Potential AIX Limitations with OVAL Schema
|
|
David Raphael
|
In the process of working with various AIX OVAL Definitions, we've run into what we believe is a limitation of the current and proposed schema.
We believe that there is a gap in the capability of OVAL regarding the verification of APAR related issues. The OVAL Schema currently supports <fix_test.../>, <fix_object.../>, and <fix_state.../> with regards to APAR numbers. The <fix_object .../> uses information acquired from the "instfix..." command. This command verifies "fixes." We also need to verify information gathered from the "emgr..." command. This command is used to install and verify "interim fixes." This would require the addition of something like <interim_fix_test.../>, <interim_fix_object.../>, and <interim_fix_state.../> Without this capability, OVAL is not capable of covering ~80% of recent (post-TL or post-Service Pack etc...) security issues. Here is an IBM page with some terminology: http://www14.software.ibm.com/webapp/set2/sas/f/aix51fixes/supportdefs.html -- David Raphael Research Tools Manager Risk and Compliance Security Research McAfee, Inc. 972.963.7224 Direct 214.769.6098 Mobile [hidden email] http://www.mcafee.com To unsubscribe, send an email message to [hidden email] with SIGNOFF OVAL-DEVELOPER-LIST in the BODY of the message. If you have difficulties, write to [hidden email]. |
||||||||||||||||
bakerj
|
David,
Thanks for bringing this up. Those of you that know your way around AIX please correct me where I am wrong below. More information about Interim Fixes can be found here: http://www14.software.ibm.com/webapp/set2/sas/f/aix.efixmgmt/docs.html I looked at the documentation for the emgr command: http://publib16.boulder.ibm.com/doc_link/en_US/a_doc_lib/cmds/aixcmds2/emgr.htm More specifically I am thinking this is the relevant section of the above page: http://publib16.boulder.ibm.com/doc_link/en_US/a_doc_lib/aixins/insgdrf/install_opt_swupdates.htm#emgr_listing_op It looks like we are interested in emgr -l. At first glance I am thinking we would use emgr -l -u <VUID> or emgr -l -L <LABEL> to list installed interim fixes and look up details of a single interim fix installation. Based on the documentation does the following fields make sense for this proposed test: Object fields: - vuid or label ( I am not sure ) - the id of the VUID or label of the efix. See http://publib16.boulder.ibm.com/doc_link/en_US/a_doc_lib/aixins/insgdrf/install_opt_swupdates.htm#emgr_reference_efix State fields: - vuid or label - see above... - abstract - Describes the efix package. - state - the emergency fix state. Based on an enumeration of possible states. See: http://publib16.boulder.ibm.com/doc_link/en_US/a_doc_lib/aixins/insgdrf/install_opt_swupdates.htm#emgr_efix_states - ... - are there other fields that should be included? Once we know the correct fields I can send around a bit of oval schema to represent the proposed test. Thanks, Jon ============================================ Jonathan O. Baker G022 - IA Industry Collaboration The MITRE Corporation Email: [hidden email] >-----Original Message----- >From: David Raphael [mailto:[hidden email]] >Sent: Wednesday, August 19, 2009 4:17 PM >To: oval-developer-list OVAL Developer List/Closed Public Discussion >Subject: [OVAL-DEVELOPER-LIST] Potential AIX Limitations with OVAL >Schema > >In the process of working with various AIX OVAL Definitions, we've run >into what we believe is a limitation of the current and proposed schema. > >We believe that there is a gap in the capability of OVAL regarding the >verification of APAR related issues. > >The OVAL Schema currently supports <fix_test.../>, <fix_object.../>, and ><fix_state.../> with regards to APAR numbers. The <fix_object .../> >uses information acquired from the "instfix..." command. This command >verifies "fixes." > >We also need to verify information gathered from the "emgr..." command. >This command is used to install and verify "interim fixes." This would >require the addition of something like <interim_fix_test.../>, ><interim_fix_object.../>, and <interim_fix_state.../> >Without this capability, OVAL is not capable of covering ~80% of recent >(post-TL or post-Service Pack etc...) security issues. > >Here is an IBM page with some terminology: >http://www14.software.ibm.com/webapp/set2/sas/f/aix51fixes/supportdefs.h >tml > > > >-- >David Raphael > >Research Tools Manager >Risk and Compliance Security Research >McAfee, Inc. > >972.963.7224 Direct >214.769.6098 Mobile > >[hidden email] >http://www.mcafee.com > >To unsubscribe, send an email message to [hidden email] with >SIGNOFF OVAL-DEVELOPER-LIST >in the BODY of the message. If you have difficulties, write to OVAL- >[hidden email]. To unsubscribe, send an email message to [hidden email] with SIGNOFF OVAL-DEVELOPER-LIST in the BODY of the message. If you have difficulties, write to [hidden email]. |
||||||||||||||||
Aharon
|
In reply to this post
by David Raphael
David is right, OVAL should allow checking for interim efixes. It hasn't been an issue for DTCC, as we only install APAR fixes. There is really a half a dozen different ways to handle this issue. If the OVAL definition included the vulnerable fileset versions, once an efix is applied, it would also take the fileset out of the range of vulnerable version. I don't see any reason to argue against adding this type of functionality though. In a previous message Jon mentions using the emgr command to list efixes. This command does require root access and we would have to assume that the oval interpreter was either running as root or has appropriate sudo access to run the command. In the OVAL world do we assume that the interpreter is running as a privileged user? I am not sure if instfix will list efixes, as we don't have any efixes installed in house for me to check. You can run instfix as a non-privileged user, but I am not sure that efixes will show in the output. I am not a big fan of IBM efixes, and do prefer mitigating the vulnerability through other means till an APAR is released. --------------------------------------------------- Michael "Aharon" Chernin Senior Unix Security Engineer Corporate Information Security -Depository Trust & Clearing Corporation [hidden email]
In the process of working with various AIX OVAL Definitions, we've run into what we believe is a limitation of the current and proposed schema. We believe that there is a gap in the capability of OVAL regarding the verification of APAR related issues. The OVAL Schema currently supports <fix_test.../>, <fix_object.../>, and <fix_state.../> with regards to APAR numbers. The <fix_object .../> uses information acquired from the "instfix..." command. This command verifies "fixes." We also need to verify information gathered from the "emgr..." command. This command is used to install and verify "interim fixes." This would require the addition of something like <interim_fix_test.../>, <interim_fix_object.../>, and <interim_fix_state.../> Without this capability, OVAL is not capable of covering ~80% of recent (post-TL or post-Service Pack etc...) security issues. Here is an IBM page with some terminology: http://www14.software.ibm.com/webapp/set2/sas/f/aix51fixes/supportdefs.html -- David Raphael Research Tools Manager Risk and Compliance Security Research McAfee, Inc. 972.963.7224 Direct 214.769.6098 Mobile [hidden email] http://www.mcafee.com To unsubscribe, send an email message to [hidden email] with SIGNOFF OVAL-DEVELOPER-LIST in the BODY of the message. If you have difficulties, write to [hidden email]. _____________________________________________________________ DTCC DISCLAIMER: This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error, please notify us immediately and delete the email and any attachments from your system. The recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email. To unsubscribe, send an email message to [hidden email] with SIGNOFF OVAL-DEVELOPER-LIST in the BODY of the message. If you have difficulties, write to [hidden email]. |
|||||||||||||||||||||||||||
|
bakerj
|
Some javascript/style in this post has been disabled (why?)
Aharon, Many of the tests defined in oval require root or otherwise elevated
access to a system. If the best method to examine interim fixes is through the
emgr command it would be acceptable to develop a test around this command that
requires root access. Do you have any suggestion for the fields that we would care to
collect in this new test? I suggested a few in my email last night, but I am
certainly not experienced with patching issues in AIX. Thanks, Jon ============================================ Jonathan O. Baker G022 - IA Industry Collaboration The MITRE Corporation Email: [hidden email] From: Michael Chernin
[mailto:[hidden email]]
|
|||||||||||||||||||||||||||
|
bakerj
|
In reply to this post
by bakerj
I have attached a modified version of the aix component schema for your review. Please note that I decided to incorporate both the VUID and the label in the new interim_fix_state and that the interim_fix_object uses just a VUID.
