The following is a description of the elements, types, and attributes that compose the Linux specific tests found in Open Vulnerability and Assessment Language (OVAL). Each test is an extension of the standard test element defined in the Core Definition Schema. Through extension, each test inherits a set of elements and attributes that are shared amongst all OVAL tests. Each test is described in detail and should provide the information necessary to understand what each element and attribute represents. This document is intended for developers and assumes some familiarity with XML. A high level description of the interaction between the different tests and their relationship to the Core Definition Schema is not outlined here.
The OVAL Schema is maintained by The Mitre Corporation and developed by the public OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.mitre.org.
Linux Definition
5.3
6/22/2007 11:17:55 AM
schematron validation of the Linux portion of an OVAL Definitions file
The dpkginfo test is used to check information for a given DPKG package. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a dpkginfo_object and the optional state element specifies the data to check. The evaluation of the test is guided by the check attribute that is inherited from the TestType.
The dpkginfo_object element is used by a dpkginfo test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
A dpkginfo object consists of a single name entity that identifies the package being checked.
This is the package name to check.
- datatype attribute for the name entity of a dpkginfo_object should be 'string'
- operation attribute for the name entity of a dpkginfo_object should be 'equals', 'not equal', or 'pattern match'
The dpkginfo_state element defines the different information that can be used to evaluate the specified DPKG package. This includes the architecture, epoch number, release, and version numbers. Please refer to the individual elements in the schema for more details about what each represents.
This is the DPKG package name to check.
- datatype attribute for the name entity of a dpkginfo_state should be 'string'
- operation attribute for the name entity of a dpkginfo_state should be 'equals', 'not equal', or 'pattern match'
This is the architecture for which the package was built, such as i386, ppc, sparc, or noarch.
- datatype attribute for the arch entity of a dpkginfo_state should be 'string'
- operation attribute for the arch entity of a dpkginfo_state should be 'equals', 'not equal', or 'pattern match'
This is the epoch number of the package. It is used as a kludge for version-release comparisons where the vendor has done some kind of re-numbering or version forking.
- datatype attribute for the epoch entity of a dpkginfo_state should be 'string'
- operation attribute for the epoch entity of a dpkginfo_state should be 'equals', 'not equal', 'greater than', 'greater than or equal', 'less than', 'less than or equal', or 'pattern match'
This is the release number of the build, changed by the vendor/builder.
- datatype attribute for the release entity of a dpkginfo_state should be 'string'
- operation attribute for the release entity of a dpkginfo_state should be 'equals', 'not equal', 'greater than', 'greater than or equal', 'less than', 'less than or equal', or 'pattern match'
This is the version number of the build.
- datatype attribute for the version entity of a dpkginfo_state should be 'string'
- operation attribute for the version entity of a dpkginfo_state should be 'equals', 'not equal', 'greater than', 'greater than or equal', 'less than', 'less than or equal', or 'pattern match'
This represents the epoch, version, and release fields as a single version string. It has the form "EPOCH:VERSION-RELEASE".
- datatype attribute for the evr entity of a dpkginfo_state should be 'evr_string'
- operation attribute for the evr entity of a dpkginfo_state should be 'equals', 'not equal', 'greater than', 'greater than or equal', 'less than', 'less than or equal', or 'pattern match'
The inet listening servers test is used to check what applications are listening on the network. It generally uses the parsed output of running the command netstat -tuwlnpe with root privilege. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references an inetlisteningservers_object and the optional state element specifies the data to check. The evaluation of the test is guided by the check attribute that is inherited from the TestType.
The inetlisteningservers_object element is used by an inet listening servers test to define the specific protocol-address-port to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
An inet listening servers object consists of three entities: the first identifies a specific IP address, the second represents a certain port number, and the third identifies the protocol.
The protocol entity defines a certain transport-layer protocol, in lowercase: tcp or udp.
- datatype attribute for the protocol entity of an inetlisteningservers_object should be 'string'
- operation attribute for the protocol entity of an inetlisteningservers_object should be 'equals', 'not equal', or 'pattern match'
This is the IP address of the network interface on which an application listens.
- datatype attribute for the local_address entity of an inetlisteningservers_object should be 'string'
- operation attribute for the local_address entity of an inetlisteningservers_object should be 'equals', 'not equal', or 'pattern match'
This is the TCP or UDP port on which an application would listen. Note that this is not a list -- if a program listens on multiple ports, or on a combination of TCP and UDP, each will be represented by its own object.
- datatype attribute for the local_port entity of an inetlisteningservers_object should be 'string'
- operation attribute for the local_port entity of an inetlisteningservers_object should be 'equals', 'not equal', or 'pattern match'
The inetlisteningservers_state element defines the different information that can be used to evaluate the specified inet listening server. This includes the local address, foreign address, port information, and process id. Please refer to the individual elements in the schema for more details about what each represents.
The protocol entity defines the specific transport-layer protocol, in lowercase: tcp or udp, associated with the inet listening server.
- datatype attribute for the protocol entity of an inetlisteningservers_state should be 'string'
- operation attribute for the protocol entity of an inetlisteningservers_state should be 'equals', 'not equal', or 'pattern match'
This is the IP address of the network interface on which the program listens.
- datatype attribute for the local_address entity of an inetlisteningservers_state should be 'string'
- operation attribute for the local_address entity of an inetlisteningservers_state should be 'equals', 'not equal', or 'pattern match'
This is the TCP or UDP port number associated with the inet listening server.
- datatype attribute for the local_port entity of an inetlisteningservers_state should be 'string'
- operation attribute for the local_port entity of an inetlisteningservers_state should be 'equals', 'not equal', or 'pattern match'
This is the IP address and network port number associated with the inet listening server, equivalent to local_address:local_port.
- datatype attribute for the local_full_address entity of an inetlisteningservers_state should be 'string'
- operation attribute for the local_full_address entity of an inetlisteningservers_state should be 'equals', 'not equal', or 'pattern match'
This is the name of the communicating program.
- datatype attribute for the program_name entity of an inetlisteningservers_state should be 'string'
- operation attribute for the program_name entity of an inetlisteningservers_state should be 'equals', 'not equal', or 'pattern match'
This is the IP address with which the program is communicating, or with which it will communicate, in the case of a listening server.
- datatype attribute for the foreign_address entity of an inetlisteningservers_state should be 'string'
- operation attribute for the foreign_address entity of an inetlisteningservers_state should be 'equals', 'not equal', or 'pattern match'
This is the TCP or UDP port to which the program communicates. In the case of a listening program accepting new connections, this is usually a *.
- datatype attribute for the foreign_port entity of an inetlisteningservers_state should be 'string'
- operation attribute for the foreign_port entity of an inetlisteningservers_state should be 'equals', 'not equal', or 'pattern match'
This is the IP address and network port to which the program is communicating or will accept communications from, equivalent to foreign_address:foreign_port.
- datatype attribute for the foreign_full_address entity of an inetlisteningservers_state should be 'string'
- operation attribute for the foreign_full_address entity of an inetlisteningservers_state should be 'equals', 'not equal', or 'pattern match'
The pid is the process ID of a specific process.
- datatype attribute for the pid entity of an inetlisteningservers_state should be 'int'
- operation attribute for the pid entity of an inetlisteningservers_state should be 'equals', 'not equal', 'greater than', 'greater than or equal', 'less than', or 'less than or equal'
The numeric user id, or uid, is the third column of each user's entry in /etc/passwd. It represents the owner, and thus privilege level, of the specified program.
- datatype attribute for the user_id entity of an inetlisteningservers_state should be 'string'
- operation attribute for the user_id entity of an inetlisteningservers_state should be 'equals', 'not equal', or 'pattern match'
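As an added illustration (not part of the OVAL schema documentation), the following parses constructed netstat -tuwlnpe rows into the inetlisteningservers_state entities described above and then applies an inetlisteningservers_object (protocol, local_address, local_port) with the equals / not equal / pattern match operations. The sample output, the field layout it assumes, and the unanchored regex reading of 'pattern match' are assumptions of this example.

```python
import re

# Constructed sample of `netstat -tuwlnpe` output (not captured from a real host).
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          12345      812/sshd
tcp6       0      0 :::80                   :::*                    LISTEN      0          12400      1041/httpd
udp        0      0 127.0.0.1:323           0.0.0.0:*                           0          11900      655/chronyd
"""

def parse_netstat(output):
    """Turn netstat rows into dicts keyed by the inetlisteningservers_state entities.
    Rows for udp/raw have no State column, so trailing fields are read from the right."""
    records = []
    for line in output.splitlines():
        f = line.split()
        if not f or f[0].rstrip('6') not in ('tcp', 'udp', 'raw'):
            continue  # banner and header lines
        # rsplit keeps IPv6 wildcards such as ':::80' intact (address '::', port '80')
        local_addr, local_port = f[3].rsplit(':', 1)
        foreign_addr, foreign_port = f[4].rsplit(':', 1)
        pid, _, prog = f[-1].partition('/')  # '-' when netstat ran without root
        records.append({
            'protocol': f[0].rstrip('6'),  # schema wants lowercase tcp or udp
            'local_address': local_addr, 'local_port': local_port,
            'local_full_address': f[3],
            'program_name': prog or None,
            'foreign_address': foreign_addr, 'foreign_port': foreign_port,
            'foreign_full_address': f[4],
            'pid': int(pid) if pid.isdigit() else None,
            'user_id': f[-3],
        })
    return records

def entity_matches(value, expected, operation='equals'):
    """The three operations the object's entities allow; pattern match is an
    unanchored regex search here (an assumption about the collector's semantics)."""
    if operation == 'equals':
        return value == expected
    if operation == 'not equal':
        return value != expected
    if operation == 'pattern match':
        return re.search(expected, value) is not None
    raise ValueError('unsupported operation: ' + operation)

def select_objects(records, protocol, local_address, local_port, ops=None):
    """Apply an inetlisteningservers_object (protocol, local_address, local_port)
    to collected records; `ops` maps an entity name to its operation attribute."""
    ops = ops or {}
    return [r for r in records
            if entity_matches(r['protocol'], protocol, ops.get('protocol', 'equals'))
            and entity_matches(r['local_address'], local_address, ops.get('local_address', 'equals'))
            and entity_matches(r['local_port'], local_port, ops.get('local_port', 'equals'))]
```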
The rpm info test is used to check the RPM header information for a given RPM package. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a rpminfo_object and the optional state element specifies the data to check. The evaluation of the test is guided by the check attribute that is inherited from the TestType.
The rpminfo_object element is used by a rpm info test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
A rpm info object consists of a single name entity that identifies the package being checked.
This is the package name to check.
- datatype attribute for the name entity of a rpminfo_object should be 'string'
- operation attribute for the name entity of a rpminfo_object should be 'equals', 'not equal', or 'pattern match'
The rpminfo_state element defines the different information that can be used to evaluate the specified rpm. This includes the architecture, epoch number, and version numbers. Most of this information can be obtained through the rpm command. Please refer to the individual elements in the schema for more details about what each represents.
This is the package name to check.
- datatype attribute for the name entity of a rpminfo_state should be 'string'
- operation attribute for the name entity of a rpminfo_state should be 'equals', 'not equal', or 'pattern match'
This is the architecture for which the RPM was built, such as i386, ppc, sparc, or noarch. In the case of an apache rpm named httpd-2.0.40-21.11.4.i686.rpm, this value would be i686.
- datatype attribute for the arch entity of a rpminfo_state should be 'string'
- operation attribute for the arch entity of a rpminfo_state should be 'equals', 'not equal', or 'pattern match'
This is the epoch number of the RPM. It is used as a kludge for version-release comparisons where the vendor has done some kind of re-numbering or version forking. A null epoch (or '(none)' as returned by rpm) is equivalent to '0'. This number is not revealed by a normal query of the RPM's information -- you must use a formatted rpm query command to gather this data from the command line, like so.
For an already-installed RPM: rpm -q --qf '%{EPOCH}\n' installed_rpm
For an RPM file that has not been installed: rpm -qp --qf '%{EPOCH}\n' rpm_file
- datatype attribute for the epoch entity of a rpminfo_state should be 'string'
- operation attribute for the epoch entity of a rpminfo_state should be 'equals', 'not equal', 'greater than', 'greater than or equal', 'less than', 'less than or equal', or 'pattern match'
This is the release number of the build, changed by the vendor/builder.
- datatype attribute for the release entity of a rpminfo_state should be 'string'
- operation attribute for the release entity of a rpminfo_state should be 'equals', 'not equal', 'greater than', 'greater than or equal', 'less than', 'less than or equal', or 'pattern match'
This is the version number of the build. In the case of an apache rpm named httpd-2.0.40-21.11.4.i686.rpm, this value would be 21.11.4.
- datatype attribute for the version entity of a rpminfo_state should be 'string'
- operation attribute for the version entity of a rpminfo_state should be 'equals', 'not equal', 'greater than', 'greater than or equal', 'less than', 'less than or equal', or 'pattern match'
This represents the epoch, version, and release fields as a single version string. It has the form "EPOCH:VERSION-RELEASE". Note that a null epoch (or '(none)' as returned by rpm) is equivalent to '0' and would hence have the form 0:VERSION-RELEASE. Comparisons involving this datatype should follow the algorithm of librpm's rpmvercmp() function.
- datatype attribute for the evr entity of a rpminfo_state should be 'evr_string'
- operation attribute for the evr entity of a rpminfo_state should be 'equals', 'not equal', 'greater than', 'greater than or equal', 'less than', 'less than or equal', or 'pattern match'
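The evr_string datatype used by both dpkginfo_state and rpminfo_state is ordered, for RPM, by librpm's rpmvercmp() as the text above states. As an added example (not code from the OVAL project), the following implements that segment-based comparison in Python, applies the null-epoch-equals-'0' rule to "EPOCH:VERSION-RELEASE" strings, and evaluates the ordering operations listed for the evr entity. It assumes the classic rpmvercmp rules (the tilde and caret handling of later librpm releases is left out); Debian's dpkg orders versions by its own rules, so this block covers the rpminfo case only.

```python
import re

_SEP, _NUM, _ALPHA = (re.compile(p) for p in (r'^[^A-Za-z0-9]+', r'^[0-9]+', r'^[A-Za-z]+'))

def rpmvercmp(a, b):
    """librpm's rpmvercmp(): compare alternating numeric/alpha segments, skipping
    separators; numeric segments compare as integers and outrank alpha ones. Returns -1, 0, 1."""
    one, two = a, b
    while one or two:
        one, two = _SEP.sub('', one, count=1), _SEP.sub('', two, count=1)
        if not (one and two):
            break  # one side exhausted; whichever still has text wins
        isnum = one[0].isdigit()
        pat = _NUM if isnum else _ALPHA
        seg1, m2 = pat.match(one).group(0), pat.match(two)
        if m2 is None:
            return 1 if isnum else -1  # mixed segment types: numeric is newer
        seg2 = m2.group(0)
        n1, n2 = len(seg1), len(seg2)
        if isnum:
            seg1, seg2 = seg1.lstrip('0'), seg2.lstrip('0')
            if len(seg1) != len(seg2):  # the number with more digits is larger
                return 1 if len(seg1) > len(seg2) else -1
        if seg1 != seg2:
            return 1 if seg1 > seg2 else -1
        one, two = one[n1:], two[n2:]
    if not one and not two:
        return 0
    return 1 if one else -1

def parse_evr(evr):
    """Split "EPOCH:VERSION-RELEASE"; a missing epoch or rpm's '(none)' means '0'."""
    epoch, sep, rest = evr.partition(':')
    if not sep:
        epoch, rest = '0', evr
    if epoch in ('', '(none)'):
        epoch = '0'
    version, sep, release = rest.rpartition('-')
    return (epoch, version, release) if sep else (epoch, rest, '')

def evrcmp(a, b):
    # epoch decides first, then version, then release
    for x, y in zip(parse_evr(a), parse_evr(b)):
        rc = rpmvercmp(x, y)
        if rc:
            return rc
    return 0

_OPS = {'equals': lambda rc: rc == 0, 'not equal': lambda rc: rc != 0,
        'greater than': lambda rc: rc > 0, 'greater than or equal': lambda rc: rc >= 0,
        'less than': lambda rc: rc < 0, 'less than or equal': lambda rc: rc <= 0}

def evr_satisfies(installed, operation, state_value):
    """Evaluate an rpminfo_state evr entity with an OVAL ordering operation ('pattern match' excluded)."""
    return _OPS[operation](evrcmp(installed, state_value))
```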
This field contains the 64-bit PGP key ID that the RPM issuer (generally the original operating system vendor) uses to sign the package. Note that the value should NOT contain a hyphen to separate the higher 32 bits from the lower 32 bits. It should simply be a 16 character hex string. PGP is used to verify the authenticity and integrity of the RPM being considered. Software packages and patches are signed cryptographically to allow administrators to allay concerns that the distribution mechanism has been compromised, whether that mechanism is a web site, an FTP server, or even a mirror controlled by a hostile party. OVAL uses this field most of all to confirm that the package installed on the system is the one shipped by the vendor, since comparing package version numbers against patch announcements is only programmatically valid if the installed package is known to contain the patched code.
- datatype attribute for the signature_keyid entity of a rpminfo_state should be 'string'
- operation attribute for the signature_keyid entity of a rpminfo_state should be 'equals', 'not equal', or 'pattern match'
The slackware package info test is used to check information associated with a given Slackware package. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a slackwarepkginfo_object and the optional state element specifies the data to check. The evaluation of the test is guided by the check attribute that is inherited from the TestType.
The slackwarepkginfo_object element is used by a slackware package info test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.
A slackware package info object consists of a single name entity that identifies the package being checked.
This is the package name to check.
- datatype attribute for the name entity of a slackwarepkginfo_object should be 'string'
- operation attribute for the name entity of a slackwarepkginfo_object should be 'equals', 'not equal', or 'pattern match'
The slackwarepkginfo_state element defines the different information that can be used to evaluate the specified package. This includes the version, architecture, and revision. Please refer to the individual elements in the schema for more details about what each represents.
This is the package name to check.
- datatype attribute for the name entity of a slackwarepkginfo_state should be 'string'
- operation attribute for the name entity of a slackwarepkginfo_state should be 'equals', 'not equal', or 'pattern match'
This is the version number of the package.
- datatype attribute for the version entity of a slackwarepkginfo_state should be 'string'
- operation attribute for the version entity of a slackwarepkginfo_state should be 'equals', 'not equal', or 'pattern match'
- datatype attribute for the architecture entity of a slackwarepkginfo_state should be 'string'
- operation attribute for the architecture entity of a slackwarepkginfo_state should be 'equals', 'not equal', or 'pattern match'
- datatype attribute for the revision entity of a slackwarepkginfo_state should be 'string'
- operation attribute for the revision entity of a slackwarepkginfo_state should be 'equals', 'not equal', or 'pattern match'