The following is a description of the elements, types, and attributes that compose the Linux specific system characteristic items found in Open Vulnerability and Assessment Language (OVAL). Each item is an extension of the standard item element defined in the Core System Characteristic Schema. Through extension, each item inherits a set of elements and attributes that are shared amongst all OVAL Items. Each item is described in detail and should provide the information necessary to understand what each element and attribute represents. This document is intended for developers and assumes some familiarity with XML. A high level description of the interaction between the different tests and their relationship to the Core System Characteristic Schema is not outlined here.
The OVAL Schema is maintained by The Mitre Corporation and developed by the public OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.mitre.org.
Linux System Characteristics
5.3
6/22/2007 11:17:59 AM
schematron validation of the Linux portion of an OVAL System Characteristics file
This item stores DPKG package info.
This is the package name to check.
item - datatype attribute for the name entity of a dpkginfo_item should be 'string'
This is the architecture for which the DPKG was built, such as i386, ppc, sparc, or noarch.
item - datatype attribute for the arch entity of a dpkginfo_item should be 'string'
This is the epoch number of the DPKG. A null epoch (or '(none)' as returned by rpm) is equivalent to '0'.
item - datatype attribute for the epoch entity of a dpkginfo_item should be 'string'
This is the release number of the build.
item - datatype attribute for the release entity of a dpkginfo_item should be 'string'
This is the version number of the build, changed by the vendor/builder.
item - datatype attribute for the version entity of a dpkginfo_item should be 'string'
This represents the epoch, version, and release fields as a single version string. It has the form "EPOCH:VERSION-RELEASE". Note that a null epoch (or '(none)' as returned by rpm) is equivalent to '0' and would hence have the form 0:VERSION-RELEASE.
item - datatype attribute for the evr entity of a dpkginfo_item should be 'evr_string'
An inet listening server item stores the results of checking for network servers currently active on a system. It holds information pertaining to a specific protocol-address-port combination.
This is the transport-layer protocol, in lowercase: tcp or udp.
item - datatype attribute for the protocol entity of an inetlisteningserver_item should be 'string'
This is the IP address associated with the inet listening server.
item - datatype attribute for the local_address entity of an inetlisteningserver_item should be 'string'
This is the TCP or UDP port on which the program listens.
item - datatype attribute for the local_port entity of an inetlisteningserver_item should be 'string'
This is the IP address and network port on which the program listens, equivalent to local_address:local_port.
item - datatype attribute for the local_full_address entity of an inetlisteningserver_item should be 'string'
This is the name of the communicating program.
item - datatype attribute for the program_name entity of an inetlisteningserver_item should be 'string'
This is the IP address with which the program is communicating, or with which it will communicate, in the case of a listening server.
item - datatype attribute for the foreign_address entity of an inetlisteningserver_item should be 'string'
This is the TCP or UDP port to which the program communicates. In the case of a listening program accepting new connections, this is usually a *.
item - datatype attribute for the foreign_port entity of an inetlisteningserver_item should be 'string'
This is the IP address and network port to which the program is communicating or will accept communications from, equivalent to foreign_address:foreign_port.
item - datatype attribute for the foreign_full_address entity of an inetlisteningserver_item should be 'string'
This is the process ID of the process. The process in question is that of the program communicating on the network.
item - datatype attribute for the pid entity of an inetlisteningserver_item should be 'int'
The numeric user id, or uid, is the third column of each user's entry in /etc/passwd. It represents the owner, and thus privilege level, of the specified program.
item - datatype attribute for the user_id entity of an inetlisteningserver_item should be 'string'
This item stores rpm info.
This is the package name to check.
item - datatype attribute for the name entity of a rpminfo_item should be 'string'
This is the architecture for which the RPM was built, such as i386, ppc, sparc, or noarch. In the case of an apache rpm named httpd-2.0.40-21.11.4.i686.rpm, this value would be i686.
item - datatype attribute for the arch entity of a rpminfo_item should be 'string'
This is the epoch number of the RPM. It is used as a kludge for version-release comparisons where the vendor has done some kind of re-numbering or version forking. A null epoch (or '(none)' as returned by rpm) is equivalent to '0'. This number is not revealed by a normal query of the RPM's information; you must use a formatted rpm query command to gather this data from the command line, like so.
For an already-installed RPM:
rpm -q --qf '%{EPOCH}\n' installed_rpm
For an RPM file that has not been installed:
rpm -qp --qf '%{EPOCH}\n' rpm_file
item - datatype attribute for the epoch entity of a rpminfo_item should be 'string'
This is the release number of the build.
item - datatype attribute for the release entity of a rpminfo_item should be 'string'
This is the version number of the build, changed by the vendor/builder. In the case of an apache rpm named httpd-2.0.40-21.11.4.i686.rpm, this value would be 21.11.4.
item - datatype attribute for the version entity of a rpminfo_item should be 'string'
This represents the epoch, version, and release fields as a single version string. It has the form "EPOCH:VERSION-RELEASE". Note that a null epoch (or '(none)' as returned by rpm) is equivalent to '0' and would hence have the form 0:VERSION-RELEASE.
item - datatype attribute for the evr entity of a rpminfo_item should be 'evr_string'
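Worked example, added here and not part of the OVAL schema or its documentation: parsing an evr_string as described for the dpkginfo_item and rpminfo_item evr entities (normalising a missing or '(none)' epoch to '0'), and then comparing two such strings. The comparison follows rpm's segment-wise rpmvercmp convention, which this document does not describe and is an assumption here; tilde and caret ordering are omitted.

```python
import re

def parse_evr(evr):
    """Split an OVAL evr_string 'EPOCH:VERSION-RELEASE' into its three fields.
    A missing epoch or '(none)' is normalised to '0', as the schema text states."""
    if ":" in evr:
        epoch, rest = evr.split(":", 1)
    else:
        epoch, rest = "0", evr
    if epoch in ("", "(none)"):
        epoch = "0"
    if "-" in rest:
        version, release = rest.rsplit("-", 1)  # release is the last '-' field
    else:
        version, release = rest, ""
    return epoch, version, release

def normalize_evr(evr):
    """Return the canonical '0:VERSION-RELEASE' form used by the evr_string datatype."""
    e, v, r = parse_evr(evr)
    return f"{e}:{v}-{r}" if r else f"{e}:{v}"

_SEG = re.compile(r"(\d+|[A-Za-z]+)")

def _cmp_segments(a, b):
    # Assumed rpmvercmp convention: split on non-alphanumerics into numeric and
    # alphabetic runs; numeric runs beat alphabetic ones, numbers compare by value
    # (so '10' > '9'), and if all shared runs tie the string with runs left over wins.
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        xn, yn = x.isdigit(), y.isdigit()
        if xn != yn:
            return 1 if xn else -1
        if xn:
            xi, yi = int(x), int(y)
            if xi != yi:
                return 1 if xi > yi else -1
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def compare_evr(a, b):
    """Return 1, 0 or -1 as evr_string a is newer than, equal to, or older than b.
    Epoch is decisive; only then are version and release compared."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if int(ea) != int(eb):
        return 1 if int(ea) > int(eb) else -1
    return _cmp_segments(va, vb) or _cmp_segments(ra, rb)
```

Because the epoch is compared first, an evr_string with epoch '1' is newer than any epoch '0' string regardless of version, which is why a vendor re-numbering must be carried through to the evr field.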
This field contains the PGP key ID that the RPM issuer (generally the original operating system vendor) uses to sign the package. PGP is used to verify the authenticity and integrity of the RPM being considered. Software packages and patches are signed cryptographically to allow administrators to allay concerns that the distribution mechanism has been compromised, whether that mechanism is a web site, an FTP server, or even a mirror controlled by a hostile party. OVAL uses this field most of all to confirm that the package installed on the system is the one shipped by the vendor, since comparing package version numbers against patch announcements is only programmatically valid if the installed package is known to contain the patched code.
item - datatype attribute for the signature_keyid entity of a rpminfo_item should be 'string'
This item describes info related to Slackware packages. It extends the standard ItemType as defined in the oval-system-characteristics schema and one should refer to the ItemType description for more information.
This is the package name to check.
item - datatype attribute for the name entity of a slackwarepkginfo_item should be 'string'
This is the version number of the package.
item - datatype attribute for the version entity of a slackwarepkginfo_item should be 'string'
This is the architecture the package is designed for.
item - datatype attribute for the architecture entity of a slackwarepkginfo_item should be 'string'
This is the revision of the package.
item - datatype attribute for the revision entity of a slackwarepkginfo_item should be 'string'