I would appreciate a quick turn around on the review of this new test so that we might be able to incorporate it into a second release candidate of version 5.6. More to follow on this, but for now note that we will likely have a second release candidate that will be posted later today or tomorrow. Thanks, Jon ============================================ Jonathan O. Baker G022 - IA Industry Collaboration The MITRE Corporation Email: [hidden email] >-----Original Message----- >From: Baker, Jon [mailto:[hidden email]] >Sent: Wednesday, August 19, 2009 10:02 PM >To: oval-developer-list OVAL Developer List/Closed Public Discussion >Subject: Re: [OVAL-DEVELOPER-LIST] Potential AIX Limitations with OVAL >Schema > >David, > >Thanks for bringing this up. Those of you that know your way around AIX >please correct me where I am wrong below. > >More information about Interim Fixes can be found here: >http://www14.software.ibm.com/webapp/set2/sas/f/aix.efixmgmt/docs.html > >I looked at the documentation for the emgr command: >http://publib16.boulder.ibm.com/doc_link/en_US/a_doc_lib/cmds/aixcmds2/e >mgr.htm > >More specifically I am thinking this is the relevant section of the >above page: >http://publib16.boulder.ibm.com/doc_link/en_US/a_doc_lib/aixins/insgdrf/ >install_opt_swupdates.htm#emgr_listing_op > > >It looks like we are interested in emgr -l. At first glance I am >thinking we would use emgr -l -u <VUID> or emgr -l -L <LABEL> to list >installed interim fixes and look up details of a single interim fix >installation. > >Based on the documentation does the following fields make sense for this >proposed test: > >Object fields: > - vuid or label ( I am not sure ) - the id of the VUID or label of the >efix. See >http://publib16.boulder.ibm.com/doc_link/en_US/a_doc_lib/aixins/insgdrf/ >install_opt_swupdates.htm#emgr_reference_efix > > > >State fields: > - vuid or label - see above... > - abstract - Describes the efix package. > - state - the emergency fix state. Based on an enumeration of possible >states. See: >http://publib16.boulder.ibm.com/doc_link/en_US/a_doc_lib/aixins/insgdrf/ >install_opt_swupdates.htm#emgr_efix_states > - ... - are there other fields that should be included? > > >Once we know the correct fields I can send around a bit of oval schema >to represent the proposed test. > >Thanks, > >Jon > >============================================ >Jonathan O. Baker >G022 - IA Industry Collaboration >The MITRE Corporation >Email: [hidden email] > > >>-----Original Message----- >>From: David Raphael [mailto:[hidden email]] >>Sent: Wednesday, August 19, 2009 4:17 PM >>To: oval-developer-list OVAL Developer List/Closed Public Discussion >>Subject: [OVAL-DEVELOPER-LIST] Potential AIX Limitations with OVAL >>Schema >> >>In the process of working with various AIX OVAL Definitions, we've run >>into what we believe is a limitation of the current and proposed >schema. >> >>We believe that there is a gap in the capability of OVAL regarding the >>verification of APAR related issues. >> >>The OVAL Schema currently supports <fix_test.../>, <fix_object.../>, >and >><fix_state.../> with regards to APAR numbers. The <fix_object .../> >>uses information acquired from the "instfix..." command. This command >>verifies "fixes." >> >>We also need to verify information gathered from the "emgr..." command. >>This command is used to install and verify "interim fixes." This would >>require the addition of something like <interim_fix_test.../>, >><interim_fix_object.../>, and <interim_fix_state.../> >>Without this capability, OVAL is not capable of covering ~80% of recent >>(post-TL or post-Service Pack etc...) security issues. >> >>Here is an IBM page with some terminology: >>http://www14.software.ibm.com/webapp/set2/sas/f/aix51fixes/supportdefs. >h >>tml >> >> >> >>-- >>David Raphael >> >>Research Tools Manager >>Risk and Compliance Security Research >>McAfee, Inc. >> >>972.963.7224 Direct >>214.769.6098 Mobile >> >>[hidden email] >>http://www.mcafee.com >> >>To unsubscribe, send an email message to [hidden email] with >>SIGNOFF OVAL-DEVELOPER-LIST >>in the BODY of the message. If you have difficulties, write to OVAL- >>[hidden email]. > >To unsubscribe, send an email message to [hidden email] with >SIGNOFF OVAL-DEVELOPER-LIST >in the BODY of the message. If you have difficulties, write to OVAL- >[hidden email]. SIGNOFF OVAL-DEVELOPER-LIST in the BODY of the message. If you have difficulties, write to [hidden email]. <?xml version="1.0"?> <xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:aix-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#aix" xmlns:sch="http://purl.oclc.org/dsdl/schematron" targetNamespace="http://oval.mitre.org/XMLSchema/oval-definitions-5#aix" elementFormDefault="qualified" version="5.6"> <xsd:import namespace="http://oval.mitre.org/XMLSchema/oval-definitions-5" schemaLocation="oval-definitions-schema.xsd"/> <xsd:annotation> <xsd:documentation>The following is a description of the elements, types, and attributes that compose the AIX specific tests found in Open Vulnerability and Assessment Language (OVAL). Each test is an extension of the standard test element defined in the Core Definition Schema. Through extension, each test inherits a set of elements and attributes that are shared amongst all OVAL tests. Each test is described in detail and should provide the information necessary to understand what each element and attribute represents. This document is intended for developers and assumes some familiarity with XML. A high level description of the interaction between the different tests and their relationship to the Core Definition Schema is not outlined here.</xsd:documentation> <xsd:documentation>This schema was originally developed by Yuzheng Zhou and Todd Dolinsky at Hewlett-Packard. The OVAL Schema is maintained by The MITRE Corporation and developed by the public OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.mitre.org.</xsd:documentation> <xsd:appinfo> <schema>AIX Definition</schema> <version>5.6 RC 1</version> <date>7/31/2009 3:39:08 PM</date> <terms_of_use>Copyright (c) 2002-2009, The MITRE Corporation. All rights reserved. The contents of this file are subject to the terms of the OVAL License located at http://oval.mitre.org/oval/about/termsofuse.html. See the OVAL License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the OVAL Schema, this license header must be included.</terms_of_use> <sch:ns prefix="oval-def" uri="http://oval.mitre.org/XMLSchema/oval-definitions-5"/> <sch:ns prefix="aix-def" uri="http://oval.mitre.org/XMLSchema/oval-definitions-5#aix"/> <sch:ns prefix="xsi" uri="http://www.w3.org/2001/XMLSchema-instance"/> </xsd:appinfo> </xsd:annotation> <!-- =============================================================================== --> <!-- ================================ INTERIM FIX TEST =========================== --> <!-- =============================================================================== --> <xsd:element name="interim_fix_test" substitutionGroup="oval-def:test"> <xsd:annotation> <xsd:documentation>The intirm fix test is used to check information associated with different interim or emergency fixes installed on the system. The information being tested is based off the emgr -l -u VUID command. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references an interim_fix_object and the optional state element specifies the information to check. The evaluation of the test is guided by the check attribute that is inherited from the TestType.</xsd:documentation> <xsd:appinfo> <sch:pattern id="interimfixtst"> <sch:rule context="aix-def:interim_fix_test/aix-def:object"> <sch:assert test="@object_ref=/oval-def:oval_definitions/oval-def:objects/aix-def:interim_fix_object/@id"><sch:value-of select="../@id"/> - the object child element of a <sch:name path=".."/> must reference a interim_fix_object</sch:assert> </sch:rule> <sch:rule context="aix-def:interim_fix_test/aix-def:state"> <sch:assert test="@state_ref=/oval-def:oval_definitions/oval-def:states/aix-def:interim_fix_state/@id"><sch:value-of select="../@id"/> - the state child element of a <sch:name path=".."/> must reference a interim_fix_state</sch:assert> </sch:rule> </sch:pattern> </xsd:appinfo> </xsd:annotation> <xsd:complexType> <xsd:complexContent> <xsd:extension base="oval-def:TestType"> <xsd:sequence> <xsd:element name="object" type="oval-def:ObjectRefType" minOccurs="1" maxOccurs="1"/> <xsd:element name="state" type="oval-def:StateRefType" minOccurs="0" maxOccurs="unbounded"/> </xsd:sequence> </xsd:extension> </xsd:complexContent> </xsd:complexType> </xsd:element> <xsd:element name="interim_fix_object" substitutionGroup="oval-def:object"> <xsd:annotation> <xsd:documentation>The interim_fix_object element is used by a intirm fix test to define the specific fix to be evaluated. Each object extends the standard ObjectType as definied in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.</xsd:documentation> <xsd:documentation>An interim fix object consists of a single wuid entity that identifies the fix to be used.</xsd:documentation> </xsd:annotation> <xsd:complexType> <xsd:complexContent> <xsd:extension base="oval-def:ObjectType"> <xsd:sequence> <xsd:choice minOccurs="1" maxOccurs="1"> <xsd:element ref="oval-def:set"/> <xsd:sequence> <xsd:element name="wuid" type="oval-def:EntityObjectStringType" minOccurs="1" maxOccurs="1"> <xsd:annotation> <xsd:documentation>TODO</xsd:documentation> <xsd:appinfo> <sch:pattern id="interimfixobjwuid"> <sch:rule context="aix-def:interim_fix_object/aix-def:wuid"> <sch:assert test="not(@datatype) or @datatype='string'"><sch:value-of select="../@id"/> - datatype attribute for the <sch:name/> entity of a <sch:name path=".."/> should be 'string'</sch:assert> </sch:rule> </sch:pattern> </xsd:appinfo> </xsd:annotation> </xsd:element> </xsd:sequence> </xsd:choice> </xsd:sequence> </xsd:extension> </xsd:complexContent> </xsd:complexType> </xsd:element> <xsd:element name="interim_fix_state" substitutionGroup="oval-def:state"> <xsd:annotation> <xsd:documentation>The interim_fix_state element defines the different information associated with a specific interim fix installed on the system. Please refer to the individual elements in the schema for more details about what each represents.</xsd:documentation> </xsd:annotation> <xsd:complexType> <xsd:complexContent> <xsd:extension base="oval-def:StateType"> <xsd:sequence> <xsd:element name="wuid" type="oval-def:EntityStateStringType" minOccurs="0" maxOccurs="1"> <xsd:annotation> <xsd:documentation>Virtually Unique ID. A combination of time and cpuid, this ID can be used to differentiate fixes that are otherwise identical.</xsd:documentation> <xsd:appinfo> <sch:pattern id="interimfixstewuid"> <sch:rule context="aix-def:interim_fix_state/aix-def:wuid"> <sch:assert test="not(@datatype) or @datatype='string'"><sch:value-of select="../@id"/> - datatype attribute for the <sch:name/> entity of a <sch:name path=".."/> should be 'string'</sch:assert> </sch:rule> </sch:pattern> </xsd:appinfo> </xsd:annotation> </xsd:element> <xsd:element name="label" type="oval-def:EntityStateStringType" minOccurs="0" maxOccurs="1"> <xsd:annotation> <xsd:documentation>Each efix that is installed on a given system has a unique efix label.</xsd:documentation> <xsd:appinfo> <sch:pattern id="interimfixstelabel"> <sch:rule context="aix-def:interim_fix_state/aix-def:label"> <sch:assert test="not(@datatype) or @datatype='string'"><sch:value-of select="../@id"/> - datatype attribute for the <sch:name/> entity of a <sch:name path=".."/> should be 'string'</sch:assert> </sch:rule> </sch:pattern> </xsd:appinfo> </xsd:annotation> </xsd:element> <xsd:element name="abstract" type="oval-def:EntityStateStringType" minOccurs="0" maxOccurs="1"> <xsd:annotation> <xsd:documentation>Describes the efix package.