Version 5.7 (Archived)

This page provides information on the proposed changes to the OVAL Language. All information about the new version is included in this centralized location. The major highlights of the release so far are listed below:

  • Added support for n-tuples.
  • Numerous Schematron rule refinements and performance focused improvements.
  • Significant documentation improvements were made throughout the OVAL Language schemas.
  • Removed the long deprecated ind-def:filemd5_test and apache-def:version_test and all their related objects, states, and items.
  • New Tests and Component Schemas Added in Version 5.7
    • Added the win-def:dnscache_test and unix-def:dnscache_test to support checking the DNS cache on a local host.
    • Added new ind-def:sql57_test, ind-def:ldap57_test, win-def:wmi57_test, and win-def:activedirectory57_test in order to leverage n-tuple support.

All of the above items remain open for discussion and any comments or feedback are greatly appreciated. For a complete listing of the release contents see the New in Version 5.7 section. A complete listing of the tests available in this release can be found here. More information about the OVAL Language review process can be found here.

Downloads

Includes downloads for the Version 5.7 Definition Schema, System Characteristics Schema, Results Schema, and Element Dictionaries.

KEY
Complete Schema - has all documentation embedded and the Schematron mark-up.
Minimal Schema - includes the raw xml schema only.
Schematron - a schema that can provide additional validation of OVAL V5 documents.
Documentation html - element dictionaries, which users can elect to view in a browser or save.
All files zip - all files zipped together to allow for one simple download.
xsd/sch - a user can either right click to download the file or left click to open the file in their default viewer.
Deprecation Listing - a list of all deprecated language constructs.

OVAL Definition Schema Downloads

File Name         | Complete Schema | Minimal Schema | Documentation | Schematron | Deprecation Listing
All Files         | zip             | zip            | zip           | zip, sch   | -
Core              | xsd             | xsd            | html          | -          | -
Common            | xsd             | xsd            | html          | -          | html
Independent       | xsd             | xsd            | html          | -          | html
Apache            | xsd             | xsd            | html          | -          | -
Apple Macintosh   | xsd             | xsd            | html          | -          | -
Cisco CatOS       | xsd             | xsd            | html          | -          | html
Cisco IOS         | xsd             | xsd            | html          | -          | html
Cisco PixOS       | xsd             | xsd            | html          | -          | -
FreeBSD           | xsd             | xsd            | html          | -          | -
HP-UX             | xsd             | xsd            | html          | -          | html
IBM AIX           | xsd             | xsd            | html          | -          | -
Linux             | xsd             | xsd            | html          | -          | -
Microsoft Windows | xsd             | xsd            | html          | -          | html
SharePoint        | xsd             | xsd            | html          | -          | -
Sun Solaris       | xsd             | xsd            | html          | -          | html
UNIX              | xsd             | xsd            | html          | -          | html
VMware ESX        | xsd             | xsd            | html          | -          | html

OVAL System Characteristics Schema Downloads

File Name         | Complete Schema | Minimal Schema | Documentation | Schematron | Deprecation Listing
All Files         | zip             | zip            | zip           | zip, sch   | -
Core              | xsd             | xsd            | html          | -          | -
Common            | xsd             | xsd            | html          | -          | html
Independent       | xsd             | xsd            | html          | -          | html
Apache            | xsd             | xsd            | html          | -          | -
Apple Macintosh   | xsd             | xsd            | html          | -          | -
Cisco CatOS       | xsd             | xsd            | html          | -          | html
Cisco IOS         | xsd             | xsd            | html          | -          | html
Cisco PixOS       | xsd             | xsd            | html          | -          | -
FreeBSD           | xsd             | xsd            | html          | -          | -
HP-UX             | xsd             | xsd            | html          | -          | -
IBM AIX           | xsd             | xsd            | html          | -          | -
Linux             | xsd             | xsd            | html          | -          | -
Microsoft Windows | xsd             | xsd            | html          | -          | html
SharePoint        | xsd             | xsd            | html          | -          | -
Sun Solaris       | xsd             | xsd            | html          | -          | -
UNIX              | xsd             | xsd            | html          | -          | -
VMware ESX        | xsd             | xsd            | html          | -          | html

OVAL Results Schema Downloads

File Name         | Complete Schema | Minimal Schema | Documentation | Schematron | Deprecation Listing
All Files         | zip             | zip            | zip           | zip, sch   | -
Core              | xsd             | xsd            | html          | -          | -
Common            | xsd             | xsd            | html          | -          | html

OVAL Variables Schema Downloads

File Name         | Complete Schema | Minimal Schema | Documentation | Schematron | Deprecation Listing
All Files         | zip             | zip            | zip           | zip, sch   | -
Core              | xsd             | xsd            | html          | -          | -
Common            | xsd             | xsd            | html          | -          | html

Example XML Stylesheets

File Name Description
results_to_html.xsl The results_to_html stylesheet converts an OVAL Results document into a more readable html format.
minimal_schema.xsl The minimal_schema stylesheet removes all annotation elements from the OVAL Schema leaving only the minimal schema.
element_dictionary.xsl The element_dictionary stylesheet creates documentation files from the OVAL Schema.
reference_mapping.xsl The reference_mapping stylesheet creates a map between each OVAL Definition in a document and a specified reference source.

New in Version 5.7

Version 5.7 of the Official OVAL Schema is a direct result of feedback from the OVAL Community. This will be a minor version change and may require some new development by tools that support earlier versions of the Language. The changes pending to the different schemas are outlined below. "Open" status means the item is under consideration or being worked upon, "Closed" status means that the item has been incorporated and work on it is completed, and "Suspended" status means that the item will not be included in this version but may be included in a future version.

Items addressed in this version include:

ID Title Status Date Opened Resolution
24570 prepend source identifiers to Schematron pattern ids. Closed 2010-01-11 Fixed
Priority: Medium | Category: n/a | Date Closed: 2010-01-21 14:19:21
Details:
Currently, all of the Schematron patterns are extracted from the various schemas and aggregated into three master Schematron files: definitions, system characteristics, and results. Once so aggregated, it is impossible to tell which schema a rule came from without reading down into the body of the rule and finding something that distinguishes the rule, for example, platform specific xpath statement in the context, test, assertion or report. Also, it is possible for pattern ids to be duplicated across the schemas and therefore clash when aggregated.

To fix these problems, a prefix shall be put on all Schematron pattern IDs identifying the schema the pattern comes from. This prefix shall be the namespace prefix used within a schema file to identify its own namespace followed by an underscore, "_". For example, "oval-def_" for patterns found in the "oval-definitions-schema.xsd"
Follow-ups:
n/a
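
The prefixing described in 24570, as an added example that is not MITRE's release tooling: two constructed schema fragments (shaped like OVAL's schemas but made up) both declare a pattern with the bare id "idcheck". The script recovers the prefix each schema binds to its own targetNamespace, rewrites every embedded sch:pattern id to "<prefix>_<id>", and shows that the clash disappears once the ids are prefixed. The schema contents, pattern ids and function names are all assumptions for the example.

```python
"""Prefix embedded Schematron pattern ids with the owning schema's prefix.

Added example (not MITRE's release tooling). It mirrors the 24570 fix:
a pattern id such as "idcheck" in the schema that binds "oval-def" to
its own targetNamespace becomes "oval-def_idcheck", so ids stay unique
and traceable once every schema's patterns are aggregated into one
Schematron file.
"""
import xml.etree.ElementTree as ET

SCH = "http://purl.oclc.org/dsdl/schematron"

# Constructed schema fragments, not the real OVAL schemas. Both declare a
# pattern with the bare id "idcheck", which clashes on aggregation.
SCHEMAS = {
    "oval-definitions-schema.xsd": """\
<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema"
            xmlns:sch="http://purl.oclc.org/dsdl/schematron"
            xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5"
            targetNamespace="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <xsd:annotation><xsd:appinfo>
    <sch:pattern id="idcheck">
      <sch:rule context="oval-def:definition"><sch:assert test="@id">missing id</sch:assert></sch:rule>
    </sch:pattern>
  </xsd:appinfo></xsd:annotation>
</xsd:schema>
""",
    "windows-definitions-schema.xsd": """\
<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema"
            xmlns:sch="http://purl.oclc.org/dsdl/schematron"
            xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5"
            xmlns:win-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows"
            targetNamespace="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
  <xsd:annotation><xsd:appinfo>
    <sch:pattern id="idcheck">
      <sch:rule context="win-def:registry_object"><sch:assert test="@id">missing id</sch:assert></sch:rule>
    </sch:pattern>
    <sch:pattern id="winregkey">
      <sch:rule context="win-def:registry_object/win-def:key"><sch:assert test="not(@datatype) or @datatype='string'">key must be a string</sch:assert></sch:rule>
    </sch:pattern>
  </xsd:appinfo></xsd:annotation>
</xsd:schema>
""",
}


def own_prefix(xml_text):
    """Return the prefix the schema binds to its own targetNamespace.

    ElementTree drops prefixes while parsing, so the start-ns events are
    collected with a pull parser before the root element is seen.
    """
    parser = ET.XMLPullParser(events=("start-ns", "start"))
    parser.feed(xml_text)
    parser.close()
    uri_to_prefix, target = {}, None
    for event, payload in parser.read_events():
        if event == "start-ns":
            prefix, uri = payload
            uri_to_prefix.setdefault(uri, prefix)
        elif target is None:  # the first "start" event is the root element
            target = payload.get("targetNamespace")
    if target not in uri_to_prefix:
        raise ValueError("schema binds no prefix to its own targetNamespace")
    return uri_to_prefix[target]


def pattern_ids(xml_text):
    """Bare ids of every sch:pattern embedded in the schema's appinfo."""
    root = ET.fromstring(xml_text)
    return [p.get("id") for p in root.iter(f"{{{SCH}}}pattern") if p.get("id")]


def prefixed_pattern_ids(xml_text):
    """Ids rewritten to "<own prefix>_<id>"; already-prefixed ids are left alone."""
    prefix = own_prefix(xml_text) + "_"
    return [pid if pid.startswith(prefix) else prefix + pid for pid in pattern_ids(xml_text)]


def clashes(schemas, prefixed=False):
    """Pattern ids declared by more than one schema, before or after prefixing."""
    seen = {}
    for name, text in schemas.items():
        ids = prefixed_pattern_ids(text) if prefixed else pattern_ids(text)
        for pid in ids:
            seen.setdefault(pid, []).append(name)
    return {pid: names for pid, names in seen.items() if len(names) > 1}


if __name__ == "__main__":
    print("clashes before prefixing:", clashes(SCHEMAS))
    print("clashes after prefixing: ", clashes(SCHEMAS, prefixed=True))
    for name, text in SCHEMAS.items():
        print(name, prefixed_pattern_ids(text))
```

The prefix is taken from the schema's own xmlns declaration rather than from a hard-coded table, so a schema added later is handled without touching the aggregation script; the idempotence check matters because the aggregation runs over schemas that may already carry the prefix.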
24683 var_refs should have a var_check - but it's not required. Change the schematron rule to be a report rather than an assert Closed 2010-01-21 Fixed
Priority: Medium | Category: Definition Schemas | Date Closed: 2010-01-22 21:23:09
Details:
There is a Schematron rule that assures that items with a var_ref attribute also have a var_check attribute. This is more a best practice than a requirement. So the assertion message should be changed to reflect that it is only a warning and not invalid.
Follow-ups:
Date Added: 2010-01-22 21:21:58
Jon Baker: "I think the wording is fine for the moment."

Date Added: 2010-01-23 01:50:34
For now we committed the change to make the Schematron assertion a report. At a later time we will review and standardize all Schematron rules.

23826 Change maxOccurs for several xinetd_item entities Closed 2009-10-14 Fixed
Priority: Medium | Category: System Characteristics Schemas | Date Closed: 2010-01-25 20:24:57
Details:
The following entities should be changed to maxOccurs="unbounded":

only_from
no_access
flags
Follow-ups:
n/a
23828 Add two more values to EntityXinetdTypeStatusType enumeration Closed 2009-10-14 Fixed
Priority: Medium | Category: System Characteristics Schemas | Date Closed: 2010-01-26 15:48:16
Details:
The additional values needed are:

TCPMUX
TCPMUXPLUS
Follow-ups:
n/a
13725 support statements that return multiple n-tuples in sql, wmi, ldap, and activedirectory tests Closed 2007-11-27 Fixed
Priority: Medium High | Category: n/a | Date Closed: 2010-02-17 20:25:47
Details:
Each of these tests can return values that have multiple components.  For example, SELECT value1, value2 FROM table.  Another example is with Active Directory: an attribute value of type ADSTYPE_DN_WITH_STRING associates a DN with a string, so it has two components, one is the DN and one is the associated string.
Follow-ups:
n/a
23663 allow empty values in variables Closed 2009-09-28 Fixed
Priority: Low | Category: Definition Schemas | Date Closed: 2010-01-26 01:59:19
Details:
>-----Original Message-----
>From: owner-oval-team-list@LISTS.MITRE.ORG [mailto:owner-oval-team-
>list@LISTS.MITRE.ORG] On Behalf Of Michael Chisholm
>Sent: Wednesday, September 16, 2009 2:45 PM
>To: oval-team-list
>Subject: Empty <value> not allowed in constant_variable?
>
>Mike Lah accidentally stumbled over a constraint with an oval
>definition, where <value>'s for <constant_variable>'s cannot be empty.
>Some of my thoughts:
>
>- Schematron validation passed, and that error was caught by the
>interpreter itself.  But there is a schematron rule which I think is
>supposed to catch this, and doesn't seem to be working.
>
><sch:rule context="oval-def:constant_variable/oval-def:value">
>  <sch:assert test=".!=''">....</sch:assert>
></sch:rule>
>
>Does this rule need to be fixed?  (I don't know schematron well enough
>to tell by looking)
>
>- An empty value is valid in some circumstances.  For example, it is
>possible for a regex to match the empty string.  If you aren't allowed
>to have empty strings as variable values, you can't represent some valid
>matches.  So I question whether this schematron rule should exist at
>all.  I can see that it would not make sense to have an empty value if
>the variable type is, say, 'int'.  Maybe a more appropriate rule would
>enforce values of the <value> element, according to the
>constant_variable's datatype?  (I thought I'd seen a rule like that in
>other places in the schema)
>
>Andy
Follow-ups:
Date Added: 2010-01-26 01:51:27
Removed the Schematron rule.

Date Added: 2010-01-26 01:59:18
Removed the rule that checks that oval-def:literal_component is not empty. Looked for all other occurrences of several possible matching strings to try to find other areas where we are restricting the empty string.

23664 ensure that error handling is not allowing silent failures - substring function documentation and more Closed 2009-09-28 Fixed
Priority: High | Category: Definition Schemas | Date Closed: 2010-01-28 19:32:35
Details:
>From: owner-oval-team-list@LISTS.MITRE.ORG [mailto:owner-oval-team-
>list@LISTS.MITRE.ORG] On Behalf Of Baker, Jon
>Sent: Wednesday, September 23, 2009 1:09 PM
>To: Chisholm, Michael A.; oval-team-list
>Subject: RE: OVAL Interpreter - Substring Function Bug Fix
>
>For what it is worth Java reports errors in both conditions. Xpath
>silently handles both conditions.
>
>I agree that consistency is good here. As I was writing my message last
>night it occurred to me that we are likely inconsistent all over the oval
>language in how we handle conditions like this. Perhaps we can do a
>review of the documentation with the next release to address these
>inconsistencies?
>
>I think that avoiding silent failures is a good idea and that might be a
>good foundation to base the documentation review upon. Does this make
>sense to the rest of you?
>
>Jon
>
>============================================
>Jonathan O. Baker
>G022 - IA Industry Collaboration
>The MITRE Corporation
>Email: bakerj@mitre.org
>
>
>>-----Original Message-----
>>From: owner-oval-team-list@LISTS.MITRE.ORG [mailto:owner-oval-team-
>>list@LISTS.MITRE.ORG] On Behalf Of Michael Chisholm
>>Sent: Wednesday, September 23, 2009 12:49 PM
>>To: oval-team-list
>>Subject: Re: OVAL Interpreter - Substring Function Bug Fix
>>
>>Why would a value which is too low (<1) be effectively silently
>>corrected, but a value which is too high cause an error?  That seems
>>like inconsistent behavior to me.  One seems as much a "silent failure"
>>as the other.  How about reporting an error condition in both cases?
>>
>>Andy
>>
>>Baker, Jon wrote:
>>>
>>> Ok, that makes more sense. We should consider how we want the OVAL
>>> language to address this. I see two options:
>>>
>>> - Add text that states that if the start position is at a
>>>   position that is beyond the end of the string the resulting substring
>>>   is always the empty string.
>>>
>>> - Add text that states that if the start position is at a
>>>   position that is beyond the end of the string an error should be
>>>   reported.
>>>
>>> Java throws an error.
>>>
>>> XPath results in an empty string.
>>>
>>> I think we have tended towards the report an error solution in OVAL.
>>> This is because we would like to avoid silent failures.
>>>
>>> Drew, does this make sense to you?
>>>
>>> Once we are all set we can update the interpreter.
>>>
>>> Jon
>>>
>>> ============================================
>>> Jonathan O. Baker
>>> G022 - IA Industry Collaboration
>>> The MITRE Corporation
>>> Email: bakerj@mitre.org
>>>
>>> *From:* Haynes, Dan
>>> *Sent:* Tuesday, September 22, 2009 6:59 PM
>>> *To:* Baker, Jon
>>> *Subject:* RE: OVAL Interpreter - Substring Function Bug Fix
>>>
>>> Hi Jon,
>>>
>>> Sorry about that.  I meant to say a value greater than the string's
>>> length for the substring_start attribute.
>>>
>>> Thanks,
>>> Danny
>>>
>>> *From:* Baker, Jon
>>> *Sent:* Tuesday, September 22, 2009 8:53 AM
>>> *To:* Haynes, Dan
>>> *Cc:* oval-team-list
>>> *Subject:* RE: OVAL Interpreter - Substring Function Bug Fix
>>>
>>> The documentation for the function currently says:
>>>
>>> "The substring function takes a single string component and produces a
>>> single value that contains a portion of the original string. The
>>> substring_start attribute defines the starting position in the
>>> original string. Note, to include the first character of the string,
>>> the start position would be 1. Also note that a value less than one
>>> also means starting at the first character of the string. The
>>> substring_length attribute defines how many characters after and
>>> including the starting character to include. Note that a
>>> substring_length value greater than the actual length of the string or
>>> a negative value means to include all the characters after the
>>> starting character. For example assume a basic component element that
>>> returns the value "abcdefg" with a substring_start value of 3 and a
>>> substring_length value of 2. The local_variable element would
>>> evaluate to have a single value of "cd". If the string component used
>>> by the substring function returns multiple values, then the substring
>>> operation is performed multiple times and results in multiple values
>>> for the component."
>>>
>>> It looks like the language does specify how to handle a
>>> "substring_length" longer than the length of the subject string. If
>>> this is what you are asking about please enter a bug for the
>>> interpreter and feel free to fix it when you get a chance.
>>>
>>> Also note that I found two errors in the description above and
>>> corrected them both and committed to SVN for the next release of OVAL.
>>>
>>> Jon
>>>
>>> ============================================
>>> Jonathan O. Baker
>>> G022 - IA Industry Collaboration
>>> The MITRE Corporation
>>> Email: bakerj@mitre.org
>>>
>>> *From:* Haynes, Dan
>>> *Sent:* Monday, September 21, 2009 10:05 AM
>>> *To:* Baker, Jon
>>> *Subject:* OVAL Interpreter - Substring Function Bug Fix
>>>
>>> Hi Jon,
>>>
>>> I was just fixing the bug in the substring function
>>> (https://sourceforge.net/tracker/?func=detail&aid=2850166&group_id=215469&atid=1033794)
>>> that Andy found, so that Mike can write the validation content for
>>> this function, and I noticed that the OVAL Language does not specify
>>> how to handle a value greater than the string's length for the
>>> substring_length attribute.  Currently, the Interpreter throws the
>>> following message because a value is considered an invalid starting
>>> position.
>>>
>>> VariableFactory::GetVariable() - Error while parsing variable:
>>> oval:test:var:1 Unknown Error
>>>
>>> Do you know how this case should be handled?  Would it be better to
>>> catch the std::out_of_range exception thrown by the string::substr()
>>> method and report that the starting position is invalid rather than
>>> the unknown error message above?
>>>
>>> Thanks,
>>> Danny
>>>
Follow-ups:
n/a
23695 require family to be unique when multiple affected elements are used in a single definition Closed 2009-10-01 Fixed
Priority: Medium | Category: Definition Schemas | Date Closed: 2010-01-22 16:55:33
Details:
The definition of the oval-def:MetadataType should be updated to require that each child affected element have a unique family.
Follow-ups:
n/a
23994 remove affected_platform Schematron rule from windows definitions schema Closed 2009-10-31 Fixed
Priority: Medium | Category: n/a | Date Closed: 2010-01-22 17:11:15
Details:
This rule requires the affected platform to be in a list of known Windows OSes when the family is windows. The problem is that with each new release of a Windows OS the list of valid OSes needs to be updated. This list is bound to be out of sync with the list of OSes that Microsoft actually releases. Having the rule encoded in the windows-definitions-schema means that it can only be updated with a release of the language.

Pasted the rule below for easy reference:


<sch:pattern id="affected_platform">
  <sch:rule context="oval-def:affected[@family='windows']">
    <sch:assert test="not(oval-def:platform) or oval-def:platform='Microsoft Windows 95' or oval-def:platform='Microsoft Windows 98' or oval-def:platform='Microsoft Windows ME' or oval-def:platform='Microsoft Windows NT' or oval-def:platform='Microsoft Windows 2000' or oval-def:platform='Microsoft Windows XP' or oval-def:platform='Microsoft Windows Server 2003' or oval-def:platform='Microsoft Windows Vista' or oval-def:platform='Microsoft Windows Server 2008' or oval-def:platform='Microsoft Windows 7'">
      <sch:value-of select="../../@id"/> - the value "<sch:value-of select="oval-def:platform"/>" found in platform element as part of the affected element is not a valid windows platform.</sch:assert>
  </sch:rule>
</sch:pattern>
Follow-ups:
n/a
24106 add test to examine dns cache on windows and unix platforms Closed 2009-11-10 Fixed
Priority: High | Category: Definition Schemas | Date Closed: 2010-03-10 13:13:48
Details:
Need a test that lists the domain names and IP addresses held in the DNS cache.
Follow-ups:
n/a
24327 correct variable id regular expression in independent-system-characteristics-schema Closed 2009-12-13 Fixed
Priority: Medium | Category: System Characteristics Schemas | Date Closed: 2009-12-13 01:23:37
Details:
The ind-sc:EntityItemVariableRefType has the wrong regular expression in its pattern that specifies the allowed valid OVAL Variable ids. It needs to be corrected to align with the real definition of a variable id.
Follow-ups:
n/a
24732 align file related behaviors across all schemas Closed 2010-01-27 Fixed
Priority: High | Category: Definition Schemas | Date Closed: 2010-02-10 19:37:32
Details:
The behaviors defined for searching files are inconsistent across the windows, independent, and unix component schemas. There are four different behaviors defined to help control file searches:

- max_depth - defined in all schemas
- recurse_direction - defined in all schemas
- recurse - only defined in the unix schema
- recurse_file_system - only defined in the unix schema

There are at least two problems with the fact that the file behaviors are not in alignment:

1- File related tests in the independent-definitions-schema are intended to apply to unix platforms. The recurse and recurse_file_system behaviors are probably needed when using the independent-definitions-schema tests on a unix platform.

2- There is no behavior in the windows or independent schemas to allow a user to specify which types of file systems should be searched. These schemas probably need the 'recurse_file_system' behavior.


I recommend that we make the following changes in version 5.7 to address these issues and bring some consistency to the file related behaviors:

1- Add the 'recurse' and 'recurse_file_system' behaviors to the following objects in the independent-definitions-schema:
   - ind-def:filehash_object
   - ind-def:textfilecontent54_object
   - ind-def:xmlfilecontent_object
   - ind-def:filemd5_object - no change here because it is deprecated

This addition would require us to document that the 'recurse' behavior does not apply when an independent-definitions-schema test is evaluated on windows.

2- Add the 'recurse_file_system' behavior to the following objects in the windows-definitions-schema:
   - win-def:file_object 
   - win-def:fileauditedpermissions53_object
   - win-def:fileeffectiverights53_object


Assuming these changes are made such that the default behavior matches the current behavior of all modified objects, this change should not impact existing content. The change should reduce confusion about the various file related behaviors and add the capability to restrict the files searched on windows platforms based on the type of file system.
Follow-ups:
n/a
24733 deprecate the values 'files', 'files and directories', and 'none' in the sccs_object Closed 2010-01-27 Fixed
Priority: High | Category: Definition Schemas | Date Closed: 2010-01-28 04:25:52
Details:
Need to deprecate these values that do not make sense. Deprecation should align with the deprecation that occurred in version 5.4 on the unix-def:file_object.
Follow-ups:
n/a
24868 remove ind-def:filemd5_test, ind-def:filemd5_object, ind-def:filemd5_state, and ind-sc:filemd5_item Closed 2010-02-10 Fixed
Priority: Medium | Category: n/a | Date Closed: 2010-02-10 19:13:42
Details:
As outlined in the "OVAL Language Deprecation Policy" any construct that has been deprecated for more than one release may be removed from a subsequent minor release of the OVAL Language (http://oval.mitre.org/language/about/deprecation.html).

I would like to propose the following deprecated items be removed in the next draft of version 5.7:

In the independent-definitions-schema
- ind-def:filemd5_test
- ind-def:filemd5_object
- ind-def:filemd5_state
See: http://oval.mitre.org/language/download/schema/version5.6/ovaldefinition/deprecation/independent-definitions-schema.html

In the independent-system-characteristics-schema:
- ind-sc:filemd5_item
See: http://oval.mitre.org/language/download/schema/version5.6/ovalsc/deprecation/independent-system-characteristics-schema.html
Follow-ups:
n/a
24869 remove apache-def:version_test, apache-def:version_object, apache-def:version_state, and apache-sc:version_item Closed 2010-02-10 Fixed
Priority: Medium | Category: n/a | Date Closed: 2010-02-10 19:13:40
Details:
As outlined in the "OVAL Language Deprecation Policy" any construct that has been deprecated for more than one release may be removed from a subsequent minor release of the OVAL Language (http://oval.mitre.org/language/about/deprecation.html).

I would like to propose the following deprecated items be removed in the next draft of version 5.7:

In the apache-definitions-schema:
- apache-def:version_test
- apache-def:version_object
- apache-def:version_state
See: http://oval.mitre.org/language/download/schema/version5.6/ovaldefinition/deprecation/apache-definitions-schema.html

In the apache-system-characteristics-schema:
- apache-sc:version_item
See: http://oval.mitre.org/language/download/schema/version5.6/ovalsc/deprecation/apache-system-characteristics-schema.html
Follow-ups:
n/a
25419 add Schematron rules to enforce tests are referencing the correct objects and states Closed 2010-03-22 Fixed
Priority: Medium | Category: Definition Schemas | Date Closed: 2010-03-22 19:54:11
Details:
In reviewing the release candidate we discovered that some of the Schematron rules that relate a test to the correct object and state are missing. These rules were simply never added when we started using schematron or when the test itself was created. These are important rules and we feel that we should add them to the 5.7 release. 

The following tests were missing Schematron rules:

- catos-def:version55_test
- catos-def:version_test
- hpux-def:getconf_test
- hpux-def:patch53_test
- hpux-def:patch_test
- hpux-def:swlist_test
- hpux-def:trusted_test
- linux-def:dpkginfo_test
- linux-def:inetlisteningservers_test
- linux-def:rpminfo_test
- linux-def:slackwarepkginfo_test
- macos-def:accountinfo_test
- macos-def:inetlisteningservers_test
- macos-def:nvram_test
- macos-def:pwpolicy_test
Follow-ups:
n/a
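
What the missing rules from 25419 enforce, as an added example that is not OVAL's own Schematron: a small Python checker that walks a constructed definitions document and reports every test whose object_ref or state_ref is dangling or resolves to an element of the wrong kind (for instance a linux-def:rpminfo_test pointing at a linux-def:dpkginfo_object). The sample document, ids and function names are assumptions for the example; the naming convention it relies on (foo_test goes with foo_object and foo_state in the same component schema) is the one the OVAL schemas use.

```python
"""Check that each OVAL test references an object and state of its own kind.

Added example (not OVAL's Schematron). It performs, in Python over a
definitions document, the check that the 5.7 Schematron rules from
tracker 25419 enforce: a <foo_test> may only reference a <foo_object>
and <foo_state> from the same component schema.
"""
import xml.etree.ElementTree as ET

OVAL_DEF = "http://oval.mitre.org/XMLSchema/oval-definitions-5"

# Constructed document: tst:1 is correct, tst:2 references the wrong object
# kind and tst:3 references an object that does not exist.
SAMPLE = """\
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
                  xmlns:linux-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
  <tests>
    <linux-def:rpminfo_test id="oval:ex:tst:1" version="1" check="all" comment="ok">
      <linux-def:object object_ref="oval:ex:obj:1"/>
      <linux-def:state state_ref="oval:ex:ste:1"/>
    </linux-def:rpminfo_test>
    <linux-def:rpminfo_test id="oval:ex:tst:2" version="1" check="all" comment="wrong object kind">
      <linux-def:object object_ref="oval:ex:obj:2"/>
    </linux-def:rpminfo_test>
    <linux-def:dpkginfo_test id="oval:ex:tst:3" version="1" check="all" comment="dangling ref">
      <linux-def:object object_ref="oval:ex:obj:3"/>
    </linux-def:dpkginfo_test>
  </tests>
  <objects>
    <linux-def:rpminfo_object id="oval:ex:obj:1" version="1"><linux-def:name>openssl</linux-def:name></linux-def:rpminfo_object>
    <linux-def:dpkginfo_object id="oval:ex:obj:2" version="1"><linux-def:name>openssl</linux-def:name></linux-def:dpkginfo_object>
  </objects>
  <states>
    <linux-def:rpminfo_state id="oval:ex:ste:1" version="1"><linux-def:version operation="greater than or equal">1.0.1</linux-def:version></linux-def:rpminfo_state>
  </states>
</oval_definitions>
"""


def _split(tag):
    """'{ns}local' -> ('ns', 'local'); an unqualified tag gets an empty namespace."""
    ns, _, local = tag[1:].partition("}") if tag.startswith("{") else ("", "", tag)
    return ns, local


def check_test_references(xml_text):
    """Return (test id, message) for every object/state reference that is
    dangling or points at an element of the wrong kind."""
    root = ET.fromstring(xml_text)
    tag_by_id = {}
    for section in ("objects", "states"):
        for el in root.findall(f"{{{OVAL_DEF}}}{section}/*"):
            tag_by_id[el.get("id")] = el.tag

    problems = []
    for test in root.findall(f"{{{OVAL_DEF}}}tests/*"):
        ns, name = _split(test.tag)
        if not name.endswith("_test"):
            continue
        family = name[: -len("_test")]          # "rpminfo" for rpminfo_test
        for child in test:
            kind = _split(child.tag)[1]         # "object" or "state"
            if kind not in ("object", "state"):
                continue
            ref = child.get(f"{kind}_ref")
            expected = f"{{{ns}}}{family}_{kind}"  # same namespace, same family
            actual = tag_by_id.get(ref)
            if actual is None:
                problems.append((test.get("id"), f"{kind}_ref {ref} does not resolve"))
            elif actual != expected:
                problems.append((test.get("id"),
                                 f"{kind}_ref {ref} is a {_split(actual)[1]}, expected {family}_{kind}"))
    return problems


if __name__ == "__main__":
    for test_id, message in check_test_references(SAMPLE):
        print(f"{test_id}: {message}")
```

Schema validation alone passes the bad document, because object_ref and state_ref are typed only as OVAL ids; the kind-of-element check is exactly the gap the Schematron rules close, and a dangling reference is worth reporting in the same pass.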
25575 remove default element value from sp-def:spantivirussettings_state entities Closed 2010-03-31 Fixed
Priority: High | Category: Definition Schemas | Date Closed: 2010-03-31 17:48:04
Details:
In preparing for the 5.7 release I noticed that a default element value was set on two entities in the sp-def:spantivirussettings_state. We do not allow default element values on entities and this is the only place in the OVAL Language schemas that this occurs. Due to the schema refactoring that we did to support n-tuples this default element value now causes an error in some schema processors. This is a trivial change that should not impact validating any content and it corrects an error in the schema.


Modified: sharepoint-definitions-schema.xsd
===================================================================
--- sharepoint-definitions-schema.xsd	2010-03-31 01:38:48 UTC (rev 5771)
+++ sharepoint-definitions-schema.xsd	2010-03-31 11:59:21 UTC (rev 5772)
@@ -1188,7 +1188,7 @@
                   <xsd:complexContent>
                         <xsd:extension base="oval-def:StateType">
                               <xsd:sequence>
-                                    <xsd:element name="spwebservicename" type="oval-def:EntityStateStringType" minOccurs="0" maxOccurs="1" default="*">
+                                    <xsd:element name="spwebservicename" type="oval-def:EntityStateStringType" minOccurs="0" maxOccurs="1">
                                           <xsd:annotation>
                                                 <xsd:documentation>The spwebservicename denotes the name of a SharePoint web service to be tested or * (the default) to test all web services.</xsd:documentation>
                                                 <xsd:appinfo>
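Review bot: the <xsd:documentation> kept as context in this hunk still reads "or * (the default) to test all web services" even though the default="*" on spwebservicename is exactly what the hunk removes, so the schema no longer supplies the default the text promises. Update the documentation in the same change to say that an omitted spwebservicename places no constraint on the web service name (a state entity that is absent is simply not evaluated) and that matching every web service is done with an explicit operation="pattern match" entity, not a default.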
@@ -1200,7 +1200,7 @@
                                                 </xsd:appinfo>
                                           </xsd:annotation>
                                     </xsd:element>
-                                    <xsd:element name="spfarmname" type="oval-def:EntityStateStringType" minOccurs="0" maxOccurs="1" default="SPFarm.Local">
+                                    <xsd:element name="spfarmname" type="oval-def:EntityStateStringType" minOccurs="0" maxOccurs="1">
                                           <xsd:annotation>
                                                 <xsd:documentation>The spfarmname denotes the name of the farm on which the Sharepoint webservice resides or the local farm (default).</xsd:documentation>
                                                 <xsd:appinfo>
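Review bot: same problem for spfarmname: the context line "or the local farm (default)" describes a default that this hunk deletes. Reword it to say that omitting spfarmname leaves the farm unconstrained; if a "local farm" default is genuinely expected of collectors, that belongs in the documentation of the corresponding object (objects decide what is collected, a state only describes what collected items are compared against), not as a schema default on a state entity.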
Follow-ups:
n/a
25674 document the handling of datatype and operation when a var_ref is used and the datatype is record Closed 2010-04-09 Fixed
Priority: Very Low | Category: n/a | Date Closed: 2011-01-12 11:50:24
Details:
The schema documentation does not currently describe how an interpreter should handle datatype and operation when a var_ref is used to retrieve a record. The documentation needs to explicitly state that the datatype used for evaluation of a given field is the datatype found on that field. The operation will always be equals.
Follow-ups:
Date Added: 2010-04-17 01:27:28
Due to the impact of this change we will defer this feature until a later release. It will not be included in version 5.7.

Date Added: 2011-01-12 11:50:23
This issue was addressed with documentation in the version 5.7 release that clearly states that the use of var_ref is not permitted when the datatype is record.

25675 allow field references on the object_component Closed 2010-04-09 Fixed
Priority: High | Category: Definition Schemas | Date Closed: 2010-04-13 00:41:54
Details:
The <object_component> element needs to be updated to allow a specific field in a record to be referenced by name. The <object_component>, as defined by the oval-def:ObjectComponentType type, allows a variable to derive its value(s) from an OVAL Object. The <object_component> currently has two attributes:
 - object_ref - a reference to an OVAL Object
 - item_field - the name of the field from which to extract the value in any OVAL Items that are collected as a result of processing the referenced OVAL Object.

Considering the sample <wmi57_item> below we need to allow an <object_component> to refer to a particular field like the field with a value of "user1".

<wmi57_item id="1" status="exists" ...>
  <namespace>root\CIMV2</namespace>
  <wql>SELECT name, screensavertimeout FROM Win32_Desktop;</wql>
  <result datatype="record">
    <oval-sc:field name="name" datatype="string">user1</oval-sc:field>
    <oval-sc:field name="screensavertimeout" datatype="int">900</oval-sc:field>
  </result>
</wmi57_item>

We are currently considering adding an optional record_field attribute to the <object_component>. This attribute would hold the name of the field that holds the desired value. The XML might look something like this:
 
<object_component object_ref="oval:example:obj:2" item_field="result" record_field="name"/>
Follow-ups:
Date Added: 2010-04-13 00:41:53
Added record_field as suggested in the tracker description.
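
The record_field resolution from 25675 worked through, as an added example that is not the OVAL Interpreter's code: a constructed system characteristics fragment holds two wmi57_items collected for oval:example:obj:2, each with a record-valued result, and the function resolves an <object_component> against them. The resolution rules are my reading of the tracker (item_field names an item entity, record_field selects one oval-sc:field inside an entity whose datatype is record, and each value keeps the datatype of the field it came from); the sample items and function name are assumptions.

```python
"""Resolve an <object_component> against collected OVAL items, including
the record_field attribute added in 5.7 (tracker 25675).

Added example; it is not the OVAL Interpreter's code, and the resolution
rules are my reading of the tracker: item_field names an item entity,
record_field selects one oval-sc:field inside an entity whose datatype is
"record", and each returned value carries the datatype of the field (or
entity) it came from.
"""
import xml.etree.ElementTree as ET

OVAL_SC = "http://oval.mitre.org/XMLSchema/oval-system-characteristics-5"

# Constructed system characteristics fragment: object obj:2 collected two
# wmi57_items, each holding one record returned by the WQL query.
SC_SAMPLE = r"""<oval_system_characteristics
    xmlns="http://oval.mitre.org/XMLSchema/oval-system-characteristics-5"
    xmlns:oval-sc="http://oval.mitre.org/XMLSchema/oval-system-characteristics-5"
    xmlns:win-sc="http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#windows">
  <collected_objects>
    <object id="oval:example:obj:2" version="1" flag="complete">
      <reference item_ref="1"/>
      <reference item_ref="2"/>
    </object>
  </collected_objects>
  <system_data>
    <win-sc:wmi57_item id="1" status="exists">
      <win-sc:namespace>root\CIMV2</win-sc:namespace>
      <win-sc:wql>SELECT name, screensavertimeout FROM Win32_Desktop;</win-sc:wql>
      <win-sc:result datatype="record">
        <oval-sc:field name="name" datatype="string">user1</oval-sc:field>
        <oval-sc:field name="screensavertimeout" datatype="int">900</oval-sc:field>
      </win-sc:result>
    </win-sc:wmi57_item>
    <win-sc:wmi57_item id="2" status="exists">
      <win-sc:namespace>root\CIMV2</win-sc:namespace>
      <win-sc:wql>SELECT name, screensavertimeout FROM Win32_Desktop;</win-sc:wql>
      <win-sc:result datatype="record">
        <oval-sc:field name="name" datatype="string">user2</oval-sc:field>
        <oval-sc:field name="screensavertimeout" datatype="int">600</oval-sc:field>
      </win-sc:result>
    </win-sc:wmi57_item>
  </system_data>
</oval_system_characteristics>
"""


def _local(tag):
    """Strip the {namespace} part of an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]


def resolve_object_component(sc_xml, object_ref, item_field, record_field=None):
    """Return (values, errors); each value is a (text, datatype) pair.

    Errors are reported rather than swallowed, in line with the language's
    preference for avoiding silent failures."""
    root = ET.fromstring(sc_xml)
    collected = root.find(
        f"{{{OVAL_SC}}}collected_objects/{{{OVAL_SC}}}object[@id='{object_ref}']")
    if collected is None:
        return [], [f"{object_ref} was not collected"]
    wanted = {ref.get("item_ref") for ref in collected.findall(f"{{{OVAL_SC}}}reference")}
    items = [it for it in root.find(f"{{{OVAL_SC}}}system_data") if it.get("id") in wanted]

    values, errors = [], []
    for item in items:
        entities = [e for e in item if _local(e.tag) == item_field]
        if not entities:
            errors.append(f"item {item.get('id')} has no {item_field} entity")
        for entity in entities:
            if entity.get("datatype") == "record":
                if record_field is None:
                    errors.append(
                        f"item {item.get('id')}: {item_field} is a record, record_field is required")
                    continue
                fields = [f for f in entity.findall(f"{{{OVAL_SC}}}field")
                          if f.get("name") == record_field]
                if not fields:
                    errors.append(f"item {item.get('id')}: record has no field {record_field!r}")
                # the datatype that applies is the one on the field, not on the entity
                values.extend((f.text or "", f.get("datatype", "string")) for f in fields)
            elif record_field is not None:
                errors.append(
                    f"item {item.get('id')}: {item_field} is not a record, record_field does not apply")
            else:
                values.append((entity.text or "", entity.get("datatype", "string")))
    return values, errors


if __name__ == "__main__":
    print(resolve_object_component(SC_SAMPLE, "oval:example:obj:2", "result", "name"))
    print(resolve_object_component(SC_SAMPLE, "oval:example:obj:2", "result"))
```

Asking for a record entity without a record_field, or a record_field on a plain entity, is treated as an error instead of yielding nothing, which is the behaviour a content author needs in order to notice a mistyped field name.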

20064 win-def:port_object local_port schematron rule is requiring string when it should be an int Closed 2009-06-08 Fixed
Priority: Medium | Category: Definition Schemas | Date Closed: 2010-01-26 01:33:33
Details:
There is an inconsistency in the type for the local_port entity in the port_object.  The inconsistency is that the local_port entity is of type ‘oval-def:EntityObjectIntType’ yet the corresponding assertion test checks to see if the local_port entity value is of type string.  Below is the offending XML from the windows-definitions-schema.xsd file.

<xsd:element name="local_port" type="oval-def:EntityObjectIntType">
  <xsd:annotation>
    <xsd:documentation>This element specifies the number assigned to the local listening port.</xsd:documentation>
    <xsd:appinfo>
      <sch:pattern id="winportobjlocal_port">
        <sch:rule context="win-def:port_object/win-def:local_port">
          <sch:assert test="not(@datatype) or @datatype='string'"><sch:value-of select="../@id"/> - datatype attribute for the local_port entity of a port_object should be 'string'</sch:assert>
        </sch:rule>
      </sch:pattern>
    </xsd:appinfo>
  </xsd:annotation>
</xsd:element>


Also, in the windows-system-characteristics-schema.xsd file, the port_item specifies the local_port entity should be of type ‘oval-def:EntityObjectIntType’.  Therefore the local_port entity in the windows-definitions-schema.xsd file should be updated to align with the port_item in the windows-system-characteristics-schema.xsd file.

Follow-ups:
Date Added: 2010-01-25 21:18:16
Updated appropriate Schematron rules.

23669 Clarify the win-def:registry_object/win-def:name documentation Closed 2009-09-29 Fixed
Priority: Medium | Category: Definition Schemas | Date Closed: 2010-01-25 01:48:28
Details:
The win-def:registry_object/win-def:name documentation should be clarified to state that if an empty string is specified for the name entity the registry key's default value should be collected. 
Follow-ups:
n/a
23913 specify how a substring_start value greater than the length of the string should be handled in the oval-def:SubstringFunctionType Closed 2009-10-21 Fixed
Priority: High | Category: Definition Schemas | Date Closed: 2010-01-28 04:30:59
Details:
The OVAL Language does not currently specify how to handle a substring_start value greater than the length of the string.  This should be specified and implemented in OVALDI as necessary.
Follow-ups:
n/a
23914 clarify the oval-def:EscapeRegexFunctionType documentation Closed 2009-10-21 Fixed
Priority: Medium | Category: Definition Schemas | Date Closed: 2009-10-21 18:12:40
Details:
The oval-def:EscapeRegexFunctionType documentation should be clarified to state that the escape_regex function escapes all regular expression characters regardless of whether or not they were already escaped.  For example, if you had the string '\.test*?' it would evaluate to '\\\.test\*\?' instead of '\\.test\*\?'. 

Follow-ups:
Date Added: 2009-10-21 18:12:39
The oval-def:EscapeRegexFunctionType documentation was clarified by providing the following example. The string '(\.test_string*)?)' will evaluate to '\(\\\.test_string\*\)\?'.

24136 add a schematron rule to check for behaviors being used with the filepath entity Closed 2009-11-17 Fixed
Priority: Medium | Category: Definition Schemas | Date Closed: 2010-01-26 15:03:48
Details:
A schematron rule should be added to ensure that behaviors are not used with the filepath entity, as they are not allowed.

<xsd:documentation>

It is important to note that the ‘max_depth’ and ‘recurse_direction’ attributes of the ‘behaviors’ element do not apply to the ‘filepath’ element, only to the ‘path’ and ‘filename’ elements. This is because the ‘filepath’ element represents an absolute path to a particular file and it is not possible to recurse over a file.

</xsd:documentation>
Follow-ups:
Date Added: 2010-01-22 21:26:10
Which schemas does this affect? Windows only?

Date Added: 2010-01-25 16:10:55
Fixed in windows definitions schema.

Date Added: 2010-01-25 16:19:45
This issue applies to all component definition schemas. Simply search for all instances of "filepath". This should find matches at least in the independent and unix schemas. To be more specific, the general notion of behaviors with the filepath entity should be allowed. However, there are a few specific behaviors that should not be allowed. We need to look at the behaviors around each filepath and make sure we prohibit those that do not make sense.

Date Added: 2010-01-25 16:37:48
Are the "few specific behaviors" limited to max_depth and "recurse_direction"? I do see in the independent-definitions-schema.xsd "ignore_case", "multiline" and "singleline". I don't know enough about the meanings, but they appear to be valid with a filepath. I'll try to examine the behaviors and if I have any questions about specific ones, I'll ask.

Date Added: 2010-01-25 16:44:48
Each behavior should be documented. If a behavior is not documented then we need to fix that and add documentation. The examples you gave from the independent-definitions-schema do not apply to the filepath entity. For a bit of background, in version 5.6 we added the filepath entity as a choice instead of path+filename. When we did this we forgot to add any schematron assertions to prevent the behaviors that applied to one portion of the choice (path+filename) from being applied to the filepath portion of the choice.

Date Added: 2010-01-26 01:34:17
Is this one complete now?

Date Added: 2010-01-26 14:08:52
Fixed in Unix definitions schema. This is complete now.

24219 update the oval-sc:ObjectType documentation regarding when no items are found for an object Closed 2009-11-30 Fixed
Priority: Medium | Category: System Characteristics Schemas | Date Closed: 2010-03-10 13:13:01
Details:
Update the documentation that states that when an object does not exist it shouldn’t reference any items.  This should be changed to state that an item will be referenced and will provide information about the elements that were successfully collected.  For example, if a file_object has a path equal to "c:\" and a filename equal to "test.txt", and "test.txt" does not exist, an item with a path equal to "c:\" and a filename equal to "test.txt" with a status of "does not exist" will be referenced by that object.
Follow-ups:
Date Added: 2010-01-27 16:10:16
These changes should be reviewed and improved if possible.

24220 update the oval-sc:ObjectType documentation regarding when no items are found for an object and behaviors are used Closed 2009-11-30 Fixed
Priority: Medium | Category: System Characteristics Schemas | Date Closed: 2010-03-10 13:12:59
Details:
When zero items are collected by the system for a specified object (when the equals operation is used) it will provide an item specifying which elements were successfully collected and which elements did not exist.  However, when behaviors are used with the specified object, this can result in many items with a status of "does not exist" being collected, which can significantly increase the time it takes to analyze the definition.  It needs to be decided how to handle this case and then the documentation updated accordingly.  An example of this scenario is a file_object where the path equals "c:\", the filename equals "test.txt", and the behaviors recurse_direction equals "down" and max_depth equals "-1" are applied.  As OVALDI recurses the directory, for every path in which it searches for "test.txt" and doesn't find it, it will collect an item with a path equal to "c:\some_path" and a filename equal to "test.txt" with a status of "does not exist".  As a result, if there are many subdirectories of the path "c:\", there will be many items referenced by the object that do not exist, and this will increase the time it takes to analyze the definition.
Follow-ups:
Date Added: 2010-01-27 16:10:39
These changes should be reviewed and improved if possible.

24535 refer to the xsi:nil attribute in a consistent manner Closed 2010-01-08 Fixed
Priority: High | Category: n/a | Date Closed: 2010-01-28 05:01:58
Details:
In the schemas we often refer to the xsi:nil attribute as either the nil attribute, the nillable attribute, or xsi:nil (sometimes all in the same paragraph). We should pick one way to refer to it. It seems that xsi:nil would be the best choice because you know exactly what it is and in other places in the schemas we use the datatype attribute, id attribute, etc.
Follow-ups:
n/a
24536 clarify in the documentation that sets are a unique collection of elements Closed 2010-01-08 Fixed
Priority: High | Category: n/a | Date Closed: 2010-01-28 05:02:17
Details:
Places in the schema where we mention sets (e.g. a set of items, a set of objects, etc.), we should say a unique set of items, a unique set of objects, etc.  This will clarify any confusion where a set may be interpreted as a collection of elements that are not necessarily unique.
Follow-ups:
n/a
24538 clarify the filepath entity documentation for file related tests on unix systems Closed 2010-01-08 Fixed
Priority: Medium | Category: n/a | Date Closed: 2010-01-22 14:07:21
Details:
The filepath entity documentation currently states:

<xsd:documentation>
  The filepath element specifies the absolute path for a file on the machine.
</xsd:documentation> 

When dealing with tests in the UNIX schema, this documentation may be confusing because, in UNIX, directories are a type of file.  Therefore, a statement should be added to the above documentation to explicitly state that a directory cannot be specified in the filepath entity.  The documentation should be updated in all of the schemas to keep the documentation consistent.
Follow-ups:
n/a
24539 clarify which file types are applicable for each file-based test Closed 2010-01-08 n/a
Priority: High | Category: Definition Schemas | Date Closed: 2010-01-28 04:20:31
Details:
The language has many file-based tests; however, it does not necessarily make sense for all file types to be collected for each test.  The documentation for each file-based test should explicitly state which file types will be collected.
Follow-ups:
n/a
24540 clarify the ind-def:ldap_object, ind-def:ldap_state, and ind-sc:ldap_item suffix entity documentation Closed 2010-01-08 Fixed
Priority: Medium | Category: n/a | Date Closed: 2010-01-25 20:15:29
Details:
Please see http://n2.nabble.com/Proposed-Changes-to-the-ind-def-ldap-test-tp4171575ef20093.html for information on the required changes.
Follow-ups:
n/a
24541 clarify the ind-def:ldap_object scope behavior documentation Closed 2010-01-08 Fixed
Priority: Medium | Category: Definition Schemas | Date Closed: 2010-01-25 20:15:44
Details:
Please see http://n2.nabble.com/Proposed-Changes-to-the-ind-def-ldap-test-tp4171575ef20093.html for information on the required changes.
Follow-ups:
n/a
24542 deprecate the LDAPTYPE_TIMESTAMP and LDAPTYPE_EMAIL values in the ind-def:EntityStateLdaptypeType and ind-sc:EntityItemLdaptypeType enumerations Closed 2010-01-08 Fixed
Priority: Medium | Category: n/a | Date Closed: 2010-01-25 20:15:15
Details:
Please see http://n2.nabble.com/Proposed-Changes-to-the-ind-def-ldap-test-tp4171575ef20093.html for additional information.
Follow-ups:
n/a
24543 add the LDAPTYPE_BINARY value to the ind-def:EntityStateLdaptypeType and ind-sc:EntityItemLdaptypeType enumerations Closed 2010-01-08 Fixed
Priority: Medium | Category: n/a | Date Closed: 2010-01-25 20:14:58
Details:
Please see http://n2.nabble.com/Proposed-Changes-to-the-ind-def-ldap-test-tp4171575ef20093.html for additional information.
Follow-ups:
n/a
24544 clarify how the oval-def:escape_regex function works Closed 2010-01-08 Duplicate
Priority: Medium | Category: Definition Schemas | Date Closed: 2010-01-25 02:56:00
Details:
This documentation should be clarified to state that the oval-def:escape_regex function escapes all regular expression characters regardless of whether or not the regular expression character has been escaped. For example, the string '\.test*?' will evaluate to '\\\.test\*\?' and not '\\.test\*\?'.
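The behaviour described here and in issue 23914 (escape every regular expression metacharacter, even one that already acts as an escape) is simple to state but easy to get wrong when content authors apply the function to text that was escaped by hand. As an added example (not OVAL project or OVALDI code), the following Python implements the documented semantics and shows, via `pattern_matches`, why double escaping produces a pattern that no longer matches the original string. The set of metacharacters escaped is an assumption of this example, since the page does not enumerate them.

```python
import re

# Regular expression metacharacters escaped by this example's escape_regex.
# The exact set is an assumption; the page does not list the characters.
REGEX_METACHARACTERS = frozenset(r"\^$.|?*+()[]{}")


def escape_regex(value: str) -> str:
    """Escape every metacharacter in value, including backslashes that were
    already escaping something. Matches the documented oval-def:escape_regex
    behaviour: '\\.test*?' becomes '\\\\\\.test\\*\\?'."""
    return "".join("\\" + ch if ch in REGEX_METACHARACTERS else ch for ch in value)


def pattern_matches(pattern: str, text: str) -> bool:
    """True if the regular expression matches the whole of text."""
    return re.fullmatch(pattern, text) is not None


def matches_literally(text: str) -> bool:
    """A correctly escaped string, used as a pattern, matches exactly itself."""
    return pattern_matches(escape_regex(text), text)


if __name__ == "__main__":
    sample = r"\.test*?"  # example from the issue text
    print(escape_regex(sample))  # \\\.test\*\?
    # Escaping twice yields a pattern for the once-escaped text, not the original.
    twice = escape_regex(escape_regex("a.b"))
    print(twice, pattern_matches(twice, "a.b"), pattern_matches(twice, r"a\.b"))
```

The practical rule for content authors follows from the last two lines: feed escape_regex the raw literal, never a string that was already escaped, or the resulting pattern will match the escaped form rather than the value on the system.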
Follow-ups:
Date Added: 2010-01-25 02:55:59
An example, similar to this, was added to the documentation on October 21, 2009.

24545 clarify the documentation for the win-def:file_state/win-def:owner and win-sc:file_item/win-sc:owner entities Closed 2010-01-08 Fixed
Priority: Medium | Category: n/a | Date Closed: 2010-01-25 15:17:26
Details:
It should be explicitly stated that the owner entity should specify the owner in the DOMAIN\username format.
Follow-ups:
n/a
24546 clarify the win-def:file_state/win-def:ms_checksum and win-sc:file_item/win-sc:ms_checksum entity documentation Closed 2010-01-08 Fixed
Priority: Medium | Category: n/a | Date Closed: 2010-01-25 15:17:07
Details:
The documentation currently states:

<xsd:documentation>
  The ms_checksum element is the md5 checksum of the file as supplied by  Microsoft.
</xsd:documentation> 

and 

<xsd:documentation>
  the md5 checksum of the file.
</xsd:documentation> 

The documentation should be clarified to state that the ms_checksum entity is the checksum as returned by the MapFileAndCheckSum() API call.  Please see http://msdn.microsoft.com/en-us/library/ms680355(VS.85).aspx for more information.
Follow-ups:
n/a
24547 improve the performance of the schematron rules Closed 2010-01-08 Fixed
Priority: Medium | Category: n/a | Date Closed: 2010-02-17 17:19:32
Details:
Due to the slow performance of the schematron rules for the OVAL Language, we should investigate different ways to optimize and improve their performance.
Follow-ups:
n/a
24548 clarify documentation in the ResultEnumeration to explicitly state how errors should be assigned Closed 2010-01-08 Fixed
Priority: High | Category: n/a | Date Closed: 2010-01-28 04:47:26
Details:
The documentation for the error value in the ResultEnumeration should be clarified so that it explicitly states how errors should be assigned.  It will also be beneficial to clarify how and when errors should be assigned to items and their respective entities.
Follow-ups:
n/a
24687 add an attribute to the filter construct to control its behavior Closed 2010-01-22 Fixed
Priority: Medium High | Category: Definition Schemas | Date Closed: 2010-01-28 20:16:46
Details:
Please see http://n2.nabble.com/OVAL-Filter-behavior-tp4420626ef20093.html for more information.
Follow-ups:
n/a
24688 clarify the search scope in the user and group tests Closed 2010-01-22 Fixed
Priority: Medium High | Category: n/a | Date Closed: 2010-02-17 19:34:40
Details:
Clarify the search scope in the user and group tests as specified in the proposal.
Follow-ups:
n/a
24689 add subgroup entity to the win-sc:group_item Closed 2010-01-22 Fixed
Priority: Medium High | Category: System Characteristics Schemas | Date Closed: 2010-02-03 21:12:34
Details:
Update the win-sc:group_item to include a subgroup entity as outlined in the proposal.
Follow-ups:
Date Added: 2010-02-03 21:12:20
This was also applied to the win-sc:group_sid_item.

24690 clarify the tested_item result attribute Closed 2010-01-22 Fixed
Priority: High | Category: Result Schemas | Date Closed: 2010-01-28 04:37:52
Details:
Please see http://n2.nabble.com/oval-results-tested-item-tp4147599ef20093.html for more information.
Follow-ups:
n/a
24786 add windows 7 audit settings to the auditeventpolicysubcategories_state and auditeventpolicysubcategories_item Closed 2010-02-03 Fixed
Priority: Medium | Category: n/a | Date Closed: 2010-02-03 21:55:04
Details:
Jon,

One issue that comes to mind with respect to any new setting is that the OVAL documentation currently does not document restrictions on usage of specific elements with the version(s) of a product or platform in which they are supported.  This may be something to consider for future additions to the documentation as well as the schematrons.
 
To ensure comprehensive support for the audit subcategories I suggest that the following child elements be added to auditeventpolicysubcategories_state:
 
Child Elements                      Type                          MinOccurs  MaxOccurs
kerberos_authentication_service     win-def:EntityStateAuditType  0          1
kerberos_service_ticket_operations  win-def:EntityStateAuditType  0          1
network_policy_server               win-def:EntityStateAuditType  0          1
detailed_file_share                 win-def:EntityStateAuditType  0          1
 
This page contains a listing of what's new to security auditing in Windows 7 and Windows 2008 R2.
http://technet.microsoft.com/en-us/library/dd560628(WS.10).aspx
 
I have pasted the description of the previously listed settings below for your convenience.
 
Audit Policy: Account Logon: Kerberos Authentication Service:

Audit events generated by Kerberos authentication ticket-granting ticket (TGT) requests.

Audit Policy: Account Logon: Kerberos Service Ticket Operations:

Audit events generated by Kerberos service ticket requests.
 
Audit Policy: Logon-Logoff: Network Policy Server:
Audit events generated by RADIUS (IAS) and Network Access Protection (NAP) user access requests. These requests can be Grant, Deny, Discard, Quarantine, Lock, and Unlock.


Audit Policy: Object Access: Detailed File Share:

Audit attempts to access files and folders on a shared folder. The Detailed File Share setting logs an event every time a file or folder is accessed, whereas the File Share setting only records one event for any connection established between a client and file share. Detailed File Share audit events include detailed information about the permissions or other criteria used to grant or deny access.
 
Thanks,
Tim Harrison
SCAP Content Development
National Institute of Standards and Technology
(717)561-2923
[hidden email]

--------------------------------------------------------------------------------
From: Baker, Jon [[hidden email]]
Sent: Monday, February 01, 2010 9:21 PM
To: [hidden email]
Subject: Re: [OVAL-DEVELOPER-LIST] Windows 7 audit settings

Tim,

We have not had a chance to look at Windows 7 yet, but it does look like some changes were made to the auditing capabilities in windows 7 and server 2008. Would it be possible to suggest the changes that need to be made and provide a link to the correct Microsoft article to justify the changes? 

Thanks,

Jon 

============================================

Jonathan O. Baker

G022 - IA Industry Collaboration

The MITRE Corporation

Email: [hidden email]

From: Harrison, Tim [mailto:[hidden email]] 
Sent: Thursday, January 28, 2010 5:38 PM
To: oval-developer-list OVAL Developer List/Closed Public Discussion
Subject: [OVAL-DEVELOPER-LIST] Windows 7 audit settings 

I appear to have run across 4 new audit policy subcategories in Windows 7:

Audit Policy: Account Logon: Kerberos Authentication Service
Audit Policy: Account Logon: Kerberos Service Ticket Operations
Audit Policy: Logon-Logoff: Network Policy Server
Audit Policy: Object Access: Detailed File Share

Do any of the current OVAL versions address these audit subcategories?
 
If not, are there any plans to add them?

If the answer to both of these questions is 'no' then I would like to request the following elements be added as child elements of auditeventpolicysubcategories_state:

kerberos_authentication_service
kerberos_service_ticket_operations
network_policy_server
detailed_file_share
 
Respectfully,

Tim Harrison
SCAP Content Development
National Institute of Standards and Technology
(717)561-2923
[hidden email]

Follow-ups:
n/a
24788 Update the documentation for the user and group tests regarding resolving subgroups Closed 2010-02-03 Fixed
Priority: Medium | Category: n/a | Date Closed: 2010-02-03 21:17:02
Details:
Update the documentation for the user and group tests to state that the groups and subgroups will not be resolved.  Please see http://n2.nabble.com/Proposal-to-Add-a-Subgroup-Entity-to-the-win-sc-group-item-tp4453782ef20093.html for more information.
Follow-ups:
n/a
24812 document the audit event policy subcategories Closed 2010-02-04 Fixed
Priority: Medium | Category: n/a | Date Closed: 2010-02-17 19:24:57
Details:
The audit event policy subcategories do not have any documentation. This should be added.

http://technet.microsoft.com/en-us/library/dd560628(WS.10).aspx
Follow-ups:
n/a
24813 remove platform specific documentation in the auditeventpolicysubcategories_item Closed 2010-02-04 Fixed
Priority: Medium | Category: n/a | Date Closed: 2010-02-17 22:44:47
Details:
The auditeventpolicysubcategories_item documentation says “These subcategories are new in Windows Vista”.  This is no longer accurate as some of the values are new to Windows 7.  Other instances of platform specific documentation should be looked for and removed as it can change and will be difficult to maintain. It should be replaced with something along the lines of "many of the elements in this item are platform specific and you should refer to your product’s documentation for more information".
Follow-ups:
n/a
24957 add the 'has_extended_acl' entity to the unix-def:file_state and the unix-sc:file_item Closed 2010-02-16 Fixed
Priority: Medium | Category: n/a | Date Closed: 2010-02-17 20:26:05
Details:
Classification:  UNCLASSIFIED 
Caveats: NONE

Hi Danny,

That looks good to me.

Thanks,

-Brady

-----Original Message-----
From: Haynes, Dan [mailto:dhaynes@MITRE.ORG] 
Sent: Tuesday, February 16, 2010 2:25 PM
To: OVAL-DEVELOPER-LIST@LISTS.MITRE.ORG
Subject: Re: [OVAL-DEVELOPER-LIST] Proposal for UNIX ACL child element
(UNCLASSIFIED)

Hi Brady,

I agree that this information would be beneficial for anyone
investigating the permissions of a file.  However, I do have one
comment.  Rather than not having the 'has_extended_acl' entity present
if the interpreter or system do not support ACL, the entity could have a
status of 'not collected' if the interpreter doesn't support ACL and a
status of 'does not exist' if the system doesn't support ACL.  I think
that this would be useful because it would provide the user with more
information as to why a value for the 'has_extended_acl' entity was not
retrieved.  With these changes, and what you specified below, the
outcome of retrieving the value for the 'has_extended_acl' entity would
look something like this:

1) If an interpreter doesn't support the collection of ACL information,
the status will be 'not collected'.
2) If there is an error trying to retrieve this information, the status
will be 'error'.
3) If a system doesn't support ACLs, the status will be 'does not
exist'.
4) If a system supports ACLs, the status will be 'exists'.
5) If a file doesn't have an ACL, or it matches the standard UNIX
permissions, the value will be 'false'.
6) If a file has an ACL, the value will be 'true'.

Does this make sense?  Is this along the lines of what you were
thinking?  

Thanks,

Danny

>-----Original Message-----
>From: Jeff Saxton [mailto:jeff_saxton@BIGFIX.COM]
>Sent: Tuesday, February 09, 2010 7:12 PM
>To: oval-developer-list OVAL Developer List/Closed Public Discussion
>Subject: Re: [OVAL-DEVELOPER-LIST] Proposal for UNIX ACL child element
>(UNCLASSIFIED)
>
>I like it fwiw
>
>"Alleman, Brady G CTR DISA FSO" <Brady.Alleman.ctr@DISA.MIL> wrote:
>
>
>Classification:  UNCLASSIFIED
>Caveats: NONE
>
>I would like to propose a schema change to allow for the testing for the presence of file access control lists (ACLs) on UNIX platforms.  While many UNIX systems support ACLs, their use and implementation are not consistent or standardized.  It could be difficult to create a structure that satisfactorily represents ACLs from multiple platforms.  Regardless, the existence of a file ACL that contains permissions beyond those of the file's mode is a characteristic that would be useful in security assessment, and a concept recognized by UNIX systems supporting ACLs.  Depending on the platform, such ACLs are referred to as "extended," "non-trivial," or "optional."
>
>I suggest adding a boolean "has_extended_acl" child element to the existing file_state element in the UNIX schema.  This element could be absent if the system does not support ACLs, or the interpreter does not support ACLs on the system.  The element would be false if the file has no ACL, or a so-called "trivial," "minimal," or "base" ACL that exactly matches the permissions of the file's mode number and ownership, and true otherwise.  This is, with a few possible exceptions, the condition represented by a '+' appearing in the permissions of a file as output by "ls -l".  A multiple-platform implementation example of this can be found in the file-has-acl.c file of the GNU Coreutils project.
>
>Does this seem like an appropriate change to support this capability, or are there alternatives that should be considered?
>
>Thanks,
>
>--
>Brady Alleman
>tapestry technologies, LLC
>DISA FSO, IA Standards (CTR)
>Classification:  UNCLASSIFIED
>Caveats: NONE
>
>
>To unsubscribe, send an email message to LISTSERV@LISTS.MITRE.ORG with SIGNOFF OVAL-DEVELOPER-LIST in the BODY of the message.  If you have difficulties, write to OVAL-DEVELOPER-LIST-request@LISTS.MITRE.ORG.

Classification:  UNCLASSIFIED 
Caveats: NONE

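The six outcomes Danny lists above are the part of this proposal a collector implementer has to get right: the status of the has_extended_acl entity carries as much information as its value. As an added example (not OVALDI or OVAL project code), the Python below maps interpreter capability, filesystem support, collection errors and the file's own ACL state onto the status/value pairs from that list. It assumes a Linux host where a non-trivial POSIX access ACL is stored in the `system.posix_acl_access` extended attribute, which is a simplification of the check in coreutils' file-has-acl.c; the sample listers that stand in for `os.listxattr` are constructed for the example.

```python
import errno
import os
from dataclasses import dataclass
from typing import Callable, Iterable, Optional

# Linux keeps a non-trivial POSIX access ACL in this xattr; a file whose ACL merely
# mirrors its mode bits normally has no such xattr. Using "xattr present" as the
# extended-ACL test is an assumption of this example (coreutils inspects the contents).
POSIX_ACL_ACCESS_XATTR = "system.posix_acl_access"

# errno values a filesystem without xattr/ACL support returns from listxattr().
UNSUPPORTED_ERRNOS = frozenset(
    getattr(errno, name) for name in ("ENOTSUP", "EOPNOTSUPP") if hasattr(errno, name)
)


@dataclass(frozen=True)
class EntityResult:
    """Status/value pair as it would appear on a unix-sc:file_item entity."""
    status: str             # 'exists', 'does not exist', 'not collected' or 'error'
    value: Optional[bool]   # only meaningful when status == 'exists'


def collect_has_extended_acl(
    path: str,
    *,
    interpreter_supports_acl: bool = True,
    list_xattrs: Optional[Callable[[str], Iterable[str]]] = None,
) -> EntityResult:
    """Apply the six-case rule from the proposal thread to one file."""
    # 1) The interpreter cannot collect ACL information at all.
    if not interpreter_supports_acl:
        return EntityResult("not collected", None)
    if list_xattrs is None:
        # os.listxattr only exists on Linux builds of CPython; elsewhere this
        # example treats the system as not exposing ACLs (assumption).
        if not hasattr(os, "listxattr"):
            return EntityResult("does not exist", None)
        list_xattrs = os.listxattr
    try:
        names = set(list_xattrs(path))
    except OSError as exc:
        # 3) The filesystem does not support ACLs.
        if exc.errno in UNSUPPORTED_ERRNOS:
            return EntityResult("does not exist", None)
        # 2) Any other failure while retrieving the information.
        return EntityResult("error", None)
    # 4) ACLs are supported; 5)/6) the value says whether this file has an extended one.
    return EntityResult("exists", POSIX_ACL_ACCESS_XATTR in names)


# Constructed stand-ins for os.listxattr, one per situation in the thread.
def _raise(exc: OSError) -> Callable[[str], Iterable[str]]:
    def lister(_path: str) -> Iterable[str]:
        raise exc
    return lister


SAMPLE_LISTERS = {
    "with_acl": lambda _path: ["security.selinux", POSIX_ACL_ACCESS_XATTR],
    "without_acl": lambda _path: ["security.selinux"],
    "fs_without_xattr": _raise(OSError(next(iter(UNSUPPORTED_ERRNOS), 95), "not supported")),
    "permission_denied": _raise(PermissionError(13, "permission denied")),
}


if __name__ == "__main__":
    print("interpreter lacks ACL support:",
          collect_has_extended_acl("/constructed/file", interpreter_supports_acl=False))
    for name, lister in SAMPLE_LISTERS.items():
        print(f"{name}:", collect_has_extended_acl("/constructed/file", list_xattrs=lister))
```

Keeping 'not collected', 'does not exist' and 'error' distinct is what lets a results consumer tell "this scanner cannot answer the question" apart from "this filesystem has no ACLs", which is exactly the extra information the reply argues for.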
Follow-ups:
n/a
25294 add support for target_user and make username, userpass, and directory_node nillable in the macos-def:pwpolicy_test Closed 2010-03-10 Fixed
Priority: Medium | Category: n/a | Date Closed: 2010-03-10 20:18:54
Details:
Please see http://n2.nabble.com/Mac-pwpolicy-test-tp4455124ef20093.html for additional information.
Follow-ups:
n/a
25309 update the uid entity documentation in the unix-def:process_state and unix-sc:process_item Closed 2010-03-11 Fixed
Priority: Medium | Category: n/a | Date Closed: 2010-03-12 14:47:49
Details:
The uid entity documentation should be updated to state that the uid entity refers to the effective user id.
Follow-ups:
n/a
25574 clarify schema documentation regarding IP addresses Closed 2010-03-31 Fixed
Priority: Medium | Category: n/a | Date Closed: 2010-03-31 17:45:01
Details:
It should be clarified in the schema documentation that IP addresses can be either IPv4 or IPv6.
Follow-ups:
n/a

Timeline for Version 5.7

PLANNING: 28 August 2009
DRAFT: 3 February 2010
RELEASE CANDIDATE: 10 March 2010
OFFICIAL: 12 May 2010

Status Reports on Version 5.7

Status updates are included below. You may also review the OVAL Developer’s Forum Archives for discussions about Version 5.7.

[2010-05-12]

Version 5.7 has been officially released. Many thanks to all in the community that helped with this minor release.

[2010-04-20]

A fourth release candidate of Version 5.7 was posted for community review on 20 April 2010. This update addresses an issue related to the new record datatype. The record datatype is now prohibited when using variables.

[2010-04-09]

The release of Version 5.7 has been delayed by 4 weeks to correct three issues related to n-tuples and allow ample time for organizations to implement support for these changes. The new release date will be May 12, 2010.

[2010-04-01]

A third release candidate of Version 5.7 was posted for community review on 01 April 2010. This update corrects an error in the SharePoint Schema that allowed default element values to be set on entities. Two minor documentation updates were also made.

[2010-03-23]

A second release candidate of Version 5.7 was posted for community review on 23 March 2010. This update adds several missing Schematron rules that relate a test to the correct object and state. Several minor documentation updates were also made.

[2010-03-10]

A release candidate of Version 5.7 was posted for community review on 10 March 2010. This update completes the changes for supporting n-tuples, adds the new dnscache_test, and improves documentation. At this point the schema should be stable and any additional changes will be limited to fixes and documentation updates.

[2010-02-17]

A second draft of Version 5.7 was posted for community review and comment on 17 February 2010. This draft includes support for n-tuples and removes long standing deprecated constructs among numerous other changes.

[2010-02-03]

A first draft of Version 5.7 was posted for community review and comment on 03 February 2010.

[2009-08-28]

Version 5.7 is currently in the planning stage. If you have any suggestions for changes that should be included, please send them to the OVAL Community.


Page Last Updated: December 12, 2011