- Open Vulnerability and Assessment Language -
Element Dictionary

The following is a description of the elements, types, and attributes that compose the Windows specific system characteristic items found in Open Vulnerability and Assessment Language (OVAL). Each item is an extension of the standard item element defined in the Core System Characteristic Schema. Through extension, each item inherits a set of elements and attributes that are shared amongst all OVAL Items. Each item is described in detail and should provide the information necessary to understand what each element and attribute represents. This document is intended for developers and assumes some familiarity with XML. A high level description of the interaction between the different tests and their relationship to the Core System Characteristic Schema is not outlined here.

The OVAL Schema is maintained by The MITRE Corporation and developed by the public OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.mitre.org.



< accesstoken_item >

The access token item holds information about the individual privileges and rights associated with a specific access token. It is important to note that these privileges are specific to certain versions of Windows. As a result, the documentation for that version of Windows should be consulted for more information. Each privilege and right in the data section accepts a boolean value signifying whether the privilege is granted or not. It extends the standard ItemType as defined in the oval-system-characteristics schema and one should refer to the ItemType description for more information.

Child Elements Type MinOccurs MaxOccurs
security_principle oval-sc:EntityItemStringType 0 1
seassignprimarytokenprivilege oval-sc:EntityItemBoolType 0 1
seauditprivilege oval-sc:EntityItemBoolType 0 1
sebackupprivilege oval-sc:EntityItemBoolType 0 1
sechangenotifyprivilege oval-sc:EntityItemBoolType 0 1
secreateglobalprivilege oval-sc:EntityItemBoolType 0 1
secreatepagefileprivilege oval-sc:EntityItemBoolType 0 1
secreatepermanentprivilege oval-sc:EntityItemBoolType 0 1
secreatesymboliclinkprivilege oval-sc:EntityItemBoolType 0 1
secreatetokenprivilege oval-sc:EntityItemBoolType 0 1
sedebugprivilege oval-sc:EntityItemBoolType 0 1
seenabledelegationprivilege oval-sc:EntityItemBoolType 0 1
seimpersonateprivilege oval-sc:EntityItemBoolType 0 1
seincreasebasepriorityprivilege oval-sc:EntityItemBoolType 0 1
seincreasequotaprivilege oval-sc:EntityItemBoolType 0 1
seincreaseworkingsetprivilege oval-sc:EntityItemBoolType 0 1
seloaddriverprivilege oval-sc:EntityItemBoolType 0 1
selockmemoryprivilege oval-sc:EntityItemBoolType 0 1
semachineaccountprivilege oval-sc:EntityItemBoolType 0 1
semanagevolumeprivilege oval-sc:EntityItemBoolType 0 1
seprofilesingleprocessprivilege oval-sc:EntityItemBoolType 0 1
serelabelprivilege oval-sc:EntityItemBoolType 0 1
seremoteshutdownprivilege oval-sc:EntityItemBoolType 0 1
serestoreprivilege oval-sc:EntityItemBoolType 0 1
sesecurityprivilege oval-sc:EntityItemBoolType 0 1
seshutdownprivilege oval-sc:EntityItemBoolType 0 1
sesyncagentprivilege oval-sc:EntityItemBoolType 0 1
sesystemenvironmentprivilege oval-sc:EntityItemBoolType 0 1
sesystemprofileprivilege oval-sc:EntityItemBoolType 0 1
sesystemtimeprivilege oval-sc:EntityItemBoolType 0 1
setakeownershipprivilege oval-sc:EntityItemBoolType 0 1
setcbprivilege oval-sc:EntityItemBoolType 0 1
setimezoneprivilege oval-sc:EntityItemBoolType 0 1
seundockprivilege oval-sc:EntityItemBoolType 0 1
seunsolicitedinputprivilege oval-sc:EntityItemBoolType 0 1
sebatchlogonright oval-sc:EntityItemBoolType 0 1
seinteractivelogonright oval-sc:EntityItemBoolType 0 1
senetworklogonright oval-sc:EntityItemBoolType 0 1
seremoteinteractivelogonright oval-sc:EntityItemBoolType 0 1
seservicelogonright oval-sc:EntityItemBoolType 0 1
sedenybatchLogonright oval-sc:EntityItemBoolType 0 1
sedenyinteractivelogonright oval-sc:EntityItemBoolType 0 1
sedenynetworklogonright oval-sc:EntityItemBoolType 0 1
sedenyremoteInteractivelogonright oval-sc:EntityItemBoolType 0 1
sedenyservicelogonright oval-sc:EntityItemBoolType 0 1



< activedirectory_item >

Deprecated As Of Version: 5.7
Reason: Replaced by the activedirectory57_item. This item allows for single fields to be selected from active directory. A new item was created to allow more than one field to be selected in one statement. See the activedirectory57_item.
Comment: This object has been deprecated and may be removed in a future version of the language.

The active directory item holds information about specific entries in the Windows Active Directory. It extends the standard ItemType as defined in the oval-system-characteristics schema and one should refer to the ItemType description for more information.

Child Elements Type MinOccurs MaxOccurs
naming_context win-sc:EntityItemNamingContextType 0 1
relative_dn oval-sc:EntityItemStringType 0 1
attribute oval-sc:EntityItemStringType 0 1
object_class oval-sc:EntityItemStringType 0 1
adstype win-sc:EntityItemAdstypeType 0 1
value oval-sc:EntityItemAnySimpleType 0 unbounded



< activedirectory57_item >

The activedirectory57_item holds information about specific entries in the Windows Active Directory. It extends the standard ItemType as defined in the oval-system-characteristics schema and one should refer to the ItemType description for more information.

Child Elements Type MinOccurs MaxOccurs
naming_context win-sc:EntityItemNamingContextType 0 1
relative_dn oval-sc:EntityItemStringType 0 1
attribute oval-sc:EntityItemStringType 0 1
object_class oval-sc:EntityItemStringType 0 1
adstype win-sc:EntityItemAdstypeType 0 1
value oval-sc:EntityItemRecordType 0 unbounded



< auditeventpolicy_item >

The auditeventpolicy item enumerates the different types of events the system should audit. The defined values are found in Windows' POLICY_AUDIT_EVENT_TYPE enumeration and are accessed through LsaQueryInformationPolicy when the InformationClass parameter is set to PolicyAuditEventsInformation. It extends the standard ItemType as defined in the oval-system-characteristics schema and one should refer to the ItemType description for more information.

Child Elements Type MinOccurs MaxOccurs
account_logon win-sc:EntityItemAuditType 0 1
account_management win-sc:EntityItemAuditType 0 1
detailed_tracking win-sc:EntityItemAuditType 0 1
directory_service_access win-sc:EntityItemAuditType 0 1
logon win-sc:EntityItemAuditType 0 1
object_access win-sc:EntityItemAuditType 0 1
policy_change win-sc:EntityItemAuditType 0 1
privilege_use win-sc:EntityItemAuditType 0 1
system win-sc:EntityItemAuditType 0 1



< auditeventpolicysubcategories_item >

The auditeventpolicysubcategories_item is used to hold information about the audit event policy settings on a Windows system. These settings are used to specify which system and network events are monitored. For example, if the credential_validation element has a value of AUDIT_FAILURE, it means that the system is configured to log all unsuccessful attempts to validate a user account on a system. It is important to note that these audit event policy settings are specific to certain versions of Windows. As a result, the documentation for that version of Windows should be consulted for more information on each setting. It extends the standard ItemType as defined in the oval-system-characteristics schema and one should refer to the ItemType description for more information.

Child Elements Type MinOccurs MaxOccurs
credential_validation win-sc:EntityItemAuditType 0 1
kerberos_authentication_service win-sc:EntityItemAuditType 0 1
kerberos_service_ticket_operations win-sc:EntityItemAuditType 0 1
kerberos_ticket_events win-sc:EntityItemAuditType 0 1
other_account_logon_events win-sc:EntityItemAuditType 0 1
application_group_management win-sc:EntityItemAuditType 0 1
computer_account_management win-sc:EntityItemAuditType 0 1
distribution_group_management win-sc:EntityItemAuditType 0 1
other_account_management_events win-sc:EntityItemAuditType 0 1
security_group_management win-sc:EntityItemAuditType 0 1
user_account_management win-sc:EntityItemAuditType 0 1
dpapi_activity win-sc:EntityItemAuditType 0 1
process_creation win-sc:EntityItemAuditType 0 1
process_termination win-sc:EntityItemAuditType 0 1
rpc_events win-sc:EntityItemAuditType 0 1
directory_service_access win-sc:EntityItemAuditType 0 1
directory_service_changes win-sc:EntityItemAuditType 0 1
directory_service_replication win-sc:EntityItemAuditType 0 1
detailed_directory_service_replication win-sc:EntityItemAuditType 0 1
account_lockout win-sc:EntityItemAuditType 0 1
ipsec_extended_mode win-sc:EntityItemAuditType 0 1
ipsec_main_mode win-sc:EntityItemAuditType 0 1
ipsec_quick_mode win-sc:EntityItemAuditType 0 1
logoff win-sc:EntityItemAuditType 0 1
logon win-sc:EntityItemAuditType 0 1
network_policy_server win-sc:EntityItemAuditType 0 1
other_logon_logoff_events win-sc:EntityItemAuditType 0 1
special_logon win-sc:EntityItemAuditType 0 1
application_generated win-sc:EntityItemAuditType 0 1
certification_services win-sc:EntityItemAuditType 0 1
detailed_file_share win-sc:EntityItemAuditType 0 1
file_share win-sc:EntityItemAuditType 0 1
file_system win-sc:EntityItemAuditType 0 1
filtering_platform_connection win-sc:EntityItemAuditType 0 1
filtering_platform_packet_drop win-sc:EntityItemAuditType 0 1
handle_manipulation win-sc:EntityItemAuditType 0 1
kernel_object win-sc:EntityItemAuditType 0 1
other_object_access_events win-sc:EntityItemAuditType 0 1
registry win-sc:EntityItemAuditType 0 1
sam win-sc:EntityItemAuditType 0 1
audit_policy_change win-sc:EntityItemAuditType 0 1
authentication_policy_change win-sc:EntityItemAuditType 0 1
authorization_policy_change win-sc:EntityItemAuditType 0 1
filtering_platform_policy_change win-sc:EntityItemAuditType 0 1
mpssvc_rule_level_policy_change win-sc:EntityItemAuditType 0 1
other_policy_change_events win-sc:EntityItemAuditType 0 1
non_sensitive_privilege_use win-sc:EntityItemAuditType 0 1
other_privilege_use_events win-sc:EntityItemAuditType 0 1
sensitive_privilege_use win-sc:EntityItemAuditType 0 1
ipsec_driver win-sc:EntityItemAuditType 0 1
other_system_events win-sc:EntityItemAuditType 0 1
security_state_change win-sc:EntityItemAuditType 0 1
security_system_extension win-sc:EntityItemAuditType 0 1
system_integrity win-sc:EntityItemAuditType 0 1



< dnscache_item >

The dnscache_item stores information retrieved from the DNS cache about a domain name, its time to live, and its corresponding IP addresses.

Child Elements Type MinOccurs MaxOccurs
domain_name oval-sc:EntityItemStringType 0 1
ttl oval-sc:EntityItemIntType 0 1
ip_address oval-sc:EntityItemStringType 0 unbounded



< file_item >

This element describes file metadata. The time information can be retrieved by the _stat function. Development_class and other version information (company, internal name, language, original_filename, product_name, product_version) can be retrieved using the VerQueryValue function.

Child Elements Type MinOccurs MaxOccurs
filepath oval-sc:EntityItemStringType 0 1
path oval-sc:EntityItemStringType 0 1
filename oval-sc:EntityItemStringType 0 1
owner oval-sc:EntityItemStringType 0 1
size oval-sc:EntityItemIntType 0 1
a_time oval-sc:EntityItemIntType 0 1
c_time oval-sc:EntityItemIntType 0 1
m_time oval-sc:EntityItemIntType 0 1
ms_checksum oval-sc:EntityItemStringType 0 1
version oval-sc:EntityItemStringType 0 1
type win-sc:EntityItemFileTypeType 0 1
development_class oval-sc:EntityItemStringType 0 1
company oval-sc:EntityItemStringType 0 1
internal_name oval-sc:EntityItemStringType 0 1
language oval-sc:EntityItemStringType 0 1
original_filename oval-sc:EntityItemStringType 0 1
product_name oval-sc:EntityItemStringType 0 1
product_version oval-sc:EntityItemStringType 0 1



< fileauditedpermissions_item >

This item stores the audited access rights of a file that a system access control list (SACL) structure grants to a specified trustee. The trustee's audited access rights are determined by checking all access control entries (ACEs) in the SACL. For help with this test see the GetAuditedPermissionsFromAcl() API.

Child Elements Type MinOccurs MaxOccurs
filepath oval-sc:EntityItemStringType 0 1
path oval-sc:EntityItemStringType 0 1
filename oval-sc:EntityItemStringType 0 1
trustee_sid oval-sc:EntityItemStringType 0 1
trustee_name oval-sc:EntityItemStringType 0 1
standard_delete win-sc:EntityItemAuditType 0 1
standard_read_control win-sc:EntityItemAuditType 0 1
standard_write_dac win-sc:EntityItemAuditType 0 1
standard_write_owner win-sc:EntityItemAuditType 0 1
standard_synchronize win-sc:EntityItemAuditType 0 1
access_system_security win-sc:EntityItemAuditType 0 1
generic_read win-sc:EntityItemAuditType 0 1
generic_write win-sc:EntityItemAuditType 0 1
generic_execute win-sc:EntityItemAuditType 0 1
generic_all win-sc:EntityItemAuditType 0 1
file_read_data win-sc:EntityItemAuditType 0 1
file_write_data win-sc:EntityItemAuditType 0 1
file_append_data win-sc:EntityItemAuditType 0 1
file_read_ea win-sc:EntityItemAuditType 0 1
file_write_ea win-sc:EntityItemAuditType 0 1
file_execute win-sc:EntityItemAuditType 0 1
file_delete_child win-sc:EntityItemAuditType 0 1
file_read_attributes win-sc:EntityItemAuditType 0 1
file_write_attributes win-sc:EntityItemAuditType 0 1



< fileeffectiverights_item >

This item stores the effective rights of a file that a discretionary access control list (DACL) structure grants to a specified trustee. The trustee's effective rights are determined by checking all access-allowed and access-denied access control entries (ACEs) in the DACL. For help with this test see the GetEffectiveRightsFromAcl() API.

Child Elements Type MinOccurs MaxOccurs
filepath oval-sc:EntityItemStringType 0 1
path oval-sc:EntityItemStringType 0 1
filename oval-sc:EntityItemStringType 0 1
trustee_sid oval-sc:EntityItemStringType 0 1
trustee_name oval-sc:EntityItemStringType 0 1
standard_delete oval-sc:EntityItemBoolType 0 1
standard_read_control oval-sc:EntityItemBoolType 0 1
standard_write_dac oval-sc:EntityItemBoolType 0 1
standard_write_owner oval-sc:EntityItemBoolType 0 1
standard_synchronize oval-sc:EntityItemBoolType 0 1
access_system_security oval-sc:EntityItemBoolType 0 1
generic_read oval-sc:EntityItemBoolType 0 1
generic_write oval-sc:EntityItemBoolType 0 1
generic_execute oval-sc:EntityItemBoolType 0 1
generic_all oval-sc:EntityItemBoolType 0 1
file_read_data oval-sc:EntityItemBoolType 0 1
file_write_data oval-sc:EntityItemBoolType 0 1
file_append_data oval-sc:EntityItemBoolType 0 1
file_read_ea oval-sc:EntityItemBoolType 0 1
file_write_ea oval-sc:EntityItemBoolType 0 1
file_execute oval-sc:EntityItemBoolType 0 1
file_delete_child oval-sc:EntityItemBoolType 0 1
file_read_attributes oval-sc:EntityItemBoolType 0 1
file_write_attributes oval-sc:EntityItemBoolType 0 1



< group_item >

The Windows group_item allows the different users and subgroups, that directly belong to specific groups (identified by name), to be collected. The collected subgroups will not be resolved to find indirect user or subgroup members. If the subgroups need to be resolved, it should be done using the sid_object. Note that the user and subgroup elements can appear an unlimited number of times. If a user is not found in the specified group, a single user element should exist with a status of 'does not exist'. If there is an error determining the users of a group, a single user element should exist with a status of 'error'. If a subgroup is not found in the specified group, a single subgroup element should exist with a status of 'does not exist'. If there is an error determining the subgroups of a group, a single subgroup element should exist with a status of 'error'.

Child Elements Type MinOccurs MaxOccurs
group oval-sc:EntityItemStringType 0 1
user oval-sc:EntityItemStringType 0 unbounded
subgroup oval-sc:EntityItemStringType 0 unbounded
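
The status rules described above for group_item matter when a collected item is evaluated: a user element with status 'does not exist' means the group was checked and has no direct users, while status 'error' means membership is unknown and must not be read as empty. The following is an added example, not part of the OVAL schema or its tooling. The sample XML, the group and account names, and the pass/fail/indeterminate policy are constructed for illustration; the namespace URI, the default entity status of 'exists', and the 'not collected' status value are taken from the OVAL system-characteristics schema rather than from this page.

```python
import xml.etree.ElementTree as ET

# Namespace of the Windows system-characteristics schema (assumption: OVAL 5.x URI).
NS = {"win-sc": "http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#windows"}

# Constructed sample: three collected group_items with different entity statuses.
SAMPLE = r"""<system_data
    xmlns="http://oval.mitre.org/XMLSchema/oval-system-characteristics-5"
    xmlns:win-sc="http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#windows">
  <win-sc:group_item id="1" status="exists">
    <win-sc:group>Administrators</win-sc:group>
    <win-sc:user>HOST\Administrator</win-sc:user>
    <win-sc:user>EXAMPLE\alice</win-sc:user>
    <win-sc:subgroup>EXAMPLE\Domain Admins</win-sc:subgroup>
  </win-sc:group_item>
  <win-sc:group_item id="2" status="exists">
    <win-sc:group>Backup Operators</win-sc:group>
    <win-sc:user status="does not exist"/>
    <win-sc:subgroup status="does not exist"/>
  </win-sc:group_item>
  <win-sc:group_item id="3" status="exists">
    <win-sc:group>Remote Desktop Users</win-sc:group>
    <win-sc:user status="error"/>
    <win-sc:subgroup status="does not exist"/>
  </win-sc:group_item>
</system_data>"""

# Hypothetical policy: the direct members each group is allowed to have.
ALLOWED = {
    "Administrators": {r"HOST\Administrator", r"EXAMPLE\Domain Admins"},
    "Backup Operators": set(),
    "Remote Desktop Users": set(),
}


def read_members(item, tag):
    """Return (names, state) for the 'user' or 'subgroup' entities of a group_item.

    state is 'collected' (names is authoritative, possibly empty),
    'error' (collection failed) or 'unknown' (entity omitted or not collected).
    """
    entities = item.findall(f"win-sc:{tag}", NS)
    if not entities:
        return [], "unknown"  # MinOccurs is 0: nothing was reported at all
    statuses = [e.get("status", "exists") for e in entities]
    if "error" in statuses:
        return [], "error"
    if "not collected" in statuses:
        return [], "unknown"
    # A lone element with status 'does not exist' yields an empty, verified list.
    names = [e.text.strip() for e, s in zip(entities, statuses)
             if s == "exists" and e.text]
    return names, "collected"


def audit_group(item, allowed):
    """Compare the direct members of one group_item against an allow-list."""
    group = item.findtext("win-sc:group", default="", namespaces=NS)
    users, user_state = read_members(item, "user")
    subgroups, sub_state = read_members(item, "subgroup")
    result = {"group": group, "unexpected": [], "unresolved_subgroups": subgroups}
    if user_state != "collected" or sub_state != "collected":
        # Membership is unknown, so the item can be neither passed nor failed.
        result["verdict"] = "indeterminate"
        return result
    allowed_ci = {name.lower() for name in allowed}  # Windows names are case-insensitive
    result["unexpected"] = [m for m in users + subgroups if m.lower() not in allowed_ci]
    result["verdict"] = "fail" if result["unexpected"] else "pass"
    return result


def audit_all(xml_text, allowed_by_group):
    """Audit every group_item in a system-characteristics fragment."""
    root = ET.fromstring(xml_text)
    results = {}
    for item in root.findall("win-sc:group_item", NS):
        group = item.findtext("win-sc:group", default="", namespaces=NS)
        results[group] = audit_group(item, allowed_by_group.get(group, set()))
    return results


if __name__ == "__main__":
    for name, res in audit_all(SAMPLE, ALLOWED).items():
        print(name, res["verdict"], res["unexpected"], res["unresolved_subgroups"])
```

Subgroups listed under unresolved_subgroups are direct members only; their own members still have to be resolved separately, as the description above notes.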



< group_sid_item >

The Windows group_sid_item allows the different users and subgroups, that directly belong to specific groups (identified by SID), to be collected. The collected subgroups will not be resolved to find indirect user or subgroup members. If the subgroups need to be resolved, it should be done using the sid_sid_object. Note that the user and subgroup elements can appear an unlimited number of times. If a user is not found in the specified group, a single user element should exist with a status of 'does not exist'. If there is an error determining the users of a group, a single user element should exist with a status of 'error'. If a subgroup is not found in the specified group, a single subgroup element should exist with a status of 'does not exist'. If there is an error determining the subgroups of a group, a single subgroup element should exist with a status of 'error'.

Child Elements Type MinOccurs MaxOccurs
group_sid oval-sc:EntityItemStringType 0 1
user_sid oval-sc:EntityItemStringType 0 unbounded
subgroup_sid oval-sc:EntityItemStringType 0 unbounded



< interface_item >

Enumerate various attributes about the interfaces on a system.

Child Elements Type MinOccurs MaxOccurs
name oval-sc:EntityItemStringType 0 1
index oval-sc:EntityItemIntType 0 1
type win-sc:EntityItemInterfaceTypeType 0 1
hardware_addr oval-sc:EntityItemStringType 0 1
inet_addr oval-sc:EntityItemStringType 0 1
broadcast_addr oval-sc:EntityItemStringType 0 1
netmask oval-sc:EntityItemStringType 0 1
addr_type win-sc:EntityItemAddrTypeType 0 unbounded



< lockoutpolicy_item >

The lockoutpolicy item enumerates various attributes associated with lockout information for users and global groups in the security database.

Child Elements Type MinOccurs MaxOccurs
force_logoff oval-sc:EntityItemIntType 0 1
lockout_duration oval-sc:EntityItemIntType 0 1
lockout_observation_window oval-sc:EntityItemIntType 0 1
lockout_threshold oval-sc:EntityItemIntType 0 1



< metabase_item >

This item gathers information from the specified metabase keys.

Child Elements Type MinOccurs MaxOccurs
key oval-sc:EntityItemStringType 0 1
id oval-sc:EntityItemIntType 0 1
name oval-sc:EntityItemStringType 0 1
user_type oval-sc:EntityItemStringType 0 1
data_type oval-sc:EntityItemStringType 0 1
data oval-sc:EntityItemAnySimpleType 0 unbounded



< passwordpolicy_item >

Specific policy items associated with passwords. It is important to note that these policies are specific to certain versions of Windows. As a result, the documentation for that version of Windows should be consulted for more information. Information is stored in the SAM or Active Directory but is encrypted or hidden so the registry_item and activedirectory_item are of no use. If this can be figured out, then the password_policy item is not needed.

Child Elements Type MinOccurs MaxOccurs
max_passwd_age oval-sc:EntityItemIntType 0 1
min_passwd_age oval-sc:EntityItemIntType 0 1
min_passwd_len oval-sc:EntityItemIntType 0 1
password_hist_len oval-sc:EntityItemIntType 0 1
password_complexity oval-sc:EntityItemBoolType 0 1
reversible_encryption oval-sc:EntityItemBoolType 0 1



< port_item >

Information about open listening ports.

Child Elements Type MinOccurs MaxOccurs
local_address oval-sc:EntityItemStringType 0 1
local_port oval-sc:EntityItemIntType 0 1
protocol win-sc:EntityItemProtocolType 0 1
pid oval-sc:EntityItemIntType 0 1



< printereffectiverights_item >

This item stores the effective rights of a printer that a discretionary access control list (DACL) structure grants to a specified trustee. The trustee's effective rights are determined by checking all access-allowed and access-denied access control entries (ACEs) in the DACL. For help with this test see the GetEffectiveRightsFromAcl() API.

Child Elements Type MinOccurs MaxOccurs
printer_name oval-sc:EntityItemStringType 0 1
trustee_sid oval-sc:EntityItemStringType 0 1
standard_delete oval-sc:EntityItemBoolType 0 1
standard_read_control oval-sc:EntityItemBoolType 0 1
standard_write_dac oval-sc:EntityItemBoolType 0 1
standard_write_owner oval-sc:EntityItemBoolType 0 1
standard_synchronize oval-sc:EntityItemBoolType 0 1
access_system_security oval-sc:EntityItemBoolType 0 1
generic_read oval-sc:EntityItemBoolType 0 1
generic_write oval-sc:EntityItemBoolType 0 1
generic_execute oval-sc:EntityItemBoolType 0 1
generic_all oval-sc:EntityItemBoolType 0 1
printer_access_administer oval-sc:EntityItemBoolType 0 1
printer_access_use oval-sc:EntityItemBoolType 0 1
job_access_administer oval-sc:EntityItemBoolType 0 1
job_access_read oval-sc:EntityItemBoolType 0 1



< process_item >

Information about running processes.

Child Elements Type MinOccurs MaxOccurs
command_line oval-sc:EntityItemStringType 0 1
pid oval-sc:EntityItemIntType 0 1
ppid oval-sc:EntityItemIntType 0 1
priority oval-sc:EntityItemStringType 0 1
image_path oval-sc:EntityItemStringType 0 1
current_dir oval-sc:EntityItemStringType 0 1



< registry_item >

The Windows registry item specifies information that can be collected about a particular registry key.

Child Elements Type MinOccurs MaxOccurs
hive win-sc:EntityItemRegistryHiveType 0 1
key oval-sc:EntityItemStringType 0 1
name oval-sc:EntityItemStringType 0 1
type win-sc:EntityItemRegistryTypeType 0 1
value oval-sc:EntityItemAnySimpleType 0 unbounded



< regkeyauditedpermissions_item >

This item stores the audited access rights of a registry key that a system access control list (SACL) structure grants to a specified trustee. The trustee's audited access rights are determined by checking all access control entries (ACEs) in the SACL. For help with this test see the GetAuditedPermissionsFromAcl() API.

Child Elements Type MinOccurs MaxOccurs
hive win-sc:EntityItemRegistryHiveType 0 1
key oval-sc:EntityItemStringType 0 1
trustee_sid oval-sc:EntityItemStringType 0 1
trustee_name oval-sc:EntityItemStringType 0 1
standard_delete win-sc:EntityItemAuditType 0 1
standard_read_control win-sc:EntityItemAuditType 0 1
standard_write_dac win-sc:EntityItemAuditType 0 1
standard_write_owner win-sc:EntityItemAuditType 0 1
standard_synchronize win-sc:EntityItemAuditType 0 1
access_system_security win-sc:EntityItemAuditType 0 1
generic_read win-sc:EntityItemAuditType 0 1
generic_write win-sc:EntityItemAuditType 0 1
generic_execute win-sc:EntityItemAuditType 0 1
generic_all win-sc:EntityItemAuditType 0 1
key_query_value win-sc:EntityItemAuditType 0 1
key_set_value win-sc:EntityItemAuditType 0 1
key_create_sub_key win-sc:EntityItemAuditType 0 1
key_enumerate_sub_keys win-sc:EntityItemAuditType 0 1
key_notify win-sc:EntityItemAuditType 0 1
key_create_link win-sc:EntityItemAuditType 0 1
key_wow64_64key win-sc:EntityItemAuditType 0 1
key_wow64_32key win-sc:EntityItemAuditType 0 1
key_wow64_res win-sc:EntityItemAuditType 0 1



< regkeyeffectiverights_item >

This item stores the effective rights of a registry key that a discretionary access control list (DACL) structure grants to a specified trustee. The trustee's effective rights are determined by checking all access-allowed and access-denied access control entries (ACEs) in the DACL. For help with this test see the GetEffectiveRightsFromAcl() API.

Child Elements Type MinOccurs MaxOccurs
hive win-sc:EntityItemRegistryHiveType 0 1
key oval-sc:EntityItemStringType 0 1
trustee_sid oval-sc:EntityItemStringType 0 1
trustee_name oval-sc:EntityItemStringType 0 1
standard_delete oval-sc:EntityItemBoolType 0 1
standard_read_control oval-sc:EntityItemBoolType 0 1
standard_write_dac oval-sc:EntityItemBoolType 0 1
standard_write_owner oval-sc:EntityItemBoolType 0 1
standard_synchronize oval-sc:EntityItemBoolType 0 1
access_system_security oval-sc:EntityItemBoolType 0 1
generic_read oval-sc:EntityItemBoolType 0 1
generic_write oval-sc:EntityItemBoolType 0 1
generic_execute oval-sc:EntityItemBoolType 0 1
generic_all oval-sc:EntityItemBoolType 0 1
key_query_value oval-sc:EntityItemBoolType 0 1
key_set_value oval-sc:EntityItemBoolType 0 1
key_create_sub_key oval-sc:EntityItemBoolType 0 1
key_enumerate_sub_keys oval-sc:EntityItemBoolType 0 1
key_notify oval-sc:EntityItemBoolType 0 1
key_create_link oval-sc:EntityItemBoolType 0 1
key_wow64_64key oval-sc:EntityItemBoolType 0 1
key_wow64_32key oval-sc:EntityItemBoolType 0 1
key_wow64_res oval-sc:EntityItemBoolType 0 1



< serviceeffectiverights_item >

This item stores the effective rights of a service that a discretionary access control list (DACL) structure grants to a specified trustee. The trustee's effective rights are determined by checking all access-allowed and access-denied access control entries (ACEs) in the DACL. For help with this test see the GetEffectiveRightsFromAcl() api.

Child Elements Type MinOccurs MaxOccurs
service_name oval-sc:EntityItemStringType 0 1
trustee_sid oval-sc:EntityItemStringType 0 1
standard_delete oval-sc:EntityItemBoolType 0 1
standard_read_control oval-sc:EntityItemBoolType 0 1
standard_write_dac oval-sc:EntityItemBoolType 0 1
standard_write_owner oval-sc:EntityItemBoolType 0 1
generic_read oval-sc:EntityItemBoolType 0 1
generic_write oval-sc:EntityItemBoolType 0 1
generic_execute oval-sc:EntityItemBoolType 0 1
service_query_conf oval-sc:EntityItemBoolType 0 1
service_change_conf oval-sc:EntityItemBoolType 0 1
service_query_stat oval-sc:EntityItemBoolType 0 1
service_enum_dependents oval-sc:EntityItemBoolType 0 1
service_start oval-sc:EntityItemBoolType 0 1
service_stop oval-sc:EntityItemBoolType 0 1
service_pause oval-sc:EntityItemBoolType 0 1
service_interrogate oval-sc:EntityItemBoolType 0 1
service_user_defined oval-sc:EntityItemBoolType 0 1



< sharedresource_item >

Child Elements Type MinOccurs MaxOccurs
netname oval-sc:EntityItemStringType 0 1
shared_type oval-sc:EntityItemStringType 0 1
max_uses oval-sc:EntityItemIntType 0 unbounded
current_uses oval-sc:EntityItemIntType 0 unbounded
local_path oval-sc:EntityItemStringType 0 1
access_read_permission oval-sc:EntityItemBoolType 0 1
access_write_permission oval-sc:EntityItemBoolType 0 1
access_create_permission oval-sc:EntityItemBoolType 0 1
access_exec_permission oval-sc:EntityItemBoolType 0 1
access_delete_permission oval-sc:EntityItemBoolType 0 1
access_atrib_permission oval-sc:EntityItemBoolType 0 1
access_perm_permission oval-sc:EntityItemBoolType 0 1
access_all_permission oval-sc:EntityItemBoolType 0 1



< sid_item >

Child Elements Type MinOccurs MaxOccurs
trustee_name oval-sc:EntityItemStringType 0 1
trustee_sid oval-sc:EntityItemStringType 0 1
trustee_domain oval-sc:EntityItemStringType 0 1



< sid_sid_item >

Child Elements Type MinOccurs MaxOccurs
trustee_sid oval-sc:EntityItemStringType 0 1
trustee_name oval-sc:EntityItemStringType 0 1
trustee_domain oval-sc:EntityItemStringType 0 1



< uac_item >

The uac_item is used to hold information about settings related to User Access Control within Windows.

Child Elements Type MinOccurs MaxOccurs
admin_approval_mode oval-sc:EntityItemBoolType 0 1
elevation_prompt_admin oval-sc:EntityItemStringType 0 1
elevation_prompt_standard oval-sc:EntityItemStringType 0 1
detect_installations oval-sc:EntityItemBoolType 0 1
elevate_signed_executables oval-sc:EntityItemBoolType 0 1
elevate_uiaccess oval-sc:EntityItemBoolType 0 1
run_admins_aam oval-sc:EntityItemBoolType 0 1
secure_desktop oval-sc:EntityItemBoolType 0 1
virtualize_write_failures oval-sc:EntityItemBoolType 0 1



< user_item >

The Windows user_item allows the different groups (identified by name) to which a user belongs to be collected.

Child Elements Type MinOccurs MaxOccurs
user oval-sc:EntityItemStringType 0 1
enabled oval-sc:EntityItemBoolType 0 1
group oval-sc:EntityItemStringType 0 unbounded



< user_sid_item >

The Windows user_sid_item allows the different groups (identified by SID) to which a user belongs to be collected.

Child Elements Type MinOccurs MaxOccurs
user_sid oval-sc:EntityItemStringType 0 1
enabled oval-sc:EntityItemBoolType 0 1
group_sid oval-sc:EntityItemStringType 0 unbounded



< volume_item >

The volume item enumerates various attributes about a particular volume mounted to a machine. This includes the various system flags returned by GetVolumeInformation(). It is important to note that these system flags are specific to certain versions of Windows. As a result, the documentation for that version of Windows should be consulted for more information.

Child Elements Type MinOccurs MaxOccurs
rootpath oval-sc:EntityItemStringType 0 1
file_system oval-sc:EntityItemStringType 0 1
name oval-sc:EntityItemStringType 0 1
volume_max_component_length oval-sc:EntityItemIntType 0 1
serial_number oval-sc:EntityItemIntType 0 1
file_case_sensitive_search oval-sc:EntityItemBoolType 0 1
file_case_preserved_names oval-sc:EntityItemBoolType 0 1
file_unicode_on_disk oval-sc:EntityItemBoolType 0 1
file_persistent_acls oval-sc:EntityItemBoolType 0 1
file_file_compression oval-sc:EntityItemBoolType 0 1
file_volume_quotas oval-sc:EntityItemBoolType 0 1
file_supports_sparse_files oval-sc:EntityItemBoolType 0 1
file_supports_reparse_points oval-sc:EntityItemBoolType 0 1
file_supports_remote_storage oval-sc:EntityItemBoolType 0 1
file_volume_is_compressed oval-sc:EntityItemBoolType 0 1
file_supports_object_ids oval-sc:EntityItemBoolType 0 1
file_supports_encryption oval-sc:EntityItemBoolType 0 1
file_named_streams oval-sc:EntityItemBoolType 0 1
file_read_only_volume oval-sc:EntityItemBoolType 0 1



< wmi_item >

Deprecated As Of Version: 5.7
Reason: Replaced by the wmi57_item. This item allows for single fields to be selected from WMI. A new item was created to allow more than one field to be selected in one statement. See the wmi57_item.
Comment: This object has been deprecated and may be removed in a future version of the language.

The wmi_item outlines information to be checked through Microsoft's WMI interface.

Child Elements Type MinOccurs MaxOccurs
namespace oval-sc:EntityItemStringType 0 1
wql oval-sc:EntityItemStringType 0 1
result oval-sc:EntityItemAnySimpleType 0 unbounded



< wmi57_item >

The wmi57_item outlines information to be checked through Microsoft's WMI interface.

Child Elements Type MinOccurs MaxOccurs
namespace oval-sc:EntityItemStringType 0 1
wql oval-sc:EntityItemStringType 0 1
result oval-sc:EntityItemRecordType 0 unbounded



< wuaupdatesearcher_item >

The wuaupdatesearcher_item outlines information defined through the Search method of the IUpdateSearcher interface as part of Microsoft's WUA (Windows Update Agent) API. This information is related to the current patch level in a Windows environment. The test extends the standard ItemType as defined in the oval-system-characteristics schema and one should refer to the ItemType description for more information.

Child Elements Type MinOccurs MaxOccurs
search_criteria oval-sc:EntityItemStringType 0 1
update_id oval-sc:EntityItemStringType 0 unbounded



== EntityItemAddrTypeType ==

The EntityItemAddrTypeType restricts a string value to a specific set of values that describe the different address types of interfaces. The empty string is also allowed to support an empty element associated with error conditions.

Value Description

MIB_IPADDR_DELETED 

The stated IP address is being deleted. The unsigned short value that this corresponds to is 0x0040.

MIB_IPADDR_DISCONNECTED 

The stated IP address is on a disconnected interface. The unsigned short value that this corresponds to is 0x0008.

MIB_IPADDR_DYNAMIC 

The stated IP address is a dynamic IP address. The unsigned short value that this corresponds to is 0x0004.

MIB_IPADDR_PRIMARY 

The stated IP address is a primary IP address. The unsigned short value that this corresponds to is 0x0001.

MIB_IPADDR_TRANSIENT 

The stated IP address is a transient IP address. The unsigned short value that this corresponds to is 0x0080.

 

The empty string value is permitted here to allow for detailed error reporting.


== EntityItemAdstypeType ==

The EntityItemAdstypeType restricts a string value to a specific set of values that describe the possible types associated with an Active Directory attribute. The empty string is also allowed to support an empty element associated with error conditions.

Value Description

ADSTYPE_INVALID 

The data type is invalid.

ADSTYPE_DN_STRING 

The string is of Distinguished Name (path) of a directory service object.

ADSTYPE_CASE_EXACT_STRING 

The string is of the case-sensitive type.

ADSTYPE_CASE_IGNORE_STRING 

The string is of the case-insensitive type.

ADSTYPE_PRINTABLE_STRING 

The string is displayable on the screen or in print.

ADSTYPE_NUMERIC_STRING 

The string is of a numeric value to be interpreted as text.

ADSTYPE_BOOLEAN 

The data is of a Boolean value.

ADSTYPE_INTEGER 

The data is of an integer value.

ADSTYPE_OCTET_STRING 

The string is of a byte array.

ADSTYPE_UTC_TIME 

The data is of the universal time as expressed in Universal Time Coordinate (UTC).

ADSTYPE_LARGE_INTEGER 

The data is of a long integer value.

ADSTYPE_PROV_SPECIFIC 

The string is of a provider-specific string.

ADSTYPE_OBJECT_CLASS 

Not used.

ADSTYPE_CASEIGNORE_LIST 

The data is of a list of case insensitive strings.

ADSTYPE_OCTET_LIST 

The data is of a list of octet strings.

ADSTYPE_PATH 

The string is of a directory path.

ADSTYPE_POSTALADDRESS 

The string is of the postal address type.

ADSTYPE_TIMESTAMP 

The data is of a time stamp in seconds.

ADSTYPE_BACKLINK 

The string is of a back link.

ADSTYPE_TYPEDNAME 

The string is of a typed name.

ADSTYPE_HOLD 

The data is of the Hold data structure.

ADSTYPE_NETADDRESS 

The string is of a net address.

ADSTYPE_REPLICAPOINTER 

The data is of a replica pointer.

ADSTYPE_FAXNUMBER 

The string is of a fax number.

ADSTYPE_EMAIL 

The data is of an e-mail message.

ADSTYPE_NT_SECURITY_DESCRIPTOR 

The data is of Windows NT/Windows 2000 Security Descriptor as represented by a byte array.

ADSTYPE_UNKNOWN 

The data is of an undefined type.

ADSTYPE_DN_WITH_BINARY 

The data is of ADS_DN_WITH_BINARY used for mapping a distinguished name to a non-varying GUID.

ADSTYPE_DN_WITH_STRING 

The data is of ADS_DN_WITH_STRING used for mapping a distinguished name to a non-varying string value.

 

The empty string value is permitted here to allow for detailed error reporting.


== EntityItemAuditType ==

The EntityItemAuditType restricts a string value to a specific set of values: AUDIT_NONE, AUDIT_SUCCESS, AUDIT_FAILURE, and AUDIT_SUCCESS_FAILURE. These values describe which audit records should be generated. The empty string is also allowed to support an empty element associated with error conditions.

Value Description

AUDIT_FAILURE 

The audit type AUDIT_FAILURE is used to perform audits on all unsuccessful occurrences of specified events when auditing is enabled.

AUDIT_NONE 

The audit type AUDIT_NONE is used to cancel all auditing options for the specified events.

AUDIT_SUCCESS 

The audit type AUDIT_SUCCESS is used to perform audits on all successful occurrences of the specified events when auditing is enabled.

AUDIT_SUCCESS_FAILURE 

The audit type AUDIT_SUCCESS_FAILURE is used to perform audits on all successful and unsuccessful occurrences of the specified events when auditing is enabled.

 

The empty string value is permitted here to allow for detailed error reporting.


== EntityItemFileTypeType ==

The EntityItemFileTypeType restricts a string value to a specific set of values that describe the different types of files. The empty string is also allowed to support an empty element associated with error conditions.

Value Description

FILE_ATTRIBUTE_DIRECTORY 

The handle identifies a directory.

FILE_TYPE_CHAR 

The specified file is a character file, typically an LPT device or a console.

FILE_TYPE_DISK 

The specified file is a disk file.

FILE_TYPE_PIPE 

The specified file is a socket, a named pipe, or an anonymous pipe.

FILE_TYPE_REMOTE 

Unused.

FILE_TYPE_UNKNOWN 

Either the type of the specified file is unknown, or the function failed.

 

The empty string value is permitted here to allow for detailed error reporting.


== EntityItemInterfaceTypeType ==

The EntityItemInterfaceTypeType restricts a string value to a specific set of values that describe the different types of interfaces. The empty string is also allowed to support an empty element associated with error conditions.

Value Description

MIB_IF_TYPE_ETHERNET 

The MIB_IF_TYPE_ETHERNET type is used to describe ethernet interfaces.

MIB_IF_TYPE_FDDI 

The MIB_IF_TYPE_FDDI type is used to describe fiber distributed data interfaces (FDDI).

MIB_IF_TYPE_LOOPBACK 

The MIB_IF_TYPE_LOOPBACK type is used to describe loopback interfaces.

MIB_IF_TYPE_OTHER 

The MIB_IF_TYPE_OTHER type is used to describe unknown interfaces.

MIB_IF_TYPE_PPP 

The MIB_IF_TYPE_PPP type is used to describe point-to-point protocol interfaces (PPP).

MIB_IF_TYPE_SLIP 

The MIB_IF_TYPE_SLIP type is used to describe serial line internet protocol interfaces (SLIP).

MIB_IF_TYPE_TOKENRING 

The MIB_IF_TYPE_TOKENRING type is used to describe token ring interfaces.

 

The empty string value is permitted here to allow for detailed error reporting.


== EntityItemNamingContextType ==

The EntityItemNamingContextType restricts a string value to a specific set of values: domain, configuration, and schema. These values describe the different naming contexts found within Active Directory. The empty string is also allowed to support an empty element associated with error conditions.

Value Description

domain 

The domain naming context contains Active Directory objects present in the specified domain (e.g. users, computers, groups, and other objects).

configuration 

The configuration naming context contains configuration data that is required for the Active Directory to operate as a directory service.

schema 

The schema naming context contains all of the Active Directory object definitions.

 

The empty string value is permitted here to allow for detailed error reporting.


== EntityItemProtocolType ==

The EntityItemProtocolType restricts a string value to a specific set of values that describe the different available protocols. The empty string is also allowed to support an empty element associated with error conditions.

Value Description

TCP 

The port uses the Transmission Control Protocol (TCP).

UDP 

The port uses the User Datagram Protocol (UDP).

 

The empty string value is permitted here to allow for detailed error reporting.


== EntityItemRegistryHiveType ==

The EntityItemRegistryHiveType restricts a string value to a specific set of values that describe the different registry hives. The empty string is also allowed to support an empty element associated with error conditions.

Value Description

HKEY_CLASSES_ROOT 

This registry subtree contains information that associates file types with programs and configuration data for automation (e.g. COM objects and Visual Basic Programs).

HKEY_CURRENT_CONFIG 

This registry subtree contains configuration data for the current hardware profile.

HKEY_CURRENT_USER 

This registry subtree contains the user profile of the user that is currently logged into the system.

HKEY_LOCAL_MACHINE 

This registry subtree contains information about the local system.

HKEY_USERS 

This registry subtree contains user-specific data.

 

The empty string value is permitted here to allow for detailed error reporting.


== EntityItemRegistryTypeType ==

The EntityItemRegistryTypeType defines the different values that are valid for the type entity of a registry item. These values describe the possible types of data stored in a registry key. It restricts a string value to a specific set of values that describe the different registry types. The empty string is also allowed as a valid value to support empty elements associated with error conditions. Please note that the values identified are for the type entity and are not valid values for the datatype attribute. For information about how to encode registry data in OVAL for each of the different types, please visit the registry_item documentation.

Value Description

reg_binary 

The reg_binary type is used by registry keys that specify binary data in any form.

reg_dword 

The reg_dword type is used by registry keys that specify a 32-bit number.

reg_expand_sz 

The reg_expand_sz type is used by registry keys to specify a null-terminated string that contains unexpanded references to environment variables (for example, "%PATH%").

reg_multi_sz 

The reg_multi_sz type is used by registry keys that specify an array of null-terminated strings, terminated by two null characters.

reg_none 

The reg_none type is used by registry keys that have no defined value type.

reg_qword 

The reg_qword type is used by registry keys that specify a 64-bit number.

reg_sz 

The reg_sz type is used by registry keys that specify a single null-terminated string.

 

The empty string value is permitted here to allow for detailed error reporting.