</xsd:documentation> <xsd:appinfo> <sch:pattern id="interimfixsteabstract"> <sch:rule context="aix-def:interim_fix_state/aix-def:abstract"> <sch:assert test="not(@datatype) or @datatype='string'"><sch:value-of select="../@id"/> - datatype attribute for the <sch:name/> entity of a <sch:name path=".."/> should be 'string'</sch:assert> </sch:rule> </sch:pattern> </xsd:appinfo> </xsd:annotation> </xsd:element> <xsd:element name="state" type="aix-def:EntityStateInterimFixStateType" minOccurs="0" maxOccurs="1"> <xsd:annotation> <xsd:documentation>The the emergency fix state.</xsd:documentation> <xsd:appinfo> <sch:pattern id="interimfixstestate"> <sch:rule context="aix-def:interim_fix_state/aix-def:state"> <sch:assert test="not(@datatype) or @datatype='string'"><sch:value-of select="../@id"/> - datatype attribute for the <sch:name/> entity of a <sch:name path=".."/> should be 'string'</sch:assert> </sch:rule> </sch:pattern> </xsd:appinfo> </xsd:annotation> </xsd:element> </xsd:sequence> </xsd:extension> </xsd:complexContent> </xsd:complexType> </xsd:element> <!-- =============================================================================== --> <!-- =============================== FILESET TEST ================================ --> <!-- =============================================================================== --> <xsd:element name="fileset_test" substitutionGroup="oval-def:test"> <xsd:annotation> <xsd:documentation>The fileset test is used to check information associated with different filesets installed on the system. The information used by this test is modeled after the /usr/bin/lslpp -l command. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references an inetd_object and the optional state element specifies the information to check. The evaluation of the test is guided by the check attribute that is inherited from the TestType.</xsd:documentation> <xsd:appinfo> <sch:pattern id="filesettst"> <sch:rule context="aix-def:fileset_test/aix-def:object"> <sch:assert test="@object_ref=/oval-def:oval_definitions/oval-def:objects/aix-def:fileset_object/@id"><sch:value-of select="../@id"/> - the object child element of a fileset_test must reference a fileset_object</sch:assert> </sch:rule> <sch:rule context="aix-def:fileset_test/aix-def:state"> <sch:assert test="@state_ref=/oval-def:oval_definitions/oval-def:states/aix-def:fileset_state/@id"><sch:value-of select="../@id"/> - the state child element of a fileset_test must reference a fileset_state</sch:assert> </sch:rule> </sch:pattern> </xsd:appinfo> </xsd:annotation> <xsd:complexType> <xsd:complexContent> <xsd:extension base="oval-def:TestType"> <xsd:sequence> <xsd:element name="object" type="oval-def:ObjectRefType" minOccurs="1" maxOccurs="1"/> <xsd:element name="state" type="oval-def:StateRefType" minOccurs="0" maxOccurs="unbounded"/> </xsd:sequence> </xsd:extension> </xsd:complexContent> </xsd:complexType> </xsd:element> <xsd:element name="fileset_object" substitutionGroup="oval-def:object"> <xsd:annotation> <xsd:documentation>The fileset_object element is used by a fileset test to define the fileset to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.</xsd:documentation> <xsd:documentation>A fileset object consists of a single flstinst entity that identifies the fileset to be used.</xsd:documentation> </xsd:annotation> <xsd:complexType> <xsd:complexContent> <xsd:extension base="oval-def:ObjectType"> <xsd:sequence> <xsd:choice minOccurs="1" maxOccurs="1"> <xsd:element ref="oval-def:set"/> <xsd:sequence> <xsd:element name="flstinst" type="oval-def:EntityObjectStringType" minOccurs="1" maxOccurs="1"> <xsd:annotation> <xsd:documentation>The flstinst entity represents the fileset name we want to check. For example, if we want to check the status of the fileset 'bos.rte', we can use fileset test and the flstinst entity will be 'bos.rte' or 'bot.*' or etc.</xsd:documentation> <xsd:appinfo> <sch:pattern id="filesetobjflstinst"> <sch:rule context="aix-def:fileset_object/aix-def:flstinst"> <sch:assert test="not(@datatype) or @datatype='string'"><sch:value-of select="../@id"/> - datatype attribute for the flstinst entity of a fileset_object should be 'string'</sch:assert> </sch:rule> </sch:pattern> </xsd:appinfo> </xsd:annotation> </xsd:element> </xsd:sequence> </xsd:choice> </xsd:sequence> </xsd:extension> </xsd:complexContent> </xsd:complexType> </xsd:element> <xsd:element name="fileset_state" substitutionGroup="oval-def:state"> <xsd:annotation> <xsd:documentation>The fileset_state element defines the different information associated with filesets installed on the system. Please refer to the individual elements in the schema for more details about what each represents.</xsd:documentation> </xsd:annotation> <xsd:complexType> <xsd:complexContent> <xsd:extension base="oval-def:StateType"> <xsd:sequence> <xsd:element name="flstinst" type="oval-def:EntityStateStringType" minOccurs="0" maxOccurs="1"> <xsd:annotation> <xsd:documentation>Represents the name of a fileset.</xsd:documentation> <xsd:appinfo> <sch:pattern id="filesetsteflstinst"> <sch:rule context="aix-def:fileset_state/aix-def:flstinst"> <sch:assert test="not(@datatype) or @datatype='string'"><sch:value-of select="../@id"/> - datatype attribute for the flstinst entity of a fileset_state should be 'string'</sch:assert> </sch:rule> </sch:pattern> </xsd:appinfo> </xsd:annotation> </xsd:element> <xsd:element name="level" type="oval-def:EntityStateStringType" minOccurs="0" maxOccurs="1"> <xsd:annotation> <xsd:documentation>Maintenance level (also known as version in Solaris or Linux) of a fileset. For example, "5.3.0.10" is the level for 'bos.txt.tfs' fileset in one AIX machine.</xsd:documentation> <xsd:appinfo> <sch:pattern id="filesetstelevel"> <sch:rule context="aix-def:fileset_state/aix-def:level"> <sch:assert test="@datatype='version'"><sch:value-of select="../@id"/> - datatype attribute for the level entity of a fileset_state should be 'version'</sch:assert> </sch:rule> </sch:pattern> </xsd:appinfo> </xsd:annotation> </xsd:element> <xsd:element name="state" type="aix-def:EntityStateFilesetStateType" minOccurs="0" maxOccurs="1"> <xsd:annotation> <xsd:documentation>This gives the state of a fileset. The state can be 'APPLIED', 'APPLYING','BROKEN', 'COMMITTED', 'EFIX LOCKED', 'OBSOLETE', 'COMMITTING','REJECTING'. See the manpage of the 'lslpp' command more information.</xsd:documentation> <xsd:appinfo> <sch:pattern id="filesetstestate"> <sch:rule context="aix-def:fileset_state/aix-def:state"> <sch:assert test="not(@datatype) or @datatype='string'"><sch:value-of select="../@id"/> - datatype attribute for the state entity of a fileset_state should be 'string'</sch:assert> </sch:rule> </sch:pattern> </xsd:appinfo> </xsd:annotation> </xsd:element> <xsd:element name="description" type="oval-def:EntityStateStringType" minOccurs="0" maxOccurs="1"> <xsd:annotation> <xsd:documentation>Short description of a fileset.</xsd:documentation> <xsd:appinfo> <sch:pattern id="filesetstedescription"> <sch:rule context="aix-def:fileset_state/aix-def:description"> <sch:assert test="not(@datatype) or @datatype='string'"><sch:value-of select="../@id"/> - datatype attribute for the description entity of a fileset_state should be 'string'</sch:assert> </sch:rule> </sch:pattern> </xsd:appinfo> </xsd:annotation> </xsd:element> </xsd:sequence> </xsd:extension> </xsd:complexContent> </xsd:complexType> </xsd:element> <!-- =============================================================================== --> <!-- ================================ FIX TEST =================================== --> <!-- =============================================================================== --> <xsd:element name="fix_test" substitutionGroup="oval-def:test"> <xsd:annotation> <xsd:documentation>The fix test is used to check information associated with different fixes installed on the system. The information being tested is based off the /usr/sbin/instfix -iavk command. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references an fix_object and the optional state element specifies the information to check. The evaluation of the test is guided by the check attribute that is inherited from the TestType.</xsd:documentation> <xsd:appinfo> <sch:pattern id="fixtst"> <sch:rule context="aix-def:fix_test/aix-def:object"> <sch:assert test="@object_ref=/oval-def:oval_definitions/oval-def:objects/aix-def:fix_object/@id"><sch:value-of select="../@id"/> - the object child element of a fix_test must reference a fix_object</sch:assert> </sch:rule> <sch:rule context="aix-def:fix_test/aix-def:state"> <sch:assert test="@state_ref=/oval-def:oval_definitions/oval-def:states/aix-def:fix_state/@id"><sch:value-of select="../@id"/> - the state child element of a fix_test must reference a fix_state</sch:assert> </sch:rule> </sch:pattern> </xsd:appinfo> </xsd:annotation> <xsd:complexType> <xsd:complexContent> <xsd:extension base="oval-def:TestType"> <xsd:sequence> <xsd:element name="object" type="oval-def:ObjectRefType" minOccurs="1" maxOccurs="1"/> <xsd:element name="state" type="oval-def:StateRefType" minOccurs="0" maxOccurs="unbounded"/> </xsd:sequence> </xsd:extension> </xsd:complexContent> </xsd:complexType> </xsd:element> <xsd:element name="fix_object" substitutionGroup="oval-def:object"> <xsd:annotation> <xsd:documentation>The fix_object element is used by a fix test to define the specific fix to be evaluated. Each object extends the standard ObjectType as definied in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.</xsd:documentation> <xsd:documentation>A fix object consists of a single apar_number entity that identifies the fix to be used.</xsd:documentation> </xsd:annotation> <xsd:complexType> <xsd:complexContent> <xsd:extension base="oval-def:ObjectType"> <xsd:sequence> <xsd:choice minOccurs="1" maxOccurs="1"> <xsd:element ref="oval-def:set"/> <xsd:sequence> <xsd:element name="apar_number" type="oval-def:EntityObjectStringType" minOccurs="1" maxOccurs="1"> <xsd:annotation> <xsd:documentation>APAR is the short for 'Authorized Program Analysis Report'. APAR identifies and describes a software product defect. An APAR number can obtain a PTF (Program Temporary Fix) for the defect, if a PTF is available. An example of an apar_number is 'IY78751', it includes two alphabetic characters and a 5-digit integer.</xsd:documentation> <xsd:appinfo> <sch:pattern id="fixobjapar_number"> <sch:rule context="aix-def:fix_object/aix-def:apar_number"> <sch:assert test="not(@datatype) or @datatype='string'"><sch:value-of select="../@id"/> - datatype attribute for the apar_number entity of a fix_object should be 'string'</sch:assert> </sch:rule> </sch:pattern> </xsd:appinfo> </xsd:annotation> </xsd:element> </xsd:sequence> </xsd:choice> </xsd:sequence> </xsd:extension> </xsd:complexContent> </xsd:complexType> </xsd:element> <xsd:element name="fix_state" substitutionGroup="oval-def:state"> <xsd:annotation> <xsd:documentation>The fix_state element defines the different information associated with a specific fix installed on the system. Please refer to the individual elements in the schema for more details about what each represents.</xsd:documentation> </xsd:annotation> <xsd:complexType> <xsd:complexContent> <xsd:extension base="oval-def:StateType"> <xsd:sequence> <xsd:element name="apar_number" type="oval-def:EntityStateStringType" minOccurs="0" maxOccurs="1"> <xsd:annotation> <xsd:documentation>APAR is the short for 'Authorized Program Analysis Report'. APAR identifies and describes a software product defect. An APAR number can obtain a PTF (Program Temporary Fix) for the defect, if a PTF is available. An example of an apar_number is 'IY78751', it includes two alphabetic characters and a 5-digit integer.