The following is a description of the elements, types, and attributes that compose the Solaris specific system characteristic items found in Open Vulnerability and Assessment Language (OVAL). Each item is an extension of the standard test element defined in the Core Definition Schema. Through extension, each test inherits a set of elements and attributes that are shared amongst all OVAL tests. Each test is described in detail and should provide the information necessary to understand what each element and attribute represents. This document is intended for developers and assumes some familiarity with XML. A high level description of the interaction between the different tests and their relationship to the Core Definition Schema is not outlined here. The OVAL Schema is maintained by the OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.cisecurity.org. Solaris System Characteristics 5.11.1:1.1 11/30/2016 09:00:00 AM Copyright (c) 2016, Center for Internet Security. All rights reserved. The contents of this file are subject to the terms of the OVAL License located at https://oval.cisecurity.org/terms. See the OVAL License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the OVAL Schema, this license header must be included. This item stores the facet properties and values of an IPS system image. Specifies the path to the Solaris IPS image. Specifies the name of the facet property associated with an IPS image. Specifies the value of the facet property associated with an IPS image. This item stores system state information associated with an IPS image on a Solaris system. The path to the Solaris IPS image. The name of the property associated with the Solaris IPS image. The value of a property that is associated with a Solaris IPS image. Information about the instruction set architectures. This information can be retrieved by the isainfo command. The isainfo_item was originally developed by Robert L. Hollis at ThreatGuard, Inc. Many thanks for their support of the OVAL project. This is the number of bits in the address space of the native instruction set (isainfo -b). This is the name of the instruction set used by kernel components (isainfo -k). This is the name of the instruction set used by portable applications (isainfo -n). This item represents data collected by the ndd command. The name of the device for which the parameter was collected. The instance of the device to examine. Certain devices may have multiple instances on a system. If multiple instances exist, this entity should be populated with its respective instance value. If only a single instance exists, this entity should not be collected. The name of a parameter for example, ip_forwarding The observed value of the named parameter. The package_item holds information about installed SVR4 packages. Output of /usr/bin/pkginfo. See pkginfo(1). This item stores system state information associated with IPS packages installed on a Solaris system. The person, group of persons, or organization that is the source of the package. The publisher should be expressed without leading "pkg:" or "//" components. The full hierarchical name of the package which is separated by forward slash characters. The full name should be expressed without leading "pkg:/" or "/" components. The version of the package which consists of the component version, build version, and branch version. The timestamp when the package was published in the ISO-8601 basic format (YYYYMMDDTHHMMSSZ). The Fault Management Resource Identifier (FMRI) of the package which uniquely identifies the package on the system. A summary of what the package provides. A description of what the package provides. The category of the package. A boolean value indicating whether or not updates are available for this package. This item stores the FMRI associated with associated with IPS packages that have been flagged as to be avoided from installation on a Solaris system. The Fault Management Resource Identifier (FMRI) of the package which uniquely identifies the package on the system. The packagecheck_item holds verification information about an individual file that is part of an installed SVR4 package. Each packagecheck_item contains a package designation, filepath, whether the checksum differs, whether the size differs, whether the modfication time differs, and how the actual permissions differ from the expected permissions. For more information, see pkgchk(1M). It extends the standard ItemType as defined in the oval-system-characteristics schema and one should refer to the ItemType description for more information. The pkginst entity is a string that represents a package designation by its instance. An instance can be the package abbreviation or a specific instance (for example, inst.1 or inst.2). The filepath element specifies the absolute path for a file or directory in the specified package.. Has the file's checksum changed? A value of true indicates that the file's checksum has changed. A value of false indicates that the file's checksum has not changed. Has the file's size changed? A value of true indicates that the file's size has changed. A value of false indicates that the file's size has not changed. Has the file's modified time changed? A value of true indicates that the file's modified time has changed. A value of false indicates that the file's modified time has not changed. Has the actual user read permission changed from the expected user read permission? Has the actual user write permission changed from the expected user write permission? Has the actual user exec permission changed from the expected user exec permission? Has the actual group read permission changed from the expected group read permission? Has the actual group write permission changed from the expected group write permission? Has the actual group exec permission changed from the expected group exec permission? Has the actual others read permission changed from the expected others read permission? Has the actual others read permission changed from the expected others read permission? Has the actual others read permission changed from the expected others read permission? This item stores the FMRI associated with associated with IPS packages that have been frozen at a particular version. The Fault Management Resource Identifier (FMRI) of the package which uniquely identifies the package on the system. This item stores system state information associated with IPS package publishers on a Solaris system. The name of the IPS package publisher. The type of the IPS package publisher. The origin URI of the IPS package publisher. The alias of the IPS package publisher. The Secure Socket Layer (SSL) key registered by a client for publishers using client-side SSL authentication. The Secure Socket Layer (SSL) certificate registered by a client for publishers using client-side SSL authentication. The universally unique identifier (UUID) that identifies the image to its publisher. The last time that the IPS package publisher's catalog was updated in seconds since the Unix epoch. The Unix epoch is the time 00:00:00 UTC on January 1, 1970. Specifies whether or not the publisher is enabled. Specifies where in the search order the IPS package publisher is listed. The first publisher in the search order will have a value of '1'. The properties associated with an IPS package publisher. Patches for SVR4 packages are identified by unique alphanumeric strings, with the patch base code first, a hyphen, and a number that represents the patch revision number. The information can be obtained using /usr/bin/showrev -p. Please see