From 879e24aba888881b21b2b2fc9b2e7a665f9f5dba Mon Sep 17 00:00:00 2001 From: BOUILLARD Esteban Date: Mon, 25 Jan 2021 10:19:15 +0100 Subject: [PATCH] ebouillard - On behalf of French Ministry of Army, adding AUDITDLINE_TEST and NETWORKFIREWALL_TEST to Linux OVAL schema --- linux-definitions-schema.xsd | 846 +++++++++++++++++- linux-system-characteristics-schema.xsd | 394 +++++++- x-linux-network-auditd-definitions-schema.xsd | 392 ++++++++ ...k-auditd-system-characteristics-schema.xsd | 171 ++++ 4 files changed, 1754 insertions(+), 49 deletions(-) create mode 100644 x-linux-network-auditd-definitions-schema.xsd create mode 100644 x-linux-network-auditd-system-characteristics-schema.xsd diff --git a/linux-definitions-schema.xsd b/linux-definitions-schema.xsd index 5469030..40d9a90 100644 --- a/linux-definitions-schema.xsd +++ b/linux-definitions-schema.xsd 
@@ -1,21 +1,121 @@ - + The following is a description of the elements, types, and attributes that compose the Linux specific tests found in Open Vulnerability and Assessment Language (OVAL). Each test is an extension of the standard test element defined in the Core Definition Schema. Through extension, each test inherits a set of elements and attributes that are shared amongst all OVAL tests. Each test is described in detail and should provide the information necessary to understand what each element and attribute represents. This document is intended for developers and assumes some familiarity with XML. A high level description of the interaction between the different tests and their relationship to the Core Definition Schema is not outlined here. - The OVAL Schema is maintained by The MITRE Corporation and developed by the public OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.mitre.org. + The OVAL Schema is maintained by the OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.cisecurity.org. Linux Definition - 5.10.1 - 1/27/2012 1:22:32 PM - Copyright (c) 2002-2012, The MITRE Corporation. All rights reserved. The contents of this file are subject to the terms of the OVAL License located at http://oval.mitre.org/oval/about/termsofuse.html. See the OVAL License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the OVAL Schema, this license header must be included. + 5.11.1:1.2 + 11/30/2016 09:00:00 AM + Copyright (c) 2016, Center for Internet Security. All rights reserved. The contents of this file are subject to the terms of the OVAL License located at https://oval.cisecurity.org/terms. 
See the OVAL License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the OVAL Schema, this license header must be included. + + + + + The AppArmor Status Test is used to check properties representing the counts of profiles and processes as per the results of the "apparmor_status" or "aa-status" command. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references an apparmorstatus_object and the optional state element specifies the data to check. + + + apparmorstatus_test + apparmorstatus_object + apparmorstatus_state + apparmorstatus_item + + + + + + - the object child element of a apparmorstatus_test must reference a apparmorstatus_object + + + - the state child element of a apparmorstatustest must reference a apparmorstatus_state + + + + + + + + + + + + + + + + + + The apparmorstatus_object element is used by an apparmorstatus test to define the different information about the current AppArmor polciy. There is actually only one object relating to AppArmor Status and this is the system as a whole. Therefore, there are no child entities defined. Any OVAL Test written to check AppArmor status will reference the same apparmorstatus_object which is basically an empty object element. + + + + + + + + + + The AppArmor Status Item displays various information about the current AppArmor policy. This item maps the counts of profiles and processes as per the results of the "apparmor_status" or "aa-status" command. Please refer to the individual elements in the schema for more details about what each represents. 
+ + + + + + + + Displays the number of loaded profiles + + + + + Displays the number of profiles in enforce mode + + + + + Displays the number of profiles in complain mode + + + + + Displays the number of processes which have profiles defined + + + + + Displays the number of processes in enforce mode + + + + + Displays the number of processes in complain mode + + + + + Displays the number of processes which are unconfined but have a profile defined + + + + + + + + @@ -164,10 +264,31 @@ - + - This represents the epoch, version, and release fields as a single version string. It has the form "EPOCH:VERSION-RELEASE". + This represents the epoch, upstream_version, and debian_revision fields, for a Debian package, as a single version string. It has the form "EPOCH:UPSTREAM_VERSION-DEBIAN_REVISION". Note that a null epoch (or '(none)' as returned by dpkg) is equivalent to '0' and would hence have the form 0:UPSTREAM_VERSION-DEBIAN_REVISION. + + + + Warning: There are differences in the algorithms for how the version strings of Debian and RPM packages are compared. As a result, a new debian_evr_string datatype was added to the OVAL Language and should be used, for this entity, instead of the evr_string datatype. + + + + + + + + + + + + + + + + + 
@@ -541,21 +662,32 @@ The mount_options element contains a string that represents the mount options associated with a partition. + Implementation note: not all mount options are visible in /etc/mtab or /proc/mounts. A complete source of additional mount options is the f_flag field of 'struct statvfs'. See statvfs(2). /etc/fstab may have additional mount options, but it need not contain all mounted filesystems, so it MUST NOT be relied upon. Implementers MUST be sure to get all mount options in some way. - The total_space element contains an integer that represents the total number of blocks on a partition. + The total_space element contains an integer that represents the total number of physical blocks on a partition. - The space_used element contains an integer that represents the number of blocks used on a partition. + The space_used element contains an integer that represents the number of physical blocks used on a partition. - The space_left element contains an integer that represents the number of blocks left on a partition. + The space_left element contains an integer that represents the number of physical blocks left on a partition available to be used by privileged users. + + + + + The space_left_for_unprivileged_users element contains an integer that represents the number of physical blocks remaining on a partition that are available to be used by unprivileged users. + + + + + The block_size element contains an integer that represents the actual byte size of each physical block on the partition's block device. This is the same block size used to compute the total_space, space_used, and space_left. @@ -696,7 +828,7 @@ - This is the version number of the build. In the case of an apache rpm named httpd-2.0.40-21.11.4.i686.rpm, this value would be 21.11.4. + This is the version number of the build. In the case of an apache rpm named httpd-2.0.40-21.11.4.i686.rpm, this value would be 2.0.40. 
@@ -725,7 +857,7 @@ - This represents the name, epoch, version, release, and architecture fields as a single version string. It has the form "NAME-EPOCH:VERSION-RELEASE.ARCHITECTURE". Note that a null epoch (or '(none)' as returned by rpm) is equivalent to '0' and would hence have the form NAME-0:VERSION-RELEASE.ARCHITECTURE. + This represents the name, epoch, version, release, and architecture fields as a single version string. It has the form "NAME-EPOCH:VERSION-RELEASE.ARCHITECTURE". Note that a null epoch (or '(none)' as returned by rpm) is equivalent to '0' and would hence have the form NAME-0:VERSION-RELEASE.ARCHITECTURE. The 'gpg-pubkey' virtual package on RedHat and CentOS should use the string '(none)' for the architecture to construct the extended_name. @@ -746,7 +878,7 @@ 'filepaths', when true, this behavior means collect all filepaths (directory and file information) from the rpm database for the package. - + @@ -798,7 +930,7 @@ - The rpmverify_object element is used by a rpmverity_test to define a set of files within a set of RPMs to verify. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema. + The rpmverify_object element is used by a rpmverify_test to define a set of files within a set of RPMs to verify. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema. @@ -842,7 +974,7 @@ The filepath element specifies the absolute path for a file or directory in the specified package. - + 
@@ -1130,7 +1262,7 @@ - This is the version number of the build. In the case of an apache rpm named httpd-2.0.40-21.11.4.i686.rpm, this value would be 21.11.4. + This is the version number of the build. In the case of an apache rpm named httpd-2.0.40-21.11.4.i686.rpm, this value would be 2.0.40. @@ -1218,7 +1350,7 @@ - This is the version number of the build. In the case of an apache rpm named httpd-2.0.40-21.11.4.i686.rpm, this value would be 21.11.4. + This is the version number of the build. In the case of an apache rpm named httpd-2.0.40-21.11.4.i686.rpm, this value would be 2.0.40. @@ -1282,6 +1414,18 @@ The md5_differs entity aligns with the third character ('5' flag) in the character string in the output generated by running rpm –V on a specific file. + + + 5.11.1:1.1 + Replaced by the filedigest_differs entity. + This entity has been deprecated and will be removed in version 6.0 of the language. + + + + + + + The filedigest_differs entity aligns with the third character ('5' flag) in the character string in the output generated by running rpm –V on a specific file. This replaces the md5_differs entity due to naming changes for verification and reporting options. @@ -1356,6 +1500,13 @@ 'nomd5' when true this behavior means, don't verify the file md5 attribute. + + + 5.11.1:1.1 + Replaced by the nofiledigest RpmVerifyFileBehaviors option. + This Behavior has been deprecated and will be removed in version 6.0 of the language. + + @@ -1398,6 +1549,16 @@ 'noghostfiles' when true this behavior means, skip files that are maked with %ghost attribute marker. + + + 'nofiledigest' when true this behavior means, don't verify the file digest attribute. + + + + + 'nocaps' when true this behavior means, don't verify the presence of file capabilities. + + 
@@ -1437,7 +1598,7 @@ - The rpmverifypackage_object element is used by a rpmverity_test to define a set of RPMs to verify. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema. + The rpmverifypackage_object element is used by a rpmverify_test to define a set of RPMs to verify. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema. @@ -1486,7 +1647,7 @@ - This is the version number of the build. In the case of an apache rpm named httpd-2.0.40-21.11.4.i686.rpm, this value would be 21.11.4. + This is the version number of the build. In the case of an apache rpm named httpd-2.0.40-21.11.4.i686.rpm, this value would be 2.0.40. @@ -1569,7 +1730,7 @@ - This is the version number of the build. In the case of an apache rpm named httpd-2.0.40-21.11.4.i686.rpm, this value would be 21.11.4. + This is the version number of the build. In the case of an apache rpm named httpd-2.0.40-21.11.4.i686.rpm, this value would be 2.0.40. @@ -1623,6 +1784,18 @@ The digest_check_passed entity indicates whether or not the verification of the package or header digests passed. If the digest check is not performed, due to the 'nodigest' behavior, this entity must not be collected. + + + 5.11 + The digest_check_passed entity can not be collected as implemented, and has become irrelevant. + This entity has been deprecated and will be removed in version 6.0 of the language. + + + + DEPRECATED ELEMENT: ID: + + + 
@@ -1633,6 +1806,18 @@ The signature_check_passed entity indicates whether or not the verification of the package or header signatures passed. If the signature check is not performed, due to the 'nosignature' behavior, this entity must not be collected. + + + 5.11 + The signature_check_passed entity can not be collected as implemented, and has become irrelevant. + This entity has been deprecated and will be removed in version 6.0 of the language. + + + + DEPRECATED ELEMENT: ID: + + + @@ -1652,6 +1837,18 @@ 'nodigest' when true this behavior means, don't verify package or header digests when reading. + + + 5.11 + The nodigest behavior has become irrelevant since the element it impacts has been deprecated. + This test has been deprecated and will be removed in version 6.0 of the language. + + + + DEPRECATED BEHAVIOR: ID: + + + @@ -1662,6 +1859,18 @@ 'nosignature' when true this behavior means, don't verify package or header signatures when reading. + + + 5.11 + The nosignature behavior has become irrelevant since the element it impacts has been deprecated. + This test has been deprecated and will be removed in version 6.0 of the language. + + + + DEPRECATED BEHAVIOR: ID: + + + @@ -1837,7 +2046,7 @@ - the max_depth, recurse, and recurse_direction behaviors are not allowed with a filepath entity - + - the recurse_file_system behavior MUST not be set to 'defined' when a pattern match is used with a filepath entity. @@ -2063,10 +2272,24 @@ This is the package name to check. - + This is the version number of the package. + + + + + + + + + + + + + + 
@@ -2083,6 +2306,581 @@ + + + + + + The systemdunitdependency_test is used to retrieve information about dependencies of a single systemd unit in the form of a list. This list contains all dependencies, including transitive dependencies. For more information see the output generated by systemctl list-dependencies --plain $unit. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a systemdunitdependency_object and the optional state element specifies the data to check. + + + systemdunitdependency_test + systemdunitdependency_object + systemdunitdependency_state + systemdunitdependency_item + + + + + + - the object child element of a systemdunitdependency_test must reference a systemdunitdependency_object + + + - the state child element of a systemdunitdependency_test must reference a systemdunitdependency_state + + + + + + + + + + + + + + + + + + The systemdunitdependency_object element is used by a systemdunitdependency_test to define the specific units to check the dependencies of. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema. + + + + + + + + + + State referenced in filter for '' is of the wrong type. + + + + + + + + + + + + + + The unit entity refers to the full systemd unit name, which has a form of "$name.$type". For example "cupsd.service". This name is usually also the filename of the unit configuration file located in the /etc/systemd/ and /usr/lib/systemd/ directories. + + + + + + + + + + + + + The systemdunitdependency_state element holds dependencies of a specific systemd unit. 
Please refer to the individual elements in the schema for more details about what each represents. + + + + + + + + The unit entity refers to the full systemd unit name, which has a form of "$name.$type". For example "cupsd.service". This name is usually also the filename of the unit configuration file located in the /etc/systemd/ and /usr/lib/systemd/ directories. + + + + + The dependency entity refers to the name of a unit that was confirmed to be a dependency of the given unit. + + + + + + + + + + + + + The systemdunitproperty_test is used to retrieve information about systemd units in form of properties. For more information see the output generated by systemctl show $unit. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a systemdunitproperty_object and the optional state element specifies the data to check. + + + systemdunitproperty_test + systemdunitproperty_object + systemdunitproperty_state + systemdunitproperty_item + + + + + + - the object child element of a systemdunitproperty_test must reference a systemdunitproperty_object + + + - the state child element of a systemdunitproperty_test must reference a systemdunitproperty_state + + + + + + + + + + + + + + + + + + The systemdunitproperty_object element is used by a systemdunitproperty_test to define the specific unit and property combination to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema. + + + + + + + + + + State referenced in filter for '' is of the wrong type. 
+ + + + + + + + + + + + + + The unit entity refers to the full systemd unit name, which has a form of "$name.$type". For example "cupsd.service". This name is usually also the filename of the unit configuration file located in the /etc/systemd/ and /usr/lib/systemd/ directories. + + + + + The property entity refers to the systemd unit property that we are interested in. + + + + + + + + + + + + + The systemdunitproperty_state element holds information about properties of a specific systemd unit. Please refer to the individual elements in the schema for more details about what each represents. + + + + + + + + The unit entity refers to the full systemd unit name, which has a form of "$name.$type". For example "cupsd.service". This name is usually also the filename of the unit configuration file located in the /etc/systemd/ and /usr/lib/systemd/ directories. + + + + + The name of the property associated with a systemd unit. + + + + + The value of the property associated with a systemd unit. + + + + + + + + + + + + + + The auditdline_test is used to check the living rules of the auditd service. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a auditdline_object and the optional state element specifies the data to check. + + + auditdline_test + auditdline_object + auditdline_state + auditdline_item + + + + + + - the object child element of a auditdline_test must reference a auditdline_object + + + - the state child element of a auditdline_test must reference a auditdline_state + + + + + + + + + + + + + + + + + + The auditdline_object element is used by a auditdline_test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. 
The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema. + A auditdline_object consists of an filter_key entity that is the same as the -k parameter of the auditctl -l command. + + + + + + + + + + State referenced in filter for '' is of the wrong type. + + + + + + + + + + + + + + As described in the auditctl(8) manpage, the filter key is an arbitrary string of text that can be up to 31 bytes long. It can uniquely identify the audit records produced by a rule. You may have more than one key on a rule. + If the xsi:nil attribute is set to true, all auditd rules must be present in the system characteristics (auditdline_item). + + + + + + + + + + + + + The auditdline_state element defines the different information that can be used to evaluate the auditd rules. This includes the filter key, the corresponding rule and the line number of the rule. Please refer to the individual elements in the schema for more details about what each represents. + + + + + + + + As described in the auditctl(8) manpage, the filter key is an arbitrary string of text that can be up to 31 bytes long. It can uniquely identify the audit records produced by a rule. You may have more than one key on a rule. + + + + + A rule written on a single line like returned by the auditctl -k command. + + + + + The line number of the rule, which can be considered as the rule number regarding that there is one rule per line. This number starts at 1 which means that the number of the first rule returned is 1. + + + + + + + + + + + + + + + The networkfirewall_test is used to check the living filtering rules of the network firewall on a UNIX system. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. 
The required object element references a auditdline_object and the optional state element specifies the data to check. + + + networkfirewall_test + networkfirewall_object + networkfirewall_state + networkfirewall_item + + + + + + - the object child element of a networkfirewall_test must reference a networkfirewall_object + + + - the state child element of a networkfirewall_test must reference a networkfirewall_state + + + + + + + + + + + + + + + + + + The networkfirewall_object element is used by a networkfirewall_test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema. + A networkfirewall_object provides an abstration to check authorized and blocked packets based on network interfaces and direction of the trafic. + + + + + + + + + + State referenced in filter for '' is of the wrong type. + + + + + + + + + + + + + + The direction (incoming, outgoing or forwarding) of the network packets. + + + + + This is the name of the input interface (eth0, eth1, fw0, etc.). + The xsi:nil attribute must set to true only when the attribute packet_direction is set to outgoing. + + + + + This is the name of the output interface (eth0, eth1, fw0, etc.). + The xsi:nil attribute must set to true only when the attribute packet_direction is set to incoming. + + + + + + Action that can be taken on a network packet by the network firewall based on its configuration. + + + + + + + + + + + + + The networkfirewall_state element defines the different information that can be used to evaluate the network firewall configuration. This includes the packet direction, the network interfaces, the filter action, the protocol, and pairs of address/port for both source and destination. 
Please refer to the individual elements in the schema for more details about what each represents. + + + + + + + + The direction (incoming, outgoing or forwarding) of the network packets. + + + + + This is the name of the input interface (eth0, eth1, fw0, etc.). + + + + + This is the name of the output interface (eth0, eth1, fw0, etc.). + + + + + Action taken on a network packet by the network firewall based on its configuration. + + + + + + The transport_protocol entity defines the specific transport-layer protocol, in lowercase: sctp, tcp or udp. + + + + + Source address of the packets. According to this OVAL datatype, it describes any IPv4/IPv6 address, address prefix, or its string representation. Note that the IP address can be IPv4 or IPv6. + + + + + Source port of the packets. + + + + + Destination address of the packets. According to this OVAL datatype, it describes any IPv4/IPv6 address, address prefix, or its string representation. Note that the IP address can be IPv4 or IPv6. + + + + + Destination port of the packets. + + + + + + + + + + + + + The EntityObjectPacketDirectionType complex type restricts a string value to a specific set of values that specify the direction of network packets. The empty string is also allowed to support empty elements associated with variable references. + + + + + + Incoming packets. + + + + + Outgoing packets. + + + + + Forwarding packets. + + + + + The empty string value is permitted here to allow for empty elements associated with variable references. + + + + + + + + The EntityStatePacketDirectionType complex type restricts a string value to a specific set of values that specify the direction of network packets. The empty string is also allowed to support empty elements associated with variable references. + + + + + + Incoming packets. + + + + + Outgoing packets. + + + + + Forwarding packets. + + + + + The empty string value is permitted here to allow for empty elements associated with variable references. 
+ + + + + + + + The EntityObjectFilteringActionType complex type restricts a string value to a specific set of values that specify the filtering action of the network firewall. The empty string is also allowed to support empty elements associated with variable references. + + + + + + Network packets that are allowed by the firewall. + + + + + Network packets that are denied by the firewall. + + + + + The empty string value is permitted here to allow for empty elements associated with variable references. + + + + + + + + The EntityStateFilteringActionType complex type restricts a string value to a specific set of values that specify the filtering action of the network firewall. The empty string is also allowed to support empty elements associated with variable references. + + + + + + Network packets that are allowed by the firewall. + + + + + Network packets that are denied by the firewall. + + + + + The empty string value is permitted here to allow for empty elements associated with variable references. + + + + + + 
@@ -2132,7 +2930,7 @@ - 'recurse_file_system' defines the file system limitation of any searching and applies to all operations as specified on the path or filepath entity. The value of 'local' limits the search scope to local file systems (as opposed to file systems mounted from an external system). The value of 'defined' keeps any recursion within the file system that the file_object (path+filename or filepath) has specified. The value of 'defined' only applies when an equality operation is used for searching because the path or filepath entity must explicitly define a file system. The default value is 'all' meaning to search all available file systems for data collection. + 'recurse_file_system' defines the file system limitation of any searching and applies to all operations as specified on the path or filepath entity. The value of 'local' limits the search scope to local file systems (as opposed to file systems mounted from an external system). The value of 'defined' keeps any recursion within the file system that the file_object (path+filename or filepath) has specified. For example, if the path specified was "/", you would search only the filesystem mounted there, not other filesystems mounted to descendant paths. The value of 'defined' only applies when an equality operation is used for searching because the path or filepath entity must explicitly define a file system. The default value is 'all' meaning to search all available file systems for data collection. Note that in most cases it is recommended that the value of 'local' be used to ensure that file system searching is limited to only the local file systems. Searching 'all' file systems may have performance implications. 
@@ -2143,7 +2941,7 @@ - + The EntityStateRpmVerifyResultType complex type restricts a string value to the set of possible outcomes of checking an attribute of a file included in an RPM against the actual value of that attribute in the RPM database. The empty string is also allowed to support the empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values. diff --git a/linux-system-characteristics-schema.xsd b/linux-system-characteristics-schema.xsd index f7e2d7e..aa22a4d 100644 --- a/linux-system-characteristics-schema.xsd +++ b/linux-system-characteristics-schema.xsd 
@@ -1,21 +1,78 @@ - + - + The following is a description of the elements, types, and attributes that compose the Linux specific system characteristic items found in Open Vulnerability and Assessment Language (OVAL). Each item is an extension of the standard item element defined in the Core System Characteristic Schema. Through extension, each item inherits a set of elements and attributes that are shared amongst all OVAL Items. Each item is described in detail and should provide the information necessary to understand what each element and attribute represents. This document is intended for developers and assumes some familiarity with XML. A high level description of the interaction between the different tests and their relationship to the Core System Characteristic Schema is not outlined here. - The OVAL Schema is maintained by The MITRE Corporation and developed by the public OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.mitre.org. + The OVAL Schema is maintained by the OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.cisecurity.org. Linux System Characteristics - 5.10.1 - 1/27/2012 1:22:32 PM - Copyright (c) 2002-2012, The MITRE Corporation. All rights reserved. The contents of this file are subject to the terms of the OVAL License located at http://oval.mitre.org/oval/about/termsofuse.html. See the OVAL License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the OVAL Schema, this license header must be included. + 5.11.1:1.2 + 11/30/2016 09:00:00 AM + Copyright (c) 2016, Center for Internet Security. All rights reserved. The contents of this file are subject to the terms of the OVAL License located at https://oval.cisecurity.org/terms. 
See the OVAL License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the OVAL Schema, this license header must be included. + + + + + The AppArmor Status Item displays various information about the current AppArmor policy. This item maps the counts of profiles and processes as per the results of the "apparmor_status" or "aa-status" command. Each item extends the standard ItemType as defined in the oval-system-characteristics-schema and one should refer to the ItemType description for more information. + + + + + + + + Displays the number of loaded profiles + + + + + Displays the number of profiles in enforce mode + + + + + Displays the number of profiles in complain mode + + + + + Displays the number of processes which have profiles defined + + + + + Displays the number of processes in enforce mode + + + + + Displays the number of processes in complain mode + + + + + Displays the number of processes which are unconfined but have a profile defined + + + + + + + + @@ -93,10 +150,31 @@ - + - This represents the epoch, version, and release fields as a single version string. It has the form "EPOCH:VERSION-RELEASE". Note that a null epoch (or '(none)' as returned by rpm) is equivalent to '0' and would hence have the form 0:VERSION-RELEASE. + This type represents the epoch, upstream_version, and debian_revision fields, for a Debian package, as a single version string. It has the form "EPOCH:UPSTREAM_VERSION-DEBIAN_REVISION". Note that a null epoch (or '(none)' as returned by dpkg) is equivalent to '0' and would hence have the form 0:UPSTREAM_VERSION-DEBIAN_REVISION. + + + + Warning: There are differences in the algorithms for how the version strings of Debian and RPM packages are compared. As a result, a new debian_evr_string datatype was added to the OVAL Language and should be used, for this entity, instead of the evr_string datatype. + + + + + + + + + + + + + + + + + 
@@ -249,21 +327,32 @@ The mount_options element contains a string that represents a mount option associated with a partition on the local system. + Implementation note: not all mount options are visible in /etc/mtab or /proc/mounts. A complete source of additional mount options is the f_flag field of 'struct statvfs'. See statvfs(2). /etc/fstab may have additional mount options, but it need not contain all mounted filesystems, so it MUST NOT be relied upon. Implementers MUST be sure to get all mount options in some way. - The total_space element contains an integer that represents the total number of blocks on a partition. + The total_space element contains an integer that represents the total number of physical blocks on a partition. - The space_used element contains an integer that represents the number of blocks used on a partition. + The space_used element contains an integer that represents the number of physical blocks used on a partition. - The space_left element contains an integer that represents the number of blocks left on a partition. + The space_left element contains an integer that represents the number of physical blocks left on a partition available to be used by privileged users. + + + + + The space_left_for_unprivileged_users element contains an integer that represents the number of physical blocks remaining on a partition that are available to be used by unprivileged users. + + + + + The block_size element contains an integer representing the actual byte size of each physical block on the partition's block device. This is the same block size used to compute the total_space, space_used, and space_left. @@ -306,9 +395,9 @@ - + - + 
@@ -325,14 +414,14 @@ - + - + - This is the version number of the build, changed by the vendor/builder. In the case of an apache rpm named httpd-2.0.40-21.11.4.i686.rpm, this value would be 21.11.4. + This is the version number of the build, changed by the vendor/builder. In the case of an apache rpm named httpd-2.0.40-21.11.4.i686.rpm, this value would be 2.0.40. @@ -344,10 +433,10 @@ - + - - + + @@ -361,7 +450,7 @@ - This represents the name, epoch, version, release, and architecture fields as a single version string. It has the form "NAME-EPOCH:VERSION-RELEASE.ARCHITECTURE". Note that a null epoch (or '(none)' as returned by rpm) is equivalent to '0' and would hence have the form NAME-0:VERSION-RELEASE.ARCHITECTURE. + This represents the name, epoch, version, release, and architecture fields as a single version string. It has the form "NAME-EPOCH:VERSION-RELEASE.ARCHITECTURE". Note that a null epoch (or '(none)' as returned by rpm) is equivalent to '0' and would hence have the form NAME-0:VERSION-RELEASE.ARCHITECTURE. The 'gpg-pubkey' virtual package on RedHat and CentOS should use the string '(none)' for the architecture to construct the extended_name. @@ -390,7 +479,7 @@ DEPRECATED ITEM: ID: - + @@ -519,7 +608,7 @@ - This is the version number of the build. In the case of an apache rpm named httpd-2.0.40-21.11.4.i686.rpm, this value would be 21.11.4. + This is the version number of the build. In the case of an apache rpm named httpd-2.0.40-21.11.4.i686.rpm, this value would be 2.0.40. 
@@ -583,6 +672,18 @@ The md5_differs entity aligns with the third character ('5' flag) in the character string in the output generated by running rpm –V on a specific file. + + + 5.11.1:1.1 + Replaced by the filedigest_differs entity. + This entity has been deprecated and will be removed in version 6.0 of the language. + + + + + + + The filedigest_differs entity aligns with the third character ('5' flag) in the character string in the output generated by running rpm –V on a specific file. This replaces the md5_differs entity due to naming changes for verification and reporting options. @@ -682,7 +783,7 @@ - This is the version number of the build. In the case of an apache rpm named httpd-2.0.40-21.11.4.i686.rpm, this value would be 21.11.4. + This is the version number of the build. In the case of an apache rpm named httpd-2.0.40-21.11.4.i686.rpm, this value would be 2.0.40. 
@@ -736,16 +837,40 @@ The digest_check_passed entity indicates whether or not the verification of the package or header digests passed. If the digest check is not performed, due to the 'nodigest' behavior, this entity must not be collected. + + + 5.11 + The digest_check_passed item entity can not be collected as implemented, and has become irrelevant. + This item entity has been deprecated and will be removed in version 6.0 of the language. + + + + DEPRECATED ELEMENT: ID: + + + The verification_script_successful entity indicates whether or not the verification script executed successfully. If the verification script is not executed, due to the 'noscripts' behavior, this entity must not be collected. - + The signature_check_passed entity indicates whether or not the verification of the package or header signatures passed. If the signature check is not performed, due to the 'nosignature' behavior, this entity must not be collected. + + + 5.11 + The signature_check_passed item entity can not be collected as implemented, and has become irrelevant. + This item entity has been deprecated and will be removed in version 6.0 of the language. + + + + DEPRECATED ELEMENT: ID: + + + @@ -891,10 +1016,24 @@ This is the pakage name to check. - + This is the version number of the pakage. + + + + + + + + + + + + + + 
@@ -912,6 +1051,158 @@ + + + + + This item stores the dependencies of the systemd unit. Please refer to the individual elements in the schema for more details about what each represents. + + + + + + + + The unit entity refers to the full systemd unit name, which has a form of "$name.$type". For example "cupsd.service". This name is usually also the filename of the unit configuration file located in the /etc/systemd/ and /usr/lib/systemd/ directories. + + + + + The dependency entity refers to the name of a unit that was confirmed to be a dependency of the given unit. + + + + + + + + + + + + + This item stores the properties and values of a systemd unit. + + + + + + + + The unit entity refers to the full systemd unit name, which has a form of "$name.$type". For example "cupsd.service". This name is usually also the filename of the unit configuration file located in the /etc/systemd/ and /usr/lib/systemd/ directories. + + + + + The name of the property associated with a systemd unit. + + + + + The value of the property associated with a systemd unit. Exactly one value shall be used for all property types except dbus arrays - each array element shall be represented by one value. + + + + + + + + + + + + + + This item stores results from checking the living rules of the auditd service. + + + + + + + + >As described in the auditctl(8) manpage, the filter key is an arbitrary string of text that can be up to 31 bytes long. It can uniquely identify the audit records produced by a rule. You may have more than one key on a rule. + + + + + A rule written on a single line like returned by the auditctl -k command. + + + + + The line number of the rule, which can be considered as the rule number regarding that there is one rule per line. This number starts at 1 which means that the number of the first rule returned is 1. + + + + + + + + + + + + + + + This item stores results from checking the living configuration of the network firewall on a UNIX system. 
+ + + + + + + + The direction (incoming, outgoing or forwarding) of the network packets. + + + + + This is the name of the input interface (eth0, eth1, fw0, etc.). + + + + + This is the name of the output interface (eth0, eth1, fw0, etc.). + + + + + Action taken on a network packet by the network firewall based on its configuration. + + + + + The transport_protocol entity defines the specific transport-layer protocol, in lowercase: sctp, tcp or udp. + + + + + Source address of the packets. According to this OVAL datatype, it describes any IPv4/IPv6 address, address prefix, or its string representation. Note that the IP address can be IPv4 or IPv6. + + + + + Source port of the packets. + + + + + Destination address of the packets. According to this OVAL datatype, it describes any IPv4/IPv6 address, address prefix, or its string representation. Note that the IP address can be IPv4 or IPv6. + + + + + Destination port of the packets. + + + + + + + + @@ -1207,4 +1498,57 @@ + + + The EntityItemPacketDirectionType complex type restricts a string value to a specific set of values that specify the direction of network packets. The empty string is also allowed to support empty elements associated with variable references. + + + + + + Incoming packets. + + + + + Outgoing packets. + + + + + Forwarding packets. + + + + + The empty string value is permitted here to allow for empty elements associated with variable references. + + + + + + + + The EntityItemFilteringActionType complex type restricts a string value to a specific set of values that specify the filtering action of the network firewall. The empty string is also allowed to support empty elements associated with variable references. + + + + + + Network packets that are allowed by the firewall. + + + + + Network packets that are denied by the firewall. + + + + + The empty string value is permitted here to allow for empty elements associated with variable references. + + + + + 
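Review bot: The hunk @@ -1,21 +1,78 @@ in linux-system-characteristics-schema.xsd replaces the 5.10.1 / MITRE file header with "5.11.1:1.2", "11/30/2016 09:00:00 AM" and the Center for Internet Security license text, and adds the AppArmor status item; none of that belongs to the auditdline/networkfirewall addition, and the same goes for the systemdunitdependency_item and systemdunitproperty_item blocks in @@ -912 and the md5_differs, digest_check_passed and signature_check_passed deprecation notes in @@ -583 and @@ -736. Please split the upstream 5.10.1 to 5.11.1:1.2 synchronisation into its own commit so the two new tests can be reviewed on their own and the diffstat reflects what they actually add.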
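Review bot: In the hunk @@ -325,14 +414,14 @@ the changed sentence now reads "This is the version number of the build, changed by the vendor/builder. In the case of an apache rpm named httpd-2.0.40-21.11.4.i686.rpm, this value would be 2.0.40." The value 2.0.40 is the upstream version field, but "changed by the vendor/builder" describes the release field (21.11.4), so the sentence contradicts itself: drop the vendor/builder clause if this documents the version entity, or keep 21.11.4 if it documents the release entity. The parallel edits in @@ -519 and @@ -682 are fine because they do not carry that clause.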
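Review bot: The filter_key documentation added in @@ -912,6 +1051,158 @@ begins with a stray ">" (">As described in the auditctl(8) manpage, the filter key is an arbitrary string of text..."), which will appear as literal text in generated documentation; drop it. In the same hunk the rule entity says "A rule written on a single line like returned by the auditctl -k command": "-k" is the option that attaches a key to a rule, the listing command is "auditctl -l" (the object documentation in the new definitions schema correctly calls the key "the -k parameter of the auditctl -l command"), so reword to "as returned by auditctl -l". The line_number text ("which can be considered as the rule number regarding that there is one rule per line") would read better as "one rule per output line of auditctl -l, numbered from 1". Finally, auditdline_item and networkfirewall_item here are verbatim copies of the items in the new x-linux-network-auditd-system-characteristics-schema.xsd; an item should live in exactly one namespace, so keep them either in the experimental x- schema or in the core schema, not both.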
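Review bot: EntityItemPacketDirectionType and EntityItemFilteringActionType in @@ -1207,4 +1498,57 @@ are duplicated verbatim in the new x-linux-network-auditd-system-characteristics-schema.xsd, so the same type names end up defined in two namespaces; keep one copy. The filtering type also only distinguishes "Network packets that are allowed by the firewall" from "Network packets that are denied by the firewall"; most firewalls separate a silent drop from a reject that answers the sender, and a compliance check that wants to assert "denied without a reply" cannot express that with two values, so either add the distinction or state in the documentation that deny covers both before this type is frozen.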
diff --git a/x-linux-network-auditd-definitions-schema.xsd b/x-linux-network-auditd-definitions-schema.xsd new file mode 100644 index 0000000..6166d63 --- /dev/null +++ b/x-linux-network-auditd-definitions-schema.xsd 
@@ -0,0 +1,392 @@ + + + + + + The following is a description of the elements, types, and attributes that compose the Linux specific tests found in Open Vulnerability and Assessment Language (OVAL). Each test is an extension of the standard test element defined in the Core Definition Schema. Through extension, each test inherits a set of elements and attributes that are shared amongst all OVAL tests. Each test is described in detail and should provide the information necessary to understand what each element and attribute represents. This document is intended for developers and assumes some familiarity with XML. A high level description of the interaction between the different tests and their relationship to the Core Definition Schema is not outlined here. + The OVAL Schema is maintained by The MITRE Corporation and developed by the public OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.mitre.org. + + Linux Definition + 5.11.2 + 2/26/2013 12:57:23 PM + Copyright (c) 2002-2013, The MITRE Corporation. All rights reserved. The contents of this file are subject to the terms of the OVAL License located at http://oval.mitre.org/oval/about/termsofuse.html. See the OVAL License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the OVAL Schema, this license header must be included. + + + + + + + + + + + + The auditdline_test is used to check the living rules of the auditd service. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a auditdline_object and the optional state element specifies the data to check. 
+ + + auditdline_test + auditdline_object + auditdline_state + auditdline_item + + + + + + - the object child element of a auditdline_test must reference a auditdline_object + + + - the state child element of a auditdline_test must reference a auditdline_state + + + + + + + + + + + + + + + + + + The auditdline_object element is used by a auditdline_test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema. + A auditdline_object consists of an filter_key entity that is the same as the -k parameter of the auditctl -l command. + + + + + + + + + + State referenced in filter for '' is of the wrong type. + + + + + + + + + + + + + + As described in the auditctl(8) manpage, the filter key is an arbitrary string of text that can be up to 31 bytes long. It can uniquely identify the audit records produced by a rule. You may have more than one key on a rule. + If the xsi:nil attribute is set to true, all auditd rules must be present in the system characteristics (auditdline_item). + + + + + + + + + + + + + The auditdline_state element defines the different information that can be used to evaluate the auditd rules. This includes the filter key, the corresponding rule and the line number of the rule. Please refer to the individual elements in the schema for more details about what each represents. + + + + + + + + As described in the auditctl(8) manpage, the filter key is an arbitrary string of text that can be up to 31 bytes long. It can uniquely identify the audit records produced by a rule. You may have more than one key on a rule. + + + + + A rule written on a single line like returned by the auditctl -k command. 
+ + + + + The line number of the rule, which can be considered as the rule number regarding that there is one rule per line. This number starts at 1 which means that the number of the first rule returned is 1. + + + + + + + + + + + + + + + The networkfirewall_test is used to check the living filtering rules of the network firewall on a UNIX system. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a auditdline_object and the optional state element specifies the data to check. + + + networkfirewall_test + networkfirewall_object + networkfirewall_state + networkfirewall_item + + + + + + - the object child element of a networkfirewall_test must reference a networkfirewall_object + + + - the state child element of a networkfirewall_test must reference a networkfirewall_state + + + + + + + + + + + + + + + + + + The networkfirewall_object element is used by a networkfirewall_test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema. + A networkfirewall_object provides an abstration to check authorized and blocked packets based on network interfaces and direction of the trafic. + + + + + + + + + + State referenced in filter for '' is of the wrong type. + + + + + + + + + + + + + + The direction (incoming, outgoing or forwarding) of the network packets. + + + + + This is the name of the input interface (eth0, eth1, fw0, etc.). + The xsi:nil attribute must set to true only when the attribute packet_direction is set to outgoing. + + + + + This is the name of the output interface (eth0, eth1, fw0, etc.). 
+ The xsi:nil attribute must set to true only when the attribute packet_direction is set to incoming. + + + + + + Action that can be taken on a network packet by the network firewall based on its configuration. + + + + + + + + + + + + + The networkfirewall_state element defines the different information that can be used to evaluate the network firewall configuration. This includes the packet direction, the network interfaces, the filter action, the protocol, and pairs of address/port for both source and destination. Please refer to the individual elements in the schema for more details about what each represents. + + + + + + + + The direction (incoming, outgoing or forwarding) of the network packets. + + + + + This is the name of the input interface (eth0, eth1, fw0, etc.). + + + + + This is the name of the output interface (eth0, eth1, fw0, etc.). + + + + + Action taken on a network packet by the network firewall based on its configuration. + + + + + + The transport_protocol entity defines the specific transport-layer protocol, in lowercase: sctp, tcp or udp. + + + + + Source address of the packets. According to this OVAL datatype, it describes any IPv4/IPv6 address, address prefix, or its string representation. Note that the IP address can be IPv4 or IPv6. + + + + + Source port of the packets. + + + + + Destination address of the packets. According to this OVAL datatype, it describes any IPv4/IPv6 address, address prefix, or its string representation. Note that the IP address can be IPv4 or IPv6. + + + + + Destination port of the packets. + + + + + + + + + + + + + + The EntityObjectPacketDirectionType complex type restricts a string value to a specific set of values that specify the direction of network packets. The empty string is also allowed to support empty elements associated with variable references. + + + + + + Incoming packets. + + + + + Outgoing packets. + + + + + Forwarding packets. 
+ + + + + The empty string value is permitted here to allow for empty elements associated with variable references. + + + + + + + + The EntityStatePacketDirectionType complex type restricts a string value to a specific set of values that specify the direction of network packets. The empty string is also allowed to support empty elements associated with variable references. + + + + + + Incoming packets. + + + + + Outgoing packets. + + + + + Forwarding packets. + + + + + The empty string value is permitted here to allow for empty elements associated with variable references. + + + + + + + + The EntityObjectFilteringActionType complex type restricts a string value to a specific set of values that specify the filtering action of the network firewall. The empty string is also allowed to support empty elements associated with variable references. + + + + + + Network packets that are allowed by the firewall. + + + + + Network packets that are denied by the firewall. + + + + + The empty string value is permitted here to allow for empty elements associated with variable references. + + + + + + + + The EntityStateFilteringActionType complex type restricts a string value to a specific set of values that specify the filtering action of the network firewall. The empty string is also allowed to support empty elements associated with variable references. + + + + + + Network packets that are allowed by the firewall. + + + + + Network packets that are denied by the firewall. + + + + + The empty string value is permitted here to allow for empty elements associated with variable references. + + + + + + + \ No newline at end of file diff --git a/x-linux-network-auditd-system-characteristics-schema.xsd b/x-linux-network-auditd-system-characteristics-schema.xsd new file mode 100644 index 0000000..fb7dd63 --- /dev/null +++ b/x-linux-network-auditd-system-characteristics-schema.xsd 
@@ -0,0 +1,171 @@ + + + + + + The following is a description of the elements, types, and attributes that compose the linux specific system characteristic items found in Open Vulnerability and Assessment Language (OVAL). Each item is an extension of the standard item element defined in the Core System Characteristic Schema. Through extension, each item inherits a set of elements and attributes that are shared amongst all OVAL Items. Each item is described in detail and should provide the information necessary to understand what each element and attribute represents. This document is intended for developers and assumes some familiarity with XML. A high level description of the interaction between the different tests and their relationship to the Core System Characteristic Schema is not outlined here. + The OVAL Schema is maintained by The MITRE Corporation and developed by the public OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.mitre.org. + + linux System Characteristics + 5.10 + 2/26/2013 12:57:23 PM + Copyright (c) 2002-2013, The MITRE Corporation. All rights reserved. The contents of this file are subject to the terms of the OVAL License located at http://oval.mitre.org/oval/about/termsofuse.html. See the OVAL License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the OVAL Schema, this license header must be included. + + + + + + + + + + + + This item stores results from checking the living rules of the auditd service. + + + + + + + + >As described in the auditctl(8) manpage, the filter key is an arbitrary string of text that can be up to 31 bytes long. It can uniquely identify the audit records produced by a rule. You may have more than one key on a rule. + + + + + A rule written on a single line like returned by the auditctl -k command. 
+ + + + + The line number of the rule, which can be considered as the rule number regarding that there is one rule per line. This number starts at 1 which means that the number of the first rule returned is 1. + + + + + + + + + + + + + + + This item stores results from checking the living configuration of the network firewall on a UNIX system. + + + + + + + + The direction (incoming, outgoing or forwarding) of the network packets. + + + + + This is the name of the input interface (eth0, eth1, fw0, etc.). + + + + + This is the name of the output interface (eth0, eth1, fw0, etc.). + + + + + Action taken on a network packet by the network firewall based on its configuration. + + + + + The transport_protocol entity defines the specific transport-layer protocol, in lowercase: sctp, tcp or udp. + + + + + Source address of the packets. According to this OVAL datatype, it describes any IPv4/IPv6 address, address prefix, or its string representation. Note that the IP address can be IPv4 or IPv6. + + + + + Source port of the packets. + + + + + Destination address of the packets. According to this OVAL datatype, it describes any IPv4/IPv6 address, address prefix, or its string representation. Note that the IP address can be IPv4 or IPv6. + + + + + Destination port of the packets. + + + + + + + + + + + + + + The EntityItemPacketDirectionType complex type restricts a string value to a specific set of values that specify the direction of network packets. The empty string is also allowed to support empty elements associated with variable references. + + + + + + Incoming packets. + + + + + Outgoing packets. + + + + + Forwarding packets. + + + + + The empty string value is permitted here to allow for empty elements associated with variable references. + + + + + + + + The EntityItemFilteringActionType complex type restricts a string value to a specific set of values that specify the filtering action of the network firewall. 
The empty string is also allowed to support empty elements associated with variable references. + + + + + + Network packets that are allowed by the firewall. + + + + + Network packets that are denied by the firewall. + + + + + The empty string value is permitted here to allow for empty elements associated with variable references. + + + + + + +
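Review bot: The networkfirewall_test documentation in x-linux-network-auditd-definitions-schema.xsd says "The required object element references a auditdline_object and the optional state element specifies the data to check"; this was copied from auditdline_test and should reference networkfirewall_object. The file header also still says "The OVAL Schema is maintained by The MITRE Corporation", points at http://oval.mitre.org, and carries version "5.11.2", date "2/26/2013 12:57:23 PM" and a 2002-2013 MITRE copyright, while the core schemas touched by the same patch now name the OVAL Community at oval.cisecurity.org with version 5.11.1:1.2; a new file claiming 5.11.2 beside 5.11.1:1.2 core schemas is confusing, so align the version, maintainer and license text. Smaller points in the same hunk: "an filter_key entity", "a auditdline_test", "abstration", "trafic", and "The xsi:nil attribute must set to true" (must be set to true); the transport_protocol entity is documented as "in lowercase: sctp, tcp or udp", which gives no way to represent an ICMP rule or a rule that matches every protocol, so document how such rules are collected (for example an empty value) or add the missing values; and the file ends without a trailing newline ("\ No newline at end of file").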
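Review bot: The header of x-linux-network-auditd-system-characteristics-schema.xsd reads "linux System Characteristics" (lowercase linux) with version "5.10" and the 2013 MITRE maintainer and license text; the companion definitions schema in this patch says 5.11.2 and the core schemas say 5.11.1:1.2, so the two new x- files do not even agree with each other. Use the same version and the current maintainer text in both. The filter_key documentation repeats the stray ">" (">As described in the auditctl(8) manpage") and the rule entity again cites "the auditctl -k command" where "auditctl -l" is meant; since this item text is shared with the core system-characteristics schema in the same patch, fix both copies together.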