</xsd:documentation> <xsd:appinfo> <sch:pattern id="fixsteapar_number"> <sch:rule context="aix-def:fix_state/aix-def:apar_number"> <sch:assert test="not(@datatype) or @datatype='string'"><sch:value-of select="../@id"/> - datatype attribute for the apar_number entity of a fix_state should be 'string'</sch:assert> </sch:rule> </sch:pattern> </xsd:appinfo> </xsd:annotation> </xsd:element> <xsd:element name="abstract" type="oval-def:EntityStateStringType" minOccurs="0" maxOccurs="1"> <xsd:annotation> <xsd:documentation>The abstract of an APAR. For instance, 'LL syas rXct are available even when not susea' is the abstract of APAR 'IY78751'.</xsd:documentation> <xsd:appinfo> <sch:pattern id="fixsteabstract"> <sch:rule context="aix-def:fix_state/aix-def:abstract"> <sch:assert test="not(@datatype) or @datatype='string'"><sch:value-of select="../@id"/> - datatype attribute for the abstract entity of a fix_state should be 'string'</sch:assert> </sch:rule> </sch:pattern> </xsd:appinfo> </xsd:annotation> </xsd:element> <xsd:element name="symptom" type="oval-def:EntityStateStringType" minOccurs="0" maxOccurs="1"> <xsd:annotation> <xsd:documentation>The symptom text related to an APAR. For example, the symptom text for 'IY75211' is 'Daylight savings change for year 2007 and beyond'.</xsd:documentation> <xsd:appinfo> <sch:pattern id="fixstesymptom"> <sch:rule context="aix-def:fix_state/aix-def:symptom"> <sch:assert test="not(@datatype) or @datatype='string'"><sch:value-of select="../@id"/> - datatype attribute for the symptom entity of a fix_state should be 'string'</sch:assert> </sch:rule> </sch:pattern> </xsd:appinfo> </xsd:annotation> </xsd:element> <xsd:element name="installation_status" type="aix-def:EntityStateFixInstallationStatusType" minOccurs="0" maxOccurs="1"> <xsd:annotation> <xsd:documentation>The installation status of files associated with the APAR. This cannot be got from the output of the instfix command directly. The last line of the output is 'All filesets for XXXXXXX were found', or 'Not all filesets for XXXXXXX were found' or 'No filesets which have fixes for XXXXXXX are currently installed.'. These can be translated to the correct value as defined by the EntityStateFixInstallationStatusType.</xsd:documentation> <xsd:appinfo> <sch:pattern id="fixsteinstallation_status"> <sch:rule context="aix-def:fix_state/aix-def:installation_status"> <sch:assert test="not(@datatype) or @datatype='string'"><sch:value-of select="../@id"/> - datatype attribute for the installation_status entity of a fix_state should be 'string'</sch:assert> </sch:rule> </sch:pattern> </xsd:appinfo> </xsd:annotation> </xsd:element> </xsd:sequence> </xsd:extension> </xsd:complexContent> </xsd:complexType> </xsd:element> <!-- =============================================================================== --> <!-- =============================== OSLEVEL TEST ================================ --> <!-- =============================================================================== --> <xsd:element name="oslevel_test" substitutionGroup="oval-def:test"> <xsd:annotation> <xsd:documentation>The oslevel test reveals information about the release and maintenance level of AIX operating system. This information can be retrieved by the /usr/bin/oslevel -r command. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references an oslevel_object and the optional state element specifies the metadata to check. The evaluation of the test is guided by the check attribute that is inherited from the TestType.</xsd:documentation> <xsd:appinfo> <sch:pattern id="osleveltst"> <sch:rule context="aix-def:oslevel_test/aix-def:object"> <sch:assert test="@object_ref=/oval-def:oval_definitions/oval-def:objects/aix-def:oslevel_object/@id"><sch:value-of select="../@id"/> - the object child element of a oslevel_test must reference a oslevel_object</sch:assert> </sch:rule> <sch:rule context="aix-def:oslevel_test/aix-def:state"> <sch:assert test="@state_ref=/oval-def:oval_definitions/oval-def:states/aix-def:oslevel_state/@id"><sch:value-of select="../@id"/> - the state child element of a oslevel_test must reference a oslevel_state</sch:assert> </sch:rule> </sch:pattern> </xsd:appinfo> </xsd:annotation> <xsd:complexType> <xsd:complexContent> <xsd:extension base="oval-def:TestType"> <xsd:sequence> <xsd:element name="object" type="oval-def:ObjectRefType" minOccurs="1" maxOccurs="1"/> <xsd:element name="state" type="oval-def:StateRefType" minOccurs="0" maxOccurs="unbounded"/> </xsd:sequence> </xsd:extension> </xsd:complexContent> </xsd:complexType> </xsd:element> <xsd:element name="oslevel_object" substitutionGroup="oval-def:object"> <xsd:annotation> <xsd:documentation>The oslevel_object element is used by an oslevel test to define those objects to be evaluated based on a specified state. There is actually only one object relating to oslevel and this is the system as a whole. Therefore, there are no child entities defined. Any OVAL Test written to check oslevel will reference the same oslevel_object which is basically an empty object element.</xsd:documentation> </xsd:annotation> <xsd:complexType> <xsd:complexContent> <xsd:extension base="oval-def:ObjectType"/> </xsd:complexContent> </xsd:complexType> </xsd:element> <xsd:element name="oslevel_state" substitutionGroup="oval-def:state"> <xsd:annotation> <xsd:documentation>The oslevel_state element defines the information about maintenance level (system version). Please refer to the individual elements in the schema for more details about what each represents.</xsd:documentation> </xsd:annotation> <xsd:complexType> <xsd:complexContent> <xsd:extension base="oval-def:StateType"> <xsd:sequence> <xsd:element name="maintenance_level" type="oval-def:EntityStateStringType" minOccurs="1" maxOccurs="1"> <xsd:annotation> <xsd:documentation>This is the maintenance level (system version) of current AIX operating system.</xsd:documentation> <xsd:appinfo> <sch:pattern id="oslevelstemaintenance_level"> <sch:rule context="aix-def:oslevel_state/aix-def:maintenance_level"> <sch:assert test="@datatype='version'"><sch:value-of select="../@id"/> - datatype attribute for the maintenance_level entity of an oslevel_state should be 'version'</sch:assert> </sch:rule> </sch:pattern> </xsd:appinfo> </xsd:annotation> </xsd:element> </xsd:sequence> </xsd:extension> </xsd:complexContent> </xsd:complexType> </xsd:element> <!-- =============================================================================== --> <!-- =============================================================================== --> <!-- =============================================================================== --> <xsd:complexType name="EntityStateFilesetStateType"> <xsd:annotation> <xsd:documentation>The EntityStateFilesetStateType complex type defines the different values that are valid for the state entity of a fileset state. The empty string is also allowed as a valid value to support an empty element that is found when a variable reference is used within the state entity. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.</xsd:documentation> </xsd:annotation> <xsd:simpleContent> <xsd:restriction base="oval-def:EntityStateStringType"> <xsd:enumeration value="APPLIED"> <xsd:annotation> <xsd:documentation>The specified fileset is installed on the system. The APPLIED state means that the fileset can be rejected with the installp command and the previous level of the fileset restored. This state is only valid for Version 4 fileset updates and 3.2 migrated filesets.</xsd:documentation> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="APPLYING"> <xsd:annotation> <xsd:documentation>An attempt was made to apply the specified fileset, but it did not complete successfully, and cleanup was not performed.</xsd:documentation> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="BROKEN"> <xsd:annotation> <xsd:documentation>The specified fileset or fileset update is broken and should be reinstalled before being used.</xsd:documentation> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="COMMITTED"> <xsd:annotation> <xsd:documentation>The specified fileset is installed on the system. The COMMITTED state means that a commitment has been made to this level of the software. A committed fileset update cannot be rejected, but a committed fileset base level and its updates (regardless of state) can be removed or deinstalled by the installp command.</xsd:documentation> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="COMMITTING"> <xsd:annotation> <xsd:documentation>An attempt was made to commit the specified fileset, but it did not complete successfully, and cleanup was not performed.</xsd:documentation> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="EFIX LOCKED"> <xsd:annotation> <xsd:documentation>The specified fileset was installed sucessfully and locked by the interim fix (interim fix) manager.</xsd:documentation> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="OBSOLETE"> <xsd:annotation> <xsd:documentation>The specified fileset was installed with an earlier version of the operating system but has been replaced by a repackaged (renamed) newer version. Some of the files that belonged to this fileset have been replaced by versions from the repackaged fileset.</xsd:documentation> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="REJECTING"> <xsd:annotation> <xsd:documentation>An attempt was made to reject the specified fileset, but it did not complete successfully, and cleanup was not performed.</xsd:documentation> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value=""> <xsd:annotation> <xsd:documentation>The empty string value is permitted here to allow for empty elements associated with variable references.</xsd:documentation> </xsd:annotation> </xsd:enumeration> </xsd:restriction> </xsd:simpleContent> </xsd:complexType> <xsd:complexType name="EntityStateFixInstallationStatusType"> <xsd:annotation> <xsd:documentation>The EntityStateFixInstallationStatusType complex type defines the different values that are valid for the installation_status entity of a fix_state state. The empty string is also allowed as a valid value to support an empty element that is found when a variable reference is used within the installation_status entity. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.</xsd:documentation> </xsd:annotation> <xsd:simpleContent> <xsd:restriction base="oval-def:EntityStateStringType"> <xsd:enumeration value="ALL_INSTALLED"> <xsd:annotation> <xsd:documentation>All filesets for XXXXXXX were found</xsd:documentation> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="SOME_INSTALLED"> <xsd:annotation> <xsd:documentation>Not all filesets for XXXXXXX were found</xsd:documentation> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="NONE_INSTALLED"> <xsd:annotation> <xsd:documentation>No filesets which have fixes for XXXXXXX are currently installed.</xsd:documentation> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value=""> <xsd:annotation> <xsd:documentation>The empty string value is permitted here to allow for empty elements associated with variable references.</xsd:documentation> </xsd:annotation> </xsd:enumeration> </xsd:restriction> </xsd:simpleContent> </xsd:complexType> <xsd:complexType name="EntityStateInterimFixStateType"> <xsd:annotation> <xsd:documentation>The EntityStateInterimFixStateType complex type defines the different values that are valid for the state entity of a interim_fix_state state. Please refer to the AIX documentation of Emergency Fix States. The empty string is also allowed as a valid value to support an empty element that is found when a variable reference is used within the state entity. Note that when using pattern matches and variables care must be taken to ensure that the regular expression and variable values align with the enumerated values.