The following is a description of the elements, types, and attributes that compose the UNIX specific system characteristic items found in Open Vulnerability and Assessment Language (OVAL). Each item is an extension of the standard item element defined in the Core System Characteristic Schema. Through extension, each item inherits a set of elements and attributes that are shared amongst all OVAL Items. Each item is described in detail and should provide the information necessary to understand what each element and attribute represents. This document is intended for developers and assumes some familiarity with XML. A high level description of the interaction between the different tests and their relationship to the Core System Characteristic Schema is not outlined here.

The OVAL Schema is maintained by the OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.cisecurity.org.

Unix System Characteristics 5.11.1:1.2, 11/30/2016 09:00:00 AM

Copyright (c) 2016, Center for Internet Security. All rights reserved. The contents of this file are subject to the terms of the OVAL License located at https://oval.cisecurity.org/terms. See the OVAL License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the OVAL Schema, this license header must be included.

The dnscache_item stores information retrieved from the DNS cache about a domain name, its time to live, and its corresponding IP addresses.
The domain_name element contains a string that represents a domain name that was collected from the DNS cache on the local system.
The ttl element contains an integer that represents the time to live in seconds of the DNS cache entry.
The ip_address element contains a string that represents an IP address associated with the specified domain name. Note that the IP address can be IPv4 or IPv6.
The file item holds information about the individual files found on a system. Each file item contains path and filename information as well as its type, associated user and group ids, relevant dates, and the privileges granted. It extends the standard ItemType as defined in the oval-system-characteristics schema and one should refer to the ItemType description for more information.
The filepath element specifies the absolute path for a file on the machine. A directory cannot be specified as a filepath.
The path element specifies the directory component of the absolute path to a file on the machine.
The name of the file. If the xsi:nil attribute is set to true, then the item being represented is the higher directory represented by the path entity.
This is the file's type: regular file (regular), directory, named pipe (fifo), symbolic link, socket or block special.
This is the group owner of the file, by group number. The value of group_id must be greater than zero.
The numeric user id, or uid, is the third column of each user's entry in /etc/passwd. This element represents the owner of the file. The value of user_id must be greater than zero.
This is the time that the file was last accessed, in seconds since the Unix epoch. The Unix epoch is the time 00:00:00 UTC on January 1, 1970.
This is the time of the last change to the file's inode, in seconds since the Unix epoch. The Unix epoch is the time 00:00:00 UTC on January 1, 1970. An inode is a Unix data structure that stores all of the information about a particular file.
This is the time of the last change to the file's contents, in seconds since the Unix epoch. The Unix epoch is the time 00:00:00 UTC on January 1, 1970.
This is the size of the file in bytes.
Does the program run with the uid (thus privileges) of the file's owner, rather than the calling user?
Does the program run with the gid (thus privileges) of the file's group owner, rather than the calling user's group?
Can users delete each other's files in this directory, when said directory is writable by those users?
Can the owner (user owner) of the file read this file or, if a directory, read the directory contents?
Can the owner (user owner) of the file write to this file or, if a directory, write to the directory?
Can the owner (user owner) of the file execute it or, if a directory, change into the directory?
Can the group owner of the file read this file or, if a directory, read the directory contents?
Can the group owner of the file write to this file or, if a directory, write to the directory?
Can the group owner of the file execute it or, if a directory, change into the directory?
Can all other users read this file or, if a directory, read the directory contents?
Can the other users write to this file or, if a directory, write to the directory?
Can the other users execute this file or, if a directory, change into the directory?
Does the file or directory have ACL permissions applied to it? If a system supports ACLs and the file or directory doesn't have an ACL, or it matches the standard UNIX permissions, the entity will have a status of 'exists' and a value of 'false'. If the system supports ACLs and the file or directory has an ACL, the entity will have a status of 'exists' and a value of 'true'. Lastly, if a system doesn't support ACLs, the entity will have a status of 'does not exist'.

The file extended attribute item holds information about the individual file extended attributes found on a system. Each file extended attribute item contains path, filename, and attribute name information as well as the attribute's value. It extends the standard ItemType as defined in the oval-system-characteristics schema and one should refer to the ItemType description for more information.
The filepath element specifies the absolute path for a file on the machine. A directory cannot be specified as a filepath.
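As an added example, not part of the OVAL schema documentation or of any OVAL collector, the Python below derives the file item's type and permission entities described above from a POSIX st_mode value and then applies the kind of baseline check an assessor builds on them (world-writable files, setuid/setgid binaries). The entity names follow the descriptions above; the "unknown" type value, collect_file_item and risk_flags are this example's own.

```python
import os
import stat

# st_mode format bits -> the type values the file item describes
# (regular, directory, fifo, symbolic link, socket, block special).
FILE_TYPES = {
    stat.S_IFREG: "regular",
    stat.S_IFDIR: "directory",
    stat.S_IFIFO: "fifo",
    stat.S_IFLNK: "symbolic link",
    stat.S_IFSOCK: "socket",
    stat.S_IFBLK: "block special",
}

# Permission entities in the order the item describes them: setuid, setgid,
# sticky, then read/write/execute for the user owner, group owner and others.
MODE_BITS = (
    ("suid", stat.S_ISUID), ("sgid", stat.S_ISGID), ("sticky", stat.S_ISVTX),
    ("uread", stat.S_IRUSR), ("uwrite", stat.S_IWUSR), ("uexec", stat.S_IXUSR),
    ("gread", stat.S_IRGRP), ("gwrite", stat.S_IWGRP), ("gexec", stat.S_IXGRP),
    ("oread", stat.S_IROTH), ("owrite", stat.S_IWOTH), ("oexec", stat.S_IXOTH),
)


def mode_entities(st_mode):
    """Derive the type and the twelve permission booleans from a raw st_mode.
    Takes a plain integer, so it can be exercised without touching the
    filesystem. "unknown" is this example's placeholder for formats the
    item does not list (for instance character devices)."""
    entities = {"type": FILE_TYPES.get(stat.S_IFMT(st_mode), "unknown")}
    for name, bit in MODE_BITS:
        entities[name] = bool(st_mode & bit)
    return entities


def collect_file_item(filepath):
    """Build a file_item-style dict for a real absolute path. lstat() is used
    so that a symbolic link is reported as one rather than followed."""
    st = os.lstat(filepath)
    path, filename = os.path.split(filepath)
    item = {
        "filepath": filepath,
        "path": path,
        "filename": filename,
        "group_id": st.st_gid,
        "user_id": st.st_uid,
        "a_time": int(st.st_atime),  # seconds since the Unix epoch
        "c_time": int(st.st_ctime),  # last inode change
        "m_time": int(st.st_mtime),  # last content change
        "size": st.st_size,
    }
    item.update(mode_entities(st.st_mode))
    return item


def risk_flags(item):
    """Findings a baseline check commonly derives from these entities.
    A sticky, world-writable directory (the /tmp layout) is the intended
    configuration and is not flagged, and symbolic link modes carry no
    meaning; a world-writable regular file or a setuid/setgid regular
    file is flagged."""
    flags = []
    tmp_style_dir = item["type"] == "directory" and item["sticky"]
    if item["owrite"] and item["type"] != "symbolic link" and not tmp_style_dir:
        flags.append("world-writable")
    if item["type"] == "regular" and item["suid"]:
        flags.append("setuid")
    if item["type"] == "regular" and item["sgid"]:
        flags.append("setgid")
    return flags


if __name__ == "__main__":
    # Constructed mode values: a setuid binary, a /tmp-style directory, a 0666 file.
    for mode in (0o104755, 0o041777, 0o100666):
        ent = mode_entities(mode)
        print(oct(mode), ent["type"], risk_flags(ent))
    print(collect_file_item(os.path.abspath(__file__)))
```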
The path element specifies the directory component of the absolute path to a file on the machine.
The name of the file. If the xsi:nil attribute is set to true, then the item being represented is the higher directory represented by the path entity.
This is the extended attribute's name, identifier or key.
This is the extended attribute's value or contents.

The gconf_item holds information about an individual GConf preference key found on a system. Each gconf_item contains a preference key, source, type, whether it's writable, the user who last modified it, the time it was last modified, whether it's the default value, as well as the preference key's value. It extends the standard ItemType as defined in the oval-system-characteristics schema and one should refer to the ItemType description for more information.
The preference key to check.
The source used to look up the preference key.
The type of the preference key.
Is the preference key writable? If true, the preference key is writable. If false, the preference key is not writable.
The user who last modified the preference key.
The time the preference key was last modified in seconds since the Unix epoch. The Unix epoch is the time 00:00:00 UTC on January 1, 1970.
Is the preference key value the default value? If true, the preference key value is the default value. If false, the preference key value is not the default value.
The value of the preference key.

The inetd item holds information associated with different Internet services. It extends the standard ItemType as defined in the oval-system-characteristics schema and one should refer to the ItemType description for more information.
A recognized protocol listed in the file /etc/inet/protocols.
The name of a valid service listed in the services file.
For RPC services, the value of the service-name field consists of the RPC service name or program number, followed by a '/' (slash) and either a version number or a range of version numbers (for example, rstatd/2-4).
Either the pathname of a server program to be invoked by inetd to perform the requested service, or the value internal if inetd itself provides the service.
The arguments for running the service. These are either passed to the server program invoked by inetd, or used to configure a service provided by inetd. In the case of server programs, the arguments shall begin with argv[0], which is typically the name of the program. In the case of a service provided by inetd, the first argument shall be the word "internal".
The endpoint type (also known as the socket type) associated with the service.
The user id of the user the server program should run under. (This allows for running with less permission than root.)
This field has the values wait or nowait. This entry specifies whether the server that is invoked by inetd will take over the listening socket associated with the service, and whether, once launched, inetd will wait for that server to exit, if ever, before it resumes listening for new service requests.

The interface item holds information about the interfaces on a system. Each interface item contains name and address information as well as any associated flags. It extends the standard ItemType as defined in the oval-system-characteristics schema and one should refer to the ItemType description for more information.
The name entity is the actual name of the specific interface. Examples might be eth0, eth1, fw0, etc.
This element specifies the type of interface.
The hardware_addr entity is the hardware or MAC address of the physical network card. MAC addresses should be formatted according to the IEEE 802-2001 standard, which states that a MAC address is a sequence of six octet values, separated by hyphens, where each octet is represented by two hexadecimal digits.
Uppercase letters should also be used to represent the hexadecimal digits A through F.
The inet_addr entity is the IP address of the specific interface. Note that the IP address can be IPv4 or IPv6. If the IP address is an IPv6 address, this entity should be expressed as an IPv6 address prefix using CIDR notation and the netmask entity should not be collected.
The broadcast_addr entity is the broadcast IP address for this interface's network. Note that the IP address can be IPv4 or IPv6.
This is the bitmask used to calculate the interface's IP network. The network number is calculated by bitwise-ANDing this with the IP address. The host number on that network is calculated by bitwise-XORing this with the IP address. Note that if the inet_addr entity contains an IPv6 address prefix, this entity should not be collected.
This is the interface flag line, which generally contains flags like "UP" to denote an active interface, "PROMISC" to note that the interface is listening for Ethernet frames not specifically addressed to it, and others.

/etc/passwd. See passwd(4).
This is the name of the user for which data was gathered.
This is the encrypted version of the user's password.
The numeric user id, or uid, is the third column of each user's entry in /etc/passwd.
The id of the primary UNIX group the user belongs to.
The GECOS (or GCOS) field from /etc/passwd; typically contains the user's full name.
The user's home directory.
The user's shell program.
The date and time when the last login occurred. This value is stored as the number of seconds that have elapsed since 00:00:00, January 1, 1970, UTC.

Output of /usr/bin/ps. See ps(1).
Deprecated as of version 5.8: The process_item has been deprecated and replaced by the process58_item. The entity 'command' was changed to 'command_line' in the process58_item to accurately describe what information is collected. Please see the process58_item for additional information.
DEPRECATED ITEM: ID:
This specifies the command/program name about which data has been collected.
This is the cumulative CPU time, formatted in [DD-]HH:MM:SS where DD is the number of days when execution time is 24 hours or more.
This is the process ID of the process.
This is the process ID of the process's parent process.
This is the scheduling priority with which the process runs. This can be adjusted with the nice command or nice() system call.
This is the real user id which represents the user who has created the process.
A platform specific characteristic maintained by the scheduler: RT (real-time), TS (timeshare), FF (fifo), SYS (system), etc.
This is the time of day the process started, formatted in HH:MM:SS if the process started the same day, or formatted as MMM_DD (e.g. Feb_5) if the process started the previous day or further in the past.
This is the TTY on which the process was started, if applicable.
This is the effective user id which represents the actual privileges of the process.

Output of /usr/bin/ps. See ps(1).
This is the string used to start the process. This includes any parameters that are part of the command line.
This is the cumulative CPU time, formatted in [DD-]HH:MM:SS where DD is the number of days when execution time is 24 hours or more.
This is the process ID of the process.
This is the process ID of the process's parent process.
This is the scheduling priority with which the process runs. This can be adjusted with the nice command or nice() system call.
This is the real user id which represents the user who has created the process.
A platform specific characteristic maintained by the scheduler: RT (real-time), TS (timeshare), FF (fifo), SYS (system), etc.
This is the time of day the process started, formatted in HH:MM:SS if the process started the same day, or formatted as MMM_DD (e.g. Feb_5) if the process started the previous day or further in the past.
This is the TTY on which the process was started, if applicable.
This is the effective user id which represents the actual privileges of the process.
A boolean that, when true, indicates that ExecShield is enabled for the process.
The loginuid shows which account a user gained access to the system with. The /proc/XXXX/loginuid file shows this value.
An effective capability associated with the process. See linux/include/linux/capability.h for more information.
An SELinux domain label associated with the process.
The session ID of the process.

The routingtable_item holds information about an individual routing table entry found in a system's primary routing table. Each routingtable_item contains a destination IP address, gateway, netmask, flags, and the name of the interface associated with it. It is important to note that only numerical addresses will be collected and that their symbolic representations will not be resolved. This is equivalent to using the '-n' option with route(8) or netstat(8). It extends the standard ItemType as defined in the oval-system-characteristics schema and one should refer to the ItemType description for more information.
The destination IP address prefix of the routing table entry. This is the destination IP address and netmask/prefix-length expressed using CIDR notation.
The gateway of the specified routing table entry.
The flags associated with the specified routing table entry.
The name of the interface associated with the routing table entry.

The runlevel item holds information about the start or kill state of a specified service at a given runlevel. Each runlevel item contains service name and runlevel information as well as start and kill information. It extends the standard ItemType as defined in the oval-system-characteristics schema and one should refer to the ItemType description for more information.
The service_name entity is the actual name of the specific service.
The runlevel entity specifies the system runlevel associated with a service.
The start entity specifies whether the service is scheduled to start at the runlevel.
The kill entity specifies whether the service is scheduled to be killed at the runlevel.

Deprecated as of version 5.10: The sccs_item has been deprecated because the Source Code Control System (SCCS) is obsolete. The sccs_item may be removed in a future version of the language.
DEPRECATED ITEM: ID:
Specifies the absolute path to an SCCS file. A directory cannot be specified as a filepath.
The path element specifies the directory component of the absolute path to an SCCS file.
The name of an SCCS file.

/etc/shadow. See shadow(4).
This is the name of the user for which data was gathered.
This is the encrypted version of the user's password.
This is the date of the last password change in days since 1/1/1970.
This specifies how often in days a user may change their password. It can also be thought of as the minimum age of a password.
This describes how long the user can keep a password before the system forces them to change it.
This describes how long before password expiration the system begins warning the user. The system will warn the user at each login.
This describes how many days of account inactivity the system will wait after a password expires before locking the account. This window, usually only set to a few days, gives users who log in very seldom a bit of extra time to receive the password expiration warning and change their password.
This specifies when the account's password will expire, in days since 1/1/1970.
This is a numeric reserved field that the shadow file may use in the future.
The encrypt_method entity describes the method that is used for hashing passwords.

The symlink_item element identifies the result generated for a symlink_object.
Specifies the filepath to the subject symbolic link file, specified by the symlink_object.
Specifies the canonical path for the target of the symbolic link file specified by the filepath.
The sysctl_item stores information retrieved from the local system about a kernel parameter and its respective value(s).
The name element contains a string that represents the name of a kernel parameter that was collected from the local system.
The value element contains a string that represents the current value(s) for the specified kernel parameter on the local system.

Information about the hardware the machine is running on. This information is the parsed equivalent of uname -a.
This entity specifies the machine hardware name. This corresponds to the command uname -m.
This entity specifies the host name. This corresponds to the command uname -n.
This entity specifies the operating system name. This corresponds to the command uname -s.
This entity specifies the build version. This corresponds to the command uname -r.
This entity specifies the operating system version. This corresponds to the command uname -v.
This entity specifies the processor type. This corresponds to the command uname -p.

The xinetd item holds information associated with different Internet services. It extends the standard ItemType as defined in the oval-system-characteristics schema and one should refer to the ItemType description for more information.
The protocol entity specifies the protocol that is used by the service. The list of valid protocols can be found in /etc/protocols.
The service_name entity specifies the name of the service.
The flags entity specifies miscellaneous settings associated with the service.
The no_access entity specifies the remote hosts to which the service is unavailable. Please see the xinetd.conf(5) man page for information on the different formats that can be used to describe a host.
The only_from entity specifies the remote hosts to which the service is available. Please see the xinetd.conf(5) man page for information on the different formats that can be used to describe a host.
The port entity specifies the port used by the service.
The server entity specifies the executable that is used to launch the service.
The server_arguments entity specifies the arguments that are passed to the executable when launching the service.
The socket_type entity specifies the type of socket that is used by the service. Possible values include: stream, dgram, raw, or seqpacket.
The type entity specifies the type of the service. A service may have multiple types.
The user entity specifies the user identifier of the process that is running the service. The user identifier may be expressed as a numerical value or as a user name that exists in /etc/passwd.
The wait entity specifies whether the service is single-threaded or multi-threaded, and whether xinetd or the service itself accepts the connection. A value of 'true' indicates that the service is single-threaded and the service will accept the connection. A value of 'false' indicates that the service is multi-threaded and xinetd will accept the connection.
The disabled entity specifies whether or not the service is disabled. A value of 'true' indicates that the service is disabled and will not start. A value of 'false' indicates that the service is not disabled.

The EntityItemCapabilityType complex type restricts a string value to a specific set of values that describe POSIX capability types associated with a process service. This list is based off the values defined in linux/include/linux/capability.h. Documentation on each allowed value can be found in capability.h. The empty string is also allowed to support empty elements associated with error conditions.
The empty string value is permitted here to allow for empty elements associated with variable references.

The EntityItemEndpointType complex type restricts a string value to a specific set of values that describe endpoint types associated with an Internet service. The empty string is also allowed to support empty elements associated with error conditions.
The stream value is used to describe a stream socket.
The dgram value is used to describe a datagram socket.
The raw value is used to describe a raw socket.
The seqpacket value is used to describe a sequenced packet socket.
The tli value is used to describe all TLI endpoints.
The sunrpc_tcp value is used to describe all SUNRPC TCP endpoints.
The sunrpc_udp value is used to describe all SUNRPC UDP endpoints.
The empty string value is permitted here to allow for detailed error reporting.

The EntityItemGconfTypeType complex type restricts a string value to the seven values GCONF_VALUE_STRING, GCONF_VALUE_INT, GCONF_VALUE_FLOAT, GCONF_VALUE_BOOL, GCONF_VALUE_SCHEMA, GCONF_VALUE_LIST, and GCONF_VALUE_PAIR that specify the type of the value associated with a GConf preference key. The empty string is also allowed to support empty elements associated with error conditions.
The GCONF_VALUE_STRING type is used to describe a preference key that has a string value.
The GCONF_VALUE_INT type is used to describe a preference key that has an integer value.
The GCONF_VALUE_FLOAT type is used to describe a preference key that has a float value.
The GCONF_VALUE_BOOL type is used to describe a preference key that has a boolean value.
The GCONF_VALUE_SCHEMA type is used to describe a preference key that has a schema value. The actual value will be the default value as specified in the GConf schema.
The GCONF_VALUE_LIST type is used to describe a preference key that has a list of values. The actual values will be one of the primitive GConf datatypes GCONF_VALUE_STRING, GCONF_VALUE_INT, GCONF_VALUE_FLOAT, GCONF_VALUE_BOOL, and GCONF_VALUE_SCHEMA. Note that all of the values associated with a GCONF_VALUE_LIST are required to have the same type.
The GCONF_VALUE_PAIR type is used to describe a preference key that has a pair of values.
The actual values will consist of the primitive GConf datatypes GCONF_VALUE_STRING, GCONF_VALUE_INT, GCONF_VALUE_FLOAT, GCONF_VALUE_BOOL, and GCONF_VALUE_SCHEMA. Note that the values associated with a GCONF_VALUE_PAIR are not required to have the same type.
The empty string value is permitted here to allow for detailed error reporting.

The EntityItemRoutingTableFlagsType complex type restricts a string value to a specific set of values that describe the flags associated with a routing table entry. This list is based off the values defined in the man pages of various platforms. For Linux, please see route(8). For Solaris, please see netstat(1M). For HP-UX, please see netstat(1). For Mac OS, please see netstat(1). For FreeBSD, please see netstat(1). Documentation on each allowed value can be found in the previously listed man pages. The empty string is also allowed to support empty elements associated with error conditions.

The following table is a mapping between the generic flag enumeration values and the actual flag values found on the various platforms. If the flag value is not specified for a particular generic flag enumeration value, the flag value is not defined for that platform.

Name                           Linux  Solaris   HPUX  Mac OS  FreeBSD  AIX
UP                             U      U         U     U       U        U
GATEWAY                        G      G         G     G       G        G
HOST                           H      H         H     H       H        H
REINSTATE                      R
DYNAMIC                        D      D               D       D        D
MODIFIED                       M                      M       M        M
ADDRCONF                       A      A
CACHE                          C                                       e
REJECT                         !                      R       R        R
REDUNDANT                             M (>=9)
SETSRC                                S
BROADCAST                             B               b       b        b
LOCAL                                 L                                l
PROTOCOL_1                                            1       1        1
PROTOCOL_2                                            2       2        2
PROTOCOL_3                                            3       3        3
BLACK_HOLE                                            B       B
CLONING                                               C       C        c
PROTOCOL_CLONING                                      c       c
INTERFACE_SCOPE                                       I
LINK_LAYER                                            L       L        L
MULTICAST                                             m                m
STATIC                                                S       S        S
WAS_CLONED                                            W       W        W
XRESOLVE                                              X       X
USABLE                                                                 u
PINNED                                                                 P
ACTIVE_DEAD_GATEWAY_DETECTION                                          A (>=5.1)

The empty string value is permitted here to allow for detailed error reporting.

The EntityItemXinetdTypeStatusType complex type restricts a string value to five values, either RPC, INTERNAL, UNLISTED, TCPMUX, or TCPMUXPLUS, that specify the type of service registered in xinetd. The empty string is also allowed to support empty elements associated with error conditions.
The INTERNAL type is used to describe services like echo, chargen, and others whose functionality is supplied by xinetd itself.
The RPC type is used to describe services that use remote procedure call, such as NFS.
The UNLISTED type is used to describe services that aren't listed in /etc/protocols or /etc/rpc.
The TCPMUX type is used to describe services that conform to RFC 1078. This type indicates that the service is responsible for handling the protocol handshake.
The TCPMUXPLUS type is used to describe services that conform to RFC 1078. This type indicates that xinetd is responsible for handling the protocol handshake.
The empty string value is permitted here to allow for detailed error reporting.

The EntityItemWaitStatusType complex type restricts a string value to two values, either wait or nowait, that specify whether the server that is invoked by inetd will take over the listening socket associated with the service, and whether, once launched, inetd will wait for that server to exit, if ever, before it resumes listening for new service requests.
The empty string is also allowed to support empty elements associated with error conditions.
The value of 'wait' specifies that the server that is invoked by inetd will take over the listening socket associated with the service, and once launched, inetd will wait for that server to exit, if ever, before it resumes listening for new service requests.
The value of 'nowait' specifies that the server that is invoked by inetd will not wait for any existing server to finish before taking over the listening socket associated with the service.
The empty string value is permitted here to allow for detailed error reporting.

The EntityItemEncryptMethodType complex type restricts a string value to a set that corresponds to the allowed encrypt methods used for protected passwords in a shadow file. The empty string is also allowed to support empty elements associated with error conditions.
The DES method corresponds to the (none) prefix.
The BSDi method corresponds to BSDi modified DES or the '_' prefix.
The MD5 method corresponds to MD5 for Linux/BSD or the $1$ prefix.
The Blowfish method corresponds to Blowfish (OpenBSD) or the $2$ or $2a$ prefixes.
The Sun MD5 method corresponds to the $md5$ prefix.
The SHA-256 method corresponds to the $5$ prefix.
The SHA-512 method corresponds to the $6$ prefix.
The empty string value is permitted here to allow for empty elements associated with variable references.

The EntityItemInterfaceType complex type restricts a string value to a specific set of values. These values describe the different interface types which are defined in 'if_arp.h'. The empty string is also allowed to support empty elements associated with variable references. Note that when using pattern matches and variables, care must be taken to ensure that the regular expression and variable values align with the enumerated values.
The ARPHRD_ETHER type is used to describe Ethernet interfaces.
The ARPHRD_FDDI type is used to describe fiber distributed data interfaces (FDDI).
The ARPHRD_LOOPBACK type is used to describe loopback interfaces.
The ARPHRD_VOID type is used to describe unknown interfaces.
The ARPHRD_PPP type is used to describe point-to-point protocol interfaces (PPP).
The ARPHRD_SLIP type is used to describe serial line internet protocol interfaces (SLIP).
The ARPHRD_PRONET type is used to describe PROnet token ring interfaces.
The empty string value is permitted here to allow for detailed error reporting.
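As an added example that is not part of the OVAL schema or of any OVAL collector, the Python below serves both the /etc/shadow item above and the EntityItemEncryptMethodType description: it parses shadow(4) lines into the item's fields, classifies each password field by the hash prefixes listed for EntityItemEncryptMethodType, and reports the accounts an assessor would review. The field names, the constructed sample lines and the set of methods treated as legacy are this example's own assumptions.

```python
# Hash prefix -> encrypt method value, from the EntityItemEncryptMethodType
# description. Longer prefixes are checked first so "$2a$" wins over "$2$";
# a field with no prefix at all is traditional DES crypt.
ENCRYPT_METHODS = (
    ("$md5$", "Sun MD5"),
    ("$2a$", "Blowfish"),
    ("$2$", "Blowfish"),
    ("$1$", "MD5"),
    ("$5$", "SHA-256"),
    ("$6$", "SHA-512"),
    ("_", "BSDi"),
)

# Field names are this example's own; they follow the shadow(4) column order
# the shadow item describes: name, hash, last change, minimum age, maximum age,
# warning window, inactivity window, expiry date, reserved flag.
SHADOW_FIELDS = ("username", "password", "chg_lst", "chg_allow", "chg_req",
                 "exp_warn", "exp_inact", "exp_dt", "flag")

# Methods this example reports as legacy (an assumption for the report only).
LEGACY_METHODS = {"DES", "BSDi", "MD5"}


def encrypt_method(password_field):
    """Map a shadow password field to its encrypt method, or None when no hash
    is stored ("" means no password; "*" and "!"-only values lock the account).
    A "!" in front of a real hash is stripped first: the account is locked,
    but the hash is still present in the file and still classifiable."""
    core = password_field.lstrip("!")
    if core == "" or core.startswith("*"):
        return None
    for prefix, method in ENCRYPT_METHODS:
        if core.startswith(prefix):
            return method
    return "DES"


def parse_shadow_line(line):
    """Turn one shadow(4) line into a dict of the item's fields. Day-count
    fields become ints; empty fields become None."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != len(SHADOW_FIELDS):
        raise ValueError(f"expected {len(SHADOW_FIELDS)} fields, got {len(fields)}")
    item = dict(zip(SHADOW_FIELDS, fields))
    for name in SHADOW_FIELDS[2:]:
        item[name] = int(item[name]) if item[name] != "" else None
    item["encrypt_method"] = encrypt_method(item["password"])
    item["locked"] = item["password"].startswith(("!", "*"))
    return item


def shadow_findings(lines):
    """Return {username: [finding, ...]} for accounts worth reviewing: an empty
    password field, a legacy hash method, or no maximum password age."""
    findings = {}
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        item = parse_shadow_line(line)
        issues = []
        if item["password"] == "":
            issues.append("empty password field")
        if item["encrypt_method"] in LEGACY_METHODS:
            issues.append("legacy hash: " + item["encrypt_method"])
        if not item["locked"] and item["chg_req"] in (None, 99999):
            issues.append("password never expires")
        if issues:
            findings[item["username"]] = issues
    return findings


# Constructed sample lines; the hash bodies are placeholders, not real digests.
SAMPLE_SHADOW = [
    "root:$6$saltsalt$placeholderhashbody:17500:0:90:7:::",
    "alice:$5$saltsalt$placeholderhashbody:17500:1:90:7:14::",
    "legacy:$1$abcdefgh$placeholderhash:15000:0:99999:7:::",
    "ancient:abJnggxhB/yWI:12000:0:99999:7:::",
    "svc:!:17500:0:99999:7:::",
    "nopass::17500:0:99999:7:::",
]

if __name__ == "__main__":
    for user, issues in shadow_findings(SAMPLE_SHADOW).items():
        print(user, issues)
```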