmVerifyBehaviors complex type defines a set of behaviors that for controlling how installed rpms are verified. These behaviors align with the verify-options of the rpm command with the addition of two behaviors that will indicate that a file with a given attribute marker should not be collected.
'nodeps' when true this behavior means, don't verify dependencies of packages.
'nodigest' when true this behavior means, don't verify package or header digests when reading.
'nofiles' when true this behavior means, don't verify any attributes of package files.
'noscripts' when true this behavior means, don't execute the %verifyscript scriptlet (if any).
'nosignature' when true this behavior means, don't verify package or header signatures when reading.
'nolinkto' when true this behavior means, don't verify symbolic links attribute.
'nomd5' when true this behavior means, don't verify the file md5 attribute.
'nosize' when true this behavior means, don't verify the file size attribute.
'nouser' when true this behavior means, don't verify the file owner attribute.
'nogroup' when true this behavior means, don't verify the file group owner attribute.
'nomtime' when true this behavior means, don't verify the file mtime attribute.
'nomode' when true this behavior means, don't verify the file mode attribute.
'nordev' when true this behavior means, don't verify the file rdev attribute.
'noconfigfiles' when true this behavior means, skip files that are marked with the %config attribute marker.
'noghostfiles' when true this behavior means, skip files that are maked with %ghost attribute marker.
The selinuxboolean_test is used to check the current and pending status of a SELinux boolean. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a selinuxboolean_object and the optional state element references a selinuxboolean_state that specifies the metadata to check. The evaluation of the test is guided by the check attribute that is inherited from the TestType.
selinuxboolean_test
selinuxboolean_object
selinuxboolean_state
selinuxboolean_item
- the object child element of an selinuxboolean_test must reference an selinuxboolean_object
- the state child element of an selinuxboolean_test must reference an selinuxboolean_state
The selinuxboolean_object element is used by an selinuxboolean_test to define the items to evaluate based on a specified state.
The name of the SELinux boolean.
The selinuxboolean_state element defines the different information that can be used to evaluate the specified SELinux boolean. This includes SELinux boolean's current and pending status. Please refer to the individual elements in the schema for more details about what each represents.
The name of the SELinux boolean.
The current_status entity represents the current state of the specified SELinux boolean.
The pending_status entity represents the pending state of the specified SELinux boolean.
The selinuxsecuritycontext_test is used to check the security context of a file or process on the local system. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a selinuxsecuritycontext_object and the optional state element references a selinuxsecuritycontext_state that specifies the metadata to check. The evaluation of the test is guided by the check attribute that is inherited from the TestType.
selinuxsecuritycontext_test
selinuxsecuritycontext_object
selinuxsecuritycontext_state
selinuxsecuritycontext_item
- the object child element of an selinuxsecuritycontext_test must reference an selinuxsecuritycontext_object
- the state child element of an selinuxsecuritycontext_test must reference an selinuxsecuritycontext_state
The selinuxsecuritycontext_object element is used by an selinuxsecuritycontext_test to define the security contexts of files and processes to collect from the local system. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
The filepath element specifies the absolute path for a file on the machine. A directory cannot be specified as a filepath.
The path element specifies the directory component of the absolute path to a file on the machine.
The filename element specifies the name of a file to evaluate. If the xsi:nil attribute is set to true, then the object being specified is the higher level directory object (not all the files in the directory). In this case, the filename element should not be used during collection and would result in the unique set of items being the directories themselves. For example, one would set xsi:nil to true if the desire was to test the attributes or permissions associated with a directory. Setting xsi:nil equal to true is different than using a .* pattern match, which says to collect every file under a given path.
The pid entity is the process ID of the process. If the xsi:nil attribute is set to true, the process ID shall be the tool's running process.
The selinuxsecuritycontext_state element defines the different information that can be used to evaluate the specified SELinux security context. This includes SELinux security context's user, type role, low sensitivity, low category, high sensitivity, high category, raw low sensitivity, raw low category, raw high sensitivity, and raw high category. This state follows the SELinux security context structure: user:role:type:low_sensitivity[:low_category]- high_sensitivity [:high_category]. Please refer to the individual elements in the schema for more details about what each represents.
The filepath element specifies the absolute path for a file on the machine. A directory cannot be specified as a filepath.
The path element specifies the directory component of the absolute path to a file on the machine.
The name of the file. If the xsi:nil attribute is set to true, then the item being represented is the higher directory represented by the path entity.