</xsd:documentation> </xsd:annotation> <xsd:simpleContent> <xsd:restriction base="oval-def:EntityStateStringType"> <xsd:enumeration value="STABLE"> <xsd:annotation> <xsd:documentation>The efix was installed with a standard installation, and successfully completed the last installation operation.</xsd:documentation> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="MOUNTED"> <xsd:annotation> <xsd:documentation>The efix was installed with a mount installation operation, and successfully completed the last installation or mount operation.</xsd:documentation> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="UNMOUNTED"> <xsd:annotation> <xsd:documentation>The efix was installed with a mount installation operation and one or more efix files were unmounted in a previous emgr command operation.</xsd:documentation> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="BROKEN"> <xsd:annotation> <xsd:documentation>An unrecoverable error occurred during an installation or removal operation. The status of the efix is unreliable.</xsd:documentation> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="INSTALLING"> <xsd:annotation> <xsd:documentation>The efix is in the process of installing.</xsd:documentation> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="REBOOT_REQUIRED"> <xsd:annotation> <xsd:documentation>The efix was installed successfully and requires a reboot to fully integrate into the target system.</xsd:documentation> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="REMOVING"> <xsd:annotation> <xsd:documentation>The efix is in the process of being removed.</xsd:documentation> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value=""> <xsd:annotation> <xsd:documentation>The empty string value is permitted here to allow for empty elements associated with variable references.</xsd:documentation> </xsd:annotation> </xsd:enumeration> </xsd:restriction> </xsd:simpleContent> </xsd:complexType> </xsd:schema> <?xml version="1.0"?> <xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:oval-sc="http://oval.mitre.org/XMLSchema/oval-system-characteristics-5" xmlns:aix-sc="http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#aix" xmlns:sch="http://purl.oclc.org/dsdl/schematron" targetNamespace="http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#aix" elementFormDefault="qualified" version="5.6"> <xsd:import namespace="http://oval.mitre.org/XMLSchema/oval-system-characteristics-5" schemaLocation="oval-system-characteristics-schema.xsd"/> <xsd:annotation> <xsd:documentation>The following is a description of the elements, types, and attributes that compose the AIX specific system characteristic items found in Open Vulnerability and Assessment Language (OVAL). Each item is an extension of the standard test element defined in the Core Definition Schema. Through extension, each test inherits a set of elements and attributes that are shared amongst all OVAL tests. Each test is described in detail and should provide the information necessary to understand what each element and attribute represents. This document is intended for developers and assumes some familiarity with XML. A high level description of the interaction between the different tests and their relationship to the Core Definition Schema is not outlined here.</xsd:documentation> <xsd:documentation>This schema was originally developed by Yuzheng Zhou and Todd Dolinsky at Hewlett-Packard. The OVAL Schema is maintained by The MITRE Corporation and developed by the public OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.mitre.org.</xsd:documentation> <xsd:appinfo> <schema>AIX System Characteristics</schema> <version>5.6 RC 1</version> <date>7/31/2009 3:39:10 PM</date> <terms_of_use>Copyright (c) 2002-2009, The MITRE Corporation. All rights reserved. The contents of this file are subject to the terms of the OVAL License located at http://oval.mitre.org/oval/about/termsofuse.html. See the OVAL License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the OVAL Schema, this license header must be included.</terms_of_use> <sch:ns prefix="oval-sc" uri="http://oval.mitre.org/XMLSchema/oval-system-characteristics-5"/> <sch:ns prefix="aix-sc" uri="http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#aix"/> <sch:ns prefix="xsi" uri="http://www.w3.org/2001/XMLSchema-instance"/> </xsd:appinfo> </xsd:annotation> <!-- =============================================================================== --> <!-- ============================= INTERIM FIX ITEM ============================== --> <!-- =============================================================================== --> <xsd:element name="interim_fix_item" substitutionGroup="oval-sc:item"> <xsd:annotation> <xsd:documentation>From emgr -l -u VUID Command. See instfix manpage for specific fields.</xsd:documentation> </xsd:annotation> <xsd:complexType> <xsd:complexContent> <xsd:extension base="oval-sc:ItemType"> <xsd:sequence> <xsd:element name="wuid" type="oval-sc:EntityItemStringType" minOccurs="0" maxOccurs="1"> <xsd:annotation> <xsd:documentation>Virtually Unique ID. A combination of time and cpuid, this ID can be used to differentiate fixes that are otherwise identical.</xsd:documentation> <xsd:appinfo> <sch:pattern id="interimfixitemwuid"> <sch:rule context="aix-sc:interim_fix_item/aix-sc:wuid"> <sch:assert test="not(@datatype) or @datatype='string'">item <sch:value-of select="../@id"/> - datatype attribute for the <sch:name/> entity of a <sch:name path=".."/> should be 'string'</sch:assert> </sch:rule> </sch:pattern> </xsd:appinfo> </xsd:annotation> </xsd:element> <xsd:element name="label" type="oval-sc:EntityItemStringType" minOccurs="0" maxOccurs="1"> <xsd:annotation> <xsd:documentation>Each efix that is installed on a given system has a unique efix label.</xsd:documentation> <xsd:appinfo> <sch:pattern id="interimfixitemlabel"> <sch:rule context="aix-sc:interim_fix_item/aix-sc:label"> <sch:assert test="not(@datatype) or @datatype='string'">item <sch:value-of select="../@id"/> - datatype attribute for the <sch:name/> entity of a <sch:name path=".."/> should be 'string'</sch:assert> </sch:rule> </sch:pattern> </xsd:appinfo> </xsd:annotation> </xsd:element> <xsd:element name="abstract" type="oval-sc:EntityItemStringType" minOccurs="0" maxOccurs="1"> <xsd:annotation> <xsd:documentation>Describes the efix package.</xsd:documentation> <xsd:appinfo> <sch:pattern id="interimfixitemabstract"> <sch:rule context="aix-sc:interim_fix_item/aix-sc:abstract"> <sch:assert test="not(@datatype) or @datatype='string'">item <sch:value-of select="../@id"/> - datatype attribute for the <sch:name/> entity of a <sch:name path=".."/> should be 'string'</sch:assert> </sch:rule> </sch:pattern> </xsd:appinfo> </xsd:annotation> </xsd:element> <xsd:element name="state" type="aix-sc:EntityItemInterimFixStateType" minOccurs="0" maxOccurs="1"> <xsd:annotation> <xsd:documentation>The the emergency fix state.</xsd:documentation> <xsd:appinfo> <sch:pattern id="interimfixitemstate"> <sch:rule context="aix-sc:interim_fix_item/aix-sc:state"> <sch:assert test="not(@datatype) or @datatype='string'">item <sch:value-of select="../@id"/> - datatype attribute for the <sch:name/> entity of a <sch:name path=".."/> should be 'string'</sch:assert> </sch:rule> </sch:pattern> </xsd:appinfo> </xsd:annotation> </xsd:element> </xsd:sequence> </xsd:extension> </xsd:complexContent> </xsd:complexType> </xsd:element> <!-- =============================================================================== --> <!-- =============================== FILESET ITEM ================================ --> <!-- =============================================================================== --> <xsd:element name="fileset_item" substitutionGroup="oval-sc:item"> <xsd:annotation> <xsd:documentation>Output of /usr/bin/lslpp -l FilesetName. See lslpp manpage for specific fields.</xsd:documentation> </xsd:annotation> <xsd:complexType> <xsd:complexContent> <xsd:extension base="oval-sc:ItemType"> <xsd:sequence> <xsd:element name="flstinst" type="oval-sc:EntityItemStringType" minOccurs="0" maxOccurs="1"> <xsd:annotation> <xsd:documentation>Represents the name of the fileset being checked.</xsd:documentation> <xsd:appinfo> <sch:pattern id="filesetitemflstinst"> <sch:rule context="aix-sc:fileset_item/aix-sc:flstinst"> <sch:assert test="not(@datatype) or @datatype='string'">item <sch:value-of select="../@id"/> - datatype attribute for the flstinst entity of a fileset_item should be 'string'</sch:assert> </sch:rule> </sch:pattern> </xsd:appinfo> </xsd:annotation> </xsd:element> <xsd:element name="level" type="oval-sc:EntityItemStringType" minOccurs="0" maxOccurs="1"> <xsd:annotation> <xsd:documentation>Maintenance level (also known as version in Solaris or Linux) of the fileset. For example, "5.3.0.10" is the level for 'bos.txt.tfs' fileset in one AIX machine.</xsd:documentation> <xsd:appinfo> <sch:pattern id="filesetitemlevel"> <sch:rule context="aix-sc:fileset_item/aix-sc:level"> <sch:assert test="@datatype='version'">item <sch:value-of select="../@id"/> - datatype attribute for the level entity of a fileset_item should be 'version'</sch:assert> </sch:rule> </sch:pattern> </xsd:appinfo> </xsd:annotation> </xsd:element> <xsd:element name="state" type="aix-sc:EntityItemFilesetStateType" minOccurs="0" maxOccurs="1"> <xsd:annotation> <xsd:documentation>This gives the state of the fileset being checked. The state can be 'APPLIED', 'APPLYING','BROKEN', 'COMMITTED', 'EFIX LOCKED', 'OBSOLETE', 'COMMITTING','REJECTING'. See the manpage of the 'lslpp' command more information.</xsd:documentation> <xsd:appinfo> <sch:pattern id="filesetitemstate"> <sch:rule context="aix-sc:fileset_item/aix-sc:state"> <sch:assert test="not(@datatype) or @datatype='string'">item <sch:value-of select="../@id"/> - datatype attribute for the state entity of a fileset_item should be 'string'</sch:assert> </sch:rule> </sch:pattern> </xsd:appinfo> </xsd:annotation> </xsd:element> <xsd:element name="description" type="oval-sc:EntityItemStringType" minOccurs="0" maxOccurs="1"> <xsd:annotation> <xsd:documentation>Short description of the fileset being checked.</xsd:documentation> <xsd:appinfo> <sch:pattern id="filesetitemdescription"> <sch:rule context="aix-sc:fileset_item/aix-sc:description"> <sch:assert test="not(@datatype) or @datatype='string'">item <sch:value-of select="../@id"/> - datatype attribute for the description entity of a fileset_item should be 'string'</sch:assert> </sch:rule> </sch:pattern> </xsd:appinfo> </xsd:annotation> </xsd:element> </xsd:sequence> </xsd:extension> </xsd:complexContent> </xsd:complexType> </xsd:element> <!-- =============================================================================== --> <!-- ============================= FIX ITEM ==================================== --> <!-- =============================================================================== --> <xsd:element name="fix_item" substitutionGroup="oval-sc:item"> <xsd:annotation> <xsd:documentation>From /usr/sbin/instfix -iavk APARNum Command. See instfix manpage for specific fields.</xsd:documentation> </xsd:annotation> <xsd:complexType> <xsd:complexContent> <xsd:extension base="oval-sc:ItemType"> <xsd:sequence> <xsd:element name="apar_number" type="oval-sc:EntityItemStringType" minOccurs="0" maxOccurs="1"> <xsd:annotation> <xsd:documentation>APAR is the short for 'Authorized Program Analysis Report'. APAR identifies and describes a software product defect. An APAR number can obtain a PTF (Program Temporary Fix) for the defect, if a PTF is available. An example of an apar_number is 'IY78751', it includes two alphabetic characters and a 5-digit integer.