Sanernow Documentation

Overview

SanerNow is a platform for endpoint security and management – a platform that hosts numerous tools to cover various endpoint security and management requirements. SanerNow queries your systems to find aberrations, and helps your systems retain normality.

SanerNow is provided as Software as a Service (SaaS). With no capital expenditure, a pay-as-you-go model allows payment for only services used, based on the number of endpoints being serviced. Having tools to address multiple use cases within one platform helps reduce up to 60% of the investment in endpoint security and management.

The following concepts are embodied within the SanerNow platform and tools.

  • Self-provision tools from the cloud, as needed, for specific use cases
  • Pay for actual usage and avoid lengthy product procurement process
  • Eliminate risk by trying out tools to ensure they meet requirements
  • Be usable, without the need for training or massive product documentation
  • Effectively address endpoint security and management tasks

SanerNow Use Cases

SanerNow addresses the following business cases:

  • Vulnerability Management – Continuously assess risks, automated to a daily routine.
  • Patch Management – Apply operating system and third-party application patches for Windows, Linux and Mac OS X.
  • Compliance Management – Comply with regulatory standards benchmarks and achieve continuous compliance (PCI, HIPAA, NIST 800-53, NIST 800-171).
  • Asset Management – Discover and manage assets.
  • Endpoint Management – Manage endpoints and ensure their well-being.
  • Endpoint Threat Detection and Response – Detect and Respond to Indicators of Attack (IoA) and Indicators of Compromise (IoC).

Getting Started With SanerNow

Introduction

SanerNow™ is a platform and tools for managing and securing your endpoints. The platform is designed as a SaaS model and provides security and IT management tools on demand.

Sign up

Please refer to the SanerNow website https://sanernow.com or click the Sign up link above.

Getting started with SanerNow

There are only a few simple steps to get started with SanerNow.

  • Sign Up
    • Select a Plan
    • Provision Tools
    • Update Profile
  • Open SanerNow Platform
    • Create Account
    • Create User
    • Deploy Agents
  • Use SanerNow Tools

Sign up

On the SanerNow web page https://www.sanernow.com, click “Sign Up” or “Try for free” at the top right.

Sign up

The first and last name must contain alphanumeric characters. The password needs to have at least one number, one upper case, one lower case and a special character. It must be at least seven characters and no more than 20 characters. The password should only contain these special characters ~ ! @ $ ^ & * ( ) – = _
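The sign-up rules above are a small password and name policy; the following validator is an added example written for this page, not SanerNow's own code, and it shows how such a policy is usually checked (every rule reported, not just the first failure). Two assumptions are labelled in the comments: the dash in the special-character list is taken to be a plain hyphen, and "alphanumeric" for names is taken to mean ASCII letters and digits only. The function names check_password and check_name are my own.

```python
import re
from typing import List

# Allowed special characters from the sign-up rule. The page prints the dash as
# an en dash; it is ASSUMED here to be a plain hyphen "-".
ALLOWED_SPECIALS = "~!@$^&*()-=_"

MIN_LEN, MAX_LEN = 7, 20  # length bounds stated on the page


def check_password(password: str) -> List[str]:
    """Return every rule the password violates; an empty list means it is accepted."""
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    if not re.search(r"[0-9]", password):
        problems.append("needs at least one number")
    if not re.search(r"[A-Z]", password):
        problems.append("needs at least one upper-case letter")
    if not re.search(r"[a-z]", password):
        problems.append("needs at least one lower-case letter")
    if not any(ch in ALLOWED_SPECIALS for ch in password):
        problems.append("needs at least one special character from " + ALLOWED_SPECIALS)
    # "Should only contain these special characters": anything that is neither an
    # ASCII letter/digit nor in the allowed set is rejected (spaces included).
    disallowed = sorted(
        {ch for ch in password
         if not (ch.isascii() and ch.isalnum()) and ch not in ALLOWED_SPECIALS}
    )
    if disallowed:
        problems.append("contains disallowed characters: " + "".join(disallowed))
    return problems


def check_name(name: str) -> bool:
    """Name rule, ASSUMED to mean a non-empty string of ASCII letters and digits only."""
    return name.isascii() and name.isalnum()


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for candidate in ["Secure1!", "secure1!", "Secure1#", "Sh0rt"]:
        print(repr(candidate), "->", check_password(candidate) or "OK")
```

Note that a character outside the allowed set fails two rules at once when it is the only special character present (the "needs at least one special character" rule and the "disallowed characters" rule), which is the behaviour the page's wording implies.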

Click Sign Up to complete registration.

Sign up

To sign up, enter a valid email address, your name, and password. The email address will be the username for your login.

Sign up

Note: If you are unable to register, please check your email address to ensure it is valid and that it hasn’t been previously registered.

An email will be sent to you to verify your registration email.

Note: If you don’t receive the email within a few minutes, please check your email spam folder.

Click on the link in the email to finish the verification process. Within a few minutes you should receive a confirmation web page.

You will be redirected to a web page as shown below after email verification. Click Sign In with your email address and password.

Email confirmation

Note: Please contact support@secpod.com if you did not receive the registration email or if the Sign Up Confirmation isn’t displayed after clicking the email link. It may take a few minutes for the confirmation to display.

On the SanerNow web page (https://sanernow.com), click Sign In at the top right.

Select Plan (This step is not required if you clicked “Try for free”)

After signing in to SanerNow, you can select a free evaluation or monthly plan.

The Free SanerNow Evaluation plan lets you try out SanerNow tools for up to a month on up to ten endpoints. You can switch to a monthly plan at any time.

The SanerNow Monthly plan includes monthly billing based on tools provisioned and number of endpoints managed. An invoice will be generated after the end of each month, which will be sent to the account registration email address. Please contact support@secpod.com if you will be managing more than 5,000 endpoints.

If you clicked “Try for free”, plan selection is not required. You’ll be taken directly to the “Provision Tools” step.

Select the desired plan and click Next.

SanerNow Evaluation

Monthly Plan

Click Next to proceed.

Provision Tools

Select the tools you would like to provision. For the Free Evaluation Plan, you will most likely want to provision all tools. With the Monthly Plan you can then provision specific tools for each account you create. Accounts allow you to segregate endpoints by site and to control user access.

Select the tools to provision and click Next.

Monthly Plan

Update Profile

Enter billing details to complete the sign up process. Enter your address, state, country, zip code and preferred currency. A valid phone number is required. This information will be used for generating invoices.

Click Save.

Monthly Plan

Open Saner Platform

Click Open Saner Platform at the top right. You will then be redirected to saner.secpod.com.

Open Saner Platform

Create Account

Create an account or site with a name, organization, valid email address (that will be used for reports and alerts), number of subscriptions and tools to be provisioned.

Open Saner Platform

Once an account or site is created, SanerNow agents will be built. The agents are built specifically for each account or site.

Note: This process takes several minutes. Please be patient.

Note: Later you can create additional accounts or sites by clicking the gear icon at the upper right.

Deploy Agents

SanerNow agents can be deployed to endpoints by using the links on this page. Select the appropriate agent for the endpoint operating system. When using SanerNow, you can also go to Manage > Devices > Deployment and use a URL for downloading agents.

Open Saner Platform

Use SanerNow Tools

Click the icon at the top left corner of the screen to select an account or site to manage.

Access to Account and Devices

tools for more detail.

Click Manage > Devices to see device information after agents have been deployed.

Access to Account and Devices

Click the icon at the top center to select SanerNow tools.

Access to Account and Devices

Note: If you cannot see all tools after clicking the icon, some of the tools may not have been provisioned for this account.

Note: Refer to the SanerNow User Guides in the Documentation section of the SanerNow website for detailed information (www.sanernow.com/documentation).

Note: If you have any issues, please contact Technical Support at support@secpod.com.

Release Notes

Release Notes SanerNow 4.6.0.0

July 28, 2020

SanerNow 4.6.0.0 comes with several enhancements to enrich the product usage experience. This maintenance release also includes bug fixes to enhance the performance of the SanerNow platform.

Release Summary

Patch Management (PM) module improved with new enhancements

  1. Enhanced visibility in the Patch Management (PM) Dashboard to understand risks, patches, and the impact of patching at any given time.
  2. Added search functionality in PM Dashboard, supporting granular searches on all patch metadata.
  3. Ability to view the impact of patching while creating patching tasks. 
  4. Added search filters in the PM job status page.
  5. Added a new policy to automatically delete inactive devices based on specific criteria.

Others:

  1. New support introduced to audit SQL-based database servers.

Several bugs have been addressed improving the reliability, performance, and security of the SanerNow platform. 

We hope SecPod SanerNow 4.6.0.0 will ease your endpoint security and management operations to a greater extent. Please mail us at support@secpod.com for any feature request or enhancements you expect in the product.

Release Notes SanerNow 4.5.0.0

May 17, 2020

SanerNow 4.5.0.0 brings several enhancements to the Patch Management (PM) module along with a few product performance improvements. This maintenance release also consists of fixes to bugs, security issues, and enhancements to REST API coverage.

Release Summary

Performance Improvements – Enhanced product performance for better usage

  1. Access SanerNow Dashboards more efficiently now: Significant user experience and performance improvements are made to load the dashboard elements faster.
  2. Enhanced management for transient devices: Improved support for transient devices changing locations frequently.
  3. Introducing custom templates for reports: Ability to create a custom template for reports, which can then be applied to all other Customer Accounts or Sites.

Patch Management (PM) – Patch management improved with new functionalities

  1. Included new filters for better visibility: Added filters to identify inactive devices and list devices by their operating system version and build number.
  2. Introducing a single click filter: A single-click filter is introduced to list third-party application patches by the operating system family.
  3. Test and deploy Firmware and non-security patches now: Firmware and non-security patches are included in the Test and Deploy feature. This would allow users to verify patches in a testbed and then approve for production rollout.
  4. Enhancements to save bandwidth usage: The patching jobs are now sent only to the applicable devices in the selected group of devices significantly improving the performance and reducing network bandwidth utilization.

General enhancements and bug fixes

  1. Fixed a few security issues in the platform.
  2. Inconsistency in the SanerNow agent upgrade is addressed, taking fail-over situations into account.
  3. More indicators are added to show the agent’s remediation progress.
  4. Various bugs are resolved on dashboards, reports, and other tools.

We hope SecPod SanerNow 4.5.0.0 will ease your endpoint security and management operations to a greater extent. Please mail us at support@secpod.com for any feature request or enhancements you expect in the product.

Release Notes SanerNow 4.4.0.0

March 19, 2020

At SecPod, we strive to deliver solutions that enhance the user experience. SanerNow 4.4.0.0 comes with a bundle of new additions, enhancements and bug fixes to increase efficient product usage. In this release we have brought several enhancements to Patch Management, Endpoint Detection and Response and the Agent Deployment Tool, along with other general enhancements and bug fixes.

Patch Management (PM) – Enhancing patch management for better visibility

  1. Introducing device view and patch view: A new dashboard element is added to represent a Device view, with the option to switch to Patch view. The Device view shows a list of all applicable patches per device, risks, patchability status, etc., along with a single-click option to create a remediation job.
  2. Check patch repository reachability status and resolve issues: Patch repository reachability status added on the dashboard to diagnose issues related to patching.
  3. Introducing all new device-based reports: Device-based Report APIs are added in Patch Management (PM) under Reports. These APIs include Devices with Missing Security Patches, Missing Configuration, Most Critical Patches (to give you better insight into effective patching), Patches for Paid or Licensed Products, and Missing Patches of Non-reachable Devices.
  4. Insightful error messages to resolve patching obstacles: Error codes and reasons are added to better understand Status on Patch Remediation and Automation tasks.
  5. Show customized alerts on functional end-user systems before initiating remediation: Reboot alert messages can be provided on fixing missing patches, automation or rollback tasks that notifies logged-in users on endpoints to save their work and prepare for the reboot of endpoints. A similar notification can also be sent before remediation tasks, alerting the user about the scheduled activity.
  6. Enhanced Saner agents to comply with the Windows Update component: Saner agents now detect any inconsistency in the Windows Update component and resolve the issue automatically.

Endpoint Detection and Response (EDR) – Optimizing Endpoint Detection and response for improved performance:

  1. Increased scalability to view huge data: EDR performance enhanced to load data for a large number of devices, assisting with scalability.
  2. Introducing filters to view only required details: Status filters are also added in EDR for viewing a subset of data from endpoints.

Agent Deployment – Enhanced agent deployment tool to increase efficiency

Analyse, act and deploy agents according to the requirements of end-user computers: The Saner Agent Deployment Tool now gathers prerequisites and deploys agents with ease. It also allows users to deploy agents with single-sign-on credentials.

General enhancements and bug fixes

  1. Microsoft Operating system details are added with a specific release version wherever Operating System names are displayed across the platform.
  2. Various bugs are resolved on dashboards, reports, and patch management tasks.
  3. Mac OS X agent adheres to the Mac OS X application signing and notarization guidelines.

We hope SecPod SanerNow 4.4.0.0 will ease your endpoint security management to a greater extent. Please mail us at support@secpod.com for any feature request or enhancements you expect in the product.

Release Notes SanerNow 4.3.0.0

February 3, 2020

SanerNow 4.3.0.0 brings several enhancements to the Patch Management (PM) tool. This maintenance release also includes fixes to major bugs and security issues, and enhances REST API coverage.

Release Summary

  1. Operating System (OS) upgrade, a one-click OS version upgrade is introduced. This feature installs necessary Security KBs, and upgrades the system to the latest version.
  2. Reboot Scheduler is introduced to schedule the reboots to a particular time. Reboot jobs are listed in the PM status page to track the reboot progress.
  3. Added color scheme to charts in reports.
  4. Inconsistency in the ‘Windows Update’ component is automatically resolved.
  5. Superseded and older patches are suppressed and only the latest security patches are listed.
  6. Non-Security patches are added to the individual device details page, in addition to the security patches.
  7. REST API coverage is enhanced to include newer APIs and improved security validations.
  8. Inconsistencies while moving a device from one account to another are addressed.
  9. Upgraded 3rd party dependent libraries to the latest version.

Release Notes SanerNow 4.2.2.1

June 28, 2019

SanerNow 4.2.2.1 enriches API coverage in custom reports and extends web service support for software deployment.

Introducing new Custom Report APIs for

  1. Summary of Patch Aging
  2. Detailed Information on Up-To-Date Assets
  3. Listing assets without a vendor-released patch
  4. Vulnerability Metrics, updated to show the total number of vulnerabilities
  5. Overall Remediation information
  6. Vulnerability Statistics
  7. Vulnerability Count of Active and Inactive Devices

Release Notes SanerNow 4.2.2.0

June 14, 2019

SanerNow 4.2.2.0 provides more control over task scheduling, support for non-persistent desktop virtualization devices and minor bug fixes.

Task Scheduling

Extended the scheduler in PM Automation, EDR Detection and Response, EM Checks and Actions to have flexibility in scheduling patching and other tasks. Specifically, users can now choose selective months, weeks, days or any date to schedule tasks.

Non-Persistent Device Support

Support added for non-persistent desktop virtualized devices – agents are activated when such devices are initiated and are gracefully deactivated when shut down. This will ensure subscriptions are not locked down with an instance that is not running and are available for deploying on live systems.

Release Notes SanerNow 4.2.1.0

May 06, 2019

SanerNow 4.2.1.0 introduces a unique, easy-to-use report generation tool with various data export APIs and report builder charts and tables. It also brings support for two new operating systems and further enhances the AI-driven search assistant.

Custom report generation

A unique and easy-to-use report generation and customization tool is introduced with hundreds of pre-built data export APIs, report builder charts and tables. With this, users can create custom reports, export them, and schedule periodic backups of those reports. An intuitive user interface allows you to build custom dashboards and to save and export these dashboards across SanerNow tools.

  1. Create custom reports:
    • Predefined APIs for all SanerNow tools and their functions
    • An intuitive search interface to find or determine the right API
    • Apply filters to extract information of specific interest and plot them as data tables and charts
    • Export created report into PDF or send e-mail
    • Schedule backup of these reports for periodic export and sending e-mails
    • Export each data section into CSV
    • Build reports and set them as Default for periodic viewing
  2. The current Default reports are made available as Canned Reports. With this release, you can also customize these reports.
  3. The Reports tool is built for high performance.

New platform support

  1. Alpine Linux – Alpine Linux is a Linux distribution based on musl and BusyBox, primarily designed for security, simplicity, and resource efficiency. The SanerNow agent is now available to deploy on this platform.
  2. Windows Server 2019 – Microsoft Windows Server 2019 is the latest version of the Microsoft server operating system. The SanerNow agent is now available to deploy on this platform.

Enhancements to Plasma

Plasma is a Beta version of an intelligent machine learning based search assistant. This will be continuously enhanced to become smarter. New enhancements include,

  • More search suggestions
  • Filtering capability to reduce the scope of results
  • Minor bug fixes

Other enhancements

  1. Patch Management: Dates have been added to show when the remediation/patching task was performed on an individual device.
  2. Endpoint Management:
    • USB mass storage device and USB port blocking is now supported on all Linux systems.
    • Blocking of devices by Device ID (device instance ID) is now supported in Windows and Linux.
  3. Track EOL (End of Life) and EOS (End of Support) products across the platform. Such products are marked as Outdated.
  4. Live system metrics on an individual device page (click on the hostname under Manage -> Devices to view this feature). This has a control to fetch system metrics only when refreshed, which helps save network bandwidth.

Release Notes SanerNow 4.2.0.0

March 03, 2019

SanerNow 4.2.0.0 introduces Plasma, a beta version of a smart search assistant. New features are also introduced in Patch Management to further simplify endpoint patching.

Plasma

Plasma is a Beta version of an intelligent machine learning based search assistant. This marks the first release of Plasma which is intended to do smarter, AI (artificial intelligence) powered searches. This will be continuously enhanced to become smarter.

  1. User Assist – Searches as you type across 1000+ documents to provide navigational help on the platform.
  2. Discover – Search across platform’s rich endpoint data and indicators to discover meaningful information.

Patch Management

  1. Test and Deploy – Test patches in a test environment before deployment. Administrators can create a test task and provide automation rules to deploy after validating results of the test task. This is useful to rollout patches in a production environment after testing in an identical test environment.
  2. Batch Remediation – Administrators are able to include pre and post scripts to be bundled in a remediation job or rule. Pre-scripts are executed before the remediation task and post-scripts are executed once a remediation task completes. This feature is only available for security patches. Additionally, our content research team will add script-based patching to cover vulnerabilities that do not have vendor patches.
  3. Firmware Patching – With an increasing number of attacks targeting the underlying hardware system, firmware patching has become a critical need. Firmware patches can now be applied on Microsoft Windows systems.
  4. Reboot Control – Logged-in users are now able to postpone reboots until a specific time.
  5. Retry Remediation – The Patch Management Status page now lets you re-attempt already created remediation tasks. A copy of the remediation job is created which can be edited and applied.
  6. Detailed Remediation Status – Remediation status now includes Received, Initiated and Done to provide more visibility on tasks being performed.
  7. Stop Ongoing Remediation Task – Ongoing remediation tasks can now be stopped to release devices that haven’t yet accepted the task. This will free devices for other remediation tasks.
  8. Dashboard changes – A smart Patch Compliance calculator has been added to identify the number of patches required to patch a minimal number of devices to eliminate the maximum number of vulnerabilities. Patch compliance for devices and assets are also shown.
  9. Bug Fixes and Performance – Various issues have been addressed.

Endpoint Management

  1. Extended support to handle .bat, .sh, .reg, .deb, .rpm, .exe, .msp, .msi via the zip file upload section under Software Deployment.

Device Management

  1. Users can move Devices across accounts. This is useful when employees move to different locations or move to new projects, etc.
  2. E-mail alerts are now provided when Saner agents are uninstalled.

Release Notes SanerNow 4.1.1.0

November 22, 2018

Software deployment

  1. Deploy Software packages from an array of pre-packaged Software applications to Saner-enabled systems. We have hundreds of pre-bundled packages to choose from for Windows, Linux and Mac OS X.
  2. Create rules to deploy Software packages to new devices while new systems are being provisioned. All your pre-selected Software packages are deployed in one go. This helps make your systems ready to use with all essential software.
  3. Create your own deployer package and roll out across all Saner enabled endpoint systems. The deployer packages can be exe, MSI, archived files with script and other installers or it can even be a download URL.
  4. Uninstall Software applications across endpoint systems to remove rogue applications, blacklisted applications, license violating applications or unauthorized software at one go across all affected systems.

Real-time communication

  • Continuous, real-time visibility is a must for security operations. With new, web-socket based communication between the agents and the server, everything becomes instant. Sending a scan request, performing a query, monitoring system activities, scheduling an Action in response to a security event are all immediate.

Live system health

  • System details now include trending graphs showing CPU, RAM, Network and Disk usage. Click on a device to witness live data from an endpoint, the most simple and sophisticated means to monitor system health.

Role based user access

  • Introducing Role-based User Access – to delegate users to handle one or more Saner services across multiple accounts.

Password protect Saner agent service

  • The Saner agent service is now password protected. Any unauthorized uninstallation of the Saner agent is prevented unless the configured password is supplied.

Others

  1. Account administrators can alter device subscription limit for accounts and extend account expiry date
  2. Improved Microsoft patching
  3. Endpoint Protection Software displays devices without Anti-Virus software installed in addition to devices that are under risk
  4. Performance improvements
  5. Saner agent upgrade and scan optimization on agents
  6. Bug and security fixes

Release Notes SanerNow 4.1

September 05, 2018

  1. Patch Management Automation now supports security and non-security patches. A software patch can fix security vulnerabilities or improve the usability and performance. While creating an automation task, users can select from two options, either apply security patches only or apply both security and non-security patches.
  2. Patch Rollback is now available for Linux and Mac operating systems. Saner tracks rollback point for a software asset while applying a patch. This helps revert changes and restores applications or operating systems to the last best-known version/configuration.
  3. Saner users can prioritize patches based on severity. Patches are categorized as Critical, High, Medium and Low. A typical use-case would be to allow remediation tasks to qualify only critical patches for Software applications on various devices.
  4. All scans now run in “Low” mode by default. This would ensure Saner agents consume minimal resources while a scan is run. A CPU threshold value can also be set to restrict resource utilization. This configuration can be altered using Settings.
  5. Simplified Group and Device filtering.
  6. Revamped patch automation and Remediation Status interface for better usability, with the ability to filter by Group/Devices and also by the family of Operating System.
  7. Saner agents can now recover themselves in case of an abnormal shutdown of a system.
  8. Other bugs and usability concerns are addressed.

Release Notes SanerNow 4.0.0.5

  1. Updated Code Signing Certificate and signed all executables and binaries.

Release Notes SanerNow 4.0.0.4

  1. Fixed cross-site scripting and remote code execution vulnerabilities in the update logo feature in Account Management, which allowed attackers to define potentially untrusted JavaScript running within a web browser. Thanks to Sumit Birajdar for helping us discover the vulnerability.
  2. Integrated support for Fedora 28 operating system.
  3. Patch Management supports MSI file format for remediating vulnerabilities in Windows Systems.
  4. Fixed configuration file corruption issue on force shutdown/restart of devices using backup mechanism.
  5. Minor bug fixes.

Release Notes SanerNow 4.0.0.3

  1. Introduced device status on group-based view in Manage page.
  2. Fixed Mail settings update for Administrators and Accounts/Sites.
  3. Added persistence of task scheduling in Endpoint Management (EM) and Endpoint Detection and Response (EDR).
  4. Minor bug fixes.

Release Notes SanerNow 4.0.0.2

  1. Fixed host counters in Assets License Section in PDF reports. Fixed detection counters in IoC and IoA Sections under Endpoint Detection and Response (EDR) PDF reports.
  2. Fixed Remediation action issues in Compliance Management (CM).
  3. Other minor bug fixes.

Release Notes SanerNow 4.0.0.1

  1. Fixed scheduling software deployment tasks in Endpoint Detection and Response (EDR).
  2. Added hostnames of devices associated with a specific Software/Hardware License in the CSV report of Asset Management.
  3. Fixed an update issue in Sensitive Data Detection scripts under Endpoint Management (EM).
  4. Fixed a scheduler update issue in System Health detection scripts under Endpoint Management (EM).

FAQ – Frequently Asked Questions

Technical FAQ

How to get started?

Sign up on www.sanernow.com and select the tools required. Go to “Open Console” to create accounts and deploy agents. Within 10 minutes you should be able to set up 1000 machines and view their reports.

What measures can we take to secure our account?

You can set up 2-step verification to add an extra layer of security to your account. See the section How can we set up two-factor authentication for more details. Administrators and Account Administrators can enforce two-factor authentication for all other users.

How is my data secured?

Your data is isolated from others. Multiple techniques are used to ensure data integrity, and requests/responses are verified. Our specialized team ensures that the platform passes through multiple layers of security tests. These teams are up to date with the latest attacks and threats and play a major role in defining checks for products such as OpenVAS. Your data is secure with us.

How can we set up two-factor authentication?

When you enable two-factor authentication, you add an extra layer of security to your account. You sign in with something you know (your password) and something you have (a code sent to your phone).

To start, click ‘turn on’ against two-factor authentication. Open the Google Authenticator app and scan the QR code. The app will display a 6-digit code. Enter the code in the text box and press the Enable button.

On every login, after entering your username and password, you will be prompted to enter the code displayed by the Google Authenticator app. Both steps are verified before access to your account is granted.

What is the average size of content downloaded or network utilization by agents from your server during scan?

The amount of security content downloaded varies with the vulnerabilities and configuration issues detected. On Windows machines, an active agent downloads an average of 4 MB of data, and only when the content needs an update (i.e., has changed). Our signature release cycle is 2-3 times per week. We have devised mechanisms to optimize content download.

How are system resources utilized, and what is the CPU load during a scan?

CPU usage averages 20-30% in low-mode scans. In full-throttle mode, scans are fast and finish within minutes; CPU usage averages 50-80% for a few seconds and then returns to 20-30%. The Saner service priority is set to normal, and the operating system handles it effectively, so it will not interfere with your work.

What settings may be required to optimize network during remediation/patching?

Set up a local patch server or a WSUS server in your organization. Agents are designed to detect WSUS server settings and fetch patches from it. If WSUS is not configured on your individual endpoints, you can use the EDR section to set up a Registry Response. For more details, see https://support.microsoft.com/en-in/help/328010/how-to-configure-automatic-updates-by-using-group-policy-or-registry-s

Third-party product patches can also be served from a local HTTP/HTTPS/FTP server. Go to Manage > Create Settings > Remediate.

Under Third-party products patch server, select Local; a new set of settings opens where you can provide the server URL. Contact info@secpod.com to get the Remediation resource feed for a large setup.

Settings such as buffering patches with bandwidth usage restriction, under Manage > Create Settings > Remediate, also help optimize remediation tasks.

How are system resources utilized, and what is the CPU load during remediation?

CPU usage is very low during remediation. Patches are queued and applied sequentially. A scan is performed after the remediation job or rule completes. The following graph shows the effect of remediation on the operating system.

Can I configure a time period between which remediation should start and end?

Yes. While setting up a remediation job or rule, you can provide a remediation timeframe with a start and end date-time. For example, in a typical organization, remediation can be set to end at 8:00 a.m., when employees start their day at work. If an automated remediation task is still ongoing at 8:00, it will come to its logical end, and any reboot and subsequent tasks will be taken up in the next time interval. Short-term remediation tasks, however, will end and their results will be uploaded.

After configuring a time period between which remediation should start and end, can I change it?

For remediation automation, the timeframe can be changed and takes effect in the next scheduled window. Short-term remediation tasks cannot be modified.

Can I install a customized patch for remediation or install other applications using Saner?

Yes. Use Software Deployment in the Response section of Endpoint Management. All applications and patches are installed silently without interfering with users on the endpoints. It is advisable to test your installation and provide the appropriate silent option if the usual switches such as /S are not accepted by the installer.

Can I also install a non-security patch with Saner?

Yes. Use Software Deployment in the Response section of Endpoint Management.

What should I do if a remediation patch is not available?

You can choose to block the application temporarily and unblock it later. Go to EDR > Build your own Response > Application Block.

How can I remediate commercially licensed products such as Adobe Acrobat or Oracle WebLogic Server?

Use Software Deployment in the Response section of Endpoint Management. Provide a vendor URL from which to download the patch, or upload the patch, and provide the silent option.

Can I find out how long a vulnerability has existed in my organization?

Yes. In the VM dashboard, the vulnerability patching graph shows how long a vulnerability has existed in the organization since it was first detected on our platform.

What are the next steps after vulnerability detection?

VM gives you detailed information about existing loopholes that make endpoints prone to malware attacks. The next steps are to plan patching activity using PM and to ensure endpoint-protection software is up to date using EM. Complementary to that, EDR helps you recognize any ongoing attack so you can respond immediately, and AM lets you check whether such vulnerable software assets are in regular use or used only sparingly.

How can I mitigate vulnerabilities effectively?

You can visualize vulnerability mitigation statistics to prioritize your patching activity. Insight into high-fidelity attacks tells you which tasks require immediate attention because the endpoint is prone to malware attack. Statistics such as vulnerabilities grouped by severity score also help determine the next steps for mitigation.

Can I find out how long a patch was available but not applied in my organization?

Yes. In the PM dashboard, the patching graph shows when a missing patch was released by the vendor and how long it has remained unapplied on the endpoints. Patching Impact and Configuration Impact are powerful tools to visualize the effect of remediation.

Remediation and software patching is a long and difficult activity. What if something goes wrong? Is a rollback option available?

Our patches are tested by a dedicated team to ensure remediation is accurate and quick. The Saner agent has also evolved as part of remediation to ensure speedy patching.

In any case, a Rollback feature is available for Windows, Linux and Mac operating system patches. Compliance rollback is also in place. Third-party products cannot be reverted, but the previous version can be reinstalled. Go to PM dashboard > click on PM in left panel > Rollback.

Before applying remediation, check whether rollback is possible for the patch, because some vendor patches do not support rollback.

Can I know why a particular remediation failed?

Yes. In the PM dashboard, see ‘Reason for Failure’. You can also check the status of individual remediation tasks in the ‘Job Status summary’ section on the dashboard. Click on expand to dig deeper into the status.

A patch is available and approved in my WSUS server but Saner remediation is failing. Why?

Each setup is different, and a few checks on your end can speed up resolution of such issues. On one of the endpoints, check whether the system is configured to use your WSUS server. Open Windows Update to see whether the patch appears on the system. If the relevant patch appears, Saner should be able to fetch it. If not, either WSUS is not configured properly or a prerequisite patch is blocking remediation.

Please note: installing a patch may expose further applicable patches for a software asset. Also, the Windows Update software itself may require patching; consider installing that before any other remediation task.

Please log your observations in an e-mail to info@secpod.com so we can resolve your case. We will be happy to help.
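The WSUS checks suggested in the answers above (agents picking up the endpoint's WSUS settings, and verifying on one endpoint that Windows Update is configured for your WSUS server when remediation fails) can be scripted. The following PowerShell is an added example, not SanerNow's own code: it reads the policy values documented in the Microsoft article linked above (WUServer, WUStatusServer, UseWUServer); the TCP port check and the DetectNow call are this example's choices, and the sample server URL in the comment is a placeholder.

```powershell
# Added example (not SanerNow's own code): verify on one endpoint whether Windows Update
# is pointed at your WSUS server before raising a remediation failure with support.
function Get-WsusClientConfig {
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $au     = Join-Path $policy 'AU'

    # With -ErrorAction SilentlyContinue an absent key yields $null, which is the
    # "no WSUS policy on this endpoint" case.
    $wu      = Get-ItemProperty -Path $policy -ErrorAction SilentlyContinue
    $auProps = Get-ItemProperty -Path $au     -ErrorAction SilentlyContinue

    $useWuServer = 0
    if ($auProps -and $auProps.PSObject.Properties['UseWUServer']) {
        $useWuServer = [int]$auProps.UseWUServer
    }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        WUServer       = $wu.WUServer        # download server, e.g. http://wsus.example.local:8530 (placeholder)
        WUStatusServer = $wu.WUStatusServer  # reporting server, usually the same URL
        UseWUServer    = $useWuServer        # 1 = client uses WSUS, 0 = client uses Microsoft Update
        Configured     = ($useWuServer -eq 1 -and -not [string]::IsNullOrEmpty($wu.WUServer))
    }
}

function Test-WsusReachable {
    param([Parameter(Mandatory)][string]$WUServer)
    # A TCP connect to the configured host/port rules out DNS and firewall problems
    # before you look for a missing prerequisite patch.
    $uri = [uri]$WUServer
    Test-NetConnection -ComputerName $uri.Host -Port $uri.Port -InformationLevel Quiet
}

$cfg = Get-WsusClientConfig
$cfg | Format-List

if (-not $cfg.Configured) {
    Write-Warning 'No WSUS policy on this endpoint: the agent will fetch from Microsoft Update instead.'
} elseif (-not (Test-WsusReachable -WUServer $cfg.WUServer)) {
    Write-Warning "WSUS server $($cfg.WUServer) is not reachable from this endpoint."
} else {
    # Ask the Windows Update Agent to run detection now, then compare what Windows Update
    # lists against what Saner reports as missing.
    (New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow()
    Write-Output 'Detection triggered; check Windows Update for the approved patch.'
}
```

Run it in an elevated PowerShell session on the affected endpoint; the output of Get-WsusClientConfig together with the agent audit log is what support will ask for.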

Can I identify software products that are end-of-life? What actions can be taken for end-of-life products?

Yes. Check AM dashboard > Outdated Applications. Consider installing upgrades using Software Deployment in the Response section of Endpoint Management. You can also uninstall such applications using Application Management > Uninstall.

Does Saner provide tracking of software licenses?

Yes. In AM, you can track software licenses and the cost incurred by the organization. You can also provide an external feed to assess software licenses.

Can I blacklist or whitelist software applications?

Yes. In AM, import a blacklisted or whitelisted applications feed (in CSV format) and go to the dashboard to check for violations. Currently, we do not automatically uninstall or block applications based on this feed. This can be automated using EDR > Build your own Detection and Response to periodically run a response script.
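A detection script of the kind the answer above says can be scheduled through EDR > Build your own Detection and Response, as an added example rather than SanerNow's own script. The two-column CSV layout (Name, Action), the sample entries, and the substring match on the Windows DisplayName are this example's assumptions, not the format of the SanerNow feed.

```powershell
# Added example (not SanerNow's own code): compare installed applications against a
# blacklist/whitelist feed and exit non-zero when a blacklisted application is present.

# Constructed sample feed; in practice read it from the file you imported into AM.
$feedCsv = @'
Name,Action
uTorrent,blacklist
BitTorrent,blacklist
TeamViewer,blacklist
7-Zip,whitelist
'@
$feed = $feedCsv | ConvertFrom-Csv

# Installed applications as Windows records them for Programs and Features
# (64-bit, 32-bit and per-user hives).
function Get-InstalledApplication {
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, DisplayVersion, Publisher, UninstallString
}

function Find-FeedViolation {
    param([object[]]$Feed, [object[]]$Installed)
    $blacklist = $Feed | Where-Object Action -eq 'blacklist'
    foreach ($app in $Installed) {
        foreach ($rule in $blacklist) {
            # Substring match, because vendors append versions and editions to DisplayName.
            if ($app.DisplayName -like "*$($rule.Name)*") {
                [pscustomobject]@{
                    DisplayName     = $app.DisplayName
                    Version         = $app.DisplayVersion
                    Publisher       = $app.Publisher
                    Rule            = $rule.Name
                    UninstallString = $app.UninstallString
                }
            }
        }
    }
}

$violations = @(Find-FeedViolation -Feed $feed -Installed (Get-InstalledApplication))
if ($violations.Count -gt 0) {
    $violations | Format-Table -AutoSize
    # A non-zero exit marks the endpoint as non-compliant for the scheduled detection;
    # the paired response script (for example, running UninstallString) is your decision.
    exit 1
}
exit 0
```

The detection only reports; keeping the uninstall in a separate response script mirrors the split the answer describes and lets you review the violations before anything is removed.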

What response actions can be executed from Saner?

Response actions are broadly categorized into Network, Process, Service, Software Deployment, System, Application and Devices, Security, File, Windows Registry, Tuneup and Startup Programs. Each category in the Response section has a set of actions; check the individual categories for more information.

Is it possible to automate responses/actions on detection scripts?

Yes. In EM, you can create actions based on a set of existing detection scripts.

Can we add more detection scripts in EM?

100+ detection scripts are already defined and ready to use. You can add more using EM > Tools. In case of any issues or requirements, contact info@secpod.com and we will create it for you.

Can I know the system health of all my endpoints?

Yes. Go to EM > Detection > System Health. Click to get real-time data. It shows disk space usage reaching 90% and high CPU and RAM usage.

Can I command my endpoint to scan now or reboot now?

Yes. Go to Manage > Devices > select device > click ‘Scan now’. For reboot, go to EDR/EM > Response > System and select Reboot.

What are the common indicators of compromise/attack?

Endpoint protection software disabled, applications from an unknown publisher, firewall disabled, torrent-like downloads, a new application in the startup programs, common operating system libraries with a changed MD5 checksum, unknown processes running or multiple ports open, and disk space running out, to name a few.
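Three of the indicators listed above (firewall disabled, a new startup program, and a changed checksum on a common operating system library) can be checked on a Windows endpoint with a script like the following. It is an added example, not a SanerNow detection script; the library list, the baseline file location, and the use of SHA-256 rather than the MD5 the answer mentions are this example's choices.

```powershell
# Added example (not SanerNow's own code): record a hash baseline of core system libraries
# once on a known-good machine (-Baseline), then on later runs report libraries whose
# hash changed, disabled firewall profiles, and unsigned Run-key startup programs.
param(
    [string]$BaselinePath = "$env:ProgramData\ioc-baseline.json",   # assumed location
    [switch]$Baseline
)

# Libraries that are common targets for replacement or patching; extend as needed.
$libraries = @('ntdll.dll', 'kernel32.dll', 'advapi32.dll', 'user32.dll', 'wininet.dll') |
    ForEach-Object { Join-Path $env:SystemRoot "System32\$_" }

function Get-LibraryHashes {
    $hashes = @{}
    foreach ($path in $libraries) {
        if (Test-Path $path) {
            $hashes[$path] = (Get-FileHash -Path $path -Algorithm SHA256).Hash
        }
    }
    $hashes
}

function Compare-LibraryHashes {
    param([hashtable]$Current, [hashtable]$Known)
    foreach ($path in $Current.Keys) {
        if ($Known.ContainsKey($path) -and $Known[$path] -ne $Current[$path]) {
            # A changed hash is also expected after a Windows update: correlate with the
            # endpoint's patch history before treating it as a compromise.
            [pscustomobject]@{ Indicator = 'LibraryHashChanged'; Detail = $path }
        }
    }
}

function Get-FirewallFindings {
    Get-NetFirewallProfile | Where-Object { -not $_.Enabled } | ForEach-Object {
        [pscustomobject]@{ Indicator = 'FirewallProfileDisabled'; Detail = $_.Name }
    }
}

function Get-StartupFindings {
    $runKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')
    $providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
    foreach ($key in $runKeys) {
        $entries = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $entries) { continue }
        foreach ($prop in $entries.PSObject.Properties) {
            if ($prop.Name -in $providerProps) { continue }
            # Reduce '"C:\path\app.exe" --args' to the executable path.
            $exe = ([string]$prop.Value).Trim('"') -replace '^(.*?\.exe).*$', '$1'
            if ((Test-Path $exe) -and (Get-AuthenticodeSignature $exe).Status -ne 'Valid') {
                [pscustomobject]@{ Indicator = 'UnsignedStartupProgram'; Detail = "$($prop.Name) -> $exe" }
            }
        }
    }
}

$current = Get-LibraryHashes
if ($Baseline) {
    $current | ConvertTo-Json | Set-Content -Path $BaselinePath
    Write-Output "Baseline written to $BaselinePath"
    exit 0
}

$findings = @()
if (Test-Path $BaselinePath) {
    $known = @{}
    (Get-Content $BaselinePath -Raw | ConvertFrom-Json).PSObject.Properties |
        ForEach-Object { $known[$_.Name] = $_.Value }
    $findings += Compare-LibraryHashes -Current $current -Known $known
}
$findings += Get-FirewallFindings
$findings += Get-StartupFindings
$findings = @($findings | Where-Object { $_ })

$findings | Format-Table -AutoSize
if ($findings.Count -gt 0) { exit 1 } else { exit 0 }
```

Scheduled as a detection in EDR, the non-zero exit code is what flags the endpoint; the findings themselves should be read alongside the patch history, since an operating-system update legitimately changes library hashes.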

Which Compliance benchmarks does Saner support?

SecPod Default Compliance, vendor-recommended (such as Microsoft) General Compliance, NIST 800-53, NIST 800-171, PCI, HIPAA, and others such as ISO 27001, WMI, ports, process control, service control, device control and anti-virus compliance, which can be designed as per user requirement.

Can I remove checks from an existing Compliance benchmark?

Yes, if a check does not apply to your organization. Simply deselect the rule or category while creating/editing the compliance benchmark.

Can I take remediation actions on customized Compliance checks?

Yes. Remediation scripts are automatically generated based on the compliance benchmark created by users. Go to CM dashboard > Remediation actions to know more.

Why do some compliance checks show ‘Not selected’ or ‘Not checked’ status?

Checks you have deselected appear as ‘Not selected’ in the report. Compliance checks that require input from the user are mostly ‘Not checked’ unless that data is provided. If you have any issues, please contact info@secpod.com; screenshots of the reports/dashboard and the agent audit logs will help us understand the case.

Can I apply rollback on a customized Compliance benchmark?

Yes.

Can I see trending reports?

No. Currently you can back up reports using Reports in the left panel; reports are emailed automatically at scheduled intervals.

Can I export an individual endpoint report?

Yes. Go to Manage > Devices > click on hostname > click on Export Device Report.

Can I be alerted on certain incidents on endpoints?

A variety of alerts can be issued to notify on failed actions, incidents on endpoints, critical vulnerability issues, configuration issues, new detections on endpoints, etc. Click Alerts in the left panel to know more.

How long does a scan take?

A typical scan takes under 5 minutes on Windows and 1-2 minutes on Linux and Mac machines. Special mechanisms and algorithms on the agents help achieve this.

My scan is prolonged. What can I do?

Contact info@secpod.com with the endpoint’s audit log, obtained from Manage > Devices > click on hostname > click on Audit Logs. You can also change Settings > Log to debug, scan again, and send spsaneragent.log from the endpoint: it is in the log folder under the SecPod Saner installation directory on Windows and in /var/log/saner on Unix-based machines.

SanerNow Architecture

SanerNow’s platform-centric approach is designed on the same principles as that of an operating system. The core (‘kernel’) performs the analytical computations required to detect aberrations and deviations. The ‘shell’ provides the ability to query, monitor and make changes. The ‘user/application layer’ helps transform these computations to support various use cases.

SanerNow is built with these four primary concepts:

  • Query the system to get visibility
  • Monitor for changes and aberrations as they occur
  • Analyze the system for risks and threats
  • Respond to fix the issues

Key platform features include:

  • Continuous monitoring: System controls
  • Principle of Self-Healing: Detect and fix vulnerabilities, identify unwanted/unused assets and uninstall them, monitor the anti-virus program status and start it if it is not running, detect IoC/IoAs and respond to the threats.
  • Speed: Deploy SanerNow in minutes, scan 1000s of endpoints in less than 5 minutes
  • Scalability
  • Multi-tenancy, multi-user and role-based access
  • High performance: Retrieve search results in less than a second
  • Agents: Support for Windows, Linux and Mac OS X

SanerNow is a scalable analytics and correlation engine. It works with the SanerNow agent that resides on endpoint devices to collect and transmit data to the SanerNow server. The SanerNow server correlates the data from agents on endpoint devices with compliance standards and best practices, and with vulnerability and threat intelligence, to provide real-time endpoint management and protection capabilities.

Scalability and Ease-of-use

SanerNow provides an intuitive registration interface and an efficient authentication mechanism to safeguard customers’ data. It provisions and meters tools and services for a large number of devices in a subscription-based model, scaling from ten to thousands of devices under each account. Each endpoint in an organization subscribes to our platform: an agent is installed that harnesses the power of the endpoint and exchanges information with our platform with minimal use of CPU and memory.

Simple and Intuitive

Effortlessly deploy and manage devices with a platform that provides numerous ways to install agents: deploy using our deployment tool, roll out a silent installation using your organization’s deployment tool, or share via a unique URL.

Each endpoint communicates with the platform using web services. Our platform also provides mechanisms to integrate with other platforms via web services or SDKs.

Optimization Algorithms

The SanerNow platform serves relevant checks and actions based on the type of endpoint, broadly categorized as Windows, Mac and Linux operating systems. The checks and actions served from the platform are refined to the version of the operating system running on the endpoint, which avoids exchanging large volumes of data with agents. Optimized algorithms at the agents and the server perform scans within minutes and analyze the data for the different tools. The data sent from agents is designed to minimize network usage while giving quick responses and accurate information, as tested in our labs.

Visibility and Continuous Protection within Minutes

Finely crafted reports give you insight into the overall security posture of your organization and drill down to a detailed account of vulnerabilities, compliance issues, incidents and responses, missing and installed patches, and 100+ endpoint management checks. Alerts give you instant notifications on warnings that need to be addressed on your endpoints. You can also get instant notifications on actions taken based on checks.

Detection and Response Automation

SanerNow also provides an easy means to audit and automate responses based on detection scripts. These actions can be scheduled to minimize user intervention wherever possible.

Platforms Supported

SanerNow Supported Operating Systems

  • Microsoft Windows 7
  • Microsoft Windows 8.1
  • Microsoft Windows 10
  • Microsoft Windows Server 2008
  • Microsoft Windows Server 2008 R2
  • Microsoft Windows Server 2012
  • Microsoft Windows Server 2012 R2
  • Microsoft Windows Server 2016
  • Microsoft Windows Server 2019
  • Mac OS X 10.10
  • Mac OS X 10.11
  • Mac OS X 10.12
  • Mac OS X 10.13
  • Mac OS X 10.14
  • Ubuntu 14.04
  • Ubuntu 16.04
  • Ubuntu 18.10
  • Ubuntu 18.04
  • Debian 7
  • Debian 8
  • Debian 9
  • Amazon Linux
  • Amazon Linux 2
  • Red Hat Enterprise Linux 5
  • Red Hat Enterprise Linux 6
  • Red Hat Enterprise Linux 7
  • CentOS 5
  • CentOS 6
  • CentOS 7
  • Oracle Linux 5
  • Oracle Linux 6
  • Oracle Linux 7
  • Fedora 27
  • Fedora 28
  • Fedora 29
  • Linux Mint 17
  • Linux Mint 18
  • Linux Mint 19
  • Linux Mint Debian Edition 3 Cindy

SanerNow Feature Map

SanerNow addresses the following business cases:

  • Vulnerability Management – Continuously assess risks, automated to a daily routine.
  • Patch Management – Apply operating system and third-party application patches for Windows, Linux and Mac OS X.
  • Compliance Management – Comply with regulatory standards benchmarks and achieve continuous compliance (PCI, HIPAA, NIST 800-53, NIST 800-171).
  • Asset Management – Discover and manage assets.
  • Endpoint Management – Manage endpoints and ensure their well-being.
  • Endpoint Threat Detection and Response – Detect and Respond to Indicators of Attack (IoA) and Indicators of Compromise (IoC).


Security Content and Intelligence

This section describes the security intelligence hosted in our content repository that feeds the SanerNow platform.

INDEX

  1. SCAP Content Statistics
  2. OVAL Definitions Platform Coverage
  3. OVAL Definitions Class-wise Distribution
  4. OVAL Definitions Family-wise Distribution
  5. Application and OS Remediation Coverage
  6. Compliance Benchmark Coverage
  7. List of Vulnerability to Exploit/Malware Mapping covered in SanerNow
  8. List of IoA (Indicators of Attack) covered in SanerNow

SCAP Content Statistics

Content   Coverage
CVE       41027
CPE       132805
CRE       12591
CCE       17342
CWE       909
XCCDF     156
OVAL      111967

OVAL Definitions Platform Coverage

Platform        OVAL Definitions
Alpine Linux    1282
Amazon Linux    1952
Apple MacOS     13108
CentOS          4652
Debian          5192
Fedora          14271
IBM AIX         232
Linux           15021
Mandriva        2122
Oracle Linux    2861
Red Hat         4237
SUSE            338
Sun Solaris     2332
Ubuntu          7083
Windows         37150
Total           110551

OVAL Definitions Class-wise Distribution

OVAL Class      OVAL Definitions
Inventory       7853
Vulnerability   41027
Patch           45745
Compliance      17342

OVAL Definitions Family-wise Distribution

OVAL Family   OVAL Definitions
Windows       37150
Linux         61678
MacOS         13108

Application and OS Remediation Coverage

Sl. No.   OVAL Definitions
1         All Microsoft products
2         All Linux distros ‘OS’ packages
3         All Mac OS X packages
4         Adobe AIR
5         Adobe Flash Player NPAPI
6         Adobe Shockwave Player
7         Adobe Reader
8         Apache Subversion
9         Apple iTunes
10        Apple QuickTime
11        Apple Safari
12        Elasticsearch
13        Foxit Reader
14        Adobe Reader DC Continuous
15        Google Chrome
16        Mozilla Firefox
17        Mozilla SeaMonkey
18        Mozilla Thunderbird
19        MySQL
20        Ghostscript
21        Google Earth
22        Google Picasa
23        Google SketchUp
24        OpenSSH
25        OpenSSL
26        OpenOffice
27        OpenVPN Client
28        Opera
29        Pidgin
30        PostgreSQL
31        PuTTY
32        Python
33        RealPlayer
34        RealVNC
35        Skype
36        Oracle Java JDK/JRE
37        Oracle VirtualBox
38        VMware Player
39        VMware Movie Decoder
40        VLC Media Player
41        Winamp
42        WinRAR
43        WinZip
44        Wireshark
45        Adobe Reader DC Classic
46        WinSCP
47        ActivePerl
48        Apple iCloud
49        Mozilla Firefox ESR
50        Mozilla Thunderbird ESR
51        Adobe Flash Player ActiveX
52        Adobe Flash Player PPAPI
53        LibreOffice
54        .NET Core
55        7-Zip
56        TeamViewer
57        UltraVNC
58        TightVNC
59        Trillian
60        Evernote
61        CCleaner
62        Notepad++
63        Adobe Acrobat for Mac
64        Adobe Acrobat DC Classic for Mac
65        Adobe Acrobat DC Continuous for Mac
66        LAN Messenger
67        PowerShell
68        K-Meleon
69        Adobe Digital Editions
70        vSphere Client
71        FlashGet
72        Lenovo System Update
73        Inkscape
74        Audacity
75        AIMP
76        Malwarebytes
77        Sumatra PDF
78        Citrix Receiver
79        Apple iBooks Author
80        Adobe Brackets
81        Pale Moon
82        Cygwin
83        VMware Tools
84        Docker for Linux
85        MySQL Connector/Net
86        Dell SupportAssist
87        Dropbox
88        AnyDesk (Windows)
89        Git
90        iTerm2 for Mac
91        Microsoft Visual Studio Code
92        Cacti
93        Calibre
94        Kubernetes for Linux
95        Kibana for Linux
96        TheHive Project Cortex analyzer for Linux
97        GitLab CE, GitLab EE for Linux
98        Bitdefender
99        Apache CouchDB
100       GIMP
101       Atlassian Bamboo
102       Telegram Desktop
103       BS.Player
104       KMPlayer
105       IBM Db2
106       IrfanView

Compliance Benchmark Coverage

Benchmark for OS                    General Compliance   SecPod Compliance   NIST 800-171   NIST 800-53   PCI 3.2   HIPAA 45 CFR 164
Microsoft Windows 7                 Yes                  Yes                 Yes            Yes           Yes       Yes
Microsoft Windows 8.1               Yes                  Yes                 Yes            Yes           Yes       Yes
Microsoft Windows 10                Yes                  Yes                 Yes            Yes           Yes       Yes
Microsoft Windows Server 2008 R2    Yes                  Yes                 Yes            Yes           Yes       Yes
Microsoft Windows Server 2012 R2    Yes                  Yes                 Yes            Yes           Yes       Yes
Microsoft Windows Server 2016       Yes                  Yes                 Yes            Yes           Yes       Yes
Mac OS X 10.10                      Yes                  Yes                 No             No            No        No
Mac OS X 10.11                      Yes                  Yes                 No             No            No        No
Mac OS X 10.12                      Yes                  Yes                 No             No            No        No
Mac OS X 10.13                      Yes                  Yes                 No             No            No        No
Mac OS X 10.14                      Yes                  Yes                 No             No            No        No
Red Hat Enterprise Linux 6          Yes                  Yes                 No             No            No        No
Red Hat Enterprise Linux 7          Yes                  Yes                 No             No            No        No
CentOS 6                            Yes                  Yes                 No             No            No        No
CentOS 7                            Yes                  Yes                 No             No            No        No
Oracle Enterprise Linux 6           Yes                  Yes                 No             No            No        No
Oracle Enterprise Linux 7           Yes                  Yes                 No             No            No        No
Amazon Linux AMI                    Yes                  Yes                 No             No            No        No
Amazon Linux 2                      Yes                  Yes                 No             No            No        No
Ubuntu 14.04                        Yes                  Yes                 No             No            No        No
Ubuntu 16.04                        Yes                  Yes                 No             No            No        No
Ubuntu 18.04                        Yes                  Yes                 No             No            No        No

List of Vulnerability to Exploit/Malware Mapping covered in SanerNow

Sl. No.   MVE (Malware Vulnerability Enumeration)
1         Novidade Exploit Kit
2         Predator the Thief Stealer Malware
3         Angler Exploit Kit
4         Nebula Exploit Kit
5         Wekby-APT18
6         Spectre-NG
7         BlackHole Exploit Kit
8         POODLE
9         Beapy Cryptominer
10        BlackOasis APT
11        BlueKeep
12        Mozi Botnet
13        LokiBot Malware
14        Hangul Active Exploits
15        Fragus Exploit Kit
16        Aurora Panda APT17
17        Quasar
18        Sandworm Team APT
19        LatentBot
20        Asruex Trojan
21        Cleaver APT
22        IcePack Exploit Kit
23        SharePoint Active Exploit-CVE-2019-0604
24        Roboto Botnet
25        iPack Exploit Kit
26        Elise Malware
27        Tick APT
28        Spartan Exploit Kit
29        SWEED Group
30        MuddyWater APT
31        TA505 APT
32        Troldesh Ransomware
33        NEODYMIUM APT
34        Echobot Botnet
35        Archie Exploit Kit
36        Pinchy Spider APT
37        Disdain Exploit Kit
38        Konni Group
39        OmniRAT Malware
40        Wingbird
41        Gh0stRAT Trojan
42        Hunter Exploit Kit
43        SandCat APT
44        ImpassionedFramework Exploit Kit
45        Smominru Botnet
46        DarkHydrus APT
47        Reaper APT37
48        Sidewinder APT
49        Orcus RAT Malware
50        NicePack Exploit Kit
51        CommentPanda APT1
52        DotkaChef Exploit Kit
53        Frankenstein Campaign
54        TA459 APT
55        AZORult Trojan
56        Cool Exploit Kit
57        APT16
58        Spectre
59        FIN7 APT
60        Mozilla Firefox Active Exploit CVE-2019-17026
61        Firefox Active Exploits
62        Winnti APT
63        njRAT
64        SpeakUp Backdoor Trojan
65        BestPack Exploit Kit
66        Bottle Exploit Kit
67        Elfin APT33
68        APT-C-09
69        ThreadKit Exploit Kit
70        Operation Poison Needles APT
71        Sandworm Trojan
72        EvilPost APT
73        ExileRat Malware
74        Sweet Orange Exploit Kit
75        Hawkball Backdoor
76        Infinity Exploit Kit
77        Nansh0u Campaign
78        NRSMiner Cryptominer
79        Zhi Zhu Exploit Kit
80        PlugX Malware
81        Molerats APT
82        Niteris Exploit Kit
83        OceanLotus APT32
84        Raccoon Stealer
85        KPOT Stealer Malware
86        Magecart Group
87        Merry Christmas Exploit Kit
88        Suckfly APT
89        Qakbot
90        Godzilla Loader
91        Wavethrough
92        Persirai Botnet
93        Group5 APT
94        CrimeBoss Exploit Kit
95        VegaLocker Ransomware
96        Pitty Tiger APT
97        Watchbog Malware
98        Bleeding-Life Exploit Kit
99        Carbanak APT
100       Eleonore Exploit Kit
101       Tropic Trooper APT
102       Taidoor Malware
103       Calypso APT
104       Deep Panda APT
105       CritXPack Exploit Kit
106       Double Dragon APT41
107       NextCry Ransomware
108       Redkit Exploit Kit
109       Kovter Malware
110       PKPLUG APT
111       Underminer Exploit Kit
112       Magnitude Exploit Kit
113       Remcos RAT
114       Private Exploit Kit
115       PrincessLocker Ransomware
116       Zebrocy APT
117       LatenBot
118       Lotus Blossom APT
119       Glazunov Exploit Kit
120       RAMBleed
121       BlackTech APT
122       Satori Botnet
123       Codoso APT19
124       Rawin Exploit Kit
125       Slingshot APT
126       Rancor APT
127       AssocAID Exploit Kit
128       DROWN
129       RIDL
130       XBash Malware
131       MetaPack Exploit Kit
132       Slub Backdoor
133       GreenFlash-Sundown Exploit Kit
134       Citrix ADC Active Exploit CVE-2019-19781
135       EternalBlue
136       CrimePack Exploit Kit
137       Cisco ASA Active Exploit CVE-2018-0296
138       AveMaria RAT
139       Emotet Trojan
140       Kore Exploit Kit
141       Emissary Panda APT
142       Grandsoft Exploit Kit
143       Cobalt APT
144       RIG Exploit Kit
145       WhiteLotus Exploit Kit
146       Manuscrypt Malware
147       Nuclear Exploit Kit
148       Rocke Group
149       Plurox Malware
150       Dukes-APT29
151       Dragonfly APT
152       Sava Exploit Kit
153       Purple Fox Malware
154       Phoenix Exploit Kit
155       Zyklon Backdoor
156       HawkEye Keylogger
157       Operation WizardOpium Campaign
158       Lord Exploit Kit
159       Incognito Exploit Kit
160       Ke3chang APT
161       Adwind RAT
162       Poison Ivy
163       FIN6 APT
164       Mustang Panda APT
165       RedDot Exploit Kit
166       Buhtrap Group
167       Lamberts APT
168       Kerberods Trojan Dropper
169       HiMan Exploit Kit
170       Gamaredon Group
171       ZoPack
172       Darkhotel APT
173       ByeBear
174       Mpack Exploit Kit
175       WannaCry Ransomware
176       Platinum APT
177       Kronos Banking Trojan
178       Sakura Exploit Kit
179       Turla Malware
180       BillGates Botnet
181       SamSam Ransomware
182       Neutrino Exploit Kit
183       KuaiGoMiner Trojan
184       KaiXin Exploit Kit
185       Godlua Backdoor
186       Leafminer Group
187       DoublePulsar Backdoor
188       Dridex Malware
189       Putter Panda APT2
190       Cloud Atlas APT
191       Hanjuan Exploit Kit
192       Pirpi APT3
193       NullHole Exploit Kit
194       Chainshot Malware
195       Dacls RAT
196       Empire Pack Exploit Kit
197       BRONZE BUTLER APT
198       Chthonic Banking Trojan
199       Sodinokibi Ransomware
200       5ss5c Ransomware
201       Promethium APT
202       Sundown-Pirate Exploit Kit
203       Siberia Exploit Kit
204       ZombieLoad
205       LoJax Malware
206       Dust Storm APT
207       Petya Ransomware
208       PowerPool APT
209       Tornado
210       OilRig APT34
211       Glupteba Malware Dropper
212       FinSpy
213       BlackSquid Malware
214       Flimkit Exploit Kit
215       APT30
216       Baldr Trojan
217       DragonOK APT
218       FruityArmor APT
219       Whitehole Exploit Kit
220       Neptune Exploit Kit
221       Lazarus Group
222       Return of the WiZard
223       Hierarchy Exploit Kit
224       Scarlet Mimic APT
225       Astrum Exploit Kit
226       Sea Turtle APT
227       Capesand Exploit Kit
228       FIN8 APT
229       JustExploit Exploit Kit
230       GhostMiner Malware
231       Maze Ransomware
232       Sednit Exploit Kit
233       Revenge RAT
234       Naikon APT
235       Whitefly APT
236       XMRig Cryptominer
237       Kimsuky APT
238       Meltdown
239       Gorgon APT
240       PopAds Exploit Kit
241       Shellshock
242       Trickbot
243       GoBrut Botnet
244       Satan Ransomware
245       Operation LagTime IT Campaign
246       Gongda Exploit Kit
247       JNEC.a Ransomware
248       LightsOut Exploit Kit
249       Formbook Malware
250       Ryuk Ransomware
251       Imminent Monitor RAT
252       Styx Exploit Kit
253       NetCat Attack
254       menuPass APT10
255       Sofacy APT28
256       Nucsoft Exploit Kit
257       Dofloo Trojan
258       amiak APT
259       admin@338 APT
260       Silence APT
261       CK Exploit Kit
262       AdvisorsBot Malware
263       Neosploit Exploit Kit
264       Agent Tesla Trojan
265       Leviathan APT
266       Fallout Exploit Kit
267       vBulletin Active Exploit-CVE-2019-16759
268       FlashPack Exploit Kit
269       Muhstik Botnet
270       CopyKittens
271       Violin Panda APT20
272       Sundown Exploit Kit
273       RevengeHotels Campaign
274       Fallout
275       Spelevo Exploit Kit
276       Heartbleed
277       Impact Exploit Kit
278       Fiesta Exploit Kit
279       GandCrab Ransomware

List of IoA (Indicators of Attack) covered in SanerNow

Sl. No.   IoA (Indicators of Attack)
1         Highly Suspicious Processes
2         ICMP DoS Attack Detection
3         Firewall Security Center Notification Disabled
4         Unauthorized Application Accessing LPC Port
5         Suspicious Special Group Logon
6         Scheduled Task Anomalies
7         System ASLR Disabled
8         User or Computer Account Created or Deleted
9         Suspicious Explorer
10        Task Manager Disabled
11        System GateKeeper Disabled
12        AntiVirus Security Center Notification Disabled
13        User Account Logon Failed Anomalies
14        User Account Locked or Unlocked
15        Updates Security Center Notification Disabled
16        User Account Creation Anomalies
17        System DEP AlwaysOff
18        System UAC Off
19        Registry Access Disabled
20        Suspicious Process Called Privileged System Service Operation
21        Suspicious Windows Security Audit Log Cleared
22        Suspicious Service Installation Anomalies
23        Kerberos Replay Attack Detection
24        System ExecShield Disabled
25        Computer Account Creation Anomalies
26        Highly Suspicious Svchost Executable
27        Windows CPU or RAM Usage More Than 95 Percent
28        Firewall Disabled
29        Windows Firewall Failed to Initialize or Start
30        Windows Filtering Blocked Suspicious Packet Connection
31        UAC Security Center Notify Disabled
32        System NX DX Disabled

Windows Probes

Access token

The access token probe checks the properties of a Windows access token, as well as the individual privileges and rights associated with it.

Child ElementsDescription
Assign primary token privilegeIf Assign primary token privilege is enabled, it allows a parent process to replace an access token that is associated with a child process.
Audit privilegeIf Audit privilege is enabled, it allows a process to generate audit records in the security log. The security log can be used to trace unauthorized system access.
Backup privilegeIf Backup privilege is enabled, it allows the user to circumvent file and directory permissions to back up the system. The privilege is selected only when an application attempts access by using the NTFS backup application programming interface (API). Otherwise, normal file and directory permissions apply.
Batch logon rightIf an account is assigned the Batch logon right right, it can log on using the batch logon type.
Change notify privilegeIf Change notify privilege is enabled, it allows the user to pass through folders to which the user otherwise has no access while navigating an object path in the NTFS file system or in the registry. This privilege does not allow the user to list the content of a folder; it allows the user only to traverse its directories.
Create global privilegeIf Create global privilege is enabled, it allows the user to create named file mapping objects in the global namespace during Terminal Services sessions.
Create page file privilegeIf Create page file privilege is enabled, it allows the user to create and change the size of a pagefile.
Create permanent privilegeIf Create permanent privilege is enabled, it allows a process to create a directory object in the object manager. It is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode have this privilege inherently.
Create symbolic link privilegeIf Create symbolic link privilege is enabled, it allows users to create symbolic links.
Create token privilegeIf Create token privilege is enabled, it allows a process to create an access token by calling NtCreateToken() or other token-creating APIs.
Security principleThe Security principle element identifies an access token to test for. Security principles include users or groups with either local or domain accounts, and computer accounts created when a computer joins a domain. In Windows, security principles are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. User rights and permissions to access objects such as Active Directory objects, files, and registry settings are assigned to security principles. In a domain environment, security principles should be identified in the form: “domain\trustee name”. For local security principles use: “computer name\trustee name”. For built-in accounts on the system, use the trustee name without a domain.
Debug privilegeIf Debug privilege is enabled, it allows the user to attach a debugger to any process. It provides access to sensitive and critical operating system components.
Deny batch logon rightIf an account is assigned the Deny batch logon right right, it is explicitly denied the ability to log on using the batch logon type.
Deny interactive logon rightIf an account is assigned the Deny interactive logon right right, it is explicitly denied the ability to log on using the interactive logon type.
Deny network logon rightIf an account is assigned the Deny network logon right right, it is explicitly denied the ability to log on using the network logon type.
Deny Remote interactive logon rightIf an account is assigned the Deny Remote interactive logon right right, it is explicitly denied the ability to log on through Terminal Services.
Deny service logon rightIf an account is assigned the Deny service logon right right, it is explicitly denied the ability to log on using the service logon type.
Enable delegation privilegeIf Enable delegation privilege is enabled, it allows the user to change the Trusted for Delegation setting on a user or computer object in Active Directory. The user or computer that is granted this privilege must also have write access to the account control flags on the object.
Impersonate privilegeIf Impersonate privilege is enabled, it allows the user to impersonate a client after authentication.
Increase base priority privilegeIf Increase base priority privilege is enabled, it allows a user to increase the base priority class of a process.
Increase quota privilegeIf Increase quota privilege is enabled, it allows a process that has access to a second process to increase the processor quota assigned to the second process.
Increase working set privilege: If the Increase working set privilege is enabled, it allows a user to increase the working set of a process.
Interactive logon right: If an account is assigned the Interactive logon right, it can log on using the interactive logon type.
Load driver privilege: If the Load driver privilege is enabled, it allows a user to install and remove drivers for Plug and Play devices.
Lock memory privilege: If the Lock memory privilege is enabled, it allows a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk.
Machine account privilege: If the Machine account privilege is enabled, it allows the user to add a computer to a specific domain.
Manage volume privilege: If the Manage volume privilege is enabled, it allows a non-administrative or remote user to manage volumes or disks.
Network logon right: If an account is assigned the Network logon right, it can log on using the network logon type.
Profile single process privilege: If the Profile single process privilege is enabled, it allows a user to sample the performance of an application process.
Re-label privilege: If the Re-label privilege is enabled, it allows a user to modify the integrity label of an object.
Remote interactive logon right: If an account is assigned the Remote interactive logon right, it can log on to the computer by using a Remote Desktop connection.
Remote shutdown privilege: If the Remote shutdown privilege is enabled, it allows a user to shut down a computer from a remote location on the network.
Restore privilege: If the Restore privilege is enabled, it allows a user to circumvent file and directory permissions when restoring backed-up files and directories, and to set any valid security principal as the owner of an object.
Security privilege: If the Security privilege is enabled, it allows a user to specify object access auditing options for individual resources such as files, Active Directory objects, and registry keys. A user who has this privilege can also view and clear the security log from Event Viewer.
Service logon right: If an account is assigned the Service logon right, it can log on using the service logon type.
Shutdown privilege: If the Shutdown privilege is enabled, it allows a user to shut down the local computer.
Sync agent privilege: If the Sync agent privilege is enabled, it allows a process to read all objects and properties in the directory, regardless of the protection on the objects and properties. It is required in order to use Lightweight Directory Access Protocol (LDAP) directory synchronization (Dirsync) services.
System environment privilege: If the System environment privilege is enabled, it allows modification of system environment variables, either by a process through an API or by a user through System Properties.
System profile privilege: If the System profile privilege is enabled, it allows a user to sample the performance of system processes.
System time privilege: If the System time privilege is enabled, it allows the user to adjust the time on the computer's internal clock. It is not required to change the time zone or other display characteristics of the system time.
Take ownership privilege: If the Take ownership privilege is enabled, it allows a user to take ownership of any securable object in the system, including Active Directory objects, NTFS files and folders, printers, registry keys, services, processes, and threads.
TCB privilege: If the TCB privilege (act as part of the operating system) is enabled, it allows a process to assume the identity of any user and thus gain access to the resources that the user is authorized to access.
Timezone privilege: If the Timezone privilege is enabled, it allows the user to change the time zone.
Trusted credentials management access right: If an account is assigned this right, it can access the Credential Manager as a trusted caller.
Undock privilege: If the Undock privilege is enabled, it allows the user of a portable computer to undock the computer by clicking Eject PC on the Start menu.
Unsolicited input privilege: If the Unsolicited input privilege is enabled, it allows the user to read unsolicited data from a terminal device.
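
The rights in this table matter because several of them (TCB, Load driver, Restore, Take ownership, Security) are equivalent to full control of the machine when held by the wrong principal. The following is an added example, not SanerNow code, showing how to list the holders of the sensitive rights on a local machine with the built-in secedit export and flag any principal beyond the default holders. It assumes Windows PowerShell 5.1 in an elevated session; the list of sensitive rights and the expected default holders are the example's own choices.

```powershell
# Added example, not SanerNow code: list which principals hold the most sensitive user rights
# on the local machine using the built-in secedit export.
# Assumptions: Windows PowerShell 5.1, elevated session, secedit.exe on the PATH.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
if (-not (Test-Path $cfg)) { throw 'secedit export failed; run from an elevated session' }

# Rights that amount to full control of the machine when granted to the wrong principal
# (constant name -> the row name used in the table above). Selection is this example's own.
$sensitive = @{
    'SeTcbPrivilege'           = 'TCB privilege'
    'SeDebugPrivilege'         = 'Debug privilege'
    'SeLoadDriverPrivilege'    = 'Load driver privilege'
    'SeBackupPrivilege'        = 'Backup privilege'
    'SeRestorePrivilege'       = 'Restore privilege'
    'SeTakeOwnershipPrivilege' = 'Take ownership privilege'
    'SeSecurityPrivilege'      = 'Security privilege'
}

# Holders present on a default install; anything else is a finding to review (example baseline).
$expected = 'BUILTIN\Administrators', 'NT AUTHORITY\LOCAL SERVICE', 'NT AUTHORITY\NETWORK SERVICE', 'NT AUTHORITY\SERVICE'

function Resolve-RightHolder([string]$token) {
    # secedit writes SIDs with a leading '*'; names it could not resolve are written as-is.
    if ($token -notmatch '^\*S-1-') { return $token }
    $sid = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $token.TrimStart('*')
    try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
}

# The export is an INI file whose [Privilege Rights] section has lines such as
#   SeDebugPrivilege = *S-1-5-32-544
Get-Content $cfg | ForEach-Object {
    if ($_ -match '^(Se\w+)\s*=\s*(.+)$' -and $sensitive.ContainsKey($Matches[1])) {
        $right   = $Matches[1]
        $holders = @($Matches[2] -split ',' | ForEach-Object { Resolve-RightHolder $_.Trim() })
        [pscustomobject]@{
            Right      = $sensitive[$right]
            Constant   = $right
            Holders    = $holders -join '; '
            Unexpected = ($holders | Where-Object { $_ -notin $expected }) -join '; '
        }
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue
```

A right that is not assigned to anyone does not appear in the export at all, so an empty result for a constant means "nobody holds it", not "check failed".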

Active directory

This is used to check information about specific entries in Active Directory.

Child Elements: Description
ADS type: The type of information that the specified attribute represents.
Attribute: Specifies a named value contained by the object.
Naming context: Each object in Active Directory exists under a certain naming context (also known as a partition). A naming context is defined as a single object in the Directory Information Tree (DIT) along with every object in the tree subordinate to it. There are three default naming contexts in Active Directory: domain, configuration, and schema.
Object class: The name of the class of which the object is an instance.
Relative distinguished name: Uniquely identifies an object inside the specified naming context. It contains all the parts of the object's distinguished name except those covered by the naming context.
Value: The actual value of the specified Active Directory attribute. An attribute may hold structured data with multiple related, named fields (described by the 'record' datatype), but it may also hold a single value or an array of values. In those cases there is no name to uniquely identify the corresponding field, which the 'record' datatype requires, so the name of the Active Directory attribute itself is used to identify the field.

Anti-virus information

This is used to collect information about installed antivirus applications, as registered with Windows Security Center.

Child Elements: Description
Antivirus name: The display name of an installed antivirus product.
Instance GUID: A string holding the GUID that identifies this antivirus product instance.
Path to signed product executable: The absolute path to the antivirus product executable on the machine.
Path to signed reporting executable: The absolute path to the antivirus reporting executable on the machine.
Product enabled: Whether the product is enabled or disabled.
Product state: A numeric state value. When converted to hex, its bit fields indicate whether the product is enabled or disabled and whether its definitions are up to date or outdated.
Product up-to-date: Whether the product's definitions are up to date.
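
The following is an added example, not SanerNow code, showing how the fields above are read from the Security Center AntiVirusProduct class and how the product state value is decoded. It assumes Windows PowerShell 5.1 on a client SKU (the root/SecurityCenter2 namespace is absent on most server SKUs). Microsoft does not document the productState layout; the byte positions used below are the widely observed ones and are an assumption of this example.

```powershell
# Added example, not SanerNow code: read the Security Center antivirus inventory and
# decode productState into the enabled / up-to-date flags the table describes.
# Assumptions: Windows PowerShell 5.1, client SKU. The productState byte layout is
# undocumented; the decoding below is the widely observed convention, used as an assumption.
function ConvertFrom-AvProductState([int]$State) {
    $hex        = '{0:X6}' -f $State     # e.g. 397568 -> '061100'
    $protection = $hex.Substring(2, 2)   # '10' or '11' = real-time protection on; '00' or '01' = off
    $signatures = $hex.Substring(4, 2)   # '00' = definitions current; '10' = out of date
    [pscustomobject]@{
        RawHex   = $hex
        Enabled  = $protection -in '10', '11'
        UpToDate = $signatures -eq '00'
    }
}

$products = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
if (-not $products) {
    Write-Warning 'No AntiVirusProduct instances: Security Center is not available on this SKU'
}

foreach ($p in $products) {
    $decoded = ConvertFrom-AvProductState $p.productState
    # The class promises a signed executable; verify the signature instead of trusting the name.
    $exeSigned = $false
    if ($p.pathToSignedProductExe -and (Test-Path -LiteralPath $p.pathToSignedProductExe)) {
        $exeSigned = (Get-AuthenticodeSignature -LiteralPath $p.pathToSignedProductExe).Status -eq 'Valid'
    }
    [pscustomobject]@{
        Name         = $p.displayName
        InstanceGuid = $p.instanceGuid
        ProductExe   = $p.pathToSignedProductExe
        ReportingExe = $p.pathToSignedReportingExe
        ProductState = $decoded.RawHex
        Enabled      = $decoded.Enabled
        UpToDate     = $decoded.UpToDate
        ExeSigned    = $exeSigned
    }
}
```

A product whose executable path no longer exists, or whose signature does not verify, should be treated as "not protecting" regardless of what the state value says.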

ARP Cache

This is used to collect information about the Address Resolution Protocol (ARP) cache table.

Child Elements: Description
Host IP: The host IP address.
Interface index: Windows only. The index of the network interface associated with this IP address. This index value may change when a network adapter is disabled and then enabled, or under other circumstances, and should not be considered persistent.
Interface locally unique ID index: Windows only. The locally unique identifier (LUID) of the network interface associated with this IP address.
Reachability time: Windows only. The time, in milliseconds, that a node assumes a neighbour is reachable after having received a reachability confirmation.
MAC address: The physical hardware address of the adapter for the network interface associated with this IP address.
Interface type: Windows only. The interface type as defined by the Internet Assigned Numbers Authority (IANA).
Neighbour state: Windows only. The state of the neighbour IP address as defined in RFC 2461 (Neighbor Discovery). One of the values of the NL_NEIGHBOR_STATE enumeration defined in the Nldef.h header file: https://msdn.microsoft.com/en-us/library/gg159207.aspx

Audit Event Policy

This is used to check which categories of events the system audits (the classic, category-level audit policy).

Child Elements: Description
Account logon: Audit credential validation, that is, attempts to authenticate an account on the computer that is authoritative for it (the domain controller for domain accounts, the local machine for local accounts).
Account management: Audit attempts to create, delete, or change user or group accounts. Also, audit password changes.
Detailed tracking: Audit specific events, such as program activation, some forms of handle duplication, indirect access to an object, and process exit. This activity is also known as process tracking.
Directory service access: Audit attempts to access the directory service.
Logon: Audit attempts to log on to or log off of the system, recorded on the machine where the logon session is created. Also, audit attempts to make a network connection.
Object access: Audit attempts to access securable objects, such as files.
Policy change: Audit attempts to change policy object rules.
Privilege use: Audit attempts to use privileges.
System: Audit attempts to shut down or restart the computer. Also, audit events that affect system security or the security log.

Audit Event Policy Subcategories

This is used to check the advanced audit policy settings (subcategories) on a Windows system. These settings specify which system and network events are monitored. For example, if the Credential validation element has a value of AUDIT_FAILURE, the system is configured to log unsuccessful attempts to validate a user account. Note that these subcategories are specific to certain versions of Windows; consult the documentation for the version in use for details on each setting.

Child Elements: Description
Account lockout: Audit the events produced by a failed attempt to log on to a locked-out account.
Application generated: Audit the events produced by applications that use the Windows Auditing API.
Application group management: Audit the events produced by changes to application groups.
Audit policy changes: Audit the events produced by changes in security audit policy settings.
Authentication policy change: Audit the events produced by changes to the authentication policy.
Authorization policy change: Audit the events produced by changes to the authorization policy.
Certificate services: Audit the events produced by operations on Active Directory Certificate Services.
Computer account management: Audit the events produced by changes to computer accounts.
Credential validation: Audit the events produced during the validation of a user's logon credentials.
Detailed directory service replication: Audit the events produced by detailed Active Directory Domain Services replication between domain controllers.
Detailed file share: Audit the events produced by attempts to access files and folders on a shared folder.
Directory service access: Audit the events produced when an Active Directory Domain Services object is accessed.
Directory service changes: Audit the events produced when changes are made to Active Directory Domain Services objects.
Directory service replication: Audit the events produced when two Active Directory Domain Services domain controllers replicate.
Distribution group management: Audit the events produced by changes to distribution groups.
DPAPI activity: Audit the events produced when requests are made to the Data Protection Application Programming Interface (DPAPI).
File share: Audit the events produced by attempts to access a shared folder.
File system: Audit the events produced by user attempts to access file system objects.
Filtering platform connection: Audit the events produced by connections that are allowed or blocked by the Windows Filtering Platform.
Filtering platform packet drop: Audit the events produced by packets that are dropped by the Windows Filtering Platform.
Filtering platform policy change: Audit the events produced by changes to the Windows Filtering Platform.
Handle manipulation: Audit the events produced when a handle is opened or closed.
IPsec driver: Audit the events produced by the IPsec filter driver.
IPsec extended mode: Audit the events produced by Internet Key Exchange (IKE) and Authenticated Internet Protocol (AuthIP) during Extended Mode negotiations.
IPsec main mode: Audit the events produced by IKE and AuthIP during Main Mode negotiations.
IPsec quick mode: Audit the events produced by IKE and AuthIP during Quick Mode negotiations.
Kerberos authentication service: Audit the events produced by Kerberos authentication (ticket-granting ticket) requests.
Kerberos service ticket operations: Audit the events produced by Kerberos service ticket requests.
Kerberos ticket events (deprecated): Audit the events produced during the validation of Kerberos tickets provided for a user account logon request.
Kernel object: Audit the events produced by attempts to access kernel objects such as mutexes and semaphores.
Log off: Audit the events produced by closing a logon session.
Logon: Audit the events produced by attempts to log on to a user account.
MPSSVC rule level policy change: Audit the events produced by changes to policy rules used by the Windows Firewall.
Network policy server: Audit the events produced by RADIUS and Network Access Protection user access requests.
Non-sensitive privilege use: Audit the events produced by the use of non-sensitive privileges.
Other account logon events: Audit the events produced by changes to user accounts that are not covered by other events in the Account Logon category.
Other account management events: Audit the events produced by other user account changes that are not covered by other events in the Account Management category.
Other logon/logoff events: Audit the events produced by other logon/logoff based events that are not covered in the Logon/Logoff category.
Other object access events: Audit the events produced by the management of Task Scheduler jobs or COM+ objects.
Other policy change events: Audit the events produced by other security policy changes that are not covered by other events in the Policy Change category.
Other privilege use events: Currently not used; reserved by Microsoft for future use.
Other system events: Audit the events produced by the startup and shutdown of the Windows Firewall, by security policy processing by the Windows Firewall, and by cryptography key file and migration operations.
Security state change: Audit the events produced by changes in the security state.
Process creation: Audit the events produced when a process is created or starts.
Process termination: Audit the events produced when a process ends.
Registry: Audit the events produced by attempts to access registry objects.
RPC events: Audit the events produced by inbound remote procedure call connections.
Security Account Manager (SAM): Audit the events produced by attempts to access Security Account Manager objects.
Security group management: Audit the events produced by changes to security groups.
Security system extension: Audit the events produced by the security system extensions or services.
Sensitive privilege use: Audit the events produced by the use of sensitive privileges.
Special logon: Audit the events produced by special logons.
System integrity: Audit the events that indicate that the integrity of the security subsystem has been violated.
User account management: Audit the events produced by changes to user accounts.
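
The following is an added example, not SanerNow code, showing how the effective subcategory settings are read with the built-in auditpol tool and compared against an expected baseline, including the Credential validation failure check used as the illustration above. It assumes Windows PowerShell 5.1 in an elevated session; the baseline values are the example's own, not a vendor list.

```powershell
# Added example, not SanerNow code: read the effective advanced audit policy with auditpol
# and flag subcategories that audit less than a baseline expects.
# Assumptions: Windows PowerShell 5.1, elevated session. 'auditpol /get /category:* /r' emits CSV
# with the columns Machine Name, Policy Target, Subcategory, Subcategory GUID, Inclusion Setting,
# Exclusion Setting; Inclusion Setting is one of 'No Auditing', 'Success', 'Failure',
# 'Success and Failure'.
$policy = auditpol /get /category:* /r | Where-Object { $_ -ne '' } | ConvertFrom-Csv

# Minimum settings this example expects (constructed baseline, not a vendor list).
$expected = [ordered]@{
    'Credential Validation'     = 'Failure'
    'Logon'                     = 'Success and Failure'
    'Special Logon'             = 'Success'
    'Process Creation'          = 'Success'
    'Audit Policy Change'       = 'Success and Failure'
    'Security Group Management' = 'Success'
    'Sensitive Privilege Use'   = 'Success and Failure'
}

function Test-AuditSetting([string]$Actual, [string]$Wanted) {
    # 'Success and Failure' satisfies a requirement for either half alone.
    switch ($Wanted) {
        'Success'             { return $Actual -in 'Success', 'Success and Failure' }
        'Failure'             { return $Actual -in 'Failure', 'Success and Failure' }
        'Success and Failure' { return $Actual -eq 'Success and Failure' }
        default               { return $true }
    }
}

foreach ($name in $expected.Keys) {
    $row    = $policy | Where-Object { $_.Subcategory -eq $name } | Select-Object -First 1
    $actual = if ($row) { $row.'Inclusion Setting' } else { 'not reported' }
    [pscustomobject]@{
        Subcategory = $name
        Actual      = $actual
        Expected    = $expected[$name]
        Compliant   = [bool]$row -and (Test-AuditSetting $actual $expected[$name])
    }
}
```

The Credential Validation row shows why the subcategory view matters: a domain-joined workstation validates almost no credentials itself (the domain controller does), so the same setting produces very different volumes of events on a DC and on a client.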

Auto Logon Last Logon Last Reboot

This is used to collect whether automatic logon is enabled, the last user logon time and the last system restart time.

Child Elements: Description
Last boot up time: The date and time the operating system was last restarted, in CIM DATETIME format (yyyymmddHHMMSS.mmmmmmsUUU), for example 20180226090624.652230+330, where +330 is the offset from UTC in minutes.
Last logon: The last logon timestamp. This value is stored as a large integer that represents the number of 100-nanosecond intervals since January 1, 1601 (UTC), i.e. a FILETIME.
User name: The name of the user the last logon belongs to.
Auto admin logon: Whether the automatic logon feature is enabled. Automatic logon uses the domain, user name, and password stored in the registry to log the user on when the system starts. The password is kept in cleartext in the DefaultPassword value of the Winlogon key, which standard users can read, so an enabled setting exposes that credential.
Auto logon enabled user name: The last user name entered in the Log On to Windows dialog box (the DefaultUserName value). This entry is required if Windows has been configured to log on automatically by setting Auto admin logon to 1.
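
The following is an added example, not SanerNow code, collecting the same facts as this query and flagging the risky combination of AutoAdminLogon with a stored password. It also decodes both timestamp formats the table mentions. It assumes Windows PowerShell 5.1; the CIM DATETIME sample is the table's own example value and the FILETIME sample is a constructed input.

```powershell
# Added example, not SanerNow code: collect autologon state, last logon and last boot, and
# flag a cleartext autologon password. Assumptions: Windows PowerShell 5.1; no elevation needed.
$key      = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$winlogon = Get-ItemProperty -Path $key

# Both timestamp formats from the table, decoded:
#  - CIM DATETIME such as '20180226090624.652230+330' (the table's example, used here as input)
#  - FILETIME, a count of 100-ns intervals since 1601-01-01 UTC (constructed sample value)
$cimSample  = '20180226090624.652230+330'
$cimDecoded = [System.Management.ManagementDateTimeConverter]::ToDateTime($cimSample)  # local time, offset applied
$fileTime   = 131639847844000000
$ftDecoded  = [DateTime]::FromFileTimeUtc($fileTime)

$os        = Get-CimInstance -ClassName Win32_OperatingSystem   # CIM cmdlets return LastBootUpTime as DateTime
$lastLogon = Get-LocalUser | Where-Object { $_.LastLogon } | Sort-Object LastLogon -Descending | Select-Object -First 1

[pscustomobject]@{
    LastBootUpTime              = $os.LastBootUpTime
    UptimeHours                 = [math]::Round(((Get-Date) - $os.LastBootUpTime).TotalHours, 1)
    LastLogonUser               = $lastLogon.Name
    LastLogon                   = $lastLogon.LastLogon
    AutoAdminLogon              = $winlogon.AutoAdminLogon -eq '1'
    AutoLogonUser               = $winlogon.DefaultUserName
    AutoLogonDomain             = $winlogon.DefaultDomainName
    # Absence of the value is not proof of safety: the Sysinternals Autologon tool stores the
    # password as the DefaultPassword LSA secret instead, which only SYSTEM can read.
    CleartextPasswordInRegistry = [bool]$winlogon.PSObject.Properties['DefaultPassword']
    SampleCimDateDecoded        = $cimDecoded
    SampleFileTimeDecoded       = $ftDecoded
}
```

Get-LocalUser only covers local accounts; the last domain logon has to come from the Security log (Logon subcategory) instead.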

BIOS Information

This is used to collect information about the BIOS.

Child Elements: Description
BIOS Manufacturer: The manufacturer of this software element. This value comes from the Vendor member of the BIOS Information structure in the SMBIOS information.
BIOS Name: The name used to identify the software element.
BIOS Serial Number: The serial number of the software element.
System Management BIOS Version: The BIOS version as reported by SMBIOS. This value comes from the BIOS Version member of the BIOS Information structure in the SMBIOS information.
BIOS Status: The current status of the BIOS. Various operational and nonoperational statuses can be defined.
BIOS Version: The version of the BIOS. This string is created by the BIOS manufacturer.
BIOS Language: The name of the current BIOS language.

BitLocker Information

This is used to collect the BitLocker protection status of the volumes on a device.

Child Elements: Description
Device ID: A unique identifier for the volume on this system.
Drive letter: The drive letter of the volume.
Status: The protection status of the volume, that is, whether or not BitLocker is protecting it.
Volume ID: A persistent identifier for the volume on this system.
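
The following is an added example, not SanerNow code, enumerating encryptable volumes with the same four fields as the table (the Win32_EncryptableVolume properties DeviceID, DriveLetter, ProtectionStatus and PersistentVolumeID) and flagging an operating system volume that is not protected. It assumes Windows PowerShell 5.1 in an elevated session, since the MicrosoftVolumeEncryption namespace is not readable by standard users.

```powershell
# Added example, not SanerNow code: list BitLocker status per volume and flag an unprotected
# OS volume. Assumptions: Windows PowerShell 5.1, elevated session.
$namespace  = 'root/CIMV2/Security/MicrosoftVolumeEncryption'
$osDrive    = $env:SystemDrive                                  # e.g. 'C:'
$statusText = @{ 0 = 'Unprotected'; 1 = 'Protected'; 2 = 'Unknown' }

Get-CimInstance -Namespace $namespace -ClassName Win32_EncryptableVolume | ForEach-Object {
    # GetProtectionStatus returns the live value; a volume whose protectors are suspended
    # reports 0 here even though it is encrypted.
    $status  = [int](Invoke-CimMethod -InputObject $_ -MethodName GetProtectionStatus).ProtectionStatus
    $finding = ''
    if ($_.DriveLetter -eq $osDrive -and $status -ne 1) { $finding = 'OS volume is not protected by BitLocker' }
    [pscustomobject]@{
        DeviceID    = $_.DeviceID
        DriveLetter = $_.DriveLetter
        VolumeID    = $_.PersistentVolumeID
        Status      = $statusText[$status]
        IsOsVolume  = $_.DriveLetter -eq $osDrive
        Finding     = $finding
    }
}
```

"Encrypted" and "protected" are different states: a fully encrypted volume with suspended protectors (common after firmware updates) boots without a key and should be reported as unprotected, which is what the live status call above does.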

Computer Information

This is used to collect information about the computer system.

Child Elements: Description
Base board serial number: The base board serial number.
Boot device: The name of the disk drive from which the Windows operating system starts.
BIOS serial number: The BIOS serial number.
Cache size: The size of the total processor cache. A cache is a memory area with a faster access time than main RAM.
CPU: The name of the processor.
CPU cores: The number of CPU cores.
CPU architecture: The processor architecture used by the platform.
CPU usage: The CPU usage as a percentage.
Disk description: The description of the disk drive.
Disk name: A short, one-line description of the disk drive.
Disk drive serial number: The serial number of the disk drive.
Disk size: The size of the disk drive, in bytes.
Disk type: A numeric value that corresponds to the type of disk drive this logical disk represents.
Network total bytes received: The number of bytes received.
Network total bytes transmitted: The number of bytes transmitted.
Network total bytes (received/transmitted): The total number of bytes received and transmitted.
Operating system architecture: The architecture of the operating system.
Operating system name: The name of the operating system.
Operating system serial number: The operating system serial number.
Free RAM: Free system memory, in bytes.
RAM usage: Used system memory, as a percentage.
RAM used: Used system memory, in bytes.
System name: The system name.
System time synchronization status: Whether the system time is synchronised with a server using the Network Time Protocol (NTP). The value is either true or false.
System product name: The system hardware (product) name.
System product version: The system hardware (product) version.
System uptime: The number of milliseconds that have elapsed since the system was started.
Total RAM: Total system memory, in bytes.
Timezone name: The time zone, such as India Standard Time.
Timezone difference: The offset of the time zone from UTC, in hours.
Volume name: The volume name of the logical disk. Constraint: maximum 32 characters.

Device information

This is used to collect information about Plug and Play devices.

Child Elements: Description
Device description: The description of the device.
Device driver: The path of the service that supports the device.
Device GUID: The globally unique identifier (GUID) of the device.
Device hardware ID: The hardware ID of the device.
Device instance ID: The instance ID of the device.
Device manufacturer: The manufacturer of the device.
Device name: The label given to the device.
Device status: The current status of the device. Various operational and nonoperational statuses can be defined.
Device type: The type of the device.

DNS cache

DNS cache is used to check the time to live (TTL) and IP addresses associated with a domain name, as retrieved from the DNS cache on the local system. The entries in the DNS cache can be collected using Microsoft's DnsGetCacheDataTable() and DnsQuery() API calls.

Child Elements: Description
Domain name: A string representing a domain name that was collected from the DNS cache on the local system.
IP address: A string representing an IP address associated with the specified domain name, collected from the DNS cache on the local system. The IP address can be IPv4 or IPv6.
TTL: An integer representing the time to live, in seconds, of the DNS cache entry.

Environment Variables

This is used to check an environment variable of a specified process, identified by its process ID, on the system.

Child Elements: Description
Name: The name of the environment variable.
Process ID (PID): The process ID of the process from which the environment variable was retrieved.
Value: The actual value of the specified environment variable.

Events

This is used to collect events from the Security, System and Application event logs.

Child Elements: Description
Channel: One of the channels Security, System or Application.
Computer: The name of the computer on which the event was logged.
Data: The event-specific data fields of the event.
Event ID: A number identifying the particular event type. The value is specific to the event source for the event and is used with the source name to locate a description string in the message file for the event source.
Level: A numeric value classifying the severity of the event.
String:Channel: The channel name as a string (Security, System or Application).
String:Keyword: A set of categories or tags that can be used to filter or search for events.
String:Level: The event severity classification as a string.
String:Message: The description of the event.
String:Opcode: What activity the application or component was doing when the event was triggered.
String:Provider: The provider of the event.
System time: The time on the computer at which the event occurred.

Family of Operating System

This is used to check the family a certain system belongs to. It allows the high-level system types (windows, unix, ios, etc.) to be tested.

Child Elements: Description
Family of Operating System: The high-level OS type to test against. Refer to the definition of the EntityFamilyType for the possible values.

File

This is used to check metadata associated with files. File path is mandatory for this query when submitting it to agents.

Child Elements: Description
Access time: Time of last access of the file. Valid on NTFS but not on FAT formatted disk drives. The string represents a FILETIME structure, a 64-bit value holding the number of 100-nanosecond intervals since January 1, 1601 (UTC).
Creation time: Time of creation of the file. Valid on NTFS but not on FAT formatted disk drives. The string represents a FILETIME structure, a 64-bit value holding the number of 100-nanosecond intervals since January 1, 1601 (UTC).
Company: The company name found within the file's version-information structure.
Development class: Distinguishes between the GDR development environment and the QFE development environment. This field holds the text found in front of the mmmmmm-nnnn version, for example srv03_gdr.
File name: The name of the file on the machine.
File path*: The absolute path for a file on the machine. A directory cannot be specified as a file path.
Internal name: The internal name found within the version-information structure.
Language: The language found within the version-information structure.
Modified time: Time of last modification of the file. The string represents a FILETIME structure, a 64-bit value holding the number of 100-nanosecond intervals since January 1, 1601 (UTC).
Microsoft checksum: The checksum of the file as computed by Microsoft's MapFileAndCheckSum function.
Original filename: The original filename found within the version-information structure.
Owner: The name of the file's owner, in DOMAIN\username format.
Product name: The product name found within the version-information structure.
Product version: The product version found within the version-information structure.
Size: The size of the file in bytes.
Type: Marks whether the file is a directory, named pipe, standard file, etc. These types are the return values of GetFileType, with the exception of FILE_ATTRIBUTE_DIRECTORY, which is obtained from GetFileAttributesEx.
Version: The delimited version string of the file.
Windows view: The Windows view (32-bit or 64-bit) to which this was targeted; it indicates which view the associated state applies to.

File Audit Permissions

This is used to check the audit permissions (SACL entries) associated with Windows files. Note that the trustee's audited permissions are those the SACL specifies for the trustee or for any group of which the trustee is a member. File path is mandatory for this query when submitting it to agents.

Child Elements: Description
Access system security: Indicates access to the system access control list (SACL).
File append data: The right to append data to the file.
File delete child: The right to delete a directory and all the files it contains (its children), even if the files are read-only.
File execute: The right to execute a file.
File read attributes: The right to read file attributes.
File read data: The right to read data from the file.
File read ea: The right to read extended attributes.
File write attributes: The right to change file attributes.
File write data: The right to write data to the file.
File write ea: The right to write extended attributes.
File path*: The absolute path for a file on the machine. A directory cannot be specified as a file path.
Generic all: Read, write, and execute access.
Generic execute: Execute access.
Generic read: Read access.
Generic write: Write access.
Standard delete: The right to delete the object.
Standard read control: The right to read the information in the object's security descriptor, not including the information in the SACL.
Standard synchronize: The right to use the object for synchronization. This enables a thread to wait until the object is in the signalled state. Some object types do not support this access right.
Standard write DAC: The right to modify the DACL in the object's security descriptor.
Standard write owner: The right to change the owner in the object's security descriptor.
Trustee SID: The unique SID associated with a user, group, system, or program (such as a Windows service).
Windows view: The Windows view (32-bit or 64-bit) to which this was targeted; it indicates which view the associated state applies to.

File Effective Rights

This is used to check the effective rights a trustee holds on a file. It applies to directories and to all Windows file types (FILE_TYPE_CHAR, FILE_TYPE_DISK, FILE_TYPE_PIPE, FILE_TYPE_REMOTE, and FILE_TYPE_UNKNOWN). File path is mandatory for this query when submitting it to agents.

Child Elements: Description
Access system security: Indicates access to the system access control list (SACL).
File append data: The right to append data to the file, or, for a directory, the right to add a sub-directory to the directory.
File delete child: The right to delete a directory and all the files it contains (its children), even if the files are read-only.
File execute: The right to execute a file, or, for a directory, the right to traverse the directory.
File read attributes: The right to read file or directory attributes.
File read data: The right to read data from the file, or, for a directory, the right to list the contents of the directory.
File read ea: The right to read extended attributes.
File write attributes: The right to change file or directory attributes.
File write data: The right to write data to the file, or, for a directory, the right to add a file to the directory.
File write ea: The right to write extended attributes.
File path*: The absolute path for a file on the machine. A directory cannot be specified as a file path.
Generic all: Read, write, and execute access.
Generic execute: Execute access.
Generic read: Read access.
Generic write: Write access.
Standard delete: The right to delete the object.
Standard read control: The right to read the information in the object's security descriptor, not including the information in the SACL.
Standard synchronize: The right to use the object for synchronization. This enables a thread to wait until the object is in the signalled state. Some object types do not support this access right.
Standard write DAC: The right to modify the DACL in the object's security descriptor.
Standard write owner: The right to change the owner in the object's security descriptor.
Trustee SID: The unique SID associated with a user, group, system, or program (such as a Windows service).
Windows view: The Windows view (32-bit or 64-bit) to which this was targeted; it indicates which view the associated state applies to.
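
The File Audit Permissions and File Effective Rights tables describe the same set of FILE_* and standard rights, read from the SACL and the DACL respectively. The following is an added example, not SanerNow code, that reports both lists for one file, one row per trustee SID, using the table's row names for the individual right bits. It assumes Windows PowerShell 5.1; reading the SACL requires the Security privilege, so the SACL rows appear only in an elevated session, and the sample path is just a well-known system file chosen for illustration.

```powershell
# Added example, not SanerNow code: dump the DACL (effective-rights input) and SACL (audit
# permissions) of a file as rows of trustee SID + named rights.
# Assumptions: Windows PowerShell 5.1; SACL rows need SeSecurityPrivilege (elevated session).
function Get-FileRightsReport([string]$Path) {
    try {
        $acl = Get-Acl -LiteralPath $Path -Audit -ErrorAction Stop
    } catch {
        Write-Warning "Could not read the SACL ($($_.Exception.Message)); reporting the DACL only"
        $acl = Get-Acl -LiteralPath $Path
    }
    $sidType = [System.Security.Principal.SecurityIdentifier]

    # Individual FileSystemRights bits and the table row names they correspond to.
    $bits = [ordered]@{
        'File read data'        = [System.Security.AccessControl.FileSystemRights]::ReadData
        'File write data'       = [System.Security.AccessControl.FileSystemRights]::WriteData
        'File append data'      = [System.Security.AccessControl.FileSystemRights]::AppendData
        'File read ea'          = [System.Security.AccessControl.FileSystemRights]::ReadExtendedAttributes
        'File write ea'         = [System.Security.AccessControl.FileSystemRights]::WriteExtendedAttributes
        'File execute'          = [System.Security.AccessControl.FileSystemRights]::ExecuteFile
        'File delete child'     = [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles
        'File read attributes'  = [System.Security.AccessControl.FileSystemRights]::ReadAttributes
        'File write attributes' = [System.Security.AccessControl.FileSystemRights]::WriteAttributes
        'Standard delete'       = [System.Security.AccessControl.FileSystemRights]::Delete
        'Standard read control' = [System.Security.AccessControl.FileSystemRights]::ReadPermissions
        'Standard write DAC'    = [System.Security.AccessControl.FileSystemRights]::ChangePermissions
        'Standard write owner'  = [System.Security.AccessControl.FileSystemRights]::TakeOwnership
        'Standard synchronize'  = [System.Security.AccessControl.FileSystemRights]::Synchronize
    }
    function Expand-Rights($rights) {
        # Generic combinations (Read, Modify, FullControl) are unions of these bits, so testing
        # each bit names exactly what the ACE grants.
        ($bits.GetEnumerator() | Where-Object { ([int]$rights -band [int]$_.Value) -eq [int]$_.Value } | ForEach-Object Key) -join ', '
    }

    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        [pscustomobject]@{
            List = 'DACL'; TrusteeSID = $ace.IdentityReference.Value; Type = $ace.AccessControlType
            Rights = Expand-Rights $ace.FileSystemRights; Inherited = $ace.IsInherited
        }
    }
    foreach ($sace in $acl.GetAuditRules($true, $true, $sidType)) {
        [pscustomobject]@{
            List = 'SACL'; TrusteeSID = $sace.IdentityReference.Value; Type = $sace.AuditFlags
            Rights = Expand-Rights $sace.FileSystemRights; Inherited = $sace.IsInherited
        }
    }
}

# Sample target: a well-known system file. A write ACE for Everyone, Users or Authenticated Users
# on a file that a privileged process executes or loads is what this check usually hunts for.
Get-FileRightsReport -Path "$env:SystemRoot\System32\drivers\etc\hosts" | Format-Table -AutoSize
```

The DACL rows are the input to an effective-rights calculation, not the result: a trustee's effective rights combine every Allow ACE for the trustee and its groups, minus any Deny ACE, and Deny entries are evaluated first.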

filehash58

This is used to compute a hash of specific file(s). It applies only to regular files on UNIX systems and FILE_TYPE_DISK files on Windows systems. File path is mandatory for this query when submitting it to agents.

Child Elements: Description
File path*: The directory component of the absolute path to a file on the machine.
Hash: The result of applying the hash algorithm to the file.
Hash type: The hash algorithm to use when collecting the hash for each of the specified files.
Windows view: The Windows view (32-bit or 64-bit) to which this was targeted; it indicates which view the associated state applies to. This entity only applies to 64-bit Microsoft Windows operating systems.

Firewall

This is used to collect the Windows Firewall status for the Domain, Private and Public profiles, together with the default inbound/outbound actions.

Child Elements: Description
Allow inbound traffic: The default action for inbound traffic. It can be either allowed or blocked.
Allow outbound traffic: The default action for outbound traffic. It can be either allowed or blocked.
Block inbound traffic: The value of the BlockAllInboundTraffic property. It indicates whether all inbound traffic is blocked for the specified profile, regardless of allow rules.
Display notifications: The value of the NotificationsDisabled property. It indicates whether notifications are disabled for the specified profile.
Profile: The name of the profile, i.e. Public, Private or Domain.
Status: The value of the FirewallEnabled property. It indicates whether the firewall is enabled or disabled for the specified profile.
Unicast response to multicast/broadcast: The value of the UnicastResponsesToMulticastBroadcastDisabled property. It indicates whether the firewall blocks unicast responses to outgoing multicast and broadcast traffic.
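
The following is an added example, not SanerNow code, reading the INetFwPolicy2 properties named in the table for each profile through the HNetCfg.FwPolicy2 COM object and flagging the weak combinations (firewall off, or default inbound action Allow). It assumes Windows PowerShell 5.1; no elevation is needed to read these values.

```powershell
# Added example, not SanerNow code: read the per-profile INetFwPolicy2 properties the table
# refers to and flag weak settings. Assumptions: Windows PowerShell 5.1; read access is unprivileged.
$fw = New-Object -ComObject HNetCfg.FwPolicy2

# NET_FW_PROFILE_TYPE2 values and NET_FW_ACTION values (0 = Block, 1 = Allow).
$profiles = [ordered]@{ Domain = 1; Private = 2; Public = 4 }
$action   = @{ 0 = 'Block'; 1 = 'Allow' }

foreach ($name in $profiles.Keys) {
    $p        = $profiles[$name]
    $enabled  = $fw.FirewallEnabled($p)
    $inbound  = $action[[int]$fw.DefaultInboundAction($p)]
    $outbound = $action[[int]$fw.DefaultOutboundAction($p)]

    $findings = @()
    if (-not $enabled)        { $findings += 'firewall disabled' }
    if ($inbound -eq 'Allow') { $findings += 'default inbound action is Allow' }

    [pscustomobject]@{
        Profile                                      = $name
        Active                                       = ($fw.CurrentProfileTypes -band $p) -ne 0   # profile in use on a current connection
        FirewallEnabled                              = $enabled
        DefaultInboundAction                         = $inbound
        DefaultOutboundAction                        = $outbound
        BlockAllInboundTraffic                       = $fw.BlockAllInboundTraffic($p)
        NotificationsDisabled                        = $fw.NotificationsDisabled($p)
        UnicastResponsesToMulticastBroadcastDisabled = $fw.UnicastResponsesToMulticastBroadcastDisabled($p)
        Findings                                     = $findings -join '; '
    }
}
```

Only the profile(s) reported as Active govern traffic right now, but a weak Public profile still matters: it takes effect the moment the machine joins an untrusted network.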

Group

This collects the users and subgroups that directly belong to specific groups (identified by name). When it enumerates the groups on the system, it includes only local and built-in group accounts, not domain group accounts; domain group accounts can still be looked up by name, however. Note that subgroups of the group are not resolved to find indirect user and group members. If subgroups need to be resolved, use the Group SID query.

Child Elements: Description
Group: A string representing the name of a particular group. In Windows, group names are case-insensitive, so case-insensitive operations are recommended for this entity. In a domain environment, groups should be identified in the form "domain\group name". For local groups use "computer name\group name". For built-in accounts on the system, use the group name without a domain.
Sub-group: Windows only. A string representing the name of a particular subgroup in the specified group. In Windows, group names are case-insensitive, so case-insensitive operations are recommended for this entity. In a domain environment, subgroups should be identified in the form "domain\group name"; in a local environment, in the form "computer name\group name". If subgroups are built-in groups, identify them as "group name" without a domain component.
User: Windows only. A string representing the name of a particular user. In Windows, user names are case-insensitive, so case-insensitive operations are recommended for this entity. In a domain environment, users should be identified in the form "domain\user name". For local users use "computer name\user name". For built-in accounts on the system, use the user name without a domain.

Group SID

This defines the specific group(s) identified by SID.

Child ElementsDescription
Group SIDThis entity holds a string that represents the SID of a particular group.
Sub-group SIDThis entity holds a string that represents the SID of a particular subgroup in the specified group. This entity can be included multiple times in a system characteristic item in order to record that a group contains a number of different subgroups.
User SIDThis entity holds a string that represents the SID of a particular user in the specified group.

Installed Applications

This is used to collect information about the applications installed on the system.

Child ElementsDescription
Application dateThis element specifies installed application date.
Application nameThis element specifies installed application name.
Application last useThis element specifies the last use date of an application.
Application pathThis element specifies installed application path on the machine.
Application publisherThis element specifies the application publisher information.
Application versionThis element specifies installed application version
Install locationThis element specifies installed location on the machine.

Installed Patches

This is used to collect information about the patches (updates) installed on the system.

Child ElementsDescription
DescriptionThis element specifies the description of the patch.
Patch IDThe Patch ID element is unique identifier associated with a particular update.
Patch installed byThis element specifies the person who installed the update. If this value is unknown, the property is empty.
Patch installed onThis element specifies the date that the update was installed. If this value is unknown, the property is empty.
Patch rollback availableThis element specifies if rollback is possible for this patch. Possible values are TRUE or FALSE. An empty value appears if it cannot be determined.
Patch severityThis element specifies severity of a patch. Possible values: Important, Critical, etc. An empty value appears if it cannot be determined.
Patch sizeThis element specifies size of a patch. Values are specified in bytes. A value UNKNOWN appears if patch size cannot be determined.

Network Interfaces

The interface test enumerates various attributes of the network interfaces on a system.

Child ElementsDescription
Active typeThis element specifies the active interfaces.
Address typeThis element specifies the address type or state of a specific interface. Each interface can be associated with more than one value meaning the Address type element can occur multiple times in a system characteristic item.
Broadcast addressThis element specifies the broadcast address. A broadcast address is typically the IP address with the host portion set to either all zeros or all ones. Note that the IP address can be IPv4 or IPv6.
Hardware AddressThe Hardware Address entity is the hardware or MAC address of the physical network card. MAC addresses should be formatted according to the IEEE 802-2001 standard which states that a MAC address is a sequence of six octet values, separated by hyphens, where each octet is represented by two hexadecimal digits. Uppercase letters should also be used to represent the hexadecimal digits A through F.
IndexThis element specifies index that identifies the interface.
IP address of an interfaceThis element specifies the IP address. Note that the IP address can be IPv4 or IPv6. If IP address is an IPv6 address, this entity will be expressed as an IPv6 address prefix using CIDR notation and the netmask entity will not be collected.
NameThis element specifies the name of an interface.
NetmaskThis element specifies the subnet mask for the IP address. Note that If IP address of an interface entity contains an IPv6 address prefix, this entity will not be collected.
TypeThis element specifies the type of interface which is limited to certain set of values.
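As an added example (not part of the SanerNow documentation or its agent code), the following Python builds the interface item described in the table from raw adapter data: it renders the hardware address in the hyphenated, uppercase IEEE 802 form, derives the IPv4 broadcast address (host portion all ones) from the address and netmask, and, for IPv6, reports the address with its prefix length in CIDR notation and leaves the netmask uncollected. The interface names and addresses are constructed, and reporting the IPv6 entity as address/prefix-length (rather than the bare network prefix) is an assumption.

```python
import ipaddress
import re

# Constructed sample: raw values an agent might read for one interface with an
# IPv4 address and one with an IPv6 address. Names and addresses are made up.
SAMPLE_INTERFACES = [
    {"name": "Ethernet0", "index": 12, "type": "ethernet",
     "hw": "00:1a:2b:3c:4d:5e", "ip": "192.168.10.37", "netmask": "255.255.255.0"},
    {"name": "Ethernet0", "index": 12, "type": "ethernet",
     "hw": "001a.2b3c.4d5e", "ip": "2001:db8:abcd:12::37", "prefixlen": 64},
]


def normalize_mac(raw: str) -> str:
    """Render a hardware address in the IEEE 802 form the item expects:
    six two-digit uppercase hex octets separated by hyphens. Accepts the
    colon-, dot- or hyphen-separated spellings different tools emit."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit hardware address: {raw!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()


def interface_item(entry: dict) -> dict:
    """Build one interface item from raw adapter data.

    IPv4: the address is reported together with its netmask and the broadcast
    address (host portion all ones). IPv6: the address is reported as
    address/prefix in CIDR notation (assumption) and netmask and broadcast
    address are not collected.
    """
    addr = ipaddress.ip_address(entry["ip"])
    item = {
        "name": entry["name"],
        "index": entry["index"],
        "type": entry["type"],
        "hardware_addr": normalize_mac(entry["hw"]),
    }
    if addr.version == 4:
        iface = ipaddress.IPv4Interface(f"{entry['ip']}/{entry['netmask']}")
        item["ip_address"] = str(iface.ip)
        item["netmask"] = str(iface.netmask)
        item["broadcast_addr"] = str(iface.network.broadcast_address)
    else:
        iface = ipaddress.IPv6Interface(f"{entry['ip']}/{entry['prefixlen']}")
        item["ip_address"] = iface.with_prefixlen   # e.g. 2001:db8:abcd:12::37/64
        item["netmask"] = None                        # not collected for IPv6
        item["broadcast_addr"] = None                 # IPv6 has no broadcast address
    return item


def collect_interface_items(entries=SAMPLE_INTERFACES) -> list:
    """Return one item per raw interface entry."""
    return [interface_item(e) for e in entries]


if __name__ == "__main__":
    for item in collect_interface_items():
        print(item)
```

Normalising the hardware address before comparison matters in practice: a rule written against `00-1A-2B-3C-4D-5E` will silently never match an agent that reports `00:1a:2b:3c:4d:5e`.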

Account Lockout Policy

The lockout policy test enumerates various attributes associated with lockout information for users and global groups in the security database.

Child ElementsDescription
Force log-offSpecifies, in seconds, the amount of time between the end of the valid logon time and the time when the user is forced to log off the network. A value of TIMEQ_FOREVER (-1) indicates that the user is never forced to log off. A value of zero indicates that the user will be forced to log off immediately when the valid logon time expires. See the USER_MODALS_INFO_0 structure returned by a call to NetUserModalsGet().
Lockout durationSpecifies, in seconds, how long a locked account remains locked before it is automatically unlocked. See the USER_MODALS_INFO_3 structure returned by a call to NetUserModalsGet().
Lockout observation windowSpecifies the maximum time, in seconds, that can elapse between any two failed logon attempts before lockout occurs. See the USER_MODALS_INFO_3 structure returned by a call to NetUserModalsGet().
Lockout thresholdSpecifies the number of invalid password authentications that can occur before an account is marked “locked out.” See the USER_MODALS_INFO_3 structure returned by a call to NetUserModalsGet().

Operating System Information

This is used to collect various information about installed operating system.

Child ElementsDescription
Build versionThis element specifies the build number of an operating system. It can be used for more precise version information than product release version numbers.
OS ArchitectureThis element specifies the Architecture of the operating system, as opposed to the processor.
OS Country codeThis element specifies the code for the country/region that an operating system uses. Values are based on international phone dialling prefixes, also referred to as IBM country/region codes.
OS LocaleThis element specifies the language identifier used by the operating system. A language identifier is a standard international numeric abbreviation for a country/region.
Operating system nameThis element specifies the name of the operating system instance within a computer system.
Operating system versionThis element specifies the version number of the operating system instance within a computer system.
Service pack majorThis element specifies the major version number of the service pack installed on the computer system. If no service pack has been installed, the value is 0 (zero).
Service pack minorThis element specifies the minor version number of the service pack installed on the computer system. If no service pack has been installed, the value is 0 (zero).

Password Policy

Specific policy items associated with passwords. It is important to note that these policies are specific to certain versions of Windows. As a result, the documentation for that version of Windows should be consulted for more information. The underlying values are held in the SAM or Active Directory in protected form, so they cannot be read directly from the registry or from Active Directory; they are obtained through the account-policy APIs instead (compare the USER_MODALS_INFO structures returned by NetUserModalsGet(), which the Account Lockout Policy item also uses).

Child ElementsDescription
Maximum password ageSpecifies, in seconds, the maximum allowable password age. A value of TIMEQ_FOREVER (-1) indicates that the password never expires. The minimum valid value for this element is ONE_DAY (86400).
Minimum password ageSpecifies the minimum number of seconds that can elapse between the time a password changes and when it can be changed again. A value of zero indicates that no delay is required between password updates.
Minimum password lengthSpecifies the minimum allowable password length. Valid values for this element are zero through PWLEN.
Password history lengthSpecifies the length of the password history maintained. A new password cannot match any of the previous usrmod0_password_hist_len passwords. Valid values for this element are zero through DEF_MAX_PWHIST.
Password complexityA boolean value that signifies whether passwords must meet the complexity requirements put forth by the operating system.
Reversible encryptionDetermines whether or not passwords are stored using reversible encryption.

Port/Network Connection

Information about open ports and network connections.

Child ElementsDescription
Local addressThis element specifies the local IP address the listening port is bound to. Note that the IP address can be IPv4 or IPv6.
Local portThis element specifies the number assigned to the local listening port.
ProtocolThis element specifies the type of listening port. It is restricted to either TCP or UDP.
Process ID(PID)The id given to the process that is associated with the specified listening port.
Foreign addressThis is the IP address with which the program is communicating, or with which it will communicate, in the case of a listening server. Note that the IP address can be IPv4 or IPv6.
Foreign portThis is the TCP or UDP port to which the program communicates.

Printer Effective Rights

This item stores the effective rights of a printer that a discretionary access control list (DACL) structure grants to a specified trustee. The trustee’s effective rights are determined by checking all access-allowed and access-denied access control entries (ACEs) in the DACL. For help with this test see the GetEffectiveRightsFromAcl() api.

Child ElementsDescription
Printer nameThis entity specifies the name of the printer.
Trustee SIDThis entity specifies the SID associated with a user, group, system, or program (such as a Windows service).
Standard deleteThe right to delete the object.
Standard read controlThe right to read the information in the object’s security descriptor, not including the information in the SACL.
Standard write DACThe right to modify the DACL in the object’s security descriptor.
Standard write ownerThe right to change the owner in the object’s security descriptor.
Standard synchronizeThe right to use the object for synchronization. This enables a thread to wait until the object is in the signalled state. Some object types do not support this access right.
Access system securityIndicates access to a system access control list (SACL).
Generic readRead access.
Generic writeWrite access.
Generic executeExecute access.
Generic allRead, write, and execute access.
Printer access administerThe right to perform administrative tasks on the printer (PRINTER_ACCESS_ADMINISTER), such as changing its configuration or managing its queue.
Printer access useThe right to use the printer, i.e. to submit print jobs (PRINTER_ACCESS_USE).
Job access administerThe right to administer a print job (JOB_ACCESS_ADMINISTER): pause, resume, cancel or reorder it.
Job access readThe right to read a print job’s data and properties (JOB_ACCESS_READ).

Process

Information about running processes.

Child ElementsDescription
Creation timeThe Creation time entity represents the creation time of the process. The value of this entity represents the FILETIME structure which is a 64-bit value representing the number of 100-nanosecond intervals since January 1, 1601 (UTC). See the GetProcessTimes function lpCreationTime.
Current directoryThe Current directory entity represents the current path to the executable file for the process.
DEP enabledThe DEP enabled entity represents whether or not data execution prevention (DEP) is enabled. See the GetProcessDEPPolicy function lpFlags.
Image pathThe Image path entity represents the name of the executable file for the process.
NameThis element indicates name of the process.
Parent process IDThe id given to the parent of the process that is created for the specified command line.
PriorityThe base priority of the process.
Primary windows textThis represents the title of the primary window of the process. See the GetWindowText function.
Process ID(PID)The id given to the process that is created for a specified command line.
Process memoryThis element specifies the virtual memory in use by the process. Virtual memory extends primary storage by backing it with secondary storage, so this figure can exceed the physical memory the process currently holds.
Swap sizeThis element specifies the swap size in bytes.

Registry

The windows registry item specifies information that can be collected about a particular registry key. Hive, Key and Name are mandatory fields while submitting to agents.

Child ElementsDescription
Hive*The hive that the registry key belongs to.
Key*This element describes a registry key to be gathered. Note that the hive portion of the string should not be included, as this data can be found under the hive element. If xsi:nil attribute is set to true, then the item being represented is the higher level hive. Using xsi:nil here will result in a status of ‘does not exist’ for the type, and value entities since these entities are not associated with a hive by itself. Note that when xsi:nil is used for the key element, the name element should also be nilled.
Name*This element describes the name of a registry key. If xsi:nil attribute is set to true, then the item being represented is the higher level key. Using xsi:nil here will result in a status of ‘does not exist’ for the type, and value entities since these entities are not associated with a key by itself.
Last write timeThe last time that the key or any of its value entries was modified. The value of this entity represents the FILETIME structure which is a 64-bit value representing the number of 100-nanosecond intervals since January 1, 1601 (UTC). Last write time can be queried on a hive, key, or name. When collecting only information about a registry hive the last write time will be the time the hive or any of its entries was written to. When collecting only information about a registry hive and key the last write time will be the time the key or any of its entries was written to. When collecting only information about a registry name the last write time will be the time the name was written to. See the RegQueryInfoKey function lpftLastWriteTime.
TypeSpecifies the type of data stored by the registry key. For example: REG_BINARY, REG_DWORD, REG_QWORD etc.
ValueThis entity holds the actual value of the specified registry key. The representation of the value as well as the associated datatype attribute depends on type of data stored in the registry key. If specified registry key is of type REG_BINARY, then the datatype attribute should be set to ‘binary’ and the data represented by the value entity should follow the xsd:hexBinary form. (each binary octet is encoded as two hex digits) If registry key is of type REG_DWORD or REG_QWORD, then the datatype attribute should be set to ‘int’ and the value entity should represent the data as an integer. If specified registry key is of type REG_EXPAND_SZ, then the datatype attribute should be set to ‘string’ and the pre-expanded string should be represented by the value entity. If specified registry key is of type REG_MULTI_SZ, then multiple value entities should exist to describe the array of strings, with each value element holds a single string. In the end, there should be the same number of value entities as there are strings in the reg_multi_sz array. If specified registry key is of type REG_SZ, then the datatype should be ‘string’ and the value entity should be a copy of the string.
Windows viewThe windows view value from which this OVAL Item was collected. This is used to indicate from which view (32-bit or 64-bit), the associated Item was collected. A value of ’32_bit’ indicates the Item was collected from the 32-bit view. A value of ’64_bit’ indicates the Item was collected from the 64-bit view. Omitting this entity removes any assertion about which view the Item was collected from, and therefore it is strongly suggested that this entity be set.
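The Value entity's datatype rules and the FILETIME encoding of Last write time are easy to get wrong when consuming agent output, so here is an added Python example (not SanerNow code) that decodes raw registry data the way the table describes: REG_BINARY as hex pairs, REG_DWORD/REG_QWORD as integers, REG_SZ/REG_EXPAND_SZ as a pre-expanded string, REG_MULTI_SZ as one value per string, plus a FILETIME to datetime conversion. The registry type codes and the FILETIME epoch are Windows SDK values; the sample key, value and bytes are constructed for the example.

```python
import struct
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

# Registry value type codes (winnt.h).
REG_SZ, REG_EXPAND_SZ, REG_BINARY, REG_DWORD, REG_MULTI_SZ, REG_QWORD = 1, 2, 3, 4, 7, 11
REG_TYPE_NAMES = {REG_SZ: "REG_SZ", REG_EXPAND_SZ: "REG_EXPAND_SZ", REG_BINARY: "REG_BINARY",
                  REG_DWORD: "REG_DWORD", REG_MULTI_SZ: "REG_MULTI_SZ", REG_QWORD: "REG_QWORD"}

# FILETIME of 1970-01-01T00:00:00Z: 134774 days of 100-ns ticks after 1601-01-01.
UNIX_EPOCH_FILETIME = 116444736000000000
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert a FILETIME (100-nanosecond intervals since 1601-01-01 UTC), as
    carried by the Last write time entity, to a timezone-aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def _utf16z(raw: bytes) -> str:
    """Decode UTF-16LE data and cut at the first NUL terminator, if any."""
    return raw.decode("utf-16-le").split("\x00", 1)[0]


def decode_registry_value(reg_type: int, raw: bytes) -> Tuple[str, List]:
    """Map raw registry data to the (datatype, values) representation used by
    the Value entity. 'values' holds one entry per value entity, so REG_MULTI_SZ
    yields one entry per string and the scalar types yield exactly one."""
    if reg_type == REG_BINARY:
        return "binary", [raw.hex()]          # xsd:hexBinary: two hex digits per octet
    if reg_type == REG_DWORD:
        return "int", [struct.unpack("<I", raw)[0]]
    if reg_type == REG_QWORD:
        return "int", [struct.unpack("<Q", raw)[0]]
    if reg_type in (REG_SZ, REG_EXPAND_SZ):
        # REG_EXPAND_SZ is reported pre-expanded: %SystemRoot% stays literal.
        return "string", [_utf16z(raw)]
    if reg_type == REG_MULTI_SZ:
        # Each string is NUL-terminated and the list ends with an extra NUL;
        # a list holding only the terminator is an empty array.
        text = raw.decode("utf-16-le").rstrip("\x00")
        return "string", text.split("\x00") if text else []
    raise ValueError(f"unsupported registry value type {reg_type}")


def registry_item(hive, key, name, reg_type, raw, last_write_filetime, view="64_bit"):
    """Assemble a registry item with the entities described in the table."""
    datatype, values = decode_registry_value(reg_type, raw)
    return {
        "hive": hive, "key": key, "name": name,
        "type": REG_TYPE_NAMES[reg_type],
        "datatype": datatype, "values": values,
        "last_write_time": filetime_to_datetime(last_write_filetime).isoformat(),
        "windows_view": view,
    }


if __name__ == "__main__":
    # Constructed sample data, not read from a live registry.
    print(registry_item(
        "HKEY_LOCAL_MACHINE",
        r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
        "EnableLUA", REG_DWORD, b"\x01\x00\x00\x00", UNIX_EPOCH_FILETIME))
```

The REG_MULTI_SZ branch is the one worth testing against real data: a value written with a single trailing NUL by a careless installer still decodes, and an empty list must not surface as one empty string.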

Registry Key Audit Permissions

This item specifies the audited permissions (system access control list, SACL, entries) that can be collected for a particular registry key and trustee. Hive and Key are mandatory fields while submitting to agents.

Child ElementsDescription
Hive*This element specifies the hive of a registry key on the machine from which the SACL was retrieved.
Key*This element specifies a registry key on the machine from which the SACL was retrieved. Note that the hive portion of the string should not be included, as this data should be found under the hive element.
Access system securityIndicates access to a system access control list (SACL).
Create linkThe right to create a symbolic link in the key (KEY_CREATE_LINK).
Create sub-keyThe right to create subkeys under the key (KEY_CREATE_SUB_KEY).
Enumerate sub-keysThe right to enumerate the subkeys of the key (KEY_ENUMERATE_SUB_KEYS).
Generic readRead access.
Generic writeWrite access.
Generic executeExecute access.
Generic allRead, write, and execute access.
NotifyThe right to request change notifications for the key or its subkeys (KEY_NOTIFY).
Query valueThe right to read the values of the key (KEY_QUERY_VALUE).
Set valueThe right to create, change or delete the values of the key (KEY_SET_VALUE).
Standard deleteThe right to delete the object.
Standard read controlThe right to read the information in the object’s security descriptor, not including the information in the SACL.
Standard write DACThe right to modify the DACL in the object’s security descriptor.
Standard write ownerThe right to change the owner in the object’s security descriptor.
Trustee SIDThe security identifier (SID) of the specified trustee name.
Windows viewThe windows view value from which this OVAL Item was collected. This is used to indicate from which view (32-bit or 64-bit), the associated Item was collected. A value of ’32_bit’ indicates the Item was collected from the 32-bit view. A value of ’64_bit’ indicates the Item was collected from the 64-bit view. Omitting this entity removes any assertion about which view the Item was collected from, and therefore it is strongly suggested that this entity be set.
Wow64 64bit keyIndicates that a 32-bit application should operate on the 64-bit registry view (KEY_WOW64_64KEY).
Wow64 32 bit keyIndicates that a 64-bit application should operate on the 32-bit registry view (KEY_WOW64_32KEY).
Wow64 resultReserved WOW64 access flag (KEY_WOW64_RES).

Registry Key Effective Rights

This item stores the effective rights of a registry key that a discretionary access control list (DACL) structure grants to a specified trustee. The trustee’s effective rights are determined by checking all access-allowed and access-denied access control entries (ACEs) in the DACL. For help with this test see the GetEffectiveRightsFromAcl() api. Hive and Key are mandatory fields while submitting to agents.

Child ElementsDescription
Hive*The hive that the registry key belongs to.
Key*This element describes a registry key to be gathered. Note that the hive portion of the string should not be included, as this data can be found under the hive element. If xsi:nil attribute is set to true, then the item being represented is the higher level hive.
Trustee SIDThis entity specifies the SID associated with a user, group, system, or program (such as a Windows service).
Standard deleteThe right to delete the object.
Standard read controlThe right to read the information in the object’s security descriptor, not including the information in the SACL.
Standard write DACThe right to modify the DACL in the object’s security descriptor.
Standard write ownerThe right to change the owner in the object’s security descriptor.
Access system securityIndicates access to a system access control list (SACL).
Generic readRead access.
Generic writeWrite access.
Generic executeExecute access.
Generic allRead, write, and execute access.
Query valueThe right to read the values of the key (KEY_QUERY_VALUE).
Set valueThe right to create, change or delete the values of the key (KEY_SET_VALUE).
Create sub-keyThe right to create subkeys under the key (KEY_CREATE_SUB_KEY).
Enumerate sub-keysThe right to enumerate the subkeys of the key (KEY_ENUMERATE_SUB_KEYS).
NotifyThe right to request change notifications for the key or its subkeys (KEY_NOTIFY).
Create linkThe right to create a symbolic link in the key (KEY_CREATE_LINK).
Wow64 64bit keyIndicates that a 32-bit application should operate on the 64-bit registry view (KEY_WOW64_64KEY).
Wow64 32 bit keyIndicates that a 64-bit application should operate on the 32-bit registry view (KEY_WOW64_32KEY).
Wow64 resultReserved WOW64 access flag (KEY_WOW64_RES).
Windows viewThe windows view value from which this OVAL Item was collected. This is used to indicate from which view (32-bit or 64-bit), the associated Item was collected. A value of ’32_bit’ indicates the Item was collected from the 32-bit view. A value of ’64_bit’ indicates the Item was collected from the 64-bit view. Omitting this entity removes any assertion about which view the Item was collected from, and therefore it is strongly suggested that this entity be set.

Run command history

This is used to collect the history of commands entered through the Run command.

Child ElementsDescription
HistoryThis element specifies a command recorded in the Run command history.

Scheduled Programs

This is used to collect various information about scheduled task.

Child ElementsDescription
Task nameThis element specifies the scheduled task name.
Task enabledThe Task enabled element is a boolean value that indicates whether the registered task is enabled.
Task stateThis element specifies the operational state of the task.
Task pathThis element specifies the path to where the registered task is stored on the machine.
Last run timeThis element specifies the time the registered task was last run. Data appears as a Unix epoch timestamp (seconds since 1970-01-01 UTC), such as 1519706807.
Next run timeThis element specifies the time when the registered task is next scheduled to run. Data appears as a Unix epoch timestamp (seconds since 1970-01-01 UTC), such as 1520409600.

Service Effective Rights

This item stores the effective rights of a service that a discretionary access control list (DACL) structure grants to a specified trustee. The trustee’s effective rights are determined by checking all access-allowed and access-denied access control entries (ACEs) in the DACL. For help with this test see the GetEffectiveRightsFromAcl() api.

Child ElementsDescription
Service nameThis element specifies a service on the machine from which to retrieve the DACL. Note that the Service name element should contain the actual name of the service and not its display name that is found in Control Panel->Administrative Tools->Services. For example, if you wanted to check the effective rights of the Automatic Updates service you would specify ‘wuauserv’ for the Service name element not ‘Automatic Updates’.
Trustee SIDThis element specifies the SID that is associated with a user, group, system, or program (such as a Windows service).
Standard deleteThis permission is required to call the DeleteService function to delete the service.
Standard read controlThis permission is required to call the QueryServiceObjectSecurity function to query the security descriptor of the service object.
Standard write DACThis permission is required to call the SetServiceObjectSecurity function to modify the Dacl member of the service object’s security descriptor.
Standard write ownerThis permission is required to call the SetServiceObjectSecurity function to modify the Owner and Group members of the service object’s security descriptor.
Generic readRead access (STANDARD_RIGHTS_READ, SERVICE_QUERY_CONFIG, SERVICE_QUERY_STATUS, SERVICE_INTERROGATE, SERVICE_ENUMERATE_DEPENDENTS).
Generic writeWrite access (STANDARD_RIGHTS_WRITE, SERVICE_CHANGE_CONFIG).
Generic executeExecute access (STANDARD_RIGHTS_EXECUTE, SERVICE_START, SERVICE_STOP, SERVICE_PAUSE_CONTINUE, SERVICE_USER_DEFINED_CONTROL).
Service query configurationThis permission is required to call the QueryServiceConfig and QueryServiceConfig2 functions to query the service configuration.
Service change configurationThis permission is required to call the ChangeServiceConfig or ChangeServiceConfig2 function to change the service configuration.
Service query statusThis permission is required to call the QueryServiceStatusEx function to ask the service control manager about the status of the service.
Service enumeration dependentsThis permission is required to call the EnumDependentServices function to enumerate all the services dependent on the service.
Service startThis permission is required to call the StartService function to start the service.
Service stopThis permission is required to call the ControlService function to stop the service.
Service pauseThis permission is required to call the ControlService function to pause or continue the service.
Service interrogateThis permission is required to call the ControlService function to ask the service to report its status immediately.
Service user-definedThis permission is required to call the ControlService function to specify a user-defined control code.
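The Printer, Registry Key, Service and Shared resource effective-rights items all rest on the same idea: walk the DACL's allow and deny ACEs for the trustee and reduce them to a set of named rights. The following Python is an added example (not SanerNow's agent code) of that reduction for a service object, because the service table above is the one that spells out which specific rights each generic right expands to. The access-mask constants are the Windows SDK values; the DACL and the user SID are constructed, and the in-order allow/deny walk is a simplified model of GetEffectiveRightsFromAcl() that ignores inherit-only and object-specific ACEs.

```python
from dataclasses import dataclass
from typing import Dict, Iterable

# Standard and generic access-mask bits (winnt.h).
DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE = 0x10000, 0x20000, 0x40000, 0x80000, 0x100000
ACCESS_SYSTEM_SECURITY = 0x01000000
GENERIC_READ, GENERIC_WRITE, GENERIC_EXECUTE, GENERIC_ALL = 0x80000000, 0x40000000, 0x20000000, 0x10000000
STANDARD_RIGHTS_READ = STANDARD_RIGHTS_WRITE = STANDARD_RIGHTS_EXECUTE = READ_CONTROL
STANDARD_RIGHTS_REQUIRED = DELETE | READ_CONTROL | WRITE_DAC | WRITE_OWNER

# Service-specific rights (winsvc.h).
SERVICE_QUERY_CONFIG, SERVICE_CHANGE_CONFIG, SERVICE_QUERY_STATUS = 0x0001, 0x0002, 0x0004
SERVICE_ENUMERATE_DEPENDENTS, SERVICE_START, SERVICE_STOP = 0x0008, 0x0010, 0x0020
SERVICE_PAUSE_CONTINUE, SERVICE_INTERROGATE, SERVICE_USER_DEFINED_CONTROL = 0x0040, 0x0080, 0x0100
SERVICE_ALL_ACCESS = STANDARD_RIGHTS_REQUIRED | 0x01FF   # 0xF01FF

# Generic-to-specific mapping for service objects, as listed in the table above.
SERVICE_GENERIC_MAPPING = {
    GENERIC_READ: STANDARD_RIGHTS_READ | SERVICE_QUERY_CONFIG | SERVICE_QUERY_STATUS
                  | SERVICE_INTERROGATE | SERVICE_ENUMERATE_DEPENDENTS,
    GENERIC_WRITE: STANDARD_RIGHTS_WRITE | SERVICE_CHANGE_CONFIG,
    GENERIC_EXECUTE: STANDARD_RIGHTS_EXECUTE | SERVICE_START | SERVICE_STOP
                     | SERVICE_PAUSE_CONTINUE | SERVICE_USER_DEFINED_CONTROL,
    GENERIC_ALL: SERVICE_ALL_ACCESS,
}


@dataclass
class Ace:
    kind: str   # "allow" or "deny"
    sid: str    # trustee the ACE applies to
    mask: int   # access mask, may contain generic bits


def map_generic(mask: int, mapping=SERVICE_GENERIC_MAPPING) -> int:
    """Replace generic bits with the object-specific rights they stand for."""
    specific = mask
    for generic_bit, rights in mapping.items():
        if mask & generic_bit:
            specific = (specific & ~generic_bit) | rights
    return specific


def effective_rights(dacl: Iterable[Ace], trustee_sids: Iterable[str]) -> int:
    """Simplified model of GetEffectiveRightsFromAcl(): walk the DACL in order.
    An allow ACE for the trustee (or one of its groups) grants bits not already
    denied; a deny ACE blocks bits not already granted. In a canonical DACL
    (denies first) a deny therefore wins for every bit it names."""
    sids = set(trustee_sids)
    granted = denied = 0
    for ace in dacl:
        if ace.sid not in sids:
            continue
        mask = map_generic(ace.mask)
        if ace.kind == "deny":
            denied |= mask & ~granted
        elif ace.kind == "allow":
            granted |= mask & ~denied
        else:
            raise ValueError(f"unknown ACE kind {ace.kind!r}")
    return granted


def describe_service_rights(mask: int) -> Dict[str, bool]:
    """Translate an effective access mask into the named rights of the item."""
    def has(bits):
        return (mask & bits) == bits
    return {
        "standard_delete": has(DELETE), "standard_read_control": has(READ_CONTROL),
        "standard_write_dac": has(WRITE_DAC), "standard_write_owner": has(WRITE_OWNER),
        "generic_read": has(SERVICE_GENERIC_MAPPING[GENERIC_READ]),
        "generic_write": has(SERVICE_GENERIC_MAPPING[GENERIC_WRITE]),
        "generic_execute": has(SERVICE_GENERIC_MAPPING[GENERIC_EXECUTE]),
        "service_query_config": has(SERVICE_QUERY_CONFIG),
        "service_change_config": has(SERVICE_CHANGE_CONFIG),
        "service_query_status": has(SERVICE_QUERY_STATUS),
        "service_enumerate_dependents": has(SERVICE_ENUMERATE_DEPENDENTS),
        "service_start": has(SERVICE_START), "service_stop": has(SERVICE_STOP),
        "service_pause_continue": has(SERVICE_PAUSE_CONTINUE),
        "service_interrogate": has(SERVICE_INTERROGATE),
        "service_user_defined_control": has(SERVICE_USER_DEFINED_CONTROL),
    }


# Constructed sample: a service DACL and a trustee who is a member of
# BUILTIN\Users. The user SID is invented for this example.
USER_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"
SAMPLE_DACL = [
    Ace("deny", USER_SID, SERVICE_START),                                       # canonical: denies first
    Ace("allow", "S-1-5-18", GENERIC_ALL),                                      # LocalSystem
    Ace("allow", "S-1-5-32-544", GENERIC_ALL),                                  # BUILTIN\Administrators
    Ace("allow", "S-1-5-32-545", GENERIC_READ | SERVICE_START | SERVICE_STOP),  # BUILTIN\Users
]
TRUSTEE_SIDS = {USER_SID, "S-1-5-32-545", "S-1-1-0"}   # the user, Users, Everyone


def sample_service_rights() -> Dict[str, bool]:
    """Effective rights of the sample trustee on the sample service."""
    return describe_service_rights(effective_rights(SAMPLE_DACL, TRUSTEE_SIDS))


if __name__ == "__main__":
    for right, held in sample_service_rights().items():
        print(f"{right:30} {held}")
```

Two things the walk makes visible: a trustee can hold every bit of Generic read without a single ACE naming GENERIC_READ (the allow ACE for Users supplies them after mapping), and a deny ACE placed after an allow in a non-canonical DACL does not remove rights the earlier allow already granted.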

Services

This is used to collect different metadata associated with a windows service.

Child ElementsDescription
Service nameThis element specifies the name of a service in the service control manager database.
Service display nameThis element specifies the service’s display name. The display name is the same as it appears in the Windows Services control panel utility.
Service statusThis element specifies the current status of the service.
Service start typeThis element specifies a value that indicates how the service starts.
Service dependencyThis element specifies the dependent services names.
Service descriptionThis element specifies the service description.

Shared Resources

This is used to collect different metadata associated with a Windows shared resource (network share).

Child ElementsDescription
NetnameThe share name of the resource.
Shared typeThe type of the shared resource.
Maximum usesThe maximum number of concurrent connections that the shared resource can accommodate.
Current usesThe number of current connections to the shared resource.
Local pathThe local path for the shared resource.
Access read permissionPermission to read data from a resource and, by default, to execute the resource.
Access write permissionPermission to write data to the resource.
Access create permissionPermission to create an instance of the resource (such as a file); data can be written to the resource as the resource is created.
Access execute PermissionPermission to execute the resource.
Access delete permissionPermission to delete the resource.
Access attribute permissionPermission to modify the resource’s attributes (such as the date and time when a file was last modified).
Access permanent permissionPermission to modify the permissions (read, write, create, execute, and delete) assigned to a resource for a user or application.
Access all permissionsPermission to read, write, create, execute, and delete resources, and to modify their attributes and permissions.

Shared Resource Audited Permissions

This is used to collect the audited permissions (SACL entries) that apply to a shared resource for a specified trustee.

Child ElementsDescription
NetnameThis entity specifies the name associated with a particular shared resource.
Trustee SIDThis entity specifies the SID associated with a user, group, system, or program (such as a Windows service).
Standard deleteThe right to delete the object.
Standard read controlThe right to read the information in the object’s security descriptor, not including the information in the SACL.
Standard write DACThe right to modify the DACL in the object’s security descriptor.
Standard write ownerThe right to change the owner in the object’s security descriptor.
Standard synchronizeThe right to use the object for synchronization. This enables a thread to wait until the object is in the signalled state. Some object types do not support this access right.
Access system securityIndicates access to a system access control list (SACL).
Generic readRead access.
Generic writeWrite access.
Generic executeExecute access.
Generic allRead, write, and execute access.

Shared resource effective rights

This is used to collect the effective rights that the DACL of a shared resource grants to a specified trustee.

Child ElementsDescription
NetnameThis entity specifies the name associated with a particular shared resource.
Trustee SIDThis entity specifies the SID associated with a user, group, system, or program (such as a Windows service).
Standard deleteThe right to delete the object.
Standard read controlThe right to read the information in the object’s security descriptor, not including the information in the SACL.
Standard write DACThe right to modify the DACL in the object’s security descriptor.
Standard write ownerThe right to change the owner in the object’s security descriptor.
Standard synchronizeThe right to use the object for synchronization. This enables a thread to wait until the object is in the signalled state. Some object types do not support this access right.
Access system securityIndicates access to a system access control list (SACL).
Generic readRead access.
Generic writeWrite access.
Generic executeExecute access.
Generic allRead, write, and execute access.

SID

This is used to look up the properties of a trustee (user, group, system or program) identified by name, returning its SID and domain.

Child ElementsDescription
Trustee nameThis element specifies the trustee name associated with a particular SID. In Windows, trustee names are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, trustee names should be identified in the form: “domain\trustee name”. For local trustee names use: “computer name\trustee name”. For built-in accounts on the system, use the trustee name without a domain.
Trustee SIDThe security identifier (SID) of the specified trustee name.
Trustee domainThe domain of the specified trustee name.

SID SID

This is used to look up the properties of a trustee identified by SID rather than by name, returning its name and domain.

Child ElementsDescription
Trustee domainThe domain of the specified trustee name.
Trustee nameThis element specifies the trustee name associated with a particular SID. In Windows, trustee names are case-insensitive. As a result, it is recommended that the case-insensitive operations are used for this entity. In a domain environment, trustee names should be identified in the form: “domain\trustee name”. For local trustee names use: “computer name\trustee name”. For built-in accounts on the system, use the trustee name without a domain.
Trustee SIDThe security identifier (SID) of the specified trustee name.

System Autorun

This is used to collect information about startup applications.

Child ElementsDescription
Application nameThis element specifies the file name of the startup command.
CaptionThis element specifies the short description of the startup command.
CommandThis element specifies the command run by the startup command.
DescriptionThis element specifies description of the startup command.
LocationThis element specifies the path where the startup command resides on the disk file system.
UserThis element specifies the user name for whom this startup command will run.

System DEP Policy

This is used to collect information about system Data Execution Prevention (DEP) status.

Child ElementsDescription
DEP PolicyThis element specifies the DEP policy status on the system.

System DHCP Information

This is used to collect system Dynamic Host Configuration Protocol (DHCP) information.

Child ElementsDescription
DHCP enabledThis element specifies whether the Dynamic Host Configuration Protocol (DHCP) is enabled for this adapter.
DHCP Server IPThis element specifies the address of the DHCP server for this adapter.
Lease obtained timeThis element specifies the time when the current DHCP lease was obtained.
Lease expire timeThis element specifies the time when the current DHCP lease expires.
IP maskThis element specifies the list of IP address and subnet mask pairs associated with this adapter.
Gateway IPThis element specifies the IP address of the gateway for this adapter.
DescriptionThis element specifies an ANSI character string that contains the description of the adapter.
MAC AddressThis element specifies the hardware address for the adapter.
TypeThis element specifies the adapter type.

System DNS Information

This is used to collect domain name and domain name system ip information.

Child ElementsDescription
Domain nameThis element specifies the domain in which the local computer is registered.
DNS server IPThis element specifies the list of DNS server IP addresses used by the local computer.

System UAC Policy

This is used to collect information about the system User Account Control (UAC) status.

Child Elements | Description
System UAC Policy | This element specifies the UAC policy status on the system.

Text File Content

This element looks at the content of a text file (for example a configuration file) by examining individual lines. File path, pattern and instance are mandatory for this query when submitting to agents.

Child Elements | Description
File path* | This element specifies the absolute path of a file on the machine. A directory cannot be specified as a file path.
Pattern/Text* | This entity represents a block of text or a regular expression that is used to define a block of text. Subexpression notation (parentheses) is used to call out the value(s) to test against. For example, the pattern abc(.*)xyz would look for a block of text in the file that starts with abc and ends with xyz, with the subexpression being all the characters in between. Note that if the pattern can match more than one block of text starting at the same point, it matches the longest. Subexpressions also match the longest possible substrings, subject to the constraint that the whole match be as long as possible, with subexpressions starting earlier in the pattern taking priority over ones starting later.
Instance* | The instance entity calls out which match of the pattern is represented by this item. The first match is given an instance value of 1, the second match an instance value of 2, and so on. The main purpose of this entity is to provide uniqueness for the different items that result from multiple matches of a given pattern against the same file.
Sub-expression | The subexpression entity represents the value of a subexpression in the specified pattern. If multiple subexpressions are specified in the pattern, multiple entities are presented. Note that the OVAL definition schema allows only a single subexpression entity in the state, so the same check is applied to all (or at least one, none, etc.) of the subexpressions in the item; the order of multiple subexpression entities in the item therefore does not matter.
Windows view | The Windows view from which this item was collected, used to indicate whether the item came from the 32-bit or the 64-bit view. A value of '32_bit' indicates the 32-bit view and '64_bit' the 64-bit view. Omitting this entity removes any assertion about which view the item was collected from, so it is strongly suggested that it be set. This entity applies only to 64-bit Microsoft Windows operating systems.
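The following is an added worked example of the instance and subexpression semantics described above; it is not SanerNow agent code or OVAL reference code. It applies a pattern line by line to a constructed sshd_config-style sample, numbers the matches from 1, exposes the capture groups as the item's subexpressions, and evaluates them with the OVAL-style entity checks ("all", "at least one", "none satisfy", "only one"). One caveat: Python's re module uses leftmost-first alternation rather than the POSIX leftmost-longest rule quoted in the table, so patterns should be written so that the two cannot disagree.

```python
import re
from typing import List, Optional

# Constructed sample file content (sshd_config style); not copied from any host.
SAMPLE_CONFIG = """\
# constructed sample
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#PermitRootLogin no
PermitRootLogin no
"""


def collect_text_file_items(content: str, pattern: str) -> List[dict]:
    """Apply `pattern` to each line of `content` and number the matches.

    The pattern is matched line by line, the first match is instance 1,
    and each item carries the values of the pattern's subexpressions
    (capture groups) plus the line it was found on.
    """
    regex = re.compile(pattern)
    items: List[dict] = []
    for line_no, line in enumerate(content.splitlines(), start=1):
        for m in regex.finditer(line):
            items.append({
                "instance": len(items) + 1,
                "line": line_no,
                "text": m.group(0),
                "subexpressions": list(m.groups()),
            })
    return items


def subexpressions(content: str, pattern: str, instance: int) -> Optional[List[str]]:
    """Subexpression values of one instance (1-based), or None when that
    instance does not exist (the probe reports such an item as 'does not exist')."""
    if instance < 1:
        raise ValueError("instance numbering starts at 1")
    items = collect_text_file_items(content, pattern)
    if instance > len(items):
        return None
    return items[instance - 1]["subexpressions"]


def check_subexpressions(content: str, pattern: str, instance: int,
                         expected: str, entity_check: str = "all") -> bool:
    """Compare the subexpressions of one instance against `expected` using an
    OVAL-style entity check. A missing instance never satisfies the check."""
    values = subexpressions(content, pattern, instance)
    if values is None:
        return False
    hits = [v == expected for v in values]
    if entity_check == "all":
        return all(hits)
    if entity_check == "at least one":
        return any(hits)
    if entity_check == "none satisfy":
        return not any(hits)
    if entity_check == "only one":
        return hits.count(True) == 1
    raise ValueError(f"unknown entity_check {entity_check!r}")
```

With the pattern `^PermitRootLogin\s+(\S+)$`, the commented-out line is skipped because of the `^` anchor, the first live directive is instance 1 and the last one is instance 2; a check that wants the effective value therefore has to target the last instance, since sshd uses the first occurrence but other daemons use the last.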

User SID

This allows collection of the different groups (identified by SID) that a user belongs to.

Child Elements | Description
User SID | A string that represents the SID of a particular user.
Enabled | A boolean that represents whether the particular user is enabled or not.
Group SID | A string that represents the SID of a particular group. If the specified user belongs to more than one group, multiple Group SID elements should exist. If the specified user is not a member of a single group, a single Group SID element should exist with a status of 'does not exist'. If there is an error determining the groups that the user belongs to, a single Group SID element should be included with a status of 'error'.

WMI

The wmi57 object describes information to be checked through Microsoft's WMI interface. Namespace and the Windows Query Language (WQL) query are mandatory fields when submitting to agents.

Child Elements | Description
Namespace* | The WMI namespace of the specific object.
Windows Query Language(WQL)* | A WQL query used to identify the object(s) specified. Any valid WQL query is allowed with one exception: all fields must be named. For example, SELECT name, age FROM … is valid, but SELECT * FROM … is not, because the result record supports only named fields.
Result | This entity holds the results of the specified WQL statement.

WSUS SCCM Information

This is used to collect configuration details about Windows Server Update Services (WSUS) and System Center Configuration Manager (SCCM).

Child Elements | Description
Use Windows update server | The UseWUServer element, if set to 1, specifies that the WSUS server settings are used.
No auto update | This element specifies whether automatic updates are enabled or disabled.
Auto update options | This element specifies how updates are downloaded and how the user is notified.
Windows update server | This element specifies the URL of the WSUS server used by Automatic Updates. Check the URL scheme: a WSUS server reached over plain http:// exposes the update channel to on-path tampering, so an https:// URL is the expected value.
Windows update status server | This element specifies the HTTP(S) URL of the server to which reporting information is sent by client computers that use the WSUS server configured by the WUServer key.

WUA Update Searcher

This outlines information obtained through the Search method of the IUpdateSearcher interface, part of Microsoft's Windows Update Agent (WUA) API. This information relates to the current patch level of a Windows system. Search criteria is a mandatory field when submitting a query to agents.

Child Elements | Description
Search criteria* | This entity specifies the search criteria to use when generating a search result. The string must match the custom search language of the Search method of the IUpdateSearcher interface; it consists of criteria that are evaluated to determine which updates to return. The Search method performs a synchronous search for updates using the currently configured search options. For more information about possible search criteria, see the documentation of the Search method of the IUpdateSearcher interface.
Update ID | This entity specifies a string that represents the revision-independent identifier of an update. This information is part of the IUpdateIdentity interface, which is part of the result of the IUpdateSearcher interface's Search method. Note that multiple update identifiers can be associated with a given search criteria, so multiple entities can exist for this item.

Volume

The volume item enumerates various attributes of a particular volume mounted on a machine, including the file system flags returned by GetVolumeInformation(). Note that these flags are specific to certain versions of Windows, so the documentation for the version in question should be consulted.

Child Elements | Description
Root path | A string that contains the root directory of the volume to be described. A trailing backslash is required. For example, you would specify \\MyServer\MyShare as "\\MyServer\MyShare\", or the C drive as "C:\".
File system | The type of file system, for example FAT or NTFS.
Name | The name of the volume.
Drive type | The drive type of the volume.
Volume Maximum Component Length | This element specifies the maximum length, in TCHARs, of a file name component that the file system supports (the lpMaximumComponentLength output of GetVolumeInformation). A file name component is the portion of a file name between backslashes. The value also indicates whether the file system supports long names: a FAT file system that supports long names reports 255 rather than the earlier 8.3 indicator, and NTFS likewise supports long names.
Serial number | The volume serial number.
Case sensitive search | The file system supports case-sensitive file names.
Case preserved names | The file system preserves the case of file names when it places a name on disk.
Unicode on disk | The file system supports Unicode in file names as they appear on disk.
Persistent ACLs | The file system preserves and enforces ACLs. For example, NTFS preserves and enforces ACLs, and FAT does not.
File compression | The file system supports file-based compression.
Volume quota | The file system supports disk quotas.
Supports sparse files | The file system supports sparse files.
Supports reparse points | The file system supports reparse points.
Supports remote storage | The file system supports remote storage.
Is volume compressed? | The specified volume is a compressed volume; for example, a DoubleSpace volume.
Supports object IDs | The file system supports object identifiers.
Supports encryption | The file system supports the Encrypting File System (EFS).
Named streams | The file system supports named streams.
File read-only volumes | The specified volume is read-only.
File sequential write once | The file system supports one-time writes in sequential order.
File supports transactions | The file system supports transaction processing.
File supports hard links | The file system supports hard links.
File supports extended attributes | The file system supports extended attributes.
File supports open by file ID | The file system supports opening files by file ID.
File supports usn journal | The file system supports update sequence number (USN) journals.

Wireless Information

This is used to collect various information about the wireless (WLAN) connection.

Child Elements | Description
WLAN Interface GUID | This element holds a string that represents the GUID of a wireless interface.
WLAN Interface description | This element specifies the wireless interface description.
WLAN Interface state | This element specifies the state of the wireless interface.
WLAN Connection Mode | This element specifies the mode of connection.
WLAN Profile name | This element specifies the profile name associated with the network. If the network does not have a profile, this member is empty. If multiple profiles are associated with the network, there will be multiple entries with the same SSID in the visible network list.
WLAN SSID | This element contains the SSID of the association.
WLAN BSS Network type | This element specifies whether the network is infrastructure or ad hoc.
WLAN MAC address | This element specifies the physical hardware address of the wireless interface.
WLAN Physical network type | This element indicates the physical type of the association.
WLAN Physical index | This element specifies the list of PHY types.
WLAN Signal quality | This element specifies a percentage value that represents the signal quality of the network.
WLAN Receiving rate | This element specifies the receiving rate of the association.
WLAN Transmission rate | This element specifies the transmission rate of the association.
WLAN Security enabled | This element specifies whether security is enabled on the network. A value of TRUE indicates that security is enabled; otherwise it is not.
WLAN 802.11 enabled | This element specifies whether 802.1X authentication is enabled for this connection.
WLAN Authentication algorithm | This element specifies the authentication algorithm currently in use.
WLAN Cipher algorithm | This element specifies the cipher algorithm currently in use.

User

This is used to check information about Windows users. When this collects the users on the system, it includes only local and built-in user accounts, not domain user accounts; domain user accounts can still be looked up individually, however. Also note that the collection of groups of which a user is a member is not recursive: only the groups of which the user is a direct member are collected. For example, if a user is a member of group A, and group A is a member of group B, the only group collected is group A.

Child Elements | Description
Enabled | This element holds a boolean value that specifies whether the particular user account is enabled or not.
Group | A string that represents the name of a particular group. In Windows, group names are case-insensitive, so it is recommended that case-insensitive operations are used for this entity. In a domain environment, groups should be identified in the form "domain\group name". For local groups use "computer name\group name". For built-in accounts on the system, use the group name without a domain. The group element can be included multiple times in a system characteristics item to record that a user is a member of several groups.
Last logon | The date and time of the last logon. This value is stored as the number of seconds elapsed since 00:00:00, January 1, 1970, GMT.
User | This entity holds a string that represents the name of a particular user. In Windows, user names are case-insensitive, so it is recommended that case-insensitive operations are used for this entity. In a domain environment, users should be identified in the form "domain\user name". For local users use "computer name\user name". For built-in accounts on the system, use the user name without a domain.
Domain logon | This element holds a string that represents the name of a particular domain user.
Is elevated? | This element indicates whether the user account has administrative rights.

User SID

This is used to check information about Windows users by SID. When this check collects the user SIDs on the system, it includes only local and built-in user SIDs, not domain user SIDs; domain user SIDs can still be looked up individually, however. Also note that the collection of groups of which a user is a member is not recursive: only the groups of which the user is a direct member are collected. For example, if a user is a member of group A, and group A is a member of group B, the only group collected is group A.

Child Elements | Description
Enabled | This element holds a boolean value that specifies whether the particular user account is enabled or not.
Group SID | A string that represents the SID of a particular group. The Group SID element can be included multiple times in a system characteristics item to record that a user is a member of several groups.
Last Logon | The date and time of the last logon. This value is stored as the number of seconds elapsed since 00:00:00, January 1, 1970, GMT.
Name | This entity indicates the name of the user.
User SID | This entity holds a string that represents the SID of a particular user.
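Both the User and the User SID probes above collect only direct group membership, which is exactly where a privilege review goes wrong: a user who is not listed in a machine's Administrators group can still be an administrator through a nested group. The following added example (not SanerNow code) contrasts the direct membership the probes return with the transitive membership a reviewer actually needs, using case-insensitive name comparison as the tables recommend. The group data is constructed for the example and includes a circular nesting to show that the walk terminates.

```python
from collections import deque
from typing import Dict, List, Set

# Constructed membership data, not taken from any real domain. Each key is a
# group in "domain\group" or "computer\group" form; each value is the set of
# its direct members (users or other groups). CORP\Helpdesk and
# CORP\Workstation Admins deliberately contain each other to exercise the
# cycle guard in effective_groups().
SAMPLE_GROUPS: Dict[str, Set[str]] = {
    "CORP\\Helpdesk": {"CORP\\alice", "CORP\\bob", "CORP\\Workstation Admins"},
    "CORP\\Workstation Admins": {"CORP\\Helpdesk"},
    "WS01\\Administrators": {"WS01\\Administrator", "CORP\\Workstation Admins"},
    "WS01\\Users": {"CORP\\alice", "CORP\\dave"},
}


def _same_name(a: str, b: str) -> bool:
    # Windows user and group names are case-insensitive, so compare with
    # casefold() rather than ==.
    return a.casefold() == b.casefold()


def direct_groups(groups: Dict[str, Set[str]], principal: str) -> List[str]:
    """Groups the principal is a direct member of: what the User and User SID
    probes collect. Sorted so results are stable."""
    return sorted(name for name, members in groups.items()
                  if any(_same_name(principal, m) for m in members))


def effective_groups(groups: Dict[str, Set[str]], principal: str) -> List[str]:
    """Transitive closure over nested groups. The visited set makes circular
    nesting terminate instead of looping forever."""
    seen: Set[str] = set()
    queue = deque(direct_groups(groups, principal))
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        queue.extend(direct_groups(groups, group))
    return sorted(seen)


def is_effective_member(groups: Dict[str, Set[str]], principal: str, target_group: str) -> bool:
    """True when the principal reaches target_group directly or through nesting."""
    return any(_same_name(target_group, g) for g in effective_groups(groups, principal))
```

For CORP\alice the probe-style direct_groups() returns only CORP\Helpdesk and WS01\Users, while effective_groups() also surfaces CORP\Workstation Admins and WS01\Administrators; a check that keys on direct membership alone would report her as a non-administrator on WS01.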

License

This entity is used to check the content of a particular entry in the ProductPolicy value of the Windows registry key HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions. Access to this data is exposed by the NtQueryLicenseValue function (and, in version 6.0 and higher, ZwQueryLicenseValue) in NTDLL.DLL. Name is a mandatory field when submitting to agents.

Child Elements | Description
name* | The name of the license value.
type | This entity gives the type of data that is expected: REG_SZ (0x01) for a string, REG_BINARY (0x03) for binary data, REG_DWORD (0x04) for a DWORD.
value | If the value being checked is of type REG_BINARY, the datatype attribute should be set to 'binary' and the data represented by the value entity should follow the xsd:hexBinary form (each binary octet encoded as two hex digits). If the value being checked is of type REG_DWORD, the datatype attribute should be set to 'int' and the value entity should represent the data as an integer. If the value is of type REG_SZ, the datatype should be 'string' and the value entity should be a copy of the string.

NTUser

This element defines the metadata associated with a user's ntuser.dat registry hive, including the key, name, type and value. Key and name are mandatory fields when submitting to agents.

Child Elements | Description
Account type | The account_type element describes whether the user account is a local account or a domain account.
date_modified | The time of the last modification of the file, represented as a FILETIME structure: a 64-bit value counting 100-nanosecond intervals since January 1, 1601 (UTC).
Days since modified | The number of days since the ntuser.dat file was last modified, rounded up to the next whole integer.
Enabled | The enabled element describes whether the user account is enabled or disabled.
File path | This element describes the file path of the ntuser.dat file.
Key* | This element describes a registry key, normally found in the HKCU hive, to be tested.
Last write time | The last time that the key or any of its value entries was modified, represented as a FILETIME structure (a 64-bit count of 100-nanosecond intervals since January 1, 1601, UTC). Last write time can be queried on a key or on a name. When collecting only information about a registry key, the last write time is the time the key or any of its entries was written to. When collecting only information about a registry name, the last write time is the time that name was written to. See the lpftLastWriteTime parameter of the RegQueryInfoKey function. The data appears in timestamp format, for example 1520409600.
Logged on | The logged_on element describes whether the user account is currently logged on to the computer.
Name* | This element describes the name of a value of the registry key.
SID | This element holds a string that represents the SID of the user.
Username | This entity holds a string that represents the name of a particular user. In Windows, user names are case-insensitive. In a domain environment, users should be identified in the form "domain\user name". For local users use "computer name\user name".
Type | This entity allows a test to be written against the registry type associated with the specified registry value(s).
Value | This entity specifies the data of the registry value.

System Metric

This is used to check the value of a particular Windows system metric. Access to this information is exposed by the GetSystemMetrics function in User32.dll.

Child Elements | Description
Index | The index of the system metric to retrieve, i.e. the nIndex argument passed to GetSystemMetrics.
Value | This entity provides the value of the system metric.

User right

This entity is used to enumerate all of the trustees/SIDs that have been granted a specific user right/privilege.

Child Elements | Description
Trustee name | This entity is the unique name associated with the SID that has been granted the specified user right/privilege. A trustee can be associated with a user, a group, or a program (such as a Windows service). In Windows, trustee names are case-insensitive. In a domain environment, trustee names should be identified in the form "domain\trustee name". For local trustee names use "computer name\trustee name". For built-in accounts on the system, use the trustee name without a domain.
Trustee SID | This entity identifies the SID that has been granted the specified user right/privilege.
User right | This entity holds a string that represents the name of a particular user right/privilege.

Junction

This is used to obtain canonical path information for junctions (reparse points) on Windows file systems. Path is a mandatory field when submitting to agents.

Child Elements | Description
Path* | This specifies the path of the junction.
Canonical path | This specifies the canonical path of the target of the Windows junction given by the path.
Windows view | This indicates which view (32-bit or 64-bit) the associated path applies to.

PE Header

This defines the metadata associated with the header of a PE file. For more information, see the documentation for the IMAGE_FILE_HEADER and IMAGE_OPTIONAL_HEADER structures. File path is a mandatory field when submitting to agents.

Child Elements | Description
Address of entry point | This entity is an unsigned 32-bit integer (DWORD) that specifies the relative virtual address at which the loader begins execution.
Base of code | This entity is an unsigned 32-bit integer (DWORD) that specifies the relative virtual address where the file's code section begins.
Base of data | This entity is an unsigned 32-bit integer (DWORD) that specifies the relative virtual address where the file's data section begins. It is present only in PE32 images; PE32+ (64-bit) images have no BaseOfData field.
Checksum | This entity is an unsigned 32-bit integer (DWORD) that specifies the checksum of the image file.
DLL characteristics | This entity is an unsigned 16-bit integer (WORD) holding the DllCharacteristics flags of the image, for example IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (ASLR opt-in) and IMAGE_DLLCHARACTERISTICS_NX_COMPAT (DEP compatibility).
File path* | This element specifies the absolute path of a PE file on the machine. A directory cannot be specified as a file path.
Header signature | This entity is the signature of the header.
Number of sections | This entity is an unsigned 16-bit integer (WORD) that specifies the number of sections in the file.
Number of symbols | This entity is an unsigned 32-bit integer (DWORD) that specifies the number of symbols in the COFF symbol table.
Pointer to symbol table | This entity is an unsigned 32-bit integer (DWORD) that specifies the file offset of the COFF symbol table.
Target machine type | This entity is an unsigned 16-bit integer (WORD) that specifies the target architecture the file is intended for.
Time date stamp | This entity is an unsigned 32-bit integer (DWORD) that specifies the time at which the linker produced the file, represented as the number of seconds since January 1, 1970, 00:00:00.
Size of optional header | This entity is an unsigned 16-bit integer (WORD) that specifies the size of the optional header in bytes.
Image file aggressive working set trim | This entity is a boolean value that specifies that the working set should be aggressively trimmed.
Image file debug stripped | This entity is a boolean value that specifies that the debugging information is stored separately in a .dbg file.
Image file executable image | This entity is a boolean value that specifies whether the file is executable.
Image file large address aware | This entity is a boolean value that specifies that the application can handle addresses larger than 2 GB.
Image file local symbols stripped | This entity is a boolean value that specifies whether the local symbols are stripped from the file.
Image file line numbers stripped | This entity is a boolean value that specifies whether the line numbers are stripped from the file.
Image file 16bit machine | This entity is a boolean value that specifies that the computer supports 16-bit words.
Image file 32bit machine | This entity is a boolean value that specifies that the computer supports 32-bit words.
Image file bytes reversed low | This entity is a boolean value that specifies that the bytes of the word are reversed (low).
Image file dll | This entity is a boolean value that specifies that the image is a DLL.
Image file relocs stripped | This entity is a boolean value that specifies whether the relocation information is stripped from the file. An image without relocations cannot be rebased, so it gains nothing from the DYNAMIC_BASE flag.
Image file removable run from swap | This entity is a boolean value that specifies that if the image is on removable media, it should be copied to and run from the swap file.
Image file system | This entity is a boolean value that specifies that the image is a system file.
Image file up system only | This entity is a boolean value that specifies that the file should be run only on a uniprocessor computer.
Image file bytes reversed high | This entity is a boolean value that specifies that the bytes of the word are reversed (high).
Magic number | This entity is an unsigned 16-bit integer (WORD) that specifies the state of the image file: 0x10B for a PE32 image, 0x20B for a PE32+ (64-bit) image and 0x107 for a ROM image.
Major linker version | This entity is a BYTE that specifies the major version of the linker that produced the file.
Minor linker version | This entity is a BYTE that specifies the minor version of the linker that produced the file.
Image base address | This entity specifies the preferred address of the first byte of the image when it is loaded into memory: an unsigned 32-bit integer (DWORD) in PE32 images and an unsigned 64-bit integer (ULONGLONG) in PE32+ images.
Section alignment | This entity is an unsigned 32-bit integer (DWORD) that specifies the alignment of the sections when loaded into memory.
File alignment | This entity is an unsigned 32-bit integer (DWORD) that specifies the alignment of the raw data of sections in the image file.
Loader flags | This entity is an unsigned 32-bit integer (DWORD) that specifies the loader flags of the header.
Major operating system version | This entity is an unsigned 16-bit integer (WORD) that specifies the major version of the operating system required to use this executable.
Minor operating system version | This entity is an unsigned 16-bit integer (WORD) that specifies the minor version of the operating system required to use this executable.
Major image version | This entity is an unsigned 16-bit integer (WORD) that specifies the major version number of the image.
Minor image version | This entity is an unsigned 16-bit integer (WORD) that specifies the minor version number of the image.
Major subsystem version | This entity is an unsigned 16-bit integer (WORD) that specifies the major version of the subsystem required to run the executable.
Minor subsystem version | This entity is an unsigned 16-bit integer (WORD) that specifies the minor version of the subsystem required to run the executable.
Number of RVA and sizes | This entity is an unsigned 32-bit integer (DWORD) that specifies the number of data directory entries in the remainder of the optional header.
Real number of directory entries | This entity is the actual number of data directory entries in the remainder of the optional header, calculated by enumerating the directory entries.
Size of code | This entity is an unsigned 32-bit integer (DWORD) that specifies the total size of all code sections, in bytes.
Size of headers | This entity is an unsigned 32-bit integer (DWORD) that specifies the combined size of the MS-DOS stub, the PE header and the section headers, in bytes.
Size of heap reserve | This entity specifies the number of bytes to reserve for the local heap (DWORD in PE32 images, ULONGLONG in PE32+ images).
Size of heap commit | This entity specifies the number of bytes to commit for the local heap (DWORD in PE32 images, ULONGLONG in PE32+ images).
Size of image | This entity is an unsigned 32-bit integer (DWORD) that specifies the total size of the image, including all headers, in bytes.
Size of initialized data | This entity is an unsigned 32-bit integer (DWORD) that specifies the total size of all sections composed of initialized data, in bytes.
Size of stack commit | This entity specifies the number of bytes to commit for the stack (DWORD in PE32 images, ULONGLONG in PE32+ images).
Size of stack reserve | This entity specifies the number of bytes to reserve for the stack (DWORD in PE32 images, ULONGLONG in PE32+ images).
Size of uninitialized data | This entity is an unsigned 32-bit integer (DWORD) that specifies the total size of all sections composed of uninitialized data, in bytes.
Subsystem | This entity is an unsigned 16-bit integer (WORD) that specifies the type of subsystem the executable uses for its user interface.
Windows view | The Windows view to which this was targeted, used to indicate which view (32-bit or 64-bit) the associated state applies to.
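The following is an added worked example of reading the two structures named above from a PE image; it is not SanerNow agent code. It parses IMAGE_FILE_HEADER and the fixed part of IMAGE_OPTIONAL_HEADER with the standard library, switches on the magic number between the PE32 and PE32+ layouts (the BaseOfData field and the 64-bit widths differ between them), and decodes the flags a hardening review looks at: DLL versus executable, relocations stripped, ASLR opt-in, high-entropy ASLR, DEP compatibility and Control Flow Guard. The flag values and layouts are the ones defined in winnt.h and the PE/COFF specification; the sample images are synthetic header-only buffers built by build_sample_pe(), not real binaries.

```python
import struct

# IMAGE_FILE_HEADER.Characteristics bits (winnt.h)
IMAGE_FILE_RELOCS_STRIPPED = 0x0001
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_LARGE_ADDRESS_AWARE = 0x0020
IMAGE_FILE_DLL = 0x2000
# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits (winnt.h)
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100
IMAGE_DLLCHARACTERISTICS_GUARD_CF = 0x4000
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
IMAGE_FILE_MACHINE_I386, IMAGE_FILE_MACHINE_AMD64 = 0x14C, 0x8664

FILE_HEADER_FMT = "<HHIIIHH"  # IMAGE_FILE_HEADER, 20 bytes, little-endian
FILE_HEADER_NAMES = ("Machine", "NumberOfSections", "TimeDateStamp", "PointerToSymbolTable",
                     "NumberOfSymbols", "SizeOfOptionalHeader", "Characteristics")
_HEAD = ("Magic", "MajorLinkerVersion", "MinorLinkerVersion", "SizeOfCode",
         "SizeOfInitializedData", "SizeOfUninitializedData", "AddressOfEntryPoint", "BaseOfCode")
_TAIL = ("SectionAlignment", "FileAlignment", "MajorOperatingSystemVersion",
         "MinorOperatingSystemVersion", "MajorImageVersion", "MinorImageVersion",
         "MajorSubsystemVersion", "MinorSubsystemVersion", "Win32VersionValue", "SizeOfImage",
         "SizeOfHeaders", "CheckSum", "Subsystem", "DllCharacteristics", "SizeOfStackReserve",
         "SizeOfStackCommit", "SizeOfHeapReserve", "SizeOfHeapCommit", "LoaderFlags",
         "NumberOfRvaAndSizes")
# PE32 carries a BaseOfData field and 32-bit ImageBase/stack/heap sizes;
# PE32+ drops BaseOfData and widens those fields to 64 bits (Q).
LAYOUT = {
    PE32_MAGIC: ("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII", _HEAD + ("BaseOfData", "ImageBase") + _TAIL),
    PE32PLUS_MAGIC: ("<HBBIIIIIQIIHHHHHHIIIIHHQQQQII", _HEAD + ("ImageBase",) + _TAIL),
}


def parse_pe_header(data: bytes) -> dict:
    """Return IMAGE_FILE_HEADER and the fixed part of IMAGE_OPTIONAL_HEADER as dicts."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # file offset of the PE signature
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    offset = e_lfanew + 4
    file_header = dict(zip(FILE_HEADER_NAMES, struct.unpack_from(FILE_HEADER_FMT, data, offset)))
    offset += struct.calcsize(FILE_HEADER_FMT)
    (magic,) = struct.unpack_from("<H", data, offset)
    if magic not in LAYOUT:
        raise ValueError(f"unsupported optional header magic 0x{magic:x}")
    fmt, names = LAYOUT[magic]
    if file_header["SizeOfOptionalHeader"] < struct.calcsize(fmt):
        raise ValueError("SizeOfOptionalHeader is smaller than the fixed optional header")
    optional = dict(zip(names, struct.unpack_from(fmt, data, offset)))
    return {"file_header": file_header, "optional_header": optional}


def image_flags(header: dict) -> dict:
    """Decode the characteristics a hardening review looks at."""
    ch = header["file_header"]["Characteristics"]
    dc = header["optional_header"]["DllCharacteristics"]
    relocs_stripped = bool(ch & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "is_dll": bool(ch & IMAGE_FILE_DLL),
        "executable_image": bool(ch & IMAGE_FILE_EXECUTABLE_IMAGE),
        "large_address_aware": bool(ch & IMAGE_FILE_LARGE_ADDRESS_AWARE),
        "relocs_stripped": relocs_stripped,
        # DYNAMIC_BASE opts in to ASLR, but an image whose relocations were
        # stripped cannot be rebased, so that combination yields no ASLR.
        "aslr": bool(dc & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) and not relocs_stripped,
        "high_entropy_va": bool(dc & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "nx_compat": bool(dc & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "control_flow_guard": bool(dc & IMAGE_DLLCHARACTERISTICS_GUARD_CF),
    }


def build_sample_pe(pe32plus: bool, characteristics: int, dll_characteristics: int) -> bytes:
    """Construct a synthetic, header-only PE image as test input (DOS header,
    PE signature, file header and optional header; no sections, no code)."""
    magic = PE32PLUS_MAGIC if pe32plus else PE32_MAGIC
    fmt, names = LAYOUT[magic]
    values = dict.fromkeys(names, 0)
    values.update(Magic=magic, MajorLinkerVersion=14, SizeOfCode=0x1000, SizeOfInitializedData=0x2000,
                  AddressOfEntryPoint=0x1234, BaseOfCode=0x1000, SectionAlignment=0x1000,
                  FileAlignment=0x200, MajorOperatingSystemVersion=6, MajorSubsystemVersion=6,
                  SizeOfImage=0x5000, SizeOfHeaders=0x400, Subsystem=2,
                  DllCharacteristics=dll_characteristics, SizeOfStackReserve=0x100000,
                  SizeOfStackCommit=0x1000, SizeOfHeapReserve=0x100000, SizeOfHeapCommit=0x1000,
                  NumberOfRvaAndSizes=16, ImageBase=0x140000000 if pe32plus else 0x400000)
    if not pe32plus:
        values["BaseOfData"] = 0x2000
    optional = struct.pack(fmt, *(values[n] for n in names))
    machine = IMAGE_FILE_MACHINE_AMD64 if pe32plus else IMAGE_FILE_MACHINE_I386
    file_header = struct.pack(FILE_HEADER_FMT, machine, 2, 1700000000, 0, 0,
                              len(optional), characteristics)
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    return dos_header + b"PE\0\0" + file_header + optional
```

To run it against a real file, pass the bytes of the file to parse_pe_header() instead of the synthetic buffer; the parser only reads the fixed header fields, so the data directories that follow NumberOfRvaAndSizes are not interpreted.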

User Account Control (UAC)

This element specifies the different settings that are available under User Account Control. A UAC test references a specific instance of this state that defines the exact settings to be evaluated.

Child Elements | Description
Admin approval mode | Admin Approval Mode for the built-in Administrator account.
Detect installations | Detect application installations and prompt for elevation.
Elevation prompt admin | Behavior of the elevation prompt for administrators in Admin Approval Mode.
Elevation prompt standard | Behavior of the elevation prompt for standard users.
Elevate signed executables | Only elevate executables that are signed and validated.
Elevate UI access | Only elevate UIAccess applications that are installed in secure locations.
Run admins AAM | Run all administrators in Admin Approval Mode.
Secure desktop | Switch to the secure desktop when prompting for elevation.
Virtualize write failures | Virtualize file and registry write failures to per-user locations.

XML File Content

This element is used by an XML file content test to define the specific piece of an XML file (or files) to be evaluated. It collects only regular files on UNIX systems and FILE_TYPE_DISK files on Windows systems. The set of files to be evaluated is identified by a complete file path. File path and XPath are mandatory fields when submitting to agents.

Child Elements | Description
File path* | This element specifies the absolute path of a file on the machine. A directory cannot be specified as a file path.
XPath* | Specifies an XPath 1.0 expression to evaluate against the XML file given by the File path entity. The expression must evaluate to a list of zero or more text values, which are accessible in OVAL through instances of the value_of entity. Any result other than a list of text strings (for example a node set) is considered an error. The intention is that the text values be drawn from instances of a single, uniquely named element or attribute; an OVAL interpreter is not required to verify this, however, so the author should define the XPath expression carefully. Note that "equals" is the only valid operator for the xpath entity.
Value of | This element checks the value(s) of the text node(s) or attribute(s) found.
Windows view | The Windows view to which this was targeted, used to indicate which view (32-bit or 64-bit) the associated state applies to. This entity applies only to 64-bit Microsoft Windows operating systems.

Software Licenses

This is used to collect information about software licenses. It includes the software name and license information.

Child Elements | Description
Software family | This element specifies the family of the software application.
Software name | This element specifies the name of the software application.
Software license | This element specifies the license serial number of the software application.
Software version | This element specifies the version of the software application.

Partition

This is used to check the information associated with partitions on the local system.

Child Elements | Description
Disk name | This element represents the drive letter or disk name.
Disk description | This element specifies the description associated with the disk.
Disk type | This element specifies the type of disk, for example Local Disk.
Volume name | This element specifies the name associated with the volume.
Space left | This element contains an integer that represents the free space on the partition, in bytes.
Space used | This element contains an integer that represents the used space on the partition, in bytes.
Total space | This element contains an integer that represents the total size of the partition, in bytes.

Missing Patches

This is used to investigate missing patches and security fixes on a computer system.

Child Elements | Description
Patch description | This element describes the patch.
Patch ID | A unique identification number associated with the patch.
Patch name | This element specifies the patch name.
Patch rollback available | This element specifies whether rollback is possible for this patch. Possible values are TRUE or FALSE. An empty value appears if it cannot be determined.
Patch severity | This element specifies the severity of the patch. Possible values: Important, Critical, etc. An empty value appears if it cannot be determined.
Patch size | This element specifies the size of the patch, in bytes. The value UNKNOWN appears if the patch size cannot be determined.
Reboot required | This element specifies whether a reboot is required after patch installation. Possible values are TRUE or FALSE.
Platform CPE | This element specifies the platform CPE ID associated with the patch.
Product CPE | This element specifies the product CPE ID associated with the patch. Note: this value is empty when the patch is associated with an operating system.

Linux Probes

ARP Cache

This is used to collect information from the Address Resolution Protocol (ARP) cache table: the host IP address, MAC address and interface name of each entry.

Child Elements | Description
Host IP | This element specifies the host IP address.
Network Interfaces | This element specifies the device interface.
MAC address | This element specifies the physical hardware address of the adapter for the network interface associated with this IP address.
Permanent | This element specifies whether the ARP entry is permanent (static) or not.

BIOS Information

This is used to collect information about the BIOS (basic input/output system). It includes the BIOS name, version, manufacturer, serial number, SMBIOS version, and BIOS status.

Child Elements: Description
BIOS Manufacture: This element specifies the manufacturer of this software element. This value comes from the Vendor field of the BIOS Information structure in the SMBIOS information.
BIOS Name: This element is used to identify the software element.
BIOS Serial Number: This element specifies the serial number of the software element.
System Management BIOS Version: This element specifies the BIOS version as reported by SMBIOS. This value comes from the Version field of the BIOS Information structure in the SMBIOS information.
BIOS Status: This element specifies the current status of the BIOS. Various operational and non-operational statuses can be defined.
BIOS Version: This element specifies the version of the BIOS. This string is created by the BIOS manufacturer.

Anti-virus information

This is used to collect information about installed antivirus applications.

Child Elements: Description
Antivirus name: This element specifies the display name of an installed antivirus product.
Antivirus evr: This represents the epoch, version, and release fields as a single version string. It has the form "EPOCH:VERSION-RELEASE".
Antivirus epoch: Restriction of oval-def:EntityStateAnySimpleType. See schema for details.
Antivirus release: Restriction of oval-def:EntityStateAnySimpleType. See schema for details.
Antivirus version: This element specifies the version of an installed antivirus product.

Computer Information

This is used to collect information about the computer system. It includes the CPU, RAM, ROM, swap memory, virtual memory, disk, operating system, cache size, host name, model name, serial number, etc.

Child Elements: Description
Address Sizes: This element specifies the CPU address size information.
Buffers: This element specifies the amount of RAM, in kilobytes, used for file buffers.
Cache size: This element specifies the size of the total processor cache (in bytes). A cache is an external memory area that has a faster access time than the main RAM memory.
CPU: This element specifies the name of the processor.
CPU Speed: This element specifies the speed of the processor in megahertz.
CPU Architecture: This element specifies the processor architecture used by the platform.
CPU cores: This element specifies the number of cores.
CPU family: This element authoritatively identifies the type of processor in the system.
CPU usage: This element specifies CPU usage as a percentage.
Disk model: This element specifies the disk model name – a one-line string.
Disk name: This element specifies the short description of the disk drive – a one-line string.
Disk removable device: This element specifies whether the disk is removable.
Disk size: This element specifies the total size of the disk drive (in bytes).
Free RAM: This element specifies the system free memory size in bytes.
Host name: This element specifies the label that is assigned to a computer.
Model name: This element specifies the CPU model information.
Network total bytes received: This element represents the number of bytes received.
Network total bytes transmitted: This element represents the number of bytes transmitted.
Network total bytes (received/transmitted): This element represents the total number of bytes received and transmitted.
Operating system architecture: This element specifies the architecture of the operating system.
Operating system name: This element specifies the name of the operating system.
Operating system release: This element specifies the release version of the operating system.
Operating system version: This element specifies the version of the operating system.
RAM used: This element specifies the used system memory size in bytes.
Total RAM: This element specifies the system total memory size in bytes.
ROM model: This element specifies the ROM model name – a one-line string.
ROM name: This element specifies the short description of the ROM – a one-line string.
ROM removable device: This element specifies whether the ROM is removable.
ROM size: This element specifies the size of the ROM.
Serial number: This element specifies the BIOS serial number.
Shared memory: This element specifies the system shared memory size in bytes.
Free swap size: This element specifies the system free swap size in bytes.
Total swap size: This element specifies the system total swap size in bytes.
System name: This element specifies the system name.
System product name: This element specifies the system hardware name.
System time synchronization status: This element specifies whether the system time is synchronised with a server using the Network Time Protocol (NTP). The value is either true or false.
System uptime: This element specifies the time elapsed since the system was started.
Timezone name: This element specifies the timezone, such as Asia/Kolkata.
Total virtual memory allocated: This element specifies the system total virtual memory size in bytes.

Cron

This is used to collect various information about cron jobs. It includes user name, scheduled job and command.

Child Elements: Description
Scheduled: This element specifies the scheduled time for a particular cron job.
Scheduled command: This element indicates the command to be executed at the scheduled time.
User name: This element specifies the username for which the cron job is scheduled.

Device information

This is used to collect information about installed devices on the system. It includes device name, driver, subsystem, device path, class and subclass.

Child Elements: Description
Device class: This element describes the type of device.
Device driver: This element specifies the driver used by the device.
Device manufacture: This element specifies the manufacturer of the device.
Device name: This element specifies the device name.
Device path: This element specifies the logical path within the device node.
Device subclass: This element specifies the device subclass within its class.
Device subsystem: This element specifies the subsystem of the device.

DPKG Information

This is used to check information about a DPKG package.

Child Elements: Description
Architecture: This is the architecture for which the package was built, such as i386, ppc, sparc or noarch.
Epoch: Restriction of oval-def:EntityStateAnySimpleType. See schema for details.
EVR: This represents the epoch, version, and release fields as a single version string. It has the form "EPOCH:VERSION-RELEASE".
Name: This is the DPKG package name to check.
Release: Restriction of oval-def:EntityStateAnySimpleType. See schema for details.
Version: Restriction of oval-def:EntityStateAnySimpleType. See schema for details.

Environment Variables

This is used to collect system environment variable information. It includes environment variable name, value and process id.

Child Elements: Description
Name: This element specifies the name of the environment variable.
Process ID (PID): This element specifies the PID of the process.
Value: This element specifies the value of the environment variable.

Hosts File(/etc/hosts)

This is used to collect information about hosts from /etc/hosts. It includes the host IP address and host name.

Child Elements: Description
Host IP: This element specifies the host IP address.
Host name: This element specifies the label that is assigned to a computer.

Protocols File(/etc/protocols)

This is used to collect information about protocols from /etc/protocols. It includes the protocol name, protocol number and protocol aliases.

Child Elements: Description
Protocol aliases: This element specifies the aliases for the protocol.
Protocol name: This element specifies the native name for the protocol.
Protocol number: This element specifies the official number for the protocol.

Services File(/etc/services)

This is used to collect information about services from /etc/services. It includes the service name, service port, service protocol and service aliases.

Child Elements: Description
Service aliases: This element specifies alternative names for the same service.
Service name: This element specifies the service name.
Service port: This element specifies the port the service is offered on.
Service protocol: This element specifies which transport protocol is used.

Family of Operating System

This is used to collect the operating system family. The standard values are windows, unix and macos (Mac OS).

Child Elements: Description
family of operating system: This element specifies the operating system family.

File

This is used to check metadata associated with files. File path is mandatory for this query while submitting to agents.

Child Elements: Description
Access time: This element specifies the access time of a file.
Creation time: This element specifies the creation time of a file (in timestamp format).
File md5 sum: This element specifies the MD5 sum of a file.
File name: This element specifies the name of the file on the machine.
File path*: This element specifies the location of the file.
Group execute: This element specifies the group execute permission of a file.
Group read: This element specifies the group read permission of a file.
Group ID: This element specifies the group ID for a file.
Group write: This element specifies the group write permission of a file.
Has extended ACL: This element specifies whether an extended access control list exists for a file.
Modified time: This element specifies the modified time of a file.
Others execute: This element specifies the execute permission of a file for other users.
Others read: This element specifies the read permission of a file for other users.
Others write: This element specifies the write permission of a file for other users.
Set group User ID: This element specifies the set-group-ID (sgid) permission of a file.
Size: This element specifies the size of a file (in bytes).
Sticky bit: This element specifies the sticky bit of a file.
Owner User ID: This element specifies the owner's user ID.
Type: This element specifies the type of the file.
User execute: This element specifies the user execute permission.
User read: This element specifies the user read permission.
User ID: This element specifies the user ID of a file.
User write: This element specifies the user write permission of a file.

Group

This is used to collect various information about the groups. It includes group name and group id.

Child Elements: Description
Group: This element specifies the group name.
Group ID: This element specifies the group ID.

Interface Listeners

This is used to check which applications, such as packet sniffers, are bound to an interface on the system. This is limited to applications that are listening on AF_PACKET sockets. Furthermore, only applications bound to an Ethernet interface should be collected.

Child Elements: Description
Hardware address: This is the hardware address associated with the interface.
Interface name: This is the name of the interface (eth0, eth1, fw0, etc.).
Process ID (PID): The PID is the process ID of a specific process.
Program name: This is the name of the communicating program.
Protocol: This is the physical layer protocol used by the AF_PACKET socket.
User ID: The numeric user ID, or UID, is the third column of each user's entry in /etc/passwd. It represents the owner, and thus the privilege level, of the specified program.

Inet-Listening Servers (Deprecated)

This is used to collect information about listening ports. It includes the protocol name, local IP address, local port, program name, foreign address, foreign port, process ID and user ID.

Child Elements: Description
Foreign address: This element specifies the foreign IP address that is connected to the listening server.
Foreign full address: This element specifies the foreign IP address, including the port, that is connected to the listening server.
Foreign port: This element specifies the foreign port that is connected to the listening server.
Local address: This element specifies the local IP address on which the server is listening.
Local full address: This element specifies the full local IP address, including the port, on which the server is listening.
Local port: This element specifies the local port on which the server is listening.
Process ID (PID): This element specifies the PID of the listening server program.
Program name: This element specifies the name of the listening server program.
Protocol: This element specifies the name of the protocol used by the listening server.
User ID: This element specifies the user ID under which the listening server program runs.

Installed Applications

This is used to collect information about installed applications on the system. It includes application name, version, release, architecture, epoch value.

Child Elements: Description
Application architecture: This element specifies the architecture for which the package was built, such as i386, ppc, sparc or noarch.
Application name: This element specifies the installed package name.
Application release: This element specifies the release number of the build, changed by the vendor/builder.
Application version: This element specifies the version number of the build.
Application epoch: This element specifies the epoch value. Example: 0, 1, (none).
Application EVR: This element specifies the EVR (Epoch-Version-Release string). Example: 0:3.13.0-73.116
Application last use: This element specifies the date an application was last used.
Application publisher: This element specifies the application publisher information.

Network Interfaces

The interface test enumerates various attributes of the interfaces on a system.

Child Elements: Description
Broadcast address: This element specifies the broadcast address. A broadcast address is typically the IP address with the host portion set to either all zeros or all ones. Note that the IP address can be IPv4 or IPv6.
Flag: The flag entity represents the interface flag line, which generally contains flags like "UP" to denote an active interface, "PROMISC" to note that the interface is listening for Ethernet frames not specifically addressed to it, and others. This element can be included multiple times in a system characteristics item in order to record a multitude of flags. Note that the entity_check attribute associated with EntityStateStringType guides the evaluation of entities like this that refer to items that can occur an unbounded number of times.
Hardware Address: The Hardware Address entity is the hardware or MAC address of the physical network card. MAC addresses should be formatted according to the IEEE 802-2001 standard, which states that a MAC address is a sequence of six octet values, separated by hyphens, where each octet is represented by two hexadecimal digits. Uppercase letters should be used to represent the hexadecimal digits A through F.
IP address of an interface: This element specifies the IP address. Note that the IP address can be IPv4 or IPv6. If the IP address is an IPv6 address, this entity will be expressed as an IPv6 address prefix using CIDR notation and the netmask entity will not be collected.
Name: This element specifies the name of an interface.
Netmask: This element specifies the subnet mask for the IP address. Note that if the IP address of an interface entity contains an IPv6 address prefix, this entity will not be collected.
Type: This element specifies the type of interface, which is limited to a certain set of values.

IP forwarding status

This is used to collect information about the IP forward settings. It includes IP forwarding status which can be either enabled or disabled.

Child Elements: Description
IP forwarding status: This element specifies whether IP forwarding is enabled or disabled.

IP tables rules

This is used to collect information about IP tables rules. It includes the chain type, the number of packets matched by a rule, their aggregate size, the action to be taken when a rule matches (ACCEPT, DROP), packet flow direction, source IP address, destination IP address, rule description, etc.

Child Elements: Description
Bytes: This element specifies the aggregate size, in bytes, of the packets that matched the rule.
Chain type: This element specifies the IP tables chain name.
Destination: This element specifies the destination IP address or subnet of the traffic.
In: This element specifies the interface name through which the packet flows in.
Option: This element indicates IP options (rarely used).
Out: This element specifies the interface name through which the packet flows out.
Packets: This element specifies the number of packets that matched the rule.
Protocol: This element specifies the protocol name for the rule.
Rule description: This element specifies the short description of the rule.
Source: This element specifies the source IP address or subnet of the traffic.
Target: This element specifies what should be done when a packet matches the rule, e.g. ACCEPT, DROP, etc.

Kernel Information

This is used to collect information about the loaded kernel. It includes the kernel version, the kernel image path, the device or volume the kernel resides on, and the kernel arguments.

Child Elements: Description
Arguments: This element indicates the loaded kernel's arguments.
Device: This element indicates the device or volume on which the kernel is located.
Kernel image path: This element specifies the kernel image path.
Kernel version: This element indicates the loaded kernel's version.

Kernel Modules

This is used to collect information about modules loaded into the kernel. It includes the kernel module name, the modules that depend on it, and the module status.

Child Elements: Description
Kernel module name: This element specifies the module name.
Kernel module status: This element specifies the load state the module is in, e.g. Live, Loading, etc.
Kernel module used-by: This element specifies the names of the modules that depend on this module in order to function.

Logged-in Users

This is used to collect information about logged-in users. It includes the user name, tty device, remote login host name, the time the entry was made, process ID and record type.

Child Elements: Description
Host: This element indicates the hostname for a remote login, or the kernel version for run-level messages.
Process ID (PID): This element indicates the PID of the login process.
Time: This element indicates the time when the entry was made.
tty: This element indicates the device name of the tty.
Type: This element indicates the type of record.
User name: This element indicates the logged-in user name.

Mount points

This is used to collect various information about mounted partitions. It includes disk filesystem name, file system type, disk size, disk space used, available disk space, disk use in terms of percentage and disk mounted path.

Child Elements: Description
Disk file-system name: This element indicates the filesystem name.
Disk mounted on: This element indicates the disk mount path.
Disk size: This element indicates the total disk partition size (in bytes).
Disk space available: This element indicates the available disk space (in bytes).
Disk space used: This element indicates the used disk space (in bytes).
Disk use percentage: This element indicates the used disk space as a percentage.

Partitions

This is used to check the information associated with partitions on the local system.

Child Elements: Description
Device: This element contains a string that represents the name of the device.
FS type: This element contains a string that represents the type of filesystem on a partition.
Mount options: This element contains a string that represents the mount options associated with a partition.
Mount point: This element contains a string that represents the mount point of a partition on the local system.
Space left: This element contains an integer that represents the number of blocks left on a partition.
Space used: This element contains an integer that represents the number of blocks used on a partition.
Total space: This element contains an integer that represents the total number of blocks on a partition.
UUID: This element contains a string that represents the universally unique identifier associated with a partition.

Password/User Information

This is used to collect various information about system users. It includes user name, password, user id, group id, user information, user home directory path and login shell.

Child Elements: Description
GCOS (comment field): This element indicates user information. Usually, it contains the full username. Some programs (for example, finger(1)) display information from this field. GECOS stands for "General Electric Comprehensive Operating System", which was renamed to GCOS when GE's large systems division was sold to Honeywell. Dennis Ritchie has reported: "Sometimes we sent printer output or batch jobs to the GCOS machine. The gcos field in the password file was a place to stash the information for the $IDENT card. Not elegant."
Group ID: This element indicates the group ID of a particular group.
Home directory: This element specifies the path to the home directory of a particular user.
Login shell: This element specifies the login shell of a particular user.
Password: This element indicates the local user password.
User ID: This element indicates the user ID of a particular user.
User name: This element indicates the local user name.

Port/Network Connection

Information about open ports and network connections.

Child Elements: Description
Local address: This element specifies the local IP address the listening port is bound to. Note that the IP address can be IPv4 or IPv6.
Local port: This element specifies the number assigned to the local listening port.
Protocol: This element specifies the type of listening port. It is restricted to either TCP or UDP.
Process ID (PID): The ID given to the process that is associated with the specified listening port.
Foreign address: This is the IP address with which the program is communicating, or with which it will communicate, in the case of a listening server. Note that the IP address can be IPv4 or IPv6.
Foreign port: This is the TCP or UDP port to which the program communicates.
Process name: This element specifies the name of a listening server program.
Port state: This element indicates the port state.

Process

Information about running processes.

Child Elements: Description
Command line: This is the string used to start the process. It includes any parameters that are part of the command line.
Exec shield: This element specifies the Exec Shield status.
Execution time: This is the cumulative CPU time, formatted as [DD-]HH:MM:SS, where DD is the number of days when the execution time is 24 hours or more.
Login UID: The loginuid shows which account a user gained access to the system with. /proc/XXXX/loginuid shows this value.
Process ID (PID): This is the process ID of the process.
Posix capability: An effective capability associated with the process. See linux/include/linux/capability.h for more information.
Parent process ID: This is the process ID of the process's parent process.
Priority: This is the scheduling priority with which the process runs. This can be adjusted with the nice command or the nice() system call.
Process name: This is the name of the process.
Real UID: This element specifies the real UID.
SE Linux domain label: An SELinux domain label associated with the process.
Session ID: The session ID of the process.
Start time: This is the time of day the process started, formatted as HH:MM:SS if the process started the same day, or as MMM_DD (e.g. Feb_5) if the process started the previous day or earlier.
tty: This is the TTY on which the process was started, if applicable.
User ID: This is the effective user ID, which represents the actual privileges of the process.

RPC Map Information

This is used to collect various information about rpm program from /etc/rpc. It includes remote procedure call(RPC) program name, program number and program aliases.

Child Elements: Description
RPC aliases: This element specifies the aliases for the RPC program.
RPC program name: This element specifies the native name for the RPC program.
RPC program number: This element specifies the official number for the RPC program.

RPC Network Connections

This is used to collect information about RPC connections using rpcinfo. It includes the remote procedure call (RPC) program name, program ID, program version, transport protocol used, IP address and program owner.

Child Elements: Description
Address: This element specifies the IP address of the RPC program.
Network ID: This element specifies which transport protocol is used.
Owner: This element specifies the owner of the RPC program.
RPC program ID: This element specifies the RPC program ID.
RPC program name: This element specifies the RPC program name.
RPC program version: This element specifies the RPC program version.

RPM Information

This is used to check the RPM header information for a given RPM package.

Child Elements: Description
Architecture: This is the architecture for which the RPM was built, such as i386, ppc, sparc or noarch. In the case of an apache rpm named httpd-2.0.40-21.11.4.i686.rpm, this value would be i686.
Epoch: This is the epoch number of the RPM. It is used as a kludge for version-release comparisons where the vendor has done some kind of re-numbering or version forking. For a null epoch (or '(none)' as returned by rpm) the string '(none)' should be used. This number is not revealed by a normal query of the RPM's information; you must use a formatted rpm query command to gather it from the command line. For an already-installed RPM: rpm -q --qf '%{EPOCH}\n' installed_rpm. For an RPM file that has not been installed: rpm -qp --qf '%{EPOCH}\n' rpm_file.
EVR: This represents the epoch, version, and release fields as a single version string. It has the form "EPOCH:VERSION-RELEASE". Note that a null epoch (or '(none)' as returned by rpm) is equivalent to '0' and would hence have the form 0:VERSION-RELEASE. Comparisons involving this datatype should follow the algorithm of librpm's rpmvercmp() function.
Extended name: This represents the name, epoch, version, release, and architecture fields as a single version string. It has the form "NAME-EPOCH:VERSION-RELEASE.ARCHITECTURE". Note that a null epoch (or '(none)' as returned by rpm) is equivalent to '0' and would hence have the form NAME-0:VERSION-RELEASE.ARCHITECTURE.
Name: This is the package name to check.
Release: This is the release number of the build, changed by the vendor/builder.
Signature key ID: This field contains the 64-bit PGP key ID that the RPM issuer (generally the original operating system vendor) uses to sign the package. Note that the value should NOT contain a hyphen to separate the higher 32 bits from the lower 32 bits. It should simply be a 16-character hex string. PGP is used to verify the authenticity and integrity of the RPM being considered. Software packages and patches are signed cryptographically to allow administrators to allay concerns that the distribution mechanism has been compromised, whether that mechanism is a web site, an FTP server, or even a mirror controlled by a hostile party. OVAL uses this field most of all to confirm that the package installed on the system is the one shipped by the vendor, since comparing package version numbers against patch announcements is only programmatically valid if the installed package is known to contain the patched code.
Version: This is the version number of the build. In the case of an apache rpm named httpd-2.0.40-21.11.4.i686.rpm, this value would be 21.11.4.

RPM file verify

This is used to verify the integrity of the individual files in installed RPMs. File path is mandatory for this query while submitting to agents.

Child Elements: Description
File path*: This element specifies the absolute path for a file or directory in the specified package.
Architecture: This is the architecture for which the RPM was built, such as i386, ppc, sparc or noarch. In the case of an apache rpm named httpd-2.0.40-21.11.4.i686.rpm, this value would be i686.
Capabilities differ: The capabilities_differ entity aligns with the ninth character ('P' flag) in the character string in the output generated by running rpm -V on a specific file.
Configuration file: The configuration_file entity represents the configuration file attribute marker that may be present on a file.
Device differs: The device_differs entity aligns with the fourth character ('D' flag) in the character string in the output generated by running rpm -V on a specific file.
Documentation file: The documentation_file entity represents the documentation file attribute marker that may be present on a file.
Epoch: This is the epoch number of the RPM. It is used as a kludge for version-release comparisons where the vendor has done some kind of re-numbering or version forking. For a null epoch (or '(none)' as returned by rpm) the string '(none)' should be used. This number is not revealed by a normal query of the RPM's information; you must use a formatted rpm query command to gather it from the command line. For an already-installed RPM: rpm -q --qf '%{EPOCH}\n' installed_rpm. For an RPM file that has not been installed: rpm -qp --qf '%{EPOCH}\n' rpm_file.
Extended name: This represents the name, epoch, version, release, and architecture fields as a single version string. It has the form "NAME-EPOCH:VERSION-RELEASE.ARCHITECTURE". Note that a null epoch (or '(none)' as returned by rpm) is equivalent to '0' and would hence have the form NAME-0:VERSION-RELEASE.ARCHITECTURE.
Ghost file: The ghost_file entity represents the ghost file attribute marker that may be present on a file.
Group differs: The group_differs entity aligns with the seventh character ('G' flag) in the character string in the output generated by running rpm -V on a specific file.
License file: The license_file entity represents the license file attribute marker that may be present on a file.
Link mismatch: The link_mismatch entity aligns with the fifth character ('L' flag) in the character string in the output generated by running rpm -V on a specific file.
MD5 differs: This entity aligns with the third character ('5' flag) in the character string in the output generated by running rpm -V on a specific file.
Mode differs: This entity aligns with the second character ('M' flag) in the character string in the output generated by running rpm -V on a specific file.
Modified time differs: This entity aligns with the eighth character ('T' flag) in the character string in the output generated by running rpm -V on a specific file.
Name: This is the package name to check.
Ownership differs: The ownership_differs entity aligns with the sixth character ('U' flag) in the character string in the output generated by running rpm -V on a specific file.
ReadMe file: The readme_file entity represents the readme file attribute marker that may be present on a file.
Release: This is the release number of the build, changed by the vendor/builder.
Size differs: The size_differs entity aligns with the first character ('S' flag) in the character string in the output generated by running rpm -V on a specific file.
Version: This is the version number of the build. In the case of an apache rpm named httpd-2.0.40-21.11.4.i686.rpm, this value would be 21.11.4.
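The table above fixes each "differs" element to one position of the nine-character rpm -V status string and each "file" element to the single-letter attribute marker. As an added example (not SanerNow or rpm code), here is a Python parser that maps rpm -V output lines onto those elements; the sample output and the files_of_concern() triage rule are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Nine-character status string of rpm -V, position by position, mapped to the
# element names in the table above ('.' = test passed, '?' = test not run).
VERIFY_FLAGS = (
    ("S", "size_differs"),
    ("M", "mode_differs"),
    ("5", "md5_differs"),
    ("D", "device_differs"),
    ("L", "link_mismatch"),
    ("U", "ownership_differs"),
    ("G", "group_differs"),
    ("T", "modified_time_differs"),
    ("P", "capabilities_differ"),
)

# Single-letter attribute marker printed between the status string and the path.
ATTR_MARKERS = {
    "c": "configuration_file",
    "d": "documentation_file",
    "g": "ghost_file",
    "l": "license_file",
    "r": "readme_file",
}

# Status string (or the word "missing"), optional marker, then an absolute path.
LINE_RE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.?]{9}|missing)\s+(?:(?P<attr>[cdglr])\s+)?(?P<path>/\S.*)$"
)


@dataclass
class VerifiedFile:
    filepath: str
    missing: bool      # rpm reported the file as absent from disk
    differs: dict      # element name -> True when that flag character is set
    attributes: dict   # attribute-marker element -> True when the marker is present


def parse_verify_line(line: str):
    """Parse one rpm -V output line; returns None for lines that are not file records."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    flags = m.group("flags")
    missing = flags == "missing"
    differs = {
        entity: (not missing and flags[pos] == char)
        for pos, (char, entity) in enumerate(VERIFY_FLAGS)
    }
    attributes = {entity: m.group("attr") == char for char, entity in ATTR_MARKERS.items()}
    return VerifiedFile(m.group("path"), missing, differs, attributes)


def parse_verify_output(text: str):
    return [item for item in map(parse_verify_line, text.splitlines()) if item]


def files_of_concern(items):
    """Paths worth a closer look: missing files, and non-configuration files whose
    content, mode, ownership, link target, device or capabilities changed.
    An mtime-only change and locally edited configuration files are expected noise."""
    content_flags = (
        "size_differs", "md5_differs", "mode_differs", "device_differs",
        "link_mismatch", "ownership_differs", "group_differs", "capabilities_differ",
    )
    out = []
    for it in items:
        if it.missing:
            out.append(it.filepath)
        elif not it.attributes["configuration_file"] and any(it.differs[f] for f in content_flags):
            out.append(it.filepath)
    return out


# Constructed sample output (not captured from a real system).
SAMPLE_RPM_V_OUTPUT = """\
S.5....T.  c /etc/ssh/sshd_config
.M.......    /usr/bin/passwd
S.5....T.    /usr/sbin/sshd
missing     d /usr/share/doc/openssh/README
.......T.    /usr/lib64/libexample.so.1
"""

if __name__ == "__main__":
    for path in files_of_concern(parse_verify_output(SAMPLE_RPM_V_OUTPUT)):
        print(path)
```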

RPM verify package

This is used to verify the integrity of installed RPMs.

Child Elements: Description
Architecture: This is the architecture for which the RPM was built, such as i386, ppc, sparc or noarch. In the case of an apache rpm named httpd-2.0.40-21.11.4.i686.rpm, this value would be i686.
Dependency check passed: The dependency_check_passed entity indicates whether or not the dependency check passed. If the dependency check is not performed, due to the 'nodeps' behavior, this entity must not be collected.
Epoch: This is the epoch number of the RPM. It is used as a kludge for version-release comparisons where the vendor has done some kind of re-numbering or version forking. For a null epoch (or '(none)' as returned by rpm) the string '(none)' should be used. This number is not revealed by a normal query of the RPM's information; you must use a formatted rpm query command to gather it from the command line. For an already-installed RPM: rpm -q --qf '%{EPOCH}\n' installed_rpm. For an RPM file that has not been installed: rpm -qp --qf '%{EPOCH}\n' rpm_file.
Extended name: This element specifies the extended name.
Name: This is the package name to check.
Release: This is the release number of the build, changed by the vendor/builder.
Verification script successful: The verification_script_successful entity indicates whether or not the verification script executed successfully. If the verification script is not executed, due to the 'noscripts' behavior, this entity must not be collected.
Version: This is the version number of the build. In the case of an apache rpm named httpd-2.0.40-21.11.4.i686.rpm, this value would be 21.11.4.

Run level

This is used to check at which run-levels the specified services are scheduled to exist. For more information see the output generated by chkconfig --list.

Child Elements | Description
Kill | This entity determines whether the process is supposed to be killed at the specified run-level.
Run level | This entity refers to the system run-level associated with a service. A run-level is defined as a software configuration of the system that allows only a selected group of processes to exist.
Service name | This entity refers to the name associated with a service. This name is usually the filename of the script located in the /etc/init.d directory.
Start | This entity determines whether the process is scheduled to be spawned at the specified run-level.

SE Linux Boolean

This is used to check the current and pending status of a SELinux boolean.

Child Elements | Description
Current Status | The current_status entity represents the current state of the specified SELinux boolean.
Name | The name of the SELinux boolean.
Pending Status | The pending_status entity represents the pending state of the specified SELinux boolean.

Services

This is used to collect information about services. It includes service name and status.

Child Elements | Description
Service name | This specifies the service name.
Service status | This specifies the status of the service.

Shadow file(/etc/shadow)

This is used to check information from the /etc/shadow file for a specific user. This file contains the user's password hash, password ageing and lockout information.

Child Elements | Description
Change allowed | The minimum number of days that must pass after a password change before the user may change it again. It can also be thought of as the minimum age of a password.
Change last | The date of the last password change, in days since 1/1/1970.
Change required | The maximum number of days a user can keep a password before the system forces a change.
Encryption method | The encrypt_method entity describes the method used for hashing passwords.
Expiry date | The date on which the account expires (the eighth field of the shadow entry), in days since 1/1/1970.
Days before account inactive | The number of days of inactivity the system will wait after a password expires before locking the account. Unix systems are generally configured to only allow a given password to last for a fixed period of time.
Days warning for expiration | How many days before password expiration the system begins warning the user. The system will warn the user at each login.
Flag | A reserved field that the shadow file may use in the future.
Password | The hashed (encrypted) version of the user's password.
User name | The name of the user being checked.
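As an added example (not SanerNow's code), the script below parses /etc/shadow lines into the fields described above, derives the encryption method from the crypt(3) hash prefix, and runs an audit over the result. The shadow lines are constructed sample data with placeholder hashes, not real credentials; the policy in audit_shadow() (empty or legacy DES/MD5 hashes, a maximum password age above 90 days, and accounts past their expiry date) and the today_days argument are this example's assumptions.

```python
import datetime as dt
from typing import Dict, List, Optional

SHADOW_FIELDS = ("user_name", "password", "chg_lst", "chg_allow", "chg_req",
                 "exp_warn", "exp_inact", "exp_date", "flag")

# crypt(3) hash prefix -> method name (checked in order).
HASH_PREFIXES = (("$6$", "SHA-512"), ("$5$", "SHA-256"), ("$y$", "yescrypt"),
                 ("$gy$", "gost-yescrypt"), ("$7$", "scrypt"), ("$2b$", "bcrypt"),
                 ("$2a$", "bcrypt"), ("$1$", "MD5"))

EPOCH = dt.date(1970, 1, 1)

# Constructed /etc/shadow lines; the hashes are placeholders, not real credentials.
SAMPLE_SHADOW = """\
root:$6$saltsalt$examplehashexamplehashexamplehash:19000:0:99999:7:::
alice:$6$saltsalt$anotherexamplehashanotherexamplehash:19700:1:90:14:30::
bob::19700:0:99999:7:::
svc:!:19000:0:99999:7:::
dave:$1$legacy$oldmd5hashvalue:18500:0:365:7::19000:
"""


def days_to_date(days: Optional[int]) -> Optional[dt.date]:
    """Shadow stores dates as days since 1/1/1970."""
    return None if days is None else EPOCH + dt.timedelta(days=days)


def hash_method(pw: str) -> str:
    if pw == "":
        return "none"            # empty field: login without a password
    if pw.startswith(("!", "*")):
        return "locked"          # no hash can ever match this field
    for prefix, name in HASH_PREFIXES:
        if pw.startswith(prefix):
            return name
    return "DES" if len(pw) == 13 else "unknown"   # 13 chars: traditional DES crypt


def parse_shadow_line(line: str) -> Dict[str, object]:
    parts = line.rstrip("\n").split(":")
    if len(parts) != 9:
        raise ValueError("expected 9 colon-separated fields: %r" % line)
    item: Dict[str, object] = dict(zip(SHADOW_FIELDS, parts))
    for f in SHADOW_FIELDS[2:8]:                 # numeric ageing fields, blank = unset
        item[f] = int(item[f]) if item[f] != "" else None
    item["encrypt_method"] = hash_method(parts[1])
    return item


def audit_shadow(items: List[Dict[str, object]], today_days: int,
                 max_age: int = 90) -> Dict[str, List[str]]:
    """Return findings per user.  Locked accounts are skipped: nothing can log
    in with them, so their ageing values are irrelevant."""
    findings: Dict[str, List[str]] = {}
    for it in items:
        method = it["encrypt_method"]
        if method == "locked":
            continue
        notes: List[str] = []
        if method == "none":
            notes.append("empty password")
        elif method in ("DES", "MD5", "unknown"):
            notes.append("weak hash: %s" % method)
        if it["chg_req"] is None or it["chg_req"] > max_age:
            notes.append("max age %s days exceeds %d" % (it["chg_req"], max_age))
        if it["exp_date"] is not None and it["exp_date"] < today_days:
            notes.append("account expired on %s" % days_to_date(it["exp_date"]))
        if notes:
            findings[str(it["user_name"])] = notes
    return findings


if __name__ == "__main__":
    entries = [parse_shadow_line(l) for l in SAMPLE_SHADOW.splitlines()]
    today = (dt.date.today() - EPOCH).days
    for user, notes in audit_shadow(entries, today).items():
        print(user, "->", "; ".join(notes))
```

Reading /etc/shadow requires root (or membership of the shadow group), which is why this data is normally collected by the agent rather than by an unprivileged script; the parser itself works on any copy of the file.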

Shell History

This is used to collect information about shell history. It includes the user name, user ID, history file path and the commands from the history file.

Child Elements | Description
Command | This element specifies a command from the history file.
History file | This element specifies the history file path.
UID | This element specifies the user ID to which the history belongs.
User name | This element specifies the user to which the history belongs.

Sudo Users

This is used to collect users with sudo access.

Child Elements | Description
Sudo user name | This element specifies a user name that has sudo access.

System Control

This is used to check the values associated with the kernel parameters that are used by the local system.

Child Elements | Description
Name | This element contains a string that represents the name of a kernel parameter that was collected from the local system.
Value | This element contains a string that represents the value(s) associated with the specified kernel parameter.

System DHCP Information

This is used to collect system Dynamic Host Configuration Protocol (DHCP) information. It includes whether DHCP is enabled, the DHCP server IP address, netmask, gateway IP address, interface type, lease time, lease renew/rebind time and interface description.

Child Elements | Description
DHCP enabled | This element specifies whether the dynamic host configuration protocol (DHCP) is enabled for this adapter.
DHCP interface | This element specifies the interface that obtained its configuration through DHCP.
Gateway IP | This element specifies the IP address of the gateway for this adapter.
MAC Address | This element specifies the hardware address for the adapter.
Interface description | This element specifies an ANSI character string that contains the description of the adapter.
Interface type | This element specifies the adapter type.
IP mask | This element specifies the subnet mask (netmask) associated with this adapter.
Lease expire time | This element specifies the time when the current DHCP lease expires.
Lease rebind time | This element specifies the DHCP lease rebind time.
Lease renew time | This element specifies the DHCP lease renew time.
Lease time | This element specifies the DHCP lease time.
DHCP server IP | This element specifies the address of the DHCP server for this adapter.

System DNS Information

This is used to collect the domain name and domain name system (DNS) server IP information. It includes the domain name and the DNS server IP addresses.

Child Elements | Description
DNS server IP | This element specifies the list of DNS server IP addresses used by the local computer.
Domain name | This element specifies the domain in which the local computer is registered.

System Executable shield status

Executable shield status reports whether data memory is executable or non-executable and whether program memory is writable or non-writable.

Child Elements | Description
Executable shield status | This element specifies the executable shield No eXecute (NX) / eXecute Disable (XD) status as reported by the kernel. For example: NX (Execute Disable) protection active

System Route Information

This is used to collect system route information. It includes destination, gateway, netmask, flags, metric and interface name.

Child Elements | Description
Destination | This element specifies the destination IP address or subnet of the traffic for a specific route entry.
Flags | This element specifies the flags for a specific route entry.
Gateway | This element specifies the gateway for a specific route entry.
Network Interfaces | This element specifies the interface for a specific route entry.
Metric | This element specifies the metric for a specific route entry.
Netmask | This element specifies the netmask for a specific route entry.

System ASLR Status

This is used to collect the address space layout randomization (ASLR) status. ASLR gives some protection against memory corruption exploits (such as buffer overflows) by randomly arranging the address space positions of key data areas of a process, including the base of the executable and the positions of the stack, heap and libraries.

Child Elements | Description
ASLR status | This element specifies the system ASLR status (the value of the kernel.randomize_va_space sysctl):
0: process address space randomization is off.
1: the addresses of the mmap base, stack and VDSO page are randomized.
2: additionally, heap (brk) randomization is enabled.

Text File Content

This looks at the content of a text file (for example a configuration file) by examining individual lines. File path, pattern and instance are mandatory for this query when submitting to agents.

Child Elements | Description
File path* | This element specifies the absolute path for a file on the machine. A directory cannot be specified as a file path.
Pattern/Text* | This entity represents a block of text or a regular expression that is used to define a block of text. Subexpression notation (parentheses) is used to call out a value(s) to test against. For example, the pattern abc(.*)xyz would look for a block of text in the file that starts with abc and ends with xyz, with the subexpression being all the characters that exist in between. Note that if the pattern can match more than one block of text starting at the same point, it matches the longest. Subexpressions also match the longest possible substrings, subject to the constraint that the whole match be as long as possible, with subexpressions starting earlier in the pattern taking priority over ones starting later.
Instance* | The instance entity calls out which match of the pattern is being represented by this item. The first match is given an instance value of 1, the second match is given an instance value of 2, and so on. The main purpose of this entity is to provide uniqueness for the different items that result from multiple matches of a given pattern against the same file.
Sub-expression | The sub-expression entity represents the value of a subexpression in the specified pattern. If multiple subexpressions are specified in the pattern, then multiple entities are presented.
Windows view | Not applicable for Unix based systems. The windows view value from which this OVAL Item was collected. This is used to indicate from which view (32-bit or 64-bit) the associated Item was collected. A value of '32_bit' indicates the Item was collected from the 32-bit view. A value of '64_bit' indicates the Item was collected from the 64-bit view. Omitting this entity removes any assertion about which view the Item was collected from, and therefore it is strongly suggested that this entity be set. This entity only applies to 64-bit Microsoft Windows operating systems.
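As an added example (not SanerNow's code), the script below reproduces the pattern, instance and sub-expression semantics described above over a constructed sshd_config fragment, and shows why the instance number matters: sshd applies the first occurrence of a keyword and ignores later duplicates, so a check that reads the last match would pass a file whose effective setting is still "yes". The sample file, the "root login must be disabled" policy and the prohibit-password default are this example's assumptions. One caveat: the description above specifies POSIX leftmost-longest matching, whereas Python's re module is leftmost-first for alternation, so a pattern with | may select a different branch than the agent does.

```python
import re
from typing import Dict, List

# Constructed sshd_config fragment (sample input, not taken from a real host).
SAMPLE_SSHD_CONFIG = """\
# Authentication settings
PermitRootLogin yes
PasswordAuthentication yes
#PermitRootLogin no
PermitRootLogin no
MaxAuthTries 6
"""


def textfilecontent_items(text: str, pattern: str) -> List[Dict[str, object]]:
    """One item per match of `pattern`: the instance number (1-based, in order
    of appearance), the matched block of text and the subexpression values.
    re.MULTILINE makes ^ and $ match at line boundaries, which is what stops
    the commented-out line from matching an anchored pattern."""
    regex = re.compile(pattern, re.MULTILINE)
    return [{"instance": n, "text": m.group(0), "subexpressions": list(m.groups())}
            for n, m in enumerate(regex.finditer(text), start=1)]


def effective_sshd_value(text: str, keyword: str, default: str) -> str:
    """sshd_config semantics: the first occurrence of a keyword wins, so the
    compliance check must test instance 1.  `default` is the daemon's
    built-in value used when the keyword is absent."""
    items = textfilecontent_items(text, r"^%s\s+(\S+)" % re.escape(keyword))
    return str(items[0]["subexpressions"][0]) if items else default


def check_permit_root_login(text: str) -> bool:
    # Assumed policy for this example: root SSH login must be disabled.
    return effective_sshd_value(text, "PermitRootLogin", "prohibit-password") == "no"


def all_settings(text: str) -> Dict[str, str]:
    """Two subexpressions per match (keyword and value); first occurrence kept,
    comment lines never match because '#' is not a word character."""
    out: Dict[str, str] = {}
    for it in textfilecontent_items(text, r"^(\w+)\s+(.*?)\s*$"):
        key, value = it["subexpressions"]
        out.setdefault(str(key), str(value))
    return out


if __name__ == "__main__":
    for it in textfilecontent_items(SAMPLE_SSHD_CONFIG, r"^PermitRootLogin\s+(\S+)"):
        print("instance", it["instance"], "->", it["subexpressions"][0])
    print("effective PermitRootLogin:",
          effective_sshd_value(SAMPLE_SSHD_CONFIG, "PermitRootLogin", "prohibit-password"))
    print("compliant:", check_permit_root_login(SAMPLE_SSHD_CONFIG))
```

When writing a pattern for this probe, anchor it with ^ and make the instance explicit; a pattern such as PermitRootLogin\s+(\S+) without the anchor also matches the commented line and shifts every instance number by one.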

Unix name(uname)

This is used to collect information about the operating system as reported by uname. It includes the hardware identifier, operating system name, version and release, node name, processor type, time zone and locale.

Child Elements | Description
Locale | This element specifies the locale.
Machine class | This element specifies the hardware (machine) identifier, as reported by uname -m.
Node name | This element specifies the network node name of the machine, as reported by uname -n.
Operating system name | This element specifies the name of the operating system.
Operating system release | This element specifies the release version of the operating system.
Operating system version | This element specifies the version of the operating system.
Processor type | This element specifies the processor type, as reported by uname -p.
Time zone | This element specifies the time zone.

Wireless Information

This is used to collect information about the wireless connection. It includes the interface name and state, MAC address, SSID, interface description, whether the network is infrastructure or ad hoc, frequency, receive rate, transmit rate, signal quality and whether security is enabled.

Child Elements | Description
WLAN BSS Network type | This element specifies whether the network is infrastructure or ad hoc.
WLAN frequency | This element specifies the wireless frequency.
WLAN Interface description | This element specifies the wireless interface description.
WLAN Interface name | This element specifies the wireless interface name.
WLAN Interface state | This element specifies the state of the wireless interface.
WLAN MAC address | This element specifies the physical hardware address of the wireless interface.
WLAN Receiving rate | This element specifies the receive rate of the association.
WLAN Security enabled | This element specifies whether security is enabled on the network. A value of TRUE indicates that security is enabled; otherwise it is not.
WLAN Signal quality | This element specifies a percentage value that represents the signal quality of the network.
WLAN SSID | This element specifies the SSID of the association.
WLAN Transmission rate | This element specifies the transmit rate of the association.

System unit dependency

This element is used to check the dependencies of the specific units.

Child Elements | Description
Dependency | This entity refers to the name of a unit that was confirmed to be a dependency of the given unit.
Unit | This entity refers to the full systemd unit name, which has the form "$name.$type", for example "cupsd.service". This name is usually also the filename of the unit configuration file located in the /etc/systemd/ and /usr/lib/systemd/ directories.

Systemd unit property

This element is used to retrieve information about systemd units in form of properties. For more information see the output generated by systemctl show $unit.

Child Elements | Description
Property | The name of the property associated with a systemd unit.
Unit | The unit entity refers to the full systemd unit name, which has the form "$name.$type", for example "cupsd.service". This name is usually also the filename of the unit configuration file located in the /etc/systemd/ and /usr/lib/systemd/ directories.
Value | The value of the property associated with a systemd unit.

App armor status

This is used to check properties representing the counts of profiles and processes as per the results of the “apparmor_status” or “aa-status” command.

Child Elements | Description
Complain mode processes count | Displays the number of processes in complain mode.
Complain mode profiles count | Displays the number of profiles in complain mode.
Enforce mode processes count | Displays the number of processes in enforce mode.
Enforce mode profiles count | Displays the number of profiles in enforce mode.
Loaded profiles count | Displays the number of loaded profiles.
Processes with profiles count | Displays the number of processes which have profiles defined.
Unconfined processes with profiles count | Displays the number of processes which are unconfined but have a profile defined.

Symlink

This is used to obtain canonical path information for symbolic links. File path is a mandatory field while submitting to agents.

Child Elements | Description
Filepath* | Specifies the filepath used to create the object.
Canonical path | Specifies the canonical path for the target of the symbolic link file specified by the filepath.

Routing table

This is used to check information about the IPv4 and IPv6 routing table entries found in a system's primary routing table. Note that only numerical addresses are collected; their symbolic representations are not resolved. This is equivalent to using the '-n' option with route(8) or netstat(8). Destination is a mandatory field when submitting to agents.

Child Elements | Description
Destination* | The destination IP address prefix of the routing table entry: the destination IP address and netmask/prefix-length expressed in CIDR notation.
Flags | The flags associated with the specified routing table entry.
Gateway | The gateway of the specified routing table entry.
Interface name | The name of the interface associated with the routing table entry.

File extended attribute

This is used to check extended attribute values associated with UNIX files, of the sort returned by the getfattr command or getxattr() system call. This will collect all UNIX file types (directory, regular file, character device, block device, fifo, symbolic link, and socket). File path and attribute name are mandatory fields while submitting to agents.

Child Elements | Description
Attribute name* | This is the extended attribute's name, identifier or key.
File path* | The filepath element specifies the absolute path for a file on the machine. A directory can be specified as a filepath.
Value | The value entity represents the extended attribute's value or contents. To check for an attribute with no value assigned to it, this entity would be used with an empty value.

GConf

This is used to check the attributes and value(s) associated with GConf preference keys. This can be used to define the preference keys to collect and the sources from which to collect them. Key and source are mandatory fields when submitting to agents.

Child Elements | Description
Is default? | Is the preference key value the default value? If true, the preference key value is the default value. If false, it is not.
Is writable? | Is the preference key writable? If true, the preference key is writable. If false, it is not.
Key* | The preference key to check.
Source* | The source used to look up the preference key. This element specifies the source from which to collect the preference key. The source is represented by the absolute path to a GConf XML file, as XML is the current backend for GConf. Note that other backends may become available in the future.
Time modified | The time the preference key was last modified, in seconds since the Unix epoch. The Unix epoch is the time 00:00:00 UTC on January 1, 1970.
Type | The type of the preference key.
User modified | The user who last modified the preference key.
Value | The value of the preference key.

Virtual Memory Statistics (vmstat)

Virtual Memory Statistics (vmstat) reports information about processes, memory, paging, block IO, traps, and cpu activity.

Child Elements | Description
Blocks received | Blocks received from a block device.
Blocks sent | Blocks sent to a block device.
Buffer memory | The amount of memory used as buffers.
Cache memory | The amount of memory used as cache.
Context switches | The number of context switches per second.
CPU time idle | Time spent idle. Prior to Linux 2.5.41, this includes IO-wait time.
CPU time IO | Time spent waiting for IO. Prior to Linux 2.5.41, included in idle.
CPU time kernel code | Time spent running kernel code (system time).
CPU time non-kernel code | Time spent running non-kernel code (user time, including nice time).
CPU time virtual machine | Time stolen from a virtual machine. Prior to Linux 2.6.11, unknown.
Idle memory | The amount of idle memory.
Interrupts | The number of interrupts per second, including the clock.
Memory swapped in | The amount of memory swapped in from disk.
Memory swapped out | The amount of memory swapped to disk.
Runnable processes | The number of runnable processes (running or waiting for run time).
Uninterruptible sleep processes | The number of processes in uninterruptible sleep.
Virtual memory used | The amount of virtual memory used.

System time

This is used to track the current date and time in the system.

Child Elements | Description
Date | Current day in the system.
Day | Current weekday in the system.
Epoch time | Current local UNIX time in the system.
Hour | Current hour in the system.
Local timezone | Current local timezone in the system.
Minutes | Current minutes in the system.
Month | Current month in the system.
Year | Current year in the system.
Seconds | Current seconds in the system.
Timestamp | Current timestamp (log format) in the system.

SUID bin binary

Retrieves all the files from /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin, /usr/local/sbin and /tmp in the target system that have the setuid bit set.

Child Elements | Description
Path | This entity specifies the path in the system.
Permission | This entity specifies the permission associated with the user name and path.
User | This entity specifies the user name.

SUID bin file

Retrieves all the files from /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin, /usr/local/sbin and /tmp in the target system that have the setuid bit set.

Child Elements | Description
Path | This entity specifies the path in the system.
Permission | This entity specifies the permission associated with the user name and path.
User | This entity specifies the user name.
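As an added example (not SanerNow's code) covering both the SUID bin binary and SUID bin file probes above, the scanner below walks the same directory list, reports each setuid regular file with its owner and permission string, and separates the entries worth attention from the expected ones. Symlinks are deliberately not followed, since a link into a directory outside the list should neither add nor hide a result. The baseline set passed to unexpected() and the rule that nothing under /tmp is ever legitimate are this example's assumptions; demo_in_tempdir() builds a throwaway directory so the scanner can be exercised without touching the real system paths.

```python
import os
import pwd
import stat
import tempfile
from typing import Dict, Iterable, List, Set

# Directories the probe covers (from the description above).
SUID_DIRS = ["/bin", "/sbin", "/usr/bin", "/usr/sbin",
             "/usr/local/bin", "/usr/local/sbin", "/tmp"]


def owner_name(uid: int) -> str:
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)                     # orphaned uid: report it numerically


def find_setuid(dirs: Iterable[str]) -> List[Dict[str, str]]:
    """Walk each directory and return regular files with the setuid bit.
    lstat() is used so a symlink is never reported as (or mistaken for) the
    file it points to; os.walk() also does not follow symlinked directories."""
    found: List[Dict[str, str]] = []
    for base in dirs:
        if not os.path.isdir(base):
            continue
        for root, _subdirs, files in os.walk(base):
            for name in sorted(files):
                path = os.path.join(root, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue                # vanished or unreadable entry
                if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                    found.append({"path": path,
                                  "user": owner_name(st.st_uid),
                                  "permission": stat.filemode(st.st_mode)})
    return found


def unexpected(items: List[Dict[str, str]], baseline: Set[str]) -> List[Dict[str, str]]:
    """Entries that deserve attention: any setuid file under /tmp (a
    world-writable directory is never a legitimate home for one) and any
    setuid file that is not in the approved baseline for this host."""
    return [it for it in items
            if it["path"].startswith("/tmp/") or it["path"] not in baseline]


def demo_in_tempdir() -> Dict[str, object]:
    """Create one setuid and one plain file in a fresh temporary directory and
    scan it.  bit_set records whether the filesystem actually kept the bit."""
    d = tempfile.mkdtemp(prefix="suid-demo-")
    suid = os.path.join(d, "suid-tool")
    plain = os.path.join(d, "plain-tool")
    for p in (suid, plain):
        open(p, "w").close()
    os.chmod(suid, 0o4755)
    os.chmod(plain, 0o755)
    bit_set = bool(os.stat(suid).st_mode & stat.S_ISUID)
    return {"dir": d, "suid": suid, "bit_set": bit_set, "found": find_setuid([d])}


if __name__ == "__main__":
    # Assumed baseline for illustration; a real one is captured from a
    # freshly installed, patched host of the same build.
    baseline = {"/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su"}
    for it in unexpected(find_setuid(SUID_DIRS), baseline):
        print(it["permission"], it["user"], it["path"])
```

A setuid file owned by a non-root user is still worth listing: it grants that user's privileges to anyone who can execute it, which is why the probe reports the owner alongside the mode.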

Grand Unified Bootloader (grub)

GRUB (the Grand Unified Bootloader) is the default boot loader for many Linux distributions. The boot loader plays a major role in bringing the system up into a running state: it is the first program run after the firmware when a computer is switched on, and it transfers control to an operating system kernel.

Child Elements | Description
Command line default | The default kernel command line options.
Default | The default operating system to boot if no key is pressed.
Initrd | The initrd image to boot the kernel with.
Kernel | The Linux kernel image to load, along with all the options for it.
Menu entry | The title of a boot entry shown in the GRUB menu.
Root | The partition where the /boot directory is. All paths will be relative to this partition.
Timeout | The time in seconds to wait before the default operating system is booted.

Boot priority policy

This defines the operating system boot priority policy. The Linux boot loader (GRUB) usually defaults to booting Linux.

Child Elements | Description
Menu entry | This element defines the title entry. A title line starts an operating system section, which continues until the next title line is found.

XML File Content

This element is used by an XML file content test to define the specific piece of an XML file(s) to be evaluated. This will only collect regular files on UNIX systems and FILE_TYPE_DISK files on Windows systems. The set of files to be evaluated is identified by a complete file path. File path and XPath are mandatory fields when submitting to agents.

Child Elements | Description
File path* | This element specifies the absolute path for a file on the machine. A directory cannot be specified as a file path.
XPath* | Specifies an XPath 1.0 expression to evaluate against the XML file specified by the file path entity. This XPath 1.0 expression must evaluate to a list of zero or more text values, which will be accessible in OVAL via instances of the value_of entity. Any result from evaluating the XPath 1.0 expression other than a list of text strings (e.g., a node set) is considered an error. The intention is that the text values be drawn from instances of a single, uniquely named element or attribute. However, an OVAL interpreter is not required to verify this, so the author should define the XPath expression carefully. Note that "equals" is the only valid operator for the xpath entity.
Value of | This element checks the value(s) of the text node(s) or attribute(s) found.
Windows view | The windows view value to which this was targeted. This is used to indicate which view (32-bit or 64-bit) the associated State applies to. This entity only applies to 64-bit Microsoft Windows operating systems.

Missing Patches

This is used to investigate missing patches and security fixes in a computer system.

Child Elements | Description
Patch description | This element describes a patch.
Patch ID | A unique identification number associated with a patch.
Patch name | This element specifies the patch name.
Patch rollback available | This element specifies whether rollback is possible for this patch. Possible values are TRUE or FALSE. An empty value appears if it cannot be determined.
Patch severity | This element specifies the severity of a patch. Possible values: Important, Critical, etc. An empty value appears if it cannot be determined.
Patch size | This element specifies the size of a patch, in bytes. The value UNKNOWN appears if the patch size cannot be determined.
Reboot required | This element specifies whether a reboot is required after patch installation. Possible values are TRUE or FALSE.
Platform CPE | This element specifies the platform CPE ID associated with the patch.
Product CPE | This element specifies the product CPE ID associated with the patch. Note: this value is empty when a patch is associated with an operating system.

Mac Probes

Account Information

This is used to collect all users’ information. It includes user name, user ID, group ID, real name, home directory and login shell information.

Child Elements | Description
Group ID | This element represents the group ID of this account.
Home directory | This element specifies the home directory for this user account.
Login shell | This element specifies the login shell for this user account.
Password | This element specifies the obfuscated (*****) or hashed password for this user.
Real name | This element specifies the user's real name, aka the gecos field of /etc/passwd.
User ID | The numeric user ID, or uid, is the third column of each user's entry in /etc/passwd.
User name | This element specifies the user of the account to gather information from.

ARP Cache

This is used to collect various information about address resolution protocol(ARP) cache table. It includes host IP address, mac address, interface name from ARP cache table.

Child Elements | Description
Host IP | This element specifies the host IP address.
MAC address | This element specifies the physical hardware address of the adapter for the network interface associated with this IP address.
Network Interfaces | This element specifies the device interface.
Permanent | This element specifies whether an ARP entry is permanent or not.

Authorization Database

This is used to check the properties of the plist-style XML output from the security authorizationdb read right-name command, for reading information about rights authorizations on MacOSX. Right name and XPath are mandatory to query the database.

Child Elements | Description
Right name* | This element specifies the right name to be queried (read) from the authorization database.
Value of | This element checks the value(s) of the text node(s) or attribute(s) found.
XPath* | This element specifies an XPath expression describing the text node(s) or attribute(s) to look at. Any valid XPath 1.0 statement is usable, with one exception: at most one field may be identified in the XPath.

Anti-virus information

This is used to collect information about installed antivirus applications.

Child Elements | Description
Antivirus name | This element specifies the display name of an installed antivirus product.
Antivirus path | This element specifies the installation path of an installed antivirus product.
Antivirus version | This element specifies the version of an installed antivirus product.

BIOS Information

This is used to collect information about the BIOS (basic input/output system). It includes the BIOS name, version, serial number, SMC version and BIOS status.

Child Elements | Description
BIOS Name | This element identifies the BIOS software element.
BIOS Serial Number | This element specifies the serial number of the software element.
BIOS SMC Version | This element specifies the firmware version of the System Management Controller (SMC).
BIOS Status | This element specifies the current status of the BIOS. Various operational and non-operational statuses can be defined.
BIOS Version | This element specifies the version of the BIOS. This string is created by the BIOS manufacturer.

Computer Information

This is used to collect information about the computer system. It includes CPU, RAM, swap memory, virtual memory, disk, operating system, cache size, host name, model name, serial number, etc.

Child Elements | Description
Address Sizes | This element specifies the CPU address sizes (physical and virtual).
Cache size | This element specifies the size of the total processor cache (in bytes). A cache is a small memory area with a faster access time than main RAM.
CPU | This element specifies the name of the processor.
CPU Architecture | This element specifies the processor architecture used by the platform.
CPU cores | This element specifies the number of cores.
CPU family | This element identifies the family of the processor in the system.
CPU Speed | This element specifies the speed of the processor in megahertz.
CPU usage | This element specifies CPU usage as a percentage.
Disk model | This element specifies the disk model name, a one-line string.
Disk name | This element specifies the short description of the disk drive, a one-line string.
Disk removable device | This element specifies whether the disk is removable.
Disk size | This element specifies the total size of the disk drive in bytes.
Free RAM | This element specifies the system free memory size in bytes.
Free swap size | This element specifies the system free swap size in bytes.
Host name | This element specifies the label that is assigned to a computer.
Model name | This element specifies the CPU model info.
Network total bytes received | This element represents the number of bytes received.
Network total bytes transmitted | This element represents the number of bytes transmitted.
Network total bytes (received/transmitted) | This element represents the total number of bytes received and transmitted.
Operating system architecture | This element specifies the architecture of the operating system.
Operating system name | This element specifies the name of the operating system.
Operating system release | This element specifies the release version of the operating system.
Operating system version | This element specifies the version of the operating system.
RAM usage | This element specifies used system memory as a percentage.
RAM used | This element specifies used system memory size in bytes.
Serial number | This element specifies the BIOS serial number.
System name | This element specifies the system name.
System product name | This element specifies the system hardware name.
System time synchronization status | This element specifies whether the system time is synchronised with a server using the Network Time Protocol (NTP). The value is either true or false.
System uptime | This element specifies the time elapsed since the system was started.
Timezone name | This element specifies the timezone, such as Asia/Kolkata.
Total RAM | This element specifies the system total memory size in bytes.
Total swap size | This element specifies the system total swap size in bytes.
Total virtual memory allocated | This element specifies the system total virtual memory size in bytes.

Core Storage

This is used to check the properties of the plist-style XML output from the “diskutil cs list -plist” command, for reading information about the CoreStorage setup on MacOSX. UUID and XPath are mandatory to query the database.

Child Elements | Description
UUID* | This element specifies the UUID of the volume about which the plist information was retrieved.
Value of | This element checks the value(s) of the text node(s) or attribute(s) found.
XPath* | This element specifies an XPath expression describing the text node(s) or attribute(s) to look at. Any valid XPath 1.0 statement is usable, with one exception: at most one field may be identified in the XPath.

Cron

This is used to collect various information about cron jobs. It includes user name, scheduled job and command.

Child Elements | Description
Scheduled | This element specifies the scheduled time for a particular cron job.
Scheduled command | This element indicates the command to be executed at the scheduled time.
User name | This element specifies the username for which the cron job is scheduled.

Device information

This is used to collect information about installed devices on the system. It includes the device name, driver, manufacturer, model, path, serial number, size and type.

Child Elements | Description
Device driver | This element specifies the driver used by the device.
Device name | This element specifies the installed device's name.
Device manufacturer | This element specifies the manufacturer of the device.
Device model | This element identifies the device model.
Device path | This element specifies the logical path within the device node.
Device serial | This element specifies the serial number of the device.
Device size | This element specifies the total size of the device in bytes (applicable to USB and media devices).
Device type | This element specifies the type of the device.

Disk Utility

This is used to collect information to verify disks on a Mac OS system. File path and Device are mandatory for this query.

Child Elements | Description
Device* | This element represents the disk on a Mac OS system to verify. See diskutil(8) for instructions on how to specify the device.
File path* | This element specifies the absolute path for a file or directory on the specified device.
Group execute | This element specifies the group execute permission of a file.
Group read | This element specifies the group read permission of a file.
Group write | This element specifies the group write permission of a file.
Others execute | This element specifies the execute permission of a file for other users.
Others read | This element specifies the read permission of a file for other users.
Others write | This element specifies the write permission of a file for other users.
User execute | This element specifies the user execute permission of a file.
User read | This element specifies the user read permission of a file.
User write | This element specifies the user write permission of a file.

Gatekeeper

This is used to collect information to check the status of Gatekeeper and any unsigned applications that have been granted execute permission.

Child Elements | Description
Enabled | This element specifies the status of Gatekeeper assessments.
Unlabeled | This element specifies the path to an unsigned application folder to which Gatekeeper has granted execute permission.

Hosts File(/etc/hosts)

This is used to collect information about hosts from /etc/hosts. It includes the host IP address and host name.

Child Elements | Description
Host IP | This element specifies the host IP address.
Host name | This element specifies the label that is assigned to a computer.

Operating System Information

This is used to collect information about the installed operating system.

Child Elements | Description
Build version | This element specifies the build number of an operating system. It can be used for more precise version information than product release version numbers.
Copyright | This element specifies the copyright notice of the operating system.
Operating system name | This element specifies the operating system instance within a computer system.
Service pack major | This element specifies the major version number of the service pack installed on the computer system. If no service pack has been installed, the value is 0 (zero).
Service pack minor | This element specifies the minor version number of the service pack installed on the computer system. If no service pack has been installed, the value is 0 (zero).
Service pack patch | This element specifies the patch version of the service pack installed on the computer system. If no service pack has been installed, the value is 0 (zero).

Protocols File(/etc/protocols)

This is used to collect information about protocols from /etc/protocols. It includes the protocol name, protocol number and protocol aliases.

Child Elements | Description
Protocol aliases | This element specifies the aliases for the protocol.
Protocol name | This element specifies the native name for the protocol.
Protocol number | This element specifies the official number for the protocol.

Services File(/etc/services)

This is used to collect information about services from /etc/services. It includes the service name, service port, service protocol and service aliases.

Child Elements | Description
Service aliases | This element specifies alternative names for the same service.
Service name | This element specifies the service name.
Service port | This element specifies the port on which the service is offered.
Service protocol | This element specifies which transport protocol is used.

Family of Operating System

This is used to collect the operating system family; the standard values are windows, unix and macos (Mac OS).

Child Elements | Description
family of operating system | This element specifies the operating system family.

File

This is used to check metadata associated with files. File path is mandatory for this query while submitting to agents.

Child Elements | Description
File path* | This element specifies the location of the file.
Access time | This element specifies the access time of a file.
Creation time | This element specifies the creation time of a file (in timestamp format).
File md5 sum | This element specifies the md5 sum of a file.
File name | This element specifies the name of the file.
Group execute | This element specifies the group execute permission of a file.
Group read | This element specifies the group read permission of a file.
Group ID | This element specifies the group ID of a file.
Group write | This element specifies the group write permission of a file.
Has extended ACL | This element specifies whether an extended access control list exists for a file.
Modified time | This element specifies the modification time of a file.
Others execute | This element specifies the execute permission of a file for other users.
Others read | This element specifies the read permission of a file for other users.
Others write | This element specifies the write permission of a file for other users.
Set group User ID | This element specifies the set-group-ID bit of a file.
Size | This element specifies the size of a file (in bytes).
Sticky bit | This element specifies the sticky bit of a file.
Owner User ID | This element specifies the owner's user id.
Type | This element specifies the type of the file.
User execute | This element specifies the user execute permission of a file.
User read | This element specifies the user read permission of a file.
User ID | This element specifies the user id of a file.
User write | This element specifies the user write permission of a file.
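The elements listed above map directly onto the POSIX mode bits and stat fields of a file. The following is an added example, not SanerNow's own agent code, that decodes one File item from an lstat() result and runs a small baseline check over it; the extended-ACL probe assumes the Linux xattr name system.posix_acl_access, and the demo file is constructed.

```python
import hashlib
import os
import stat
import tempfile

# Added example (not SanerNow code): decode the metadata that the File query
# reports from an lstat() result and the file contents, then apply a few
# checks a permission baseline would typically enforce.

FILE_TYPES = [
    (stat.S_ISREG, "regular"),
    (stat.S_ISDIR, "directory"),
    (stat.S_ISLNK, "symbolic link"),
    (stat.S_ISCHR, "character device"),
    (stat.S_ISBLK, "block device"),
    (stat.S_ISFIFO, "fifo"),
    (stat.S_ISSOCK, "socket"),
]


def file_type(mode):
    """Map st_mode to the type names reported by the File query."""
    for test, name in FILE_TYPES:
        if test(mode):
            return name
    return "unknown"


def md5_of(path):
    """Hex MD5 of the file contents (the 'File md5 sum' element)."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def has_extended_acl(path):
    """True if a POSIX ACL xattr is present, None when xattrs are unavailable.
    Assumption: Linux stores the access ACL as 'system.posix_acl_access'."""
    listxattr = getattr(os, "listxattr", None)
    if listxattr is None:
        return None
    try:
        return "system.posix_acl_access" in listxattr(path, follow_symlinks=False)
    except OSError:
        return None


def file_item(path):
    """Return one File item (a dict keyed by child element) for path."""
    st = os.lstat(path)
    m = st.st_mode
    return {
        "file_path": path,
        "file_name": os.path.basename(path),
        "type": file_type(m),
        "size": st.st_size,
        "user_id": st.st_uid,
        "group_id": st.st_gid,
        "access_time": int(st.st_atime),
        "modified_time": int(st.st_mtime),
        "creation_time": int(st.st_ctime),  # inode change time; birth time is not portable
        "user_read": bool(m & stat.S_IRUSR),
        "user_write": bool(m & stat.S_IWUSR),
        "user_execute": bool(m & stat.S_IXUSR),
        "group_read": bool(m & stat.S_IRGRP),
        "group_write": bool(m & stat.S_IWGRP),
        "group_execute": bool(m & stat.S_IXGRP),
        "others_read": bool(m & stat.S_IROTH),
        "others_write": bool(m & stat.S_IWOTH),
        "others_execute": bool(m & stat.S_IXOTH),
        "set_user_id": bool(m & stat.S_ISUID),
        "set_group_id": bool(m & stat.S_ISGID),
        "sticky_bit": bool(m & stat.S_ISVTX),
        "has_extended_acl": has_extended_acl(path),
        "file_md5_sum": md5_of(path) if stat.S_ISREG(m) else None,
    }


def findings(item):
    """Permission conditions a baseline policy would typically flag."""
    out = []
    if item["others_write"] and item["type"] == "regular":
        out.append("world-writable file")
    if item["others_write"] and item["type"] == "directory" and not item["sticky_bit"]:
        out.append("world-writable directory without sticky bit")
    if item["set_user_id"] and item["user_id"] == 0:
        out.append("setuid root file")
    if item["set_group_id"]:
        out.append("setgid file")
    return out


def demo():
    """Constructed sample: a world-writable temporary file containing 'hello'."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"hello")
        path = f.name
    os.chmod(path, 0o666)  # chmod is not subject to the umask
    item = file_item(path)
    os.unlink(path)
    return item, findings(item)


if __name__ == "__main__":
    sample, flagged = demo()
    for key, value in sample.items():
        print(f"{key:18} {value}")
    print("findings:", flagged)
```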

Group

This is used to collect information about groups. It includes the group name and group id.

Child Elements | Description
Group | This element specifies the group name.
Group ID | This element specifies the group id.

Inet-Listening Servers

This is used to collect information about listening ports. It includes the protocol name, local ip address, local port, program name, foreign address, foreign port, process id and user id.

Child Elements | Description
Foreign address | This element specifies the foreign ip address that is connected to the listening server.
Foreign full address | This element specifies the foreign ip address, including the port, that is connected to the listening server.
Foreign port | This element specifies the foreign port that is connected to the listening server.
Local address | This element specifies the local ip address on which the server is listening.
Local full address | This element specifies the full local ip address, including the port, on which the server is listening.
Local port | This element specifies the local port on which the server is listening.
Process ID (PID) | This element specifies the pid of the listening server program.
Program name | This element specifies the name of the listening server program.
Protocol | This element specifies the name of the protocol used by the listening server.
User ID | This element specifies the user id of the listening server program.

Installed Applications

This is used to collect information about installed applications on the system. It includes the application name, version, architecture, path, developer and last use.

Child Elements | Description
Application architecture | This element specifies the architecture for which the package was built, such as i386, ppc, sparc or noarch.
Application developer | This element specifies the developer of the installed application.
Application last use | This element specifies the last use date of an application.
Application name | This element specifies the installed package name.
Application path | This element specifies the path in which the application is installed.
Application publisher | This element specifies the application publisher information.
Application version | This element specifies the version number of the build.

launchd (unified service-management)

This is used to collect information and status of daemons/agents, applications, processes and scripts running in a system.

Child Elements | Description
Label | This element specifies the daemon to be queried.
Process ID(pid) | This element specifies the process ID of the daemon (if any).
Status | This element specifies the last exit code of the daemon (if any), or, if < 0, the negative of the signal that interrupted processing. For example, a value of -15 would indicate that the job was terminated via a SIGTERM.

Network Interfaces

The interface test enumerates various attributes of the interfaces on a system.

Child Elements | Description
Broadcast address | This element specifies the broadcast address. A broadcast address is typically the IP address with the host portion set to either all zeros or all ones. Note that the IP address can be IPv4 or IPv6.
Flag | The flag entity represents the interface flag line, which generally contains flags like “UP” to denote an active interface, “PROMISC” to note that the interface is listening for Ethernet frames not specifically addressed to it, and others. This element can be included multiple times in a system characteristics item in order to record a multitude of flags. Note that the entity_check attribute associated with EntityStateStringType guides the evaluation of entities like this that refer to items that can occur an unbounded number of times.
Hardware Address | The Hardware Address entity is the hardware or MAC address of the physical network card. MAC addresses should be formatted according to the IEEE 802-2001 standard, which states that a MAC address is a sequence of six octet values, separated by hyphens, where each octet is represented by two hexadecimal digits. Uppercase letters should also be used to represent the hexadecimal digits A through F.
IP address of an interface | This element specifies the IP address. Note that the IP address can be IPv4 or IPv6. If the IP address is an IPv6 address, this entity will be expressed as an IPv6 address prefix using CIDR notation and the netmask entity will not be collected.
Name | This element specifies the name of an interface.
Netmask | This element specifies the subnet mask for the IP address. Note that if the IP address of an interface entity contains an IPv6 address prefix, this entity will not be collected.
Type | This element specifies the type of interface, which is limited to a certain set of values.
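The two collection rules above (hyphen-separated uppercase MAC octets, and IPv6 addresses stored as a CIDR prefix with no netmask) are easy to get wrong when normalizing data from different tools. The following added example, not SanerNow's own code, builds interface items under those rules from constructed sample records and flags PROMISC interfaces; it assumes the IPv6 prefix keeps the host bits (e.g. 2001:db8::7/64).

```python
import ipaddress
import re

# Added example (not SanerNow code): build Network Interfaces items with the
# IEEE 802-2001 MAC format and the IPv6-as-CIDR-prefix rule described above.

MAC_HEX = re.compile(r"^[0-9A-Fa-f]{12}$")


def normalize_mac(raw):
    """Return the MAC as six uppercase hex octets separated by hyphens.
    Accepts the colon, hyphen, dotted (Cisco) and bare 12-digit forms."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw)
    if not MAC_HEX.match(digits):
        raise ValueError(f"not a 48-bit MAC address: {raw!r}")
    digits = digits.upper()
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_flags(flag_line):
    """Split an ifconfig-style flag line such as '<UP,BROADCAST,RUNNING,PROMISC>'."""
    return [f for f in re.split(r"[<>,\s]+", flag_line) if f]


def interface_item(name, iface_type, hw_addr, address, mask_or_prefix, flags):
    """One interface item. IPv4: address, netmask and derived broadcast address.
    IPv6: address stored as a CIDR prefix, netmask entity omitted (assumption:
    the prefix keeps the host bits, as in '2001:db8::7/64')."""
    item = {
        "name": name,
        "type": iface_type,
        "hardware_address": normalize_mac(hw_addr),
        "flags": sorted(set(flags)),
    }
    if ipaddress.ip_address(address).version == 4:
        net = ipaddress.IPv4Network(f"{address}/{mask_or_prefix}", strict=False)
        item["ip_address"] = address
        item["netmask"] = str(net.netmask)
        item["broadcast_address"] = str(net.broadcast_address)
    else:
        item["ip_address"] = str(ipaddress.IPv6Interface(f"{address}/{mask_or_prefix}"))
    return item


def promiscuous_interfaces(items):
    """Interface names whose flag line includes PROMISC: a cheap sniffing
    indicator worth alerting on outside known monitoring hosts."""
    return sorted({i["name"] for i in items if "PROMISC" in i["flags"]})


# Constructed sample records (not taken from any real host).
SAMPLE = [
    ("eth0", "ethernet", "00:1a:2b:3c:4d:5e", "192.0.2.10", "255.255.255.0",
     parse_flags("<UP,BROADCAST,RUNNING,MULTICAST>")),
    ("eth1", "ethernet", "001a.2b3c.4d5f", "198.51.100.7", "24",
     parse_flags("<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>")),
    ("eth1", "ethernet", "001A2B3C4D5F", "2001:db8::7", "64",
     parse_flags("<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>")),
]


def sample_items():
    """Items built from the constructed SAMPLE records."""
    return [interface_item(*row) for row in SAMPLE]


if __name__ == "__main__":
    for it in sample_items():
        print(it)
    print("promiscuous:", promiscuous_interfaces(sample_items()))
```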

IP forwarding status

This is used to collect information about the IP forwarding setting. It includes the IP forwarding status, which can be either enabled or disabled.

Child Elements | Description
IP forwarding status | This element specifies whether ip forwarding is enabled or disabled.

Packet filter control(pfctl)

This is used to collect information about packet filter control. It includes action, direction, interface, protocol, source, destination, flags and state information.

Child Elements | Description
Action | This element specifies the action to be taken when a specified rule matches. For example: PASS or BLOCK.
Direction | This element specifies the packet flow direction.
Destination | This element specifies the destination IP address or subnet of the traffic.
Flags | This element specifies the different flags associated with the rule.
Interface | This element specifies the network interface for a specific rule.
Protocol | This element specifies the protocol associated with the rule.
Source | This element specifies the source IP address or subnet of the traffic.
State | This element specifies the different states associated with the rule. For example: no state, keep state, modulate state, synproxy state.

Kernel Information

This is used to collect information about the loaded kernel. It includes the kernel version, the kernel image path, the device/volume the kernel is on and the kernel arguments.

Child Elements | Description
Arguments | This element indicates the arguments of the loaded kernel.
Device | This element indicates the device or volume on which the kernel is located.
Kernel image path | This element specifies the kernel image path.
Kernel version | This element indicates the version of the loaded kernel.

Key chain

This is used to check the properties of the plist-style XML output from the ‘security show-keychain-info keychain’ command. File path is mandatory for this query.

Child Elements | Description
File path* | This element specifies the filepath of the keychain.
Lock on sleep | This element specifies whether the keychain is configured to lock when the computer sleeps.
Time out | This element specifies the inactivity timeout (in seconds) for the keychain, or 0 if there is no timeout.

Logged-in Users

This is used to collect information about logged-in users. It includes the user name, device tty, remote login host name, time when the entry was made, process id and record type.

Child Elements | Description
Host | This element indicates the hostname for a remote login, or the kernel version for run-level messages.
Process ID(PID) | This element indicates the PID of the login process.
Time | This element indicates the time when the entry was made (in seconds).
tty | This element indicates the device name of the tty.
Type | This element indicates the type of record.
User name | This element indicates the logged-in user name.

Mount points

This is used to collect information about mounted partitions. It includes the disk filesystem name, file system type, disk size, disk space used, available disk space, disk use as a percentage and the disk mount path.

Child Elements | Description
Disk file-system name | This element indicates the filesystem name.
Disk mounted on | This element indicates the disk mount path.
Disk size | This element indicates the total disk partition size (in bytes).
Disk space available | This element indicates the available disk space (in bytes).
Disk space used | This element indicates the used disk space (in bytes).
Disk use percentage | This element indicates the used disk space as a percentage.

Non-volatile random-access memory (NVRAM)

This is used to collect information about non-volatile random-access memory (NVRAM). It pulls data from the ‘nvram -p’ output. It includes each variable and the value associated with it.

Child Elements | Description
NVRAM variable | This element indicates the variable name.
NVRAM value | This element indicates the value associated with the variable.

Partitions

The partition_test is used to check the information associated with partitions on the local system.

Child Elements | Description
Device | This element contains a string that represents the name of the device.
FS type | This element contains a string that represents the type of filesystem on a partition.
Mount point | This element contains a string that represents the mount point of a partition on the local system.
Space left | This element contains an integer that represents the number of blocks left on a partition.
Space used | This element contains an integer that represents the number of blocks used on a partition.
Total space | This element contains an integer that represents the total number of blocks on a partition.
UUID | This element contains a string that represents the universally unique identifier associated with a partition.

Password/User Information

This is used to collect information about system users. It includes the user name, password, user id, group id, user information, user home directory path and login shell.

Child Elements | Description
GCOS(comment field) | This element indicates user information. Usually, it contains the full username. Some programs (for example, finger(1)) display information from this field. GECOS stands for “General Electric Comprehensive Operating System”, which was renamed to GCOS when GE’s large systems division was sold to Honeywell. Dennis Ritchie has reported: “Sometimes we sent printer output or batch jobs to the GCOS machine. The gcos field in the password file was a place to stash the information for the $IDENT card. Not elegant.”
Group ID | This element indicates the group id of a particular group.
Home directory | This element specifies the path to the home directory of a particular user.
Login shell | This element specifies the login shell of a particular user.
Password | This element indicates the local user password.
User ID | This element indicates the user id of a particular user.
User name | This element indicates the local user name.

Property List(plist)

Information associated with property list preference keys. File path, App ID and Key entities are mandatory for this query.

Child Elements | Description
App ID* | The unique application identifier that specifies the application to use when looking up the preference key (e.g. com.apple.Safari).
File path* | The absolute path to a plist file (e.g. ~/Library/Preferences/com.apple.Safari.plist). A directory cannot be specified as a filepath.
Instance | The instance of the preference key found in the plist. The first instance of a matching preference key is given the instance value of 1, the second instance of a matching preference key is given the instance value of 2, and so on. Instance values must be assigned using a depth-first approach. Note that the main purpose of this entity is to provide uniqueness for the different plist items that result from multiple instances of a given preference key in the same plist file.
Key* | The preference key to be checked.
Type | The type of the preference key to be checked.
Value | The value of the preference key to be checked.

Port/Network Connection

Information about open ports and network connections.

Child Elements | Description
Local address | This element specifies the local IP address the listening port is bound to. Note that the IP address can be IPv4 or IPv6.
Local full address | This element specifies the full local IP address the listening port is bound to. Note that the IP address can be IPv4 or IPv6.
Local port | This element specifies the number assigned to the local listening port.
Protocol | This element specifies the type of listening port. It is restricted to either TCP or UDP.
Process ID(PID) | The id given to the process that is associated with the specified listening port.
Foreign address | This is the IP address with which the program is communicating, or with which it will communicate, in the case of a listening server. Note that the IP address can be IPv4 or IPv6.
Foreign full address | This is the full IP address with which the program is communicating, or with which it will communicate, in the case of a listening server. Note that the IP address can be IPv4 or IPv6.
Foreign port | This is the TCP or UDP port to which the program communicates.
Process name | This element specifies the name of a listening server program.
Port state | This element indicates the port state.
User ID | This element specifies the user id using this port.

Process

Information about running processes.

Child Elements | Description
Command line | This is the string used to start the process. It includes any parameters that are part of the command line.
Exec shield | This element specifies the exec shield status.
Execution time | This is the cumulative CPU time, formatted as [DD-]HH:MM:SS, where DD is the number of days when the execution time is 24 hours or more.
Login UID | The loginuid shows which account a user gained access to the system with. The /proc/XXXX/loginuid file shows this value.
Process ID(PID) | This is the process ID of the process.
Posix capability | An effective capability associated with the process. See linux/include/linux/capability.h for more information.
Parent process ID | This is the process ID of the process’s parent process.
Priority | This is the scheduling priority with which the process runs. This can be adjusted with the nice command or the nice() system call.
Process name | This is the name of the process.
Real UID | This element specifies the real UID.
SE Linux domain label | An SE Linux domain label associated with the process.
Session ID | The session ID of the process.
Start time | This is the time of day the process started, formatted as HH:MM:SS if the process started on the same day, or as MMM_DD (e.g. Feb_5) if the process started on a previous day.
tty | This is the TTY on which the process was started, if applicable.
User ID | This is the effective user id, which represents the actual privileges of the process.

Resource Limit

This is used to collect information to check system resource limits for launchd.

Child Elements | Description
Core current | This element specifies the largest size (in bytes) of a core file that may be created.
Core limit | This element specifies the core hard limit (in bytes).
CPU current | This element specifies the maximum amount of CPU time (in seconds) to be used by each process.
CPU limit | This element specifies the CPU hard limit.
Data current | This element specifies the maximum size (in bytes) of the data segment for a process; this defines how far a program may extend its break with the sbrk(2) system call.
Data limit | This element specifies the data hard limit (in bytes).
Filesize current | This element specifies the largest size (in bytes) of a file that may be created.
Filesize limit | This element specifies the filesize hard limit.
Maxfiles current | This element specifies the maximum number of open files for this process.
Maxfiles limit | This element specifies the maxfiles hard limit (in bytes).
Maxproc current | This element specifies the maximum number of simultaneous processes for this user id.
Maxproc limit | This element specifies the maxproc hard limit.
Memlock current | This element specifies the maximum size (in bytes) which a process may lock into memory using the mlock(2) function.
Memlock limit | This element specifies the memlock hard limit (in bytes).
RSS current | This element specifies the maximum size (in bytes) to which a process’s resident set size may grow. This imposes a limit on the amount of physical memory to be given to a process; if memory is tight, the system will prefer to take memory from processes that are exceeding their declared resident set size.
RSS limit | This element specifies the rss hard limit (in bytes).
Stack current | This element specifies the maximum size (in bytes) of the stack segment for a process; this defines how far a program’s stack segment may be extended. Stack extension is performed automatically by the system.
Stack limit | This element specifies the stack hard limit (in bytes).

RPC Map Information

This is used to collect information about RPC programs from /etc/rpc. It includes the remote procedure call (RPC) program name, program number and program aliases.

Child Elements | Description
RPC aliases | This element specifies the aliases for the RPC program.
RPC program name | This element specifies the native name for the RPC program.
RPC program number | This element specifies the official number for the RPC program.
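The Hosts File, Protocols File, Services File, RPC Map Information and Password/User Information queries above all read classic flat database files with a simple line format (whitespace-separated fields with # comments, or colon-separated fields for /etc/passwd). The following is an added example, not SanerNow's own code, that parses constructed sample lines of each file into dicts keyed by the child elements listed, and runs two baseline checks over the passwd entries.

```python
# Added example (not SanerNow code): parsers for /etc/hosts, /etc/protocols,
# /etc/services, /etc/rpc and /etc/passwd, producing one dict per entry with
# the child elements named in the query descriptions. Sample lines are
# constructed and do not come from any real host.


def _fields(lines):
    """Yield the whitespace-separated fields of each non-empty, non-comment line."""
    for line in lines:
        body = line.split("#", 1)[0].strip()
        if body:
            yield body.split()


def parse_hosts(lines):
    """/etc/hosts: one item per (IP, name), aliases included."""
    return [{"host_ip": f[0], "host_name": name}
            for f in _fields(lines) for name in f[1:]]


def parse_protocols(lines):
    """/etc/protocols: name, official number, aliases."""
    return [{"protocol_name": f[0], "protocol_number": int(f[1]),
             "protocol_aliases": f[2:]} for f in _fields(lines)]


def parse_services(lines):
    """/etc/services: name, port/protocol, aliases."""
    out = []
    for f in _fields(lines):
        port, proto = f[1].split("/", 1)
        out.append({"service_name": f[0], "service_port": int(port),
                    "service_protocol": proto, "service_aliases": f[2:]})
    return out


def parse_rpc(lines):
    """/etc/rpc: program name, program number, aliases."""
    return [{"rpc_program_name": f[0], "rpc_program_number": int(f[1]),
             "rpc_aliases": f[2:]} for f in _fields(lines)]


def parse_passwd(lines):
    """/etc/passwd is colon separated: name:password:uid:gid:gecos:home:shell."""
    out = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7:
            continue  # skip malformed rows rather than mis-assign fields
        name, pw, uid, gid, gecos, home, shell = parts
        out.append({"user_name": name, "password": pw, "user_id": int(uid),
                    "group_id": int(gid), "gcos": gecos,
                    "home_directory": home, "login_shell": shell})
    return out


def passwd_findings(users):
    """Conditions a baseline review of /etc/passwd typically flags."""
    found = []
    for u in users:
        if u["user_id"] == 0 and u["user_name"] != "root":
            found.append(f"{u['user_name']}: uid 0 account other than root")
        if u["password"] == "":
            found.append(f"{u['user_name']}: empty password field")
    return found


# Constructed sample input.
HOSTS = ["127.0.0.1 localhost", "# lab hosts", "192.0.2.5 fileserver fs  # nfs"]
PROTOCOLS = ["ip 0 IP", "icmp 1 ICMP", "tcp 6 TCP", "udp 17 UDP"]
SERVICES = ["ssh 22/tcp", "domain 53/tcp", "domain 53/udp", "http 80/tcp www www-http"]
RPC = ["portmapper 100000 portmap sunrpc rpcbind", "nfs 100003 nfsprog"]
PASSWD = ["root:x:0:0:root:/root:/bin/bash",
          "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin",
          "backup:x:1000:1000::/home/backup:/bin/sh",
          "toor::0:0::/root:/bin/sh"]

if __name__ == "__main__":
    print(parse_hosts(HOSTS))
    print(parse_services(SERVICES))
    print(passwd_findings(parse_passwd(PASSWD)))
```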

RPC Network Connections

This is used to collect information about RPC connections using rpcinfo. It includes the remote procedure call (RPC) program name, program id, program version, transport protocol used, ip address and program owner.

Child Elements | Description
Address | This element specifies the IP address of the RPC program.
Network ID | This element specifies which transport protocol is used.
Owner | This element specifies the owner of the RPC program.
RPC program ID | This element specifies the RPC program id.
RPC program name | This element specifies the RPC program name.
RPC program version | This element specifies the RPC program version.

Services

This is used to collect information about services. It includes service name and status.

Child Elements | Description
Service name | This specifies the service name.
Service status | This specifies the status of the service.

Shell History

This is used to collect information about shell history. It includes the user name, user id, history file path and the commands from the history file.

Child Elements | Description
Command | This element specifies the history of executed commands.
History file | This element specifies the history file path.
UID | This element specifies the user id to which the history belongs.
User name | This element specifies the user to which the history belongs.

Software Updates

This is used to access automatic software update information.

Child Elements | Description
Schedule | This element specifies whether automatic checking is enabled (true).
Software title | This element specifies the title string for an available (not installed) software update.

Sudo Users

This is used to collect sudo users. It includes the user names that have sudo access.

Child Elements | Description
Sudo user name | This element specifies the sudo username.

System Control

This is used to check the values associated with the kernel parameters that are used by the local system.

Child Elements | Description
Name | This element contains a string that represents the name of a kernel parameter that was collected from the local system.
Value | This element contains a string that represents the value(s) associated with the specified kernel parameter.

System DHCP Information

This is used to collect system Dynamic Host Configuration Protocol (DHCP) information. It includes whether DHCP is enabled, the DHCP server ip address, netmask, gateway ip address, interface type, lease time and lease renew/rebind time.

Child Elements | Description
DHCP enabled | This element specifies whether the dynamic host configuration protocol (DHCP) is enabled for this adapter.
DHCP interface | This element specifies the DHCP interface.
Gateway IP | This element specifies the ip address of the gateway for this adapter.
MAC Address | This element specifies the hardware address for the adapter.
Interface type | This element specifies the adapter type.
IP mask | This element specifies the list of ip addresses associated with this adapter.
Lease rebind time | This element specifies the DHCP lease rebind time.
Lease renew time | This element specifies the DHCP lease renew time.
Lease time | This element specifies the DHCP lease time.
DHCP server IP | This element specifies the address of the DHCP server for this adapter.

System DNS Information

This is used to collect the domain name and domain name system (DNS) ip information. It includes the domain name and the dns server ip addresses.

Child Elements | Description
DNS server IP | This element specifies the list of dns server ip addresses used by the local computer.
Domain name | This element specifies the domain in which the local computer is registered.

System Profiler

This is used to check the properties of the plist-style XML output from the system_profiler -xml datatype command, for reading system inventory data on MacOSX. Data type and XPath are mandatory to query the database.

Child Elements | Description
Data type* | This element specifies the data type of the value desired.
Value of | This element checks the value(s) of the text node(s) or attribute(s) found.
XPath* | This element specifies an XPath expression describing the text node(s) or attribute(s) to look at. Any valid XPath 1.0 expression is usable, with one exception: at most one field may be identified in the XPath.

System Route Information

This is used to collect system route information. It includes the destination, ip address, gateway, netmask, flags, metric, MTU, type and interface name.

Child Elements | Description
Destination | This element specifies the destination IP address or subnet of the traffic for a specific route entry.
Flags | This element specifies the flags for a specific route entry.
Gateway | This element specifies the gateway for a specific route entry.
Network Interfaces | This element specifies the interface for a specific route entry.
Metric | This element specifies the metric for a specific route entry.
Maximum transmission unit(MTU) | This element specifies the maximum transmission unit for a specific route entry.
Netmask | This element specifies the netmask for a specific route entry.
Type | This element specifies the type of route. Example: local, static, router, gateway.

System Setup

This is used to collect system setup properties.

Child Elements | Description
Allow power button to sleep computer | This element specifies whether pressing the power button puts the computer to sleep.
Computer name | This element specifies the computer’s name.
Computer sleep | This element specifies the computer sleep inactivity timer, or 0 for never.
Disable keyboard when enclosure lock is engaged | This element specifies whether the keyboard is locked when the enclosure lock is engaged.
Display sleep | This element specifies the display sleep inactivity timer, or 0 for never.
Harddisk sleep | This element specifies the hard disk sleep inactivity timer, or 0 for never.
Kernel boot architecture setting | This element specifies the kernel boot architecture setting.
Network time server | This element specifies the network time server.
Remote Apple events | This element specifies whether remote Apple events are enabled.
Remote login | This element specifies whether remote logins are allowed.
Restart freeze | This element specifies whether the computer will restart after freezing.
Startup disk | This element specifies the startup disk.
Using network time | This element specifies whether the machine is using network time.
Wait for startup after power failure | This element specifies the number of seconds the computer waits to start up after a power failure.
Wake on modem | This element specifies whether the computer will wake up if the modem is accessed.
Wake on network access | This element specifies whether the computer will wake up if the network is accessed.

Text File Content

This looks at the content of a text file (for example a configuration file) by examining individual lines. File path, pattern and instance are mandatory for this query while submitting to agents.

Child Elements | Description
File path* | This element specifies the absolute path for a file on the machine. A directory cannot be specified as a file path.
Pattern* | The pattern entity represents a regular expression that is used to define a block of text. Subexpression notation (parentheses) is used to call out a value(s) to test against. For example, the pattern abc(.*)xyz would look for a block of text in the file that starts with abc and ends with xyz, with the subexpression being all the characters that exist in between. Note that if the pattern can match more than one block of text starting at the same point, then it matches the longest. Subexpressions also match the longest possible substrings, subject to the constraint that the whole match be as long as possible, with subexpressions starting earlier in the pattern taking priority over ones starting later.
Instance* | The instance entity calls out which match of the pattern is being represented by this item. The first match is given an instance value of 1, the second match is given an instance value of 2, and so on. The main purpose of this entity is to provide uniqueness for the different items that result from multiple matches of a given pattern against the same file.
Text | The text entity represents the block of text that matched the specified pattern.
Sub-expression | The sub-expression entity represents the value of a subexpression in the specified pattern. If multiple subexpressions are specified in the pattern, then multiple entities are presented.
Windows view | Not applicable for Unix based systems. The windows view value from which this OVAL Item was collected. This is used to indicate from which view (32-bit or 64-bit) the associated Item was collected. A value of ’32_bit’ indicates the Item was collected from the 32-bit view. A value of ’64-bit’ indicates the Item was collected from the 64-bit view. Omitting this entity removes any assertion about which view the Item was collected from, and therefore it is strongly suggested that this entity be set. This entity only applies to 64-bit Microsoft Windows operating systems.
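The pattern, instance, text and sub-expression semantics above are what make a text-file check unambiguous when a setting appears more than once (for example inside a Match block). The following added example, not SanerNow's own code, implements those semantics with Python's re module over a constructed sshd_config excerpt; note that re picks the leftmost match and the first satisfiable alternative, whereas the POSIX rule quoted above prefers the longest, so patterns relying on alternation can differ.

```python
import re

# Added example (not SanerNow code): the pattern / instance / subexpression
# semantics of the Text File Content query, applied to a constructed file.


def text_file_items(content, pattern, multiline=True):
    """Return one item per match of pattern, numbered by instance from 1."""
    flags = re.MULTILINE if multiline else 0
    items = []
    for n, m in enumerate(re.finditer(pattern, content, flags), start=1):
        items.append({
            "instance": n,
            "text": m.group(0),               # the whole matched block
            "subexpressions": list(m.groups()),  # one entry per ( ) group
        })
    return items


def check_setting(content, pattern, instance, expected):
    """True when the first subexpression of the given instance equals expected.
    A missing instance yields False: the setting is then not proven."""
    for item in text_file_items(content, pattern):
        if item["instance"] == instance:
            return item["subexpressions"][:1] == [expected]
    return False


# Constructed sshd_config excerpt (not from a real host). The commented-out
# line must not match, and the Match block makes PasswordAuthentication
# appear twice, which is exactly where the instance number matters.
SSHD_CONFIG = """\
# Authentication:
#PermitRootLogin prohibit-password
PermitRootLogin no
PasswordAuthentication yes
Match User deploy
    PasswordAuthentication no
"""

ROOT_LOGIN = r"^[ \t]*PermitRootLogin[ \t]+(\S+)[ \t]*$"
PASSWORD_AUTH = r"^[ \t]*PasswordAuthentication[ \t]+(\S+)[ \t]*$"
# Two subexpressions: the keyword and its value.
KEY_VALUE = r"^[ \t]*(PermitRootLogin|PasswordAuthentication)[ \t]+(\S+)[ \t]*$"

if __name__ == "__main__":
    for item in text_file_items(SSHD_CONFIG, KEY_VALUE):
        print(item)
    print("global PasswordAuthentication no:",
          check_setting(SSHD_CONFIG, PASSWORD_AUTH, 1, "no"))
```

The global PasswordAuthentication check above is false for this file: instance 1 is the global "yes", and only the per-user Match block (instance 2) turns it off.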

Unix name(uname)

This is used to collect information about the operating system. It includes the hardware id, operating system name, version, release, processor type, time zone and locale.

Child Elements | Description
Locale | This element specifies the locale.
Machine class | This element specifies the hardware identifier.
Node name | This element indicates the name of this machine within an implementation-defined network.
Operating system name | This element specifies the name of the operating system.
Operating system release | This element specifies the release version of the operating system.
Operating system version | This element specifies the version of the operating system.
Processor type | This element specifies the hardware identifier.
Time zone | This element specifies the time zone.

Wireless Information

This is used to collect information about the wireless connection. It includes the wireless name, state, mac address, SSID, interface description, whether the network is infrastructure or ad hoc, frequency, receiving rate, transmission rate, signal quality and whether security is enabled or disabled.

Child Elements | Description
WLAN BSS Network type | This element specifies whether the network is infrastructure or ad hoc.
WLAN Physical mode | This element represents the bandwidth of the wireless frequency, for example 802.11 a, b, g or n.
WLAN Interface name | This element specifies the wireless interface name.
WLAN MAC address | This element specifies the physical (hardware) address of the wireless interface.
WLAN Receiving rate | This element specifies the receiving rate of the association (in decibel-milliwatt/dBm).
WLAN Security | This element specifies the security used to prevent unauthorized access to the network. Example: WPA, WEP.
WLAN SSID | This element specifies the SSID of the association.
WLAN Transmission rate | This element specifies the transmission rate of the association.

Symlink

This is used to obtain the canonical path of a symbolic link's target. File path is a mandatory field when submitting to agents.

Child Element | Description
Canonical path | Specifies the canonical path of the target of the symbolic link given by the file path.
Filepath* | Specifies the file path of the symbolic link used to create the object.

Routing table

This is used to check the IPv4 and IPv6 entries in a system's primary routing table. Only numeric addresses are collected; their symbolic representations are not resolved. This is equivalent to using the '-n' option with route(8) or netstat(8). Destination is a mandatory field when submitting to agents.

Child Element | Description
Destination* | The destination IP address prefix of the routing table entry: the destination address and netmask/prefix length expressed in CIDR notation.
Flags | The flags associated with the specified routing table entry.
Gateway | The gateway of the specified routing table entry.
Interface name | The name of the interface associated with the routing table entry.
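
The following Python is an added example, not part of the SanerNow documentation or agent code. It emulates what this probe collects on a Linux host: it parses the numeric output of route -n and route -6 -n (constructed samples below, laid out as net-tools prints them), converts the destination/netmask pair into the CIDR form the Destination element uses with the standard ipaddress module, and keeps gateways numeric. The default_gateways and routes_via_interface helpers are this example's own additions, not probe fields.

```python
import ipaddress

# Constructed sample output of `route -n` and `route -6 -n` on a Linux host
# (not captured from a real system). Column layout is that of net-tools.
SAMPLE_ROUTE_V4 = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    100    0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     100    0        0 eth0
10.8.0.0        10.8.0.1        255.255.0.0     UG    0      0        0 tun0
"""

SAMPLE_ROUTE_V6 = """\
Kernel IPv6 routing table
Destination                    Next Hop                   Flag Met Ref Use If
::/0                           fe80::1                    UG   1024 2     0 eth0
fe80::/64                      ::                         U    256  1     0 eth0
"""


def parse_routing_table(text):
    """Turn numeric `route -n` / `route -6 -n` output into routing-table items
    with the destination expressed in CIDR notation, as the probe reports it."""
    items = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] in ("Kernel", "Destination"):
            continue  # banner and column-header lines
        if len(fields) == 8:
            # IPv4: Destination Gateway Genmask Flags Metric Ref Use Iface
            # ip_network accepts "address/netmask" and normalises it to a prefix length.
            dest = ipaddress.ip_network(f"{fields[0]}/{fields[2]}", strict=False)
            gateway, flags, iface = fields[1], fields[3], fields[7]
        elif len(fields) == 7:
            # IPv6: Destination NextHop Flag Met Ref Use If (destination is already CIDR)
            dest = ipaddress.ip_network(fields[0], strict=False)
            gateway, flags, iface = fields[1], fields[2], fields[6]
        else:
            raise ValueError(f"unrecognised routing table line: {line!r}")
        items.append({
            "destination": dest.with_prefixlen,
            "gateway": gateway,  # numeric only; never resolved to a host name
            "flags": flags,
            "interface_name": iface,
        })
    return items


def default_gateways(items):
    """Gateways of the default routes (0.0.0.0/0 and ::/0).
    An entry here that is not the expected router is worth investigating."""
    return [i["gateway"] for i in items if i["destination"] in ("0.0.0.0/0", "::/0")]


def routes_via_interface(items, iface):
    """Destinations reachable through one interface, e.g. what a VPN tunnel carries."""
    return [i["destination"] for i in items if i["interface_name"] == iface]


if __name__ == "__main__":
    for item in parse_routing_table(SAMPLE_ROUTE_V4) + parse_routing_table(SAMPLE_ROUTE_V6):
        print(item)
```

Because the probe never resolves names, comparisons in checks should be made on the CIDR strings exactly as produced here; a destination written as 10.8.0.0/255.255.0.0 and one written as 10.8.0.0/16 are the same entry and both normalise to the latter.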

File extended attribute

This is used to check the extended attribute values associated with UNIX files, of the sort returned by the getfattr command or the getxattr() system call. All UNIX file types are collected (directory, regular file, character device, block device, FIFO, symbolic link and socket). File path and attribute name are mandatory fields when submitting to agents.

Child Element | Description
Attribute name* | The extended attribute's name, identifier or key.
File path* | The absolute path of a file on the machine. A directory can be specified as a file path.
Value | The extended attribute's value or contents. To check for an attribute with no value assigned to it, use this entity with an empty value.

GConf

This is used to check the attributes and value(s) of GConf preference keys. It defines the preference keys to collect and the sources from which to collect them. Key and source are mandatory fields when submitting to agents.

Child Element | Description
Is default? | Whether the preference key's value is the default value: true if it is, false if it is not.
Is writable? | Whether the preference key is writable: true if it is, false if it is not.
Key* | The preference key to check.
Source* | The source from which to collect the preference key, given as the absolute path to a GConf XML file, XML being the current GConf backend. Other backends may become available in the future.
Time modified | The time the preference key was last modified, in seconds since the Unix epoch (00:00:00 UTC on 1 January 1970).
Type | The type of the preference key.
User modified | The user who last modified the preference key.
Value | The value of the preference key.

Property list ‘plist’ (With App ID)

Note: Do not combine Property list ‘plist’ (With File path) with this query.
This is used to check the value(s) of property list preference keys. Any plist file is represented in XML form (whether its native format is ASCII text, binary or XML), so its contents can be explored with the XPath query language. App ID and XPath are mandatory fields when submitting to agents.

Child Element | Description
App id* | The unique application identifier of the application whose preferences are looked up (e.g. com.apple.Safari).
Value of | The value of the preference key.
XPath* | An XPath 1.0 expression evaluated against the XML representation of the plist selected by the app id. Note that "equals" is the only valid operator for the xpath entity.

Property list ‘plist’ (With File path)

Note: Do not combine Property list ‘plist’ (With App ID) with this query.
This is used to check the value(s) of property list preference keys. Any plist file is represented in XML form (whether its native format is ASCII text, binary or XML), so its contents can be explored with the XPath query language. File path and XPath are mandatory fields when submitting to agents.

Child Element | Description
File path* | The absolute path to a plist file (e.g. /Library/Preferences/com.apple.TimeMachine.plist). A directory cannot be specified as a file path.
Value of | The value of the preference key.
XPath* | An XPath 1.0 expression evaluated against the XML representation of the plist file given by the file path. Note that "equals" is the only valid operator for the xpath entity.


XML File Content

This is used by an XML file content test to define the specific piece of an XML file (or files) to be evaluated. Only regular files on UNIX systems and FILE_TYPE_DISK files on Windows systems are collected. The set of files to be evaluated is identified by a complete file path. File path and XPath are mandatory fields when submitting to agents.

Child Element | Description
File path* | The absolute path of a file on the machine. A directory cannot be specified as a file path.
XPath* | An XPath 1.0 expression evaluated against the XML file given by the file path. The expression must evaluate to a list of zero or more text values, which are exposed in OVAL through instances of the value_of entity; any other result (for example a node set) is treated as an error. The intention is that the text values be drawn from instances of a single, uniquely named element or attribute, but an OVAL interpreter is not required to verify this, so define the XPath expression carefully. Note that "equals" is the only valid operator for the xpath entity.
Value of | The value(s) of the text node(s) or attribute(s) found.
Windows view | The Windows view (32-bit or 64-bit) to which the associated state applies. This entity only applies to 64-bit Microsoft Windows operating systems.

Software Licenses

This is used to collect software license information: the software's family, name, version and license serial number.

Child Element | Description
Software family | This element specifies the family of the software application.
Software name | This element specifies the name of the software application.
Software license | This element specifies the license serial number of the software application.
Software version | This element specifies the version of the software application.

Missing Patches

This is used to investigate missing patches and security fixes on a system.

Child Element | Description
Patch description | This element describes the patch.
Patch ID | A unique identification number associated with the patch.
Patch name | This element specifies the patch name.
Patch rollback available | This element specifies whether rollback is possible for this patch. Possible values are TRUE or FALSE. The value is empty if it cannot be determined.
Patch severity | This element specifies the severity of the patch. Possible values include Important and Critical. The value is empty if it cannot be determined.
Patch size | This element specifies the size of the patch, in bytes. The value UNKNOWN appears if the size cannot be determined.
Reboot required | This element specifies whether a reboot is required after the patch is installed. Possible values are TRUE or FALSE.
Platform CPE | This element specifies the platform CPE ID associated with the patch.
Product CPE | This element specifies the product CPE ID associated with the patch. Note: this value is empty when the patch is associated with an operating system.

Common Probes

Environment Variables

This is used to collect environment variable information: the variable's name and value, and the ID of the process whose environment it was read from.

Child Element | Description
Name | This element specifies the name of the environment variable.
Process ID (PID) | This element specifies the PID of the process whose environment contains the variable.
Value | This element specifies the value of the environment variable.
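
Added example, not part of the SanerNow documentation or agent code: on Linux a process's environment is exposed as /proc/<pid>/environ, a NUL-separated sequence of NAME=value records. The Python below parses a constructed blob of that format into items with the three fields above, splitting each record on its first '=' only (values may themselves contain '='), and adds a check for loader variables that are a common injection vector. read_process_environ reads a live process and is Linux-specific; the suspicious_variables helper and the PRELOAD_VARIABLES set are this example's own.

```python
# Constructed /proc/<pid>/environ content (not read from a real process):
# records are NUL-separated, the last record is NUL-terminated as well.
SAMPLE_ENVIRON = (
    b"PATH=/usr/bin:/bin\0"
    b"HOME=/root\0"
    b"LD_PRELOAD=/tmp/libx.so\0"
    b"OPTS=a=b=c\0"
    b"EMPTY=\0"
)

# Loader variables that let an attacker inject code into every dynamically linked
# program the process starts; a non-empty value deserves a look.
PRELOAD_VARIABLES = {"LD_PRELOAD", "LD_LIBRARY_PATH", "LD_AUDIT"}


def parse_environ(blob, pid):
    """Split a /proc/<pid>/environ blob into items carrying pid, name and value."""
    items = []
    for record in blob.split(b"\0"):
        if not record:
            continue  # the trailing NUL yields an empty chunk; skip it
        name, sep, value = record.partition(b"=")  # first '=' only
        if not sep:
            continue  # malformed record without '='; skip rather than guess
        items.append({
            "pid": pid,
            "name": name.decode(errors="replace"),
            "value": value.decode(errors="replace"),
        })
    return items


def read_process_environ(pid):
    """Collect the live environment of a process (Linux only).
    Reading another user's process needs root, as it does for the agent."""
    with open(f"/proc/{pid}/environ", "rb") as f:
        return parse_environ(f.read(), pid)


def suspicious_variables(items):
    """(name, value) pairs for loader variables that are set to a non-empty value."""
    return [(i["name"], i["value"]) for i in items
            if i["name"] in PRELOAD_VARIABLES and i["value"]]


if __name__ == "__main__":
    for item in parse_environ(SAMPLE_ENVIRON, 4242):
        print(item)
    print("suspicious:", suspicious_variables(parse_environ(SAMPLE_ENVIRON, 4242)))
```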

Family of Operating System

This is used to collect the operating system (OS) family; the standard values are windows, unix and macos (Mac OS).

Child Element | Description
Family of operating system | This element specifies the operating system family.

Text File Content

This looks at the content of a text file (typically a configuration file) line by line. File path, pattern and instance are mandatory when submitting to agents.

Child Element | Description
File path* | The absolute path of a file on the machine. A directory cannot be specified as a file path.
Pattern/Text* | A block of text, or a regular expression that defines a block of text. Subexpression notation (parentheses) calls out the value(s) to test against. For example, the pattern abc(.*)xyz looks for a block of text in the file that starts with abc and ends with xyz, the subexpression being all the characters in between. If the pattern can match more than one block of text starting at the same point, it matches the longest. Subexpressions also match the longest possible substrings, subject to the constraint that the whole match be as long as possible, with subexpressions starting earlier in the pattern taking priority over ones starting later.
Instance* | Which match of the pattern this item represents. The first match is given an instance value of 1, the second 2, and so on. The main purpose of this entity is to provide uniqueness for the different items that result from multiple matches of a given pattern against the same file.
Sub-expression | The value of a subexpression in the specified pattern. If the pattern contains multiple subexpressions, multiple entities are presented.
Windows view | Not applicable for Unix-based systems. The Windows view from which this OVAL item was collected, that is, whether the associated item was read from the 32-bit or the 64-bit view of the system. A value of '32_bit' indicates the item was collected from the 32-bit view; a value of '64_bit' indicates the 64-bit view. Omitting this entity removes any assertion about which view the item was collected from, so it is strongly recommended that it be set. This entity only applies to 64-bit Microsoft Windows operating systems.
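
Added example, not part of the SanerNow documentation or agent code: the Python below reproduces the pattern/instance/sub-expression model of this probe over a constructed sshd_config-style file, numbering matches from 1 in file order and exposing each parenthesised group as a subexpression. One caveat: Python's re module is a leftmost-first backtracking engine, not the POSIX longest-match engine the description above implies, so results can differ for alternations such as (a|ab); for greedy patterns like abc(.*)xyz the two agree. The function names are this example's own.

```python
import re

# Constructed sample configuration file (sshd_config style); not taken from any real host.
SAMPLE_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#PermitRootLogin no
PermitRootLogin no
"""


def text_file_content(content, pattern):
    """Emulate the probe: every match of `pattern` in the file becomes one item,
    numbered from 1 in file order, carrying each parenthesised subexpression.
    MULTILINE makes ^ and $ anchor to individual lines, as the probe reads files."""
    regex = re.compile(pattern, re.MULTILINE)
    items = []
    for instance, match in enumerate(regex.finditer(content), start=1):
        items.append({
            "pattern": pattern,
            "instance": instance,
            "text": match.group(0),
            "subexpressions": list(match.groups()),
        })
    return items


def subexpression(content, pattern, instance, index=0):
    """Value of one subexpression of one instance, or None when that instance does not exist.
    A check that requires instance 1 to equal 'no' fails cleanly on a file with no match."""
    for item in text_file_content(content, pattern):
        if item["instance"] == instance:
            return item["subexpressions"][index]
    return None


if __name__ == "__main__":
    # A commented-out directive ('#PermitRootLogin no') must not count as a match,
    # which is why the pattern is anchored at the start of the line.
    for item in text_file_content(SAMPLE_CONFIG, r"^PermitRootLogin\s+(\S+)$"):
        print(item)
```

When a directive appears more than once, the instance number tells the two items apart; which one the software actually honours (first or last occurrence) depends on the program reading the file, so a compliance check should name the instance it cares about rather than assume there is only one.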

XML File Content

This is used by an XML file content test to define the specific piece of an XML file (or files) to be evaluated. Only regular files on UNIX systems and FILE_TYPE_DISK files on Windows systems are collected. The set of files to be evaluated is identified by a complete file path. File path and XPath are mandatory fields when submitting to agents.

Child Element | Description
File path* | The absolute path of a file on the machine. A directory cannot be specified as a file path.
Value of | The value(s) of the text node(s) or attribute(s) found.
Windows view | The Windows view (32-bit or 64-bit) to which the associated state applies. This entity only applies to 64-bit Microsoft Windows operating systems.
XPath* | An XPath 1.0 expression evaluated against the XML file given by the file path. The expression must evaluate to a list of zero or more text values, which are exposed in OVAL through instances of the value_of entity; any other result (for example a node set) is treated as an error. The intention is that the text values be drawn from instances of a single, uniquely named element or attribute, but an OVAL interpreter is not required to verify this, so define the XPath expression carefully. Note that "equals" is the only valid operator for the xpath entity.

SanerNow Responses

Actions that can be performed on endpoints

Enable device

Enables specified device names from the list. Select the devices to be enabled.
Parameter Description
Not applicable Not applicable

Disable device

Disables specified device names from the list. Select the devices to be disabled.
Parameter Description
Not applicable Not applicable

Add ARP entry

Adds a specified ARP (Address Resolution Protocol) entry to the ARP cache.
Parameter | Description
Network Interface Index | The local index value of the network interface the entry belongs to. This index may change when a network adapter is disabled and then enabled, or under other circumstances, and should not be considered persistent.
Network Interface Locally Unique ID | The locally unique identifier (LUID) of the network interface. The value must always be 0.
IP Address | The IP address of the ARP entry, that is, the neighbour whose hardware address is being recorded. This can be an IPv6 or an IPv4 address.
MAC Address | The physical hardware (MAC) address that this IP address maps to on the interface.

Delete ARP entry

Deletes a specified ARP entry from the ARP cache.
Parameter | Description
Network Interface Index | The local index value of the network interface the entry belongs to. This index may change when a network adapter is disabled and then enabled, or under other circumstances, and should not be considered persistent.
Network Interface Locally Unique ID | The locally unique identifier (LUID) of the network interface. The value must always be 0.
IP Address | The IP address of the ARP entry to delete. This can be an IPv6 or an IPv4 address.
MAC Address | The physical hardware (MAC) address that this IP address maps to on the interface.

Modify ARP entry

Modifies a specified ARP entry in the ARP cache.
Parameter | Description
Network Interface Index | The local index value of the network interface the entry belongs to. This index may change when a network adapter is disabled and then enabled, or under other circumstances, and should not be considered persistent.
Network Interface Locally Unique ID | The locally unique identifier (LUID) of the network interface. The value must always be 0.
IP Address | The IP address of the ARP entry to modify. This can be an IPv6 or an IPv4 address.
MAC Address | The new physical hardware (MAC) address that this IP address maps to on the interface.

Flush all ARP entries

Flushes all entries from the ARP cache.
Parameter Description
Not applicable Not applicable

Flush ARP IPv4 entries

Flush all IPv4 ARP entries from the ARP cache.
Parameter Description
Not applicable Not applicable

Flush ARP IPv6 entries

Flush all IPv6 ARP entries from the ARP cache.
Parameter Description
Not applicable Not applicable

Block Domain

Blocks a specified domain name.
Parameter | Description
Domain Name | The domain name to block. A domain name is an identification string that defines a realm of administrative autonomy, authority or control within the Internet; domain names are used to identify one or more IP addresses.

Add entry into host file

Adds an entry to the hosts file.
Parameter | Description
Domain Name | The domain name to map. A domain name is an identification string that defines a realm of administrative autonomy, authority or control within the Internet; domain names are used to identify one or more IP addresses.
IP Address | The IP address the domain name resolves to. This can be an IPv6 or an IPv4 address.

Delete entry from host file

Deletes an entry from the hosts file.
Parameter | Description
Domain Name | The domain name of the entry to delete.
IP Address | The IP address of the entry to delete. This can be an IPv6 or an IPv4 address.

Modify entry from host file

Updates an existing hosts-file entry with a new domain name and IP address.
Parameter | Description
Domain Name | The old domain name currently present in the hosts file on the system.
IP Address | The old IP address currently present in the hosts file on the system. This can be an IPv6 or an IPv4 address.
New Domain Name | The new domain name to write in place of the old one.
New IP Address | The new IP address to write in place of the old one. This can be an IPv6 or an IPv4 address.

Flush all entries from host file

Flushes all entries from the hosts file.
Parameter Description
Not applicable Not applicable
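
Added example (Python; not the SanerNow agent's code): one way to implement the hosts-file actions above on a text copy of the file, with the checks a practitioner would want an agent to make before touching a name-resolution file. The sample file is constructed. Addresses are validated as IPv4/IPv6 literals before being written, adding a mapping that already exists is a no-op, deleting removes only the named host from lines carrying that address, modify is delete followed by add, and flush keeps comments. The function names are this example's own.

```python
import ipaddress

# Constructed sample hosts file (not taken from any real system).
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1   localhost
::1         localhost ip6-localhost
10.0.0.5    intranet.example internal   # inline comment, kept on untouched lines
"""


def _parse_line(line):
    """Return (ip, [names]) for an entry line, or None for blank and comment lines."""
    body = line.split("#", 1)[0].strip()
    if not body:
        return None
    fields = body.split()
    return fields[0], fields[1:]


def lookup(text, name):
    """All addresses a name is mapped to, in file order."""
    hits = []
    for line in text.splitlines():
        parsed = _parse_line(line)
        if parsed and name in parsed[1]:
            hits.append(parsed[0])
    return hits


def add_entry(text, ip, name):
    """Append a mapping. The address must be a literal IPv4/IPv6 address and the
    name must not contain whitespace or '#', so nothing can smuggle in a second entry."""
    ipaddress.ip_address(ip)  # raises ValueError for anything that is not an address literal
    if not name or any(ch.isspace() or ch == "#" for ch in name):
        raise ValueError("invalid host name")
    if ip in lookup(text, name):
        return text  # already present: the action is idempotent
    if text and not text.endswith("\n"):
        text += "\n"
    return text + f"{ip}\t{name}\n"


def delete_entry(text, ip, name):
    """Remove `name` from every line whose address is `ip`; drop the line when no
    names remain. An inline comment on a rewritten line is not preserved."""
    kept = []
    for line in text.splitlines():
        parsed = _parse_line(line)
        if parsed and parsed[0] == ip and name in parsed[1]:
            remaining = [n for n in parsed[1] if n != name]
            if remaining:
                kept.append(f"{ip}\t{' '.join(remaining)}")
            continue
        kept.append(line)
    return "\n".join(kept) + "\n"


def modify_entry(text, ip, name, new_ip, new_name):
    """Replace one mapping with another, as the Modify action does."""
    return add_entry(delete_entry(text, ip, name), new_ip, new_name)


def flush_entries(text):
    """Remove every mapping but keep comments and blank lines."""
    return "\n".join(l for l in text.splitlines() if _parse_line(l) is None) + "\n"


if __name__ == "__main__":
    sinkholed = add_entry(SAMPLE_HOSTS, "0.0.0.0", "bad.example")
    print(sinkholed)
```

Writing the result back to /etc/hosts (or %SystemRoot%\System32\drivers\etc\hosts on Windows) requires administrative rights and should be done atomically: write a temporary file in the same directory, then rename it over the original. Mapping a name to 0.0.0.0 is the usual way to sinkhole a domain through this file, and it only affects software that consults the hosts file when resolving names.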

Modify NTP Server

Updates the NTP server the system synchronizes its clock with. The Network Time Protocol (NTP) is a networking protocol for clock synchronization between computer systems over packet-switched, variable-latency data networks.
Parameter | Description
NTP Server URL | Address (host name or IP address) of the NTP server to use for clock synchronization.

Network connection kill

Kills a specified TCP connection. The parameters identify an IPv4 connection.
Parameter | Description
Local IP Address | The local IPv4 address of the TCP connection on the local computer. A value of zero indicates the listener can accept a connection on any interface.
Local Port | The local port number of the TCP connection on the local computer, in network byte order.
Remote IP Address | The IPv4 address of the TCP connection on the remote computer.
Remote Port | The remote port number of the TCP connection on the remote computer, in network byte order.

Start process

Start specified processes using a list of process names. Select process names from the list or provide comma separated values.
Parameter Description
Not applicable Not applicable

Stop process by process ID

Stop specified processes using a list of process IDs. Select process IDs from the list or provide comma separated values.
Parameter Description
Not applicable Not applicable

Stop process by name

Stop specified processes using a list of process names. Select process names from the list or provide comma separated values.
Parameter Description
Not applicable Not applicable

Process block

Block specified processes from execution using a list of process names. Select process names from the list or provide comma separated values.
Parameter Description
Not applicable Not applicable

Process unblock

Unblock specified processes from execution using a list of process names. Select process names from the list or provide comma separated values.
Parameter Description
Not applicable Not applicable

Quarantine

Isolates a specified file so that it cannot be read, written or executed. Enter the absolute path of the file to be quarantined.
Parameter Description
Not applicable Not applicable

Clean DLL

Cleanup all unwanted shared DLL registry entries from the system.
Parameter Description
Not applicable Not applicable

Clean font

Cleanup all unwanted fonts registry entries from the system.
Parameter Description
Not applicable Not applicable

Clean help

Cleanup all unwanted system help registry entries from the system.
Parameter Description
Not applicable Not applicable

Clean installer

Cleanup all unwanted installer registry entries from the system.
Parameter Description
Not applicable Not applicable

Clean MRU(Most Recently Used)

Cleans up recent items, browsing history, run command history, file search history, WordPad recent history, regedit favourites, Microsoft Paint and Media Player history and Explorer search history. (Applicable to Windows systems only.)
Parameter Description
Each of the following histories can be selected for clearing:
  • Recently opened programs
  • Explorer history
  • Internet Search Assistant
  • Media Player recent files list
  • Media Player recent URLs list
  • Microsoft Paint history
  • Printers, Computers and People
  • Recent documents
  • Regedit last accessed keys history
  • Registry favourite list
  • Run command history
  • Search history
  • Last visited URL history
  • WordPad recent history

Clean MUI

Cleanup all unwanted shell MUI(Multilingual User Interface) cache registry entries from the system.
Parameter Description
Not applicable Not applicable

Clean start

Cleanup all unwanted startup registry items from the system.
Parameter Description
Not applicable Not applicable

Clean system

Cleanup all unwanted system registry entries.
Parameter Description
Not applicable Not applicable

Clean uninstaller

Cleanup all unwanted uninstaller registry entries from the system.
Parameter Description
Not applicable Not applicable

Clean user

Cleanup all unwanted user registry entries from the system.
Parameter Description
Not applicable Not applicable

Add registry

Add a registry entry in the system.
Parameter Description
Registry Type | One of: key, to create a key; value, to create a value under a key.
Registry Hive | The root key of the registry (e.g. HKEY_LOCAL_MACHINE (HKLM), HKEY_USERS (HKU)).
Registry Sub-key | The path of the sub-key beneath the root key. Each root key has its own related keys, known as sub-keys.
Registry Data | The name in the name/value pair stored within the key.
Registry Value | The data in the name/value pair stored within the key.
Registry Value Type | One of: REG_SZ, REG_DWORD, REG_BINARY, REG_EXPAND_SZ, REG_MULTI_SZ, REG_QWORD.

Modify registry

Modifies an existing registry value entry.
Parameter Description
Registry Type | One of: key, to modify a key; value, to modify a value under a key.
Registry Hive | The root key of the registry (e.g. HKEY_LOCAL_MACHINE (HKLM), HKEY_USERS (HKU)).
Registry Sub-key | The path of the sub-key beneath the root key. Each root key has its own related keys, known as sub-keys.
Registry Data | The name in the name/value pair stored within the key.
Registry Value | The new data for the name/value pair stored within the key.
Registry Value Type | One of: REG_SZ, REG_DWORD, REG_BINARY, REG_EXPAND_SZ, REG_MULTI_SZ, REG_QWORD.

Delete registry

Deletes an existing registry entry.
Parameter Description
Registry Type | One of: key, to delete a key; value, to delete a value under a key.
Registry Hive | The root key of the registry (e.g. HKEY_LOCAL_MACHINE (HKLM), HKEY_USERS (HKU)).
Registry Sub-key | The path of the sub-key beneath the root key. Each root key has its own related keys, known as sub-keys.
Registry Data | The name in the name/value pair stored within the key.
Registry Value | The data in the name/value pair stored within the key.
Registry Value Type | One of: REG_SZ, REG_DWORD, REG_BINARY, REG_EXPAND_SZ, REG_MULTI_SZ, REG_QWORD.

Service start

Start specified services by service name. Select names from the list or provide comma separated values.
Parameter Description
Not applicable Not applicable

Service stop

Stop specified services by service name. Select names from the list or provide comma separated values.
Parameter Description
Not applicable Not applicable

Service restart

Restart specified services by service name. Select names from the list or provide comma separated values.
Parameter Description
Not applicable Not applicable

Service remove

Remove specified services by service name. Select names from the list or provide comma separated values.
Parameter Description
Not applicable Not applicable

Service start type automatic

Change service start option to automatic mode using service name. Select names from the list or provide comma separated values.
Parameter Description
Not applicable Not applicable

Service start type manual

Change service start option to manual mode using service name. Select names from the list or provide comma separated values.
Parameter Description
Not applicable Not applicable

Service start type disabled

Change service start option to disabled mode using service name. Select names from the list or provide comma separated values.
Parameter Description
Not applicable Not applicable

Remove programs from startup

Removes program entries from Windows startup. Select names from the list or provide comma separated values.
Parameter Description
Not applicable Not applicable

Remove scheduled program

Removes scheduled programs from Windows schedule. Select names from the list or provide comma separated values.
Parameter Description
Not applicable Not applicable

Reboot

Reboots the system.
Parameter Description
Message | A message displayed to the logged-in user before the reboot.
Time in minutes | The time (in minutes) after which the system reboots. Provide 0 to reboot immediately.

Shutdown

Shutdown the system.
Parameter Description
Message | A message displayed to the logged-in user before the shutdown.
Time in minutes | The time (in minutes) after which the system shuts down. Provide 0 to shut down immediately.

Clean cache

Cleans the selected caches for the current logged-in user: Internet cache, DNS cache, thumbnail cache and prefetch cache.
Parameter | Description
DNS Cache | Cleans up the DNS cache, which stores the addresses of hosts (for example web servers) that the system has recently resolved.
Internet Cache | Cleans up the Internet cache, the temporary storage of web documents such as HTML pages and images.
Thumbnail Cache | Cleans up the thumbnail cache, which stores the thumbnail images used by Windows Explorer's thumbnail view.
Prefetch Cache | Cleans up the prefetch cache, which Windows uses to speed up the loading of programs.

Clean clipboard

Clean the clipboard for the current logged in user.
Parameter Description
Not applicable Not applicable

Clean custom path

Deletes a file or directory for the current logged-in user. Enter the absolute path of the file or directory to be deleted.
Parameter Description
Not applicable Not applicable

Clear error reports

Clear windows error reports for the current logged-in user.
Parameter Description
Not applicable Not applicable

Clean recent places

Clear user recent places for the current logged-in user.
Parameter Description
Not applicable Not applicable

Empty recycle-bin

Empty recycle bin for the current logged-in user.
Parameter Description
Not applicable Not applicable

Clean CMD history

Clear run command history from the system.
Parameter Description
Not applicable Not applicable

Clear temporary files

Clean temporary folders from the system.
Parameter Description
Not applicable Not applicable

Clean windows credential

Clear Windows credentials for the current logged-in user.
Parameter Description
Not applicable Not applicable

Clear windows update files

Clean windows update files from the system.
Parameter Description
Not applicable Not applicable

Enable firewall for all profiles

Enable firewall for all three profiles: domain, private and public. The domain profile applies to networks where the host system can authenticate to a domain controller. The private profile is a user-assigned profile and is used to designate private or home networks. Lastly, the default profile is the public profile, which is used to designate public networks such as Wi-Fi hotspots at coffee shops, airports, and other locations.
Parameter Description
Not applicable Not applicable

Enable firewall for domain profile

Enable firewall for domain profile. The domain profile applies to networks where the host system can authenticate to a domain controller.
Parameter Description
Not applicable Not applicable

Enable firewall for private profile

Enable firewall for private profile. The private profile is a user-assigned profile and is used to designate private or home networks.
Parameter Description
Not applicable Not applicable

Enable firewall for public profile

Enable firewall for public profile. The public profile is used to designate public networks such as Wi-Fi hotspots at coffee shops, airports, and other locations.
Parameter Description
Not applicable Not applicable

Disable firewall for all profiles

Disable firewall for all three profiles: domain, private and public. The domain profile applies to networks where the host system can authenticate to a domain controller. The private profile is a user-assigned profile and is used to designate private or home networks. Lastly, the default profile is the public profile, which is used to designate public networks such as Wi-Fi hotspots at coffee shops, airports, and other locations.
Parameter Description
Not applicable Not applicable

Disable firewall for domain profile

Disable firewall for domain profile. The domain profile applies to networks where the host system can authenticate to a domain controller.
Parameter Description
Not applicable Not applicable

Disable firewall for private profile

Disable firewall for private profile. The private profile is a user-assigned profile and is used to designate private or home networks.
Parameter Description
Not applicable Not applicable

Disable firewall for public profile

Disable firewall for public profile. The public profile is used to designate public networks such as Wi-Fi hotspots at coffee shops, airports, and other locations.
Parameter Description
Not applicable Not applicable

Application block

Block a specified application from execution. Select names from the list or provide comma separated values.
Parameter Description
Not applicable Not applicable

Application unblock

Unblock the specified application from execution. Select names from the list or provide comma separated values.
Parameter Description
Not applicable Not applicable

Application Management

Install or uninstall applications.
Parameter Description
Command The value is either ‘install’ or ‘uninstall’.
Install Method There are two installation methods:
  • by uploading the installation file.
  • by entering a URL that serves the installation file.
Application executable Path of the installer executable.
URL URL that serves the installation file. The endpoint downloads and executes this file, so use an HTTPS URL on a server you control.
Application name Name of the application to uninstall.
Application architecture The value is either ‘x86’ or ‘x64’.
Silent mode option Command line option that makes the installer run silently (without a user interface).
Additional options Any additional command line options to pass to the installer.
Application access Whether to install for all users or only for the currently logged-on user. The values are ‘AllUser’ or ‘currentUser’.
Disable shortcut Option passed to the installer to suppress shortcut creation.
Notify for reboot Show a notification window telling the user that a reboot is required after installation or uninstallation.

Patch Management

Install a patch.
Parameter Description
Command The value is ‘install’.
Install Method There are two installation methods:
  • by uploading the installation file.
  • by entering a URL that serves the installation file.
Application executable Path of the patch installer executable.
URL URL that serves the installation file. The endpoint downloads and executes this file, so use an HTTPS URL on a server you control.
Silent mode option Command line option that makes the installer run silently (without a user interface).
Additional options Any additional command line options to pass to the installer.
Notify for reboot Show a notification window telling the user that a reboot is required after installation.

Remediation Rule

Rules that include or exclude applications, patches or configuration items when a group of devices is remediated. Enable auto reboot to let machines restart (when a patch requires it) after remediation, so that applying patches needs no user intervention.
Parameter Description
Not applicable Not applicable

Remediation job

A short-lived remediation task that applies selected application patches or configuration items to a custom set of devices. Enable auto reboot to let machines reboot, more than once if required, during remediation, so that applying patches needs no user intervention.
Parameter Description
Not applicable Not applicable

Application block

Block a specified application from execution. Select names from the list or provide comma separated values.
Parameter Description
Not applicable Not applicable

Application unblock

Unblock the specified application from execution. Select names from the list or provide comma separated values.
Parameter Description
Not applicable Not applicable

Enable device

Enables the specified devices. Select the devices to be enabled from the list, or enter custom driver names in the input box.
Parameter Description
Not applicable Not applicable

Disable device

Disables the specified devices. Select the devices to be disabled from the list, or enter custom driver names in the input box.
Parameter Description
Not applicable Not applicable

Add an entry into /etc/hosts file

Adds an entry into /etc/hosts file.
Parameter Description
Domain Name The hostname to map to the IP address. On most systems /etc/hosts is consulted before DNS, so an entry here overrides the name's DNS record for this endpoint.
IP Address The IPv4 or IPv6 address the name resolves to.

Add Protocol Entry

Adds a protocol entry to the /etc/protocols file. This file lists the IP protocols, by name and number, known to the TCP/IP subsystem.
Parameter Description
Protocol Alias The aliases for the protocol.
Protocol Name The native name for the protocol. For example ip, tcp, or udp.
Protocol Number The official number for this protocol as it will appear within the IP header.

Add Route

Adds new routing entry into network routing table.
Parameter Description
Gateway The gateway (next-hop router) through which the destination is reached.
Interface Name The network interface the route uses.
IP Address The destination host or network address of the route.
Route Type This element specifies the route type.
Netmask A netmask is a 32-bit mask used to divide an IP address into subnets and specify the network’s available hosts. eg: 255.255.255.0

Add Service Entry

Adds service entry into Internet network services list /etc/services file. This file provides a mapping between human-friendly textual names for internet services, and their underlying assigned port numbers and protocol types.
Parameter Description
Service Alias The service alias. An optional space or tab separated list of other names for this service.
Service Name The friendly name the service is known by and looked up under.
Service Port Number The port number to use for this service.
Service Protocol The type of protocol to be used. This field should match an entry in the /etc/protocols file.

Block Domain

Block a specified domain name.
Parameter Description
Domain Name A domain name is an identification string that defines a realm of administrative autonomy, authority or control within the Internet and domain names are used to identify one or more IP addresses.

Add ARP entry

Add a specified ARP entry into ARP cache.
Parameter Description
Interface Name This interface name will be associated with the an arp entry.
IP Address The IP address of the system. This member can be an IPv6 address or an IPv4 address.
MAC Address The physical hardware address of the adapter for the network interface associated with this IP address.

Delete ARP entry

Deletes a specified ARP entry from the ARP cache.
Parameter Description
Interface Name This interface name will be associated with the an arp entry.
IP Address The IP address of the system. This member can be an IPv6 address or an IPv4 address.

Delete an entry from /etc/hosts file

Deletes an entry from /etc/hosts file.
Parameter Description
Domain Name A domain name is an identification string that defines a realm of administrative autonomy, authority or control within the Internet and domain names are used to identify one or more IP addresses.

Delete Protocol Entry

Deletes a protocol entry from the /etc/protocols file. This file lists the IP protocols, by name and number, known to the TCP/IP subsystem.
Parameter Description
Protocol Name The native name for the protocol. For example ip, tcp, or udp.
Protocol Number The official number for this protocol as it will appear within the IP header.

Delete Route

Deletes existing routing entry from network routing table.
Parameter Description
Gateway The gateway of the routing entry to be deleted.
Interface Name The network interface of the routing entry to be deleted.
IP Address The destination address of the routing entry to be deleted.
Route Type This element specifies the route type.
Netmask A netmask is a 32-bit mask used to divide an IP address into subnets and specify the network’s available hosts. eg: 255.255.255.0

Delete Service Entry

Delete service entry from Internet network services list /etc/services file. This file provides a mapping between human-friendly textual names for internet services, and their underlying assigned port numbers and protocol types.
Parameter Description
Service Name The friendly name the service is known by and looked up under.
Service Port Number The port number to use for this service.
Service Protocol The type of protocol to be used. This field should match an entry in the /etc/protocols file.

Disable IP Forwarding

Disables IP forwarding (routing between interfaces). With forwarding enabled, the kernel passes packets received on one interface out through another, so the machine acts as a router; on Linux this is the net.ipv4.ip_forward sysctl. Keep it disabled on endpoints that are not meant to route traffic.
Parameter Description
Not applicable Not applicable

Enable IP Forwarding

Enables IP forwarding (routing between interfaces). With forwarding enabled, the kernel passes packets received on one interface out through another, so the machine acts as a router; on Linux this is the net.ipv4.ip_forward sysctl. Enable it only on hosts that are intended to relay traffic between networks, such as VPN or container gateways.
Parameter Description
Not applicable Not applicable

Flush all ARP entries

Flush all arp entries from the ARP cache.
Parameter Description
Not applicable Not applicable

Flush all entries from /etc/hosts file

Flush all entries from /etc/hosts file.
Parameter Description
Not applicable Not applicable

Modify ARP entry

Modifies a specified ARP entry in the ARP cache.
Parameter Description
Interface Name The device interface name.
IP Address The IP address of the system. This member can be an IPv6 address or an IPv4 address.
MAC Address The physical hardware address of the adapter for the network interface associated with this IP address.

Modify entry from host file

Replaces an existing /etc/hosts entry with a new one.
Parameter Description
Domain Name The existing hostname in the hosts file.
IP Address The existing IPv4 or IPv6 address in the hosts file.
New Domain Name The hostname to write in its place.
New IP Address The IPv4 or IPv6 address to write in its place.

Modify Protocol Entry

Updates an existing protocol entry in the /etc/protocols file. This file lists the IP protocols, by name and number, known to the TCP/IP subsystem.
Parameter Description
New Protocol Alias The new protocol alias for the protocol.
New Protocol Name The new protocol name. Native name for the protocol. For example ip, tcp, or udp.
New Protocol Number The new protocol number. Official number for this protocol as it will appear within the IP header.
Protocol Alias The protocol alias for the protocol.
Protocol Name The protocol name. Native name for the protocol. For example ip, tcp, or udp.
Protocol Number The protocol number. Official number for this protocol as it will appear within the IP header.

Modify Route

Updates an existing routing entry in the network routing table with new values.
Parameter Description
Gateway The gateway of the existing routing entry.
Interface Name The network interface of the existing routing entry.
IP Address The destination address of the existing routing entry.
Route Type The route type of the existing entry.
Netmask The netmask of the existing entry. A netmask is a 32-bit mask that splits an IP address into network and host parts, e.g. 255.255.255.0.
New Gateway The new gateway (next-hop router) for the route.
New Interface Name The new network interface for the route.
New IP Address The new destination address for the route.
New Route Type The new route type.
New Netmask The new netmask for the route.

Modify Service Entry

Updates existing service entry from Internet network services list /etc/services file. This file provides a mapping between human-friendly textual names for internet services, and their underlying assigned port numbers and protocol types.
Parameter Description
New Service Port Number The new port number to use for this service.
New Service Protocol The new type of protocol to be used. This field should match an entry in the /etc/protocols file.
Service Name The existing friendly name the service is known by and looked up under.
Service Port Number The existing port number to use for this service.
Service Protocol The existing type of protocol to be used. This field should match an entry in the /etc/protocols file.

Network connection kill

Kills a specified network connection.
Parameter Description
Local Port The local TCP port number of the connection to terminate.

Unblock Domain

Unblock a specified blocked domain name.
Parameter Description
Domain Name A domain name is an identification string that defines a realm of administrative autonomy, authority or control within the Internet and domain names are used to identify one or more IP addresses.

Process block

Block specified processes from execution using a list of process names. Select process names from the list or provide comma separated values.
Parameter Description

Start process

Start specified processes using a list of process names. Select process names from the list or provide comma separated values.
Parameter Description

Stop process by process ID

Stop specified processes using a list of process IDs. Select process IDs from the list or provide comma separated values.
Parameter Description

Stop process by name

Stop specified processes using a list of process names. Select process names from the list or provide comma separated values.
Parameter Description

Process unblock

Unblock specified processes from execution using a list of process names. Select process names from the list or provide comma separated values.
Parameter Description

Append Firewall(iptables) Rules

Appends a rule at the end of an iptables chain.
Parameter Description
Rules The chain name followed by the rule specification, as passed to iptables -A. e.g. INPUT -i eth0 -p tcp --dport 110 -j ACCEPT

Change File Ownership

Change ownership of a given filepath.
Parameter Description
File Path Absolute filepath
Group name group to be changed for given filepath (optional)
User name username to be changed for given filepath.

Change File Permission

Change permission of a given filepath.
Parameter Description
File Path Absolute filepath
File Permission Octal permission mode, e.g. 644 (owner read/write, group and others read only).

Delete Firewall(iptables) Rules

Deletes a rule from an iptables chain.
Parameter Description
Rules The chain name and the rule number (counted from 1) to delete, as passed to iptables -D. e.g. INPUT 2 deletes the second rule of the INPUT chain. List the rules with their numbers first (iptables -L --line-numbers), because numbers shift after every insert or delete.

Disable Firewall(iptables)

Disables/Stops firewall.
Parameter Description
Not applicable Not applicable

Enable Firewall(iptables)

Enables/Start firewall.
Parameter Description
Not applicable Not applicable

Flush Firewall(iptables) Rules

Clears all rules from every iptables chain. Flushing removes rules but does not reset chain policies: if the INPUT policy is DROP, flushing also removes the rule that allows SSH and locks you out of the host. Set the policies to ACCEPT first, or make sure you have console access.
Parameter Description
Not applicable Not applicable

Insert Firewall(iptables) Rules

Inserts a rule at the beginning (position 1) of an iptables chain, so it is evaluated before the existing rules.
Parameter Description
Rules The chain name followed by the rule specification, as passed to iptables -I. e.g. INPUT -i eth0 -p tcp --dport 22 -j ACCEPT

Replace Firewall(iptables) Rules

Replaces the rule at a given position in an iptables chain.
Parameter Description
Rules The chain name, the number of the rule to replace and the new rule specification, as passed to iptables -R. e.g. INPUT 2 -i eth0 -p tcp --dport 26 -j ACCEPT

Restart Firewall(iptables)

Restarts the firewall service and reloads the saved rule set.
Parameter Description
Not applicable Not applicable
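The iptables actions above (Append, Insert, Delete, Replace, Flush, Restart) map directly onto iptables flags. The following shell script is an added example, not SanerNow code: it assumes the Rules parameter is the chain name followed by the rule specification, exactly as in the page's examples, and prints the resulting iptables command instead of executing it unless IPT_APPLY=1 is set. The saved-rules path in ipt_restart is an assumption (distributions differ).

```shell
#!/bin/sh
# Added example (not SanerNow code): the iptables commands behind the
# Append / Insert / Delete / Replace / Flush / Restart actions.
# Nothing runs iptables unless IPT_APPLY=1; by default each command is
# printed so it can be reviewed before it touches the host.

ipt_run() {
    # $@ is a complete iptables command line
    if [ "${IPT_APPLY:-0}" = "1" ]; then
        "$@"
    else
        echo "$*"
    fi
}

# Map an action and a Rules string (chain name + rule spec) to iptables.
ipt_cmd() {
    action=$1; shift
    rules=$*
    case $action in
        append)  flag=-A ;;   # add at the end of the chain
        insert)  flag=-I ;;   # add at position 1 (evaluated first)
        delete)  flag=-D ;;   # "INPUT 2" = second rule of INPUT
        replace) flag=-R ;;   # "INPUT 2 <spec>" overwrites rule 2
        *) echo "unknown action: $action" >&2; return 1 ;;
    esac
    # word-splitting of $rules is intended: it is a list of iptables arguments
    ipt_run iptables $flag $rules
}

# Flush without locking yourself out: -F removes rules but keeps the chain
# policy, so a DROP policy on INPUT would drop SSH the moment the rules go.
ipt_flush_safe() {
    for chain in INPUT FORWARD OUTPUT; do
        ipt_run iptables -P "$chain" ACCEPT
    done
    ipt_run iptables -F
    ipt_run iptables -X     # also delete user-defined chains
}

# "Restart": reload a saved rule set. iptables-restore replaces the whole
# table in one step, so there is no window with a half-applied rule set.
ipt_restart() {
    saved=${1:-/etc/iptables/rules.v4}   # assumed path; distributions differ
    ipt_run iptables-restore "$saved"
}

# Usage: the page's own example rules, printed in dry-run mode.
ipt_cmd append  INPUT -i eth0 -p tcp --dport 110 -j ACCEPT
ipt_cmd insert  INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
ipt_cmd replace INPUT 2 -i eth0 -p tcp --dport 26 -j ACCEPT
ipt_cmd delete  INPUT 2
ipt_flush_safe
ipt_restart
```

Run it as-is to see the commands; run it with IPT_APPLY=1 as root to apply them. Rule numbers for delete and replace refer to the chain as it is at that moment, so always list with iptables -L --line-numbers immediately before a job that uses them.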

Set ASLR Status

Sets the address space layout randomization (ASLR) mode of the kernel (the kernel.randomize_va_space sysctl, also exposed as /proc/sys/kernel/randomize_va_space).
Parameter Description
Permanent or Temporary One of: permanent (persisted so that it survives a reboot) or temporary (valid until the next reboot).
ASLR Status Value One of: 0 – ASLR off (no randomization of the process address space); 1 – conservative randomization (mmap base, stack and VDSO page); 2 – full randomization (mmap base, stack, VDSO page and heap). 2 is the kernel default and should not be lowered outside a debugging session, since ASLR is what forces memory-corruption exploits to guess addresses.

Set SELinux Status

Security-Enhanced Linux (SELinux) is a mandatory access control (MAC) mechanism implemented in the kernel. This action sets the SELinux mode.
Parameter Description
SE Linux Status One of: 0 – Permissive (SELinux logs policy violations but does not block them), 1 – Enforcing (the SELinux policy is enforced). Only the switch between permissive and enforcing can be made at runtime; if SELinux is disabled at boot, enabling it requires SELINUX=enforcing in /etc/selinux/config and a reboot.

Set sysctl Settings

Set sysctl kernel setting. sysctl is an interface for examining and dynamically changing parameters in Unix-like operating systems.
Parameter Description
Not applicable Not applicable
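The IP forwarding, ASLR, SELinux and sysctl actions above all come down to kernel parameters that can be set for the running kernel or persisted for the next boot. The following shell script is an added example, not SanerNow code, showing both paths on Linux; SYSCTL_ROOT and SYSCTL_D are assumptions of the example so that it can be exercised against a scratch directory without root, and the drop-in file name under sysctl.d is likewise an assumption.

```shell
#!/bin/sh
# Added example (not SanerNow code): the Linux mechanisms behind
# Enable/Disable IP Forwarding, Set ASLR Status, Set SELinux Status and
# Set sysctl Settings. Point SYSCTL_ROOT / SYSCTL_D at scratch directories
# to try it without touching the live system.

SYSCTL_ROOT=${SYSCTL_ROOT:-/proc/sys}      # kernel parameter tree (assumed default)
SYSCTL_D=${SYSCTL_D:-/etc/sysctl.d}        # persistent settings (assumed default)

# kernel.randomize_va_space -> /proc/sys/kernel/randomize_va_space
sysctl_path() {
    echo "$SYSCTL_ROOT/$(echo "$1" | tr . /)"
}

sysctl_get() {
    cat "$(sysctl_path "$1")"
}

# Temporary: takes effect immediately, lost at reboot.
sysctl_set_temporary() {
    printf '%s\n' "$2" > "$(sysctl_path "$1")"
}

# Permanent: a sysctl.d drop-in applied at boot by "sysctl --system".
# It does not change the running kernel; pair it with sysctl_set_temporary.
sysctl_set_permanent() {
    printf '%s = %s\n' "$1" "$2" > "$SYSCTL_D/90-sanernow-$1.conf"
}

# ASLR values: 0 = off, 1 = conservative (mmap base, stack, VDSO), 2 = full (+ heap)
aslr_describe() {
    case $1 in
        0) echo off ;;
        1) echo conservative ;;
        2) echo full ;;
        *) echo "invalid ASLR value: $1" >&2; return 1 ;;
    esac
}

# aslr_set VALUE permanent|temporary
aslr_set() {
    aslr_describe "$1" >/dev/null || return 1
    [ "$2" = permanent ] && sysctl_set_permanent kernel.randomize_va_space "$1"
    sysctl_set_temporary kernel.randomize_va_space "$1"
}

# 1 = host forwards packets between interfaces (acts as a router), 0 = it does not
ip_forwarding_set() {
    case $1 in 0|1) ;; *) echo "ip_forward must be 0 or 1" >&2; return 1 ;; esac
    sysctl_set_temporary net.ipv4.ip_forward "$1"
    sysctl_set_permanent net.ipv4.ip_forward "$1"
}

# SELinux: 0 = permissive, 1 = enforcing. setenforce only works when SELinux
# was enabled at boot; if getenforce reports Disabled, the change needs
# SELINUX=enforcing in /etc/selinux/config and a reboot.
selinux_set() {
    if command -v getenforce >/dev/null 2>&1 && [ "$(getenforce)" != Disabled ]; then
        setenforce "$1"
    else
        echo "SELinux is disabled or not installed; cannot apply mode $1 at runtime" >&2
        return 1
    fi
}

# Summarise the three settings as an auditor would read them.
hardening_report() {
    printf 'ASLR: %s\n' "$(aslr_describe "$(sysctl_get kernel.randomize_va_space)")"
    printf 'IP forwarding: %s\n' "$(sysctl_get net.ipv4.ip_forward)"
    if command -v getenforce >/dev/null 2>&1; then
        printf 'SELinux: %s\n' "$(getenforce)"
    fi
}

# Usage (as root, on the live system):
#   aslr_set 2 permanent; ip_forwarding_set 0; selinux_set 1; hardening_report
```

Temporary and permanent are independent: a permanent-only change leaves the running kernel untouched until reboot, and a temporary-only change is silently reverted at the next boot, which is why the functions above write both when persistence is requested.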

Service restart

Restart specified services by service name. Select names from the list or provide comma separated values.
Parameter Description
Not applicable Not applicable

Service start

Start specified services by service name. Select names from the list or provide comma separated values.
Parameter Description
Not applicable Not applicable

Service stop

Stop specified services by service name. Select names from the list or provide comma separated values.
Parameter Description
Not applicable Not applicable

Mount Filesystem

Mounts a file system to a local folder.
Parameter Description
Destination Path The mount point (local directory) where the file system is mounted.
Read-only value Whether to mount the file system read-only (true/false).
Source Path The device or path of the file system to mount.

Reboot

Reboots the system.
Parameter Description
Message A specified message will be displayed to logged-in user before reboot.
Time in minutes The specified time(expressed in minutes) after which the system would reboot. Provide a value of 0 to reboot immediately.

Shutdown

Shutdown the system.
Parameter Description
Message The specified message will be displayed to logged-in user before shutdown.
Time in minutes The specified time(expressed in minutes) after which the system would shutdown. Provide a value of 0 to shutdown immediately.

Unmount Filesystem

Unmount a file system from the local system.
Parameter Description
Mount Point This element specifies the mount point where the filesystem is mounted.

Application Management

Install or uninstall applications.
Parameter Description
Command The value is either ‘install’ or ‘uninstall’
Install Method There are three installation methods:
  • by uploading the installation file.
  • by using a repository such as yum or Advanced Packaging Tool (APT)
  • by entering a URL that serves the installation file
Application executable Path of the installer executable or package.
Application name Name of the package to install from the repository.
Silent mode option Option to install the application in silent (non-interactive) mode.

Patch Management

Install a patch.
Parameter Description
Command The value is install
Install Method There are three installation methods:
  • by uploading the installation file.
  • by using a repository such as yum or Advanced Packaging Tool (APT)
  • by entering a URL that serves the installation file
Application executable Path of the patch installer executable or package.
URL URL that serves the installation file. The endpoint downloads and executes this file, so use an HTTPS URL on a server you control.
Application name Name of the package to install from the repository.
Silent mode option Option to install the patch in silent (non-interactive) mode.

Application block

Block a specified application from execution. Select names from the list or provide comma separated values. Note: In-built applications cannot be blocked in Apple Mac OS X El Capitan and Sierra.
Parameter Description
Not applicable Not applicable

Application unblock

Unblock the specified application from execution. Select names from the list or provide comma separated values. Note: In-built applications cannot be unblocked in Apple Mac OS X El Capitan and Sierra.
Parameter Description
Not applicable Not applicable

Enable device

Enables the specified devices. Select the devices to be enabled from the list, or enter custom driver names in the input box.
Parameter Description
Not applicable Not applicable

Disable device

Disables the specified devices. Select the devices to be disabled from the list, or enter custom driver names in the input box.
Parameter Description
Not applicable Not applicable

Add an entry into /etc/hosts file

Adds an entry into /etc/hosts file.
Parameter Description
Domain Name The hostname to map to the IP address. /etc/hosts is consulted before DNS, so an entry here overrides the name's DNS record for this endpoint.
IP Address The IPv4 or IPv6 address the name resolves to.

Add Protocol Entry

Adds a protocol entry to the /etc/protocols file. This file lists the IP protocols, by name and number, known to the TCP/IP subsystem.
Parameter Description
Protocol Alias The aliases for the protocol.
Protocol Name The native name for the protocol. For example ip, tcp, or udp.
Protocol Number The official number for this protocol as it will appear within the IP header.

Add Route

Adds new routing entry into network routing table.
Parameter Description
Gateway The gateway (next-hop router) through which the destination is reached.
Interface Name The network interface the route uses.
IP Address The destination host or network address of the route.
Route Type This element specifies the route type.
Netmask A netmask is a 32-bit mask used to divide an IP address into subnets and specify the network’s available hosts. eg: 255.255.255.0

Add Service Entry

Adds service entry into Internet network services list /etc/services file. This file provides a mapping between human-friendly textual names for internet services, and their underlying assigned port numbers and protocol types.
Parameter Description
Service Alias The service alias. An optional space or tab separated list of other names for this service.
Service Name The friendly name the service is known by and looked up under.
Service Port Number The port number to use for this service.
Service Protocol The type of protocol to be used. This field should match an entry in the /etc/protocols file.

Block Domain

Block a specified domain name.
Parameter Description
Domain Name A domain name is an identification string that defines a realm of administrative autonomy, authority or control within the Internet and domain names are used to identify one or more IP addresses.

Add ARP entry

Add a specified ARP entry into ARP cache.
Parameter Description
Interface Name This interface name will be associated with the an arp entry.
IP Address The IP address of the system. This member can be an IPv6 address or an IPv4 address.
MAC Address The physical hardware address of the adapter for the network interface associated with this IP address.

Delete ARP entry

Deletes a specified ARP entry from the ARP cache.
Parameter Description
Interface Name This interface name will be associated with the an arp entry.
IP Address The IP address of the system. This member can be an IPv6 address or an IPv4 address.

Delete an entry from /etc/hosts file

Deletes an entry from /etc/hosts file.
Parameter Description
Domain Name A domain name is an identification string that defines a realm of administrative autonomy, authority or control within the Internet and domain names are used to identify one or more IP addresses.

Delete Protocol Entry

Deletes a protocol entry from the /etc/protocols file. This file lists the IP protocols, by name and number, known to the TCP/IP subsystem.
Parameter Description
Protocol Name The native name for the protocol. For example ip, tcp, or udp.
Protocol Number The official number for this protocol as it will appear within the IP header.

Delete Route

Deletes existing routing entry from network routing table.
Parameter Description
Gateway The gateway of the routing entry to be deleted.
Interface Name The network interface of the routing entry to be deleted.
IP Address The destination address of the routing entry to be deleted.
Route Type This element specifies the route type.
Netmask A netmask is a 32-bit mask used to divide an IP address into subnets and specify the network’s available hosts. eg: 255.255.255.0

Delete Service Entry

Delete service entry from Internet network services list /etc/services file. This file provides a mapping between human-friendly textual names for internet services, and their underlying assigned port numbers and protocol types.
Parameter Description
Service Name The friendly name the service is known by and looked up under.
Service Port Number The port number to use for this service.
Service Protocol The type of protocol to be used. This field should match an entry in the /etc/protocols file.

Disable IP Forwarding

Disables IP forwarding (routing between interfaces). With forwarding enabled, the kernel passes packets received on one interface out through another, so the machine acts as a router; on macOS this is the net.inet.ip.forwarding sysctl. Keep it disabled on endpoints that are not meant to route traffic.
Parameter Description
Not applicable Not applicable

Enable IP Forwarding

Enables IP forwarding (routing between interfaces). With forwarding enabled, the kernel passes packets received on one interface out through another, so the machine acts as a router; on macOS this is the net.inet.ip.forwarding sysctl. Enable it only on hosts that are intended to relay traffic between networks.
Parameter Description
Not applicable Not applicable

Flush all ARP entries

Flush all arp entries from the ARP cache.
Parameter Description
Not applicable Not applicable

Flush all entries from /etc/hosts file

Flush all entries from /etc/hosts file.
Parameter Description
Not applicable Not applicable

Modify ARP entry

Modifies a specified ARP entry in the ARP cache.
Parameter Description
Interface Name The device interface name.
IP Address The IP address of the system. This member can be an IPv6 address or an IPv4 address.
MAC Address The physical hardware address of the adapter for the network interface associated with this IP address.

Modify entry from host file

Replaces an existing /etc/hosts entry with a new one.
Parameter Description
Domain Name The existing hostname in the hosts file.
IP Address The existing IPv4 or IPv6 address in the hosts file.
New Domain Name The hostname to write in its place.
New IP Address The IPv4 or IPv6 address to write in its place.
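The /etc/hosts add, delete, modify and flush actions, listed both for Linux and here for Mac, edit the same file with the same line format. The following shell script is an added example, not SanerNow code: it implements those four edits plus a lookup that mimics the resolver's first-match behaviour. HOSTS_FILE is an assumption of the example so the functions can be tried on a scratch copy, and the input validation is this example's own choice, not something the page specifies.

```shell
#!/bin/sh
# Added example (not SanerNow code): the file edits behind the /etc/hosts
# add / delete / modify / flush actions. Lines have the standard form
# "IP name [alias ...]"; comment lines start with '#'.

HOSTS_FILE=${HOSTS_FILE:-/etc/hosts}     # assumed default; override for testing

# Reject anything that is not a plausible IPv4/IPv6 literal or hostname, so a
# bad parameter cannot smuggle extra whitespace-separated fields into a line.
valid_ip() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$|^[0-9A-Fa-f]*(:[0-9A-Fa-f]*)+$'
}
valid_name() {
    echo "$1" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$'
}

# True if NAME already appears as a hostname or alias (comments skipped).
hosts_has() {
    grep -Ev '^[[:space:]]*#' "$HOSTS_FILE" |
        awk -v n="$1" '{for (i = 2; i <= NF; i++) if ($i == n) f = 1} END {exit !f}'
}

# Add: refuse duplicates. The resolver takes the first matching line, so a
# second entry for the same name would be silently ignored and only confuse audits.
hosts_add() {
    ip=$1; name=$2
    valid_ip "$ip" && valid_name "$name" || { echo "invalid entry: $ip $name" >&2; return 1; }
    if hosts_has "$name"; then echo "$name already present" >&2; return 1; fi
    printf '%s\t%s\n' "$ip" "$name" >> "$HOSTS_FILE"
}

# Rewrite the file in place, keeping its owner and mode (cat, not mv).
hosts_rewrite() {
    tmp=$(mktemp)
    awk "$1" "$HOSTS_FILE" > "$tmp" && cat "$tmp" > "$HOSTS_FILE"
    rm -f "$tmp"
}

# Delete every non-comment line whose hostname field is NAME.
hosts_delete() {
    hosts_rewrite '/^[[:space:]]*#/ {print; next} $2 != "'"$1"'" {print}'
}

# Modify: replace the line "OLD_IP OLD_NAME" with "NEW_IP NEW_NAME".
hosts_modify() {
    valid_ip "$3" && valid_name "$4" || { echo "invalid entry: $3 $4" >&2; return 1; }
    hosts_rewrite '$1 == "'"$1"'" && $2 == "'"$2"'" {print "'"$3"'" "\t" "'"$4"'"; next} {print}'
}

# Flush: keep only the loopback lines; dropping them breaks anything that
# resolves "localhost" before DNS is available.
hosts_flush() {
    hosts_rewrite '$2 == "localhost" || $1 == "127.0.0.1" || $1 == "::1"'
}

# Resolve NAME the way a "files dns" resolver order does: first match wins.
hosts_lookup() {
    grep -Ev '^[[:space:]]*#' "$HOSTS_FILE" |
        awk -v n="$1" '{for (i = 2; i <= NF; i++) if ($i == n) {print $1; exit}}'
}

# Usage (as root, on the live file):
#   hosts_add 10.0.0.5 app.internal; hosts_lookup app.internal; hosts_delete app.internal
```

Because the first matching line wins, a lookup after each change is the cheapest way to confirm that the remediation had the intended effect rather than adding a shadowed duplicate.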

Modify Protocol Entry

Updates an existing protocol entry in the /etc/protocols file. This file lists the IP protocols, by name and number, known to the TCP/IP subsystem.
Parameter Description
New Protocol Alias The new protocol alias for the protocol.
New Protocol Name The new protocol name. Native name for the protocol. For example ip, tcp, or udp.
New Protocol Number The new protocol number. Official number for this protocol as it will appear within the IP header.
Protocol Alias The protocol alias for the protocol.
Protocol Name The protocol name. Native name for the protocol. For example ip, tcp, or udp.
Protocol Number The protocol number. Official number for this protocol as it will appear within the IP header.

Modify Route

Updates an existing routing entry in the network routing table with new values.
Parameter Description
Gateway The gateway of the existing routing entry.
Interface Name The network interface of the existing routing entry.
IP Address The destination address of the existing routing entry.
Route Type The route type of the existing entry.
Netmask The netmask of the existing entry. A netmask is a 32-bit mask that splits an IP address into network and host parts, e.g. 255.255.255.0.
New Gateway The new gateway (next-hop router) for the route.
New Interface Name The new network interface for the route.
New IP Address The new destination address for the route.
New Route Type The new route type.
New Netmask The new netmask for the route.

Modify Service Entry

Updates existing service entry from Internet network services list /etc/services file. This file provides a mapping between human-friendly textual names for internet services, and their underlying assigned port numbers and protocol types.
Parameter Description
New Service Port Number The new port number to use for this service.
New Service Protocol The new type of protocol to be used. This field should match an entry in the /etc/protocols file.
Service Name The existing friendly name the service is known by and looked up under.
Service Port Number The existing port number to use for this service.
Service Protocol The existing type of protocol to be used. This field should match an entry in the /etc/protocols file.

Network connection kill

Kills a specified network connection.
Parameter Description
Local Port The local TCP port number of the connection to terminate.

Unblock Domain

Unblock a specified blocked domain name.
Parameter Description
Domain Name A domain name is an identification string that defines a realm of administrative autonomy, authority or control within the Internet and domain names are used to identify one or more IP addresses.

Process block

Block specified processes from execution using a list of process names. Select process names from the list or provide comma separated values. Note: In-built processes cannot be blocked in Apple Mac OS X El Capitan and Sierra.
Parameter Description

Start process

Start specified processes using a list of process names. Select process names from the list or provide comma separated values.
Parameter Description

Stop process by process ID

Stop specified processes using a list of process IDs. Select process IDs from the list or provide comma separated values.
Parameter Description

Stop process by name

Stop specified processes using a list of process names. Select process names from the list or provide comma separated values.
Parameter Description

Process unblock

Unblock specified processes from execution using a list of process names. Select process names from the list or provide comma separated values. Note: In-built processes cannot be unblocked in Apple Mac OS X El Capitan and Sierra.
Parameter Description

Append Firewall(pfctl) Rules

Appends a rule at the end of the firewall rule set.
Parameter Description
Rules The rule to append, in the form shown in the example. e.g. INPUT -i eth0 -p tcp --dport 110 -j ACCEPT

Change File Ownership

Change ownership of a given filepath.
Parameter Description
File Path Absolute filepath
Group name group to be changed for given filepath (optional)
User name username to be changed for given filepath.

Change File Permission

Change permission of a given filepath.
Parameter Description
File Path Absolute filepath
File Permission Octal permission mode, e.g. 644 (owner read/write, group and others read only).

Delete Firewall(pfctl) Rules

Deletes a rule from the firewall rule set.
Parameter Description
Rules The rule to delete, given as chain name and rule number as in the example. e.g. INPUT 2

Disable Firewall(pfctl)

Disables/Stops firewall.
Parameter Description
Not applicable Not applicable

Enable Firewall(pfctl)

Enables/Start firewall.
Parameter Description
Not applicable Not applicable

Flush Firewall(pfctl) Rules

Clears (flushes) all iptables rules.
Parameter Description
Not applicable Not applicable

Insert Firewall(pfctl) Rules

Inserts rules at the beginning of the iptables chain.
Parameter Description
Rules iptables rule to be added, e.g. INPUT -i eth0 -p tcp --dport 22 -j ACCEPT

Replace Firewall(pfctl) Rules

Replaces a specific rule in the iptables chain.
Parameter Description
Rules Rule to be replaced and its replacement, separated by ~, e.g. INPUT 2 -i eth0 -p tcp --dport 26 -j ACCEPT~INPUT 2 -i eth0 -p tcp --dport 26 -j REJECT

Restart Firewall(pfctl)

Restarts the firewall and re-applies its rules.
Parameter Description
Not applicable Not applicable
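A shell helper, added here as an example and not SanerNow's own code, that issues the "Rules" strings from the firewall actions above as iptables commands and, before a delete or replace by rule number, verifies that the rule currently at that position is the one the operator expects, since positions shift whenever a rule is inserted or removed. It assumes that the part before ~ in the replace format is the rule expected at that position, and that the IPTABLES variable may point at a stub for dry runs.

```shell
#!/bin/sh
# Constructed example, not SanerNow's own code: runs the "Rules" strings from the
# firewall actions as iptables commands, with a position check before delete and
# replace by rule number. Assumption: in "CHAIN N <old>~CHAIN N <new>" the part
# before ~ is the rule expected at position N. IPTABLES may be a stub for dry runs.
IPTABLES="${IPTABLES:-iptables}"

# iptables -S lists "-p tcp --dport N" as "-p tcp -m tcp --dport N"; drop the
# implicit match so a listed rule compares equal to the rule text that was given.
fw_norm() { printf '%s' "$1" | sed 's/ -m tcp / /g; s/ -m udp / /g'; }

# Append: "INPUT -i eth0 -p tcp --dport 110 -j ACCEPT"  ->  iptables -A INPUT ...
fw_append() { $IPTABLES -A $1; }

# Insert at the head of the chain: "INPUT -i eth0 ... -j ACCEPT" -> iptables -I INPUT 1 ...
fw_insert() { chain="${1%% *}"; spec="${1#* }"; $IPTABLES -I "$chain" 1 $spec; }

# Rule NUM of CHAIN in -S form, e.g. "-A INPUT -i eth0 -p tcp --dport 26 -j ACCEPT"
fw_rule_at() { out="$($IPTABLES -S "$1" "$2")" || return 1; fw_norm "$out"; }

# Refuse unless rule NUM of CHAIN is EXPECTED (given in "-A CHAIN ..." form).
fw_check_at() {
  actual="$(fw_rule_at "$1" "$2")" || return 1
  if [ "$actual" != "$3" ]; then
    echo "refusing: rule $2 of $1 is '$actual', expected '$3'" >&2
    return 3
  fi
}

# Delete by position ("INPUT 2"), with the rule expected at that position.
fw_delete_at() {
  chain="${1%% *}"; num="${1#* }"
  fw_check_at "$chain" "$num" "$2" && $IPTABLES -D "$chain" "$num"
}

# Replace: "INPUT 2 <old spec>~INPUT 2 <new spec>"
fw_replace() {
  case "$1" in *~*) ;; *) echo "replace needs old~new" >&2; return 2 ;; esac
  old="${1%%~*}"; new="${1#*~}"
  chain="${old%% *}"; rest="${old#* }"; num="${rest%% *}"; oldspec="${rest#* }"
  newspec="${new#* }"; newspec="${newspec#* }"   # strip the leading "CHAIN N"
  fw_check_at "$chain" "$num" "-A $chain $oldspec" && $IPTABLES -R "$chain" "$num" $newspec
}
```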

Set ASLR Status

Sets the address space layout randomization (ASLR) setting.
Parameter Description
Permanent or Temporary One of the following settings: permanent, or temporary (valid until the next reboot)
ASLR Status Value One of the following settings: 0 – ASLR off (process address space randomization off); 1 – ASLR on for mmap base, stack and VDSO page (conservative randomization); 2 – ASLR on for mmap base, stack, VDSO page and heap (full randomization)

Set SELinux Status

Security-Enhanced Linux (SELinux) is a mandatory access control (MAC) security mechanism implemented in the kernel. This action sets the SELinux mode.
Parameter Description
SELinux Status One of the following settings: 0 – Permissive (SELinux logs warnings instead of enforcing); 1 – Enforcing (the SELinux security policy is enforced)

Set sysctl Settings

Sets a sysctl kernel parameter. sysctl is the interface for examining and dynamically changing kernel parameters in Unix-like operating systems.
Parameter Description
Not applicable Not applicable
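Applying the ASLR and SELinux values from the two tables above, as an added shell example that is not SanerNow's own code. It assumes the file name 60-aslr.conf, that a SELinux status change is both applied at runtime and persisted in /etc/selinux/config (the table lists only the status value), and that the paths can be overridden to exercise the logic in a scratch directory without root.

```shell
#!/bin/sh
# Constructed example, not SanerNow's own code: applies the ASLR value temporarily
# or permanently as the table describes, and the SELinux status both at runtime
# and in the config file (an assumption). Path variables are overridable for tests;
# the file name 60-aslr.conf is this example's choice.
PROC_ROOT="${PROC_ROOT:-/proc}"
SYSCTL_D="${SYSCTL_D:-/etc/sysctl.d}"
SELINUXFS="${SELINUXFS:-/sys/fs/selinux}"
SELINUX_CONFIG="${SELINUX_CONFIG:-/etc/selinux/config}"

# set_aslr MODE VALUE   MODE: temporary|permanent
# VALUE: 0 off, 1 mmap base/stack/VDSO (conservative), 2 adds heap (full)
set_aslr() {
  mode="$1"; value="$2"
  case "$value" in 0|1|2) ;; *) echo "invalid ASLR value: $value" >&2; return 2 ;; esac
  case "$mode" in
    permanent)
      # a sysctl.d fragment is read at boot (sysctl --system), so the value survives reboot
      mkdir -p "$SYSCTL_D"
      printf 'kernel.randomize_va_space = %s\n' "$value" > "$SYSCTL_D/60-aslr.conf" ;;
    temporary) ;;   # runtime only: reverts to the boot default at the next reboot
    *) echo "invalid mode: $mode (temporary or permanent)" >&2; return 2 ;;
  esac
  # the runtime knob, the same file that sysctl -w kernel.randomize_va_space=N writes
  printf '%s\n' "$value" > "$PROC_ROOT/sys/kernel/randomize_va_space"
}

# get_aslr prints the current runtime ASLR value (0, 1 or 2)
get_aslr() { cat "$PROC_ROOT/sys/kernel/randomize_va_space"; }

# set_selinux_status STATUS   0: permissive (log only), 1: enforcing
set_selinux_status() {
  case "$1" in
    0) word=permissive ;;
    1) word=enforcing ;;
    *) echo "invalid SELinux status: $1" >&2; return 2 ;;
  esac
  # the SELINUX= line decides the mode at boot; other lines (SELINUXTYPE) stay intact
  mkdir -p "$(dirname "$SELINUX_CONFIG")"
  if [ -f "$SELINUX_CONFIG" ] && grep -q '^SELINUX=' "$SELINUX_CONFIG"; then
    sed -i "s/^SELINUX=.*/SELINUX=$word/" "$SELINUX_CONFIG"
  else
    printf 'SELINUX=%s\n' "$word" >> "$SELINUX_CONFIG"
  fi
  # the runtime switch (what setenforce 0/1 writes); absent when SELinux is not loaded
  if [ -w "$SELINUXFS/enforce" ]; then
    printf '%s' "$1" > "$SELINUXFS/enforce"
  else
    echo "SELinux not loaded: runtime mode unchanged, config updated for next boot" >&2
  fi
}

# get_selinux_status prints the running mode: 0 permissive, 1 enforcing
get_selinux_status() { cat "$SELINUXFS/enforce"; }
```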

Service restart

Restart specified services by service name. Select names from the list or provide comma separated values.
Parameter Description
Not applicable Not applicable

Service start

Start specified services by service name. Select names from the list or provide comma separated values.
Parameter Description
Not applicable Not applicable

Service stop

Stop specified services by service name. Select names from the list or provide comma separated values.
Parameter Description
Not applicable Not applicable

Mount Filesystem

Mounts a file system at a local folder.
Parameter Description
Destination Path The local directory (mount point) at which the file system is mounted.
Read-only value Whether to mount the file system read-only (true/false).
Source Path The source path of the file system to mount.

Reboot

Reboots the system.
Parameter Description
Message The specified message is displayed to logged-in users before the reboot.
Time in minutes The delay, in minutes, after which the system reboots. Provide a value of 0 to reboot immediately. Mac systems take about a minute to shut down.

Shutdown

Shuts down the system.
Parameter Description
Message The specified message is displayed to logged-in users before the shutdown.
Time in minutes The delay, in minutes, after which the system shuts down. Provide a value of 0 to shut down immediately. Mac systems take about a minute to shut down.

Unmount Filesystem

Unmounts a file system from the local system.
Parameter Description
Mount Point The mount point at which the file system is mounted.

Application Management

Installs or uninstalls applications.
Parameter Description
Command The value is either ‘install’ or ‘uninstall’.
Install Method There are two installation methods:
  • by uploading the installation file;
  • by entering a URL that serves the installation file.
Uninstall Method To uninstall, provide the name of the application to be removed.
Application executable Provide the executable path.
Application name Name of the application to install/uninstall.
URL URL that serves the installation file.
Additional options Any additional command-line options to be passed when the command is executed.

Patch Management

Installs or uninstalls a patch.
Parameter Description
Command The value is either ‘install’ or ‘uninstall’.
Install Method There are two installation methods:
  • by uploading the installation file;
  • by entering a URL that serves the installation file.
Application executable Provide the executable path.
URL URL that serves the installation file.
Additional options Any additional command-line options to be passed when the command is executed.
Notify for reboot Show a notification window telling the user that a reboot is required after installation/uninstallation.

SanerNow Security Architecture, Best Practices and Policies

Physical security

SanerNow is hosted in industry-leading Amazon Web Services (AWS), in two different locations in the USA. AWS data centers have been tested for security, availability and business continuity.

Application security

The SanerNow platform is hosted in Amazon Web Services. The infrastructure comprises firewalls, load balancers, hardened OSes, databases and application servers, which are managed and maintained by Amazon.

At SecPod, we take a multifaceted approach to application security, to ensure that everything in engineering, from architecture, design and development to quality assurance and deployment, complies with the highest standards of security.

Application Architecture

The hosted platform is protected by AWS’s firewall, which offers protection from network-related intrusions. The second layer of protection is SanerNow’s own protection layer, which monitors for offending IPs and users. The application can be accessed only by users with valid credentials, and industry-standard password policies are enforced on users. Two-factor authentication can also be enforced by users. Our platform comes with features to secure business data in the cloud:

  • Industry standard Transport Layer Security (TLS v1.2) is enforced
  • Identity management through a secure database
  • Leveraging SAML for all API based authentications
  • IP whitelisting for exclusive access
  • Two-factor authentication
  • Strict authorization policy
  • Multi-tenant architecture with clear boundaries

SanerNow uses a multi-tenant data model to host all customer accounts and data, and no customer has access to another customer’s data. Access to the platform by SecPod employees is also controlled, managed and audited. Access to the platform and the infrastructure is logged for subsequent audits.

Platform Development

SecPod houses Security Research Engineers who are well trained in performing white-box audits and black-box testing. With a decade of experience in the security research domain, each engineer brings an attacker’s mindset to testing and validating the platform, ensuring adherence to our highest standards. All major and minor releases are subjected to the highest standard of security scrutiny before the platform release is deployed.

Deployment

Deployments to production servers are performed only by trusted and authorized engineers. Only a very few pre-authorized engineers have access to the SanerNow platform.

Post-deployment monitoring is done by a dedicated 24×7 Support team that monitors the application for suspicious activities or attacks. An escalation matrix up to two levels of engineers has been defined to address contingencies that might occur.

An information security team carries out periodic, comprehensive application audits. The tests are performed with the help of static analysis tools, aided by manual analysis. Network penetration tests and other black-box tests are performed to help identify security vulnerabilities in the application. SanerNow being a security platform, the tools offered by the platform are also used to test the infrastructure, in addition to internal and external audits.

Data Security

SecPod takes the protection and security of its customers’ data very seriously. The SecPod development team has no access to data on production servers. Changes to the platform and infrastructure are documented extensively as part of an internal change control process.

Our products collect limited information about customers – name, email address and phone number – which is retained for account creation. Postal address is also requested and retained.

SecPod takes the integrity and protection of customers’ data very seriously. We maintain a history of two kinds of data: system logs and customer data. All data is stored on the AWS platform. Backups are taken every day at multiple locations. Logs are retained for 90 days. Customer data is backed up to persistent storage every day, and the last seven days of backups are retained.

Data at rest is encrypted using AES 256-bit standards (key strength – 1024), with the keys managed by AWS Key Management Service. All data in transit is encrypted using FIPS 140-2 standard encryption over a secure socket connection for all customer accounts hosted on SanerNow.

When an account is deleted, all associated data is destroyed within 7 business days.

Network Security

The SecPod office network, where the platform is developed, deployed and managed, is secured by firewalls and antivirus software. Firewall logs are stored and reviewed periodically. Audit logs are generated for each remote user session and reviewed. Access to the production environment is via SSH, and remote access is possible only from SecPod’s internal network.

The SanerNow platform is hosted in AWS. The SOC and DevOps teams monitor the infrastructure 24×7 for stability and intrusions. End-to-end vulnerability assessments and penetration tests are performed with each quarterly release.

Regulatory Compliance

We implement industry-standard security, technical, physical and administrative measures against unauthorized processing of personal information and against loss or destruction of, or damage to, personal information.

We are working towards SSAE-16 certification and a SOC 2 report. Our servers are hosted in AWS, which is SSAE-16, ISO 27001 and HIPAA compliant.

Reporting issues and threats

If you have found any issue or flaw impacting the data security or privacy of SecPod users, please write to support@secpod.com with the relevant information; we’ll act on it immediately.

If you have any questions or doubts, feel free to get in touch with us at support@secpod.com, and we’ll get back to you right away.

Deployment Checklists

Pre-Deployment Checklist

  • Is there a proxy to reach the Internet (saner.secpod.com)?
  • Does an outgoing network rule need to be configured to reach saner.secpod.com (HTTPS:443)?
  • Is a tool locally available for software deployment? If not, do you have an Active Directory environment?
  • Offices in multiple locations? Do you want to create separate sites and manage each separately with different users?
  • How many tool administrators/users are required?
  • Do you have Administrator/root access to deploy the agents?
  • Do you want scans to run in “Low” mode? Low mode is less CPU-intensive but may take longer to complete.
  • Do you have a local WSUS server (Windows), Yum repository (RPM-based Linux), DPKG repository (Debian/Ubuntu) or Apple Mac OS X update server?
  • Are other products managing patching?
  • Mail server configuration (mail account and server details) is required for alerts and reports.

Deployment Tool Pre-requisites

SanerNow provides two tools to deploy agents on endpoints: the SanerNow cloud deployer tool and the SanerNow on-premise deployer tool. The cloud deployer tool is available as a zip file containing a Python script; the on-premise deployer tool is available in a web portal.

Pre-requisites for SanerNow cloud deployment tool

  1. Disable remote UAC. Refer to the following document to disable remote UAC: https://support.microsoft.com/en-us/help/951016/description-of-user-account-control-and-remote-restrictions-in-windows
  2. Enable the admin$ administrative share. Refer to the following document to enable administrative shares: https://www.wintips.org/how-to-enable-admin-shares-windows-7/
  3. Ensure security software is not blocking the installation.
  4. Enable the SMBv2 protocol. Refer to the following document to enable SMBv2: https://support.microsoft.com/en-in/help/2696547/detect-enable-disable-smbv1-smbv2-smbv3-in-windows-and-windows-server

Pre-requisites for SanerNow in-house deployment tool

  1. Turn on network discovery and file and printer sharing. Refer to the following document to turn them on: https://www.pugetsystems.com/labs/support-software/How-to-enable-Network-Discovery-and-configure-sharing-options-in-Windows-10-1008/
  2. Enable the SMBv2 protocol. Refer to the following document to enable SMBv2: https://support.microsoft.com/en-in/help/2696547/detect-enable-disable-smbv1-smbv2-smbv3-in-windows-and-windows-server
  3. Ensure security software is not blocking the installation.
  4. Ensure “Network access: Sharing and security model for local accounts” is set to ‘Classic – Local users authenticate as themselves’. Follow these steps:
    1. Open ‘Control Panel’
    2. Select ‘Administrative Tools’
    3. Open ‘Local Security Policy’
    4. In the left pane, navigate to ‘Security Settings’ => ‘Local Policies’ => ‘Security Options’
    5. In the right pane, find ‘Network access: Sharing and security model for local accounts’
    6. Double-click it to change the setting
    7. Set it to ‘Classic – Local users authenticate as themselves’

Security Researcher Hall of Fame

If you believe you have discovered a security vulnerability, please share the details with us by sending an email to research@secpod.com. Kindly include a detailed description of the issue and the steps to reproduce it, along with screenshots (if any).

We would like to thank the following individuals for making a responsible disclosure to us:
  • Sumit Birajdar