This is the process ID of the process.
The user element specifies the SELinux user that either created the file or started the process.
The role element specifies the types that a process may transition to (domain transitions). Note that this entity is not relevant for files and will always have a value of object_r.
The type element specifies the domain in which the file is accessible or the domain in which a process executes.
The low_sensitivity element specifies the current sensitivity of a file or process.
The low_category element specifies the set of categories associated with the low sensitivity.
The high_sensitivity element specifies the maximum range for a file or the clearance for a process.
The high_category element specifies the set of categories associated with the high sensitivity.
The rawlow_sensitivity element specifies the current sensitivity of a file or process but in its raw context.
The rawlow_category element specifies the set of categories associated with the low sensitivity but in its raw context.
The rawhigh_sensitivity element specifies the maximum range for a file or the clearance for a process but in its raw context.
The rawhigh_category element specifies the set of categories associated with the high sensitivity but in its raw context.
The slackware package info test is used to check information associated with a given Slackware package. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a slackwarepkginfo_object and the optional state element specifies the data to check. The evaluation of the test is guided by the check attribute that is inherited from the TestType.
slackwarepkginfo_test
slackwarepkginfo_object
slackwarepkginfo_state
slackwarepkginfo_item
- the object child element of an slackwarepkginfo_test must reference an slackwarepkginfo_object
- the state child element of an slackwarepkginfo_test must reference an slackwarepkginfo_state
The slackwarepkginfo_object element is used by a slackware package info test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
A slackware package info object consists of a single name entity that identifies the package being checked.
This is the package name to check.
The slackwarepkginfo_state element defines the different information that can be used to evaluate the specified package. This includes the version, architecture, and revision. Please refer to the individual elements in the schema for more details about what each represents.
This is the package name to check.
This is the version number of the package.
The EntityStateFileSystemTypeType complex type restricts a string value to the set of values that are used to describe file systems on a Linux system. This list is based off of the values defined in linux/magic.h. Please consult linux/magic.h for additional information on each allowed value. The empty string is also allowed to support the empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
The empty string value is permitted here to allow for empty elements associated with variable references.
The EntityStateRpmVerifyResultType complex type restricts a string value to the set of possible outcomes of checking an attribute of a file included in an RPM against the actual value of that attribute in the RPM database. The empty string is also allowed to support the empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
'pass' indicates that the test passed and is equivalent to the '.' value reported by the rpm -V command.
'fail' indicates that the test failed and is equivalent to a bold charcter in the test result string reported by the rpm -V command.
'not performed' indicates that the test could not be performed and is equivalent to the '?' value reported by the rpm -V command.
The empty string value is permitted here to allow for empty elements associated with variable references.
The EntityStateProtocolType complex type restricts a string value to the set of physical layer protocols used by AF_PACKET sockets. The empty string is also allowed to support the empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.
Ethernet loopback packet.
Xerox PUP packet.
Xerox PUP Address Transport packet.
Internet protocol packet.
CCITT X.25 packet.
Address resolution packet.
G8BPQ AX.25 ethernet packet.
Xerox IEEE802.3 PUP packet.
Xerox IEEE802.3 PUP address transport packet.
DEC assigned protocol.
DEC DNA Dump/Load.
DEC DNA Remote Console.
DEC DNA Routing.
DEC LAT.
DEC Diagnostics.
DEC Customer use.
DEC Systems Comms Arch.
Reverse address resolution packet.
Appletalk DDP.
Appletalk AARP.
802.1Q VLAN Extended Header.
IPX over DIX.
IPv6 over bluebook.
Slow Protocol. See 802.3ad 43B.
Web-cache coordination protocol.
PPPoE discovery messages.
PPPoE session messages.
MPLS Unicast traffic.
MPLS Multicast traffic.
MultiProtocol Over ATM.
Frame-based ATM Transport over Ethernet.
ATA over Ethernet.
TIPC.
Dummy type for 802.3 frames.
Dummy protocol id for AX.25.
Every packet.
802.2 frames.
Internal only.
DEC DDCMP: Internal only
Dummy type for WAN PPP frames.
Dummy type for PPP MP frames.
Dummy type for Atalk over PPP.
Localtalk pseudo type.
802.2 frames.
Mobitex.
Card specific control frames.
Linux-IrDA.
Acorn Econet.
HDLC frames.
1A for ArcNet.
The empty string value is permitted here to allow for empty elements associated with variable references.