The following is a description of the elements, types, and attributes that compose the HP-UX specific tests found in Open Vulnerability and Assessment Language (OVAL). Each test is an extension of the standard test element defined in the Core Definition Schema. Through extension, each test inherits a set of elements and attributes that are shared amongst all OVAL tests. Each test is described in detail and should provide the information necessary to understand what each element and attribute represents. This document is intended for developers and assumes some familiarity with XML. A high-level description of the interaction between the different tests and their relationship to the Core Definition Schema is not outlined here.
The OVAL Schema is maintained by The MITRE Corporation and developed by the public OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.mitre.org.
Schema: HP-UX Definition
Version: 5.3
Date: 6/22/2007 11:17:30 AM
schematron validation of the Red Hat portion of an OVAL Definitions file
From /usr/bin/getconf. See getconf manpage for specific fields
This is the parameter name to check
- datatype attribute for the parameter_name entity of a getconf_object should be 'string'
- operation attribute for the parameter_name entity of a getconf_object should be 'equals', 'not equal', or 'pattern match'
This is the pathname to check. Note that pathname is optional in the getconf call. An empty pathname in OVAL should be interpreted as if it was not supplied to the getconf call.
- datatype attribute for the pathname entity of a getconf_object should be 'string'
- operation attribute for the pathname entity of a getconf_object should be 'equals', 'not equal', or 'pattern match'
This is the parameter name to check
- datatype attribute for the parameter_name entity of a getconf_state should be 'string'
- operation attribute for the parameter_name entity of a getconf_state should be 'equals', 'not equal', or 'pattern match'
This is the pathname to check. Note that pathname is optional in the getconf call. An empty pathname in OVAL should be interpreted as if it was not supplied to the getconf call.
- datatype attribute for the pathname entity of a getconf_state should be 'string'
- operation attribute for the pathname entity of a getconf_state should be 'equals', 'not equal', or 'pattern match'
The output produced by the getconf command.
- datatype attribute for the output entity of a getconf_state should be 'string'
- operation attribute for the output entity of a getconf_state should be 'equals', 'not equal', or 'pattern match'
From /usr/sbin/swlist -l patch PHxx_yyyyy. See swlist manpage for specific fields
HP-UX patch names begin with 'PH'
- datatype attribute for the swtype entity of a patch53_object should be 'string'
- operation attribute for the swtype entity of a patch53_object should be 'equals', 'not equal', or 'pattern match'
The third and fourth characters in HP-UX patch names indicate the area of software being patched: CO - General HP-UX commands; KL - Kernel patches; NE - Network specific patches; SS - All other subsystems (X11, starbase, etc.).
- datatype attribute for the area_patched entity of a patch53_object should be 'string'
- operation attribute for the area_patched entity of a patch53_object should be 'equals', 'not equal', or 'pattern match'
The sixth through tenth characters in HP-UX patch names represent a unique numeric identifier for the patch
- datatype attribute for the patch_base entity of a patch53_object should be 'string'
- operation attribute for the patch_base entity of a patch53_object should be 'equals', 'not equal', or 'pattern match'
HP-UX patch names begin with 'PH'
- datatype attribute for the swtype entity of a patch53_state should be 'string'
- operation attribute for the swtype entity of a patch53_state should be 'equals', 'not equal', or 'pattern match'
The third and fourth characters in HP-UX patch names indicate the area of software being patched: CO - General HP-UX commands; KL - Kernel patches; NE - Network specific patches; SS - All other subsystems (X11, starbase, etc.).
- datatype attribute for the area_patched entity of a patch53_state should be 'string'
- operation attribute for the area_patched entity of a patch53_state should be 'equals', 'not equal', or 'pattern match'
The sixth through tenth characters in HP-UX patch names represent a unique numeric identifier for the patch
- datatype attribute for the patch_base entity of a patch53_state should be 'string'
- operation attribute for the patch_base entity of a patch53_state should be 'equals', 'not equal', or 'pattern match'
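An added illustration (not part of the OVAL schema or of any OVAL interpreter) of how a PHxx_yyyyy patch name splits into the three patch53 entities and how the three permitted operations apply to them as strings. The sample names are constructed, the function names are hypothetical, and Python's `re` module stands in for the regular-expression engine an interpreter would use.

```python
import re

# PHxx_yyyyy: 'PH', a two-letter area code, an underscore, a five-digit identifier.
# The page lists the area codes CO, KL, NE and SS; other two-letter codes are
# accepted here so that an unexpected area is reported rather than dropped.
_PATCH_RE = re.compile(r"(PH)([A-Z]{2})_(\d{5})")

def split_patch_name(name):
    """Return the swtype/area_patched/patch_base entities, or None if malformed."""
    m = _PATCH_RE.fullmatch(name.strip())
    if m is None:
        return None
    return {"swtype": m.group(1), "area_patched": m.group(2), "patch_base": m.group(3)}

def entity_matches(value, expected, operation="equals"):
    """Apply one of the three operations the schematron rules allow."""
    if operation == "equals":
        return value == expected          # string comparison: '00123' != '123'
    if operation == "not equal":
        return value != expected
    if operation == "pattern match":
        return re.search(expected, value) is not None
    raise ValueError("operation not permitted for this entity: %r" % operation)

def state_matches(item, state):
    """state maps entity name -> (expected, operation); every entry must hold."""
    return all(entity_matches(item[ent], exp, op) for ent, (exp, op) in state.items())

def installed_matching(patch_names, state):
    """Return the well-formed patch names whose entities satisfy the state."""
    hits = []
    for name in patch_names:
        item = split_patch_name(name)
        if item is not None and state_matches(item, state):
            hits.append(name)
    return hits

# Constructed sample, standing in for names collected from swlist -l patch.
SAMPLE = ["PHKL_12345", "PHNE_54321", "PHCO_00123", "not-a-patch"]

if __name__ == "__main__":
    kernel_state = {"area_patched": ("KL", "equals"),
                    "patch_base": (r"^12", "pattern match")}
    print(installed_matching(SAMPLE, kernel_state))
```

Because the datatype of every entity is 'string', patch_base keeps its leading zeros and is compared character by character, not numerically.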
This test has been deprecated and will be removed in version 6.0 of the language. Recommend use of the newer patch53_test.
From /usr/sbin/swlist -l patch PHxx_yyyyy. See swlist manpage for specific fields
This object has been deprecated and will be removed in version 6.0 of the language. Recommend use of the newer patch53_object.
This is the patch name to check
- datatype attribute for the patch_name entity of a patch_object should be 'string'
- operation attribute for the patch_name entity of a patch_object should be 'equals', 'not equal', or 'pattern match'
This state has been deprecated and will be removed in version 6.0 of the language. Recommend use of the newer patch53_state.
This is the patch name to check
- datatype attribute for the patch_name entity of a patch_state should be 'string'
- operation attribute for the patch_name entity of a patch_state should be 'equals', 'not equal', or 'pattern match'
HP-UX patch names begin with 'PH'
- datatype attribute for the swtype entity of a patch_state should be 'string'
- operation attribute for the swtype entity of a patch_state should be 'equals', 'not equal', or 'pattern match'
The third and fourth characters in HP-UX patch names indicate the area of software being patched: CO - General HP-UX commands; KL - Kernel patches; NE - Network specific patches; SS - All other subsystems (X11, starbase, etc.).
- datatype attribute for the area_patched entity of a patch_state should be 'string'
- operation attribute for the area_patched entity of a patch_state should be 'equals', 'not equal', or 'pattern match'
The sixth through tenth characters in HP-UX patch names represent a unique numeric identifier for the patch
- datatype attribute for the patch_base entity of a patch_state should be 'string'
- operation attribute for the patch_base entity of a patch_state should be 'equals', 'not equal', or 'pattern match'
Output of /usr/sbin/swlist command. Note: A quick way to check for the installation of a specific fileset is to use the command 'swlist -a version -l fileset filesetname'. See manpage for swlist for explanation of additional command options.
This is the name of the bundle or fileset to check.
- datatype attribute for the swlist entity of a swlist_object should be 'string'
- operation attribute for the swlist entity of a swlist_object should be 'equals', 'not equal', or 'pattern match'
This is the name of the bundle or fileset to check.
- datatype attribute for the swlist entity of a swlist_state should be 'string'
- operation attribute for the swlist entity of a swlist_state should be 'equals', 'not equal', or 'pattern match'
- datatype attribute for the bundle entity of a swlist_state should be 'string'
- operation attribute for the bundle entity of a swlist_state should be 'equals', 'not equal', or 'pattern match'
- datatype attribute for the fileset entity of a swlist_state should be 'string'
- operation attribute for the fileset entity of a swlist_state should be 'equals', 'not equal', or 'pattern match'
- datatype attribute for the version entity of a swlist_state should be 'string'
- operation attribute for the version entity of a swlist_state should be 'equals', 'not equal', or 'pattern match'
- datatype attribute for the title entity of a swlist_state should be 'string'
- operation attribute for the title entity of a swlist_state should be 'equals', 'not equal', or 'pattern match'
- datatype attribute for the vendor entity of a swlist_state should be 'string'
- operation attribute for the vendor entity of a swlist_state should be 'equals', 'not equal', or 'pattern match'
This test allows for analysis of account settings in trusted HP-UX installations
This is the name of the user being checked
- datatype attribute for the username entity of a trusted_object should be 'string'
- operation attribute for the username entity of a trusted_object should be 'equals', 'not equal', or 'pattern match'
This is the name of the user being checked
- datatype attribute for the username entity of a trusted_state should be 'string'
- operation attribute for the username entity of a trusted_state should be 'equals', 'not equal', or 'pattern match'
The user's ID
- datatype attribute for the uid entity of a trusted_state should be 'string'
- operation attribute for the uid entity of a trusted_state should be 'equals', 'not equal', or 'pattern match'
This is the encrypted version of the user's password
- datatype attribute for the password entity of a trusted_state should be 'string'
- operation attribute for the password entity of a trusted_state should be 'equals', 'not equal', or 'pattern match'
The Account owner for pseudo-users
- datatype attribute for the account_owner entity of a trusted_state should be 'string'
- operation attribute for the account_owner entity of a trusted_state should be 'equals', 'not equal', or 'pattern match'
Boot authorization
- datatype attribute for the boot_auth entity of a trusted_state should be 'string'
- operation attribute for the boot_auth entity of a trusted_state should be 'equals', 'not equal', or 'pattern match'
getprpwaid uses the audit ID rather than the UID
- datatype attribute for the audit_id entity of a trusted_state should be 'string'
- operation attribute for the audit_id entity of a trusted_state should be 'equals', 'not equal', or 'pattern match'
- datatype attribute for the audit_flag entity of a trusted_state should be 'string'
- operation attribute for the audit_flag entity of a trusted_state should be 'equals', 'not equal', or 'pattern match'
Minimum time between password changes
- datatype attribute for the pw_change_min entity of a trusted_state should be 'string'
- operation attribute for the pw_change_min entity of a trusted_state should be 'equals', 'not equal', or 'pattern match'
Maximum password length in characters
- datatype attribute for the pw_max_size entity of a trusted_state should be 'string'
- operation attribute for the pw_max_size entity of a trusted_state should be 'equals', 'not equal', or 'pattern match'
Password expiration time in seconds
- datatype attribute for the pw_expiration entity of a trusted_state should be 'string'
- operation attribute for the pw_expiration entity of a trusted_state should be 'equals', 'not equal', or 'pattern match'
Trusted lifetime, after which the account is locked
- datatype attribute for the pw_life entity of a trusted_state should be 'string'
- operation attribute for the pw_life entity of a trusted_state should be 'equals', 'not equal', or 'pattern match'
Time of last successful password change
- datatype attribute for the pw_change_s entity of a trusted_state should be 'string'
- operation attribute for the pw_change_s entity of a trusted_state should be 'equals', 'not equal', or 'pattern match'
Time of last unsuccessful password change
- datatype attribute for the pw_change_u entity of a trusted_state should be 'string'
- operation attribute for the pw_change_u entity of a trusted_state should be 'equals', 'not equal', or 'pattern match'
Absolute account lifetime in seconds
- datatype attribute for the acct_expire entity of a trusted_state should be 'string'
- operation attribute for the acct_expire entity of a trusted_state should be 'equals', 'not equal', or 'pattern match'
Maximum time allowed between logins before the account is locked
- datatype attribute for the max_llogin entity of a trusted_state should be 'string'
- operation attribute for the max_llogin entity of a trusted_state should be 'equals', 'not equal', or 'pattern match'
The time in seconds before expiration when a warning will appear
- datatype attribute for the exp_warning entity of a trusted_state should be 'string'
- operation attribute for the exp_warning entity of a trusted_state should be 'equals', 'not equal', or 'pattern match'
Who can change this user's password
- datatype attribute for the usr_chg_pw entity of a trusted_state should be 'string'
- operation attribute for the usr_chg_pw entity of a trusted_state should be 'equals', 'not equal', or 'pattern match'
Allows user to use system-generated passwords
- datatype attribute for the gen_pw entity of a trusted_state should be 'string'
- operation attribute for the gen_pw entity of a trusted_state should be 'equals', 'not equal', or 'pattern match'
Whether a triviality check is performed on user-generated passwords
- datatype attribute for the pw_restrict entity of a trusted_state should be 'string'
- operation attribute for the pw_restrict entity of a trusted_state should be 'equals', 'not equal', or 'pattern match'
Determines if null passwords are allowed for this account
- datatype attribute for the pw_null entity of a trusted_state should be 'string'
- operation attribute for the pw_null entity of a trusted_state should be 'equals', 'not equal', or 'pattern match'
Allows password generator to use random printable ASCII characters
- datatype attribute for the pw_gen_char entity of a trusted_state should be 'string'
- operation attribute for the pw_gen_char entity of a trusted_state should be 'equals', 'not equal', or 'pattern match'
Allows password generator to use random letters
- datatype attribute for the pw_gen_let entity of a trusted_state should be 'string'
- operation attribute for the pw_gen_let entity of a trusted_state should be 'equals', 'not equal', or 'pattern match'
Specifies the times when the user may login to this account
- datatype attribute for the login_time entity of a trusted_state should be 'string'
- operation attribute for the login_time entity of a trusted_state should be 'equals', 'not equal', or 'pattern match'
The user ID of the user who last changed the password on the user's account, if it was not the account owner
- datatype attribute for the pw_changer entity of a trusted_state should be 'string'
- operation attribute for the pw_changer entity of a trusted_state should be 'equals', 'not equal', or 'pattern match'
The time of the last successful login using this account
- datatype attribute for the login_time_s entity of a trusted_state should be 'string'
- operation attribute for the login_time_s entity of a trusted_state should be 'equals', 'not equal', or 'pattern match'
The time of the last unsuccessful login using this account
- datatype attribute for the login_time_u entity of a trusted_state should be 'string'
- operation attribute for the login_time_u entity of a trusted_state should be 'equals', 'not equal', or 'pattern match'
The terminal or remote host associated with the last successful login to the account
- datatype attribute for the login_tty_s entity of a trusted_state should be 'string'
- operation attribute for the login_tty_s entity of a trusted_state should be 'equals', 'not equal', or 'pattern match'
The terminal or remote hosts associated with the last unsuccessful login to the account
- datatype attribute for the login_tty_u entity of a trusted_state should be 'string'
- operation attribute for the login_tty_u entity of a trusted_state should be 'equals', 'not equal', or 'pattern match'
The number of unsuccessful login attempts since the last successful login
- datatype attribute for the num_u_logins entity of a trusted_state should be 'string'
- operation attribute for the num_u_logins entity of a trusted_state should be 'equals', 'not equal', or 'pattern match'
The maximum number of unsuccessful login attempts before the account is locked
- datatype attribute for the max_u_logins entity of a trusted_state should be 'string'
- operation attribute for the max_u_logins entity of a trusted_state should be 'equals', 'not equal', or 'pattern match'
Indicates whether the administrative lock on the account is set
- datatype attribute for the lock_flag entity of a trusted_state should be 'string'
- operation attribute for the lock_flag entity of a trusted_state should be 'equals', 'not equal', or 'pattern match'