</xsd:documentation> <xsd:appinfo> <sch:pattern id="fixitemapar_number"> <sch:rule context="aix-sc:fix_item/aix-sc:apar_number"> <sch:assert test="not(@datatype) or @datatype='string'">item <sch:value-of select="../@id"/> - datatype attribute for the apar_number entity of a fix_item should be 'string'</sch:assert> </sch:rule> </sch:pattern> </xsd:appinfo> </xsd:annotation> </xsd:element> <xsd:element name="abstract" type="oval-sc:EntityItemStringType" minOccurs="0" maxOccurs="1"> <xsd:annotation> <xsd:documentation>The abstract of the APAR being checked. For instance, 'LL syas rXct are available even when not susea' is the abstract of APAR 'IY78751'.</xsd:documentation> <xsd:appinfo> <sch:pattern id="fixitemabstract"> <sch:rule context="aix-sc:fix_item/aix-sc:abstract"> <sch:assert test="not(@datatype) or @datatype='string'">item <sch:value-of select="../@id"/> - datatype attribute for the abstract entity of a fix_item should be 'string'</sch:assert> </sch:rule> </sch:pattern> </xsd:appinfo> </xsd:annotation> </xsd:element> <xsd:element name="symptom" type="oval-sc:EntityItemStringType" minOccurs="0" maxOccurs="1"> <xsd:annotation> <xsd:documentation>The symptom text related to the APAR being checked. For example, the symptom text for 'IY75211' is 'Daylight savings change for year 2007 and beyond'.</xsd:documentation> <xsd:appinfo> <sch:pattern id="fixitemsymptom"> <sch:rule context="aix-sc:fix_item/aix-sc:symptom"> <sch:assert test="not(@datatype) or @datatype='string'">item <sch:value-of select="../@id"/> - datatype attribute for the symptom entity of a fix_item should be 'string'</sch:assert> </sch:rule> </sch:pattern> </xsd:appinfo> </xsd:annotation> </xsd:element> <xsd:element name="installation_status" type="aix-sc:EntityItemFixInstallationStatusType" minOccurs="0" maxOccurs="1"> <xsd:annotation> <xsd:documentation>The installation status of files associated with the APAR.</xsd:documentation> <xsd:appinfo> <sch:pattern id="fixiteminstallation_status"> <sch:rule context="aix-sc:fix_item/aix-sc:installation_status"> <sch:assert test="not(@datatype) or @datatype='string'">item <sch:value-of select="../@id"/> - datatype attribute for the installation_status entity of a fix_item should be 'string'</sch:assert> </sch:rule> </sch:pattern> </xsd:appinfo> </xsd:annotation> </xsd:element> </xsd:sequence> </xsd:extension> </xsd:complexContent> </xsd:complexType> </xsd:element> <!-- =============================================================================== --> <!-- =============================== OSLEVEL ITEM ================================ --> <!-- =============================================================================== --> <xsd:element name="oslevel_item" substitutionGroup="oval-sc:item"> <xsd:annotation> <xsd:documentation>Information about the release and maintenance level of AIX operating system. This information can be retrieved by the /usr/bin/oslevel -r command.</xsd:documentation> </xsd:annotation> <xsd:complexType> <xsd:complexContent> <xsd:extension base="oval-sc:ItemType"> <xsd:sequence> <xsd:element name="maintenance_level" type="oval-sc:EntityItemStringType" minOccurs="0" maxOccurs="1"> <xsd:annotation> <xsd:documentation>This is the maintenance level (system version) of current AIX operating system.</xsd:documentation> <xsd:appinfo> <sch:pattern id="oslevelitemmaintenance_level"> <sch:rule context="aix-sc:oslevel_item/aix-sc:maintenance_level"> <sch:assert test="@datatype='version'">item <sch:value-of select="../@id"/> - datatype attribute for the maintenance_level entity of an oslevel_item should be 'version'</sch:assert> </sch:rule> </sch:pattern> </xsd:appinfo> </xsd:annotation> </xsd:element> </xsd:sequence> </xsd:extension> </xsd:complexContent> </xsd:complexType> </xsd:element> <!-- =============================================================================== --> <!-- =============================================================================== --> <!-- =============================================================================== --> <xsd:complexType name="EntityItemFilesetStateType"> <xsd:annotation> <xsd:documentation>The EntityStateFilesetStateType complex type defines the different values that are valid for the state entity of a fileset state. The empty string value is permitted here to allow for detailed error reporting.</xsd:documentation> </xsd:annotation> <xsd:simpleContent> <xsd:restriction base="oval-sc:EntityItemStringType"> <xsd:enumeration value="APPLIED"> <xsd:annotation> <xsd:documentation>The specified fileset is installed on the system. The APPLIED state means that the fileset can be rejected with the installp command and the previous level of the fileset restored. This state is only valid for Version 4 fileset updates and 3.2 migrated filesets.</xsd:documentation> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="APPLYING"> <xsd:annotation> <xsd:documentation>An attempt was made to apply the specified fileset, but it did not complete successfully, and cleanup was not performed.</xsd:documentation> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="BROKEN"> <xsd:annotation> <xsd:documentation>The specified fileset or fileset update is broken and should be reinstalled before being used.</xsd:documentation> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="COMMITTED"> <xsd:annotation> <xsd:documentation>The specified fileset is installed on the system. The COMMITTED state means that a commitment has been made to this level of the software. A committed fileset update cannot be rejected, but a committed fileset base level and its updates (regardless of state) can be removed or deinstalled by the installp command.</xsd:documentation> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="COMMITTING"> <xsd:annotation> <xsd:documentation>An attempt was made to commit the specified fileset, but it did not complete successfully, and cleanup was not performed.</xsd:documentation> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="EFIX LOCKED"> <xsd:annotation> <xsd:documentation>The specified fileset was installed sucessfully and locked by the interim fix (interim fix) manager.</xsd:documentation> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="OBSOLETE"> <xsd:annotation> <xsd:documentation>The specified fileset was installed with an earlier version of the operating system but has been replaced by a repackaged (renamed) newer version. Some of the files that belonged to this fileset have been replaced by versions from the repackaged fileset.</xsd:documentation> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="REJECTING"> <xsd:annotation> <xsd:documentation>An attempt was made to reject the specified fileset, but it did not complete successfully, and cleanup was not performed.</xsd:documentation> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value=""/> </xsd:restriction> </xsd:simpleContent> </xsd:complexType> <xsd:complexType name="EntityItemFixInstallationStatusType"> <xsd:annotation> <xsd:documentation>The EntityStateFixInstallationStatusType defines the different values that are valid for the installation_status entity of a fix_state item. The empty string is also allowed as a valid value to support empty emlements associated with error conditions.</xsd:documentation> </xsd:annotation> <xsd:simpleContent> <xsd:restriction base="oval-sc:EntityItemStringType"> <xsd:enumeration value="ALL_INSTALLED"> <xsd:annotation> <xsd:documentation>All filesets for XXXXXXX were found</xsd:documentation> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="SOME_INSTALLED"> <xsd:annotation> <xsd:documentation>Not all filesets for XXXXXXX were found</xsd:documentation> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="NONE_INSTALLED"> <xsd:annotation> <xsd:documentation>No filesets which have fixes for XXXXXXX are currently installed.</xsd:documentation> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value=""> <xsd:annotation> <xsd:documentation>The empty string value is permitted here to allow for detailed error reporting.</xsd:documentation> </xsd:annotation> </xsd:enumeration> </xsd:restriction> </xsd:simpleContent> </xsd:complexType> <xsd:complexType name="EntityItemInterimFixStateType"> <xsd:annotation> <xsd:documentation>The EntityItemInterimFixStateType complex type defines the different values that are valid for the state entity of a interim_fix_state state. Please refer to the AIX documentation of Emergency Fix States. The empty string value is permitted here to allow for detailed error reporting.</xsd:documentation> </xsd:annotation> <xsd:simpleContent> <xsd:restriction base="oval-sc:EntityItemStringType"> <xsd:enumeration value="STABLE"> <xsd:annotation> <xsd:documentation>The efix was installed with a standard installation, and successfully completed the last installation operation.</xsd:documentation> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="MOUNTED"> <xsd:annotation> <xsd:documentation>The efix was installed with a mount installation operation, and successfully completed the last installation or mount operation.</xsd:documentation> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="UNMOUNTED"> <xsd:annotation> <xsd:documentation>The efix was installed with a mount installation operation and one or more efix files were unmounted in a previous emgr command operation.</xsd:documentation> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="BROKEN"> <xsd:annotation> <xsd:documentation>An unrecoverable error occurred during an installation or removal operation. The status of the efix is unreliable.</xsd:documentation> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="INSTALLING"> <xsd:annotation> <xsd:documentation>The efix is in the process of installing.</xsd:documentation> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="REBOOT_REQUIRED"> <xsd:annotation> <xsd:documentation>The efix was installed successfully and requires a reboot to fully integrate into the target system.</xsd:documentation> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="REMOVING"> <xsd:annotation> <xsd:documentation>The efix is in the process of being removed.</xsd:documentation> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value=""> <xsd:annotation> <xsd:documentation>The empty string value is permitted here to allow for detailed error reporting.</xsd:documentation> </xsd:annotation> </xsd:enumeration> </xsd:restriction> </xsd:simpleContent> </xsd:complexType> </xsd:schema> |
||||||||||||||||
|
David Raphael
|
Couple of questions:
