new branch created from discussion in OVAL-Community#112

soprasteria · Feb 15, 2021 · 2c762cd · 2c762cd
1 parent 8f43b5a
commit 2c762cd
Show file tree

Hide file tree

Showing 2 changed files with 136 additions and 0 deletions.
diff --git a/oval-schemas/linux-definitions-schema.xsd b/oval-schemas/linux-definitions-schema.xsd
@@ -2718,6 +2718,110 @@
                     </xsd:extension>
                </xsd:complexContent>
           </xsd:complexType>
+     </xsd:element>
+	 <!-- =============================================================================== -->
+     <!-- ==============================  AUDITD LINE TEST  ============================= -->
+     <!-- =============================================================================== -->
+     <!-- Originaly authored by French Ministry of Army (DGA-MI) -->
+     <xsd:element name="auditdline_test" substitutionGroup="oval-def:test">
+       <xsd:annotation>
+         <xsd:documentation>The auditdline_test is used to check the living rules of the auditd service. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a auditdline_object and the optional state element specifies the data to check.</xsd:documentation>
+         <xsd:appinfo>
+           <oval:element_mapping>
+             <oval:test>auditdline_test</oval:test>
+             <oval:object>auditdline_object</oval:object>
+             <oval:state>auditdline_state</oval:state>
+             <oval:item target_namespace="http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#linux">auditdline_item</oval:item>
+           </oval:element_mapping>
+         </xsd:appinfo>
+         <xsd:appinfo>
+           <sch:pattern id="linux_auditdlinetst">
+             <sch:rule context="linux:auditdline_test/linux:object">
+               <sch:assert test="@object_ref=ancestor::oval-def:oval_definitions/oval-def:objects/linux:auditdline_object/@id"><sch:value-of select="../@id"/> - the object child element of a auditdline_test must reference a auditdline_object</sch:assert>
+             </sch:rule>
+             <sch:rule context="linux:auditdline_test/linux:state">
+               <sch:assert test="@state_ref=ancestor::oval-def:oval_definitions/oval-def:states/linux:auditdline_state/@id"><sch:value-of select="../@id"/> - the state child element of a auditdline_test must reference a auditdline_state</sch:assert>
+             </sch:rule>
+           </sch:pattern>
+         </xsd:appinfo>
+       </xsd:annotation>
+       <xsd:complexType>
+         <xsd:complexContent>
+           <xsd:extension base="oval-def:TestType">
+             <xsd:sequence>
+               <xsd:element name="object" type="oval-def:ObjectRefType" />
+               <xsd:element name="state" type="oval-def:StateRefType" minOccurs="0" maxOccurs="unbounded"/>
+             </xsd:sequence>
+           </xsd:extension>
+         </xsd:complexContent>
+       </xsd:complexType>
+     </xsd:element>
+     <xsd:element name="auditdline_object" substitutionGroup="oval-def:object">
+       <xsd:annotation>
+         <xsd:documentation>The auditdline_object element is used by a auditdline_test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema.</xsd:documentation>
+         <xsd:documentation>A auditdline_object consists of an filter_key entity that is the same as the -k parameter of the auditctl -l command.</xsd:documentation>
+         <xsd:appinfo>
+           <sch:pattern id="linux_auditdline_object_verify_filter_state">
+             <sch:rule context="linux:auditdline_object//oval-def:filter">
+               <sch:let name="parent_object" value="ancestor::linux:auditdline_object"/>
+               <sch:let name="parent_object_id" value="$parent_object/@id"/>
+               <sch:let name="state_ref" value="."/>
+               <sch:let name="reffed_state" value="ancestor::oval-def:oval_definitions/oval-def:states/*[@id=$state_ref]"/>
+               <sch:let name="state_name" value="local-name($reffed_state)"/>
+               <sch:let name="state_namespace" value="namespace-uri($reffed_state)"/>
+               <sch:assert test="(($state_namespace='http://oval.mitre.org/XMLSchema/oval-definitions-5#linux') and ($state_name='auditdline_state'))">State referenced in filter for <sch:value-of select="name($parent_object)"/> '<sch:value-of select="$parent_object_id"/>' is of the wrong type. </sch:assert>
+             </sch:rule>
+           </sch:pattern>
+         </xsd:appinfo>
+       </xsd:annotation>
+       <xsd:complexType>
+         <xsd:complexContent>
+           <xsd:extension base="oval-def:ObjectType">
+             <xsd:sequence>
+               <xsd:choice>
+                 <xsd:element ref="oval-def:set"/>
+                 <xsd:sequence>
+                   <xsd:element name="filter_key" type="oval-def:EntityObjectStringType" nillable="true">
+                     <xsd:annotation>
+                       <xsd:documentation>As described in the auditctl(8) manpage, the filter key is an arbitrary string of text that can be up to 31 bytes long. It can uniquely identify the audit records produced by a rule. You may have more than one key on a rule.</xsd:documentation>
+                       <xsd:documentation>If the xsi:nil attribute is set to true, all auditd rules must be present in the system characteristics (auditdline_item).</xsd:documentation>
+                     </xsd:annotation>
+                   </xsd:element>
+                   <xsd:element ref="oval-def:filter" minOccurs="0" maxOccurs="unbounded"/>
+                 </xsd:sequence>
+               </xsd:choice>
+             </xsd:sequence>
+           </xsd:extension>
+         </xsd:complexContent>
+       </xsd:complexType>
+     </xsd:element>
+     <xsd:element name="auditdline_state" substitutionGroup="oval-def:state">
+       <xsd:annotation>
+         <xsd:documentation>The auditdline_state element defines the different information that can be used to evaluate the auditd rules. This includes the filter key, the corresponding rule and the line number of the rule. Please refer to the individual elements in the schema for more details about what each represents.</xsd:documentation>
+       </xsd:annotation>
+       <xsd:complexType>
+         <xsd:complexContent>
+           <xsd:extension base="oval-def:StateType">
+             <xsd:sequence>
+               <xsd:element name="filter_key" type="oval-def:EntityStateStringType" minOccurs="0" maxOccurs="1">
+                 <xsd:annotation>
+                   <xsd:documentation>As described in the auditctl(8) manpage, the filter key is an arbitrary string of text that can be up to 31 bytes long. It can uniquely identify the audit records produced by a rule. You may have more than one key on a rule.</xsd:documentation>
+                 </xsd:annotation>
+               </xsd:element>
+               <xsd:element name="audit_line" type="oval-def:EntityStateStringType" minOccurs="0" maxOccurs="1">
+                 <xsd:annotation>
+                   <xsd:documentation>A rule written on a single line like returned by the auditctl -k command.</xsd:documentation>
+                 </xsd:annotation>
+               </xsd:element>
+               <xsd:element name="line_number" type="oval-def:EntityStateIntType" minOccurs="0" maxOccurs="1">
+                 <xsd:annotation>
+                   <xsd:documentation>The line number of the rule, which can be considered as the rule number regarding that there is one rule per line. This number starts at 1 which means that the number of the first rule returned is 1.</xsd:documentation>
+                 </xsd:annotation>
+               </xsd:element>
+             </xsd:sequence>
+           </xsd:extension>
+         </xsd:complexContent>
+       </xsd:complexType>
      </xsd:element>
      <!-- =============================================================================== -->
      <!-- =============================================================================== -->

