The AccesstokenBehaviors complex type defines a number of behaviors that allow a more detailed definition of the accesstoken_object being specified. Note that using these behaviors may result in some unique results. For example, a double negative type condition might be created where an object entity says include everything except a specific item, but a behavior is used that might then add that item back in.
Attributes:
Attribute | Type | Use | Deprecation Info |
---|---|---|---|
resolve_group | xsd:boolean | (optional -- default='false') | Deprecated As Of Version: 5.6. Reason: The 'resolve_group' behavior has been deprecated in favor of using variables to reference more efficient objects for expanding groups. Comment: Consider using a sid_object or similar to resolve the members of a group. |
The FileAuditPermissions53Behaviors complex type defines a number of behaviors that allow a more detailed definition of the fileauditpermissions53_object being specified. Note that using these behaviors may result in some unique results. For example, a double negative type condition might be created where an object entity says include everything except a specific item, but a behavior is used that might then add that item back in.
It is important to note that the ‘max_depth’ and ‘recurse_direction’ attributes of the ‘behaviors’ element do not apply to the ‘filepath’ element, only to the ‘path’ and ‘filename’ elements. This is because the ‘filepath’ element represents an absolute path to a particular file and it is not possible to recurse over a file.
Attributes:
Attribute | Type | Use | Deprecation Info |
---|---|---|---|
resolve_group | xsd:boolean | (optional -- default='false') | Deprecated As Of Version: 5.6. Reason: The 'resolve_group' behavior has been deprecated in favor of using variables to reference more efficient objects for expanding groups. Comment: Consider using a sid_sid_object or similar to resolve the members of a group. |
The file audited permissions test is used to check the audit permissions associated with Windows files. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a fileauditedpermissions_object, and the optional state element references a fileauditedpermissions_state that specifies the metadata to check. The evaluation of the test is guided by the check attribute that is inherited from the TestType.
The fileauditedpermissions_object element is used by a file audited permissions test to define the objects used to evaluate against the specified state. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic.
A fileauditedpermissions_object is defined as a combination of a Windows file and trustee name. The file represents the file to be evaluated while the trustee name represents the account (sid) to check audited permissions of. If multiple files or sids are matched by either reference, then each possible combination of file and sid is a matching file audited permissions object. In addition, a number of behaviors may be provided that help guide the collection of objects. Please refer to the FileAuditPermissionsBehaviors complex type for more information about specific behaviors.
The fileauditedpermissions_state element defines the different audit permissions that can be associated with a given fileauditedpermissions_object. Please refer to the individual elements in the schema for more details about what each represents.
The FileAuditPermissionsBehaviors complex type defines a number of behaviors that allow a more detailed definition of the fileauditpermissions_object being specified. Note that using these behaviors may result in some unique results. For example, a double negative type condition might be created where an object entity says include everything except a specific item, but a behavior is used that might then add that item back in.
Attributes:
Attribute | Type | Use | Deprecation Info |
---|---|---|---|
resolve_group | xsd:boolean | (optional -- default='false') | Deprecated As Of Version: 5.6. Reason: The 'resolve_group' behavior has been deprecated in favor of using variables to reference more efficient objects for expanding groups. Comment: Consider using a sid_object or similar to resolve the members of a group. |
The FileEffectiveRights53Behaviors complex type defines a number of behaviors that allow a more detailed definition of the fileeffectiverights53_object being specified. Note that using these behaviors may result in some unique results. For example, a double negative type condition might be created where an object entity says include everything except a specific item, but a behavior is used that might then add that item back in.
It is important to note that the ‘max_depth’ and ‘recurse_direction’ attributes of the ‘behaviors’ element do not apply to the ‘filepath’ element, only to the ‘path’ and ‘filename’ elements. This is because the ‘filepath’ element represents an absolute path to a particular file and it is not possible to recurse over a file.
Attributes:
Attribute | Type | Use | Deprecation Info |
---|---|---|---|
resolve_group | xsd:boolean | (optional -- default='false') | Deprecated As Of Version: 5.6. Reason: The 'resolve_group' behavior has been deprecated in favor of using variables to reference more efficient objects for expanding groups. Comment: Consider using a sid_sid_object or similar to resolve the members of a group. |
The file effective rights test is used to check the effective rights associated with Windows files. Note that the trustee's effective access rights are the access rights that the ACL grants to the trustee or to any groups of which the trustee is a member. The fileeffectiverights_test element extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a fileeffectiverights_object and the optional state element specifies the metadata to check. The evaluation of the test is guided by the check attribute that is inherited from the TestType.
The fileeffectiverights_object element is used by a file effective rights test to define the objects used to evaluate against the specified state. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic.
A fileeffectiverights_object is defined as a combination of a Windows file and trustee name. The file represents the file to be evaluated while the trustee name represents the account (sid) to check effective rights of. If multiple files or sids are matched by either reference, then each possible combination of file and sid is a matching file effective rights object. In addition, a number of behaviors may be provided that help guide the collection of objects. Please refer to the FileEffectiveRightsBehaviors complex type for more information about specific behaviors.
The fileeffectiverights_state element defines the different rights that can be associated with a given fileeffectiverights_object. Please refer to the individual elements in the schema for more details about what each represents.
The FileEffectiveRightsBehaviors complex type defines a number of behaviors that allow a more detailed definition of the fileeffectiverights_object being specified. Note that using these behaviors may result in some unique results. For example, a double negative type condition might be created where an object entity says include everything except a specific item, but a behavior is used that might then add that item back in.
Attributes:
Attribute | Type | Use | Deprecation Info |
---|---|---|---|
resolve_group | xsd:boolean | (optional -- default='false') | Deprecated As Of Version: 5.6. Reason: The 'resolve_group' behavior has been deprecated in favor of using variables to reference more efficient objects for expanding groups. Comment: Consider using a sid_object or similar to resolve the members of a group. |
The PrinterEffectiveRightsBehaviors complex type defines a number of behaviors that allow a more detailed definition of the printereffectiverights_object being specified. Note that using these behaviors may result in some unique results. For example, a double negative type condition might be created where an object entity says include everything except a specific item, but a behavior is used that might then add that item back in.
Attributes:
Attribute | Type | Use | Deprecation Info |
---|---|---|---|
resolve_group | xsd:boolean | (optional -- default='false') | Deprecated As Of Version: 5.6. Reason: The 'resolve_group' behavior has been deprecated in favor of using variables to reference more efficient objects for expanding groups. Comment: Consider using a sid_sid_object or similar to resolve the members of a group. |
The regkeyauditedpermissions53_state element defines the different audit permissions that can be associated with a given regkeyauditedpermissions53_object. Please refer to the individual elements in the schema for more details about what each represents.
Child Elements | Deprecation Info |
---|---|
standard_synchronize. Windows NT/2000: The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right. | Deprecated As Of Version: 5.6. Reason: This entity has been deprecated because registry keys do not support the SYNCHRONIZE standard access right. |
The RegkeyAuditPermissions53Behaviors complex type defines a number of behaviors that allow a more detailed definition of the registrykeyauditedpermissions53_object being specified. Note that using these behaviors may result in some unique results. For example, a double negative type condition might be created where an object entity says include everything except a specific item, but a behavior is used that might then add that item back in.
Attributes:
Attribute | Type | Use | Deprecation Info |
---|---|---|---|
resolve_group | xsd:boolean | (optional -- default='false') | Deprecated As Of Version: 5.6. Reason: The 'resolve_group' behavior has been deprecated in favor of using variables to reference more efficient objects for expanding groups. Comment: Consider using a sid_sid_object or similar to resolve the members of a group. |
The registry key audited permissions test is used to check the audit permissions associated with Windows registry keys. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a regkeyauditedpermissions_object and the optional state element specifies the metadata to check. The evaluation of the test is guided by the check attribute that is inherited from the TestType.
The regkeyauditedpermissions_object element is used by a registry key audited permissions test to define the objects used to evaluate against the specified state. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic.
A regkeyauditedpermissions_object is defined as a combination of a Windows registry key and trustee name. The hive and key elements represent the registry key to be evaluated while the trustee name represents the account (sid) to check audited permissions of. If multiple keys or sids are matched by either reference, then each possible combination of file and sid is a matching file audited permissions object. In addition, a number of behaviors may be provided that help guide the collection of objects. Please refer to the RegkeyAuditPermissionsBehaviors complex type for more information about specific behaviors.
The regkeyauditedpermissions_state element defines the different audit permissions that can be associated with a given regkeyauditedpermissions_object. Please refer to the individual elements in the schema for more details about what each represents.
The RegkeyAuditPermissionsBehaviors complex type defines a number of behaviors that allow a more detailed definition of the registrykeyauditedpermissions_object being specified. Note that using these behaviors may result in some unique results. For example, a double negative type condition might be created where an object entity says include everything except a specific item, but a behavior is used that might then add that item back in.
Attributes:
Attribute | Type | Use | Deprecation Info |
---|---|---|---|
resolve_group | xsd:boolean | (optional -- default='false') | Deprecated As Of Version: 5.6. Reason: The 'resolve_group' behavior has been deprecated in favor of using variables to reference more efficient objects for expanding groups. Comment: Consider using a sid_object or similar to resolve the members of a group. |
The regkeyeffectiverights53_state element defines the different rights that can be associated with a given regkeyeffectiverights53_object. Please refer to the individual elements in the schema for more details about what each represents.
Child Elements | Deprecation Info |
---|---|
standard_synchronize. Windows NT/2000: The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right. | Deprecated As Of Version: 5.6. Reason: This entity has been deprecated because registry keys do not support the SYNCHRONIZE standard access right. |
The RegkeyEffectiveRights53Behaviors complex type defines a number of behaviors that allow a more detailed definition of the registrykeyeffectiverights53_object being specified. Note that using these behaviors may result in some unique results. For example, a double negative type condition might be created where an object entity says include everything except a specific item, but a behavior is used that might then add that item back in.
Attributes:
Attribute | Type | Use | Deprecation Info |
---|---|---|---|
resolve_group | xsd:boolean | (optional -- default='false') | Deprecated As Of Version: 5.6. Reason: The 'resolve_group' behavior has been deprecated in favor of using variables to reference more efficient objects for expanding groups. Comment: Consider using a sid_sid_object or similar to resolve the members of a group. |
The registry key effective rights test is used to check the effective rights associated with Windows files. Note that the trustee's effective access rights are the access rights that the ACL grants to the trustee or to any groups of which the trustee is a member. The regkeyeffectiverights_test element extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a regkeyeffectiverights_object and the optional state element specifies the metadata to check. The evaluation of the test is guided by the check attribute that is inherited from the TestType.
The regkeyeffectiverights_state element defines the different rights that can be associated with a given regkeyeffectiverights_object. Please refer to the individual elements in the schema for more details about what each represents.
The RegkeyEffectiveRightsBehaviors complex type defines a number of behaviors that allow a more detailed definition of the registrykeyeffectiverights_object being specified. Note that using these behaviors may result in some unique results. For example, a double negative type condition might be created where an object entity says include everything except a specific item, but a behavior is used that might then add that item back in.
Attributes:
Attribute | Type | Use | Deprecation Info |
---|---|---|---|
resolve_group | xsd:boolean | (optional -- default='false') | Deprecated As Of Version: 5.6. Reason: The 'resolve_group' behavior has been deprecated in favor of using variables to reference more efficient objects for expanding groups. Comment: Consider using a sid_sid_object or similar to resolve the members of a group. |
The user_sid_test is used to check information about Windows users. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a user_sid_object and the optional state element specifies the metadata to check. The evaluation of the test is guided by the check attribute that is inherited from the TestType.
The user_sid_object represents a set of users on a Windows system. This set (which might contain only one user) is identified by a SID.
The user_sid_state element enumerates the different groups (identified by SID) that a Windows user might belong to. Please refer to the individual elements in the schema for more details about what each represents.
The EntityStateSharedResourceTypeType complex type defines the different values that are valid for the type entity of a shared resource state. Note that the Windows API returns a DWORD value and OVAL uses the constant name that is normally defined for these return values. This is done to increase readability and maintainability of OVAL Definitions. The empty string is also allowed as a valid value to support an empty element that is found when a variable reference is used within the type entity. Note that when using pattern matches and variables, care must be taken to ensure that the regular expression and variable values align with the enumerated values.
It is also important to note that special shared resources are those reserved for remote administration, interprocess communication, and administrative shares.
Value | Description | Deprecation Info |
---|---|---|
STYPE_SPECIAL | The STYPE_SPECIAL type means that this is a special share reserved for interprocess communication (IPC$) or remote administration of the server (ADMIN$). Can also refer to administrative shares such as C$, D$, E$, and so forth. The DWORD value that this corresponds to is 0x40000000. | Deprecated As Of Version: 5.6. Reason: In version 5.6 of the OVAL Language, the EntityStateSharedResourceTypeType was changed to include all of the different shared resource types as specified in Microsoft's documentation of the shi2_type member of the SHARE_INFO_2 structure. As a result, the STYPE_SPECIAL value by itself is no longer valid because it would actually be equal to the value STYPE_DISKTREE_SPECIAL (0x80000000) which is STYPE_DISKTREE (0x00000000) OR'd with STYPE_SPECIAL (0x80000000). Comment: This value has been deprecated and will be removed in version 6.0 of the language. |
STYPE_TEMPORARY | The STYPE_TEMPORARY type means that the shared resource is a temporary share. The DWORD value that this corresponds to is 0x80000000. | Deprecated As Of Version: 5.6. Reason: In version 5.6 of the OVAL Language, the EntityStateSharedResourceTypeType was changed to include all of the different shared resource types as specified in Microsoft's documentation of the shi2_type member of the SHARE_INFO_2 structure. As a result, the STYPE_TEMPORARY value by itself is no longer valid because it would actually be equal to the value STYPE_DISKTREE_TEMPORARY (0x40000000) which is STYPE_DISKTREE (0x00000000) OR'd with STYPE_TEMPORARY (0x40000000). Comment: This value has been deprecated and will be removed in version 6.0 of the language. |
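An added example (not part of the OVAL schema documentation) of the point made in the Reason text: because STYPE_DISKTREE is 0, a shi2_type DWORD carrying only the special or temporary bit decodes to the combined disk-tree name, never to a bare flag name. The flag values are those quoted in the Reason text, which match Microsoft's lmshare.h; `stype_name`, `stype_is`, `BASE_MASK` and the combined names other than the two the page mentions are assumptions composed on the same naming pattern.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Base types and flag bits of shi2_type, as defined in Microsoft's lmshare.h. */
#define STYPE_DISKTREE  0x00000000u
#define STYPE_PRINTQ    0x00000001u
#define STYPE_DEVICE    0x00000002u
#define STYPE_IPC       0x00000003u
#define STYPE_SPECIAL   0x80000000u
#define STYPE_TEMPORARY 0x40000000u
#define BASE_MASK       0x000000FFu  /* assumed name: low byte carries the base type */

/* Writes the combined name for a raw shi2_type value into out.
 * Only the two flags discussed on the page are accepted. Returns 0 on success,
 * -1 on an unknown base type, other flag bits, or a buffer that is too small. */
int stype_name(uint32_t raw, char *out, size_t outlen)
{
    static const char *const base_names[] = {
        "STYPE_DISKTREE", "STYPE_PRINTQ", "STYPE_DEVICE", "STYPE_IPC"
    };
    uint32_t base = raw & BASE_MASK;
    uint32_t flags = raw & ~BASE_MASK;

    if (base > STYPE_IPC)
        return -1;
    if (flags & ~(STYPE_SPECIAL | STYPE_TEMPORARY))
        return -1;

    /* The base name is always present, so a flag never appears on its own. */
    int n = snprintf(out, outlen, "%s%s%s", base_names[base],
                     (flags & STYPE_SPECIAL) ? "_SPECIAL" : "",
                     (flags & STYPE_TEMPORARY) ? "_TEMPORARY" : "");
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Returns 1 when raw decodes to exactly the expected name, else 0. */
int stype_is(uint32_t raw, const char *expected)
{
    char buf[64];
    return stype_name(raw, buf, sizeof buf) == 0 && strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed sample values, not captured from a real host. */
    const uint32_t samples[] = { 0x00000000u, 0x80000000u, 0x40000000u,
                                 0x80000003u, 0xC0000000u, 0x00000007u };
    char buf[64];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (stype_name(samples[i], buf, sizeof buf) == 0)
            printf("0x%08X -> %s\n", (unsigned)samples[i], buf);
        else
            printf("0x%08X -> not a valid shi2_type\n", (unsigned)samples[i]);
    }
    return 0;
}
```

A state entity or pattern match written against the bare flag names will never equal a name produced this way, which is the misalignment the note on pattern matches and variables warns about.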