- I noticed that you used "wuid" in the schema - is this a typo? - Can the <interim_fix_object...> support <label>, <efix_id> and <vuid> ? It seems that those are all valid methods to collect an interim fix. - When would one use "label" or "efix id" for state? On 8/24/09 10:07 AM, "Baker, Jon" <[hidden email]> wrote: I have attached a modified version of the aix component schema for your review. Please note that I decided to incorporate both the VUID and the label in the new interim_fix_state and that the interim_fix_object uses just a VUID. I would appreciate a quick turn around on the review of this new test so that we might be able to incorporate it into a second release candidate of version 5.6. More to follow on this, but for now note that we will likely have a second release candidate that will be posted later today or tomorrow. Thanks, Jon ============================================ Jonathan O. Baker G022 - IA Industry Collaboration The MITRE Corporation Email: [hidden email] >-----Original Message----- >From: Baker, Jon [mailto:[hidden email]] >Sent: Wednesday, August 19, 2009 10:02 PM >To: oval-developer-list OVAL Developer List/Closed Public Discussion >Subject: Re: [OVAL-DEVELOPER-LIST] Potential AIX Limitations with OVAL >Schema > >David, > >Thanks for bringing this up. Those of you that know your way around AIX >please correct me where I am wrong below. > >More information about Interim Fixes can be found here: >http://www14.software.ibm.com/webapp/set2/sas/f/aix.efixmgmt/docs.html > >I looked at the documentation for the emgr command: >http://publib16.boulder.ibm.com/doc_link/en_US/a_doc_lib/cmds/aixcmds2/e >mgr.htm > >More specifically I am thinking this is the relevant section of the >above page: >http://publib16.boulder.ibm.com/doc_link/en_US/a_doc_lib/aixins/insgdrf/ >install_opt_swupdates.htm#emgr_listing_op > > >It looks like we are interested in emgr -l. At first glance I am >thinking we would use emgr -l -u <VUID> or emgr -l -L <LABEL> to list >installed interim fixes and look up details of a single interim fix >installation. > >Based on the documentation does the following fields make sense for this >proposed test: > >Object fields: > - vuid or label ( I am not sure ) - the id of the VUID or label of the >efix. See >http://publib16.boulder.ibm.com/doc_link/en_US/a_doc_lib/aixins/insgdrf/ >install_opt_swupdates.htm#emgr_reference_efix > > > >State fields: > - vuid or label - see above... > - abstract - Describes the efix package. > - state - the emergency fix state. Based on an enumeration of possible >states. See: >http://publib16.boulder.ibm.com/doc_link/en_US/a_doc_lib/aixins/insgdrf/ >install_opt_swupdates.htm#emgr_efix_states > - ... - are there other fields that should be included? > > >Once we know the correct fields I can send around a bit of oval schema >to represent the proposed test. > >Thanks, > >Jon > >============================================ >Jonathan O. Baker >G022 - IA Industry Collaboration >The MITRE Corporation >Email: [hidden email] > > >>-----Original Message----- >>From: David Raphael [mailto:[hidden email]] >>Sent: Wednesday, August 19, 2009 4:17 PM >>To: oval-developer-list OVAL Developer List/Closed Public Discussion >>Subject: [OVAL-DEVELOPER-LIST] Potential AIX Limitations with OVAL >>Schema >> >>In the process of working with various AIX OVAL Definitions, we've run >>into what we believe is a limitation of the current and proposed >schema. >> >>We believe that there is a gap in the capability of OVAL regarding the >>verification of APAR related issues. >> >>The OVAL Schema currently supports <fix_test.../>, <fix_object.../>, >and >><fix_state.../> with regards to APAR numbers. The <fix_object .../> >>uses information acquired from the "instfix..." command. This command >>verifies "fixes." >> >>We also need to verify information gathered from the "emgr..." command. >>This command is used to install and verify "interim fixes." This would >>require the addition of something like <interim_fix_test.../>, >><interim_fix_object.../>, and <interim_fix_state.../> >>Without this capability, OVAL is not capable of covering ~80% of recent >>(post-TL or post-Service Pack etc...) security issues. >> >>Here is an IBM page with some terminology: >>http://www14.software.ibm.com/webapp/set2/sas/f/aix51fixes/supportdefs. >h >>tml >> >> >> >>-- >>David Raphael >> >>Research Tools Manager >>Risk and Compliance Security Research >>McAfee, Inc. >> >>972.963.7224 Direct >>214.769.6098 Mobile >> >>[hidden email] >>http://www.mcafee.com >> >>To unsubscribe, send an email message to [hidden email] with >>SIGNOFF OVAL-DEVELOPER-LIST >>in the BODY of the message. If you have difficulties, write to OVAL- >>[hidden email]. > >To unsubscribe, send an email message to [hidden email] with >SIGNOFF OVAL-DEVELOPER-LIST >in the BODY of the message. If you have difficulties, write to OVAL- >[hidden email]. To unsubscribe, send an email message to [hidden email] with SIGNOFF OVAL-DEVELOPER-LIST in the BODY of the message. If you have difficulties, write to [hidden email]. -- David Raphael Research Tools Manager Risk and Compliance Security Research McAfee, Inc. 972.963.7224 Direct 214.769.6098 Mobile [hidden email] http://www.mcafee.com To unsubscribe, send an email message to [hidden email] with SIGNOFF OVAL-DEVELOPER-LIST in the BODY of the message. If you have difficulties, write to [hidden email]. |
||||||||||||||||
|
bakerj
|
>
>Couple of questions: > >- I noticed that you used "wuid" in the schema - is this a typo? > Yes, that was a mistake. I will make sure it is corrected. >- Can the <interim_fix_object...> support <label>, <efix_id> and <vuid> >? It seems that those are all valid methods to collect an interim fix. > The AIX documentation on "Referencing Emergency Fixes" certainly aligns with your thinking. See: http://publib16.boulder.ibm.com/doc_link/en_US/a_doc_lib/aixins/insgdrf/install_opt_swupdates.htm#emgr_reference_efix However, for oval I was not sure that the efix id made sense. In the AIX documentation on referenced above the section "Reference by efix ID" has a note that states: "Emergency fix IDs are valid for short periods of time and change as efixes are removed and added. Always verify the current efix ID number by listing the efix using the -l flag." This leads me to think that efix id is not very useful in oval for identifying an efix in a fairly static manner. In the same documentation the "Reference by VUID" section states the following: "The VUID is used to differentiate packages that have the same label. Unlike Authorized Program Analysis Reports (APARs), which are officially tracked, emergency fixes are not tracked by any organization, so it is possible to have two efix packages with the same label." This description suggests that the efix label is not unique so for oval it may not be the best way to identify a single efix. Having considered the three options for referencing an efix I landed on the VUID as the best way to uniquely identify one efix. >- When would one use "label" or "efix id" for state? > My thinking in adding the label to the state was that in the case where you had a specific efix that you want to locate on a host and you only have it label. You could simply check for al efixes and then filter that set down by label. Does this all make sense? Thanks, Jon >On 8/24/09 10:07 AM, "Baker, Jon" <[hidden email]> wrote: > >I have attached a modified version of the aix component schema for your >review. Please note that I decided to incorporate both the VUID and the >label in the new interim_fix_state and that the interim_fix_object uses >just a VUID. > >I would appreciate a quick turn around on the review of this new test so >that we might be able to incorporate it into a second release candidate >of version 5.6. More to follow on this, but for now note that we will >likely have a second release candidate that will be posted later today >or tomorrow. > >Thanks, > >Jon > >============================================ >Jonathan O. Baker >G022 - IA Industry Collaboration >The MITRE Corporation >Email: [hidden email] > > >>-----Original Message----- >>From: Baker, Jon [mailto:[hidden email]] >>Sent: Wednesday, August 19, 2009 10:02 PM >>To: oval-developer-list OVAL Developer List/Closed Public Discussion >>Subject: Re: [OVAL-DEVELOPER-LIST] Potential AIX Limitations with OVAL >>Schema >> >>David, >> >>Thanks for bringing this up. Those of you that know your way around AIX >>please correct me where I am wrong below. >> >>More information about Interim Fixes can be found here: >>http://www14.software.ibm.com/webapp/set2/sas/f/aix.efixmgmt/docs.html >> >>I looked at the documentation for the emgr command: >>http://publib16.boulder.ibm.com/doc_link/en_US/a_doc_lib/cmds/aixcmds2/ >e >>mgr.htm >> >>More specifically I am thinking this is the relevant section of the >>above page: >>http://publib16.boulder.ibm.com/doc_link/en_US/a_doc_lib/aixins/insgdrf >/ >>install_opt_swupdates.htm#emgr_listing_op >> >> >>It looks like we are interested in emgr -l. At first glance I am >>thinking we would use emgr -l -u <VUID> or emgr -l -L <LABEL> to list >>installed interim fixes and look up details of a single interim fix >>installation. >> >>Based on the documentation does the following fields make sense for >this >>proposed test: >> >>Object fields: >> - vuid or label ( I am not sure ) - the id of the VUID or label of the >>efix. See >>http://publib16.boulder.ibm.com/doc_link/en_US/a_doc_lib/aixins/insgdrf >/ >>install_opt_swupdates.htm#emgr_reference_efix >> >> >> >>State fields: >> - vuid or label - see above... >> - abstract - Describes the efix package. >> - state - the emergency fix state. Based on an enumeration of possible >>states. See: >>http://publib16.boulder.ibm.com/doc_link/en_US/a_doc_lib/aixins/insgdrf >/ >>install_opt_swupdates.htm#emgr_efix_states >> - ... - are there other fields that should be included? >> >> >>Once we know the correct fields I can send around a bit of oval schema >>to represent the proposed test. >> >>Thanks, >> >>Jon >> >>============================================ >>Jonathan O. Baker >>G022 - IA Industry Collaboration >>The MITRE Corporation >>Email: [hidden email] >> >> >>>-----Original Message----- >>>From: David Raphael [mailto:[hidden email]] >>>Sent: Wednesday, August 19, 2009 4:17 PM >>>To: oval-developer-list OVAL Developer List/Closed Public Discussion >>>Subject: [OVAL-DEVELOPER-LIST] Potential AIX Limitations with OVAL >>>Schema >>> >>>In the process of working with various AIX OVAL Definitions, we've run >>>into what we believe is a limitation of the current and proposed >>schema. >>> >>>We believe that there is a gap in the capability of OVAL regarding the >>>verification of APAR related issues. >>> >>>The OVAL Schema currently supports <fix_test.../>, <fix_object.../>, >>and >>><fix_state.../> with regards to APAR numbers. The <fix_object .../> >>>uses information acquired from the "instfix..." command. This command >>>verifies "fixes." >>> >>>We also need to verify information gathered from the "emgr..." >command. >>>This command is used to install and verify "interim fixes." This >would >>>require the addition of something like <interim_fix_test.../>, >>><interim_fix_object.../>, and <interim_fix_state.../> >>>Without this capability, OVAL is not capable of covering ~80% of >recent >>>(post-TL or post-Service Pack etc...) security issues. >>> >>>Here is an IBM page with some terminology: >>>http://www14.software.ibm.com/webapp/set2/sas/f/aix51fixes/supportdefs >. >>h >>>tml >>> >>> >>> >>>-- >>>David Raphael >>> >>>Research Tools Manager >>>Risk and Compliance Security Research >>>McAfee, Inc. >>> >>>972.963.7224 Direct >>>214.769.6098 Mobile >>> >>>[hidden email] >>>http://www.mcafee.com >>> >>>To unsubscribe, send an email message to [hidden email] with >>>SIGNOFF OVAL-DEVELOPER-LIST >>>in the BODY of the message. If you have difficulties, write to OVAL- >>>[hidden email]. >> >>To unsubscribe, send an email message to [hidden email] with >>SIGNOFF OVAL-DEVELOPER-LIST >>in the BODY of the message. If you have difficulties, write to OVAL- >>[hidden email]. > >To unsubscribe, send an email message to [hidden email] with >SIGNOFF OVAL-DEVELOPER-LIST >in the BODY of the message. If you have difficulties, write to OVAL- >[hidden email]. > > >-- >David Raphael > >Research Tools Manager >Risk and Compliance Security Research >McAfee, Inc. > >972.963.7224 Direct >214.769.6098 Mobile > >[hidden email] >http://www.mcafee.com To unsubscribe, send an email message to [hidden email] with SIGNOFF OVAL-DEVELOPER-LIST in the BODY of the message. If you have difficulties, write to [hidden email]. |
||||||||||||||||
|
David Raphael
|
That makes sense.
