This document outlines the items of the OVAL System Characteristics XML schema that are independent of any specific family or platform. Each item is an extension of a basic System Characteristics item defined in the core System Characteristics XML schema. The OVAL Schema is maintained by the OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.cisecurity.org.

Independent System Characteristics 5.11.1:1.2 11/30/2016 09:00:00 AM

Copyright (c) 2016, Center for Internet Security. All rights reserved. The contents of this file are subject to the terms of the OVAL License located at https://oval.cisecurity.org/terms. See the OVAL License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the OVAL Schema, this license header must be included.

This element stores the high level system OS type, otherwise known as the family.
This element describes the high level system OS type, otherwise known as the family.

This element stores the different hash values associated with a specific file.
Deprecated (5.8): Replaced by the filehash58_item, which allows the hash algorithm to be specified when collecting data. See the filehash58_item. This item has been deprecated and may be removed in a future version of the language. DEPRECATED ITEM: ID:
The filepath element specifies the absolute path for a file on the machine. A directory cannot be specified as a filepath.
The path element specifies the directory component of the absolute path to a file on the machine.
The name of the file.
The md5 hash of the file.
The sha1 hash of the file.
The windows view value from which this OVAL Item was collected. This is used to indicate from which view (32-bit or 64-bit) the associated Item was collected. A value of '32_bit' indicates the Item was collected from the 32-bit view.
A value of '64_bit' indicates the Item was collected from the 64-bit view. Omitting this entity removes any assertion about which view the Item was collected from, and therefore it is strongly suggested that this entity be set. This entity only applies to 64-bit Microsoft Windows operating systems.

This element stores a hash value associated with a specific file.
The filepath element specifies the absolute path for a file on the machine. A directory cannot be specified as a filepath.
The path element specifies the directory component of the absolute path to a file on the machine.
The name of the file.
Identifier for the hash algorithm used to calculate the hash.
The result of applying the hash algorithm to the file.
The windows view value from which this OVAL Item was collected. This is used to indicate from which view (32-bit or 64-bit) the associated Item was collected. A value of '32_bit' indicates the Item was collected from the 32-bit view. A value of '64_bit' indicates the Item was collected from the 64-bit view. Omitting this entity removes any assertion about which view the Item was collected from, and therefore it is strongly suggested that this entity be set. This entity only applies to 64-bit Microsoft Windows operating systems.

This item stores information about environment variables and their values.
Deprecated (5.8): Replaced by the environmentvariable58_item. This item allows the hash algorithm to be specified. See the filehash58_item. This object has been deprecated and may be removed in a future version of the language. DEPRECATED ITEM: ID:
This element describes the name of an environment variable.
The actual value of the specified environment variable.

This item stores information about an environment variable, the process ID of the process from which it was retrieved, and its corresponding value.
The process ID of the process from which the environment variable was retrieved.
This element describes the name of an environment variable.
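The filehash58_item described above, worked as an added example that is not code from the OVAL schema or any OVAL interpreter: a small Python collector that restricts hash_type to the EntityItemHashTypeType values, refuses a directory as filepath, and leaves the hash entity as the empty string on failure. The status values and the hashlib mapping are this example's assumptions, and the sample file is constructed in a temp directory.

```python
import hashlib
import os
import tempfile
from typing import Dict

# Hash identifiers enumerated by EntityItemHashTypeType, mapped to hashlib
# constructor names (the mapping is this example's choice, not the schema's).
HASH_TYPES = {
    "MD5": "md5",
    "SHA-1": "sha1",
    "SHA-224": "sha224",
    "SHA-256": "sha256",
    "SHA-384": "sha384",
    "SHA-512": "sha512",
}


def collect_filehash58_item(filepath: str, hash_type: str,
                            chunk_size: int = 1 << 16) -> Dict[str, str]:
    """Build a filehash58_item-like record for `filepath` using `hash_type`.

    The status values (exists / does not exist / error) are assumed from the
    core System Characteristics ItemType that every item here extends; they are
    not restated on this page. On any failure the hash entity stays the empty
    string, which the enumeration permits precisely for error reporting.
    """
    path, filename = os.path.split(filepath)
    item = {"filepath": filepath, "path": path, "filename": filename,
            "hash_type": hash_type, "hash": "", "status": "exists", "message": ""}
    if hash_type not in HASH_TYPES:
        item.update(status="error", message=f"unsupported hash_type {hash_type!r}")
        return item
    if os.path.isdir(filepath):
        item.update(status="error", message="a directory cannot be specified as a filepath")
        return item
    try:
        digest = hashlib.new(HASH_TYPES[hash_type])  # ValueError if this build disables it
        with open(filepath, "rb") as fh:
            for chunk in iter(lambda: fh.read(chunk_size), b""):  # stream, do not slurp
                digest.update(chunk)
    except FileNotFoundError:
        item.update(status="does not exist")
        return item
    except (OSError, ValueError) as exc:
        item.update(status="error", message=str(exc))
        return item
    item["hash"] = digest.hexdigest()
    return item


def sample_paths() -> Dict[str, str]:
    """Write a constructed 3-byte sample file into a fresh temp directory.

    Returns paths for the file itself, its directory and a file that does not exist.
    """
    d = tempfile.mkdtemp(prefix="filehash58_")
    f = os.path.join(d, "sample.conf")
    with open(f, "wb") as fh:
        fh.write(b"abc")
    return {"file": f, "dir": d, "missing": os.path.join(d, "absent.conf")}


if __name__ == "__main__":
    paths = sample_paths()
    for target in (paths["file"], paths["dir"], paths["missing"]):
        print(collect_filehash58_item(target, "SHA-256"))
```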
The actual value of the specified environment variable.

This element holds information about specific entries in the LDAP directory. It extends the standard ItemType as defined in the oval-system-characteristics schema and one should refer to the ItemType description for more information.
Each object in an LDAP directory exists under a certain suffix (also known as a naming context). A suffix is defined as a single object in the Directory Information Tree (DIT) with every object in the tree subordinate to it.
The relative_dn field is used to uniquely identify an item inside the specified suffix. It contains all of the parts of the item's distinguished name except those outlined by the suffix. If the xsi:nil attribute is set to true, then the item being represented is the higher level suffix.
Specifies a named value contained by the object.
The name of the class of which the object is an instance.
Specifies the type of information that the specified attribute represents.
The actual value of the specified LDAP attribute.

This element holds information about specific entries in the LDAP directory. It extends the standard ItemType as defined in the oval-system-characteristics schema and one should refer to the ItemType description for more information.
Deprecated (5.11.2): Use the original ldap_item. The ldap57_test suffers from ambiguity; it was never adequately specified, and it does not even seem possible to have structured data in the context of the enumerated LdaptypeTypes. Use the original ldap_test instead. This test has been deprecated and will be removed in version 6.0 of the language. DEPRECATED ITEM: ID:
Each object in an LDAP directory exists under a certain suffix (also known as a naming context). A suffix is defined as a single object in the Directory Information Tree (DIT) with every object in the tree subordinate to it.
The relative_dn field is used to uniquely identify an item inside the specified suffix.
It contains all of the parts of the item's distinguished name except those outlined by the suffix. If the xsi:nil attribute is set to true, then the item being represented is the higher level suffix.
Specifies a named value contained by the object.
The name of the class of which the object is an instance.
Specifies the type of information that the specified attribute represents.
The actual value of the specified LDAP attribute. Note that while an LDAP attribute can contain structured data where it is necessary to collect multiple related fields that can be described by the 'record' datatype, this is not always the case. It is also possible that an LDAP attribute contains only a single value or an array of values. In these cases there is no name to uniquely identify the corresponding field(s), which is a requirement for fields in the 'record' datatype. As a result, the name of the LDAP attribute will be used to uniquely identify the field(s) and satisfy this requirement. If the LDAP attribute contains a single value, the 'record' will have a single field identified by the name of the LDAP attribute. If the LDAP attribute contains an array of values, the 'record' will have multiple fields, all identified by the name of the LDAP attribute.
- datatype attribute for the value entity of a ldap57_item must be 'record'

The sql_item outlines information collected from a database via an SQL query.
Deprecated (5.7): Replaced by the sql57_item. This item allows for single fields to be selected from a database. A new item was created to allow more than one field to be selected in one statement. See the sql57_item. This object has been deprecated and may be removed in a future version of the language. DEPRECATED ITEM: ID:
The engine entity identifies the specific database engine used to connect to the database.
The version entity identifies the version of the database engine used to connect to the database.
The connection_string entity defines connection parameters used to connect to the specific database.
The sql entity holds the specific query used to identify the object(s) in the database.
The result entity specifies the result(s) of the given SQL query against the database.

The sql57_item outlines information collected from a database via an SQL query.
The engine entity identifies the specific database engine used to connect to the database.
The version entity identifies the version of the database engine used to connect to the database.
The connection_string entity defines connection parameters used to connect to the specific database.
The sql entity holds the specific query used to identify the object(s) in the database.
The result entity holds the results of the specified SQL statement.
- datatype attribute for the result entity of a sql57_item must be 'record'

The textfilecontent_item looks at the contents of a text file (aka a configuration file) by looking at individual lines.
The filepath element specifies the absolute path for a file on the machine. A directory cannot be specified as a filepath.
The path element specifies the directory component of the absolute path to a file on the machine.
The filename entity specifies the name of the file (without the path) that is being represented.
The pattern entity represents a regular expression that is used to define a block of text. Subexpression notation (parentheses) is used to call out a value(s) to test against. For example, the pattern abc(.*)xyz would look for a block of text in the file that starts with abc and ends with xyz, with the subexpression being all the characters that exist in between. Note that if the pattern can match more than one block of text starting at the same point, then it matches the longest.
Subexpressions also match the longest possible substrings, subject to the constraint that the whole match be as long as possible, with subexpressions starting earlier in the pattern taking priority over ones starting later.
The instance entity calls out which match of the pattern is being represented by this item. The first match is given an instance value of 1, the second match is given an instance value of 2, and so on. The main purpose of this entity is to provide uniqueness for different textfilecontent_items that result from multiple matches of a given pattern against the same file.
- the value of instance must be greater than one
The line element represents a line in the file and is represented using a regular expression.
Deprecated (5.4): Due to the fact that the TextFileContent54_test supports multi-line pattern matching, the line entity is no longer needed. This entity has been deprecated and will be removed in version 6.0 of the language. DEPRECATED ELEMENT: ID:
The text entity represents the block of text that matched the specified pattern.
The subexpression entity represents the value of a subexpression in the specified pattern. If multiple subexpressions are specified in the pattern, then multiple entities are presented. Note that the textfilecontent_state in the definition schema only allows a single subexpression entity. This means that the test will check that all (or at least one, none, etc.) of the subexpressions pass the same check, and therefore that the order of multiple subexpression entities in the item does not matter.
The windows view value from which this OVAL Item was collected. This is used to indicate from which view (32-bit or 64-bit) the associated Item was collected. A value of '32_bit' indicates the Item was collected from the 32-bit view. A value of '64_bit' indicates the Item was collected from the 64-bit view.
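The pattern, instance and subexpression entities of the textfilecontent_item above, worked as an added example that is not code from the OVAL schema or any OVAL interpreter: a small Python collector that turns every match of a pattern into one item, numbering instances from 1 and recording each parenthesised subexpression. The file content and paths are constructed; Python's re engine backtracks rather than guaranteeing POSIX leftmost-longest matching, so greedy quantifiers reproduce the "longest" rule for patterns like abc(.*)xyz but alternation is resolved left to right.

```python
import re
from typing import Dict, List, Optional

# Constructed sample file content; not taken from any real system.
SAMPLE_CONFIG = (
    "# sshd_config excerpt (constructed sample)\n"
    "Port 22\n"
    "PermitRootLogin no\n"
    "Ciphers aes256-ctr,aes128-ctr\n"
    "PermitRootLogin yes\n"
)


def collect_textfilecontent_items(
    text: str, filepath: str, pattern: str, instance: Optional[int] = None
) -> List[Dict]:
    """Emulate a collector producing one textfilecontent_item per pattern match.

    The n-th match (1-based) gets instance n, which is what keeps several items
    for the same file and pattern distinct. `text` holds the whole matched block
    and every parenthesised subexpression becomes one `subexpression` entry.
    re.MULTILINE lets ^ and $ anchor at line boundaries so a pattern can select
    individual lines or span several. Passing `instance` keeps only that match.
    """
    # filepath must name a file, not a directory; path/filename are its components
    path, _, filename = filepath.rpartition("/")
    items: List[Dict] = []
    for n, match in enumerate(re.finditer(pattern, text, re.MULTILINE), start=1):
        if instance is not None and n != instance:
            continue
        items.append({
            "filepath": filepath,
            "path": path,
            "filename": filename,
            "pattern": pattern,
            "instance": n,
            "text": match.group(0),
            "subexpression": list(match.groups()),
        })
    return items


if __name__ == "__main__":
    for item in collect_textfilecontent_items(
        SAMPLE_CONFIG, "/etc/ssh/sshd_config", r"^PermitRootLogin (\w+)$"
    ):
        print(item["instance"], item["text"], item["subexpression"])
```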
Omitting this entity removes any assertion about which view the Item was collected from, and therefore it is strongly suggested that this entity be set. This entity only applies to 64-bit Microsoft Windows operating systems.

This item stores information about OVAL Variables and their values.
The id of the variable.
The value of the variable. If a variable represents an array of values, then multiple value elements should exist.

This item stores results from checking the contents of an xml file.
The filepath element specifies the absolute path for a file on the machine. A directory cannot be specified as a filepath.
The path element specifies the directory component of the absolute path to a file on the machine.
The filename element specifies the name of the file.
Specifies an XPath 1.0 expression to evaluate against the XML file specified by the filename entity. This XPath 1.0 expression must evaluate to a list of zero or more text values which will be accessible in OVAL via instances of the value_of entity. Any result from evaluating the XPath 1.0 expression other than a list of text strings (e.g., a node set) is considered an error. The intention is that the text values be drawn from instances of a single, uniquely named element or attribute. However, an OVAL interpreter is not required to verify this, so the author should define the XPath expression carefully. Note that "equals" is the only valid operator for the xpath entity.
The value_of element checks the value(s) of the text node(s) or attribute(s) found. How this is used is entirely controlled by operator attributes.
The windows view value from which this OVAL Item was collected. This is used to indicate from which view (32-bit or 64-bit) the associated Item was collected. A value of '32_bit' indicates the Item was collected from the 32-bit view. A value of '64_bit' indicates the Item was collected from the 64-bit view.
Omitting this entity removes any assertion about which view the Item was collected from, and therefore it is strongly suggested that this entity be set. This entity only applies to 64-bit Microsoft Windows operating systems.

The EntityItemEngineType complex type defines a string entity value that is restricted to an enumeration. Each valid entry in the enumeration is a valid database engine.
The access value describes the Microsoft Access database engine.
The db2 value describes the IBM DB2 database engine.
The cache value describes the InterSystems Cache database engine.
The firebird value describes the Firebird database engine.
The firstsql value describes the FirstSQL database engine.
The foxpro value describes the Microsoft FoxPro database engine.
The informix value describes the IBM Informix database engine.
The ingres value describes the Ingres database engine.
The interbase value describes the Embarcadero Technologies InterBase database engine.
The lightbase value describes the Light Infocon LightBase database engine.
The maxdb value describes the SAP MaxDB database engine.
The monetdb value describes the MonetDB SQL database engine.
The mimer value describes the Mimer SQL database engine.
The mysql value describes the MySQL database engine.
The oracle value describes the Oracle database engine.
The paradox value describes the Paradox database engine.
The pervasive value describes the Pervasive PSQL database engine.
The postgre value describes the PostgreSQL database engine.
The sqlbase value describes the Unify SQLBase database engine.
The sqlite value describes the SQLite database engine.
The sqlserver value describes the Microsoft SQL database engine.
The sybase value describes the Sybase database engine.
The empty string value is permitted here to allow for detailed error reporting.

The EntityItemFamilyType complex type defines a string entity value that is restricted to a set of enumerations.
Each valid enumeration is a high-level operating system family.
The android value describes the Android mobile operating system.
The apple_ios value describes the iOS mobile operating system.
The asa value describes the Cisco ASA security devices.
The catos value describes the Cisco CatOS operating system.
The ios value describes the Cisco IOS operating system.
The iosxe value describes the Cisco IOS-XE operating system.
The junos value describes the Juniper JunOS operating system.
The macos value describes the Mac operating system.
The pixos value describes the Cisco PIX operating system.
The undefined value is to be used when the desired family is not available.
The unix value describes the UNIX operating system.
The vmware_infrastructure value describes VMWare Infrastructure.
The windows value describes the Microsoft Windows operating system.
The empty string value is permitted here to allow for detailed error reporting.

The EntityItemHashTypeType complex type restricts a string value to a specific set of values that specify the different hash algorithms that are supported. The empty string is also allowed to support empty elements associated with variable references.
The MD5 hash algorithm.
The SHA-1 hash algorithm.
The SHA-224 hash algorithm.
The SHA-256 hash algorithm.
The SHA-384 hash algorithm.
The SHA-512 hash algorithm.
The empty string value is permitted here to allow for detailed error reporting.

The EntityItemVariableRefType complex type defines a string item entity that has a valid OVAL variable id as the value.

The EntityItemLdaptypeType complex type restricts a string value to a specific set of values that specify the different types of information that an ldap attribute can represent. The empty string value is permitted here to allow for detailed error reporting.
ACI Item, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.1
Access Point, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.2
Attribute Type Description, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.3
Audio, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.4
Binary, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.5
Bit String, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.6
Boolean, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.7
Certificate, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.8
Certificate List, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.9
Certificate Pair, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.10
Country String, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.11
DN, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.12
Data Quality Syntax, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.13
Delivery Method, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.14
Directory String, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.15
DIT Content Rule Description, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.16
DIT Structure Rule Description, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.17
DL Submit Permission, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.18
DSA Quality Syntax, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.19
DSE Type, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.20
Enhanced Guide, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.21
Facsimile Telephone Number, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.22
Fax, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.23
Generalized Time, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.24
Guide, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.25
IA5 String, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.26
INTEGER, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.27
JPEG, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.28
LDAP Syntax Description, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.54
LDAP Schema Definition, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.56
LDAP Schema Description, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.57
Master And Shadow Access Points, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.29
Matching Rule Description, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.30
Matching Rule Use Description, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.31
Mail Preference, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.32
MHS OR Address, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.33
Modify Rights, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.55
Name And Optional UID, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.34
Name Form Description, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.35
Numeric String, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.36
Object Class Description, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.37
Octet String, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.40
OID, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.38
Other Mailbox, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.39
Postal Address, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.41
Protocol Information, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.42
Presentation Address, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.43
Printable String, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.44
Substring Assertion, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.58
Subtree Specification, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.45
Supplier Information, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.46
Supplier Or Consumer, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.47
Supplier And Consumer, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.48
Supported Algorithm, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.49
Telephone Number, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.50
Teletex Terminal Identifier, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.51
Telex Number, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.52
UTC Time, corresponding to OID 1.3.6.1.4.1.1466.115.121.1.53
The data is of a time stamp in seconds. Deprecated (5.7): This value was accidentally carried over from the win-sc:EntityItemAdstypeType as it was used as a template for the ind-sc:EntityItemLdaptypeType. This value has been deprecated and will be removed in version 6.0 of the language. DEPRECATED ELEMENT VALUE IN: ldap_item ELEMENT VALUE:
The data is of an e-mail message. Deprecated (5.7): This value was accidentally carried over from the win-sc:EntityItemAdstypeType as it was used as a template for the ind-sc:EntityItemLdaptypeType. This value has been deprecated and will be removed in version 6.0 of the language. DEPRECATED ELEMENT VALUE IN: ldap_item ELEMENT VALUE:
The empty string value is permitted here to allow for detailed error reporting.

The EntityItemWindowsViewType restricts a string value to a specific set of values: 32-bit and 64-bit. These values describe the different values possible for the windows view behavior.
Indicates the 32_bit windows view.
Indicates the 64_bit windows view.
The empty string value is permitted here to allow for empty elements associated with variable references.