diff --git a/oval-schemas/linux-system-characteristics-schema.xsd b/oval-schemas/linux-system-characteristics-schema.xsd
@@ -1185,6 +1185,38 @@
                     </xsd:extension>
                </xsd:complexContent>
           </xsd:complexType>
+     </xsd:element>
+	 <!-- =============================================================================== -->
+     <!-- ==============================  AUDITD LINE ITEM  ============================= -->
+     <!-- =============================================================================== -->
+     <!-- Originaly authored by French Ministry of Army (DGA-MI) -->
+     <xsd:element name="auditdline_item" substitutionGroup="oval-sc:item">
+          <xsd:annotation>
+               <xsd:documentation>This item stores results from checking the living rules of the auditd service.</xsd:documentation>
+          </xsd:annotation>
+          <xsd:complexType>
+               <xsd:complexContent>
+                    <xsd:extension base="oval-sc:ItemType">
+                         <xsd:sequence>
+                              <xsd:element name="filter_key" type="oval-sc:EntityItemStringType" minOccurs="0" maxOccurs="1">
+                                   <xsd:annotation>
+                                        <xsd:documentation>>As described in the auditctl(8) manpage, the filter key is an arbitrary string of text that can be up to 31 bytes long. It can uniquely identify the audit records produced by a rule. You may have more than one key on a rule.</xsd:documentation>
+                                   </xsd:annotation>
+                              </xsd:element>
+                              <xsd:element name="auditline" type="oval-sc:EntityItemStringType" minOccurs="0" maxOccurs="1">
+                                   <xsd:annotation>
+                                        <xsd:documentation>A rule written on a single line like returned by the auditctl -k command.</xsd:documentation>
+                                   </xsd:annotation>
+                              </xsd:element>
+                              <xsd:element name="line_number" type="oval-sc:EntityItemIntType" minOccurs="0" maxOccurs="1">
+                                   <xsd:annotation>
+                                        <xsd:documentation>The line number of the rule, which can be considered as the rule number regarding that there is one rule per line. This number starts at 1 which means that the number of the first rule returned is 1.</xsd:documentation>
+                                   </xsd:annotation>
+                              </xsd:element>
+                         </xsd:sequence>
+                    </xsd:extension>
+               </xsd:complexContent>
+          </xsd:complexType>
      </xsd:element>
      <!-- =============================================================================== -->
      <!-- =============================================================================== -->