Thanks for the clarification. Cheers, Dave On 8/24/09 11:01 AM, "Baker, Jon" <[hidden email]> wrote: > >Couple of questions: > >- I noticed that you used "wuid" in the schema - is this a typo? > Yes, that was a mistake. I will make sure it is corrected. >- Can the <interim_fix_object...> support <label>, <efix_id> and <vuid> >? It seems that those are all valid methods to collect an interim fix. > The AIX documentation on "Referencing Emergency Fixes" certainly aligns with your thinking. See: http://publib16.boulder.ibm.com/doc_link/en_US/a_doc_lib/aixins/insgdrf/install_opt_swupdates.htm#emgr_reference_efix However, for oval I was not sure that the efix id made sense. In the AIX documentation on referenced above the section "Reference by efix ID" has a note that states: "Emergency fix IDs are valid for short periods of time and change as efixes are removed and added. Always verify the current efix ID number by listing the efix using the -l flag." This leads me to think that efix id is not very useful in oval for identifying an efix in a fairly static manner. In the same documentation the "Reference by VUID" section states the following: "The VUID is used to differentiate packages that have the same label. Unlike Authorized Program Analysis Reports (APARs), which are officially tracked, emergency fixes are not tracked by any organization, so it is possible to have two efix packages with the same label." This description suggests that the efix label is not unique so for oval it may not be the best way to identify a single efix. Having considered the three options for referencing an efix I landed on the VUID as the best way to uniquely identify one efix. >- When would one use "label" or "efix id" for state? > My thinking in adding the label to the state was that in the case where you had a specific efix that you want to locate on a host and you only have it label. You could simply check for al efixes and then filter that set down by label. Does this all make sense? Thanks, Jon >On 8/24/09 10:07 AM, "Baker, Jon" <[hidden email]> wrote: > >I have attached a modified version of the aix component schema for your >review. Please note that I decided to incorporate both the VUID and the >label in the new interim_fix_state and that the interim_fix_object uses >just a VUID. > >I would appreciate a quick turn around on the review of this new test so >that we might be able to incorporate it into a second release candidate >of version 5.6. More to follow on this, but for now note that we will >likely have a second release candidate that will be posted later today >or tomorrow. > >Thanks, > >Jon > >============================================ >Jonathan O. Baker >G022 - IA Industry Collaboration >The MITRE Corporation >Email: [hidden email] > > >>-----Original Message----- >>From: Baker, Jon [mailto:[hidden email]] >>Sent: Wednesday, August 19, 2009 10:02 PM >>To: oval-developer-list OVAL Developer List/Closed Public Discussion >>Subject: Re: [OVAL-DEVELOPER-LIST] Potential AIX Limitations with OVAL >>Schema >> >>David, >> >>Thanks for bringing this up. Those of you that know your way around AIX >>please correct me where I am wrong below. >> >>More information about Interim Fixes can be found here: >>http://www14.software.ibm.com/webapp/set2/sas/f/aix.efixmgmt/docs.html >> >>I looked at the documentation for the emgr command: >>http://publib16.boulder.ibm.com/doc_link/en_US/a_doc_lib/cmds/aixcmds2/ >e >>mgr.htm >> >>More specifically I am thinking this is the relevant section of the >>above page: >>http://publib16.boulder.ibm.com/doc_link/en_US/a_doc_lib/aixins/insgdrf >/ >>install_opt_swupdates.htm#emgr_listing_op >> >> >>It looks like we are interested in emgr -l. At first glance I am >>thinking we would use emgr -l -u <VUID> or emgr -l -L <LABEL> to list >>installed interim fixes and look up details of a single interim fix >>installation. >> >>Based on the documentation does the following fields make sense for >this >>proposed test: >> >>Object fields: >> - vuid or label ( I am not sure ) - the id of the VUID or label of the >>efix. See >>http://publib16.boulder.ibm.com/doc_link/en_US/a_doc_lib/aixins/insgdrf >/ >>install_opt_swupdates.htm#emgr_reference_efix >> >> >> >>State fields: >> - vuid or label - see above... >> - abstract - Describes the efix package. >> - state - the emergency fix state. Based on an enumeration of possible >>states. See: >>http://publib16.boulder.ibm.com/doc_link/en_US/a_doc_lib/aixins/insgdrf >/ >>install_opt_swupdates.htm#emgr_efix_states >> - ... - are there other fields that should be included? >> >> >>Once we know the correct fields I can send around a bit of oval schema >>to represent the proposed test. >> >>Thanks, >> >>Jon >> >>============================================ >>Jonathan O. Baker >>G022 - IA Industry Collaboration >>The MITRE Corporation >>Email: [hidden email] >> >> >>>-----Original Message----- >>>From: David Raphael [mailto:[hidden email]] >>>Sent: Wednesday, August 19, 2009 4:17 PM >>>To: oval-developer-list OVAL Developer List/Closed Public Discussion >>>Subject: [OVAL-DEVELOPER-LIST] Potential AIX Limitations with OVAL >>>Schema >>> >>>In the process of working with various AIX OVAL Definitions, we've run >>>into what we believe is a limitation of the current and proposed >>schema. >>> >>>We believe that there is a gap in the capability of OVAL regarding the >>>verification of APAR related issues. >>> >>>The OVAL Schema currently supports <fix_test.../>, <fix_object.../>, >>and >>><fix_state.../> with regards to APAR numbers. The <fix_object .../> >>>uses information acquired from the "instfix..." command. This command >>>verifies "fixes." >>> >>>We also need to verify information gathered from the "emgr..." >command. >>>This command is used to install and verify "interim fixes." This >would >>>require the addition of something like <interim_fix_test.../>, >>><interim_fix_object.../>, and <interim_fix_state.../> >>>Without this capability, OVAL is not capable of covering ~80% of >recent >>>(post-TL or post-Service Pack etc...) security issues. >>> >>>Here is an IBM page with some terminology: >>>http://www14.software.ibm.com/webapp/set2/sas/f/aix51fixes/supportdefs >. >>h >>>tml >>> >>> >>> >>>-- >>>David Raphael >>> >>>Research Tools Manager >>>Risk and Compliance Security Research >>>McAfee, Inc. >>> >>>972.963.7224 Direct >>>214.769.6098 Mobile >>> >>>[hidden email] >>>http://www.mcafee.com >>> >>>To unsubscribe, send an email message to [hidden email] with >>>SIGNOFF OVAL-DEVELOPER-LIST >>>in the BODY of the message. If you have difficulties, write to OVAL- >>>[hidden email]. >> >>To unsubscribe, send an email message to [hidden email] with >>SIGNOFF OVAL-DEVELOPER-LIST >>in the BODY of the message. If you have difficulties, write to OVAL- >>[hidden email]. > >To unsubscribe, send an email message to [hidden email] with >SIGNOFF OVAL-DEVELOPER-LIST >in the BODY of the message. If you have difficulties, write to OVAL- >[hidden email]. > > >-- >David Raphael > >Research Tools Manager >Risk and Compliance Security Research >McAfee, Inc. > >972.963.7224 Direct >214.769.6098 Mobile > >[hidden email] >http://www.mcafee.com -- David Raphael Research Tools Manager Risk and Compliance Security Research McAfee, Inc. 972.963.7224 Direct 214.769.6098 Mobile [hidden email] http://www.mcafee.com To unsubscribe, send an email message to [hidden email] with SIGNOFF OVAL-DEVELOPER-LIST in the BODY of the message. If you have difficulties, write to [hidden email]. |
||||||||||||||||
| Free Embeddable Forum Powered by Nabble | Help |
