The following is a description of the elements, types, and attributes that compose the Cisco ASA specific system characteristic items found in Open Vulnerability and Assessment Language (OVAL). Each item is an extension of the standard item element defined in the Core System Characteristic Schema. Through extension, each item inherits a set of elements and attributes that are shared amongst all OVAL Items. Each item is described in detail and should provide the information necessary to understand what each element and attribute represents. This document is intended for developers and assumes some familiarity with XML. A high level description of the interaction between the different tests and their relationship to the Core System Characteristic Schema is not outlined here.

The OVAL Schema is maintained by the OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.cisecurity.org. Thanks to Omar Santos and Panos Kampanakis of Cisco for providing these tests.

Cisco ASA System Characteristics 5.11.1:1.2, 11/30/2016 09:00:00 AM

Copyright (c) 2016, Center for Internet Security. All rights reserved. The contents of this file are subject to the terms of the OVAL License located at https://oval.cisecurity.org/terms. See the OVAL License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the OVAL Schema, this license header must be included.

acl_item

Stores commands that are part of an ASA configuration section, for example all configuration lines under an interface. It should not store configurations for features that already have a separate item; for example, OSPF has a router item and should not also be stored in an acl_item.
- Element with the name of the ACL.
- Element with the IP version of the ACL.
- Element with the feature where the ACL is used. If the same ACL is applied in more than one feature (e.g. interface and crypto map), multiple items need to be created.
- Element with the name of where the ACL is used. For example, if use is 'INTERFACE', use_in will be the name of the interface. If the same ACL is applied in more than one feature (e.g. interface and crypto map), multiple items need to be created.
- Element with the direction in which the ACL is applied to an interface using the access-group command.
- Element with the value returned with all config lines of the ACL.
- Element with the value returned with one ACL config line at a time.

Class-map item

Stores information about the MPF class-map configuration in ASA. That information includes the name, the type, the inspection type, the match type, the match commands, the policy-map or class-map it is used in, and the action in the policy-map.
- Element with the name of the class-map.
- Element with the type of the 'class-map nameX type' command.
- Element with the inspection type of the class-map ('class-map type inspect' command).
- Element with the 'match-all' or 'match-any' type of the class-map. ASA defaults to 'match-any'.
- Element with the match command in the class-map.
- Element with the name of the class-map (for nested class-maps) that this class-map is used in.
- Element with the name of the policy-map that this class-map is used in.
- Element with the command that identifies the action for the class. For example, that could be 'inspect protocolX', 'drop', 'police 1000' or 'set connection advanced-options tcpmapX'.

Interface item

Stores information about interfaces on a Cisco ASA device.
- Element with the interface name.
- Element that is true if the proxy_arp command is enabled on the interface. The default is true.
- Element that is true if the interface is shut down. The default is false.
- Element with the interface hardware (MAC) address.
- Element with the interface IPv4 address and mask. This element should only allow 'ipv4_address' of the oval:SimpleDatatypeEnumeration.
- Element with the interface IPv6 address and mask. This element should only allow 'ipv6_address' of the oval:SimpleDatatypeEnumeration.
- Element with the ingress or egress IPv4 ACL name applied on the interface.
- Element with the ingress or egress IPv6 ACL name applied on the interface.
- Element with the ingress or egress UACL name applied on the interface.
- Element with the crypto map name applied to the interface.
- Element with the uRPF command for IPv4 under the interface.
- Element with the uRPF command for IPv6 under the interface.
- Element with the uRPF command under the interface. Warning: DEPRECATED ENTITY. This entity has been deprecated as of 5.11.1:1.1 because it was replaced by the ipv4_urpf_command and ipv6_urpf_command entities.

SHOW sub-command item

Stores the configuration information associated with the evaluation of a SHOW sub-command on Cisco ASA. This includes the name of the sub-command and the corresponding config line.
- The name of the SHOW sub-command.
- The value returned by the specified SHOW sub-command.

Policy-map item

Stores information about a policy-map configuration in ASA. That information includes the policy-map name, the inspection type, the parameters, the match and action commands, the policy-map it is used in, and the service-policy that applies it.
- Element with the policy-map name.
- Element with the inspection type of the class-map.
- Element with the parameter commands of the policy-map.
- Element with the in-line match command and the action in the policy-map, separated by the delimiter '_-_'. For example, an http inspect policy-map could have 'match body regex regexnameX' with the action 'drop'. Then this element would be 'body regex regexnameX_-_drop'.
- Element with the name of the policy-map that includes this policy-map ('policy-map type inspect' in this case) or the service-policy that applies the policy-map (non 'type inspect' in this case). For example, the former could be when an http inspection policy-map policymapnameX is used in a policy-map policymapnameY as its 'inspect http policymapnameX' command. The latter could be when policymapnameY is applied globally with 'service-policy policymapnameY global'. There is no case where a policy-map can be used in both a policy-map and a service-policy at the same time.

Service-policy item

Stores information about an MPF service-policy configuration in ASA. That information includes the service-policy name, where it is applied, and the interface it is applied to (if applicable).
- Element with the service-policy name.
- Element with where the service-policy is applied.
- Element with the interface the service-policy is applied to (if the 'applied' element has the value 'INTERFACE').

SNMP host item

Stores information about the SNMP host configuration in ASA. That information includes the host, the community or user strings, the SNMP version, the SNMP security (if the SNMP version is SNMPv3) and the SNMP traps.
- Element with the interface configured for the host.
- Element with the SNMP host address or hostname.
- Element with the community string or SNMPv3 user configured for the host.
- Element with the SNMP version.
- Element used for when the SNMP polls are enabled for the host.
- Element used for the SNMP port configured for the host.

SNMP user item

Stores information about an SNMP user configuration in ASA. That information includes the user name, the SNMP group the user belongs to, the SNMP version, the IPv4 or IPv6 ACL it is applied to, and the security level and authentication type that apply to the user (for SNMPv3).
- Element with the SNMP user name.
- Element with the SNMP group the user belongs to.
- Element with the SNMP encryption type for the user (for SNMPv3).
- Element with the SNMP authentication type for the user (for SNMPv3).

SNMP group item

Stores information about an SNMP group configuration in ASA. That information includes the group name, the SNMP version, the IPv4 or IPv6 ACL it is applied to, and the read, write and/or notify views applied to the group.
- Element with the SNMP group name.
- Element with the SNMPv3 security configured for the group.

tcp-map item

Stores information about MPF tcp-map configuration in ASA. That information includes the tcp-map name and its configured options.
- Element with the tcp-map name.
- Element with the configured commands in the tcp-map. These could include TCP options, flags and other options of the tcp-map.

Version item

Stores the version information held within a Cisco ASA software release. The asa_release element specifies the whole ASA version information. The asa_major_release, asa_minor_release and asa_build elements specify separate parts of the ASA software version information. For instance, if the ASA version is 8.4(2.3)49, then asa_release is 8.4(2.3)49, asa_major_release is 8.4, asa_minor_release is 2.3 and asa_build is 49. See the SHOW VERSION command within ASA for more information.
- The asa_release element specifies the whole ASA version information.
- The asa_major_release is the dotted version that starts a version string. For example, the asa_release 8.4(2.3)49 has an asa_major_release of 8.4.
- The asa_minor_release is the dotted version in parentheses that follows the major release. For example, the asa_release 8.4(2.3)49 has an asa_minor_release of 2.3.
- The asa_build is an integer. For example, the asa_release 8.4(2.3)49 has an asa_build of 49.

The EntityItemAccessListIPVersionType complex type restricts a string value to a specific set of values: IPV4, IPV6 or IPV4_V6 (both). These values describe whether an ACL in a Cisco ASA configuration is for IPv4, for IPv6, or for both (UACLs). The empty string value is also permitted to allow for empty elements associated with error conditions.
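As an added example (not part of the OVAL schema or its documentation), the following Python splits an asa_release string into the asa_major_release, asa_minor_release and asa_build entities described for the version item above, pulls the release string out of a constructed SHOW VERSION line, and orders releases numerically part by part; the regular expressions, the optional build number and the ordering of a missing build are assumptions of this example, not of the schema.

```python
import re
from typing import NamedTuple, Optional

# Assumed layout of an ASA release string: <major>(<minor>)<build>, e.g. 8.4(2.3)49.
# The build number is treated as optional (an assumption of this example).
ASA_RELEASE_RE = re.compile(
    r"^(?P<major>\d+(?:\.\d+)+)\((?P<minor>\d+(?:\.\d+)*)\)(?P<build>\d+)?$"
)
# Assumed format of the SHOW VERSION line that carries the release string.
SHOW_VERSION_RE = re.compile(r"Software Version\s+(\S+)")


class AsaVersion(NamedTuple):
    """The four entities of the OVAL ASA version item."""
    asa_release: str
    asa_major_release: str
    asa_minor_release: str
    asa_build: Optional[int]


def parse_asa_release(release: str) -> AsaVersion:
    """Split an asa_release string such as 8.4(2.3)49 into 8.4, 2.3 and 49."""
    release = release.strip()
    m = ASA_RELEASE_RE.match(release)
    if m is None:
        raise ValueError(f"not a recognised ASA release string: {release!r}")
    build = m.group("build")
    return AsaVersion(release, m.group("major"), m.group("minor"),
                      int(build) if build is not None else None)


def release_from_show_version(output: str) -> str:
    """Pull the release string out of SHOW VERSION output (assumed line format)."""
    m = SHOW_VERSION_RE.search(output)
    if m is None:
        raise ValueError("no 'Software Version' line in SHOW VERSION output")
    return m.group(1)


def version_key(v: AsaVersion) -> tuple:
    """Sort key comparing releases numerically part by part, not as strings, so
    8.4(2.3)5 < 8.4(2.3)49 < 9.1(7)23. A missing build sorts first (assumption)."""
    major = tuple(int(p) for p in v.asa_major_release.split("."))
    minor = tuple(int(p) for p in v.asa_minor_release.split("."))
    build = v.asa_build if v.asa_build is not None else -1
    return (major, minor, build)


# Constructed sample SHOW VERSION output, not captured from a real device.
SAMPLE_SHOW_VERSION = "Cisco Adaptive Security Appliance Software Version 8.4(2.3)49\n"
```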
The EntityItemAccessListUseType complex type restricts a string value to a specific set of values: INTERFACE, INTERFACE_CP (control plane interface ACL), CRYPTO_MAP_MATCH, CLASS_MAP_MATCH, ROUTE_MAP_MATCH, IGMP_FILTER, NONE. These values describe the ACL use in a Cisco ASA configuration. The empty string value is also permitted to allow for empty elements associated with error conditions.

The EntityItemAccessListInterfaceDirectionType complex type restricts a string value to a specific set of values: IN, OUT. These values describe the inbound or outbound ACL direction on an interface in a Cisco ASA configuration. The empty string value is also permitted to allow for empty elements associated with error conditions.

The EntityItemClassMapType complex type restricts a string value to a specific set of values: INSPECT, REGEX, MANAGEMENT. These values describe the MPF class-map types in Cisco ASA MPF configurations. The empty string value is also permitted to allow for empty elements associated with error conditions.

The EntityItemInspectionType complex type restricts a string value to a specific set of values. These values describe the MPF inspection types of class-map and policy-map configurations in Cisco ASA MPF configurations. The empty string value is also permitted to allow for empty elements associated with error conditions.

The EntityItemApplyServicePolicyType complex type restricts a string value to a specific set of values: GLOBAL, INTERFACE. These values describe where a service-policy is applied in a Cisco ASA MPF configuration. The empty string value is also permitted to allow for empty elements associated with error conditions.

The EntityItemMatchType complex type restricts a string value to a specific set of values: ANY, ALL. These values describe the match type of a class-map in a Cisco ASA MPF configuration. The empty string value is also permitted to allow for empty elements associated with error conditions.

The EntityItemSNMPVersionStringType complex type restricts a string value to a specific set of values: 1, 2c, 3. These values describe the SNMP version in a Cisco ASA configuration. The empty string value is also permitted to allow for empty elements associated with error conditions.

The EntityItemSNMPSecLevelStringType complex type restricts a string value to a specific set of values: PRIV, AUTH, NO_AUTH. These values describe the SNMP security level (encryption, authentication, none) in Cisco ASA SNMPv3 related configurations. The empty string value is also permitted to allow for empty elements associated with error conditions.

The EntityItemSNMPAuthStringType complex type restricts a string value to a specific set of values: MD5, SHA. These values describe the authentication algorithm in Cisco ASA SNMPv3 related configurations. The empty string value is also permitted to allow for empty elements associated with error conditions.

The EntityItemSNMPPrivStringType complex type restricts a string value to a specific set of values: DES, 3DES, AES128, AES192, and AES256. These values describe the encryption algorithm in Cisco ASA SNMPv3 related configurations. The empty string value is also permitted to allow for empty elements associated with error conditions.