showrev(1M). The base entity reresents a patch base code found before the hyphen. The version entity represents a patch version number found after the hyphen. The smf_item is used to hold information related to service management facility controlled services The FMRI (Fault Managed Resource Identifier) entity holds the identifier associated with a service. Services managed by SMF are assigned FMRI URIs prefixed with the scheme name "svc". FMRIs used by SMF can be expressed in three ways: first as an absolute path including a location path such as "localhost" (eg svc://localhost/system/system-log:default), second as a path relative to the local machine (eg svc:/system/system-log:default), and third as simply the service identifier with the string prefixes implied (eg system/system-log:default). For OVAL, the absolute path version (first choice) should be used. The service_name entity is usually an abbreviated form of the FMRI. In the example svc://localhost/system/system-log:default, the name would be system-log. The service_state entity describes the state that the service is in. Each service instance is always in a well-defined state based on its dependencies, the results of the execution of its methods, and its potential receipt of events from the contracts filesystem. The service_state values are UNINITIALIZED, OFFLINE, ONLINE, DEGRADED, MAINTENANCE, DISABLED, and LEGACY-RUN. The protocol entity describes the protocol supported by the service. The entity server_executable is a string representing the listening daemon on the server side. An example being 'svcprop ftp' which might show 'inetd/start/exec astring /usr/sbin/in.ftpd\ -a' The server_arguments entity describes the parameters that are passed to the service. The exec_as_user entity is a string pulled from svcprop in the following format: inetd_start/user astring root This item stores the properties and values of an SMF service. Specifies the SMF service on the system. This is the service category and name separated by a forward slash ("/"). Specifies the instance of an SMF service which represents a specific configuration of a service. The name of the property associated with an SMF service. This is the property category and name separated by a forward slash ("/"). The Fault Management Resource Identifier (FMRI) of the SMF service which uniquely identifies the service on the system. Specifies the value of the property associated with an SMF service. This item stores the variant properties and values of the specified IPS system image. Specifies the path to the Solaris IPS image. Specifies the name of the variant property associated with an IPS image. Specifies the value of the variant property associated with an IPS image. This item stores the information associated with the current virtualization environment this instance of Solaris is running on and is capable of supporting. The name of the current environment. This information could be collected using the libv12n library or by executing the 'virtinfo -c current list -H -o name' command. The list of virtualization environments that this node supports as children. This information could be collected using the libv12n library or by executing the 'virtinfo -c supported list -H -o name' command. The parent environment of the current environment. This information could be collected using libv12n library or by executing the 'virtinfo -c parent list -H -o name' command. The logical domain roles associated with the current environment. This information could be collected using libv12n library. The properties associated with the current environment. This information could be collected using libv12n library. The EntityItemClientUUIDType restricts a string value to a representation of a client UUID, used to identify an image to its IPS package publisher. The empty string is also allowed to support empty element associated with error conditions. The EntityItemPermissionCompareType complex type restricts a string value to more, less, or same which specifies if an actual permission is different than the expected permission (more or less restrictive) or if the permission is the same. The empty string is also allowed to support empty elements associated with error conditions. The actual permission is more restrictive than the expected permission. The actual permission is less restrictive than the expected permission. The actual permission is the same as the expected permission. The empty string value is permitted here to allow for detailed error reporting. The EntityItemPublisherTypeType complex type restricts a string value to three values: archive, mirror, or origin that specifies how the publisher distributes their packages. The empty string is also allowed to support empty elements associated with error conditions. The value of 'archive' specifies that the publisher distributes packages by providing a file that contains one or more packages. The value of 'mirror' specifies that the publisher distributes packages by providing a package repository that contains only package content. The value of 'origin' specifies that the publisher distributes packages by providing a package repository that contains both package metadata and package content. The empty string value is permitted here to allow for detailed error reporting. The EntityItemSmfServiceStateType defines the different values that are valid for the service_state entity of a smf_item. The empty string is also allowed as a valid value to support empty emlements associated with error conditions. The instance is enabled and running or available to run. The instance, however, is functioning at a limited capacity in comparison to normal operation. The instance is disabled. The instance is enabled, but not able to run. Administrative action is required to restore the instance to offline and subsequent states. This state represents a legacy instance that is not managed by the service management facility. Instances in this state have been started at some point, but might or might not be running. The instance is enabled, but not yet running or available to run. The instance is enabled and running or is available to run. This is the initial state for all service instances. The empty string value is permitted here to allow for detailed error reporting. The EntityItemV12NEnvypeType complex type restricts a string value to a specific set of values that describe the virtalization environment. The empty string is also allowed to support empty elements associated with error conditions. The virtualization environment is unknown. This could mean it is a bare metal virtualization environment. The virtualization environment is a Kernel-based Virtual Machine (KVM). The virtualization environment is a logical domain. The virtualization environment is a non-global zone. The virtualization environment is a kernel zone. The virtualization environment is VMware. The virtualization environment is Oracle VirtualBox. The virtualization environment is Xen. The empty string value is permitted here to allow for detailed error reporting. The EntityItemLDOMRoleType complex type restricts a string value to a specific set of roles for the current virtualization environment. The empty string is also allowed to support empty elements associated with error conditions. The current virtualization environment is a control domain. The current virtualization environment is an I/O domain. The current virtualization environment is a root I/O domain. The current virtualization environment is a service domain. The empty string value is permitted here to allow for detailed error reporting.