From 6c979f7c1461c3f1c4efba52553b012416cdc6b9 Mon Sep 17 00:00:00 2001 From: iam048 Date: Thu, 29 Aug 2024 22:18:09 +0530 Subject: [PATCH] Added PaloAlto Networks PAN-OS and Cisco NX-OS Schema Support --- schemas/oval/5.11.2/oval-common-schema.xsd | 10 + .../oval/5.11.2/oval-definitions-schema.xsd | 2 + .../oval-system-characteristics-schema.xsd | 1 + .../oval/5.11.2/panos-definitions-schema.xsd | 171 +++++++ .../panos-system-characteristics-schema.xsd | 66 +++ .../oval/5.11.2/x-nxos-definitions-schema.xsd | 419 ++++++++++++++++++ 6 files changed, 669 insertions(+) create mode 100644 schemas/oval/5.11.2/panos-definitions-schema.xsd create mode 100644 schemas/oval/5.11.2/panos-system-characteristics-schema.xsd create mode 100644 schemas/oval/5.11.2/x-nxos-definitions-schema.xsd diff --git a/schemas/oval/5.11.2/oval-common-schema.xsd b/schemas/oval/5.11.2/oval-common-schema.xsd index 45524ee3921..d07bd6c4cf8 100644 --- a/schemas/oval/5.11.2/oval-common-schema.xsd +++ b/schemas/oval/5.11.2/oval-common-schema.xsd @@ -607,6 +607,16 @@ at_least_one_exists || 0 | 0+ | 1+ | 0+ || Error The windows value describes the Microsoft Windows operating system. + + + + The NX-OS value describes the Cisco NX-OS operating system. + + + + + The PAN-OS value describes the Palo Alto Networks PAN-OS operating system. + diff --git a/schemas/oval/5.11.2/oval-definitions-schema.xsd b/schemas/oval/5.11.2/oval-definitions-schema.xsd index 42c238e1ec2..8a36edba122 100644 --- a/schemas/oval/5.11.2/oval-definitions-schema.xsd +++ b/schemas/oval/5.11.2/oval-definitions-schema.xsd 
@@ -29,6 +29,8 @@ + + The following is a description of the elements, types, and attributes that compose the core schema for encoding Open Vulnerability and Assessment Language (OVAL) Definitions. Some of the objects defined here are extended and enhanced by individual component schemas, which are described in separate documents. Each of the elements, types, and attributes that make up the Core Definition Schema are described in detail and should provide the information necessary to understand what each represents. This document is intended for developers and assumes some familiarity with XML. A high level description of the interaction between these objects is not outlined here. The OVAL Schema is maintained by OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.cisecurity.org. diff --git a/schemas/oval/5.11.2/oval-system-characteristics-schema.xsd b/schemas/oval/5.11.2/oval-system-characteristics-schema.xsd index c71de366af1..397d75b0a60 100644 --- a/schemas/oval/5.11.2/oval-system-characteristics-schema.xsd +++ b/schemas/oval/5.11.2/oval-system-characteristics-schema.xsd 
@@ -30,6 +30,7 @@ + The following is a description of the elements, types, and attributes that compose the core schema for encoding Open Vulnerability and Assessment Language (OVAL) System Characteristics. The Core System Characteristics Schema defines all operating system independent objects. These objects are extended and enhanced by individual family schemas, which are described in separate documents. Each of the elements, types, and attributes that make up the Core System Characteristics Schema are described in detail and should provide the information necessary to understand what each object represents. This document is intended for developers and assumes some familiarity with XML. A high level description of the interaction between these objects is not outlined here. The OVAL Schema is maintained by the OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.cisecurity.org. diff --git a/schemas/oval/5.11.2/panos-definitions-schema.xsd b/schemas/oval/5.11.2/panos-definitions-schema.xsd new file mode 100644 index 00000000000..1396555a354 --- /dev/null +++ b/schemas/oval/5.11.2/panos-definitions-schema.xsd 
@@ -0,0 +1,171 @@ + + + + + + The following is a description of the elements, types, and attributes that compose the Palo Alto (PAN-OS)-specific + tests found in Open Vulnerability and Assessment Language (OVAL). Each test is an extension + of the standard test element defined in the Core Definition Schema. Through extension, each test inherits a + set of elements and attributes that are shared amongst all OVAL tests. Each test is described in detail and + should provide the information necessary to understand what each element and attribute represents. This document + is intended for developers and assumes some familiarity with XML. A high level description of the interaction + between the different tests and their relationship to the Core Definition Schema is not outlined here. + + + This schema was originally developed by William Munyan at cisecurity.org. The OVAL Schema is maintained by the + OVAL Community. For more information, including how to get involved in the project and how to submit change + requests, please visit the OVAL website at http://oval.cisecurity.org. + + + Palo Alto (PAN-OS) Definitions + 5.11.2:2.0 + 03/30/2021 09:00:00 AM + + For the portion subject to the copyright in the United States: Copyright (c) 2016 United States Government. + All rights reserved. Copyright (c) 2016, Center for Internet Security. All rights reserved. The contents of + this file are subject to the terms of the OVAL License located at https://oval.cisecurity.org/terms. See the + OVAL License for the specific language governing permissions and limitations for use of this schema. When + distributing copies of the OVAL Schema, this license header must be included. + + + + + + + + + + + + + + The config_test is used to check the properties of the XML output from a PAN-OS XML API request to export the + current running configuration. This is a request to the API at "https://[PAN-OS-DEVICE]/api/?type=export&category=configuration". 
+ The response to this request is an XML payload rooted with a "response" element and including device-specific information. + It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType + description for more information. The required object element references a config_object and the optional state + element specifies the data to check. + + + + config_test + config_object + config_state + config_item + + + + + + - the object child element of a config_test must reference a config_object + + + - the state child element of a config_test must reference a config_state + + + + + + + + + + + + + + + + + + + The config_object element is used by a config_test to define the object to be evaluated. Each object extends the + standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description + for more information. The common set element allows complex objects to be created using filters and set logic. + Again, please refer to the description of the set element in the oval-definitions-schema. + + + A config_object consists of an xpath entity that contains an XPATH 1.0 query to perform on the PAN-OS API response + XML data. The response data is assumed to consist of a <response> entity, with arbitrary (i.e., vendor-specific) + child nodes. + + + + + + + + + + + State referenced in filter for '' is of the wrong type. + + + + + + + + + + + + + + + Specifies an Xpath expression describing the text node(s) or attribute(s) to look at. Any valid + XPath 1.0 statement is usable with one exception, at most one field may be identified in the XPath. + This is because the value_of element in the data section is only designed to work against a single + field. The only valid operator for xpath is equals since there is an infinite number of possible + XPaths and determinining all those that do not equal a given XPath would be impossible. 
+ + + + + - operation attribute for the xpath entity of a config_object should be 'equals', note that this overrules the general operation attribute validation (i.e. follow this one) + + + + + + + + + + + + + + + + + The config_state element defines the different information that can be used to evaluate the result of a specific + config XPath evaluation. This includes the XPath used and the value of this XPath. + + + + + + + + + Specifies an XPath expression describing the text node(s) or attribute(s) to look at. + + + + + The value_of element checks the value(s) of the text node(s) or attribute(s) found. + + + + + + + + diff --git a/schemas/oval/5.11.2/panos-system-characteristics-schema.xsd b/schemas/oval/5.11.2/panos-system-characteristics-schema.xsd new file mode 100644 index 00000000000..9285032c52b --- /dev/null +++ b/schemas/oval/5.11.2/panos-system-characteristics-schema.xsd 
@@ -0,0 +1,66 @@ + + + + + + This document outlines the items of the OVAL System Characteristics XML schema that are composed of Palo Alto-specific + tests. Each item is an extention of a basic System Characteristics item defined in the core System Characteristics XML + schema. + + + This schema was originally developed by William Munyan at cisecurity.org. The OVAL Schema is maintained by the OVAL + Community. For more information, including how to get involved in the project and how to submit change requests, please + visit the OVAL website at http://oval.cisecurity.org. + + + Palo Alto (PAN-OS) Definitions + 5.11.2:2.0 + 03/30/2021 09:00:00 AM + + For the portion subject to the copyright in the United States: Copyright (c) 2016 United States Government. + All rights reserved. Copyright (c) 2016, Center for Internet Security. All rights reserved. The contents of + this file are subject to the terms of the OVAL License located at https://oval.cisecurity.org/terms. See the + OVAL License for the specific language governing permissions and limitations for use of this schema. When + distributing copies of the OVAL Schema, this license header must be included. + + + + + + + + + + + + + This item stores results from checking the contents of an XML configuration. + + + + + + + + Specifies an XPath expression describing the text node(s) or attribute(s) which were collected. + + + + + + The value_of element checks the value(s) of the text node(s) or attribute(s) found. How this + is used is entirely controlled by operator attributes. + + + + + + + + + diff --git a/schemas/oval/5.11.2/x-nxos-definitions-schema.xsd b/schemas/oval/5.11.2/x-nxos-definitions-schema.xsd new file mode 100644 index 00000000000..a95ba9eec19 --- /dev/null +++ b/schemas/oval/5.11.2/x-nxos-definitions-schema.xsd 
@@ -0,0 +1,419 @@ + + + + + + The following is a description of the elements, types, and attributes that compose the NX-OS specific tests found in Open Vulnerability and Assessment Language (OVAL). Each test is an extension of the standard test element defined in the Core Definition Schema. Through extension, each test inherits a set of elements and attributes that are shared amongst all OVAL tests. Each test is described in detail and should provide the information necessary to understand what each element and attribute represents. This document is intended for developers and assumes some familiarity with XML. A high level description of the interaction between the different tests and their relationship to the Core Definition Schema is not outlined here. + The OVAL Schema is maintained by the OVAL Community. For more information, including how to get involved in the project and how to submit change requests, please visit the OVAL website at http://oval.cisecurity.org. + + NX-OS Definition + 5.11.1:1.0 + 05/02/2020 09:00:00 AM + For the portion subject to copyright in the United States: Copyright (c) 2020 United States Government. All rights reserved. Copyright (c) 2020, Center for Internet Security. All rights reserved. The contents of this file are subject to the terms of the OVAL License located at https://oval.cisecurity.org/terms. See the OVAL License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the OVAL Schema, this license header must be included. + + + + + + + + + + + The global test is used to check for the existence of a particular line in the NX-OS config file under the global context. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a global_object and the optional state element specifies the data to check. 
+ + + global_test + global_object + global_state + global_item + + + + + + - the object child element of a global_test must reference a global_object + + + - the state child element of a global_test must reference a global_state + + + + + + + + + + + + + + + + + + The global_object element is used by a global test to define the object to be evaluated. For the most part this object checks for existence and is used without a state comparision. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema. + + + + + + + + + + State referenced in filter for '' is of the wrong type. + + + + + + + + + + + + + + The global_command entity identifies a specific line in the NX-OS config file under the global context. + + + + + + + + + + + + + The global_state element defines the different information that can be found in the NX-OS config file under the global context. Please refer to the individual elements in the schema for more details about what each represents. + + + + + + + + The global_command entity identifies a specific line in the NX-OS config file under the global context. + + + + + + + + + + + + + The line test is used to check the properties of specific output lines from a SHOW command, such as show running-config. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a line_object and the optional state element specifies the data to check. 
+ + + line_test + line_object + line_state + line_item + + + + + + - the object child element of a line_test must reference a line_object + + + - the state child element of a line_test must reference a line_state + + + + + + + + + + + + + + + + + + The line_object element is used by a line test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema. + A line object consists of a show_subcommand entity that is the name of a SHOW sub-command to be tested. + + + + + + + + + + State referenced in filter for '' is of the wrong type. + + + + + + + + + + + + + + The name of a SHOW sub-command. + + + + + + + + + + + + + The line_state element defines the different information that can be used to evaluate the result of a specific SHOW sub-command. This includes the name of ths sub-command and the corresponding config line. Please refer to the individual elements in the schema for more details about what each represents. + + + + + + + + The name of the SHOW sub-command. + + + + + The value returned from by the specified SHOW sub-command. + + + + + + + + + + + + + The version_test is used to check the version of the NX-OS operating system. It extends the standard TestType as defined in the oval-definitions-schema and one should refer to the TestType description for more information. The required object element references a version_object and the optional state element specifies the data to check. 
+ + + version_test + version_object + version_state + version_item + + + + + + - the object child element of a version_test must reference a version_object + + + - the state child element of a version_test must reference a version_state + + + + + + + + + + + + + + + + + + The version_object element is used by a version_test to define the different version information associated with an NX-OS system. There is actually only one object relating to version and this is the system as a whole. Therefore, there are no child entities defined. Any OVAL Test written to check version will reference the same version_object which is basically an empty object element. + For information on how Cisco NX-OS versionioning works, see: https://tools.cisco.com/security/center/resources/ios_nx_os_reference_guide#release_naming_nx_os + + + + + + + + + + The version_state element defines the version information held within a Cisco NX-OS version. + + + + + + + + The entire NX-OS version string, for example: '7.1(0)N1(1b)' or '9.2(1)'. + + + + + The major version piece of the version string. The value is an integer, and in the example 6.2(8b) the major_release is '6' + + + + + The minor release piece of the version string. The value is an integer, and in the example 6.2(8b) the minor_release is '2' + + + + + The maintenance release piece of the version string. The value is an integer, and in the example 6.2(8b) the maintenance release is '8' + + + + + The rebuild identifier piece of the version string. The value is a string, and in the example 6.2(8b) the rebuild is 'b'. For the examples 7.1(0)N1(1b) and 9.2(1), there is no rebuild identifier. + + + + + The platform designator piece of the version string. The value is a string, and in the example 7.1(0)N1(1b) the platform designator is 'N'. For the examples 6.2(8b) and 9.2(1), there is no platform designator. + + + + + The platform minor release piece of the version string. 
The value is an integer, and in the example 7.1(0)N2(1b) the platform minor release is '2'. For the examples 6.2(8b) and 9.2(1), there is no platform minor release. + + + + + The platform maintenance release piece of the version string. The value is an integer, and in the example 7.1(0)N1(2b) the platform maintenance release is '2'. For the examples 6.2(8b) and 9.2(1), there is no platform maintenance release. + + + + + The platform rebuild identifier piece of the version string. The value is a string, and in the example 7.1(0)N1(1b) the platform rebuild identifier is 'b'. For the examples 6.2(8b) and 9.2(1), there is no platform rebuild identifier. + + + + + + + + + + + + + The section test is used to check the properties of specific output lines from a configuration section. + + + section_test + section_object + section_state + section_item + + + + + + - the object child element of a section_test must reference a section_object + + + - the state child element of a section_test must reference a section_state + + + + + + + + + + + + + + + + + + The section_object element is used by a section test to define the object to be evaluated. Each object extends the standard ObjectType as defined in the oval-definitions-schema and one should refer to the ObjectType description for more information. The common set element allows complex objects to be created using filters and set logic. Again, please refer to the description of the set element in the oval-definitions-schema. + A section object consists of a section_command entity that is the name of a section command to be tested. + + + + + + + + + + State referenced in filter for '' is of the wrong type. + + + + + + + + + + + + + + The name of a section command. + + + + + + + + + + + + + The section_state element defines the different information that can be used to evaluate the result of a specific section command. This includes the name of ths section_command and the corresponding config lines. 
Please refer to the individual elements in the schema for more details about what each represents. + + + + + + + + The name of the section command. + + + + + The value returned with all config lines of the section. + + + + + The value returned with one config line of the section at a time. + + + + + + + +
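Review bot: the two new family entries in the oval-common-schema.xsd hunk document themselves as "The NX-OS value" and "The PAN-OS value", whereas the existing entry beside them reads "The windows value describes the Microsoft Windows operating system.", i.e. it names the literal enumeration token. Write the documentation of the two new entries with the exact token the enumeration declares, so that someone authoring a `<family>` element in system characteristics can copy it, and check that both tokens follow the existing convention of the enumeration (lowercase, no hyphen) rather than the marketing spelling "NX-OS" / "PAN-OS".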
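Review bot: the two lines added at line 29 of oval-definitions-schema.xsd carry no visible content in this rendering; if they are the `xsd:import` declarations for the two new component schemas, their schemaLocation values must match the created file names, and those names are inconsistent with each other: the NX-OS schema is added as x-nxos-definitions-schema.xsd (the "x-" experimental prefix) while the PAN-OS schema is added as panos-definitions-schema.xsd with no prefix. Pick one convention for both schemas in this patch, since the prefix also decides which namespace the import must reference and whether the schema is treated as experimental or official.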
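Review bot: the oval-system-characteristics-schema.xsd hunk adds only one line, and the diffstat creates panos-system-characteristics-schema.xsd but no NX-OS counterpart, yet x-nxos-definitions-schema.xsd names global_item, line_item, version_item and section_item as the item types of its four tests. Without an x-nxos-system-characteristics-schema.xsd (and its import here) those items have no definition, so any collector that emits them will produce system characteristics that fail schema validation. Either add the NX-OS system characteristics schema and its import in this patch, or hold back the NX-OS definitions schema until it exists.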
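Review bot: the config_test documentation in panos-definitions-schema.xsd shows the export request as "https://[PAN-OS-DEVICE]/api/?type=export&category=configuration" without the authentication parameter the PAN-OS XML API requires (an API key), and the text does not say that the collector needs an authenticated session at all; since this call returns the complete running configuration, state explicitly that the request must be authenticated and that the credential used should be limited to export/read access. Also confirm the bare "&" in that URL is escaped as "&amp;" in the actual xsd:documentation element, otherwise the file is not well-formed XML (the rendered diff cannot show this). Smaller points in the same hunk: the xpath entity documentation spells the language three ways ("Xpath", "XPATH 1.0", "XPath 1.0") and contains "determinining"; the header block gives version 5.11.2:2.0 dated 03/30/2021 with a 2016 copyright for a schema added in August 2024, so update it; and the vendor is "Palo Alto Networks", which the commit subject renders as "PaloAlto Networks" and the schema as "Palo Alto (PAN-OS)".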
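Review bot: the header of panos-system-characteristics-schema.xsd is copied from the definitions schema, so its title reads "Palo Alto (PAN-OS) Definitions" although this file defines system characteristics; change it to "Palo Alto (PAN-OS) System Characteristics". In the same hunk the value_of documentation of the config_item still reads "checks the value(s) of the text node(s) or attribute(s) found. How this is used is entirely controlled by operator attributes.", which is state wording: an item records what was collected and carries no operator attribute, so describe value_of here as the collected value of the node(s) or attribute(s) matched by the xpath. Also fix "extention" in the opening paragraph.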
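Review bot: x-nxos-definitions-schema.xsd declares version 5.11.1:1.0 dated 05/02/2020 while it is added under schemas/oval/5.11.2 and the sibling PAN-OS schema declares 5.11.2:2.0; align the version and date with the directory it lives in. The section_test documentation also lacks the "It extends the standard TestType as defined in the oval-definitions-schema ..." sentence that the global_test, line_test and version_test carry, so add it for consistency. Typos in this hunk: "comparision" (global_object), "the name of ths sub-command" (line_state), "The value returned from by the specified SHOW sub-command" (line_state), "versionioning" (version_object) and "the name of ths section_command" (section_state).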