|
24570
|
prepend source identifiers to Schematron pattern ids. |
Closed |
2010-01-11 |
Fixed |
Priority:
Medium
| Category:
n/a
| Date Closed:
2010-01-21 14:19:21
|
Details:
Currently, all of the Schematron patterns are extracted from the various schemas and aggregated into three master Schematron files: definitions, system characteristics, and results. Once so aggregated, it is impossible to tell which schema a rule came from without reading down into the body of the rule and finding something that distinguishes the rule, for example, a platform-specific XPath statement in the context, test, assertion or report. Also, it is possible for pattern ids to be duplicated across the schemas and therefore clash when aggregated.
To fix these problems, a prefix shall be put on all Schematron pattern IDs identifying the schema the pattern comes from. This prefix shall be the namespace prefix used within a schema file to identify its own namespace followed by an underscore, "_". For example, "oval-def_" for patterns found in the "oval-definitions-schema.xsd".
|
Follow-ups:
n/a
|
|
24683
|
var_refs should have a var_check - but it's not required. Change the schematron rule to be a report rather than an assert |
Closed |
2010-01-21 |
Fixed |
Priority:
Medium
| Category:
Definition Schemas
| Date Closed:
2010-01-22 21:23:09
|
Details:
There is a Schematron rule that assures that items with a var_ref attribute also have a var_check attribute. This is more a best practice than a requirement. So the assertion message should be changed to reflect that it is only a warning and not invalid.
|
Follow-ups:
Date Added: 2010-01-22 21:21:58 Jon Baker: "I think the wording is fine for the moment."
Date Added: 2010-01-23 01:50:34 for now we committed the change to make the schematron assertion a report. At a later time we will review and standardize all schematron rules.
|
|
23826
|
Change maxOccurs for several xinetd_item entities |
Closed |
2009-10-14 |
Fixed |
Priority:
Medium
| Category:
System Characteristics Schemas
| Date Closed:
2010-01-25 20:24:57
|
Details:
The following entities should be changed to maxOccurs="unlimited":
only_from
no_access
flags
|
Follow-ups:
n/a
|
|
23828
|
Add two more values to EntityXinetdTypeStatusType enumeration |
Closed |
2009-10-14 |
Fixed |
Priority:
Medium
| Category:
System Characteristics Schemas
| Date Closed:
2010-01-26 15:48:16
|
Details:
The additional values needed are:
TCPMUX
TCPMUXPLUS
|
Follow-ups:
n/a
|
|
13725
|
support statements that return multiple n-tuples in sql, wmi, ldap, and activedirectory tests |
Closed |
2007-11-27 |
Fixed |
Priority:
Medium High
| Category:
n/a
| Date Closed:
2010-02-17 20:25:47
|
Details:
Each of these tests can return values that have multiple components. For example, SELECT value1, value2 FROM table. Another example is with Active Directory: an attribute value of type ADSTYPE_DN_WITH_STRING associates a DN with a string, so it has two components, one is the DN and one is the associated string.
|
Follow-ups:
n/a
|
|
23663
|
allow empty values in variables |
Closed |
2009-09-28 |
Fixed |
Priority:
Low
| Category:
Definition Schemas
| Date Closed:
2010-01-26 01:59:19
|
Details:
>-----Original Message-----
>From: owner-oval-team-list@LISTS.MITRE.ORG [mailto:owner-oval-team-
>list@LISTS.MITRE.ORG] On Behalf Of Michael Chisholm
>Sent: Wednesday, September 16, 2009 2:45 PM
>To: oval-team-list
>Subject: Empty <value> not allowed in constant_variable?
>
>Mike Lah accidentally stumbled over a constraint with an oval
>definition, where <value>'s for <constant_variable>'s cannot be empty.
>Some of my thoughts:
>
>- Schematron validation passed, and that error was caught by the
>interpreter itself. But there is a schematron rule which I think is
>supposed to catch this, and doesn't seem to be working.
>
><sch:rule context="oval-def:constant_variable/oval-def:value">
> <sch:assert test=".!=''">....</sch:assert>
></sch:rule>
>
>Does this rule need to be fixed? (I don't know schematron well enough
>to tell by looking)
>
>- An empty value is valid in some circumstances. For example, it is
>possible for a regex to match the empty string. If you aren't allowed
>to have empty strings as variable values, you can't represent some valid
>matches. So I question whether this schematron rule should exist at
>all. I can see that it would not make sense to have an empty value if
>the variable type is, say, 'int'. Maybe a more appropriate rule would
>enforce values of the <value> element, according to the
>constant_variable's datatype? (I thought I'd seen a rule like that in
>other places in the schema)
>
>Andy
|
Follow-ups:
Date Added: 2010-01-26 01:51:27 removed the schematron rule
Date Added: 2010-01-26 01:59:18 Removed the rule that checks that oval-def:literal_component is not empty.
Looked for all other occurrences of several possible matching strings to try to find other areas where we are restricting the empty string.
|
|
23664
|
ensure that error handling is not allowing silent failures - substring function documentation and more |
Closed |
2009-09-28 |
Fixed |
Priority:
High
| Category:
Definition Schemas
| Date Closed:
2010-01-28 19:32:35
|
Details:
>From: owner-oval-team-list@LISTS.MITRE.ORG [mailto:owner-oval-team-
>list@LISTS.MITRE.ORG] On Behalf Of Baker, Jon
>Sent: Wednesday, September 23, 2009 1:09 PM
>To: Chisholm, Michael A.; oval-team-list
>Subject: RE: OVAL Interpreter - Substring Function Bug Fix
>
>For what it is worth Java reports errors in both conditions. Xpath
>silently handles both conditions.
>
>I agree that consistency is good here. As I was writing my message last
>night it occurred to me that we are likely inconsistent all over the oval
>language in how we handle conditions like this. Perhaps we can do a
>review of the documentation with the next release to address these
>inconsistencies?
>
>I think that avoiding silent failures is a good idea and that might be a
>good foundation to base the documentation review upon. Does this make
>sense to the rest of you?
>
>Jon
>
>============================================
>Jonathan O. Baker
>G022 - IA Industry Collaboration
>The MITRE Corporation
>Email: bakerj@mitre.org
>
>
>>-----Original Message-----
>>From: owner-oval-team-list@LISTS.MITRE.ORG [mailto:owner-oval-team-
>>list@LISTS.MITRE.ORG] On Behalf Of Michael Chisholm
>>Sent: Wednesday, September 23, 2009 12:49 PM
>>To: oval-team-list
>>Subject: Re: OVAL Interpreter - Substring Function Bug Fix
>>
>>Why would a value which is too low (<1) be effectively silently
>>corrected, but a value which is too high cause an error? That seems
>>like inconsistent behavior to me. One seems as much a "silent failure"
>>as the other. How about reporting an error condition in both cases?
>>
>>Andy
>>
>>Baker, Jon wrote:
>>>
>>> Ok, that makes more sense. We should consider how we want the OVAL
>>> language to address this. I see two options:
>>>
>>> - Add text that states that if the start position is at a
>>> position that is beyond the end of the string the resulting substring
>>> is always the empty string.
>>>
>>> - Add text that states that if the start position is at a
>>> position that is beyond the end of the string an error should be
>>> reported.
>>>
>>>
>>>
>>> Java throws an error.
>>>
>>> XPath results in an empty string.
>>>
>>>
>>>
>>> I think we have tended towards the report an error solution in OVAL.
>>> This is because we would like to avoid silent failures.
>>>
>>>
>>>
>>> Drew, does this make sense to you?
>>>
>>>
>>>
>>> Once we are all set we can update the interpreter.
>>>
>>>
>>>
>>> Jon
>>>
>>>
>>>
>>> ============================================
>>>
>>> Jonathan O. Baker
>>>
>>> G022 - IA Industry Collaboration
>>>
>>> The MITRE Corporation
>>>
>>> Email: bakerj@mitre.org
>>>
>>>
>>>
>>> *From:* Haynes, Dan
>>> *Sent:* Tuesday, September 22, 2009 6:59 PM
>>> *To:* Baker, Jon
>>> *Subject:* RE: OVAL Interpreter - Substring Function Bug Fix
>>>
>>>
>>>
>>> Hi Jon,
>>>
>>>
>>>
>>> Sorry about that. I meant to say a value greater than the string's
>>> length for the substring_start attribute.
>>>
>>>
>>>
>>> Thanks,
>>>
>>>
>>>
>>> Danny
>>>
>>>
>>>
>>> *From:* Baker, Jon
>>> *Sent:* Tuesday, September 22, 2009 8:53 AM
>>> *To:* Haynes, Dan
>>> *Cc:* oval-team-list
>>> *Subject:* RE: OVAL Interpreter - Substring Function Bug Fix
>>>
>>>
>>>
>>> The documentation for the function currently says:
>>>
>>>
>>>
>>> "The substring function takes a single string component and produces a
>>> single value that contains a portion of the original string. The
>>> substring_start attribute defines the starting position in the
>>> original string. Note, to include the first character of the string,
>>> the start position would be 1. Also note that a value less than one
>>> also means starting at the first character of the string. The
>>> substring_length attribute defines how many character after and
>>> including the starting character to include. Note that a
>>> substring_length value greater than the actual length of the string or
>>> a negative value means to include all the characters after the
>>> starting character. For example assume a basic component element that
>>> returns the value "abcdefg" with a substring_start value of 3 and a
>>> substring_length value of 2. The local_variable element would be
>>> evaluate to have a single value of "cd". If the string component used
>>> by the substring function returns multiple values, then the substring
>>> operation is performed multiple times and results in multiple values
>>> for the component."
>>>
>>>
>>>
>>>
>>>
>>> It looks like the language does specify how to handle a
>>> "substring_length" longer than the length of the subject string. If
>>> this is what you are asking about please enter a bug for the
>>> interpreter and feel free to fix it when you get a chance.
>>>
>>>
>>>
>>> Also note that I found two errors in the description above and
>>> corrected them both and committed to SVN for the next release of OVAL.
>>>
>>>
>>>
>>> Jon
>>>
>>>
>>>
>>> ============================================
>>>
>>> Jonathan O. Baker
>>>
>>> G022 - IA Industry Collaboration
>>>
>>> The MITRE Corporation
>>>
>>> Email: bakerj@mitre.org
>>>
>>>
>>>
>>> *From:* Haynes, Dan
>>> *Sent:* Monday, September 21, 2009 10:05 AM
>>> *To:* Baker, Jon
>>> *Subject:* OVAL Interpreter - Substring Function Bug Fix
>>>
>>>
>>>
>>> Hi Jon,
>>>
>>>
>>>
>>> I was just fixing the bug in the substring function
>>>
>>> (https://sourceforge.net/tracker/?func=detail&aid=2850166&group_id=215469&atid=1033794)
>>> that Andy found, so that Mike can write the validation content for
>>> this function, and I noticed that the OVAL Language does not specify
>>> how to handle a value greater than the string's length for the
>>> substring_length attribute. Currently, the Interpreter throws the
>>> following message because a value is considered an invalid starting
>>> position.
>>>
>>>
>>>
>>> VariableFactory::GetVariable() - Error while parsing variable:
>>> oval:test:var:1 Unknown Error
>>>
>>>
>>>
>>> Do you know how this case should be handled? Would it be better to
>>> catch the std::out_of_range exception thrown by the string::substr()
>>> method and report that the starting position is invalid rather than
>>> the unknown error message above?
>>>
>>>
>>>
>>> Thanks,
>>>
>>>
>>> Danny
>>>
|
Follow-ups:
n/a
|
|
23695
|
require family to be unique when multiple affected elements are used in a single definition |
Closed |
2009-10-01 |
Fixed |
Priority:
Medium
| Category:
Definition Schemas
| Date Closed:
2010-01-22 16:55:33
|
Details:
The definition of the oval-def:MetadataType should be updated to require that each child affected element have a unique family.
|
Follow-ups:
n/a
|
|
23994
|
remove affected_platform Schematron rule from windows definitions schema |
Closed |
2009-10-31 |
Fixed |
Priority:
Medium
| Category:
n/a
| Date Closed:
2010-01-22 17:11:15
|
Details:
This rule requires the affected_platform to be in a list of known windows os'es when the family is windows. The problem is that with each new release of a windows os the list of valid os'es needs to be updated. This list is bound to be out of synch with the list of os'es that microsoft actually releases. Having the rule encoded in the windows-definition-schema means that it can only be updated with a release of the language.
Pasted the rule below for easy reference:
<sch:pattern id="affected_platform">
<sch:rule context="oval-def:affected[@family='windows']">
<sch:assert test="not(oval-def:platform) or oval-def:platform='Microsoft Windows 95' or oval-def:platform='Microsoft Windows 98' or oval-def:platform='Microsoft Windows ME' or oval-def:platform='Microsoft Windows NT' or oval-def:platform='Microsoft Windows 2000' or oval-def:platform='Microsoft Windows XP' or oval-def:platform='Microsoft Windows Server 2003' or oval-def:platform='Microsoft Windows Vista' or oval-def:platform='Microsoft Windows Server 2008' or oval-def:platform='Microsoft Windows 7'">
<sch:value-of select="../../@id"/> - the value "<sch:value-of select="oval-def:platform"/>" found in platform element as part of the affected element is not a valid windows platform.</sch:assert>
</sch:rule>
</sch:pattern>
|
Follow-ups:
n/a
|
|
24106
|
add test to examine dns cache on windows and unix platforms |
Closed |
2009-11-10 |
Fixed |
Priority:
High
| Category:
Definition Schemas
| Date Closed:
2010-03-10 13:13:48
|
Details:
Need a test to test for listing DNS cache domain names and IP addresses.
|
Follow-ups:
n/a
|
|
24327
|
correct variable id regular expression in independent-system-characteristics-schema |
Closed |
2009-12-13 |
Fixed |
Priority:
Medium
| Category:
System Characteristics Schemas
| Date Closed:
2009-12-13 01:23:37
|
Details:
The ind-sc:EntityItemVariableRefType has the wrong regular expression in its pattern that specifies the allowed valid OVAL Variable ids. Needs to be corrected to align with the real definition of a variable id.
|
Follow-ups:
n/a
|
|
24732
|
align file related behaviors across all schemas |
Closed |
2010-01-27 |
Fixed |
Priority:
High
| Category:
Definition Schemas
| Date Closed:
2010-02-10 19:37:32
|
Details:
The behaviors defined for searching files are inconsistent across the windows, independent, and unix component schemas. There are four different behaviors defined to help control file searches:
- max_depth - defined in all schemas
- recurse_direction - defined in all schemas
- recurse - only defined in the unix schema
- recurse_file_system - only defined in the unix schema
There are at least two problems with the fact that the file behaviors are not in alignment:
1- File related tests in the independent-definitions-schema are intended to apply to unix platforms. The recurse and recurse_file_system behaviors are probably needed when using the independent-definitions-schema tests on a unix platform.
2- There is no behavior in the windows or independent schemas to allow a user to specify which types of file systems should be searched. These schemas probably need the 'recurse_file_system' behavior.
I recommend that we make the following changes in version 5.7 to address these issues and bring some consistency to the file related behaviors:
1- Add the 'recurse' and 'recurse_file_system' behaviors to the following objects in the independent-definitions-schema:
- ind-def:filehash_object
- ind-def:textfilecontent54_object
- ind-def:xmlfilecontent_object
- ind-def:filemd5_object - no change here because it is deprecated
This addition would require us to document that the 'recurse' behavior does not apply when an independent-definitions-schema test is evaluated on windows.
2- Add the 'recurse_file_system' behavior to the following objects in the windows-definitions-schema:
- win-def:file_object
- win-def:fileauditedpermissions53_object
- win-def:fileeffectiverights53_object
Assuming these changes are made such that the default behavior matches the current behavior of all modified objects, this change should not impact existing content. The change should reduce confusion about the various file related behaviors and add the capability to restrict file searches on windows platforms based on the type of file system.
|
Follow-ups:
n/a
|
|
24733
|
deprecate the values 'files', 'files and directories', and 'none' in the sccs_object |
Closed |
2010-01-27 |
Fixed |
Priority:
High
| Category:
Definition Schemas
| Date Closed:
2010-01-28 04:25:52
|
Details:
Need to deprecate these values that do not make sense. Deprecation should align with the deprecation that occurred in version 5.4 on the unix-def:file_object.
|
Follow-ups:
n/a
|
|
24868
|
remove ind-def:filemd5_test, ind-def:filemd5_object, ind-def:filemd5_state, and ind-sc:filemd5_item |
Closed |
2010-02-10 |
Fixed |
Priority:
Medium
| Category:
n/a
| Date Closed:
2010-02-10 19:13:42
|
Details:
As outlined in the "OVAL Language Deprecation Policy" any construct that has been deprecated for more than one release may be removed from a subsequent minor release of the OVAL Language (http://oval.mitre.org/language/about/deprecation.html).
I would like to propose the following deprecated items be removed in the next draft of version 5.7:
In the independent-definitions-schema
- ind-def:filemd5_test
- ind-def:filemd5_object
- ind-def:filemd5_state
See: http://oval.mitre.org/language/download/schema/version5.6/ovaldefinition/deprecation/independent-definitions-schema.html
In the independent-system-characteristics-schema:
- ind-sc:filemd5_item
See: http://oval.mitre.org/language/download/schema/version5.6/ovalsc/deprecation/independent-system-characteristics-schema.html
|
Follow-ups:
n/a
|
|
24869
|
remove apache-def:version_test, apache-def:version_object, apache-def:version_state, and apache-sc:version_item |
Closed |
2010-02-10 |
Fixed |
Priority:
Medium
| Category:
n/a
| Date Closed:
2010-02-10 19:13:40
|
Details:
As outlined in the "OVAL Language Deprecation Policy" any construct that has been deprecated for more than one release may be removed from a subsequent minor release of the OVAL Language (http://oval.mitre.org/language/about/deprecation.html).
I would like to propose the following deprecated items be removed in the next draft of version 5.7:
In the apache-definitions-schema:
- apache-def:version_test
- apache-def:version_object
- apache-def:version_state
See: http://oval.mitre.org/language/download/schema/version5.6/ovaldefinition/deprecation/apache-definitions-schema.html
In the apache-system-characteristics-schema:
- apache-sc:version_item
See: http://oval.mitre.org/language/download/schema/version5.6/ovalsc/deprecation/apache-system-characteristics-schema.html
|
Follow-ups:
n/a
|
|
25419
|
add Schematron rules to enforce tests are referencing the correct objects and states |
Closed |
2010-03-22 |
Fixed |
Priority:
Medium
| Category:
Definition Schemas
| Date Closed:
2010-03-22 19:54:11
|
Details:
In reviewing the release candidate we discovered that some of the Schematron rules that relate a test to the correct object and state are missing. These rules were simply never added when we started using schematron or when the test itself was created. These are important rules and we feel that we should add them to the 5.7 release.
The following tests were missing Schematron rules:
- catos-def:version55_test
- catos-def:version_test
- hpux-def:getconf_test
- hpux-def:patch53_test
- hpux-def:patch_test
- hpux-def:swlist_test
- hpux-def:trusted_test
- linux-def:dpkginfo_test
- linux-def:inetlisteningservers_test
- linux-def:rpminfo_test
- linux-def:slackwarepkginfo_test
- macos-def:accountinfo_test
- macos-def:inetlisteningservers_test
- macos-def:nvram_test
- macos-def:pwpolicy_test
|
Follow-ups:
n/a
|
|
25575
|
remove default element value from sp-def:spantivirussettings_state entities |
Closed |
2010-03-31 |
Fixed |
Priority:
High
| Category:
Definition Schemas
| Date Closed:
2010-03-31 17:48:04
|
Details:
In preparing for the 5.7 release I noticed that a default element value was set on two entities in the sp-def:spantivirussettings_state. We do not allow default element values on entities and this is the only place in the OVAL Language schemas that this occurs. Due to the schema refactoring that we did to support n-tuples this default element value now causes an error in some schema processors. This is a trivial change that should not impact validating any content and it corrects an error in the schema.
Modified: sharepoint-definitions-schema.xsd
===================================================================
--- sharepoint-definitions-schema.xsd 2010-03-31 01:38:48 UTC (rev 5771)
+++ sharepoint-definitions-schema.xsd 2010-03-31 11:59:21 UTC (rev 5772)
@@ -1188,7 +1188,7 @@
<xsd:complexContent>
<xsd:extension base="oval-def:StateType">
<xsd:sequence>
- <xsd:element name="spwebservicename" type="oval-def:EntityStateStringType" minOccurs="0" maxOccurs="1" default="*">
+ <xsd:element name="spwebservicename" type="oval-def:EntityStateStringType" minOccurs="0" maxOccurs="1">
<xsd:annotation>
<xsd:documentation>The spwebservicename denotes the name of a SharePoint web service to be tested or * (the default) to test all web services.</xsd:documentation>
<xsd:appinfo>
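Review bot: the xsd:documentation line kept as context under the changed spwebservicename element still reads "or * (the default) to test all web services", while the element above it no longer carries default="*". The documentation should be reworded in the same commit to say how an absent spwebservicename is to be interpreted, so that content authors and interpreter implementers do not rely on a schema-supplied value that is no longer there.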
@@ -1200,7 +1200,7 @@
</xsd:appinfo>
</xsd:annotation>
</xsd:element>
- <xsd:element name="spfarmname" type="oval-def:EntityStateStringType" minOccurs="0" maxOccurs="1" default="SPFarm.Local">
+ <xsd:element name="spfarmname" type="oval-def:EntityStateStringType" minOccurs="0" maxOccurs="1">
<xsd:annotation>
<xsd:documentation>The spfarmname denotes the name of the farm on which the Sharepoint webservice resides or the local farm (default).</xsd:documentation>
<xsd:appinfo>
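Review bot: with default="SPFarm.Local" dropped from spfarmname, the documentation line below it still says "or the local farm (default)" and the literal value SPFarm.Local no longer appears in the element. If omitting spfarmname is still meant to select the local farm, state that in the documentation text and name the value there; otherwise remove the "(default)" wording so the schema and its documentation agree.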
|
Follow-ups:
n/a
|
|
25674
|
document the handling of datatype and operation when a var_ref is used and the datatype is record |
Closed |
2010-04-09 |
Fixed |
Priority:
Very Low
| Category:
n/a
| Date Closed:
2011-01-12 11:50:24
|
Details:
The schema documentation does not currently describe how an interpreter should handle datatype and operation when a var_ref is used to retrieve a record. The documentation needs to explicitly state that the datatype used for evaluation of a given field is the datatype found on that field. The operation will always be equals.
|
Follow-ups:
Date Added: 2010-04-17 01:27:28 Due to the impact of this change we will defer this feature until a later release. It will not be included in version 5.7.
Date Added: 2011-01-12 11:50:23 This issue was addressed with documentation in the version 5.7 release that clearly states that the use of var_ref is not permitted when the datatype is record.
|
|
25675
|
allow field references on the object_component |
Closed |
2010-04-09 |
Fixed |
Priority:
High
| Category:
Definition Schemas
| Date Closed:
2010-04-13 00:41:54
|
Details:
The <object_component> element needs to be updated to allow a specific field in a record to be referenced by name. The <object_component>, as defined by the oval-def:ObjectComponentType type, allows a variable to derive its value(s) from an OVAL Object. The <object_component> currently has two attributes:
- object_ref - a reference to an OVAL Object
- item_field - the name of the field to extract the value from in any
OVAL Items that are collected as a result of processing the
referenced OVAL Object.
Considering the sample <wmi57_item> below we need to allow an <object_component> to refer to a particular field like the field with a value of "user1".
<wmi57_item id="1" status="exists" ...>
<namespace>root\CIMV2</namespace>
<wql>SELECT name, screensavertimeout FROM Win32_Desktop;</wql>
<result datatype="record">
<oval-sc:field name="name" datatype="string">user1</oval-sc:field>
<oval-sc:field name="screensavertimeout" datatype="int">900</oval-sc:field>
</result>
</wmi57_item>
We are currently considering adding an optional record_field attribute to the <object_component>. This attribute would hold the name of the field that holds the desired value. The xml might look something like this:
<object_component object_ref="oval:example:obj:2" item_field="result" record_field="name"/>
|
Follow-ups:
Date Added: 2010-04-13 00:41:53 Added record_field as suggested in the tracker description.
|
|
20064
|
win-def:port_object local_port schematron rule is requiring string when it should be an int |
Closed |
2009-06-08 |
Fixed |
Priority:
Medium
| Category:
Definition Schemas
| Date Closed:
2010-01-26 01:33:33
|
Details:
There is an inconsistency in the type for the local_port entity in the port_object. The inconsistency is that the local_port entity is of type “oval-def:EntityObjectIntType” yet the corresponding assertion test checks to see if the local_port entity value is of type string. Below is the offending XML from the windows-definitions-schema.xsd file.
<xsd:element name="local_port" type="oval-def:EntityObjectIntType">
<xsd:annotation>
<xsd:documentation>This element specifies the number assigned to the local listening port.</xsd:documentation>
<xsd:appinfo>
<sch:pattern id="winportobjlocal_port">
<sch:rule context="win-def:port_object/win-def:local_port">
<sch:assert test="not(@datatype) or @datatype='string'"><sch:value-of select="../@id"/> - datatype attribute for the local_port entity of a port_object should be 'string'</sch:assert>
</sch:rule>
</sch:pattern>
</xsd:appinfo>
</xsd:annotation>
</xsd:element>
Also, in the windows-system-characteristics-schema.xsd file, the port_item specifies the local_port entity should be of type “oval-def:EntityObjectIntType”. Therefore the local_port entity in the windows-definitions-schema.xsd file should be updated to align with the port_item windows-system-characteristics.xsd file.
|
Follow-ups:
Date Added: 2010-01-25 21:18:16 Updated appropriate Schematron rules.
|
|
23669
|
Clarify the win-def:registry_object/win-def:name documentation |
Closed |
2009-09-29 |
Fixed |
Priority:
Medium
| Category:
Definition Schemas
| Date Closed:
2010-01-25 01:48:28
|
Details:
The win-def:registry_object/win-def:name documentation should be clarified to state that if an empty string is specified for the name entity the registry key's default value should be collected.
|
Follow-ups:
n/a
|
|
23913
|
specify how a substring_start value greater than the length of the string should be handled in the oval-def:SubstringFunctionType |
Closed |
2009-10-21 |
Fixed |
Priority:
High
| Category:
Definition Schemas
| Date Closed:
2010-01-28 04:30:59
|
Details:
The OVAL Language does not currently specify how to handle a substring_start value greater than the length of the string. This should be specified and implemented in OVALDI as necessary.
|
Follow-ups:
n/a
|
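The substring semantics discussed in trackers 23664 and 23913, as an added C++ example that is not OVALDI code or part of the original tracker. It follows the documentation quoted in the thread (1-based start, start below 1 clamps to 1, negative or oversized length takes the rest); the handling of a start beyond the end is a parameter because the page does not record which option was adopted, and all function and type names are hypothetical.

```cpp
#include <iostream>
#include <stdexcept>
#include <string>
#include <vector>

// Hypothetical error type: lets a caller report "invalid starting position"
// instead of the "Unknown Error" message quoted in the thread.
struct SubstringError : std::runtime_error {
    using std::runtime_error::runtime_error;
};

// The two options listed in the thread for a substring_start beyond the end
// of the value. Which one the language adopted is not stated on the page, so
// the choice is a parameter here (assumption); the default reports an error.
enum class PastEndPolicy { ReportError, EmptyString };

std::string oval_substring(const std::string& value, long start, long length,
                           PastEndPolicy policy = PastEndPolicy::ReportError) {
    // "a value less than one also means starting at the first character"
    if (start < 1) start = 1;

    // Start position greater than the length of the value. Checked up front
    // so std::string::substr() never gets the chance to throw out_of_range.
    // Note that an empty value has length 0, so any start is beyond its end.
    if (static_cast<unsigned long long>(start) > value.size()) {
        if (policy == PastEndPolicy::EmptyString) return std::string();
        throw SubstringError("substring_start " + std::to_string(start) +
                             " is beyond the end of a value of length " +
                             std::to_string(value.size()));
    }

    const std::size_t offset = static_cast<std::size_t>(start) - 1;
    // A negative substring_length means everything from the start character.
    if (length < 0) return value.substr(offset);
    // substr() clamps a length that runs past the end of the value.
    return value.substr(offset, static_cast<std::size_t>(length));
}

// "If the string component ... returns multiple values, then the substring
// operation is performed multiple times". Under ReportError one bad value
// fails the whole component rather than yielding a partial result.
std::vector<std::string> oval_substring_all(
        const std::vector<std::string>& values, long start, long length,
        PastEndPolicy policy = PastEndPolicy::ReportError) {
    std::vector<std::string> out;
    out.reserve(values.size());
    for (const auto& v : values)
        out.push_back(oval_substring(v, start, length, policy));
    return out;
}

// Turns the outcome into a message suitable for a results file or log.
std::string evaluate_for_report(const std::vector<std::string>& values,
                                long start, long length) {
    try {
        std::string joined;
        for (const auto& s : oval_substring_all(values, start, length)) {
            if (!joined.empty()) joined += ",";
            joined += s;
        }
        return "OK: " + joined;
    } catch (const SubstringError& e) {
        return std::string("ERROR: ") + e.what();
    }
}

int main() {
    // Constructed sample values; "abcdefg" is the example from the quoted text.
    std::cout << evaluate_for_report({"abcdefg"}, 3, 2) << "\n";
    std::cout << evaluate_for_report({"abcdefg"}, 0, 2) << "\n";
    std::cout << evaluate_for_report({"abcdefg"}, 3, -1) << "\n";
    std::cout << evaluate_for_report({"abcdefg", "ab"}, 3, 2) << "\n";
    return 0;
}
```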
|
23914
|
clarify the oval-def:EscapeRegexFunctionType documentation |
Closed |
2009-10-21 |
Fixed |
Priority:
Medium
| Category:
Definition Schemas
| Date Closed:
2009-10-21 18:12:40
|
Details:
The oval-def:EscapeRegexFunctionType documentation should be clarified to state that the escape_regex function escapes all regular expression characters regardless of whether or not they were already escaped. For example, if you had the string '\.test*?' it would evaluate to '\\\.test\*\?' instead of '\\.test\*\?'.
|
Follow-ups:
Date Added: 2009-10-21 18:12:39 The oval-def:EscapeRegexFunctionType documentation was clarified by providing the following example. The string '(\.test_string*)?)' will evaluate to '\(\\\.test_string\*\)\?'.
|
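The escape_regex behaviour described in tracker 23914, as an added C++ example that is not OVALDI code or part of the original tracker: escaping every metacharacter, including a backslash that already precedes one, is what makes the result match the original string literally. The metacharacter set and all function names are assumptions, since the page does not list them.

```cpp
#include <iostream>
#include <regex>
#include <string>

// Assumed metacharacter set (ECMAScript regex syntax); not taken from the page.
static const std::string kRegexMeta = "\\^$.|?*+()[]{}";

// Escapes every metacharacter, regardless of whether it was already escaped.
std::string escape_regex(const std::string& in) {
    std::string out;
    out.reserve(in.size() * 2);
    for (char c : in) {
        if (kRegexMeta.find(c) != std::string::npos) out.push_back('\\');
        out.push_back(c);
    }
    return out;
}

// Contrast case (hypothetical): treats an existing "\x" pair as already
// escaped and copies it through unchanged.
std::string escape_regex_skip_escaped(const std::string& in) {
    std::string out;
    out.reserve(in.size() * 2);
    for (std::size_t i = 0; i < in.size(); ++i) {
        const char c = in[i];
        if (c == '\\' && i + 1 < in.size()) {
            out.push_back(c);
            out.push_back(in[++i]);
            continue;
        }
        if (kRegexMeta.find(c) != std::string::npos) out.push_back('\\');
        out.push_back(c);
    }
    return out;
}

// True when `pattern`, compiled as a regex, matches exactly `text`.
bool matches_literally(const std::string& pattern, const std::string& text) {
    return std::regex_match(text, std::regex(pattern));
}

int main() {
    // The string from the tracker entry: backslash, dot, "test", star, question mark.
    const std::string collected = R"(\.test*?)";

    const std::string full = escape_regex(collected);
    const std::string skipped = escape_regex_skip_escaped(collected);

    std::cout << "escape everything : " << full << " -> matches original: "
              << std::boolalpha << matches_literally(full, collected) << "\n";
    std::cout << "skip 'escaped'    : " << skipped << " -> matches original: "
              << matches_literally(skipped, collected) << "\n";
    return 0;
}
```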
|
24136
|
add a schematron rule to check for behaviors being used with the filepath entity |
Closed |
2009-11-17 |
Fixed |
Priority:
Medium
| Category:
Definition Schemas
| Date Closed:
2010-01-26 15:03:48
|
Details:
A schematron rule should be added to check to make sure that behaviors are not used with the filepath entity as they are not allowed.
<xsd:documentation>
It is important to note that the ‘max_depth’ and ‘recurse_direction’ attributes of the ‘behaviors’ element do not apply to the ‘filepath’ element, only to the ‘path’ and ‘filename’ elements. This is because the ‘filepath’ element represents an absolute path to a particular file and it is not possible to recurse over a file.
</xsd:documentation>
|
Follow-ups:
Date Added: 2010-01-22 21:26:10 Which schemas does this affect? Windows only?
Date Added: 2010-01-25 16:10:55 Fixed in windows definitions schema.
Date Added: 2010-01-25 16:19:45 This issue applies to all component definition schemas. Simply search for all instances of "filepath". This should find matches at least in the independent and unix schemas.
To be more specific, the general notion of behaviors with the filepath entity should be allowed. However, there are a few specific behaviors that should not be allowed. We need to look at the behaviors around each filepath and make sure we prohibit those that do not make sense.
Date Added: 2010-01-25 16:37:48 Are the "few specific behaviors" limited to max_depth and "recurse_direction"? I do see in the independent-definitions-schema.xsd "ignore_case", "multiline" and "singleline". I don't know enough about the meanings, but they appear to be valid with a filepath. I'll try to examine the behaviors and if I have any questions about specific ones, I'll ask.
Date Added: 2010-01-25 16:44:48 each behavior should be documented. If a behavior is not documented then we need to fix that and add documentation. The examples you gave from the independent-definitions-schema do not apply to the filepath entity.
For a bit of background, in version 5.6 we added the filepath entity as a choice instead of path+filename. When we did this we forgot to add any schematron assertions to prevent the behaviors that applied to one portion of the choice (path+filename) from being applied to the filepath portion of the choice.
Date Added: 2010-01-26 01:34:17 is this one complete now?
Date Added: 2010-01-26 14:08:52 Fixed in Unix definitions schema. This is complete now.
|
|
24219
|
update the oval-sc:ObjectType documentation regarding when no items are found for an object |
Closed |
2009-11-30 |
Fixed |
Priority:
Medium
| Category:
System Characteristics Schemas
| Date Closed:
2010-03-10 13:13:01
|
Details:
Update the documentation that states when an object does not exist it shouldn’t reference any items. This should be changed to state that an item will be referenced and will provide information about elements that were successfully collected. For example, if a file_object has a path equal to "c:\" and a filename equal to "test.txt", and "test.txt" does not exist, an item with a path equal to "c:\" and a filename equal to "test.txt" with a status of "does not exist" will be referenced by that object.
|
Follow-ups:
Date Added: 2010-01-27 16:10:16 These changes should be reviewed and improved if possible.
|
|
24220
|
update the oval-sc:ObjectType documentation regarding when no items are found for an object and behaviors are used |
Closed |
2009-11-30 |
Fixed |
Priority:
Medium
| Category:
System Characteristics Schemas
| Date Closed:
2010-03-10 13:12:59
|
Details:
When zero items are collected by the system for a specified object (when the equals operation is used) it will provide an item specifying which elements were successfully collected and which elements did not exist. However, when behaviors are used with the specified object it can result in many items with a status of "does not exist" to be collected, and can significantly impact the time it takes to analyze the definition. It needs to be decided how to handle this case and then updated in the documentation. An example of this scenario is if a file_object where the path equals "c:\" and the filename equals "test.txt" and the behaviors recurse_direction equals "down" and max_depth equals "-1" are applied. As OVALDI recurses the directory, for every path it searches for "test.txt", and doesn't find it, it will collect an item that does not exist with a path equal to "c:\some_path" and a filename equal to "test.txt" with a status of "does not exist". As a result, if there are many subdirectories of the path "c:\", there will be many items referenced by the object that do not exist and will increase the time it takes to analyze the definition.
|
Follow-ups:
Date Added: 2010-01-27 16:10:39 These changes should be reviewed and improved if possible.
|
|
24535
|
refer to the xsi:nil attribute in a consistent manner |
Closed |
2010-01-08 |
Fixed |
Priority:
High
| Category:
n/a
| Date Closed:
2010-01-28 05:01:58
|
Details:
In the schemas we often refer to the xsi:nil attribute as either the nil attribute, the nillable attribute, or xsi:nil (sometimes all in the same paragraph). We should pick one way to refer to it. It seems that xsi:nil would be the best choice because you know exactly what it is and in other places in the schemas we use the datatype attribute, id attribute, etc.
|
Follow-ups:
n/a
|
|
24536
|
clarify in the documentation that sets are a unique collection of elements |
Closed |
2010-01-08 |
Fixed |
Priority:
High
| Category:
n/a
| Date Closed:
2010-01-28 05:02:17
|
Details:
Places in the schema where we mention sets (e.g. a set of items, a set of objects, etc.), we should say a unique set of items, a unique set of objects, etc. This will clarify any confusion where a set may be interpreted as a collection of elements that are not necessarily unique.
|
Follow-ups:
n/a
|
|
24538
|
clarify the filepath entity documentation for file related tests on unix systems |
Closed |
2010-01-08 |
Fixed |
Priority:
Medium
| Category:
n/a
| Date Closed:
2010-01-22 14:07:21
|
Details:
The filepath entity documentation currently states:
<xsd:documentation>
The filepath element specifies the absolute path for a file on the machine.
</xsd:documentation>
When dealing with tests in the UNIX schema, this documentation may be confusing because, in UNIX, directories are a type of file. Therefore, a statement should be added to the above documentation to explicitly state that a directory cannot be specified in the filepath entity. The documentation should be updated in all of the schemas to keep the documentation consistent.
|
Follow-ups:
n/a
|
|
24539
|
clarify which file types are applicable for each file-based test |
Closed |
2010-01-08 |
n/a |
Priority:
High
| Category:
Definition Schemas
| Date Closed:
2010-01-28 04:20:31
|
Details:
The language has many file-based tests; however, it does not necessarily make sense for all file types to be collected for each test. The documentation for each file-based test should explicitly state which file types will be collected.
|
Follow-ups:
n/a
|
|
24540
|
clarify the ind-def:ldap_object, ind-def:ldap_state, and ind-sc:ldap_item suffix entity documentation |
Closed |
2010-01-08 |
Fixed |
Priority:
Medium
| Category:
n/a
| Date Closed:
2010-01-25 20:15:29
|
Details:
Please see http://n2.nabble.com/Proposed-Changes-to-the-ind-def-ldap-test-tp4171575ef20093.html for information on the required changes.
|
Follow-ups:
n/a
|
|
24541
|
clarify the ind-def:ldap_object scope behavior documentation |
Closed |
2010-01-08 |
Fixed |
Priority:
Medium
| Category:
Definition Schemas
| Date Closed:
2010-01-25 20:15:44
|
Details:
Please see
http://n2.nabble.com/Proposed-Changes-to-the-ind-def-ldap-test-tp4171575ef20093.html
for information on the required changes.
|
Follow-ups:
n/a
|
|
24542
|
deprecate the LDAPTYPE_TIMESTAMP and LDAPTYPE_EMAIL values in the ind-def:EntityStateLdaptypeType and ind-sc:EntityItemLdaptypeType enumerations |
Closed |
2010-01-08 |
Fixed |
Priority:
Medium
| Category:
n/a
| Date Closed:
2010-01-25 20:15:15
|
Details:
Please see
http://n2.nabble.com/Proposed-Changes-to-the-ind-def-ldap-test-tp4171575ef20093.html
for additional information.
|
Follow-ups:
n/a
|
|
24543
|
add the LDAPTYPE_BINARY value to the ind-def:EntityStateLdaptypeType and ind-sc:EntityItemLdaptypeType enumerations |
Closed |
2010-01-08 |
Fixed |
Priority:
Medium
| Category:
n/a
| Date Closed:
2010-01-25 20:14:58
|
Details:
Please see
http://n2.nabble.com/Proposed-Changes-to-the-ind-def-ldap-test-tp4171575ef20093.html
for additional information.
|
Follow-ups:
n/a
|
|
24544
|
clarify how the oval-def:escape_regex function works |
Closed |
2010-01-08 |
Duplicate |
Priority:
Medium
| Category:
Definition Schemas
| Date Closed:
2010-01-25 02:56:00
|
Details:
This documentation should be clarified to state that the oval-def:escape_regex function escapes all regular expression characters regardless of whether or not the regular expression character has been escaped. For example, the string '\.test*?' will evaluate to '\\\.test\*\?' and not '\\.test\*\?'.
|
Follow-ups:
Date Added: 2010-01-25 02:55:59 An example, similar to this, was added to the documentation on October 21, 2009.
|
|
24545
|
clarify the documentation for the win-def:file_state/win-def:owner and win-sc:file_item/win-sc:owner entities |
Closed |
2010-01-08 |
Fixed |
Priority:
Medium
| Category:
n/a
| Date Closed:
2010-01-25 15:17:26
|
Details:
It should be explicitly stated that the owner entity should specify the owner in the DOMAIN\username format.
|
Follow-ups:
n/a
|
|
24546
|
clarify the win-def:file_state/win-def:ms_checksum and win-sc:file_item/win-sc:ms_checksum entity documentation |
Closed |
2010-01-08 |
Fixed |
Priority:
Medium
| Category:
n/a
| Date Closed:
2010-01-25 15:17:07
|
Details:
The documentation currently states:
<xsd:documentation>
The ms_checksum element is the md5 checksum of the file as supplied by Microsoft.
</xsd:documentation>
and
<xsd:documentation>
the md5 checksum of the file.
</xsd:documentation>
The documentation should be clarified to state that the ms_checksum entity is the checksum as returned by the MapFileAndCheckSum() API call. Please see http://msdn.microsoft.com/en-us/library/ms680355(VS.85).aspx for more information.
|
Follow-ups:
n/a
|
|
24547
|
improve the performance of the schematron rules |
Closed |
2010-01-08 |
Fixed |
Priority:
Medium
| Category:
n/a
| Date Closed:
2010-02-17 17:19:32
|
Details:
Due to the slow performance of the schematron rules for the OVAL Language, we should investigate different ways to optimize and improve their performance.
|
Follow-ups:
n/a
|
|
24548
|
clarify documentation in the ResultEnumeration to explicitly state how errors should be assigned |
Closed |
2010-01-08 |
Fixed |
Priority:
High
| Category:
n/a
| Date Closed:
2010-01-28 04:47:26
|
Details:
The documentation for the error value in the ResultEnumeration should be clarified so that it explicitly states how errors should be assigned. It will also be beneficial to clarify how and when errors should be assigned to items and their respective entities.
|
Follow-ups:
n/a
|
|
24687
|
add an attribute to the filter construct to control its behavior |
Closed |
2010-01-22 |
Fixed |
Priority:
Medium High
| Category:
Definition Schemas
| Date Closed:
2010-01-28 20:16:46
|
Details:
Please see http://n2.nabble.com/OVAL-Filter-behavior-tp4420626ef20093.html for more information.
|
Follow-ups:
n/a
|
|
24688
|
clarify the search scope in the user and group tests |
Closed |
2010-01-22 |
Fixed |
Priority:
Medium High
| Category:
n/a
| Date Closed:
2010-02-17 19:34:40
|
Details:
Clarify the search scope in the user and group tests as specified in the proposal.
|
Follow-ups:
n/a
|
|
24689
|
add subgroup entity to the win-sc:group_item |
Closed |
2010-01-22 |
Fixed |
Priority:
Medium High
| Category:
System Characteristics Schemas
| Date Closed:
2010-02-03 21:12:34
|
Details:
Update the win-sc:group_item to include a subgroup entity as outlined in the proposal.
|
Follow-ups:
Date Added: 2010-02-03 21:12:20 This was also applied to the win-sc:group_sid_item.
|
|
24690
|
clarify the tested_item result attribute |
Closed |
2010-01-22 |
Fixed |
Priority:
High
| Category:
Result Schemas
| Date Closed:
2010-01-28 04:37:52
|
Details:
Please see http://n2.nabble.com/oval-results-tested-item-tp4147599ef20093.html for more information.
|
Follow-ups:
n/a
|
|
24786
|
add windows 7 audit settings to the auditeventpolicysubcategories_state and auditeventpolicysubcategories_item |
Closed |
2010-02-03 |
Fixed |
Priority:
Medium
| Category:
n/a
| Date Closed:
2010-02-03 21:55:04
|
Details:
Jon,
One issue that comes to mind with respect to any new setting is that the OVAL documentation currently does not document restrictions on usage of specific elements with the version(s) of a product or platform in which they are supported. This may be something to consider for future additions to the documentation as well as the schematrons.
To ensure comprehensive support for the audit subcategories I suggest that the following child elements be added to auditeventpolicysubcategories_state:
Child Elements | Type | MinOccurs | MaxOccurs
kerberos_authentication_service | win-def:EntityStateAuditType | 0 | 1
kerberos_service_ticket_operations | win-def:EntityStateAuditType | 0 | 1
network_policy_server | win-def:EntityStateAuditType | 0 | 1
detailed_file_share | win-def:EntityStateAuditType | 0 | 1
This page contains a listing of what's new to security auditing in Windows 7 and Windows 2008 R2.
http://technet.microsoft.com/en-us/library/dd560628(WS.10).aspx
I have pasted the description of the previously listed settings below for your convenience.
Audit Policy: Account Logon: Kerberos Authentication Service:
Audit events generated by Kerberos authentication ticket-granting ticket (TGT) requests.
Audit Policy: Account Logon: Kerberos Service Ticket Operations:
Audit events generated by Kerberos service ticket requests.
Audit Policy: Logon-Logoff: Network Policy Server:
Audit events generated by RADIUS (IAS) and Network Access Protection (NAP) user access requests. These requests can be Grant, Deny, Discard, Quarantine, Lock, and Unlock.
Audit Policy: Object Access: Detailed File Share:
Audit attempts to access files and folders on a shared folder. The Detailed File Share setting logs an event every time a file or folder is accessed, whereas the File Share setting only records one event for any connection established between a client and file share. Detailed File Share audit events include detailed information about the permissions or other criteria used to grant or deny access.
Thanks,
Tim Harrison
SCAP Content Development
National Institute of Standards and Technology
(717)561-2923
[hidden email]
--------------------------------------------------------------------------------
From: Baker, Jon [[hidden email]]
Sent: Monday, February 01, 2010 9:21 PM
To: [hidden email]
Subject: Re: [OVAL-DEVELOPER-LIST] Windows 7 audit settings
Tim,
We have not had a chance to look at Windows 7 yet, but it does look like some changes were made to the auditing capabilities in Windows 7 and Server 2008. Would it be possible to suggest the changes that need to be made and provide a link to the correct Microsoft article to justify the changes?
Thanks,
Jon
============================================
Jonathan O. Baker
G022 - IA Industry Collaboration
The MITRE Corporation
Email: [hidden email]
From: Harrison, Tim [mailto:[hidden email]]
Sent: Thursday, January 28, 2010 5:38 PM
To: oval-developer-list OVAL Developer List/Closed Public Discussion
Subject: [OVAL-DEVELOPER-LIST] Windows 7 audit settings
I appear to have run across 4 new audit policy subcategories in Windows 7:
Audit Policy: Account Logon: Kerberos Authentication Service
Audit Policy: Account Logon: Kerberos Service Ticket Operations
Audit Policy: Logon-Logoff: Network Policy Server
Audit Policy: Object Access: Detailed File Share
Do any of the current OVAL versions address these audit subcategories?
If not, are there any plans to add them?
If the answer to both of these questions is 'no' then I would like to request the following elements be added as child elements of auditeventpolicysubcategories_state:
kerberos_authentication_service
kerberos_service_ticket_operations
network_policy_server
detailed_file_share
Respectfully,
Tim Harrison
SCAP Content Development
National Institute of Standards and Technology
(717)561-2923
[hidden email]
|
Follow-ups:
n/a
|
|
24788
|
Update the documentation for the user and group tests regarding resolving subgroups |
Closed |
2010-02-03 |
Fixed |
Priority:
Medium
| Category:
n/a
| Date Closed:
2010-02-03 21:17:02
|
Details:
Update the documentation for the user and group tests to state that the groups and subgroups will not be resolved. Please see http://n2.nabble.com/Proposal-to-Add-a-Subgroup-Entity-to-the-win-sc-group-item-tp4453782ef20093.html for more information.
|
Follow-ups:
n/a
|
|
24812
|
document the audit event policy subcategories |
Closed |
2010-02-04 |
Fixed |
Priority:
Medium
| Category:
n/a
| Date Closed:
2010-02-17 19:24:57
|
Details:
The audit event policy subcategories do not have any documentation. This should be added.
http://technet.microsoft.com/en-us/library/dd560628(WS.10).aspx
|
Follow-ups:
n/a
|
|
24813
|
remove platform specific documentation in the auditeventpolicysubcategories_item |
Closed |
2010-02-04 |
Fixed |
Priority:
Medium
| Category:
n/a
| Date Closed:
2010-02-17 22:44:47
|
Details:
The auditeventpolicysubcategories_item documentation says “These subcategories are new in Windows Vista”. This is no longer accurate as some of the values are new to Windows 7. Other instances of platform specific documentation should be looked for and removed as it can change and will be difficult to maintain. It should be replaced with something along the lines of "many of the elements in this item are platform specific and you should refer to your product’s documentation for more information".
|
Follow-ups:
n/a
|
|
24957
|
add the 'has_extended_acl' entity to the unix-def:file_state and the unix-sc:file_item |
Closed |
2010-02-16 |
Fixed |
Priority:
Medium
| Category:
n/a
| Date Closed:
2010-02-17 20:26:05
|
Details:
Classification: UNCLASSIFIED
Caveats: NONE
Hi Danny,
That looks good to me.
Thanks,
-Brady
-----Original Message-----
From: Haynes, Dan [mailto:dhaynes@MITRE.ORG]
Sent: Tuesday, February 16, 2010 2:25 PM
To: OVAL-DEVELOPER-LIST@LISTS.MITRE.ORG
Subject: Re: [OVAL-DEVELOPER-LIST] Proposal for UNIX ACL child element
(UNCLASSIFIED)
Hi Brady,
I agree that this information would be beneficial for anyone
investigating the permissions of a file. However, I do have one
comment. Rather than not having the 'has_extended_acl' entity present
if the interpreter or system do not support ACL, the entity could have a
status of 'not collected' if the interpreter doesn't support ACL and a
status of 'does not exist' if the system doesn't support ACL. I think
that this would be useful because it would provide the user with more
information as to why a value for the 'has_extended_acl' entity was not
retrieved. With these changes, and what you specified below, the
outcome of retrieving the value for the 'has_extended_acl' entity would
look something like this:
1) If an interpreter doesn't support the collection of ACL information,
the status will be 'not collected'.
2) If there is an error trying to retrieve this information, the status
will be 'error'.
3) If a system doesn't support ACLs, the status will be 'does not
exist'.
4) If a system supports ACLs, the status will be 'exists'.
5) If a file doesn't have an ACL, or it matches the standard UNIX
permissions, the value will be 'false'
6) If a file has an ACL, the value will be 'true'.
Does this make sense? Is this along the lines of what you were
thinking?
Thanks,
Danny
>-----Original Message-----
>From: Jeff Saxton [mailto:jeff_saxton@BIGFIX.COM]
>Sent: Tuesday, February 09, 2010 7:12 PM
>To: oval-developer-list OVAL Developer List/Closed Public Discussion
>Subject: Re: [OVAL-DEVELOPER-LIST] Proposal for UNIX ACL child element
>(UNCLASSIFIED)
>
>I like it fwiw
>
>"Alleman, Brady G CTR DISA FSO" <Brady.Alleman.ctr@DISA.MIL> wrote:
>
>
>Classification: UNCLASSIFIED
>Caveats: NONE
>
>I would like to propose a schema change to allow for the testing for the
>presence of file access control lists (ACLs) on UNIX platforms. While many
>UNIX systems support ACLs, their use and implementation are not consistent or
>standardized. It could be difficult to create a structure that satisfactorily
>represents ACLs from multiple platforms. Regardless, the existence of a file
>ACL that contains permissions beyond those of the file's mode is a
>characteristic that would be useful in security assessment, and a concept
>recognized by UNIX systems supporting ACLs. Depending on the platform, such
>ACLs are referred to as "extended," "non-trivial," or "optional."
>
>I suggest adding a boolean "has_extended_acl" child element to the existing
>file_state element in the UNIX schema. This element could be absent if the
>system does not support ACLs, or the interpreter does not support ACLs on the
>system. The element would be false if the file has no ACL, or a so-called
>"trivial," "minimal," or "base" ACL that exactly matches the permissions of the
>file's mode number and ownership, and true otherwise. This is, with a few
>possible exceptions, the condition represented by a '+' appearing in the
>permissions of a file as output by "ls -l". A multiple-platform implementation
>example of this can be found in the file-has-acl.c file of the GNU Coreutils
>project.
>
>Does this seem like an appropriate change to support this capability, or are
>there alternatives that should be considered?
>
>Thanks,
>
>--
>Brady Alleman
>tapestry technologies, LLC
>DISA FSO, IA Standards (CTR)
>Classification: UNCLASSIFIED
>Caveats: NONE
>
>
>To unsubscribe, send an email message to LISTSERV@LISTS.MITRE.ORG with
>SIGNOFF OVAL-DEVELOPER-LIST
>in the BODY of the message. If you have difficulties, write to
>OVAL-DEVELOPER-LIST-request@LISTS.MITRE.ORG.
>
|
Follow-ups:
n/a
|
|
25294
|
add support for target_user and make username, userpass, and directory_node nillable in the macos-def:pwpolicy_test |
Closed |
2010-03-10 |
Fixed |
Priority:
Medium
| Category:
n/a
| Date Closed:
2010-03-10 20:18:54
|
Details:
Please see http://n2.nabble.com/Mac-pwpolicy-test-tp4455124ef20093.html for additional information.
|
Follow-ups:
n/a
|
|
25309
|
update the uid entity documentation in the unix-def:process_state and unix-sc:process_item |
Closed |
2010-03-11 |
Fixed |
Priority:
Medium
| Category:
n/a
| Date Closed:
2010-03-12 14:47:49
|
Details:
The uid entity documentation should be updated to state that the uid entity refers to the effective user id.
|
Follow-ups:
n/a
|
|
25574
|
clarify schema documentation regarding IP addresses |
Closed |
2010-03-31 |
Fixed |
Priority:
Medium
| Category:
n/a
| Date Closed:
2010-03-31 17:45:01
|
Details:
It should be clarified in the schema documentation that IP addresses can be either IPv4 or IPv6.
|
Follow-ups:
n/a
|