The following is a description of the elements, types, and attributes that compose the Linux-specific system characteristic items found in Open Vulnerability and Assessment Language (OVAL). Each item is an extension of the standard item element defined in the Core System Characteristic Schema. Through extension, each item inherits a set of elements and attributes that are shared amongst all OVAL Items. Each item is described in detail and should provide the information necessary to understand what each element and attribute represents. This document is intended for developers and assumes some familiarity with XML. A high-level description of the interaction between the different tests and their relationship to the Core System Characteristic Schema is not outlined here.

The OVAL Schema is maintained by the OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.cisecurity.org.

Linux System Characteristics 5.11.1:1.2, 11/30/2016 09:00:00 AM

Copyright (c) 2016, Center for Internet Security. All rights reserved. The contents of this file are subject to the terms of the OVAL License located at https://oval.cisecurity.org/terms. See the OVAL License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the OVAL Schema, this license header must be included.

The AppArmor Status Item displays various information about the current AppArmor policy. This item maps the counts of profiles and processes as per the results of the "apparmor_status" or "aa-status" command. Each item extends the standard ItemType as defined in the oval-system-characteristics-schema and one should refer to the ItemType description for more information.
Displays the number of loaded profiles.
Displays the number of profiles in enforce mode.
Displays the number of profiles in complain mode.
Displays the number of processes which have profiles defined.
Displays the number of processes in enforce mode.
Displays the number of processes in complain mode.
Displays the number of processes which are unconfined but have a profile defined.

This item stores DPKG package info.

This is the package name to check.
This is the architecture for which the DPKG was built, like: i386, ppc, sparc, noarch.
This is the epoch number of the DPKG. For a null epoch (or '(none)' as returned by dpkg) the string '(none)' should be used.
This is the release number of the build.
This is the version number of the build, changed by the vendor/builder.
This type represents the epoch, upstream_version, and debian_revision fields, for a Debian package, as a single version string. It has the form "EPOCH:UPSTREAM_VERSION-DEBIAN_REVISION". Note that a null epoch (or '(none)' as returned by dpkg) is equivalent to '0' and would hence have the form 0:UPSTREAM_VERSION-DEBIAN_REVISION. Warning: there are differences in the algorithms for how the version strings of Debian and RPM packages are compared. As a result, a new debian_evr_string datatype was added to the OVAL Language and should be used, for this entity, instead of the evr_string datatype.

An iflisteners_item stores the results of checking for applications that are bound to an interface on the system. Only applications that are bound to an ethernet interface should be collected.

This is the name of the interface (eth0, eth1, fw0, etc.).
This is the physical layer protocol used by the AF_PACKET socket.
This is the hardware address associated with the interface.
This is the name of the communicating program.
This is the process ID of the process. The process in question is that of the program communicating on the network.
The numeric user id, or uid, is the third column of each user's entry in /etc/passwd.
It represents the owner, and thus privilege level, of the specified program.

An inet listening server item stores the results of checking for network servers currently active on a system. It holds information pertaining to a specific protocol-address-port combination.

This is the transport-layer protocol, in lowercase: tcp or udp.
This is the IP address associated with the inet listening server. Note that the IP address can be IPv4 or IPv6.
This is the TCP or UDP port on which the program listens.
This is the IP address and network port on which the program listens, equivalent to local_address:local_port. Note that the IP address can be IPv4 or IPv6.
This is the name of the communicating program.
This is the IP address with which the program is communicating, or with which it will communicate, in the case of a listening server. Note that the IP address can be IPv4 or IPv6.
This is the TCP or UDP port to which the program communicates. In the case of a listening program accepting new connections, this value will be 0.
This is the IP address and network port to which the program is communicating or will accept communications from, equivalent to foreign_address:foreign_port. Note that the IP address can be IPv4 or IPv6.
This is the process ID of the process. The process in question is that of the program communicating on the network.
The numeric user id, or uid, is the third column of each user's entry in /etc/passwd. It represents the owner, and thus privilege level, of the specified program.

The partition_item stores information about a partition on the local system.

The mount_point element contains a string that represents the mount point of a partition on the local system.
The device element contains a string that represents the name of the device.
The uuid element contains a string that represents the universally unique identifier associated with a partition.
The fs_type element contains a string that represents the type of filesystem on a partition.
The mount_options element contains a string that represents a mount option associated with a partition on the local system. Implementation note: not all mount options are visible in /etc/mtab or /proc/mounts. A complete source of additional mount options is the f_flag field of 'struct statvfs'; see statvfs(2). /etc/fstab may have additional mount options, but it need not contain all mounted filesystems, so it MUST NOT be relied upon. Implementers MUST be sure to get all mount options in some way.
The total_space element contains an integer that represents the total number of physical blocks on a partition.
The space_used element contains an integer that represents the number of physical blocks used on a partition.
The space_left element contains an integer that represents the number of physical blocks left on a partition available to be used by privileged users.
The space_left_for_unprivileged_users element contains an integer that represents the number of physical blocks remaining on a partition that are available to be used by unprivileged users.
The block_size element contains an integer representing the actual byte size of each physical block on the partition's block device. This is the same block size used to compute the total_space, space_used, and space_left.

This item stores rpm info.

This is the package name to check.
This is the architecture for which the RPM was built, like: i386, ppc, sparc, noarch. In the case of an apache rpm named httpd-2.0.40-21.11.4.i686.rpm, this value would be i686.
This is the epoch number of the RPM; it is used as a kludge for version-release comparisons where the vendor has done some kind of re-numbering or version forking. For a null epoch (or '(none)' as returned by rpm) the string '(none)' should be used. This number is not revealed by a normal query of the RPM's information -- you must use a formatted rpm query command to gather this data from the command line, like so.
For an already-installed RPM:
    rpm -q --qf '%{EPOCH}\n' installed_rpm
For an RPM file that has not been installed:
    rpm -qp --qf '%{EPOCH}\n' rpm_file
This is the release number of the build.
This is the version number of the build, changed by the vendor/builder. In the case of an apache rpm named httpd-2.0.40-21.11.4.i686.rpm, this value would be 2.0.40.
This represents the epoch, version, and release fields as a single version string. It has the form "EPOCH:VERSION-RELEASE". Note that a null epoch (or '(none)' as returned by rpm) is equivalent to '0' and would hence have the form 0:VERSION-RELEASE.
This field contains the PGP key ID that the RPM issuer (generally the original operating system vendor) uses to sign the key. PGP is used to verify the authenticity and integrity of the RPM being considered. Software packages and patches are signed cryptographically to allow administrators to allay concerns that the distribution mechanism has been compromised, whether that mechanism is a web site, an FTP server, or even a mirror controlled by a hostile party. OVAL uses this field most of all to confirm that the package installed on the system is that shipped by the vendor, since comparing package version numbers against patch announcements is only programmatically valid if the installed package is known to contain the patched code.
This represents the name, epoch, version, release, and architecture fields as a single version string. It has the form "NAME-EPOCH:VERSION-RELEASE.ARCHITECTURE". Note that a null epoch (or '(none)' as returned by rpm) is equivalent to '0' and would hence have the form NAME-0:VERSION-RELEASE.ARCHITECTURE. The 'gpg-pubkey' virtual package on RedHat and CentOS should use the string '(none)' for the architecture to construct the extended_name.
This field contains the absolute path of a file or directory included in the rpm.

This item stores rpm verification results similar to what is produced by the rpm -V command.
Deprecated in 5.10: replaced by the rpmverifyfile_item and rpmverifypackage_item. The rpmverify_item was split into two items to distinguish between the verification of the files in an rpm and the verification of an rpm as a whole. By making this distinction, content authoring is simplified and information is no longer duplicated across items. See the rpmverifyfile_item and rpmverifypackage_item. This item has been deprecated and will be removed in version 6.0 of the language.

This is the package name to check.
The filepath element specifies the absolute path for a file or directory in the specified package.
The size_differs entity aligns with the first character ('S' flag) in the character string in the output generated by running rpm -V on a specific file.
The mode_differs entity aligns with the second character ('M' flag) in the character string in the output generated by running rpm -V on a specific file.
The md5_differs entity aligns with the third character ('5' flag) in the character string in the output generated by running rpm -V on a specific file.
The device_differs entity aligns with the fourth character ('D' flag) in the character string in the output generated by running rpm -V on a specific file.
The link_mismatch entity aligns with the fifth character ('L' flag) in the character string in the output generated by running rpm -V on a specific file.
The ownership_differs entity aligns with the sixth character ('U' flag) in the character string in the output generated by running rpm -V on a specific file.
The group_differs entity aligns with the seventh character ('U' flag) in the character string in the output generated by running rpm -V on a specific file.
The mtime_differs entity aligns with the eighth character ('T' flag) in the character string in the output generated by running rpm -V on a specific file.
The size_differs entity aligns with the ninth character ('P' flag) in the character string in the output generated by running rpm -V on a specific file.
The configuration_file entity represents the configuration file attribute marker that may be present on a file.
The documentation_file entity represents the documentation file attribute marker that may be present on a file.
The ghost_file entity represents the ghost file attribute marker that may be present on a file.
The license_file entity represents the license file attribute marker that may be present on a file.
The readme_file entity represents the readme file attribute marker that may be present on a file.

This item stores the verification results of the individual files in an rpm similar to what is produced by the rpm -V command.

This is the package name to check.
This is the epoch number of the RPM; it is used as a kludge for version-release comparisons where the vendor has done some kind of re-numbering or version forking. For a null epoch (or '(none)' as returned by rpm) the string '(none)' should be used. This number is not revealed by a normal query of the RPM's information -- you must use a formatted rpm query command to gather this data from the command line, like so.
For an already-installed RPM:
    rpm -q --qf '%{EPOCH}\n' installed_rpm
For an RPM file that has not been installed:
    rpm -qp --qf '%{EPOCH}\n' rpm_file
This is the version number of the build. In the case of an apache rpm named httpd-2.0.40-21.11.4.i686.rpm, this value would be 2.0.40.
This is the release number of the build, changed by the vendor/builder.
This is the architecture for which the RPM was built, like: i386, ppc, sparc, noarch. In the case of an apache rpm named httpd-2.0.40-21.11.4.i686.rpm, this value would be i686.
The filepath element specifies the absolute path for a file or directory in the specified package.
This represents the name, epoch, version, release, and architecture fields as a single version string.
It has the form "NAME-EPOCH:VERSION-RELEASE.ARCHITECTURE". Note that a null epoch (or '(none)' as returned by rpm) is equivalent to '0' and would hence have the form NAME-0:VERSION-RELEASE.ARCHITECTURE.
The size_differs entity aligns with the first character ('S' flag) in the character string in the output generated by running rpm -V on a specific file.
The mode_differs entity aligns with the second character ('M' flag) in the character string in the output generated by running rpm -V on a specific file.
The md5_differs entity aligns with the third character ('5' flag) in the character string in the output generated by running rpm -V on a specific file. Deprecated as of 5.11.1:1.1: replaced by the filedigest_differs entity. This entity has been deprecated and will be removed in version 6.0 of the language.
The filedigest_differs entity aligns with the third character ('5' flag) in the character string in the output generated by running rpm -V on a specific file. This replaces the md5_differs entity due to naming changes for verification and reporting options.
The device_differs entity aligns with the fourth character ('D' flag) in the character string in the output generated by running rpm -V on a specific file.
The link_mismatch entity aligns with the fifth character ('L' flag) in the character string in the output generated by running rpm -V on a specific file.
The ownership_differs entity aligns with the sixth character ('U' flag) in the character string in the output generated by running rpm -V on a specific file.
The group_differs entity aligns with the seventh character ('U' flag) in the character string in the output generated by running rpm -V on a specific file.
The mtime_differs entity aligns with the eighth character ('T' flag) in the character string in the output generated by running rpm -V on a specific file.
The size_differs entity aligns with the ninth character ('P' flag) in the character string in the output generated by running rpm -V on a specific file.
The configuration_file entity represents the configuration file attribute marker that may be present on a file.
The documentation_file entity represents the documentation file attribute marker that may be present on a file.
The ghost_file entity represents the ghost file attribute marker that may be present on a file.
The license_file entity represents the license file attribute marker that may be present on a file.
The readme_file entity represents the readme file attribute marker that may be present on a file.

This item stores the rpm verification results of an rpm similar to what is produced by the rpm -V command.

This is the package name to check.
This is the epoch number of the RPM; it is used as a kludge for version-release comparisons where the vendor has done some kind of re-numbering or version forking. For a null epoch (or '(none)' as returned by rpm) the string '(none)' should be used. This number is not revealed by a normal query of the RPM's information -- you must use a formatted rpm query command to gather this data from the command line, like so.
For an already-installed RPM:
    rpm -q --qf '%{EPOCH}\n' installed_rpm
For an RPM file that has not been installed:
    rpm -qp --qf '%{EPOCH}\n' rpm_file
This is the version number of the build. In the case of an apache rpm named httpd-2.0.40-21.11.4.i686.rpm, this value would be 2.0.40.
This is the release number of the build, changed by the vendor/builder.
This is the architecture for which the RPM was built, like: i386, ppc, sparc, noarch. In the case of an apache rpm named httpd-2.0.40-21.11.4.i686.rpm, this value would be i686.
This represents the name, epoch, version, release, and architecture fields as a single version string. It has the form "NAME-EPOCH:VERSION-RELEASE.ARCHITECTURE". Note that a null epoch (or '(none)' as returned by rpm) is equivalent to '0' and would hence have the form NAME-0:VERSION-RELEASE.ARCHITECTURE.
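The EVR forms used by the dpkg and rpm items above (the "EPOCH:VERSION-RELEASE" string, the '(none)' epoch that equals 0, and the warning that Debian and RPM version strings are compared by different algorithms), as an added example that is not part of the OVAL schema or of any OVAL interpreter: parse_evr normalises the epoch, rpmvercmp follows rpm's segment comparison (rpm's newer '^' operator is left out, an assumption), debvercmp follows dpkg's verrevcmp, and compare_evr shows that one pair of versions gets opposite answers from the two.

```python
import re

SEP, NUM, ALPHA = r"[^0-9A-Za-z~]*", r"[0-9]*", r"[A-Za-z]*"

def parse_evr(evr):
    # 'EPOCH:VERSION-RELEASE'; a missing or '(none)' epoch is normalised to 0
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "(none)", evr
    version, _, release = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return (0 if epoch == "(none)" else int(epoch)), version, release

def _take(s, k, pattern):
    # the (possibly empty) match of pattern at the start of s[k:]
    return re.match(pattern, s[k:]).group()

def rpmvercmp(a, b):
    # rpm's segment comparison: alternating numeric and alphabetic segments,
    # '~' sorts before anything (even end of string), any other non-alphanumeric
    # is a separator with no meaning. rpm's newer '^' operator is not modelled.
    i = j = 0
    while i < len(a) or j < len(b):
        i, j = i + len(_take(a, i, SEP)), j + len(_take(b, j, SEP))
        ta, tb = a[i:i + 1] == "~", b[j:j + 1] == "~"
        if ta or tb:
            if ta != tb:
                return -1 if ta else 1
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b):
            break
        isnum = "0" <= a[i] <= "9"
        sa, sb = _take(a, i, NUM if isnum else ALPHA), _take(b, j, NUM if isnum else ALPHA)
        i, j = i + len(sa), j + len(sb)
        if not sb:                       # number vs. letters: the number is newer
            return 1 if isnum else -1
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    return 0 if i >= len(a) and j >= len(b) else (-1 if i >= len(a) else 1)

def _deb_order(c):
    # dpkg ordering inside non-digit parts: '~' < end of part < letters < others
    return -1 if c == "~" else (ord(c) if c.isalpha() else ord(c) + 256)

def debvercmp(a, b):
    # dpkg's verrevcmp: compare alternating non-digit and digit parts
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _deb_order(a[i]) if i < len(a) and not a[i].isdigit() else 0
            bc = _deb_order(b[j]) if j < len(b) and not b[j].isdigit() else 0
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        da, db = _take(a, i, NUM), _take(b, j, NUM)
        i, j = i + len(da), j + len(db)
        da, db = da.lstrip("0"), db.lstrip("0")
        if len(da) != len(db):
            return len(da) - len(db)
        if da != db:
            return -1 if da < db else 1
    return 0

def compare_evr(a, b, vercmp):
    # epoch first, then version, then release; returns -1, 0 or 1
    (ea, va, ra), (eb, vb, rb) = parse_evr(a), parse_evr(b)
    sign = lambda n: (n > 0) - (n < 0)
    return sign(ea - eb) or sign(vercmp(va, vb)) or sign(vercmp(ra, rb))
```

With "1.a" against "1.1", rpm ranks the numeric segment newer while dpkg compares the non-digit parts ".a" and "." character by character and ranks "1.a" newer, which is the divergence the debian_evr_string datatype exists for.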
The dependency_check_passed entity indicates whether or not the dependency check passed. If the dependency check is not performed, due to the 'nodeps' behavior, this entity must not be collected.
The digest_check_passed entity indicates whether or not the verification of the package or header digests passed. If the digest check is not performed, due to the 'nodigest' behavior, this entity must not be collected. Deprecated in 5.11: the digest_check_passed item entity cannot be collected as implemented, and has become irrelevant. This item entity has been deprecated and will be removed in version 6.0 of the language.
The verification_script_successful entity indicates whether or not the verification script executed successfully. If the verification script is not executed, due to the 'noscripts' behavior, this entity must not be collected.
The signature_check_passed entity indicates whether or not the verification of the package or header signatures passed. If the signature check is not performed, due to the 'nosignature' behavior, this entity must not be collected. Deprecated in 5.11: the signature_check_passed item entity cannot be collected as implemented, and has become irrelevant. This item entity has been deprecated and will be removed in version 6.0 of the language.

This item describes the current and pending status of a SELinux boolean. It extends the standard ItemType as defined in the oval-system-characteristics schema and one should refer to the ItemType description for more information.

The name of the SELinux boolean.
The current_status entity indicates the current state of the specified SELinux boolean.
The pending_status entity indicates the pending state of the specified SELinux boolean.

This item describes the SELinux security context of a file or process on the local system. This item follows the SELinux security context structure: user:role:type:low_sensitivity[:low_category]-high_sensitivity[:high_category].
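A parser for that context structure, as an added example that is not part of the OVAL schema or of any OVAL interpreter: it splits a context string into the user, role, type and level entities, treats a single level such as "s0" as the range s0-s0 as SELinux does, expands an MCS category set, and checks MLS dominance between two levels; the translated (not raw) form of the level is assumed.

```python
import re

SENS = re.compile(r"s\d+")
CATS = re.compile(r"c\d+(?:\.c\d+)?(?:,c\d+(?:\.c\d+)?)*")

def _level(level):
    # 'sN' or 'sN:categories' -> (sensitivity, categories or None), validated
    sens, _, cats = level.partition(":")
    if not SENS.fullmatch(sens) or (cats and not CATS.fullmatch(cats)):
        raise ValueError("malformed MLS level: %r" % level)
    return sens, (cats or None)

def parse_selinux_context(context):
    # Split 'user:role:type[:low[:lowcat][-high[:highcat]]]' into the item's
    # entities. A single level such as 's0' stands for the range s0-s0, as it
    # does in SELinux; a context from a system without MLS/MCS has no level,
    # so the level entities stay None. Translated (not raw) form is assumed.
    parts = context.split(":", 3)
    if len(parts) < 3 or not all(parts[:3]):
        raise ValueError("malformed SELinux context: %r" % context)
    item = {"user": parts[0], "role": parts[1], "type": parts[2],
            "low_sensitivity": None, "low_category": None,
            "high_sensitivity": None, "high_category": None}
    if len(parts) == 4:
        low, _, high = parts[3].partition("-")
        item["low_sensitivity"], item["low_category"] = _level(low)
        item["high_sensitivity"], item["high_category"] = _level(high or low)
    return item

def expand_categories(cats):
    # 'c0.c3,c7' -> {0, 1, 2, 3, 7}; a '.' range is inclusive at both ends
    out = set()
    for piece in cats.split(","):
        lo, _, hi = piece.partition(".")
        out.update(range(int(lo[1:]), int((hi or lo)[1:]) + 1))
    return out

def dominates(level_a, level_b):
    # MLS dominance of two levels written as 'sN[:categories]': a dominates b
    # when its sensitivity is not lower and its category set includes b's.
    (sa, ca), (sb, cb) = _level(level_a), _level(level_b)
    cats = lambda c: expand_categories(c) if c else set()
    return int(sa[1:]) >= int(sb[1:]) and cats(cb) <= cats(ca)
```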
It extends the standard ItemType as defined in the oval-system-characteristics schema and one should refer to the ItemType description for more information.

The filepath element specifies the absolute path for a file on the machine. A directory cannot be specified as a filepath.
The path element specifies the directory component of the absolute path to a file on the machine.
The name of the file. If the xsi:nil attribute is set to true, then the item being represented is the higher directory represented by the path entity.
This is the process ID of the process.
The user element specifies the SELinux user that either created the file or started the process.
The role element specifies the types that a process may transition to (domain transitions). Note that this entity is not relevant for files and will always have a value of object_r.
The type element specifies the domain in which the file is accessible or the domain in which a process executes.
The low_sensitivity element specifies the current sensitivity of a file or process.
The low_category element specifies the set of categories associated with the low sensitivity.
The high_sensitivity element specifies the maximum range for a file or the clearance for a process.
The high_category element specifies the set of categories associated with the high sensitivity.
The rawlow_sensitivity element specifies the current sensitivity of a file or process but in its raw context.
The rawlow_category element specifies the set of categories associated with the low sensitivity but in its raw context.
The rawhigh_sensitivity element specifies the maximum range for a file or the clearance for a process but in its raw context.
The rawhigh_category element specifies the set of categories associated with the high sensitivity but in its raw context.

This item describes info related to Slackware packages.
It extends the standard ItemType as defined in the oval-system-characteristics schema and one should refer to the ItemType description for more information.

This is the package name to check.
This is the version number of the package.
This is the architecture the package is designed for.
This is the revision of the package.

This item stores the dependencies of the systemd unit. Please refer to the individual elements in the schema for more details about what each represents.

The unit entity refers to the full systemd unit name, which has the form "$name.$type", for example "cupsd.service". This name is usually also the filename of the unit configuration file located in the /etc/systemd/ and /usr/lib/systemd/ directories.
The dependency entity refers to the name of a unit that was confirmed to be a dependency of the given unit.

This item stores the properties and values of a systemd unit.

The unit entity refers to the full systemd unit name, which has the form "$name.$type", for example "cupsd.service". This name is usually also the filename of the unit configuration file located in the /etc/systemd/ and /usr/lib/systemd/ directories.
The name of the property associated with a systemd unit.
The value of the property associated with a systemd unit. Exactly one value shall be used for all property types except dbus arrays; each array element shall be represented by one value.

The EntityItemRpmVerifyResultType complex type restricts a string value to the set of possible outcomes of checking an attribute of a file included in an RPM against the actual value of that attribute in the RPM database. The empty string is also allowed to support empty elements associated with error conditions.

'pass' indicates that the test passed and is equivalent to the '.' value reported by the rpm -V command.
'fail' indicates that the test failed and is equivalent to a bold character in the test result string reported by the rpm -V command.
'not performed' indicates that the test could not be performed and is equivalent to the '?' value reported by the rpm -V command.
The empty string value is permitted here to allow for detailed error reporting.

The EntityStateProtocolType complex type restricts a string value to the set of physical layer protocols used by AF_PACKET sockets. The empty string is also allowed to support the empty element associated with variable references. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.

Ethernet loopback packet.
Xerox PUP packet.
Xerox PUP Address Transport packet.
Internet protocol packet.
CCITT X.25 packet.
Address resolution packet.
G8BPQ AX.25 ethernet packet.
Xerox IEEE802.3 PUP packet.
Xerox IEEE802.3 PUP address transport packet.
DEC assigned protocol.
DEC DNA Dump/Load.
DEC DNA Remote Console.
DEC DNA Routing.
DEC LAT.
DEC Diagnostics.
DEC Customer use.
DEC Systems Comms Arch.
Reverse address resolution packet.
Appletalk DDP.
Appletalk AARP.
802.1Q VLAN Extended Header.
IPX over DIX.
IPv6 over bluebook.
Slow Protocol. See 802.3ad 43B.
Web-cache coordination protocol.
PPPoE discovery messages.
PPPoE session messages.
MPLS Unicast traffic.
MPLS Multicast traffic.
MultiProtocol Over ATM.
Frame-based ATM Transport over Ethernet.
ATA over Ethernet.
TIPC.
Dummy type for 802.3 frames.
Dummy protocol id for AX.25.
Every packet.
802.2 frames.
Internal only.
DEC DDCMP: Internal only.
Dummy type for WAN PPP frames.
Dummy type for PPP MP frames.
Dummy type for Atalk over PPP.
Localtalk pseudo type.
802.2 frames.
Mobitex.
Card specific control frames.
Linux-IrDA.
Acorn Econet.
HDLC frames.
1A for ArcNet.
The empty string value is permitted here to allow for detailed error reporting.
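Mapping rpm -V output onto the rpmverifyfile_item entities and the EntityItemRpmVerifyResultType values described above, as an added example that is not the schema's or any OVAL interpreter's code. The flag letters are rpm's own result string (position seven is 'G' for group, position nine is 'P' for capabilities); the ninth entity is named capabilities_differ here, an assumption, because the schema text repeats size_differs for it; a 'missing' file is reported as 'not performed' for every check, also an assumption; the input lines are constructed.

```python
import re

# Entity per position in the nine-character rpm -V result string, in the order
# the schema text lists them; the letters are rpm's own flags. The ninth entity
# is named capabilities_differ here (assumption): the schema text repeats
# size_differs for it, but the ninth flag 'P' is rpm's capabilities check.
ENTITIES = ("size_differs", "mode_differs", "filedigest_differs", "device_differs",
            "link_mismatch", "ownership_differs", "group_differs", "mtime_differs",
            "capabilities_differ")
FLAGS = "SM5DLUGTP"
MARKERS = {"c": "configuration_file", "d": "documentation_file", "g": "ghost_file",
           "l": "license_file", "r": "readme_file"}
LINE = re.compile(r"^(?P<result>[SM5DLUGTP.?]{9}|missing)\s+"
                  r"(?:(?P<marker>[cdglr])\s+)?(?P<path>/.*?)\s*$")

def parse_rpm_verify_line(line):
    # One rpm -V line -> the rpmverifyfile_item entities for that file, with
    # each check as 'pass' ('.'), 'fail' (flag letter) or 'not performed' ('?').
    m = LINE.match(line)
    if not m:
        raise ValueError("not an rpm -V result line: %r" % line)
    item = {"filepath": m.group("path")}
    for name in MARKERS.values():
        item[name] = False
    if m.group("marker"):
        item[MARKERS[m.group("marker")]] = True
    if m.group("result") == "missing":
        # the file is absent, so no attribute could be checked (assumption)
        item.update((name, "not performed") for name in ENTITIES)
        return item
    for name, flag, ch in zip(ENTITIES, FLAGS, m.group("result")):
        if ch not in (".", "?", flag):
            raise ValueError("flag %r is not valid at the %s position" % (ch, name))
        item[name] = {".": "pass", "?": "not performed"}.get(ch, "fail")
    return item

def parse_rpm_verify_output(text):
    # every non-blank line of an rpm -V run -> list of items
    return [parse_rpm_verify_line(l) for l in text.splitlines() if l.strip()]

def unexpected_changes(items):
    # Files with a failed check that are neither configuration files (which
    # administrators edit legitimately) nor ghost files (never installed by the
    # package): a first filter when triaging rpm -V output for tampering.
    return [it["filepath"] for it in items
            if not it["configuration_file"] and not it["ghost_file"]
            and any(it[e] == "fail" for e in ENTITIES)]

# Constructed sample of rpm -V output (not taken from a real system).
SAMPLE = """\
S.5....T.  c /etc/ssh/sshd_config
..5......    /usr/sbin/sshd
.......T.  d /usr/share/doc/openssh/README
missing     /usr/share/man/man8/sshd.8.gz
.M.......  g /var/log/lastlog
"""

if __name__ == "__main__":
    for path in unexpected_changes(parse_rpm_verify_output(SAMPLE)):
        print("changed file outside config/ghost:", path)
```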